Daily Archives: April 25, 2022

WASHINGTON The United States and allied cybersecurity authorities issued a joint Cybersecurity Advisory today on the increased threat of Russian cyber groups targeting critical infrastructure that could impact organizations both within and beyond the Ukraine region. The Cybersecurity and Infrastructure Security Agency (CISA) authored Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure in partnership with the Federal Bureau of Investigation (FBI), National Security Agency (NSA), Australian Cyber Security Centre (ACSC), Canadian Centre for Cyber Security (CCCS), National Cyber Security Centre New Zealand (NZ NCSC), and the United Kingdoms National Cyber Security Centre (NCSC-UK) and National Crime Agency (NCA), and with contributions from industry members of CISAs Joint Cyber Defense Collaborative.The advisory provides technical details on malicious cyber operations by actors from the Russian Federal Security Service (FSB), Russian Foreign Intelligence Service (SVR), Russian General Staff Main Intelligence Directorate (GRU), and Russian Ministry of Defense, Central Scientific Institute of Chemistry and Mechanics (TsNIIKhM). It also includes details on Russian-aligned cyber threat groups and cybercrime groups. Some of these cybercrime groups have recently publicly pledged support for the Russian government or people and have threatened to conduct cyber operations in retaliation for perceived cyber offensives against Russia or against countries or organizations providing materiel support to Ukraine.The advisory recommends several immediate actions for all organizations to take to protect their networks, which include:

Given recent intelligence indicating that the Russian government is exploring options for potential cyberattacks against U.S. critical infrastructure, CISA along with our interagency and international partners are putting out this advisory to highlight the demonstrated threat and capability of Russian state-sponsored and Russian aligned cybercrime groups, said CISA Director Jen Easterly. We know that malicious cyber activity is part of the Russian playbook, which is why every organization large and small should take action to protect themselves during this heightened threat environment. We urge all critical infrastructure owners and operators as well as all organizations to review the guidance in this advisory as well as visit http://www.cisa.gov/shields-up for regular updated information to protect yourself and your business.Threats to critical infrastructure remain very real," said Rob Joyce, NSA Cybersecurity Director. "The Russia situation means you must invest and take action.Russia has significant cyber capabilities and a demonstrated history of using them irresponsibly, and state-sponsored malicious cyber activity is a real risk to organizations around the world, said Sami Khoury, Head, Canadian Centre for Cyber Security. By joining alongside our partners in releasing todays joint advisory, the Communications Security Establishment and its Canadian Centre for Cyber Security continue to support making threat information more publicly available, while providing specific advice and guidance to help protect against these kinds of risks.In this period of heightened cyber threat, it has never been more important to plan and invest in longer-lasting security measures, said Lindy Cameron, NCSC CEO. It is vital that all organisations accelerate plans to raise their overall cyber resilience, particularly those defending our most critical assets. The NCSC continues to collaborate with our international and law enforcement partners to provide organisations with timely actionable advice to give them the best chance of preventing cyber attacks, wherever they come from.Because evolving intelligence indicates that the Russian government is exploring options for potential cyberattacks, the cybersecurity authorities are providing this robust advisory with several resources and mitigations that can help the cybersecurity community protect against possible cyber threats from these adversarial groups. Executives, leaders, and network defenders are urged to implement recommendations to prepare for and mitigate the varied cyber threats listed in the Cybersecurity Advisory here.This advisory provides immediate actions defenders can take to prepare their information technology (IT) and operational technology (OT) networks against exploitation or destructive operations. It also includes general best practices for keeping networks secure and responding to cyber incidents.

NSA and its partners have assessed there is an increased threat and encourage vigilance as critical infrastructure networks could be targeted with destructive malware, distributed denial-of-service (DDoS), ransomware attacks, and cyber espionage.Read the full joint guidance here. Visit our full library for more cybersecurity information and technical guidance.

Go here to read the rest:
CISA, FBI, NSA, and International Partners Issue Advisory on Demonstrated Threats and Capa - National Security Agency

On 17 April, Delhi Police had arrested 35-year-old Ansar, who was allegedly involved in conspiring the communal clashes, an official said. The key accused, Ansar was also found to be previously involved in two cases of assault and was also arrested earlier under preventive sections and booked five times under the Gambling Act and the Arms Act.

Meanwhile, the Aam Aadmi Party (AAP) and Bharatiya Janata Party (BJP) have been trading claims about Ansar, with AAP leader Atishi claiming on Tuesday that he has links with the BJP.

The AAP leader's claim comes a day after the BJP claimed that Ansar in fact had links with AAP.

Imam alias Sonu was arrested by the special staff of the North West Delhi district police on Monday. A video of him wearing a blue kurta opening fire during the violence had gone viral on social media.

At least 25 people have been arrested in connection with the violence that ensued on 16 April during a Hanuman Jayanti procession in Jahangirpuri. Two juveniles have been apprehended as well.

Go here to see the original:
Jahangirpuri: Five Accused Booked Under NSA Sent to 8 Days of Police Custody - The Quint

Babagana Monguno, Nigerias national security adviser, has said the surrendering and reintegration of repentant Boko Haram elements has not engendered the desired result in stemming insurgency in the country.

Mongonu disclosed this after a meeting the President had with Service Chiefs and other major stakeholders in the country, Thursday.

The retired Major General also expressed President Muhammadu Buharis grief about the countrys security situation.

According to the Security Adviser, President Muhammadu Buhari has remained a sad man as a result of the persistent insecurity in the country which the nations security agencies have been unable to endHe revealed that the President cannot be happy when people are being killed on a daily basis.

Read also:Boko Haram is a perversion of religion- Buhari

He described the recent attacks on the Abuja Kaduna train as the last strawMongonnu noted that Buhari has consequently ordered the rescue of all kidnapped persons unhurt using the train attack as a fulcrum.

The NSA noted that the President feels that enough was not being done by the security agencies despite what has been provided.

Monguno stated that the President alone cannot completely receive the blame for the insecurity in the country as his part is to make strategic decisions which the NAA said he has been doing.

The NSA also spoke on the threats coming from the countrys vast land borders and the need to replicate in them what has been achieved in the maritime borders.

He also stressed the imperative of intelligence from ordinary citizens as he noted that unless the wider society is willing to provide the necessary intelligence, the problem of insecurity will linger beyond the time frame intended to end the menace.The meeting which lasted for over three hours, took place inside the Council Chambers of the Presidential Villa, Abuja,

He disclosed that the government is however intensifying behind the scene efforts to rescue the about 68 passengers abducted inside the Abuja-Kaduna train.

View original post here:
Rehabilitation of 'repentant Boko Haram' not yielding desired result - NSA - Businessday

The Minister of Youth and Sports, Mustapha Ussif, has directed the Director General of the National Sports Authority (NSA), Professor Peter Twumasi to submit a full report on the state of national stadia in a bid to get them in shape to host international matches.

This decision was taken following reports from the Confederation of African Football (CAF) to withdraw the Baba Yara Stadium from hosting category A matches.

According to Jamaludeen Abdullah, a special assistant to the minister, the ministry was ready to begin works to renovate all national stadia in the country to be able to host international matches.

The minister has directed the NSA boss to present to him a full report on the state of our national stadiums in order for him to begin action to get them in shape and fit to host all international games, Mr Abdullah said.

The four national stadia likely to be renovated are the Accra Sports Stadium, Baba Yara Sports Stadium, Cape Coast Sp

Follow this link:
NSA tasked to submit report for renovation of stadia - Graphic Online

All of us at Tripwires Vulnerability Exposure and Research Team (VERT) are constantly looking out for interesting stories and developments in the infosec world. Heres what cybersecurity news stood out to us during the week of April 18, 2022. Ive also included some comments on these stories.

On April 13, the Department of Energy (DoE), the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the Federal Bureau of Investigation (FBI) released a joint Cybersecurity Advisory to warn that certain industrial control systems (ICS) and supervisory control and data acquisition (SCADA) devices can be targeted by advanced persistent threat (APT) actors who have the capability to gain full system access, reports Dark Reading.

For those in the CI (Critical Infrastructure) sectors, and more specifically, for those that are responsible for the security of their respective ICS and SCADA Systems, I hope you are paying attention to the news and advisories being published, for good reason.

Mid last week, CISA and a couple of the other lettered, federal agencies (DoE, NSA, FBI) released a new advisory warning that certain ICS and SCADA systems are being targeted by APT (Advanced Persistent Threat) actors to gain full system access and control.

Vulnerable products include:

Once compromised, the threat actors can then use custom-made tools to scan for additional vulnerable devices so they can take control of them too. Noted in the article is that there is a critical issue with Windows-based engineering workstations, whereby they leverage vulnerable motherboard drivers, whether they are in the OT or IT environment. From there, they could elevate their privileges and move laterally across the environment with the potential to cause greater damage.

The Federal Bureau of Investigation (FBI) has issued an alert on a new phishing scheme aimed at tricking victims into making money transfers to accounts controlled by cybercriminals, Security Week reports. The attack moonlights as a legitimate financial institution and targets users of digital payment applications, sending them a text and asking them to confirm that they initiated an instant money transfer.

Phishing schemes and their social engineering techniques appear to be getting more and more sophisticated, which is a problem for people who are unfamiliar with these types of schemes, or for those who may be more vulnerable.

Digital banking and payment apps are beyond commonplace now (pandemic aside, I cant remember the last time I stepped foot inside a physical bank branch), so its unsurprising that phishing has made its way to them. The FBI is warning of a Reverse Instant Payment scam.

As the article notes, if a recipient of an automated text message responds, the cybercriminal will call the potential victim from a spoofed 1-800 number that appears to match that of the financial institution. Additionally, the criminals are typically speaking English with no accent.

Diving a bit deeper into how the scam is perpetrated, the attackers look to have extensive information of the victims background, including past addresses, Social Security numbers, etc. Armed with this, they claim to represent the banks fraud department and walk the victim through a process thats meant to reverse a fake instant payment transaction (that the victim did not initiate in the first place).

From there, the victim is asked to remove their email address from the digital payment app and share it with the cybercriminal, who then adds it to a bank account that is controlled by the cybercriminals.

After the email address has been changed, they ask the victim to initiate a new instant payment transaction address to themselves which will cancel or reverse the original fraudulent payment. What is happening is that the victim is now sending the payment from their bank account to the one now controlled by cybercriminal.

From the FBI:

Cryptocurrency wallet maker MetaMask has warned its 21 million monthly users to be wary of Apple iCloud backing up their apps data by default, after attackers successfully stole $650,000 of funds and NFTs. In a blog on Bitdefender, Graham Cluley explains that once your Apple ID is compromised, hackers can gain access to sensitive data from any of your apps (like MetaMask) that backed up with default settings.

This is an example of how good social engineering and phishing is getting, as well as ensuring you review the default settings on an app when you choose to install it. A cryptocurrency wallet user revealed that he had fallen victim to a social engineering scam and had $650K worth of funds and NFTs stolen.

Here is how the scam was pulled off:

So now the attacker had access to the victims iCloud account. By default, that wont automatically provide access to a users separate cryptocurrency wallet. Here is where checking the app settings to see what is being backed up to your iCloud account is critical.

The default setting of MetaMask (the cryptocurrency wallet used by the victim) is to back up data to the users iCloud account, including the secret 12-word recovery phrase, which would be used in an emergency (by the user) if they cannot remember their password or access their account. There is no warning provided by the app to inform users that data is being backed up to the users iCloud Account, which is critical in my opinion.

The article and victim do not go into detail as to how the attacker then got access to the victims MetaMask encrypted vault, but it does suggest that if they had reused a password, chose an obvious one, or one that could easily be cracked, then they could go on to access everything in the crypto wallet.

Recommendations provided by the article, which I wholeheartedly endorse:

Amazon Web Services (AWS) has fixed four security issues in its hot patch from December that addressed the critical Log4Shell vulnerability (CVE-2021-44228), reports Bleeping Computer. This particular vuln affects cloud or on-premise environments running Java applications with a vulnerable version of the Log4j logging library or containers.

AWS looks to have addressed four issues from its initial hot patch release in December, which was meant to address the Log4Shell vulnerability, which affects Java applications running a vulnerable version of Log4j logging library or containers.

It is important to note that the hot patches are not exclusive to AWS Resources, which allowed escaping a container in the environment and taking control of a host.

For those unfamiliar with containers, and escaping a container, they can be broken down as follows. Containers are:

Escaping a container involves exploiting vulnerabilities which allow an attacker to break free of a containers isolation and access the hosts resources. This presents a large problem as they may be able to elevate privileges and cause additional harm.

Security Researchers discovered that the hot-fix solutions meant to address the Log4j/Log4Shell would keep searching for Java processes and patch them on the fly, without checking to see what restrictions should be enforced by the container. An additional problem that was created because of the patches was that the host processes were all provided with elevated privileges during the Log4Shell patching processes.

AWS Users that applied the initial hot patch can review the security bulletin which details the four new issues and what to do to address them.

This is a fitting example of why vulnerability management is such an important and critical piece of risk management and cybersecurity. If security practitioners and their leadership do not have a good handle on what vulnerabilities exist within their organization and what is being done to address them, then it is only a matter of time before malicious actors exploit these gaps in your digital defenses.

Vulnerability Management is a continuous and on-going exercise, which should feed into the larger cybersecurity policies. Look at the NIST Cybersecurity Framework for starters. While this is geared towards the Critical Infrastructure sectors, it has five distinct functions in its cycle, with specific sub-categories and outputs to help define an entire plan.

Cisco on Wednesday announced the release of patches for several high-severity vulnerabilities in its products, including a bug reported by the National Security Agency (NSA). Tracked as CVE-2022-20783 (CVSS score of 7.5), the NSA-reported flaw is a denial of service (DoS) issue in TelePresence Collaboration Endpoint (CE) and RoomOS software, which could be exploited remotely, without authentication, Security Week noted on April 21.

Cisco released another round of patches of high-severity vulnerabilities. Some key patches include fixes for a denial-of-service vulnerability that the NSA reported in their TelePresence CE and RoomOS software. They also patched an elevation of privilege vulnerability in their VIM product alongside about 10 medium severity vulnerabilities.

Want more insights from Tripwire VERT before our next cybersecurity news roundup comes out? Subscribe to our newsletter here.

See the original post here:
VERT's Cybersecurity News for the Week of April 18, 2022 - tripwire.com