Request Demo

Connective Platform™

Connective Shield

Connective Identity

Connective Vigilance

Solutions

Partners

Support

Company

Blog

Career

About Us

+1-303-423-4500

Contact Us

Where can we view the lock out triggers / logs?

The log itself is in  – this provides you with all the information about what  is doing.  is the process that keeps track of many things: login failures (technically it is called the “login failure daemon”) but also other irregularities on a hosting platform: long running processes, user-run script executions, root logins, things like that.

Another way is to look at the output of the ‘csf -g’ command.
Its full use is: csf -g ip.address.goes.here

This will show you real-time whether or not a certain ip is accepted or dropped (denied). If the IP does not show up when searched this way, then csf/lfd have no blocks or accepts on the IP in particular, at which point server-wide firewall settings will still apply; for example a server-wide deny to a certain port.

To manually unblock, you can use the ‘‘

More usage information on csf is in the output of the ‘‘ command, as well as the author’s website at  .

Where can we view the lock out triggers / logs? There are a few ways to do it. The log itself is in /var/log/lfd.log – this provides you with all the information about what lfd is doing. lfd is the process that keeps track of many things: login failures (technically it is called the “login […]

CSF / LDF user / IP lock out info

Analytics

Big Data

Billing

Business

Business Intelligence

Cloud Computing

Consulting

Cybersecurity

Data Warehouse

News

Services

Technology

Testing as a Service

We focus on reliability, quality, and value.

A shocking discovery by cybersecurity researchers has put thousands of LG smart TV owners at risk of having their devices remotely hijacked. The vulnerability, impacting an estimated 91,000 TVs, allows attackers to gain complete control over affected devices, potentially stealing data, installing malware, or even using the compromised TV as a launching pad for further attacks on the user's network.

The security flaws, identified as CVE-2023-6317 and CVE-2023-6318, were discovered by Bitdefender and reported to LG. While LG addressed the vulnerabilities with a patch released in March 2024, many users remain unaware of the risk and have not yet updated their devices.

Experts warn that these vulnerabilities pose a significant threat, allowing attackers to take over a victim's TV without their knowledge. The consequences could be severe, ranging from privacy invasion and data theft to financial loss and broader network compromise.

Experts urge all LG smart TV owners to take immediate action to protect themselves:

Update your TV's software: This is the single most important step. Go to your TV's settings and check for available software updates. Install them immediately to patch the vulnerabilities.

Be cautious of suspicious apps: Only download apps from the official LG Content Store and avoid installing anything from unknown sources.

Beware of phishing scams: Be vigilant against emails or messages claiming to be from LG and prompting you to click on links or download files. These could be attempts to install malware on your devices.

LG smart TV owners are encouraged to take these precautions seriously to ensure their devices remain secure and their personal information protected. 

A security vulnerability impacting a significant number of LG smart TVs was recently disclosed. This flaw could allow attackers to remotely seize control of susceptible devices. Researchers at Bitdefender discovered two critical vulnerabilities (CVE-2023-6317 and CVE-2023-6318) that, when combined, could grant unauthorized users complete control over a targeted LG smart TV.

91,000 Smart LG TV Devices Vulnerable to Remote Takeover

Even though the cybersecurity pros I work with haven't fallen for the latest LinkedIn scam, seeing it hit my inbox made me realize just how dangerous and believable these attacks are. The sophistication of this one surprised even me, and that's concerning. Luckily, no damage was done this time, but as LinkedIn usage grows, we need to be prepared. Here's how to protect yourself before these scams evolve even further...

These attacks start with a super convincing fake email that looks like it's from Microsoft. It might warn you about suspicious activity and make you panic. You click, get taken to a website that looks exactly like the Microsoft login page, and enter your credentials. But here's the trick – even with your password, they need that one-time security code sent to your phone or email. The fake email pressures you to hand over that code, and once you do, the attackers are in control of your entire account.

These scams aren't going away, they'll only get trickier. Taking a few precautions now is much better than dealing with a hacked account later.

Scrutinize the Sender: I never trust an email address at first glance. One wrong letter, an extra domain (.co instead of .com), is a red flag, no matter how official it looks.

Resist Clicking: If an email makes me nervous or claims there's an urgent problem, I never click links. I go to the company website directly and log in that way.

Codes are Sacred: Codes sent to my phone or email are my last line of defense. At work, we're told to never share these with anyone, and that's my rule for everything now.

If you're unsure about phishing in general, there are great resources online Security Awareness Training | KnowBe4 And if your company offers any security training, take advantage! Before you open an unknown email – Stop, think, and don't be uninformed.

Even though the cybersecurity pros I work with haven't fallen for the latest LinkedIn scam, seeing it hit my inbox made me realize just how dangerous and believable these attacks are. The sophistication of this one surprised even me, and that's concerning.

This LinkedIn Scam Got Me (Almost)...and It Should Scare You Too

A hacking competition called Pwn2Own 2024 in Vancouver awarded over $1.1 million to participants who discovered vulnerabilities in various software and devices. This security competition incentivizes hackers to discover and report vulnerabilities in widely used software and devices. By finding these vulnerabilities, companies can patch them before malicious actors exploit them for criminal purposes.

The biggest winners were those who found exploits compromising Tesla cars. On the first day, hackers earned a combined $732,500 for finding 19 zero-day vulnerabilities. These vulnerabilities affected Tesla cars, along with popular operating systems and programs like Windows, Ubuntu, and Adobe Reader.

The top prize of $200,000 went to a team from Synacktiv for hacking a Tesla's electronic control unit (ECU), which could potentially allow them to manipulate the car. The second day's top earner was Manfred Paul, who won $100,000 for a critical Firefox exploit. Paul's exploit allowed for remote code execution and escaping the program's sandbox protections. Overall, Paul won more than $200,000 during the competition by also hacking other browsers as well.

A hacking competition called Pwn2Own 2024 in Vancouver awarded over $1.1 million to participants who discovered vulnerabilities in various software and devices. This security competition incentivizes hackers to discover and report vulnerabilities in widely used software and devices. 

Tesla, OS, Software Exploits Earn Hackers $1.1 Million at Pwn2Own 2024

Cybercriminals are looking for ways to integrate large language models (LLMs) into their attacks, and they have three main options: trying to bypass the safeguards on existing LLMs, building their own LLMs, or using uncensored open-source models.

One recent example is Dark Gemini, an underground service that appears to modify prompts sent to a legitimate LLM in order to bypass restrictions. While Dark Gemini's abilities weren't very impressive, it demonstrates how cybercriminals can leverage existing LLMs to enhance phishing attacks, for instance, by generating more convincing text.

Security researchers are concerned that nation-state actors are already using LLMs to improve their operations. Additionally, some researchers believe the safeguards on LLMs can be easily bypassed. However, it seems that using LLMs for more complex tasks, like creating malware, will still be difficult due to the current limitations.

In conclusion, cybercriminals are actively looking for ways to exploit LLMs, and while there are challenges, even basic use of LLMs can improve the effectiveness of existing attacks.

Cybercriminals Weigh Options for Using LLMs: Buy, Build, or Break?

In a proactive measure to enhance user security, Google has announced an update to its Chrome browser, effectively patching a series of vulnerabilities, including the zero-day flaw CVE-2024-3159, unveiled at the Pwn2Own hacking contest in March 2024. This critical issue, an out-of-bounds memory access in the V8 JavaScript engine, was exploited by Edouard Bochin and Tao Yan from Palo Alto Networks, earning them a $42,500 reward.

CVE-2024-3159 is the third zero-day discovered at Pwn2Own 2024 to be addressed by Google, following earlier fixes for vulnerabilities in WebCodecs and WebAssembly. In addition to CVE-2024-3159, the latest update also corrects two other vulnerabilities reported by external researchers, with Google disbursing $10,000 in total bounties.

The updated Chrome versions—123.0.6312.105/.106/.107 for Windows and macOS, and version 123.0.6312.105 for Linux—are currently being deployed. 

The diligent response from Google emphasizes the tech giant's commitment to user security and the pivotal role of ethical hacking competitions like Pwn2Own in identifying and mitigating potential threats. These contests not only help in uncovering hidden vulnerabilities but also foster a culture of proactive security measures among tech companies. Users are strongly advised to update their browsers to the latest version to ensure they have the most up-to-date defenses against this specific vulnerability and others that may pose a risk. Google's commitment to security, combined with the collaborative efforts of the cybersecurity community, continues to play a vital role in maintaining the integrity and safety of the digital landscape.

Source: SecurityWeek 04/03/2024

In a proactive measure to enhance user security, Google has announced an update to its Chrome browser, effectively patching a series of vulnerabilities, including the zero-day flaw CVE-2024-3159, unveiled at the Pwn2Own hacking contest in March 2024. 

Google Updates Chrome to Patch Zero-Day Flaw Exposed at Pwn2Own

It’s been three months since the Securities and Exchange Commission’s cyber disclosure rules took effect and rather than creating a deluge of incident revelations, only a trickle has emerged. Companies have submitted 12 initial Form 8-K, Item 1.05 filings, the form the SEC began requiring businesses to file for material cybersecurity incidents on Dec. 18. Each of these filings mention an “incident,” and all but two said the activity or access was “unauthorized.” While the language businesses use in Item 1.05 filings are ultimately crafted to notify regulators and investors of potential risks, these words also signal how a company detects, mitigates, contains and recovers from cyberattacks. Across the filings Cybersecurity Dive analyzed, none of the businesses described the incident as a breach or data breach in the filing with the SEC — and that was likely by design.

“Words like ‘breach’ and ‘data breach’ have very specific legal meanings and consequences, and they also have a particular meaning within what I’ll call the public consciousness,” said Travis Brennan, partner and chair of the privacy and data security practice at Stradling. “It’s just become a very loaded term, generally, and I think it’s one that companies in these disclosures will studiously avoid using in most cases,” Brennan said. “Once there has been a breach, as opposed to merely an incident, that suggests that the risk of harm has just gone up a few notches.” 

It’s been three months since the Securities and Exchange Commission’s cyber disclosure rules took effect and rather than creating a deluge of incident revelations, only a trickle has emerged. 

How companies describe cyber incidents in SEC filings

APIs were the target of 29% of web attacks in 2023, with cybercriminals exploiting the swiftly growing API economy for new avenues of attack, according to a report from Akamai. The commerce sector experienced the highest number of attacks, accounting for about 44%. Business services followed at nearly 32%. Attacks ranged from Local File Inclusion (LFI) and SQL Injection (SQLi) to Cross-Site Scripting (XSS).

Akamai’s findings underscore the escalating concerns in the industry surrounding API security threats. In 2021, Gartner predicted API abuse and data breaches would double by 2024. In 2023, the Open Web Application Security Project (OWASP) released a dedicated list of API-specific risks, highlighting the growing concern. “APIs are increasingly critical to organizations, but their security is often not designed into the capability, or the security team is not able to keep up with the rapid deployment of new technology,” Steve Winterfeld, advisory CISO of Akamai, said in the State of the Internet (SOTI) report.

APIs are pivotal in developing new capabilities within companies. However, their security often receives inadequate attention, either overlooked in early planning stages or failing to match the pace of rapid technological deployment. Akamai pointed out two distinct issues in this regard — posture and runtime problems.

API implementation flaws in an enterprise can lead to posture problems. Most common among them include shadow endpoints, unauthenticated resource access, sensitive data in a URL, a permissive cross-origin resource sharing (CORS) policy, and excessive client errors.

Runtime problems, on the other hand, are active threats demanding immediate action. These include unauthenticated resource access attempts, API activity with unusual JSON payloads, path parameter fuzzing attempts, illogical API timestamps, geolocation, or sequence, and data scraping. 

Adopting a comprehensive API security program provides organizations with unparalleled visibility across their digital ecosystem. This includes discovering all APIs within the organization, auditing their risk levels, detecting abnormal behaviors indicative of abuse, and enabling expert-led investigations to hunt for hidden threats.

APIs were the target of 29% of web attacks in 2023, with cybercriminals exploiting the swiftly growing API economy for new avenues of attack, according to a report from Akamai. 

A third of web attacks targeted APIs in 2023, threatening the expanding API economy

DDoS attacks against the financial services sector historically accounted for about 10-15% of all attacks, however that trend began to rise in 2021, the FS-ISAC and Akamai found. “Financial services companies are prime targets because successfully disrupting operations, for even just a moment, can lead to severe reputational risks and distrust in the global financial system,” Teresa Walsh, chief intelligence officer and managing director, EMEA, at FS-ISAC, said via email.

Akamai in September said it prevented a DDoS attack on a major U.S. financial institution. The attack peaked at 633.7 gigabits per second and 55 million packets per second. The increased activity was driven in large part by hacktivist groups using DDoS as a tool to disrupt institutions at a time of rising geopolitical tensions.

U.S. authorities in July warned that threat groups were potentially targeting multiple sectors using DDoS capabilities, including one group which claimed to have targeted the Treasury Department’s Electronic Federal Tax Payment System. By October, security researchers warned a novel zero day vulnerability, known as HTTP/2 Rapid Reset, was being used to launch some of the most powerful DDoS attacks ever recorded.  

DDoS attacks against the financial services sector historically accounted for about 10-15% of all attacks, however that trend began to rise in 2021, the FS-ISAC and Akamai found. 

Financial services sees sharp increase in DDoS attacks as geopolitical tensions rise

The NIST Cybersecurity Framework (CSF) 2.0, an evolution of its predecessor, is a comprehensive guide designed to assist organizations across various sectors in managing and mitigating cybersecurity risks effectively. This framework, while not prescribing specific actions, offers a taxonomy of high-level cybersecurity outcomes, enabling organizations, regardless of their size, sector, or maturity, to better understand, assess, prioritize, and communicate their cybersecurity efforts.

The CSF 2.0 emphasizes the importance of communication and integration in cybersecurity risk management. It advocates for a shared understanding and approach to managing cybersecurity risk, not just within an organization but also in its interactions with third parties. This shared understanding is crucial for making informed decisions about cybersecurity expenditures and actions, ultimately enhancing an organization’s cybersecurity posture.  The NIST Cybersecurity Framework 2.0 serves as a foundational resource for organizations seeking to navigate the complex landscape of cybersecurity risks. It encourages a proactive, nuanced approach to cybersecurity, emphasizing flexibility, adaptability, and continuous improvement. 

The NIST Cybersecurity Framework (CSF) 2.0, an evolution of its predecessor, is a comprehensive guide designed to assist organizations across various sectors in managing and mitigating cybersecurity risks effectively.

An Overview of the NIST Cybersecurity Framework 2.0

Google’s new Security Command Center Enterprise (SCC Enterprise) could streamline cloud risk management through AI automation, saving security teams time, experts say. Enhanced with Mandiant threat intelligence and generative AI, SCC Enterprise aims to offer comprehensive insights across the cloud security lifecycle. Google Cloud has identified gaps in the protection provided by current cloud-native application protection platforms (CNAPPs) and introduced SCC Enterprise as a solution to better guard against emerging threats.

“There are two things that Security Command Center Enterprise addresses compared with previous solutions: tighter integration between cloud and enterprise security and coverage across multi-cloud rather than just operating in silos,” Narayana Pappu, CEO at Zendata, a San Francisco-based provider of data security and privacy compliance solutions said in an interview. “Automation and integration of Gen AI brings efficiencies that will save teams time as well.”

According to Suni Potti, VP/GM of Google Cloud Security, the new platform integrates Mandiant Threat Intelligence with modern SecOps capabilities, enabling swift responses to cloud security incidents through “SIEM-powered visibility and SOAR-driven accountability.”

“Security teams can get a single view of their posture controls, active threats, cloud identities, data, and more, while integrating remediation and issue accountability into the end-to-end workflows of a converged cloud risk management platform,” Potti wrote in a blog post.

Google’s new Security Command Center Enterprise (SCC Enterprise) could streamline cloud risk management through AI automation, saving security teams time, experts say. Enhanced with Mandiant threat intelligence and generative AI, SCC Enterprise aims to offer comprehensive insights across the cloud security lifecycle.

Google’s Security Command Center Enterprise fills gaps across cloud security lifecycle

Lookout recently discovered an advanced phishing kit exhibiting novel tactics to target cryptocurrency platforms as well as the Federal Communications Commission (FCC) via mobile devices. Following the tactics of groups like Scattered Spider, this kit enables attackers to build carbon copies of single sign-on (SSO) pages, then use a combination of email, SMS, and voice phishing to trick the target into sharing usernames, passwords, password reset URLs and even photo IDs from hundreds of victims, mostly in the United States.

Lookout first flagged this phishing kit when our automated analysis discovered a suspicious new domain registration that matched a common format used by Scattered Spider, as mentioned in a recent warning by CISA.  The domain in question was fcc-okta[.]com, which is only a single character different from the legitimate FCC Okta Single Sign On (SSO) page. This phishing kit first asks the victim to complete a captcha using hCaptcha. This is a novel tactic that prevents automated analysis tools from crawling and identifying the phishing site. It may also give the illusion of credibility to the victim, as typically only legitimate sites use captcha. Once the captcha is completed, the login page mimics the FCC’s legitimate Okta page. Upon providing their credentials, the victim can be sent to wait, sign in, or ask for the MFA token.

Unlike typical phishing kits, which attempt to harvest credentials as quickly as possible, this one seems to be aware of modern security controls organizations have put in place such as MFA. 

Lookout researchers saw that there is an administrative console that the operator uses to monitor the phishing page. While we were unable to directly access this console, we were able to access its javascript and css and piece together much of its functionality.  Each time a victim visited the page and entered information, we observed that a new row was populated on a table. Once the victim enters their username and password, the admin is able to select from a long list of options of where to send them next. The attacker likely attempts to log in using these credentials in real time, then redirects the victim to the appropriate page depending on what additional information is requested by the MFA service the attacker is trying to access, For example, they can be redirected to a page that asks for their MFA token from their authenticator app or a page requesting an SMS-based token.  

We were also able to investigate the phishing kit, which gave us additional insight into targets and tactics used. The kit contains numerous references to cryptocurrency platforms and SSO services. While the version of the kit targeted at the FCC impersonates the FCC’s specific Okta page by default, the kit is able to impersonate many different company’s brands. 

Lookout recently discovered an advanced phishing kit exhibiting novel tactics to target cryptocurrency platforms as well as the Federal Communications Commission (FCC) via mobile devices.

CryptoChameleon: New Phishing Tactics Exhibited in FCC-Targeted Attack

The BlackCat ransomware gang is pulling an exit scam, trying to shut down and run off with affiliates’ money by pretending the FBI seized their site and infrastructure. The gang announced they are now selling the source code for the malware for the hefty price of $5 million. On a hacker forum, ALPHV said that they decided "to close the project" because of "the feds," without providing additional details or a clarification. However, a national law enforcement agency listed on the seizure banner confirmed to BleepingComputer that they were not involved in any recent disruption of ALPHV infrastructure.

The ransomware gang started the exit-scam operation on Friday, when they took their Tor data leak blog  offline. On Monday, they further shut down the negotiation servers, saying that they decided to turn everything off, amid complaints from an affiliate that the operators stole a $20 million Change Healthcare ransom from them." Yesterday, the gang's status on Tox changed to 'GG' ('good game') - hinting at the end of the operation, and later to "selling source code 5kk," indicating that they wanted $5 million for their malware. In a message on a hacker forum shared by Recorded Future's Dmitry Smilyanets, the administrators of the operation said that they "decided to completely close the project" and "we can officially declare that the feds screwed us over. At the time of writing, the ALPHV leak site shows a fake banner announcing that the Federal Bureau of Investigation (FBI) seized the server in a “coordinated law enforcement action taken against ALPHV Blackcat Ransomware.

Rumors of a possible exit scam from ALPHV started when a longtime ALPHV partner, a so-called "Notchy," claimed that the gang had closed their account and robbed them of a $22 million payment from the ransom allegedly paid by Optum for the Change Healthcare attack.

The BlackCat ransomware gang is pulling an exit scam, trying to shut down and run off with affiliates’ money by pretending the FBI seized their site and infrastructure.

BlackCat ransomware shuts down in exit scam, blames the "feds"

Chris Betz is neither fearful nor overly optimistic about the role of generative AI in cybersecurity. Instead Betz, CISO at AWS, balances both ends of the spectrum — he treats it just as he does any other burgeoning technology. “For what it’s worth, I’m not sure that the sky is falling,” Betz told Cybersecurity Dive.

The security industry has not yet seen evidence that substantiates broad concerns about threat actors using generative AI to initiate cyberattacks more quickly, more often or with more damaging outcomes.

While researchers expect AI to amplify the impact for defenders and attackers, threat actors’ use of AI in their operations is limited, according to Crowdstrike’s annual global threat report. “Throughout 2023, generative AI was rarely observed supporting malicious computer network operations development and/or execution,” the firm said last month in the report.

It’s tough and too early to say if the advantages afforded by generative AI rest with defenders or attackers, according to Betz. Threat actors and security professionals are leveraging the technology in scenarios that play to their strengths. For defense, generative AI can resolve problems faster and more efficiently. Organizations can use AI to scan for hard-to-find vulnerabilities and determine steps for remediation.

“There’s a ton of information for security analysts to understand. There’s a ton of information for an application security engineer to understand. That ability to synthesize, to help answer questions, to help lead and find the right data and bring it together in a usable way is incredibly powerful for defenders,” Betz said. “That’s perhaps the place where attackers are not quite in the same place. They don’t have that rich data about the people that they’re attacking. And so this could be a case where there’s an advantage to the defender.”

AWS CISO: Generative AI is just a tool, ‘not a magic wand’

Despite arrests, infrastructure seizure and international law enforcement efforts, LockBit ransomware has resurfaced, promising robust security and threatening aggressive cyber attacks on UK and USA government sectors.

The leader of the LockBit ransomware, whose identity is still unknown to authorities, admitted negligence in letting the FBI and the UK’s National Crime Agency control its servers via a PHP attack but promised backups and continued operations. The announcement comes only a week after the group was neutralized in Operation Cronos, a multinational law enforcement investigation, reportedly neutralized the ransomware gang.

The message from the gang’s admin which directly addressed the FBI and the NCA, revealed that servers without PHP installed in backup blogs are unaffected and will continue to release stolen data from targeted companies, even after the FBI hack, and stolen data will be published on the LockBit blog.

The admin claims that Operation Cronos was successful because of their negligence and irresponsibility in “not updating PHP settings on their servers in good time.” They denied Operation Cronos investigators’ claims regarding arresting their two alleged affiliates, the gang donating to a Crimea-based Russian propagandist (Sevastapol Colonel Cassad), and recovering a high number of decryptors.  

LockBit Ransomware Gang Returns, Taunts FBI and Vows Data Leaks

NIST on Feb 26th announced the official release of version 2.0 of its Cybersecurity Framework (CSF), the first major update since its creation a decade ago.

The cybersecurity framework was originally aimed at critical infrastructure organizations, but it has been widely used and widely recommended and NIST highlighted that CSF 2.0 is designed to help all organizations reduce risks, regardless of sector, size, or level of security sophistication. 

Based on the feedback it received on the draft of the Cybersecurity Framework 2.0, NIST expanded the core guidance and created additional resources to help organizations use the CSF to its full potential. 

Users are provided implementation examples and quick-start guides that are tailored to their specific needs. The CSF 2.0 also offers a searchable catalog of references that enables organizations to map guidance to over 50 other relevant cybersecurity documents.

“The CSF has been a vital tool for many organizations, helping them anticipate and deal with cybersecurity threats,” said NIST Director Laurie E. Locascio. “CSF 2.0, which builds on previous versions, is not just about one document. It is about a suite of resources that can be customized and used individually or in combination over time as an organization’s cybersecurity needs change and its capabilities evolve.” 

NIST Cybersecurity Framework 2.0 Officially Released

Google is testing a new feature to prevent malicious public websites from pivoting through a user's browser to attack devices and services on internal, private networks. More simply, Google plans to prevent bad websites on the internet from attacking a visitor's devices (like printers or routers) in your home or on your computer. People usually consider these devices safe as they're not directly connected to the internet and are protected by a router. "To prevent malicious websites from pivoting through the user agent's network position to attack devices and services which reasonably assumed they were unreachable from the Internet at large, by virtue of residing on the user's local intranet or the user's machine," Google described the idea in a support document.

The proposed "Private Network Access protections" feature, which will be in a "warning-only" mode in Chrome 123, conducts checks before a public website (referred to as "site A") directs a browser to visit another site (referred to as "site B") within the user's private network. 

While in the warning stage, even if the checks fail, the feature won't block the requests. Instead, developers will see a warning in the DevTools console, giving them time to adjust before stricter enforcement begins. The motivation behind this development is to prevent malicious websites on the internet from exploiting flaws on devices and servers in users' internal networks, which were presumed safe from internet-based threats.

Google is testing a new feature to prevent malicious public websites from pivoting through a user's browser to attack devices and services on internal, private networks. More simply, Google plans to prevent bad websites on the internet from attacking a visitor's devices (like printers or routers) in your home or on your computer. 

New Google Chrome feature blocks attacks against home networks

Although it's been sitting there since 2000, researchers were just recently able to suss out a fundamental design flaw in a Domain Name System (DNS) security extension, which under certain circumstances could be exploited to take down wide expanses of the Internet. DNS servers translate website URLs into IP addresses and, mostly invisibly, carry all Internet traffic.

The team behind the discovery is from ATHENE National Research Center for Applied Cybersecurity in Germany. They named the security vulnerability "KeyTrap," tracked as CVE-2023-50387. According to their new report on the KeyTrap DNS bug, the researchers found that a single packet sent to a DNS server implementation using the DNSSEC extension to validate traffic could force the server into a resolution loop that causes it to consume all of its own computing power and stall. If multiple DNS servers were exploited at the same time with KeyTrap, they could be downed at the same time, resulting in widespread Internet outages, according to the team of academics.

In testing, the length of time the DNS servers remained offline after an attack differed, but the report noted that Bind 9, the most widely deployed DNS implementation, could remain stalled for up to 16 hours. According to the Internet Systems Consortium (ISC), which oversees DNS servers worldwide, 34% of DNS servers in North America use DNSSEC for authentication and are therefore vulnerable to this flaw.

The good news is that there is no evidence of active exploit so far, according to the report and ISC.

Although it's been sitting there since 2000, researchers were just recently able to suss out a fundamental design flaw in a Domain Name System (DNS) security extension, which under certain circumstances could be exploited to take down wide expanses of the Internet. 

'KeyTrap' DNS Bug Threatens Widespread Internet Outages

Apple on Wednesday unveiled PQ3, a new post-quantum cryptographic protocol for iMessage that is designed to protect encrypted communications even against future quantum computing attacks. End-to-end encryption is present by default in many popular messaging applications, but the actual level of protection depends on the cryptographic protocols they use and how they are implemented. 

Apple describes three levels of encryption in messaging apps: level 0, apps that don’t provide end-to-end encryption by default; level 1, apps that provide end-to-end encryption by default via traditional cryptography; level 2, apps that provide post-quantum security in the initial encryption key establishment; and level 3, apps that provide post-quantum security in both key establishment and ongoing message exchanges. The privacy-focused application Signal recently reached ‘level 2’, when it announced support for the Post-Quantum Extended Diffie-Hellman (PQXDH) protocol, but Apple says the PQ3 protocol puts iMessage in ‘level 3’, ensuring that communications are protected even if an encryption key is compromised. 

The tech giant says iMessage will be the only messaging application that limits the number of past and future messages that can be decrypted by an attacker who has obtained a single encryption key. This is done by automatically changing post-quantum keys on an ongoing basis. Apple says PQ3 has been designed to combine post-quantum algorithms with classic Elliptic Curve cryptography, requiring an attacker to defeat both the classic and the post-quantum cryptography in order to gain access to communications. The company notes that PQ3 has been designed to amortize the message size to avoid excessive overhead.

While we may be many years away from practical quantum computing attacks, Apple says the introduction of PQ3 is useful now against so-called ‘Harvest Now, Decrypt Later’ attacks. This refers to threat actors collecting and storing encrypted communications now with the goal of decrypting them in the future when quantum computers become available.

Apple on Wednesday unveiled PQ3, a new post-quantum cryptographic protocol for iMessage that is designed to protect encrypted communications even against future quantum computing attacks.

Apple Adds Post-Quantum Encryption to iMessage

Email attacks relying on QR codes surged in the last quarter, with attackers specifically targeting corporate executives and managers, reinforcing recommendations that companies place additional digital protections around their business leadership. Making matters worse, phishing emails using QR codes (aka "quishing") can often get by spam filters, with attacks targeting users of Microsoft 365 and DocuSign successfully landing in email inboxes, according to a report published this week by Abnormal Security, a provider of cloud email security.

In the fourth quarter of 2023, the average top executive in the C-suite saw 42 times more phishing attacks using QR codes compared to the average employee. Other managerial roles suffered an increase in attacks as well, although significantly smaller, with these non-C-suite executives encountering five times more QR-code-based phishing attacks, according to the company's report. 

Overall, the data demonstrates that attackers have executives — and other privileged users — in their sites, says Mike Britton, CISO for Abnormal Security. "If I'm an attacker, I want to attack the people that have the ability for me to get paid and have credentials that give me access to the most interesting information," he says. "Or I want to pretend to be those people, because once again, social engineering requires that trust, [for a victim to think,] hey, this VP of sales or this VP of HR is asking me to do something, [making them] typically more likely ... to take action."

While QR codes have been around for three decades, they became much more popular during the pandemic, as restaurants and other businesses directed customers to contact-free and online ordering. In a business context, a top use case for QR codes is offering links to ease the sign-up process for multifactor authentication (MFA). Cyberattackers have hopped on: More than a quarter of QR code attacks (27%) in Q4 were fake notices of MFA, for example, while about one-in-five attacks (21%) were fake notifications about a shared document, according to Abnormal Security's report.

Email attacks relying on QR codes surged in the last quarter, with attackers specifically targeting corporate executives and managers, reinforcing recommendations that companies place additional digital protections around their business leadership.

QR Code 'Quishing' Attacks on Execs Surge, Evading Email Security

Ransomware operators were especially successful targeting critical zero-day vulnerabilities in widely used IT products.

Last year’s surge in ransomware attacks was driven in part by zero-day exploit sprees targeting the MOVEit and GoAnywhere file-transfer services, Citrix networking devices and print management software PaperCut, according to Unit 42. 

Unit 42's analysis discerned a correlation between an upsurge in posts on ransomware leak sites and the periods when these four vulnerabilities were most heavily exploited. However, they caution that the volume of posts on these leak sites does not necessarily provide an exhaustive or accurate representation of the ransomware landscape.

Certain ransomware groups initiate operations without resorting to these 'name and shame' sites. Furthermore, organizations that promptly acquiesce to ransom demands often remain unlisted on a group’s leak site. Consequently, the true extent of ransomware attacks may vary significantly from what is suggested by these platforms, as noted by Unit 42 in their report.

Blockchain analysis company Chainalysis echoed similar concerns about tracking ransom payments. The firm stated, "The ransomware landscape is not only prolific but continually expanding, making it challenging to monitor every incident or trace all ransom payments made in cryptocurrencies."

Federal cyber officials have consistently emphasized the need for more comprehensive and timely information on attacks as they unfold. A pervasive lack of reporting by victims of ransomware attacks impedes law enforcement's ability to take effective action, allowing for a significant portion of criminal activity to persist undetected in the shadows.

Videos

CSF / LDF user / IP lock out info

Where can we view the lock out triggers / logs?

You may also like