Home

Reading Time: < 1 minutes

Pegasus is the spyware – that is developed, marketed and licensed to governments around the world by the Israeli company NSO Group.

What is Spyware

It has the capability to infect billions of phones running either iOS or Android operating systems.

Pegasus has evolved from using spear-phishing, a process where an attacker tricks the target to click on a malicious link sent via text message or email, to a more sophisticated method of attack called zero-click attacks. This new form of attack has made the software one of the most dangerous spyware that threatens individual’s privacy.

To gain entry, the software identifies zero-day vulnerabilities, meaning flaws in the OS that are not identified yet and hence have not been patched. Instead of exploiting human error, it banks on flaws in the software and hardware system to gain access to a device.

All the hacker does is simply make a WhatsApp call and that initiates access to the OS by launching the code. After planting the malware, Pegasus alters call log so that the user has no knowledge of what happened.

Reading Time: 2 minutes
Bull’s Eye

An analysis of criminal forums revealed information regarding top trending Common Vulnerabilities and Exposures (CVEs) among cybercriminals. According to researchers, criminal discussions in underground forums reveal information about the most talked-about CVEs.

Analysis of CVEs

The below analysis by Cognyte is an outcome of examining 15 cybercrime forums from January 2020 to March 2021.
  • The top six, also the most famous among cybercriminals, CVEs are CVE-2020-1472 (aka ZeroLogon), CVE-2020-0796 (aka SMBGhost), CVE-2019-19781CVE-2019-0708 (aka BlueKeep), CVE-2017-11882, and CVE-2017-0199.
  • According to the report, most of the discovered CVEs were exploited by nation-state hackers and cybercriminals; for example, ransomware gangs and global attack campaigns aimed at different industries.
  • The researchers discovered that ZeroLogonSMBGhost, and BlueKeep were among the most talked-about vulnerabilities among cybercriminals between January 2020 and March 2021.
  • Moreover, a nine-year-old CVE-2012-0158 was exploited during the onset of the COVID-19 pandemic, which manifests that organizations are still lagging behind in taking these threats seriously.

Recent exploit incidents

The above-mentioned vulnerabilities have been used by several attackers to target their victims in the past few months.
  • In May, APT29, the threat actors allegedly associated with the Russian Foreign Intelligence Service, were observed leveraging several vulnerabilities, including the Citrix flaw CVE-2019-19781, to target its victims.
  • In April, Prometei, a persistent cryptocurrency mining botnet was observed exploiting Microsoft Exchange vulnerabilities—CVE-2021-27065 and CVE-2021-26858—to target victim networks to install malware.
  • Around the same time, a new Chinese APT Backdoor PortDoor was observed exploiting several vulnerabilities in Microsoft’s Equation Editor, including CVE-2017-11882, CVE-2018-0798, and CVE-2018-0802.

Conclusion

The recent analysis provides another great insight into cybercriminals’ interest in the CVEs. This information could help organizations to identify flaws exploited in the wild and help security professionals address the potential weaknesses by applying appropriate security patches.
Reading Time: 3 minutes

 US and EU have accused China of carrying out a major cyber-attack earlier this year.

The attack targeted Microsoft Exchange servers, affecting at least 30,000 organisations globally.

Western security services believe it signals a shift from a targeted espionage campaign to a smash-and-grab raid, leading to concerns Chinese cyber-behaviour is escalating.

The Chinese Ministry of State Security (MSS) has also been accused of wider espionage activity and a broader pattern of “reckless” behaviour.

China has previously denied allegations of hacking and says it opposes all forms of cyber-crime.

The unified call-out of Beijing shows the gravity with which this case has been taken. Western intelligence officials say aspects are markedly more serious than anything they have seen before.

It began in January when hackers from a Chinese-linked group known as Hafnium began exploiting a vulnerability in Microsoft Exchange. They used the vulnerability to insert backdoors into systems which they could return to later.

The UK said the attack was likely to enable large-scale espionage, including the acquisition of personal information and intellectual property.

It was mainly carried out against specific systems which aligned with Hafnium’s previous targets, such as defence contractors, think tanks and universities.

“We believe that cyber-operators working under the control of Chinese intelligence learned about the Microsoft vulnerability in early January, and were racing to exploit the vulnerability before [it] was widely identified in the public domain,” a security source told the BBC.

If this had been all, it would have been just another espionage operation. But in late February something significant changed.

The targeted attack became a mass pile-in when other China-based groups began to exploit the vulnerability. The targets scaled up to encompass key industries and governments worldwide.

It had turned from targeted espionage to a massive smash-and-grab raid.

Western security sources believe Hafnium obtained advance knowledge that Microsoft intended to patch or close the vulnerability, and so shared it with other China-based groups to maximize the benefit before it became obsolete.

It was the recklessness of the decision to spread the vulnerability that helped drive the decision to call out the Chinese publicly, officials say.

The UK is also understood to have raised the issue of Chinese cyber-activity in private with Beijing over an extended period, including handing over dossiers of evidence.

Microsoft went public about the vulnerability on 2 March and offered a patch to close it. At this point, more hackers around the world had realized its value and piled in.

Around a quarter of a million systems globally were left exposed – often small or medium-sized businesses and organizations – and at least 30,000 were compromised.

Western governments accuse the MSS of using hackers for hire and want it to sever ties with them.

The UK Foreign Office said the Chinese government had “ignored repeated calls to end its reckless campaign, instead allowing state-backed actors to increase the scale of their attacks and act recklessly when caught”.

The White House said it reserved the right to take additional actions against China over its cyber activities.

The EU, meanwhile, said the hack had “resulted in security risks and significant economic loss for our government institutions and private companies”.

But Western spies are still struggling to understand why Chinese behavior has changed. If the hackers were authorized to escalate, it would suggest a step-change in what the country is willing to do and raise the fear that they no longer care about being caught.

That is partly why so many governments have joined together to signal their concerns. Japan, Australia, Canada and New Zealand have joined Nato in issuing a statement in “solidarity”.

The countries also called out wider Chinese behavior which it linked to two groups known as APT 40 and APT 31, which are believed to be linked to the MSS.

Despite the strong language, there are no signs of fresh sanctions against China. In contrast, new sanctions were placed on Russia for the recent SolarWinds campaign which many experts believe was less serious than the Microsoft Exchange campaign linked to China.

Some officials, however, hope China is more sensitive than Russia to international pressure.

The US Department of Justice has announced criminal charges against four MSS hackers which it said were linked to a long-term campaign targeting foreign governments and entities in key sectors in a least a dozen countries.

Ultimately, Western security sources believe the MSS is behind all the activity revealed today and hope co-ordinated international action will put pressure on their activities.

Reading Time: 2 minutes

Since a  long time the Cost of a Data Breach Report is produced jointly between Ponemon Institute and IBM Security. The research is conducted independently by Ponemon Institute, and the results are sponsored, analyzed, reported and published by IBM Security.

The Cost of a Data Breach Report is a global report, combining results from 524 organizations across 17 countries and regions, and 17 industries to provide global averages.

Due to pandemic there were rapid shift  to remote work and  leads to enormous data breaches. Organizations were focused on getting online and security become afterthought. Also security leaders struggling to maintain status que or compliance of organization.

The study identify the following trends among companies:

Healthcare breach cost: Healthcare industry topped in average total cost of a data breach with $7.3 million a 10% increase over the 2019 study. Similarly, the energy sector saw a 13% increase from 2019, to an average of $6.39 million in the 2020 study. Overall, 13 of 17 industries experienced an average total cost decline year over year, with the steepest drops coming in media, education, public sector and hospitality.

Stolen credentials: Stolen or compromised credentials were the most expensive cause of malicious data breaches. One in five companies (19%) that suffered a malicious data breach was infiltrated due to stolen or compromised credentials, increasing the average total cost of a breach for these companies by nearly $1 million to $4.77 million. Overall, malicious attacks registered as the most frequent root cause (52% of breaches in the study), versus human error (23%) or system glitches (25%).

Shift to cloud: Misconfigured clouds were a leading cause of breaches. Security complexity and cloud migration cost companies most. Undergoing an extensive cloud migration at the time of the breach increased the average cost of a breach by more than $267,000, to an adjusted average cost of $4.13 million.

Remote work:  The report found that factors such as remote working has a significant impact on data breach response. Nearly 20% of organizations studied reported that remote work was a factor in data breach, and these

Breach up ending costing companies$4.96 million(nearly 15% more than the average breach)

Investment in incident response teams and plans reduced the data breach cost . companies with incident response team that also tested their incident response plan had an average breach cost of $3.25 million.

 

Reading Time: 2 minutes

Approximately three weeks later a Florida-based software vendor Kaseya which was hit by a widespread ransomware attack, the company now able manage to gets decryption key for REvil ransomware. One of the most hazardous attack in ransomware history world has seen.

The attacks, which exploited now-patched zero-days in the Kaseya Virtual Server Administrator (VSA) platform, affected Kaseya customers in 22 countries using the on-premises version of the platform. Many of which are managed service providers (MSPs) who use VSA to manage the networks of other businesses.

Around 60 direct customers and 1,500 downstream customers of those MSPs were also affected.

The VSA software is used by Kaseya customers to remotely monitor and manage software and network infrastructure.

It’s unclear if Kaseya paid any ransom amount or not. REvil members had demanded a ransom of $70 million an amount that was again negotiated to $50 million later. Or the abrupt appearance of decryption key suggest that it is possible this ransom may have been paid would have been negotiate to a lower price.  but soon after, the ransomware gang mysteriously went off the grid, shutting down their payment sites and data leak portals.

Kaseya is working with Emsisoft to support their customer in recovery of systems and data. And Emsisoft has confirm that its decryption key is working and unlocking victims.

The lesson from the attack was Whenever an organization trusts third parties or vendors with the keys to their business, they are undertaking a serious risk. Its MSP/third party work when access has been given then they should protect their customers aggressively.

Found this article interesting? Follow HackersIdentity on Facebook, Twitter  and LinkedIn to read more exclusive content we post.

Reading Time: 2 minutes

Type of cyber Attack

  1. Malware: in which malicious software is used to attack information systems. Ransomware, spyware and Trojans are examples of malware. Depending on the type of malicious code, malware could be used by hackers to steal or secretly copy sensitive data, block access to files, disrupt system operations or make systems inoperable.
  2. Phishing: in which hackers socially engineer email messages to entice recipients to open them. The recipients are tricked into downloading the malware contained within the email by either opening an attached file or embedded link.
  3. Man-in-the-middle: or MitM, where attackers secretly insert themselves between two parties, such as individual computer users and their financial institution. Depending on the details of the actual attack, this type of attack may be more specifically classified as a man-in-the-browser attackmonster-in-the-middle attack or machine-in-the-middle attack. It is also sometimes called an eavesdropping attack.
  4. DDoS: in which hackers bombard an organization’s servers with large volumes of simultaneous data requests, thereby making the servers unable to handle any legitimate requests.
  5. SQL injection: where hackers insert malicious code into servers using the Structured Query Language programming language to get the server to reveal sensitive data.
  6. Zero-day exploit: which happens when a newly identified vulnerability in IT infrastructure is first exploited by hackers.
  7. Domain name system (DNS) tunneling: a sophisticated attack in which attackers establish and then use persistently available access — or a tunnel — into their targets’ systems.
  8. Drive-by: or drive-by download, occurs when an individual visits a website that, in turn, infects the unsuspecting individual’s computer with malware.

Credential-based attacks happen when hackers steal the credentials that IT workers use to access and manage systems and then use that information to illegally access computers to steal sensitive data or otherwise disrupt an organization and its operations.

How Can You Prevent A Cyber Attack?

There is no guaranteed way for any organization to prevent a cyber attack, but there are numerous cybersecurity best practices that organizations can follow to reduce the risk. Reducing the risk of a cyber attack relies on using a combination of skilled security professionals, processes and technology. Reducing risk also involves three broad categories of defensive action:

  • preventing attempted attacks from actually entering the organization’s IT systems;
  • detecting intrusions; and
  • disrupting attacks already in motion — ideally, at the earliest possible time.

Best practices include the following:

  • implementing perimeter defenses, such as firewalls, to help block attack attempts and to block access to known malicious domains;
    • using software to protect against malware, namely antivirus software, thereby adding another layer of protection against cyber attacks;
    • having a patch management program to address known software vulnerabilities that could be exploited by hackers;
    • setting appropriate security configurations, password policies and user access controls;
    • maintaining a monitoring and detection program to identify and alert to suspicious activity;
    • creating incident response plans to guide reaction to a breach; and
    • training and educating individual users about attack scenarios and how they as individuals have a role to play in protecting the organization.
Reading Time: 2 minutes

cybersecurity-2020

India Rank’s Among Top 10 In Global Cybersecurity Index 2020.

GCI-Global Cybersecurity Index is a yearly survey carried out by ITU (International telecommunication union) the united nations specialized agency for ICT’s. GCI was first launch in 2015. For year 2020 the index maps 82 questions on 194 members state cybersecurity commitments. And the ranking was measured on basis of five pillars:

  • Legal measures
  • Technical measures
  • Organizational measures
  • Capacity development measures
  • Co-operation measures

India rank’s in 10th position with score of 97.5.The list is topped by USA with score 100 followed by United Kingdom and Saudi Arabia in second position with score 99.54. India has also secured the fourth position in the Asia Pacific region underlining its commitments to cybersecurity.

Estonia ranked third with score 99.48. while Korea(Rep of),Singapore, Spain spotted at fourth with score 98.52 also fifth was secured by Russian Federation, United Arab Emirates, Malaysia with score 98.06.

Lithuania holds sixth position with score 97.93, Japan secured seventh with score 97.82.Eight and ninth would be Canada and France with score 97.67 and 97.6.

The goal of GCI is to help countries in identifying areas for improvement in the field of cybersecurity. As well as encourage them to take action towards those areas.

Cybersecurity is multidisciplinary field and its application involves all sector, industries and stakeholders both vertically and horizontally. In order to increase development of national capabilities efforts have to be made by political, economical, by law of enforcement, justice department, educational institutes, private sectors, Public-Private partnership, developers of technology and intra-state cooperation. 

Finally India has worked relentlessly  on all the five pillars over the last few years, resulting in significant improvement in its ranking. We hope GCI will also help in address the gap between developed and developing countries by encouraging knowledge, upskilling, and building competencies.