A growing number of cyberattacks were discovered targeting retailers and online consumers as summer sales heat up. Though the holiday season remains the most profitable time for retailers, sale events are often launched in the slower summer months to increase revenue. Consumers often take advantage of these summer sale events including semi-annual sales; Independence, Memorial, and Labor Day sales; Father’s Day and graduation gifts; back-to-school sales, and Christmas in July sales. Akamai researchers identified a new, large-scale, Magecart-style web skimming campaign, designed to steal personally identifiable information (PII) and credit card information from e-commerce websites. Distinct from traditional Magecart campaigns, however, this campaign uses new techniques to hijack legitimate commerce websites in order to serve as improvised command-and-control (C2) servers, using the host victim’s website to further facilitate malicious code distribution.
Cybercriminals use various evasion techniques during the campaign, masking the attack to resemble popular third-party services and allowing it to go undetected for over a month. This attack may potentially exploit known vulnerabilities found in websites’ digital commerce platforms such as Magento, WooCommerce, WordPress, and Shopify, or in vulnerable third-party services used by the website. These attacks cannot be detected by popular web security methods, such as web application firewalls (WAFs), and are executed on the client side, prolonging the attack. This may result in tens of thousands of victims and damage the reputations of victimized organizations. Additionally, consumers’ PII and credit card information are at risk of being stolen or further sold on dark web forums.
Threat actors are also targeting online sellers in a new phishing campaign to distribute Vidar information-stealing (infostealer) malware. They impersonate a customer of an online retailer claiming that they were charged a large dollar amount after an alleged order did not go through. These complaints are sent to online store administrators via email or website contact forms and contain a link to a fake Google Drive page that prompts the user to download a malware-laden PDF file. Threat actors target online sellers to steal admin credentials in order to gain access to eCommerce websites and facilitate further cyberattacks.
Infostealers are remote access trojans (RATs) designed to gather information from a system. Infostealers gather login information, like usernames and passwords, and are frequently used to further facilitate ransomware attacks. The NJCCIC and other cybersecurity firms have indicated a steady increase in attempts to distribute infostealers, such as Redline Stealer, Vidar, and Raccoon Stealer. Vidar is capable of stealing browser cookies, browser history, saved passwords, cryptocurrency wallets, text files, Authy 2FA databases, and capturing screenshots of the active Windows screen. Redline Stealer is a powerful data collection tool, capable of extracting login credentials from a wide range of sources, including web browsers, FTP clients, email applications, Steam, instant messaging clients, and VPNs. Raccoon Stealer steals personal information, including email addresses, identification numbers, bank account information, and cryptocurrency information. Cybercriminals can use this stolen information to commit identity theft, financial fraud, and other crimes.
One week left to submit comments! On April 18, 2023, proposed updates to the Workforce Framework for Cybersecurity (NICE Framework) Work Role Categories and Work Roles were announced. The proposed updates are based on feedback from the community during previous calls for comments, during regular engagement with stakeholders, and through consultations with subject matter experts. The updates focus on improving clarity, consistency, and accuracy to increase the usefulness of this resource. Updates include:
– Minor changes to Work Role Category names, descriptions, and ordering.
– Updates to Work Role names, minor updates to Work Role descriptions, and new Work Role IDs to reflect category updates and remove references to deprecated Specialty Areas.
An overview of the proposed updates is provided in “NICE Framework Work Role Categories and Work Roles: An Introduction and Summary of Proposed Updates”.
Barracuda Networks has released an update to their advisory addressing a vulnerability—CVE-2023-2868—in their Email Security Gateway Appliance (ESG). According to Barracuda, customers should replace impacted appliances immediately.
Note: Customers who used enterprise privileged credentials for management of their Barracuda appliance (such as Active Directory Domain Admin or similar) should take immediate incident investigation steps to validate the use and behavior of all credentials used on the appliance. It is of utmost importance to verify that threat actors have not compromised customer enterprise networks via this entry vector.
Fraudulent In-Browser WinRAR Screen With Opened .ZIP Archive. Image Source: BleepingComputer
In May 2023, Google launched several new top-level domains (TLDs), including .ZIP. The use of .ZIP for both filename extensions and domain names is legitimate; however, threat actors are exploiting the .ZIP domain name in a new phishing technique called “file archiver in the browser.” Because .ZIP is now a valid TLD, a string ending in .ZIP can be automatically turned into a clickable link, which phishing campaigns use to steal credentials or deliver malware. If clicked, the browser opens the .ZIP website, redirects the target to a website displayed as an HTML page, and prompts the target to download the malicious .ZIP file. In the above example, when the .ZIP website is launched, a fraudulent WinRAR archiver window is embedded in the browser to purportedly display an opened .ZIP archive and the files it contains. To appear more convincing, a fraudulent security scan button is also displayed. If clicked, a message appears indicating that “the files were scanned and no threats were detected.” If one of these files is selected, the target is redirected to another website and prompted to enter their credentials to view the file.
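A mail-gateway or log-triage check for the lure described above, added here as an example and not part of the original bulletin: it finds tokens that a reader would take for a filename but that a linkifier would resolve as a .ZIP hostname. It goes one step beyond the text by also covering .MOV, another TLD launched in the same batch (an assumption noted in the code); the sample message is constructed.

```python
import re
from urllib.parse import urlsplit

# TLDs that double as common file extensions. The bulletin discusses .zip;
# .mov was launched in the same May 2023 batch and is included as an assumption.
ARCHIVE_LIKE_TLDS = {"zip", "mov"}

# A host-like token ending in .zip/.mov, optionally with a scheme. The negative
# lookbehind stops matches that start inside a URL path (e.g. .../x.zip), which
# are ordinary file downloads, not a hostname a linkifier would create.
TOKEN_RE = re.compile(
    r"(?<![\w/@.-])(?:https?://)?[\w-]+(?:\.[\w-]+)*\.(?:zip|mov)\b",
    re.IGNORECASE,
)

# Constructed sample message for the demonstration.
SAMPLE = (
    "Hi team, the Q2 numbers are in financial-report.zip and the deck is at "
    "https://docs.example.com/summary.pdf. Also see photos.ZIP."
)


def find_archive_tld_lures(text):
    """Return the tokens in text that would resolve to a .zip/.mov hostname.

    Each hit records the raw token, the hostname urlsplit derives from it and
    whether the sender wrote an explicit scheme (a bare token is the stealthier
    form: it reads as a filename but the client turns it into a link).
    """
    hits = []
    for match in TOKEN_RE.finditer(text):
        token = match.group(0)
        explicit = token.lower().startswith("http")
        host = urlsplit(token if explicit else "http://" + token).hostname or ""
        if host.rsplit(".", 1)[-1].lower() in ARCHIVE_LIKE_TLDS:
            hits.append({"token": token, "host": host, "explicit_scheme": explicit})
    return hits


if __name__ == "__main__":
    for hit in find_archive_tld_lures(SAMPLE):
        print(f"possible archive-TLD lure: {hit['token']!r} -> host {hit['host']}")
```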
A vulnerability has been discovered in Google Chrome which could allow for arbitrary code execution. Successful exploitation of this vulnerability could allow for arbitrary code execution in the context of the logged-on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.
Threat Intelligence
Google is aware that an exploit for CVE-2023-3079 exists in the wild.
Systems Affected
Google Chrome versions prior to 114.0.5735.110 for Windows. Google Chrome versions prior to 114.0.5735.106 for Mac and Linux.
Risk
Government:
– Large and medium government entities: High
– Small government entities: Medium
Businesses:
– Large and medium business entities: High
– Small business entities: Medium
Home Users: Low
Technical Summary
A vulnerability has been discovered in Google Chrome, the most severe of which could allow for arbitrary code execution.
Recommendations
– Apply appropriate updates provided by Google to vulnerable systems immediately after appropriate testing.
– Apply the Principle of Least Privilege to all systems and services. Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
– Restrict execution of code to a virtual environment on or in transit to an endpoint system.
– Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring.
– Restrict use of certain websites, block downloads/attachments, block JavaScript, restrict browser extensions, etc.
– Inform and educate users regarding the threats posed by hypertext links contained in emails or attachments, especially from untrusted sources.
– Remind users not to visit untrusted websites or follow links provided by unknown or untrusted sources.
This Joint Cybersecurity Information Sheet, authored by the National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA), highlights threats to Baseboard Management Controllers (BMCs) and details actions organizations can use to harden them.
BMCs are trusted components designed into a computer’s hardware that operate separately from the operating system and firmware to allow for remote management and control, even when the system is shut down.
A BMC differs from the Basic Input/Output System (BIOS) and the Unified Extensible Firmware Interface (UEFI), which have a later role in booting a computer, and from the Management Engine, which has different remote management functionality. BMC firmware is highly privileged, executes outside the scope of operating system (OS) controls, and has access to all resources of the server-class platform on which it resides. It executes the moment power is applied to the server. Therefore, booting to a hypervisor or OS is not necessary, as the BMC functions even if the server is shut down.
Today, CISA, the Federal Bureau of Investigation (FBI), the Multi-State Information Sharing and Analysis Center (MS-ISAC), and international partners released Understanding Ransomware Threat Actors: LockBit, a joint Cybersecurity Advisory (CSA) to help organizations understand and defend against threat actors using LockBit, the most globally used and prolific Ransomware-as-a-Service (RaaS) in 2022 and 2023. This guide is a comprehensive resource detailing the observed common vulnerabilities and exposures (CVEs) exploited, as well as the tools, and tactics, techniques, and procedures (TTPs) used by LockBit affiliates. Additionally, it includes recommended mitigations to help reduce the likelihood and impact of future ransomware incidents. In 2022, LockBit was the most deployed ransomware variant across the world and continues to be prolific in 2023. The LockBit Ransomware-as-a-Service (RaaS) attracts affiliates to use LockBit for conducting ransomware attacks, resulting in a large web of unconnected threat actors conducting wildly varying attacks. Affiliates have attacked organizations of various sizes across an array of critical infrastructure sectors including financial services, food and agriculture, education, energy, government and emergency services, healthcare, manufacturing, and transportation. LockBit has been successful through its innovation and continual development of the group’s administrative panel (i.e., a simplified, point-and-click interface making ransomware deployment accessible to those with lower degrees of technical skill), affiliate supporting functions, and constant revision of TTPs.
CISA and the authoring agencies of this joint CSA encourage organizations to implement the recommendations provided to proactively improve their defenses against this global ransomware operation and to reduce the likelihood and impact of future ransomware incidents.
On May 24, CISA joined the National Security Agency (NSA), the Federal Bureau of Investigation (FBI), and international partners in releasing a joint cybersecurity advisory highlighting recently discovered activities conducted by a People’s Republic of China (PRC) state-sponsored cyber threat actor.
This advisory highlights how PRC cyber actors use techniques called “living off the land” to evade detection by using built-in networking administration tools to compromise networks and conduct malicious activity. This enables the cyber actor to blend in with routine Windows system and network activities, limit activity and data captured in default logging configurations, and avoid endpoint detection and response (EDR) products that could alert to the introduction of third-party applications on the host or network. Private sector partners have identified that this activity affects networks across U.S. critical infrastructure sectors, and the authoring agencies believe the actor could apply the same techniques against these and other sectors worldwide. The authoring agencies have identified potential indicators associated with these techniques. To hunt for this activity, CISA and partners encourage network defenders to use the actor’s commands and detection signatures provided in this advisory. CISA and partners further encourage network defenders to view the indicators of compromise (IOCs) and mitigations summaries to detect this activity.
View and understand compliance posture across your multi-cloud environment
The first step in achieving and maintaining an optimal compliance posture is understanding how your current environment maps to your regulatory responsibilities. Compliance Manager supports over 350 regulations and standards, affording you a front-row seat to your organization’s current compliance posture within the context of the requirements or best practices you care about most. This view extends across your cloud services as well, providing a summary view of your posture across all relevant clouds.
Zoom into a specific posture assessment, such as this one for PCI DSS 3.2.1, and you’ll see a detailed drilldown of your performance for each of your clouds, allowing you to effectively plan and prioritize any remediation efforts, as well as monitor your organization’s progress. Compliance Manager partners with Microsoft Defender for Cloud to provide the most up-to-date results across your clouds, running nearly 1,000 tests across connected clouds and services every day. These tests are mapped to the relevant regulatory framework, allowing you to see precisely which control is impacted, and to assign an owner or take action yourself as needed.
Figure 2: Detail view of PCI DSS posture assessment
Leverage clear and detailed guidance to remediate issues across your clouds
Dive into a specific control, and you’ll see that Compliance Manager provides a set of recommended actions necessary to meet the control requirements, each tailored to your multi-cloud environment. This guidance takes the guesswork out of managing your compliance posture, allowing your users to spend more time taking action and less time parsing control language or searching for relevant functionality. In the case of Control 10.1 for PCI DSS 3.2.1, Compliance Manager advises a set of specific actions to help you ensure that your audit trails are as robust as possible, using its knowledge of your clouds’ configurations to recommend features or capabilities that you are not using to their full potential.
Figure 3: Status details of PCI control 10.1, with list of associated actions and test results
Tailor remediation efforts with resource-level evidence
Compliance Manager provides clear implementation steps to help you tackle the necessary configuration changes, then goes the extra mile with resource-level details showing you exactly where changes are needed.
Figure 4: Action drilldown with instructions for enabling Firewall rule logging in GCP
In the case of enabling firewall rule logging for GCP, all firewall rules across your selected GCP accounts are displayed alongside their logging status, allowing an admin to jump into GCP and follow the provided guidance to enable logging where it’s needed. This saves time and effort and helps reduce unnecessary changes. Once the changes are complete, Compliance Manager will update the status of each rule on its next test pass and preserve the record of the change for auditing and evidence collection.
Figure 5: Detail view of GCP Firewall rules and their logging status
Figure 6: The GCP firewall rule configuration page reached by following the deeplink on the Compliance Manager action
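The GCP side of the remediation described above (finding firewall rules whose logging is off and producing the commands to enable it), written here as an added example; it is not Compliance Manager code and the rule list is a constructed sample in the shape of `gcloud compute firewall-rules list --format=json`. The project id is a placeholder.

```python
import json
import subprocess

# Constructed sample, limited to the fields this check reads. A rule that was
# never given a logConfig block has logging off, so the key may be absent.
SAMPLE_RULES_JSON = json.dumps([
    {"name": "allow-ssh", "direction": "INGRESS", "disabled": False,
     "logConfig": {"enable": True, "metadata": "INCLUDE_ALL_METADATA"}},
    {"name": "allow-internal", "direction": "INGRESS", "disabled": False,
     "logConfig": {"enable": False}},
    {"name": "legacy-rdp", "direction": "INGRESS", "disabled": True},
    {"name": "deny-egress-all", "direction": "EGRESS", "disabled": False},
])


def rules_missing_logging(rules_json, include_disabled=False):
    """Return names of firewall rules whose logConfig.enable is not True.

    Disabled rules are skipped by default: they generate no traffic decisions,
    so enabling logging on them is churn rather than audit coverage.
    """
    missing = []
    for rule in json.loads(rules_json):
        if rule.get("disabled") and not include_disabled:
            continue
        if not rule.get("logConfig", {}).get("enable", False):
            missing.append(rule["name"])
    return missing


def remediation_commands(names, project):
    """Build the gcloud commands that turn rule logging on for each name."""
    return [
        f"gcloud compute firewall-rules update {name} --project {project} --enable-logging"
        for name in names
    ]


def audit_live(project):
    """Run the same check against a real project (needs an authenticated gcloud)."""
    out = subprocess.run(
        ["gcloud", "compute", "firewall-rules", "list", "--project", project, "--format=json"],
        check=True, capture_output=True, text=True,
    ).stdout
    return rules_missing_logging(out)


if __name__ == "__main__":
    # PLACEHOLDER project id; replace with your own when running audit_live().
    for cmd in remediation_commands(rules_missing_logging(SAMPLE_RULES_JSON), "my-gcp-project"):
        print(cmd)
```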
Simplify posture management and maintenance
Purview Compliance Manager also helps you maintain your compliance posture and retain the progress you’ve made – we do this by ensuring that our regulatory guidance incorporates the latest updates, as well as adding and updating our action recommendations as new features are released across supported clouds. These capabilities allow Purview Compliance Manager to be your one-stop shop for your compliance posture needs across your clouds, informing you of relevant changes, monitoring your configuration and recommending changes, and helping you reduce risk and keep your multi-cloud enterprise running smoothly.
Explore more Purview Compliance Manager resources
We are thrilled to share these announcements with you. Here is a summary of the next steps and other resources to help you and your organization get started with these capabilities:
Compliance Manager is part of the Microsoft Purview suite of solutions designed to help organizations manage, govern and protect their data. If you would like to experience Compliance Manager and other Purview solutions for yourself, check out our E5 Purview trial.
If you’re interested in learning more about Compliance Manager’s multi-cloud capabilities and how you can upgrade your own Assessments to multi-cloud, visit our guide to multicloud support.