Introduction to Cybersecurity for Commercial Satellite Operations

Introduction to Cybersecurity for Commercial Satellite Operations: 2nd Draft of NISTIR 8270 is Available for Comment

Space operations are vital to advancing the security, economic prosperity, and scientific knowledge of the Nation. However, cyber-related threats to space assets and their supporting infrastructure pose increasing risks to the economic promise of emerging markets in space. This second draft of NISTIR 8270, Introduction to Cybersecurity for Commercial Satellite Operations, presents a specific method for applying the Cybersecurity Framework (CSF) to commercial space business and describes an abstracted set of cybersecurity outcomes, requirements, and suggested controls.

The draft also:

  • Clarifies scope with an emphasis on the satellite itself,
  • Updates examples for clarity,
  • Adds more detailed steps for developing a current and target profile and risk analysis, and
  • Provides references for relevant regulations around commercial space.

Reviewers are asked to provide feedback on additional threat models that might help in the development of organization profiles, informative references on the application of security controls to satellites, and standards or informative references that might benefit all readers.

The public comment period is open through April 8, 2022. See the publication details for a copy of the draft and instructions for submitting comments.

WARNING QR Code Scanner: Add-On on Android

TeaBot, posing as “QR Code Scanner: Add-On”, is downloaded from two specific GitHub repositories created by the user feleanicusor. It has been verified that those repositories contained multiple TeaBot samples starting from Feb 17, 2022.

As reported at TeaBot is now spreading across the globe | Cleafy Labs

Background and key points

TeaBot is an Android banking trojan that emerged at the beginning of 2021, designed to steal victims’ credentials and SMS messages.

TeaBot RAT capabilities are achieved via the device screen’s live streaming (requested on-demand) plus the abuse of Accessibility Services for remote interaction and key-logging. This enables Threat Actors (TAs) to perform ATO (Account Takeover) directly from the compromised phone, also known as “On-device fraud”.

Initially, TeaBot was distributed through smishing campaigns using a predefined list of lures, such as TeaTV, VLC Media Player, DHL and UPS, among others. Recent samples show how TAs are evolving their side-loading techniques, including the distribution of applications on the official Google Play Store, also known as “dropper applications”.

In the last months, we detected a major increase in targets, which now number more than 400 applications, including banks, crypto exchanges/wallets and digital insurance, and new countries such as Russia, Hong Kong, and the US.

See the full report here

NIST Releases Ransomware Risk Management Cybersecurity Framework Profile & Quick Start Guide

Final Ransomware Risk Management Cybersecurity Framework Profile & Quick Start Guide Released Today!

Ransomware is a type of malicious attack where attackers encrypt an
organization’s data and demand payment to restore access. In some instances,
attackers may also steal an organization’s information and demand an additional
payment in return for not disclosing the information to authorities,
competitors, or the public. This serious cybersecurity challenge is becoming
more widespread.

To help address this challenge, NIST is releasing two guides:

The final Ransomware Risk Management: A Cybersecurity Framework Profile (NISTIR 8374) incorporates feedback from earlier drafts and is based on the broader Cybersecurity Framework Version 1.1. It can be used as a guide to manage the risk of ransomware events—which includes helping to gauge an organization’s level of readiness to counter ransomware threats and to deal with the potential consequences of events.

NIST has also developed a companion quick start guide called Getting Started with Cybersecurity Risk Management: Ransomware, designed for organizations—including those with limited resources to address cybersecurity challenges—to easily understand the advice given in the Profile and to get guidance on what they can begin implementing today. It’s important to recognize that you don’t need to do everything all at once…getting started is the key!

Read More

High-severity vulnerability in the UpdraftPlus WordPress plugin

Our new UpdraftPlus release, 1.22.3 (free version) / 2.22.3 (paid versions) is a security release. The short version is: you should update. To get the details, read on!

On the evening of February 15th, we received a security defect report from security researcher Marc-Alexandre Montpas of Automattic, who during an audit of UpdraftPlus found a previously unknown defect in current versions of UpdraftPlus, which has had a CVE identifier reserved of CVE-2022-23303.

This defect allows any logged-in user on a WordPress installation with UpdraftPlus active to exercise the privilege of downloading an existing backup, a privilege which should have been restricted to administrative users only. This was possible because of a missing permissions check on code related to checking current backup status. This allowed the obtaining of an internal identifier which was otherwise unknown, and could then be used to pass a check upon permission to download.

This means that if your WordPress site allows untrusted users to have a WordPress login, and if you have any existing backup, then you are potentially vulnerable to a technically skilled user working out how to download the existing backup. Affected sites are at risk of data loss / data theft via the attacker accessing a copy of your site’s backup, if your site contains anything non-public. I say “technically skilled”, because at that point, no public proof of how to leverage this exploit has been made. At this point in time, it relies upon a hacker reverse-engineering the changes in the latest UpdraftPlus release to work it out. However, you should certainly not rely upon this taking long, but should update immediately. If you are the only user on your WordPress site, or if all your users are trusted, then you are not vulnerable, but we still recommend updating in any case.

Users who are using UpdraftPlus Premium’s feature for encrypting your database backup are protected against data loss/theft from this problem, assuming that you have kept your encryption password secret. (There is no known vulnerability allowing the attacker to also access this). In such cases, only any confidential information in the backup of your files is at risk (and then usually only your media/upload files, since plugins and themes are usually only public code that contains nothing sensitive, being downloadable from their original supplier/author by any member of the public). Note also that the WordPress database, following modern security standards, hashes stored passwords. This means that your WordPress login password is protected even from someone who has obtained even an unencrypted copy of it.

This information is now being released approximately a day after updated, secured versions of UpdraftPlus became available. During that time, the majority of sites have been updated.

Again, we urge all users to update if they have not done so already. We at UpdraftPlus sincerely apologise for any and all inconvenience that has been caused, and wish to thank Marc for working together with us. From the moment we received the report, it was “all hands on deck”. An update was pushed to Premium users within the hour. We have lost a good amount of sleep, because your sites and their backups matter to us, and we will continue working hard to make sure that continues to be the case.

(Addendum: versions 1.22.4 / 2.22.4 have subsequently been released, which deal with a conflict with a bug in a popular third-party plugin by adding a work-around (we have also reported the issue to the plugin author)).

From https://updraftplus.com/updraftplus-security-release-1-22-3-2-22-3/

ISC2 has some Free Entry-Level Cybersecurity

Share a Free Entry-Level Cybersecurity Certification Exam Voucher

Share the Link: www.isc2.org/Voucher-Offer 

Share the Code: CYBERSTART

Limited so act fast 

As a pilot program participant, you will help us evaluate the effectiveness of the exam and its ability to accurately assess candidates’ grasp of the subject matter (also called domains) on which the exam is based. By passing the pilot exam, you will earn full certification at the conclusion of the pilot program.

The entry-level cybersecurity certification will prove to employers you have the foundational knowledge, skills and abilities necessary for an entry- or junior-level cybersecurity role. It will signal your understanding of fundamental security best practices, policies and procedures, as well as your willingness and ability to learn more and grow on the job.

Sign up below to learn more about the entry-level cybersecurity certification pilot program and available education courses to support your journey to a cybersecurity career.

There are five domains to this certification, listed below. For further details, visit the Exam Outline.

  • Security Principles
  • Business Continuity (BC), Disaster Recovery (DR) & Incident Response Concepts
  • Access Controls Concepts
  • Network Security
  • Security Operations

BUG Affecting Netgear, TP-Link, Tenda, Edimax, D-Link, Western Digital in the KCodes NetUSB kernel module

The bug (CVE-2021-45388) was discovered by researchers at SentinelOne. Researchers claim the high-severity flaw exists in the KCodes NetUSB kernel module used by a large number of network device vendors.

According to the researchers, NetUSB is a product by KCodes, that allows remote devices in a network to interact with USB devices connected to a router.

“For example, you could interact with a printer as though it is plugged directly into your computer via USB. This requires a driver on your computer that communicates with the router through this kernel module,” writes Max Van Amerongen, the author of the report.

Vendors like Netgear, TP-Link, Tenda, Edimax, D-Link, Western Digital, and others are among the users of the module.

Threat actors could use CVE-2021-45388 to execute code in the kernel module, which does not validate the size of a kernel memory allocation call, causing an integer overflow.

While Van Amerongen claims that code restrictions make it rather difficult to exploit the vulnerability, it isn’t impossible, which means that users of affected devices should look for firmware updates.

SentinelOne disclosed their finding to KCodes in September, and Netgear issued a security advisory for remediation in late December.

“While we are not going to release any exploits for it, there is a chance that one may become public in the future despite the rather significant complexity involved in developing one,” claims the report.
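The allocation-size pattern the report describes (an untrusted length used in allocation arithmetic without a range check), shown as an added example that is not NetUSB's or SentinelOne's code: the frame format, constants and function names are constructed here to contrast the unchecked arithmetic that wraps with a check that rejects the length before any arithmetic is done.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical wire frame, constructed for this example only (not NetUSB's
 * real protocol): a 4-byte big-endian payload length followed by the payload.
 * The two constants below are likewise constructed. */
#define HDR_OVERHEAD 16u            /* bookkeeping bytes appended to the buffer */
#define MAX_PAYLOAD  (64u * 1024u)  /* upper bound the handler should enforce */

static uint32_t read_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Unsafe pattern: the untrusted length goes straight into allocation
 * arithmetic. For wire_len >= 0xFFFFFFF0 the 32-bit addition wraps, so a
 * huge request yields a tiny allocation that a later copy overruns. */
uint32_t alloc_size_unchecked(uint32_t wire_len)
{
    return wire_len + HDR_OVERHEAD;
}

/* Hardened pattern: reject any length that would wrap or exceed the protocol
 * bound before doing arithmetic on it. Kernel code expresses the same intent
 * with check_add_overflow() from <linux/overflow.h>. Returns 0 on rejection. */
size_t alloc_size_checked(uint32_t wire_len)
{
    if (wire_len > UINT32_MAX - HDR_OVERHEAD)   /* addition would wrap */
        return 0;
    if (wire_len > MAX_PAYLOAD)                 /* outside protocol bounds */
        return 0;
    return (size_t)wire_len + HDR_OVERHEAD;
}

/* Parse one frame with the hardened check, copy the payload into a fresh
 * buffer and return the payload length, or -1 if the frame is rejected.
 * On success *out holds the buffer and the caller frees it. */
long parse_frame(const uint8_t *frame, size_t frame_len, uint8_t **out)
{
    *out = NULL;
    if (frame_len < 4)
        return -1;
    uint32_t wire_len = read_be32(frame);
    size_t need = alloc_size_checked(wire_len);
    if (need == 0 || wire_len > frame_len - 4)  /* declared length must fit the data received */
        return -1;
    uint8_t *buf = calloc(need, 1);
    if (!buf) return -1;
    memcpy(buf, frame + 4, wire_len);
    *out = buf;
    return (long)wire_len;
}
```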

New ISC2 Exploring Entry-Level Cybersecurity Certification

(ISC)² has begun the exciting process of exploring the creation of a new certification. To fill the cybersecurity workforce gap, we need to address the workforce shortage facing the industry, especially among entry- and junior-level positions. A foundational cybersecurity certification will help (ISC)² build a pathway to a rewarding career in cybersecurity for many around the world.

There are five domains to this certification, listed below. For further details, visit the Exam Outline.

  • Security Principles
  • Business Continuity (BC), Disaster Recovery (DR) & Incident Response Concepts
  • Access Controls Concepts
  • Network Security
  • Security Operations

When will (ISC)² begin administering the entry-level cybersecurity certification pilot exam?

The pilot exam administration period will begin Jan. 31, 2022. Registration for the pilot exam is now open with appointments currently available until May 31, 2022. Please note that the pilot exam administration period may be shortened or extended depending on the number of participants taking the exam. We recommend that any interested candidates schedule their exam as early as possible. Any unused vouchers or undelivered exams that are a part of this pilot will be converted to the regular certification program when it becomes available.

All standard (ISC)² exam policies and practices, including rescheduling and special accommodations, also apply to the pilot exam program. Learn more here. For questions, please contact ExamAdministration@isc2.org


To learn more go here

Great Blog post on Microsoft 365 Zero Trust deployment plan

 

Microsoft 365 Zero Trust deployment plan

This article provides a deployment plan for building Zero Trust security with Microsoft 365. Zero Trust is a new security model that assumes breach and verifies each request as though it originated from an uncontrolled network. Regardless of where the request originates or what resource it accesses, the Zero Trust model teaches us to “never trust, always verify.”

Zero Trust security architecture

A Zero Trust approach extends throughout the entire digital estate and serves as an integrated security philosophy and end-to-end strategy.

This illustration provides a representation of the primary elements that contribute to Zero Trust.

[Illustration: Zero Trust security architecture]

In the illustration:

  • Security policy enforcement is at the center of a Zero Trust architecture. This includes multi-factor authentication with conditional access that takes into account user account risk, device status, and other criteria and policies that you set.
  • Identities, devices, data, apps, network, and other infrastructure components are all configured with appropriate security. Policies that are configured for each of these components are coordinated with your overall Zero Trust strategy. For example, device policies determine the criteria for healthy devices and conditional access policies require healthy devices for access to specific apps and data.
  • Threat protection and intelligence monitors the environment, surfaces current risks, and takes automated action to remediate attacks.

For more information about Zero Trust, see Microsoft’s Zero Trust Guidance Center.

Deploying Zero Trust for Microsoft 365

Microsoft 365 is built intentionally with many security and information protection capabilities to help you build Zero Trust into your environment. Many of the capabilities can be extended to protect access to other SaaS apps your organization uses and the data within these apps.

This illustration represents the work of deploying Zero Trust capabilities. This work is broken into units of work that can be configured together, starting from the bottom and working to the top to ensure that prerequisite work is complete.

[Illustration: Microsoft 365 Zero Trust deployment stack]

In this illustration:

  • Zero Trust begins with a foundation of identity and device protection.
  • Threat protection capabilities are built on top of this foundation to provide real-time monitoring and remediation of security threats.
  • Information protection and governance provide sophisticated controls targeted at specific types of data to protect your most valuable information and to help you comply with compliance standards, including protecting personal information.

To read the rest of the blog go here 

CISA Exploitation of Pulse Connect Secure Vulnerabilities

The Cybersecurity and Infrastructure Security Agency (CISA) is aware of compromises affecting a number of U.S. government agencies, critical infrastructure entities, and other private sector organizations by a cyber threat actor—or actors—beginning in June 2020 or earlier related to vulnerabilities in certain Ivanti Pulse Connect Secure products. Since March 31, 2021, CISA and Ivanti have assisted multiple entities whose vulnerable Pulse Connect Secure products have been exploited by a cyber threat actor. 

These entities confirmed the malicious activity after running the Pulse Secure Connect Integrity Tool. To gain initial access, the threat actor is leveraging multiple vulnerabilities, including CVE-2019-11510, CVE-2020-8260, CVE-2020-8243, and the newly disclosed CVE-2021-22893. 

The threat actor is using this access to place webshells on the Pulse Connect Secure appliance for further access and persistence. The known webshells allow for a variety of functions, including authentication bypass, multi-factor authentication bypass, password logging, and persistence through patching.

To read the full report go here

Modular malware framework targeting SOHO network devices

Cyclops Blink is a malicious Linux ELF executable, compiled for the 32-bit PowerPC (big-endian) architecture.

  • Persistence is maintained throughout the legitimate device firmware update process.
  • Implements a modular framework consisting of a core component and additional modules that are executed as child processes.
  • Modules to download/upload files, extract device information, and update the malware have been built-in and are executed at startup.
  • Command and control (C2) communication uses a custom binary protocol underneath TLS, and messages are individually encrypted.

Introduction
Cyclops Blink is a malicious Linux ELF executable, compiled for the 32-bit PowerPC (big-endian) architecture. NCSC, FBI, CISA, NSA and industry analysis has associated it with a large-scale botnet targeting Small Office/Home Office (SOHO) network devices. This botnet has been active since at least June 2019, affecting WatchGuard Firebox and possibly other SOHO network devices. This report covers the analysis of two samples recently acquired by the FBI from WatchGuard Firebox devices known to have been incorporated into the botnet.
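A triage filter for the architecture profile the report gives (a 32-bit, big-endian PowerPC ELF), as an added example that is not from the NCSC report: the function names and the scan helper are constructed here, and they classify only on ELF header fields, so a match marks a binary for further analysis rather than identifying Cyclops Blink itself.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define EM_PPC 20u  /* ELF e_machine value for 32-bit PowerPC */

/* Returns 1 if buf starts with an ELF header for a 32-bit, big-endian PowerPC
 * binary, the profile the report gives for Cyclops Blink; 0 for any other
 * architecture, a non-ELF file, or input too short to hold the fields checked
 * (e_machine is the 16-bit field ending at offset 20). */
int is_elf32_ppc_be(const uint8_t *buf, size_t len)
{
    if (len < 20)
        return 0;
    if (memcmp(buf, "\x7f" "ELF", 4) != 0)   /* e_ident magic */
        return 0;
    if (buf[4] != 1)                         /* EI_CLASS must be ELFCLASS32 */
        return 0;
    if (buf[5] != 2)                         /* EI_DATA must be ELFDATA2MSB */
        return 0;
    /* e_machine is stored in the file's own byte order, which the EI_DATA
     * check above has just established is big-endian. */
    uint16_t e_machine = (uint16_t)(((uint16_t)buf[18] << 8) | buf[19]);
    return e_machine == EM_PPC;
}

/* Scan an arbitrary buffer (for example a dumped firmware image) for embedded
 * headers matching that profile. Stores up to max_hits offsets in hits and
 * returns the total number found, so a caller can tell when hits was too small. */
size_t find_elf32_ppc_be(const uint8_t *img, size_t len, size_t *hits, size_t max_hits)
{
    size_t found = 0;
    for (size_t off = 0; off + 20 <= len; off++) {
        if (img[off] == 0x7f && is_elf32_ppc_be(img + off, len - off)) {
            if (found < max_hits)
                hits[found] = off;
            found++;
        }
    }
    return found;
}
```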

Read the full report here