threat


Microsoft Announces General Availability of Threat …

Source: National Cyber Security – Produced By Gregory Evans

Microsoft made several security announcements ahead of RSA Conference, including its decision to bring Microsoft Defender to iOS and Android.

Microsoft today announced the general availability of its Threat Protection and Insider Risk Management platforms, as well as the decision to bring Microsoft Defender Advanced Threat Protection to iOS and Android. The announcements come amid a wave of security product news ahead of RSA Conference.

When Microsoft Threat Protection (MTP) arrived in public preview last December, it was described as an “integrated solution” built on the Microsoft 365 security suite: Defender Advanced Threat Protection (ATP) for endpoints, Office 365 ATP for email and collaboration, Azure ATP for identity alerts, and Microsoft Cloud App Security (MCAS) for software-as-a-service applications.

MTP is designed to bring the capabilities of all of these Microsoft systems together into a single tool and, in doing so, to coordinate threat detection and response. It looks across domains to understand a chain of events, pinpoint affected assets, and protect resources. MTP prioritizes incidents for investigation and response, terminates malicious processes on endpoints, and removes mail-forwarding rules an attacker may have put in place. It’s meant to give admins greater visibility, stop attacks from spreading, and automatically fix assets affected in an attack.

Insider Risk Management, built into Microsoft 365 and launched in preview at last year’s Ignite, aims to help security teams address a threat that has become a primary concern among CISOs. It started with an internal demand at Microsoft to use machine learning to detect threats based on user behavior, explains Ann Johnson, corporate vice president of cybersecurity at Microsoft.

“It’s one of those solutions that when we brought it to market, the demand was instant,” she says. Insider Risk Management uses the same technology that classifies and protects 50 billion documents for Microsoft users; it’s meant to bring signals, sensitivity labels, and content into a single view so admins can get a picture of what’s happening and take appropriate action.

Many insider threat cases are not inherently malicious, Johnson explains. In one preview case, an employee had forwarded a work email to their personal email because there was data they wanted to access, and they didn’t realize the email contained confidential proprietary data. In another, the tool picked up on users authenticating into applications from different locations.

The preview process taught Microsoft about how companies approach insider threats, which the company believed would be more of a compliance issue, Johnson says. “What we’ve learned is a lot of customers consider insider risk management solely a SOC problem,” she explains. Going forward, a goal is to add new capabilities to educate customers on how they can integrate insider threat management into their broader risk management platforms.

In addition to making MTP and Insider Risk Management generally available, Microsoft is bringing Defender ATP to Linux in public preview and plans to bring the security platform to Android and iOS later this year. Mobile apps for both platforms will be demonstrated at next week’s RSA Conference. Defender ATP is already available on Windows and Mac platforms.

Microsoft’s announcements also include new capabilities for Azure Sentinel, which debuted in February 2019 and became generally available in September. The cloud-native SIEM narrows high volumes of signals down to the significant incidents security teams should prioritize. In December, Microsoft used Sentinel to evaluate nearly 50 billion suspicious signals and generated 25 high-confidence alerts for the security operations team to investigate.

Microsoft is bringing in new data connectors and workbooks from Forcepoint, Zimperium, Quest, CyberArk, Squadra, and other partners to make data collection easier. A new connector for Azure Security Center for IoT lets admins onboard data workloads from Internet of Things deployments managed in the IoT Hub into Azure Sentinel. Microsoft is also releasing new developer documents, guides, samples, validation criteria, and an updated GitHub wiki.

To show how Azure Sentinel can pull security insights from across the enterprise, Microsoft is letting new and current Azure Sentinel users import Amazon Web Services CloudTrail logs at no additional cost from Feb. 24 through June 30, 2020.


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial …

#cybersecurity | #hackerspace | VERT Threat Alert: January 2020 Patch Tuesday Analysis

Today’s VERT Alert addresses Microsoft’s January 2020 Security Updates. VERT is actively working on coverage for these vulnerabilities and expects to ship ASPL-866 on Wednesday, January 15th. 

In-The-Wild & Disclosed CVEs

CVE-2020-0601

While there are no in-the-wild and disclosed CVEs in the January patch drop, there is a lot of discussion around CVE-2020-0601. The vulnerability allows for Elliptic Curve Cryptography (ECC) spoofing due to the way these certificates are validated. This vulnerability was reported to Microsoft by the NSA and rumors in various publications indicate that certain government agencies and enterprises were given advance notice of this vulnerability.

Microsoft has rated this vulnerability as 1 (Exploitation More Likely) on the Exploitability Index for the latest software release.

CVE Breakdown by Tag

While the historical Microsoft Security Bulletin groupings are gone, Microsoft vulnerabilities are tagged with an identifier. This list provides a breakdown of the CVEs on a per-tag basis.

Tag | CVE Count | CVEs
--- | --- | ---
Windows Update Stack | 1 | CVE-2020-0638
Windows Hyper-V | 1 | CVE-2020-0617
Windows Subsystem for Linux | 1 | CVE-2020-0636
ASP.NET | 2 | CVE-2020-0602, CVE-2020-0603
Microsoft Windows | 8 | CVE-2020-0601, CVE-2020-0608, CVE-2020-0616, CVE-2020-0620, CVE-2020-0621, CVE-2020-0624, CVE-2020-0635, CVE-2020-0644
Apps | 1 | CVE-2020-0654
.NET Framework | 3 | CVE-2020-0605, CVE-2020-0606, CVE-2020-0646
Microsoft Graphics Component | 4 | CVE-2020-0607, CVE-2020-0622, CVE-2020-0642, CVE-2020-0643
Microsoft Scripting Engine | 1 | CVE-2020-0640
Common Log File System Driver | 3 | CVE-2020-0615, CVE-2020-0639, CVE-2020-0634
Microsoft Dynamics | 1 | CVE-2020-0656
Windows Media | 1 | CVE-2020-0641
Microsoft Windows Search Component | 12 | CVE-2020-0613, CVE-2020-0614, CVE-2020-0623, CVE-2020-0625, CVE-2020-0626, CVE-2020-0627, CVE-2020-0628, CVE-2020-0629, CVE-2020-0630, CVE-2020-0631, CVE-2020-0632, CVE-2020-0633
Microsoft Office | 5 | CVE-2020-0647, CVE-2020-0650, CVE-2020-0651, CVE-2020-0652, CVE-2020-0653
Windows RDP | 5 | CVE-2020-0609, CVE-2020-0610, CVE-2020-0611, CVE-2020-0612, CVE-2020-0637

 

Other Information

There were no new advisories released today. However, it is worth mentioning that today marks the final day of support for Windows 7, Windows Server 2008, and Windows Server 2008 R2. These platforms are now considered end of life and (Read more…)


Weekly Threat Briefing: Colorado Town Wires Over $1 Million To BEC Scammers

The intelligence in this week’s iteration discusses the following threats: BabyShark, Fraud, Maze Ransomware, North Korea, POS malware, Ransomware, Rowhammer, Ryuk Ransomware, Thallium. The IOCs related to these stories are attached to the Community Threat Briefing and can be used to check your logs for potential malicious activity.

Figure 1 – IOC Summary Charts.  These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.


#comptia | #ransomware | High-Impact Windows 10 Security Threat Revealed As App-Killing Malware Evolves

Image: New research reveals alarming Windows 10 ‘Clop’ app-killing threat (Getty)

The Federal Bureau of Investigation (FBI) issued a high-impact threat warning to U.S. businesses and organizations on October 2, 2019. That threat was ransomware, and the FBI warned that cybercriminals “upgrade and change their techniques to […]

Kaspersky Web Traffic Security Gains Threat Detection

by Dan Kobialka • Dec 27, 2019

Kaspersky, a Russian antivirus and anti-malware solutions provider, has integrated Kaspersky Anti Targeted Attack threat detection capabilities into its Kaspersky Web Traffic Security offering. In doing so, organizations can leverage Kaspersky Web Traffic Security in combination with Kaspersky Anti […]

#cybersecurity | #hackerspace | First Amendment Fight: Twitter Threat Ends in Conviction

First amendment rights in the United States only go so far. Shout “fire” in a crowded room for thrills or threaten to kill someone and you will find yourself on the wrong side of the First Amendment interpretation of what constitutes free speech. Joseph Cecil Vandevere […]

#cybersecurity | #hackerspace | Avast Threat Labs Uncovers Brazil Cyberattacks | Avast

In late November the Avast Threat Labs team discovered cyberattacks that exploited Brazilian users’ routers to send them to phishing pages designed to look like actual websites the victim wanted to visit. In this case, sites included Brazilian banking and news sites, as well as Netflix. […]

Weekly Threat Briefing: New Banking Trojan Infects Victims via McDonald’s Malvertising

The intelligence in this week’s iteration discusses the following threats: Backdoors, Cryptocurrency, Data breaches, Malware, and Trojans. The IOCs related to these stories are attached to the Community Threat Briefing and can be used to check your logs for potential malicious activity. Figure 1: IOC Summary Charts. These […]

#city | #ransomware | Ransomware attacks shaking up threat landscape — again

Ransomware is changing the threat landscape yet again, though this time it isn’t with malicious code.

A spike in ransomware attacks against municipal governments and healthcare organizations, coupled with advancements in the back-end operations of specific campaigns, has concerned security researchers and analysts alike. The trends are so alarming that Jeff Pollard, vice president and a principal analyst at Forrester Research, said he expects local, state and city governments will be forced to seek disaster relief funds from the federal government to recover from ransomware attacks.

“There’s definitely been an uptick in overall attacks, but we’re seeing municipality after municipality get hit with ransomware now,” Pollard said. “When those vital government services are disrupted, then it’s a disaster.”

In fact, Forrester’s report “Predictions 2020: Cybersecurity” anticipates that at least one local government will ask for disaster relief funding from their national government in order to recover from a ransomware attack that cripples municipal services, whether they’re electrical utilities or public healthcare facilities.

Many U.S. state, local and city governments have already been disrupted by ransomware this year, including a massive attack on Atlanta in March that paralyzed much of the city’s non-emergency services. A number of healthcare organizations have also shut down from ransomware attacks, including a network of hospitals in Alabama.

The increase in attacks on municipal governments and healthcare organizations has been accompanied by another trend this year, according to several security researchers: Threat actors are upping their ransomware games.

Today’s infamous ransomware campaigns share some aspects with the notable cyberattacks of 20 years ago. For example, the ILOVEYOU worm used a simple VBScript to spread through email systems and even overwrote random files on infected devices, which forced several enterprises and government agencies to shut down their email servers.

But today’s ransomware threats aren’t just using more sophisticated techniques to infect organizations — they’ve also built thriving financial models that resemble the businesses of their cybersecurity counterparts. And they’re going after targets that will deliver the biggest return on investment.

New approaches

The McAfee Labs Threats Report for August showed a 118% increase in ransomware detections for the first quarter of this year, driven largely by the infamous Ryuk and GandCrab families. But more importantly, the vendor noted how many ransomware operations had embraced “innovative” attack techniques to target businesses; instead of using mass phishing campaigns (as Ryuk and GandCrab have), “an increasing number of attacks are gaining access to a company that has open and exposed remote access points, such as RDP [remote desktop protocol] and virtual network computing,” the report stated.


“The concept of ransomware is no longer the concept that we’ve historically known it as,” Raj Samani, chief scientist at McAfee, told SearchSecurity.

Sophos Labs’ 2020 Threat Report, which was published earlier this month, presented similar findings. The endpoint security vendor noted that since the SamSam ransomware attacks in 2018, more threat actors have “jumped on the RDP bandwagon” to gain access to corporate networks, not just endpoint devices. In addition, Sophos researchers found more attacks using remote monitoring and management software from vendors such as ConnectWise and Kaseya (ConnectWise’s Automate software was recently used in a series of attacks).

John Shier, senior security advisor at Sophos, said certain ransomware operations are demonstrating more sophistication and moving away from relying on “spray and pray” phishing emails. “The majority of the ransomware landscape was just opportunistic attacks,” he said.

That’s no longer the case, he said. In addition to searching for devices with exposed RDP or weak passwords that can be discovered by brute-force attacks, threat actors are also using that access to routinely locate and destroy backups. “The thoroughness of the attacks in those cases is devastating, and therefore they can command higher ransoms and get a higher percentage of payments,” Shier said.

Jeremiah Dewey, senior director of managed services and head of incident response at Rapid7, said his company began getting more calls about ransomware attacks with higher ransom demands. “This year, especially earlier in the year, we saw ransomware authors determine that they could ask for more,” he said.

With the volume of ransomware attacks this year, experts expect that trend to continue.

The ransomware economy

Samani said the new strategies and approaches used by many threat groups show a “professionalization” of the ransomware economy. But there are also operational aspects, particularly with the ransomware-as-a-service (RaaS) model, that are exhibiting increased sophistication. With RaaS campaigns such as GandCrab, ransomware authors make their code available to “affiliates” who are then tasked with infecting victims; the authors take a percentage of the ransoms earned by the affiliates.

In the past, Samani said, affiliates were usually less-skilled cybercriminals who relied on traditional phishing or social engineering tactics to spread ransomware. But that has changed, he said. In a series of research posts on Sodinokibi, a RaaS operation that experts believe was developed by GandCrab authors, McAfee observed the emergence of “all-star” affiliates who have gone above and beyond what typical affiliates do.

“Now you’re seeing affiliates beginning to recruit individuals that are specialists in RDP stressing or RDP brute-forcing,” Samani said. “Threat actors are now hiring specific individuals based on their specialties to go out and perform the first phase of the attack, which may well be the initial entry vector into an organization.”

And once they achieve access to a target environment, Samani said, the all-stars generally lie low until they achieve an understanding of the network, move laterally and locate and compromise backups in order to maximize the damage.

Sophos Labs’ 2020 Threat Report also noted that many ransomware actors are prioritizing which drives, files and documents to encrypt first, based on the types of data they hold. Shier said it’s not surprising to see ransomware campaigns increasingly use tactics that rely on human interaction. “What we’ve seen starting with SamSam is more of a hybrid model — there is some automation, but there’s also some humans,” he said.

These tactics and strategies have transformed the ransomware business, Samani said, shifting it away from the economies-of-scale approach of old. “All-star” affiliates who can not only infect the most victims but also command the biggest ransoms are now reaping the biggest rewards. And the cybercriminals behind these RaaS operations are paying close attention, too.

“The bad guys are actively monitoring, tracking and managing the efficiency of specific affiliates and rewarding them if they are as good as they claim to be,” Samani said. “It’s absolutely fascinating.”

Silver linings, dark portents

There is some good news for enterprises amid the latest ransomware research. For one, Samani said, the more professional ransomware operations were likely forced to adapt because the return on investment for ransomware was decreasing. Efforts from cybersecurity vendors and projects like No More Ransom contributed to victims refusing to pay, either because their data had been decrypted or because they were advised against it.

As a result, ransomware campaigns were forced to improve their strategies and operations in order to catch bigger fish and earn bigger rewards. “Return on investment is the key motivator to the re-evolution or rebirth of ransomware,” Samani said.

Another positive, according to Shier, is that not every ransomware campaign or its affiliates have the necessary skills to emulate a SamSam operation, for example. “In terms of other campaigns implementing similar models and techniques, it’s grown in the past 18 months,” he said. “But there are some limitations there.”

On the downside, Shier said, cybercriminals often don’t even need that level of sophistication to achieve some level of success. “Not everyone has the technical expertise to exploit BlueKeep for an RDP attack,” he said. “But there’s enough exposed RDP [systems] out there with weak passwords that you don’t need things like BlueKeep.”

In addition, Samani said the ransomware operations that earn large payments will be in a position to improve even further. “If you’ve got enough money, then you can hire whoever you want,” Samani said. “Money gives you the ability to improve research and development and innovate and move your code forward.”

In order to make the most money, threat actors will look for the organizations that are not only most vulnerable but also the most likely to pay large ransoms. That, Samani said, could lead to even more attacks on government and healthcare targets in 2020.

Shier said most ransomware attacks on healthcare companies and municipal governments still appear to be opportunistic infections, but he wouldn’t be surprised if more sophisticated ransomware operations begin to purposefully target those organizations in order to maximize their earnings.

“[Threat actors] know there are organizations that simply can’t experience downtime,” Shier said. “They don’t care who they are impacting. They want to make money.”


#cyberfraud | #cybercriminals | There’s A New Cyber Threat Targeting Netflix Users

There’s a new phishing scam targeting Australian Netflix customers – and it’s incredibly easy to be fooled by it. The highly convincing email asks users to update their payment information via a link to an official-looking website. Whatever you do, do not click that link. Here’s what you need to know.

Australian Netflix users have been hit by a fresh wave of phishing scams designed to steal your money. The email uses official branding and even uses the customer’s username – just like a real Netflix email. The supplied link also looks legit.

Despite being outed by the media last Friday, the scam is still reaching potential victims. I know this because my wife just received the below email:

“Sorry for the interruption, but we are having trouble authorising your Credit Card,” the email states. “Please visit www.netflix.com/youraccountpayment to enter your payment information again or to use a different payment method. When you have finished, we will try to verify your account again. If it still does not work, you will want to contact your credit card company.”

Clicking on the link takes you to a phishing site that looks just like the real Netflix site. Typing in your credit card details will result in currency theft and the locking of your Netflix account.

The only signs that something dodgy is afoot are the sender’s email address and the actual link target (which differs from the displayed hyperlink). While these red flags are obvious to tech-savvy users, I imagine there are many casual users out there who would fail to notice.

Needless to say, if you receive one of these emails you should delete it without clicking on any of the supplied links. You can read up on how to identify and avoid email scams in the related article below.


10 Steps To Avoid Falling Victim To An Email Phishing Scam

One of the most popular ways for cybercriminals to steal personal information is through email phishing scams. Cybercriminals often use this method of attack to trick employees of large organisations into clicking on malicious links so they can gain access to corporate networks that contain valuable data. Here are 10 tips on how to avoid becoming an email phishing victim.

