1. Home
  2. Cybersecurity Events

Take action on the latest cybersecurity events

Cybersecurity advisories and events as they happen, with a clear action you can take.

State of (in)security - Week 32
published: Aug. 14, 2023
In the week of August 7th-14th, 2023 security teams have 14 advisory/vulnerability actions to address and 23 data breach incidents to learn from. Amidst this mess, 42,255,138 individuals were caught in the data breach crossfire, with the UK Electoral Commission breach stealing the spotlight as the worst incident. Industries hit hardest were Healthcare and Government, while the battle against third party breaches and ransomware continued.
Take action: The "lazy human syndrome" to educate and push back on: Storing credentials in source code instead of environment or parameter stores, attaching the source sensitive data with the summary report, sending emails to wrong recipients for years, ignoring a vulnerability for 5 years and then fixing it with the finesse of a bulldozer.
Don't be lazy in patching - hackers love it - Zyxel, Fortinet and Magento examples
published: Aug. 11, 2023
Ignoring security advisories and delaying patching can lead to hacker exploitation of unpatched vulnerabilities, as demonstrated by the Gafgyt botnet's exploitation of a five-year-old vulnerability in Zyxel routers, an ongoing exploit campaign targeting Magento 2 ecommerce sites, and exploiting of hundreds of thousands of unpatched Fortinet's Forti OS and FortiProxy systems.
Take action: Patching is hard. So many systems are left unpatched because of fear of breaking things, not enough time, being lazy or infinite optimism. But hackers love us for all of this. Do the work, and don't be optimistic. You don't get an award for patching but when a five year old vulnerability gets exploited, you will get A LOT of questions.
State of (in)security - Week 31
published: Aug. 7, 2023
Between July 31, 2023, and August 7, 2023, there were 9 advisory/vulnerability events, 26 incident/data breach events, and 4 practical knowledge items shared, indicating a slight downward trend from the previous week with 3 fewer incidents and 2 fewer critical vulnerabilities.
Take action: When you are presented with a vulnerability, take time to learn more about the different perspectives of the risk finding. No matter which side of the table you are on - the researcher who discovered an issue or the vendor making the product, make a reasonable discussion and if needed argumented pushback to get to the proper risk perspective. Just never ever ignore a vulnerability for 7 years and then rush to patch it in the most heavy-handed approach you can think of.
Fun story, Serious Risk of data leak via email typos: US military emails go to Mali
published: Aug. 7, 2023
About a decade ago, a major bank employee accidentally sent an NSFW image to the entire company due to an auto-fill typo; while the situation was managed, the recurring issue of typos is a major cybersecurity blunder. The latest one is emails intended for the US military misdirected to Mali due to a consistent .MIL to .ML typo. Despite warnings, the problem persists, even with measures in place to intercept these emails, signaling the need for a combined awareness/tech approach.
Take action: We are all rushing to send an email, and the autofill function is great for entering the recepients. But if you are working with sensitive data, stop before clicking send, and re-read the recepient list. Out loud to yourself if needed. The twenty seconds of reading can save you hours and days of interviews with cybersecurity, lawyers and typing up reports.
Everyone should do better than Veritas who's fixing seven year old vulnerability by deleting the program
published: Aug. 5, 2023
Veritas is VERY belatedly addressing multiple long-standing vulnerabilities, including seven years old critical CVE-2016-0799, in their IT Analytics product data collection process. Veritas is issuing an Advisory and releasing a patch that involves deleting the vulnerable binaries and stopping data colection. So much confusion, it deserves a rant.
Take action: The customers of Veritas will rightly ask why would they pay for maintenance of Veritas software if the security update that's seven years old and amounts to "shift-delete of adapter.exe" and stop of data collection schedule?
CyFox vs Stremio - a primer in risk perception and discussion on vulnerability findings
published: Aug. 3, 2023
A great example of varying interests and perspectives in scoring a vulnerability severity. Cybersecurity research firm CyFox reported a supposed critical DLL hijacking vulnerability in Stremio 4.4, a popular software platform for streaming movies and TV shows. Stremio, however, disputes the severity of the vulnerability, claiming it's more of a general Windows issue. Both parties have different perspectives on the risk. The actual risk to users is present, but not critical, and requires prior compromise of the Windows device. Stremio can implement best practices to mitigate the risk.
Take action: When you are presented with risk severity of a vulnerability, take time to learn more about the different perspectives of a risk finding. No matter which side of the table you are on - the researcher who discovered an issue or the vendor making the product, make a reasonable discussion and if needed argumented pushback to get to the proper risk perspective. This is a necessary step, especially when working with auditors.
Attack Methods on Air-Gapped or Network-Isolated ICS Systems
published: Aug. 3, 2023
The traditional practice of air-gapping industrial control systems (ICS) for security has faced a new challenge. Researchers from Kaspersky ICS-CERT have discovered a sophisticated second-stage malware that can bypass air-gapped defenses. The attackers gain initial access through known vulnerabilities and then deploy malware on removable storage drives to exfiltrate sensitive data from the isolated ICS networks, showcasing their advanced tactics and patient approach to achieve their malicious goals.
Take action: Start educating your organization on the risks of using USBs to transfer data to and from the air-gapped systems in the organization. And make sure that only a few, well controlled and well protected computers (usually linux, with full antimalware active and strict access controls) are the source of USB devices that are used to transfer data to and from the air-gapped systems. If possible disable use of USB on the other parts of the IT network.
AWS Security design review - Risk of AWS SSM Agent use as Remote Access Trojan
published: Aug. 2, 2023
Cybersecurity researchers have discovered that the AWS Systems Manager Agent (SSM Agent), a legitimate tool used by AWS administrators, can be exploited as a remote access trojan (RAT) in both Windows and Linux environments. Attackers can abuse the SSM Agent to maintain access to compromised instances and perform malicious activities. Mitigation techniques include securing endpoints, removing SSM binaries from antivirus allow lists, and using VPC endpoints for Systems Manager to ensure secure and private communication between EC2 instances and the Systems Manager service.
Take action: An awareness topic for your DevOps and Architects team, so you educate them to use a more locked down process of using AWS infrastructure. Persuading the DevOps team that they are at risk will not be trivial since most think they are impervious to cybersecurity attacks. But it's good to educate and raise awareness, it will have them reconsider a bit on the next implementation.
State of (in)security - Week 30
published: July 31, 2023
The cyber awareness summary for the week between July 24, 2023, and July 31, 2023, includes 11 advisory/vulnerability events, 29 incident/data breach events, and the importance of patching critical vulnerabilities in various systems to protect against cyberattacks.
Take action: Custom and proprietary cryptography is always a terrible idea. No matter how good you think you are at cryptography math, you are still one person and can make mistakes, or be pressured into designing something that's intentionally less secure. Always use well known and publicly reviewed cryptography.
How (not) to get hacked in MS office - the latest MS Office Phishing and Exploit Campaign
published: July 27, 2023
A critical security vulnerability in MS Office is used by hackers to execute remote code on targeted systems through a phishing campaign involving a malicious Word document. There is no official patch, only a workaround. So it's time for a little bit of awareness and education.
Take action: As always, if a message is unexpected and either urgent, too good to be true or triggers some emotion, don't trust it. Definitely don't open anything in the message - link or file.