• North Korea’s Lazarus APT Exploits Windows Zero-Day with Advanced Rootkit

    Recently, a Windows zero-day vulnerability—CVE-2024-38193—has been exploited by North Korea’s Lazarus APT group. This flaw, discovered in the Windows Ancillary Function Driver (AFD.sys), allowed the hackers to install a sophisticated rootkit known as FudModule. This article explores the details of the vulnerability, how Lazarus leveraged it, and what this means for cybersecurity as a whole.


    The Vulnerability: CVE-2024-38193

    What is CVE-2024-38193?

    CVE-2024-38193 is a “use after free” vulnerability in AFD.sys, the kernel-mode driver that implements the Winsock API and therefore sits under every network socket on Windows. A use-after-free occurs when code keeps using a memory allocation after it has been released; the freed memory can be reclaimed for another object, so a stale pointer ends up reading or writing data it no longer owns. Because the flaw sits in a kernel-mode driver, a local attacker who already has code execution on the machine can exploit it to gain SYSTEM-level privileges and, more importantly for a rootkit, the ability to read and write kernel memory.
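    To make the bug class concrete, here is an added example; it is not code from AFD.sys, from Microsoft, or from the Lazarus exploit, and the object, allocator and function names are invented for illustration. It models a reference-counted driver object in plain C with a tiny pool allocator that records when a slot is released, so the dangling access can be detected deterministically instead of by triggering undefined behaviour. The vulnerable path drops the last reference while a second code path still holds a raw pointer; the reclaim path shows why that matters once the slot is handed to a new object; the fixed path takes its own reference first.

```c
/* Added example: a user-space model of the use-after-free bug class.
 * Nothing here is AFD.sys or exploit code; all names are invented. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define POOL_SLOTS   4
#define STATE_POISON (-1)

/* A stand-in for a per-socket kernel object shared by several code paths. */
typedef struct socket_ctx {
    int  refcount;
    int  state;
    bool in_use;   /* allocator bookkeeping: cleared when the slot is released */
} socket_ctx;

static socket_ctx pool[POOL_SLOTS];

/* Reset the pool so each scenario below starts from the same state. */
static void pool_reset(void) { memset(pool, 0, sizeof pool); }

/* First-fit allocator: a freed slot is handed out again by the next call,
 * which is exactly what an attacker relies on to reclaim freed memory. */
static socket_ctx *ctx_alloc(void) {
    for (int i = 0; i < POOL_SLOTS; i++) {
        if (!pool[i].in_use) {
            pool[i].in_use = true;
            pool[i].refcount = 1;
            pool[i].state = 0;
            return &pool[i];
        }
    }
    return NULL;
}

static void ctx_free(socket_ctx *c) {
    c->in_use = false;
    c->state = STATE_POISON;      /* make stale reads obvious */
}

static void ctx_get(socket_ctx *c) { c->refcount++; }

static void ctx_put(socket_ctx *c) {
    if (--c->refcount == 0)
        ctx_free(c);
}

/* The "use". Returns 0 on success, -1 if the object was already freed. */
static int ctx_set_state(socket_ctx *c, int new_state) {
    if (!c->in_use)
        return -1;                /* dangling pointer: use after free */
    c->state = new_state;
    return 0;
}

/* Vulnerable sequence: a worker path aliases the object without taking a
 * reference. The close path (another thread in a real driver) drops the
 * last reference, and the worker then writes through its stale pointer. */
int vulnerable_sequence(void) {
    pool_reset();
    socket_ctx *obj = ctx_alloc();
    socket_ctx *worker = obj;            /* raw alias, no ctx_get() */
    ctx_put(obj);                        /* close: 1 -> 0, object freed */
    return ctx_set_state(worker, 5);     /* -1: touched freed memory */
}

/* Why the stale write matters: once the slot is reclaimed by a new object,
 * the worker's write lands in memory it no longer owns. Returns the state
 * the new owner observes; 5 means it was clobbered through the stale pointer. */
int reclaim_sequence(void) {
    pool_reset();
    socket_ctx *obj = ctx_alloc();
    socket_ctx *worker = obj;
    ctx_put(obj);                        /* freed */
    socket_ctx *victim = ctx_alloc();    /* first-fit: same slot */
    victim->state = 1;
    worker->state = 5;                   /* stale write into `victim` */
    return victim->state;
}

/* Fixed sequence: every path that uses the object owns a reference for the
 * whole time it does so, so the close path cannot free it from underneath. */
int fixed_sequence(void) {
    pool_reset();
    socket_ctx *obj = ctx_alloc();
    socket_ctx *worker = obj;
    ctx_get(worker);                     /* worker: 1 -> 2 */
    ctx_put(obj);                        /* close:  2 -> 1, object survives */
    int rc = ctx_set_state(worker, 5);   /* 0: still valid */
    ctx_put(worker);                     /* worker done: 1 -> 0, freed here */
    return rc;
}

/* Whether slot 0 is still allocated; shows the fixed path releases the
 * object once the last reference is gone. */
bool slot0_in_use(void) { return pool[0].in_use; }

int main(void) {
    printf("vulnerable: rc=%d (-1 = use after free)\n", vulnerable_sequence());
    printf("reclaim:    victim state=%d (5 = clobbered)\n", reclaim_sequence());
    int rc = fixed_sequence();
    printf("fixed:      rc=%d, slot freed afterwards=%d\n", rc, !slot0_in_use());
    return 0;
}
```

    The `in_use` flag stands in for what an instrumented allocator (or a debugger with pool tagging) would report; real kernel pool memory has no such flag, which is why the bug goes unnoticed until an attacker reclaims the slot with an object whose layout they control.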

    Why is it a Big Deal?

    Exploiting this vulnerability gives a local attacker SYSTEM privileges, the highest level of access on Windows. From there they can execute arbitrary code, change system settings, and install additional malicious software. What makes this class of bug especially dangerous is that a kernel memory-corruption flaw also yields a kernel read/write primitive, which lets an attacker tamper with the structures that security software depends on, rather than merely running as an administrator, and so bypass standard security measures.


    Lazarus APT’s Exploitation

    How Lazarus Used the Vulnerability

    Lazarus, a well-known hacking group backed by North Korea, used CVE-2024-38193 to deploy FudModule, a highly advanced rootkit. Although FudModule itself runs as a user-mode DLL, it uses the kernel vulnerability to read and write kernel memory directly, so its tampering happens deep within the Windows kernel, where it is extremely hard to detect.

    What is FudModule?

    FudModule, also known as LIGHTSHOW, is a user-mode DLL that acts as a rootkit: rather than loading a malicious driver of its own, it obtains a kernel read/write primitive and uses it to edit kernel memory directly (a “data-only” rootkit). Earlier versions obtained that primitive with the “bring your own vulnerable driver” (BYOVD) technique; the 2024 versions obtain it by exploiting flaws in drivers that ship with Windows. With the primitive in hand, FudModule disables Windows system monitoring by altering kernel variables and removing kernel callbacks, such as the notification routines security products register to learn about new processes, threads and image loads. Blinding the kernel in this way degrades a range of security products that depend on those hooks, including Endpoint Detection and Response (EDR) systems, firewalls, antivirus software, and digital forensics tools.

    How It Was Installed

    Initially, Lazarus deployed earlier versions of FudModule using the BYOVD technique: the attackers load a legitimately signed but vulnerable third-party driver and exploit its known flaw to gain kernel-level access. In 2024 the group moved to zero-days in drivers that are part of Windows itself. An earlier 2024 version exploited a flaw in appid.sys, the driver behind Windows AppLocker (CVE-2024-21338, patched in February 2024); the version discussed here exploits AFD.sys. Because these drivers are already present and loaded on every system, the approach sidesteps the driver blocklists and loading restrictions defenders use against BYOVD, which is what makes the shift significant.

    Detection Issues

    FudModule’s stealth comes from tampering with the kernel structures that security products rely on, not from hooking the products themselves, so an EDR or antivirus agent can keep reporting itself as healthy while no longer receiving the events it needs. Conventional measures that depend on a single sensor therefore fail silently, which complicates both detection and removal. Defenders need a signal that does not come from the blinded sensor: telemetry from an independent source, integrity checks on callback registrations, or a sudden drop in a sensor’s event rate while the system is clearly still active.
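    As an added illustration of the blinding described above and of two checks that do not depend on the blinded sensor (example code, not Windows kernel code, not FudModule, and not any vendor’s product; the notification table, the sensor and all names are invented), here is a small C model. A sensor registers a process-creation callback, a data-only tamper nulls the table entry the way a kernel write primitive would, and the model then applies two independent checks: a behavioural one, comparing the sensor’s event count with a separate count of process creations, and a direct integrity check of the sensor’s own registration.

```c
/* Added example: a model of kernel-callback blinding and two ways to notice
 * it. Not Windows kernel code and not FudModule; all names are invented. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define MAX_CALLBACKS 8

typedef void (*process_notify_fn)(int pid);

/* The kernel's registration table: a plain array of function pointers,
 * exactly the kind of data a rootkit with a kernel write primitive edits. */
static process_notify_fn notify_table[MAX_CALLBACKS];

/* Independent ground truth: how many processes the kernel actually created
 * (in practice: a periodic process-list snapshot or a second telemetry source). */
static int processes_created;

/* What the sensor saw, and where it registered itself. */
static int sensor_events_seen;
static int sensor_slot = -1;

static void reset_state(void) {
    memset(notify_table, 0, sizeof notify_table);
    processes_created = 0;
    sensor_events_seen = 0;
    sensor_slot = -1;
}

/* Sensor registration, like a driver asking to be told about new processes. */
static int register_callback(process_notify_fn fn) {
    for (int i = 0; i < MAX_CALLBACKS; i++) {
        if (notify_table[i] == NULL) {
            notify_table[i] = fn;
            return i;
        }
    }
    return -1;
}

/* Kernel side: a process was created; notify everyone still registered. */
static void create_process(int pid) {
    processes_created++;
    for (int i = 0; i < MAX_CALLBACKS; i++)
        if (notify_table[i] != NULL)
            notify_table[i](pid);
}

/* The sensor's callback: a real product would build telemetry here. */
static void sensor_on_process(int pid) {
    (void)pid;
    sensor_events_seen++;
}

/* Data-only tamper: overwrite the registration with a raw memory write.
 * No API is called and no driver is loaded, so nothing logs the change. */
static void rootkit_remove_callback(int slot) {
    notify_table[slot] = NULL;
}

/* Check 1 (behavioural): the kernel is demonstrably creating processes but
 * the sensor has seen none of them. */
bool sensor_is_blinded(void) {
    return processes_created > 0 && sensor_events_seen == 0;
}

/* Check 2 (integrity): the sensor re-verifies its own table entry, which a
 * kernel-mode component can do against the structure it registered into. */
bool registration_intact(void) {
    return sensor_slot >= 0 && notify_table[sensor_slot] == sensor_on_process;
}

/* Scenario 1: healthy sensor. Returns events seen (3). */
int run_healthy(void) {
    reset_state();
    sensor_slot = register_callback(sensor_on_process);
    for (int pid = 100; pid < 103; pid++)
        create_process(pid);
    return sensor_events_seen;
}

/* Scenario 2: the callback is removed before activity occurs.
 * Returns true if the behavioural check catches it. */
bool run_blinded(void) {
    reset_state();
    sensor_slot = register_callback(sensor_on_process);
    rootkit_remove_callback(sensor_slot);
    for (int pid = 200; pid < 203; pid++)
        create_process(pid);
    return sensor_is_blinded();
}

int main(void) {
    int seen = run_healthy();
    printf("healthy: sensor saw %d events, blinded=%d, registration intact=%d\n",
           seen, sensor_is_blinded(), registration_intact());
    bool blinded = run_blinded();
    printf("tampered: blinded=%d, registration intact=%d\n",
           blinded, registration_intact());
    return 0;
}
```

    The behavioural check is the one most teams can act on today, since it only needs two sources that should agree (for example, sensor event volume versus the number of new processes in a periodic snapshot); the integrity check needs code running in the kernel that knows what it registered.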


    Broader Impact

    Lazarus’s exploitation of CVE-2024-38193 reflects a growing trend in state-sponsored cyberattacks, where sophisticated techniques are employed to breach and manipulate high-value targets. The stealthy nature of the FudModule rootkit, in particular, poses serious risks for critical sectors such as cryptocurrency and aerospace. The potential for such a breach to cause substantial financial damage and operational disruption highlights the urgent need for advanced defensive measures.


    What Can Be Done?

    1. Apply Patches Quickly: Microsoft released a patch for CVE-2024-38193 on August 13, 2024. It’s crucial for organizations to apply this update as soon as possible to close the vulnerability.
    2. Improve Monitoring: Invest in monitoring that can surface unusual activity at the kernel level and that does not depend on a single sensor, since a kernel rootkit’s first act is to blind the sensor it finds. Cross-checking one source of telemetry against another helps identify rootkit infections before they cause significant damage.
    3. Secure Drivers: Regularly review and update drivers, and be cautious with third-party drivers: ensure they come from trusted sources and apply updates promptly. Enabling Hypervisor-protected Code Integrity (HVCI) together with Microsoft’s vulnerable driver blocklist limits what a BYOVD attack can load. Note that this does not help against flaws in drivers that ship with Windows, such as AFD.sys; for those, patching is the only fix.
    4. Have an Incident Response Plan: Develop and maintain a comprehensive incident response plan to address potential rootkit infections. This plan should include detection, containment, and remediation strategies.

    Another Vulnerability: CVE-2024-38178

    In addition to CVE-2024-38193, CVE-2024-38178 is another serious vulnerability exploited by North Korean hackers. This memory-corruption flaw in the Windows Scripting Engine allows remote code execution when a victim opens a malicious link in Microsoft Edge’s Internet Explorer mode. It is another example of the growing range of threats organizations face.


    Conclusion

    Lazarus APT’s use of CVE-2024-38193 shows just how crucial it is for organizations to stay on top of their cybersecurity posture. Promptly applying patches and strengthening security measures are essential steps to guard against these advanced threats. By grasping the methods used by groups like Lazarus, businesses can better protect their systems and data from increasingly sophisticated attacks.

    For more details on addressing these vulnerabilities, check Microsoft’s security updates and advisories.


    How Can Netizen Help?

    Netizen ensures that security gets built-in and not bolted-on. We provide advanced solutions to protect critical IT infrastructure, such as our popular “CISO-as-a-Service”, through which companies can leverage the expertise of executive-level cybersecurity professionals without bearing the cost of employing them full time.

    We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type. 

    Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.

    Netizen is an ISO 27001:2013 (Information Security Management), ISO 9001:2015, and CMMI V 2.0 Level 3 certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans. 

    Questions or concerns? Feel free to reach out to us any time –

    https://www.netizen.net/contact


  • Netizen: Monday Security Brief (8/19/2024)

    Today’s Topics:

    • OpenAI Shuts Down Iranian Influence Campaign Leveraging ChatGPT
    • Ransomware Attack Cripples Flint, Michigan’s Online Services: City Scrambles to Restore Operations

    OpenAI Shuts Down Iranian Influence Campaign Leveraging ChatGPT

    Last Friday, OpenAI announced the suspension of several accounts tied to a covert Iranian influence operation known as Storm-2035. This campaign used OpenAI’s ChatGPT to generate content aimed at swaying opinions around the U.S. presidential election and other hot-button issues. The operation has raised alarms about the potential misuse of artificial intelligence in geopolitical schemes.

    The Storm-2035 operation focused on creating content that targeted audiences across the political spectrum in the United States. According to OpenAI, “This week we identified and took down a cluster of ChatGPT accounts that were generating content for a covert Iranian influence operation identified as Storm-2035.” The content spanned topics from U.S. politics to the Gaza conflict, Israel’s role in the Olympic Games, and politics in Venezuela.

    The operation aimed to stir division by engaging with both conservative and progressive audiences, appearing to align with their respective viewpoints. The articles were published on five websites posing as legitimate news outlets, each tailored to appeal to different segments of the U.S. population. “The first workstream produced articles on U.S. politics and global events, published on five websites that posed as both progressive and conservative news outlets,” OpenAI noted.

    Despite its widespread efforts, the operation didn’t really take off. OpenAI pointed out that most of the content didn’t get much attention on social media platforms. “Similar to the covert influence operations we reported in May, this operation does not appear to have achieved meaningful audience engagement,” the company explained. Using Brookings’ Breakout Scale, the operation was categorized as being at the low end of Category 2. This means that while there was some activity across multiple platforms, there was no sign that real people picked up or widely shared the content.

    The operation’s limited success extended beyond social media. OpenAI found “no indication that the web articles created using ChatGPT were shared on social media platforms.” Moreover, the attempt to generate engagement by mixing political content with lighter posts about fashion and beauty—probably to appear more authentic or build a following—also fell flat.

    Storm-2035 used ChatGPT to create both long-form articles and shorter social media comments in English and Spanish. These were posted across multiple accounts on platforms like X (formerly Twitter) and Instagram. The operation had a strategy: asking ChatGPT to rewrite existing social media comments to push the campaign’s agenda. “Some of the X accounts posed as progressives, and others as conservatives. They generated some of these comments by asking our models to rewrite comments posted by other social media users,” OpenAI elaborated.

    The topics covered were diverse, ranging from U.S. domestic politics to international issues like the Gaza conflict and Scottish independence. This content was then strategically mixed with lighter topics like fashion to create a more diversified and seemingly genuine online presence.

    The disruption of Storm-2035 is part of a broader effort by tech companies and governments to combat foreign influence operations. Microsoft, for example, had previously highlighted the activities of Storm-2035 in its reports, describing it as an Iranian network “actively engaging U.S. voter groups on opposing ends of the political spectrum with polarizing messaging.” This network was known for trying to manipulate public opinion on issues like the U.S. presidential candidates, LGBTQ rights, and the Israel-Hamas conflict.

    Additionally, Microsoft identified similar tactics used by other foreign influence operations, including those linked to Russian networks like Ruza Flood (also known as Doppelganger), Storm-1516, and Storm-1841 (also known as Rybar). These operations have been characterized by their use of AI and social media to amplify misleading or outright false information across multiple platforms.

    One concerning trend in these influence operations is the evolution of tactics as they adapt to increased enforcement by social media companies and governments. For instance, Meta reported that Doppelganger had shifted its focus towards non-political posts and ads in an attempt to evade detection. These posts often spoofed entertainment and lifestyle news outlets, using compromised accounts to create ads that, when clicked, redirected users to politically charged content on counterfeit domains. “The posts contain links that, when tapped, redirect users to a Russia war- or geopolitics-related article on one of the counterfeit domains mimicking entertainment or health publications,” Meta noted.

    The adaptation of such tactics highlights the ongoing challenge of securing democratic processes against foreign interference, particularly in the context of the 2024 U.S. election. As OpenAI pointed out, “Notwithstanding the lack of meaningful audience engagement resulting from this operation, we take seriously any efforts to use our services in foreign influence operations.”

    In response to these threats, OpenAI emphasized its commitment to transparency and proactive measures to prevent the misuse of its AI technologies. The company has been actively sharing threat intelligence with government agencies, campaign teams, and industry stakeholders to support a coordinated response against foreign influence operations. “OpenAI remains dedicated to uncovering and mitigating this type of abuse at scale by partnering with industry, civil society, and government, and by harnessing the power of generative AI to be a force multiplier in our work,” the company stated.

    This collaborative approach is crucial as the methods used by influence operations continue to evolve. By leveraging AI tools to detect and disrupt these activities, OpenAI and other tech companies aim to protect the integrity of information and democratic processes worldwide.


    Ransomware Attack Cripples Flint, Michigan’s Online Services: City Scrambles to Restore Operations


    The City of Flint, Michigan, finds itself in the throes of a severe ransomware attack that has left critical online services crippled since August 14, 2024. The attack, which has drawn the attention of both federal and state authorities, has had widespread repercussions, affecting various aspects of daily operations and leaving residents and city officials alike grappling with uncertainty.

    The ransomware attack has hit Flint hard, especially in terms of its ability to process payments and maintain communication with its residents. The city’s core payment processing system, BS&A, was among the hardest hit. This disruption means that residents have been unable to make online or credit card payments for essential services like water, sewer, and taxes. In response, city officials have moved quickly to ensure that residents are not penalized during this period of turmoil. “We want to assure everyone that no late fees will be applied, and water shutoffs are not going to happen while we work through this,” a city spokesperson said.

    Beyond payment processing, the attack has had significant implications for the city’s communication infrastructure. Flint’s GIS maps have been taken offline, and there are major gaps in the city’s email, phone, and voicemail systems. These disruptions have made it challenging for city employees to maintain regular contact with residents, adding to the overall sense of disarray.

    Despite these setbacks, Flint’s public safety services, including 911, dispatch, law enforcement, and fire operations, have remained fully operational. Public works services, including waste collection and water utilities, are also functioning normally, providing some relief amid the chaos.

    Flint Mayor Sheldon Neeley addressed the public with a mix of resolve and concern as the city continues to grapple with the fallout. “We are working tirelessly to resolve this issue and minimize the impact on Flint residents. I want to thank our staff and partners for their hard work and dedication during this difficult time,” Mayor Neeley stated.

    The attack is being treated with the utmost seriousness, with both the FBI and the Michigan Attorney General’s Office now involved in the investigation. Cybersecurity experts have been called in to assess the full extent of the damage and to help the city in its recovery efforts. However, despite the best efforts of all parties involved, there is no clear timeline for when the city’s systems will be fully restored.

    One of the most pressing concerns for city officials is the potential exposure of sensitive personal data belonging to Flint’s residents and employees. The city is actively investigating whether any such data has been compromised in the attack. “We are investigating whether resident or employee personal data has been impacted. As always, we encourage individuals to take action to protect themselves from identity theft,” read a statement from the city. This ongoing uncertainty has understandably left many residents feeling anxious and concerned about their personal security.

    Flint’s struggles are part of a larger, disturbing trend that has seen municipalities and organizations across Michigan targeted by increasingly sophisticated cyberattacks in recent months. While the situation in Flint is particularly severe, other cities in the state have faced similar challenges, forcing them to take drastic measures to protect their systems and services.

    Flint’s response, however, has been bolstered by the unfortunate fact that they are not alone in facing such challenges. The city is able to draw on tested resources and strategies from these previous incidents as it works to bring its services back online. Mayor Neeley expressed confidence that, despite the current difficulties, the city would emerge stronger and more resilient in the face of these cyber threats.

    As the city works to restore normal operations, Flint has implemented several temporary measures to ensure that essential services can continue.

    • Payments: Given that the BS&A system is offline, residents are now limited to making payments via cash or check. While this is far from ideal, city officials have emphasized that it is a necessary step to prevent further disruptions.
    • Communication: The city’s phone and voicemail systems are currently unreliable, and while some employees are able to access email, communication remains a challenge. Residents have been urged to be patient and persistent in their attempts to reach city services.
    • Website Access: The city’s website, hosted on a separate server, remains largely intact, but several linked platforms, including the billing system and GIS maps, are unavailable. Despite these challenges, the website continues to serve as a vital source of information for residents seeking updates on the situation.

    Public health services have fortunately remained fully operational throughout the ordeal. Flint residents can still access water testing kits and filters at designated locations, ensuring that this essential service remains uninterrupted.

    While the full impact of the ransomware attack on Flint is still unfolding, city officials have been steadfast in their commitment to overcoming this crisis. The involvement of federal and state law enforcement agencies, as well as top-tier cybersecurity experts, underscores the seriousness of the situation and the city’s determination to address it head-on.

    “We are working around the clock to restore our systems and to ensure that this kind of disruption doesn’t happen again,” said Mayor Neeley. The road to recovery may be long and fraught with challenges, but Flint’s leadership and residents alike remain hopeful that the city will emerge stronger from this ordeal.




  • Building a Career in Cybersecurity: Entry-Level Roles Guide

    The cybersecurity industry continues to experience rapid growth, driven by the increasing frequency and sophistication of cyber threats. For those looking to start a career in this field, there are numerous entry-level opportunities that offer a solid foundation and promising career trajectory. This guide provides an overview of some common entry-level cybersecurity roles, highlighting key responsibilities, essential skills, and educational requirements.


    Information Cybersecurity Analyst

    An Information Cybersecurity Analyst plays a critical role in safeguarding an organization’s computer networks and systems. They are responsible for monitoring, detecting, and responding to cyber threats. Their tasks include implementing security measures, conducting risk assessments, and educating staff on security protocols. This role is essential in defending against cyber attacks and maintaining the integrity of an organization’s data.

    Key Responsibilities:

    • Monitoring network traffic for security incidents.
    • Implementing and updating security measures and controls.
    • Conducting vulnerability assessments and penetration testing.
    • Responding to and mitigating cyber threats and incidents.

    Essential Skills:

    • Proficiency in using security platforms and tools.
    • Strong understanding of network security principles.
    • Ability to analyze and interpret security logs and alerts.
    • Knowledge of regulatory standards and compliance requirements.

    Educational Requirements:

    • Bachelor’s degree in Computer Science, Information Technology, or a related field.
    • Certifications such as CompTIA Security+ or Certified Ethical Hacker (CEH) are beneficial.

    System Administrator

    System Administrators are responsible for the day-to-day operation of an organization’s computer systems and networks. They ensure that systems are running efficiently and securely. Their duties include installing and configuring hardware and software, managing user accounts, and troubleshooting technical issues.

    Key Responsibilities:

    • Maintaining and updating system software and hardware.
    • Ensuring system security and data integrity.
    • Performing regular backups and recovery operations.
    • Monitoring system performance and troubleshooting issues.

    Essential Skills:

    • Proficiency with various operating systems (Windows, Linux, macOS).
    • Understanding of networking concepts and protocols.
    • Ability to automate tasks using scripting languages like PowerShell or Python.
    • Strong problem-solving and analytical skills.

    Educational Requirements:

    • Bachelor’s degree in Information Technology, Computer Science, or a related field.
    • Certifications like Red Hat Certified Engineer (RHCE) or Cisco Certified Network Associate (CCNA) are advantageous.

    IT Support Specialist

    An IT Support Specialist provides technical support and assistance to users within an organization. They help troubleshoot and resolve hardware and software issues, ensuring that users can effectively utilize technology in their daily tasks.

    Key Responsibilities:

    • Providing technical support to end-users.
    • Installing and configuring computer systems and applications.
    • Troubleshooting and resolving hardware and software issues.
    • Maintaining system documentation and IT asset inventory.

    Essential Skills:

    • Strong technical knowledge of computer systems and software.
    • Excellent problem-solving and communication skills.
    • Ability to work under pressure and handle multiple tasks simultaneously.
    • Familiarity with remote support tools and helpdesk software.

    Educational Requirements:

    • Associate’s or bachelor’s degree in Information Technology or a related field.
    • Entry-level certifications such as CompTIA A+ or Network+ are helpful.

    Junior Forensic Analyst

    A Junior Forensic Analyst assists in investigating cybercrimes by analyzing digital evidence. They work under the supervision of senior analysts to uncover and interpret electronic data that can be used in legal proceedings.

    Key Responsibilities:

    • Collecting and preserving digital evidence from electronic devices.
    • Analyzing data to identify signs of cybercrime or security breaches.
    • Documenting findings and preparing reports for legal proceedings.
    • Assisting in the recovery of deleted or encrypted data.

    Essential Skills:

    • Knowledge of digital forensics tools and techniques.
    • Understanding of file systems and storage technologies.
    • Attention to detail and strong analytical skills.
    • Ability to follow established forensic procedures and protocols.

    Educational Requirements:

    • Bachelor’s degree in Cybersecurity, Computer Forensics, or a related field.
    • Certifications such as GIAC Certified Forensic Analyst (GCFA) or IACIS Certified Forensic Computer Examiner (CFCE) are beneficial.

    Junior Penetration Tester

    A Junior Penetration Tester, or ethical hacker, tests the security of an organization’s systems by attempting to exploit vulnerabilities. They help identify and fix security weaknesses before malicious actors can take advantage of them.

    Key Responsibilities:

    • Conducting penetration tests on networks, applications, and systems.
    • Identifying and documenting security vulnerabilities.
    • Collaborating with development and IT teams to remediate findings.
    • Staying updated on the latest security threats and testing techniques.

    Essential Skills:

    • Proficiency with penetration testing tools such as Metasploit, Nmap, and Burp Suite.
    • Strong understanding of network protocols and security mechanisms.
    • Ability to think like an attacker and creatively find security flaws.
    • Excellent report-writing and communication skills.

    Educational Requirements:

    • Bachelor’s degree in Cybersecurity, Information Technology, or a related field.
    • Certifications like Offensive Security Certified Professional (OSCP) or Certified Penetration Testing Professional (CPENT) are highly recommended.

    Source Code Auditor

    A Source Code Auditor examines software source code to identify security vulnerabilities and ensure compliance with coding standards. They play a crucial role in preventing security breaches by ensuring that software is secure and reliable.

    Key Responsibilities:

    • Reviewing source code for security vulnerabilities and coding errors.
    • Ensuring compliance with industry standards and best practices.
    • Collaborating with development teams to fix identified issues.
    • Conducting static and dynamic code analysis.

    Essential Skills:

    • Proficiency in multiple programming languages (e.g., Python, Java, C++).
    • Strong understanding of secure coding principles.
    • Attention to detail and ability to identify subtle code issues.
    • Knowledge of automated code analysis tools.

    Educational Requirements:

    • Bachelor’s degree in Computer Science, Software Engineering, or a related field.
    • Experience in software development and familiarity with code review processes.

    Security Auditor

    A Security Auditor evaluates an organization’s information systems to ensure they comply with security policies and standards. They identify vulnerabilities and provide recommendations to improve security posture.

    Key Responsibilities:

    • Conducting security assessments and audits.
    • Evaluating compliance with security policies and regulations.
    • Identifying and documenting security risks and vulnerabilities.
    • Providing recommendations for improving security controls.

    Essential Skills:

    • Strong understanding of information security frameworks and standards.
    • Experience with audit tools and methodologies.
    • Ability to analyze and interpret audit results.
    • Excellent communication and report-writing skills.

    Educational Requirements:

    • Bachelor’s degree in Information Security, Computer Science, or a related field.
    • Certifications such as Certified Information Systems Auditor (CISA) are highly beneficial.

    Junior Security Analyst

    A Junior Security Analyst assists in protecting an organization’s computer networks and systems. They monitor for security breaches, analyze threats, and help implement protective measures.

    Key Responsibilities:

    • Monitoring security alerts and responding to incidents.
    • Assisting in risk assessments and vulnerability management.
    • Supporting the implementation of security measures and controls.
    • Documenting security incidents and maintaining logs.

    Essential Skills:

    • Proficiency in using security information and event management (SIEM) tools.
    • Understanding of cybersecurity principles and best practices.
    • Strong analytical and problem-solving skills.
    • Ability to work collaboratively in a team environment.

    Educational Requirements:

    • Bachelor’s degree in Cybersecurity, Information Technology, or a related field.
    • Certifications such as CompTIA Cybersecurity Analyst (CySA+) are recommended.

    Conclusion

    Entering the field of cybersecurity offers a rewarding career path with numerous opportunities for growth. By acquiring the necessary skills and certifications, gaining hands-on experience, and staying updated with the latest industry trends, aspiring professionals can build a strong foundation and excel in various entry-level cybersecurity roles. Continuous learning and adaptability are key to succeeding in this dynamic and ever-evolving field.




  • NGFW vs Traditional Firewalls: What’s the Difference?

    Firewalls play a crucial role in safeguarding data and preventing unauthorized access. As cyber threats have evolved, so too have firewall technologies, resulting in the development of Next Generation Firewalls (NGFWs). This analysis examines the distinctions between traditional firewalls and NGFWs, highlighting their features and respective contributions to modern cybersecurity.


    Traditional Firewalls

    Traditional firewalls serve as a fundamental component of network security, primarily offering stateful inspection of network traffic. These devices monitor and control data flow based on state, port, and protocol, providing essential protection at the network’s entry and exit points. Additionally, traditional firewalls typically include Virtual Private Network (VPN) capabilities. However, they are increasingly inadequate in countering the varied cyber threats encountered today.


    Next Generation Firewalls (NGFWs)

    Next Generation Firewalls (NGFWs) represent an advanced evolution in firewall technology. Beyond the stateful inspection capabilities of traditional firewalls, NGFWs incorporate a multitude of features designed to address contemporary cybersecurity challenges comprehensively. They deliver this enhanced security through a combination of advanced technologies and integrated solutions.


    Key Features of NGFWs

    NGFWs distinguish themselves with several advanced capabilities:

    • Application Awareness and Control: Ability to identify, monitor, and manage applications.
    • Integrated Intrusion Prevention System (IPS): Combines firewall functions with intrusion prevention for real-time threat mitigation.
    • Deep Packet Inspection (DPI): Analyzes the content of data packets beyond just the header information.
    • Cloud-Delivered Threat Intelligence: Utilizes real-time threat data from cloud-based sources for enhanced protection.
    • SSL and SSH Inspection: Decrypts and inspects encrypted traffic to detect hidden threats.
    • Sandboxing: Employs isolated environments to safely execute and analyze potentially malicious code.
    • Performance Efficiency: Maintains robust security without compromising network performance.
    • Advanced Threat Protection: Defends against complex threats, including zero-day exploits.
    • Web Filtering: Controls and restricts access to potentially harmful websites.
    • Integrated Antivirus, Antispam, and Antimalware: Offers comprehensive protection against a range of malware.

    What is the Difference Between an NGFW and a Traditional Firewall?

    Traditional Firewall | Next Generation Firewall
    --- | ---
    Primarily provides stateful inspection of network traffic. | Combines stateful inspection with advanced security features.
    Represents an older generation of firewall technology. | Embodies advanced, modern firewall technology.
    Offers limited application visibility and control. | Provides comprehensive application visibility and control.
    Operates at OSI layers 2 to 4. | Extends functionality across OSI layers 2 to 7.
    Lacks application-level awareness. | Supports detailed application-level awareness.
    Does not include reputation and identity services. | Integrates reputation and identity services.
    Expensive to manage separate security tools. | Simplifies management with integrated security tools, reducing costs.
    Does not offer a complete security package. | Provides a full suite of security technologies.
    Cannot decrypt and inspect SSL traffic. | Capable of decrypting and inspecting SSL traffic in both directions.
    Supports basic NAT, PAT, and VPN functionalities. | Enhances NAT, PAT, and VPN with advanced threat management features like sandboxing.
    IPS and IDS are separate components. | Fully integrates IPS and IDS for streamlined security management.
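    The distinction the feature list and the table draw (a traditional firewall decides on state, port and protocol at OSI layers 3/4, while an NGFW also classifies the application carried on that port at layer 7) is easiest to see on concrete traffic. The following is an added example written for this article, not vendor code: a toy model of both firewalls run over constructed sample packets. The same layer-4 policy (web ports only) lets an SSH session tunnelled over port 443 through the traditional model, while the application-aware model recognises the SSH banner and denies it. Host addresses come from the documentation ranges and the payload bytes are constructed.

```python
"""Toy comparison of a stateful port/protocol filter and an
application-aware filter over constructed sample packets."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str       # "tcp" or "udp"
    sport: int
    dport: int
    payload: bytes   # first bytes of application data (empty for a bare SYN)


# Layer-4 policy used by both models: internal hosts may open web sessions only.
L4_ALLOW = {("tcp", 80), ("tcp", 443)}

# Layer-7 policy used only by the application-aware model: the application
# seen on each permitted port must be the one the port is meant for.
APP_ALLOW = {80: {"http"}, 443: {"tls"}}


def classify_app(payload: bytes) -> str:
    """Identify the application protocol from its first bytes, using the
    standard framing of each protocol: the SSH version banner, the TLS
    handshake record header (type 0x16, major version 3) and an HTTP
    request line."""
    if payload.startswith(b"SSH-"):
        return "ssh"
    if len(payload) >= 2 and payload[0] == 0x16 and payload[1] == 0x03:
        return "tls"
    if payload.split(b" ", 1)[0] in (b"GET", b"POST", b"HEAD", b"PUT", b"DELETE", b"OPTIONS"):
        return "http"
    return "unknown"


class Firewall:
    """app_aware=False behaves like the traditional model, True like an NGFW."""

    def __init__(self, app_aware: bool):
        self.app_aware = app_aware
        self.sessions = set()   # (client, server, server_port) of flows the inside opened

    def check(self, pkt: Packet, direction: str) -> str:
        if direction == "in":
            # Stateful inspection: inbound packets must be replies to a known session.
            if (pkt.dst, pkt.src, pkt.sport) in self.sessions:
                return "allow"
            return "deny:no-session"
        if (pkt.proto, pkt.dport) not in L4_ALLOW:
            return "deny:port"
        if self.app_aware:
            app = classify_app(pkt.payload)
            if app not in APP_ALLOW[pkt.dport]:
                return f"deny:{app}-on-{pkt.dport}"
        self.sessions.add((pkt.src, pkt.dst, pkt.dport))
        return "allow"


# Constructed sample traffic: internal client 10.0.0.5, web server 198.51.100.20
# and an external scanner 203.0.113.9 (all from the documentation ranges).
CLIENT, SERVER, SCANNER = "10.0.0.5", "198.51.100.20", "203.0.113.9"
SAMPLE_TRAFFIC = [
    ("tls-443", "out", Packet(CLIENT, SERVER, "tcp", 51234, 443, b"\x16\x03\x01\x00\xf4\x01")),
    ("tls-reply", "in", Packet(SERVER, CLIENT, "tcp", 443, 51234, b"\x16\x03\x03\x00\x5a\x02")),
    ("ssh-over-443", "out", Packet(CLIENT, SERVER, "tcp", 51235, 443, b"SSH-2.0-OpenSSH_9.6\r\n")),
    ("http-80", "out", Packet(CLIENT, SERVER, "tcp", 51236, 80, b"GET / HTTP/1.1\r\n")),
    ("unsolicited-ssh-in", "in", Packet(SCANNER, CLIENT, "tcp", 40000, 22, b"")),
]


def evaluate(app_aware: bool) -> dict:
    """Run the sample traffic through one firewall model; return verdicts by label."""
    fw = Firewall(app_aware)
    return {label: fw.check(pkt, direction) for label, direction, pkt in SAMPLE_TRAFFIC}


if __name__ == "__main__":
    for model, flag in (("traditional", False), ("ngfw", True)):
        print(model, evaluate(flag))
```

    Both models share the session table, so the stateful behaviour (the TLS reply is admitted, the unsolicited inbound SSH connection is not) is identical; only the verdict on the tunnelled SSH session differs, which is the application-awareness row of the table in miniature. A real NGFW classifies with far richer signatures and can decrypt TLS to inspect inside it, which this model does not attempt.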

    Conclusion

    While traditional firewalls continue to play a vital role in network security, they fall short in addressing the sophisticated threats of the modern digital landscape. Next Generation Firewalls (NGFWs) offer a comprehensive and advanced security solution, integrating features such as application awareness, deep packet inspection, and SSL inspection. These capabilities make NGFWs indispensable for robust and effective network protection. Selecting the appropriate firewall technology depends on an organization’s specific security needs and risk profile, with NGFWs providing a superior option for comprehensive threat defense.



  • Analyzing the Autonomy of GPT-4 in Exploiting One-Day and Zero-Day Vulnerabilities

    With the surge in popularity and capability of large language models such as ChatGPT in recent years, cybersecurity professionals are increasingly concerned about the potential misuse of these advanced tools. The question on everyone’s mind: Can these models autonomously launch effective cyberattacks? Recent studies by cybersecurity researchers provide sobering answers. Their conclusion: LLMs, particularly GPT-4, are alarmingly proficient at exploiting both one-day and zero-day vulnerabilities.


    Understanding One-Day and Zero-Day Vulnerabilities

    One-day vulnerabilities, the term for zero-day vulnerabilities once they have been publicly disclosed but before a patch is available, represent a critical window of opportunity for attackers. These vulnerabilities are documented in the Common Vulnerabilities and Exposures (CVE) database and are known to be exploitable until a patch is issued and deployed. In a recent effort, cybersecurity researchers focused on 15 real-world one-day vulnerabilities affecting various platforms, including websites, container management software, and Python packages.

    Zero-day vulnerabilities, on the other hand, are those that are not yet known to the hacker community at large. These vulnerabilities are particularly dangerous because there is no patch available, and their existence is unknown to defenders.


    The Study’s Setup and Key Findings

    One-Day Vulnerabilities

    The researchers equipped the GPT-4 model with several capabilities to simulate a real-world hacking scenario:

    • Web Browsing Elements: To retrieve HTML content and interact with web elements.
    • Terminal Access: For executing commands directly on the system.
    • Search Results: To gather information dynamically from the web.
    • File Creation and Editing: To manipulate files necessary for exploitation.
    • Code Interpreter: To understand and execute code.

    A detailed prompt of 1,056 tokens (the units of text a model such as GPT-4 processes), containing 91 lines of code, including debugging and logging statements, was provided to guide the GPT-4 model. Notably, this prompt did not include sub-agents or a separate planning module, ensuring that the model’s actions were a direct result of the prompt and its integrated capabilities.

    The results were startling. GPT-4 successfully exploited 87% of the one-day vulnerabilities presented, far outperforming other tested methods, including GPT-3.5 and open-source vulnerability scanners. The other models and tools failed to exploit any vulnerabilities, underscoring the advanced capabilities of GPT-4.

    Zero-Day Vulnerabilities and HPTSA Method

    A separate team of researchers at the University of Illinois Urbana-Champaign expanded their study to include zero-day vulnerabilities, using a novel approach called hierarchical planning with task-specific agents (HPTSA). This method assigns tasks to multiple agents, monitors their progress, and reallocates resources as needed. It mirrors project management methodologies used by humans and significantly boosts the efficiency of finding vulnerabilities.

    Using this approach, multiple instances of a modified version of GPT-4 acted as agents. When benchmarked against real-world applications, the HPTSA method proved to be 550% more efficient in finding vulnerabilities compared to traditional methods.

    Implications for the Threat Landscape

    The findings from these studies have significant implications for the cybersecurity threat landscape. The ability of GPT-4 to autonomously exploit both one-day and zero-day vulnerabilities highlights the increasing sophistication and potential danger of AI-driven cyberattacks. Several key impacts are anticipated:

    • Increased Attack Automation: The high success rate of GPT-4 in exploiting vulnerabilities suggests that future cyberattacks could be more automated and efficient, leading to a higher frequency of attacks.
    • Rapid Exploitation of New Vulnerabilities: With LLMs like GPT-4 capable of quickly exploiting vulnerabilities once they are disclosed, the window of opportunity for defenders to patch systems before they are attacked is drastically reduced.
    • Enhanced Targeting and Precision: The ability of GPT-4 to perform complex, multi-step attacks means that cybercriminals could carry out more targeted and precise attacks, potentially breaching high-value targets more effectively.
    • Greater Accessibility of Hacking Tools: As LLMs become more integrated into hacking tools, the barrier to entry for conducting sophisticated cyberattacks lowers, potentially enabling less skilled hackers to execute complex attacks.
    • Challenges in Detection and Response: AI-driven attacks may be harder to detect and mitigate due to their adaptive and evolving nature. Traditional security measures might struggle to keep up with the speed and variability of AI-powered exploits.

    Ethical Considerations and Defensive Measures

    Given the study’s findings, it’s crucial for the cybersecurity community to take proactive measures. This includes:

    • Developing Defensive LLMs: Utilizing LLMs to bolster defensive measures and quickly identify and patch vulnerabilities.
    • Regulating LLM Deployment: Implementing stricter controls and guidelines for the deployment of highly capable LLMs to prevent misuse.
    • Enhancing Vulnerability Management: Improving the speed and efficiency of patch deployment to minimize the window of vulnerability.

    Is the Use of LLMs in Cybersecurity Good or Bad?

    Is the ability of GPT-4 to autonomously exploit vulnerabilities a boon or a bane for cybersecurity? On one hand, the efficiency and precision of AI-driven vulnerability exploitation highlight the potential for these tools to significantly aid in defensive measures. They could be used to identify and patch vulnerabilities faster than ever before, potentially reducing the window of exposure and improving overall security resilience. On the other hand, the same capabilities could be wielded by malicious actors, automating and scaling cyberattacks to an unprecedented level. This duality poses a profound ethical dilemma: while the advancements in AI offer promising tools for improving cybersecurity, they also present new challenges and risks that must be carefully managed. The path forward requires a balanced approach, leveraging AI for defense while implementing stringent controls to prevent its misuse.



  • Microsoft August 2024 Patch Tuesday: 89 Vulnerabilities, 6 Actively Exploited Zero-Days

    Today marks Microsoft’s August 2024 Patch Tuesday, addressing a total of 89 security flaws, including six actively exploited zero-day vulnerabilities and three publicly disclosed zero-days. Among these, one critical zero-day vulnerability remains unfixed, though Microsoft is actively working on a resolution.


    Summary of Critical Updates

    This Patch Tuesday resolves eight critical vulnerabilities across various categories, such as elevation of privileges, remote code execution, and information disclosure. Below is the distribution of the vulnerabilities by category:

    • 36 Elevation of Privilege Vulnerabilities
    • 4 Security Feature Bypass Vulnerabilities
    • 28 Remote Code Execution Vulnerabilities
    • 8 Information Disclosure Vulnerabilities
    • 6 Denial of Service Vulnerabilities
    • 7 Spoofing Vulnerabilities

    It is important to note that these counts do not include vulnerabilities in Microsoft Edge that were disclosed earlier this month.


    Zero-Day Vulnerabilities: An Overview

    Among the vulnerabilities patched today, six are classified as zero-day flaws, meaning they were exploited in the wild before a fix was available. Notably, half of these zero-days pertain to local privilege escalation, which allows attackers to gain higher-level privileges on a compromised system.

    • CVE-2024-38106, CVE-2024-38107, and CVE-2024-38193 are three such local privilege escalation vulnerabilities. They enable attackers to achieve SYSTEM-level privileges on vulnerable machines, though they affect different components of the Windows operating system. The details provided by Microsoft are sparse, particularly for the last two flaws, but they are recognized as being exploited actively.
    • CVE-2024-38106 resides in the Windows Kernel and is currently being exploited, with Microsoft noting its high attack complexity. This complexity stems from the need for attackers to navigate a race condition, a situation that can vary in difficulty. Trend Micro’s Zero Day Initiative (ZDI) emphasizes that despite the high complexity rating, the presence of real-world exploitation suggests that the vulnerability is readily actionable by attackers.
    • CVE-2024-38178 is a remote code execution vulnerability found in the Internet Explorer Mode of the Windows Edge browser. This mode, while not enabled by default, is used for legacy websites and applications. The active exploitation of this flaw indicates that attackers are targeting environments where this mode is in use.
    • CVE-2024-38213 allows malware to bypass the “Mark of the Web” security feature, which is responsible for alerting users about files downloaded from the internet. Although this vulnerability is not directly exploitable on its own, it is often part of a larger exploit chain. It may be used to alter malicious documents or executable files to evade detection before distribution.
    • CVE-2024-38189 is a remote code execution flaw affecting Microsoft Project. This vulnerability is only exploitable in environments where notifications about the risks of running VBA Macros are disabled. Given the history of malware hiding within Office Macros, this flaw poses a significant risk to affected users.

    Adobe’s Security Updates

    In addition to Microsoft’s updates, Adobe has released 11 security bulletins addressing at least 71 vulnerabilities across its products, including Illustrator, Photoshop, InDesign, and Acrobat. Adobe has indicated that there is no current evidence of active exploitation of these vulnerabilities.


    Best Practices for Users

    Given the critical nature of these updates, it is crucial for users to stay up-to-date with the latest security patches from Microsoft and Adobe. While it’s recommended to install these updates promptly, waiting a day or two can be prudent. This approach allows time for any immediate issues with the updates to be addressed. Furthermore, backing up data or imaging the Windows drive before applying new updates can prevent data loss in case of problems during the update process.

    For a detailed breakdown of the vulnerabilities addressed, refer to the SANS Internet Storm Center’s list. Administrators managing large Windows environments should also keep an eye on Askwoody.com for insights into any issues specific updates may cause.



  • Netizen: Monday Security Brief (8/12/2024)

    Today’s Topics:

    • Nearly 3 Billion Individuals’ PII Leaked from National Public Data Breach
    • Inside the Polymorphic Trojan: How Browser Extensions are Exploited for Cyber Attacks
    • How can Netizen help?

    Nearly 3 Billion Individuals’ PII Leaked from National Public Data Breach

    In a recent cybersecurity breach involving National Public Data, a background checking company, approximately 2.7 billion records containing sensitive personal information of U.S. citizens were leaked on a hacking forum, leading to a significant class-action lawsuit. The breach has exposed names, Social Security numbers, physical addresses, and possible aliases of individuals across the United States. None of this information was encrypted in any fashion.

    The plaintiff’s lawsuit against National Public Data centers on the company’s failure to safeguard the personally identifiable information (PII) of its users. According to the lawsuit, National Public Data had a legal duty to protect the plaintiff’s PII, and an ethical duty to protect class members, arising from several sources: the Federal Trade Commission (FTC) Act, contractual obligations, industry standards, and representations made to customers. The complaint argues that National Public Data did not adopt reasonable measures to protect the PII from unauthorized access and disclosure.

    The plaintiff claims that National Public Data derived substantial economic benefits from collecting and using the PII of its customers. The lawsuit alleges that without the submission of this sensitive information the company could not have provided its services, since it needed this information to operate. By obtaining, collecting, and using the PII, National Public Data assumed legal and fair duties to protect it, and it failed to protect this information from disclosure.

    The exact details of how and when the breach occurred are not fully disclosed. The lawsuit provides information suggesting that a cybercriminal group known as “USDoD” gained access to National Public Data’s network before April 2024. The cybercriminals were able to exfiltrate billions of unencrypted PII records stored on the company’s network.

    On April 8, 2024, USDoD posted a database titled “National Public Data” on the Dark Web hacker forum “Breached.” They claimed that the database contained 2.9 billion records of U.S. citizens and offered it for sale at $3.5 million. According to reports from VX-Underground, a malware repository, the database contained extensive details. These details were about individuals who had not used data opt-out services. These details included:

    • First and last names
    • Current and historical addresses spanning over three decades
    • Social Security numbers
    • Information about family members, including parents, deceased relatives, and siblings

    Malware repository VX-Underground confirmed the authenticity of the data after reviewing the 277.1 GB uncompressed file. The report highlighted that individuals who had used data opt-out services were not present in the database. Those who had not opted out were immediately found.

    Following the first sale attempt by USDoD, portions of the stolen data were released by other threat actors. On August 6, 2024, a hacker named “Fenice” leaked the most complete version of the stolen records. The records were posted for free on the Breached forum. Fenice clarified that the breach was actually carried out by another hacker named “SXUL.”

    The leaked data consisted of two text files totaling 277GB and containing approximately 2.7 billion plaintext records. While it is unknown whether the leak included data for every individual in the U.S., many individuals have verified that their and their family members’ information was included, even for deceased relatives.

    The breach has led to multiple class-action lawsuits against Jerico Pictures, the entity believed to be operating as National Public Data, for failing to protect people’s information adequately.

    Questions You Might Have

    • 1. What legal obligations did National Public Data have to protect my information?
      The lawsuit argues that National Public Data had obligations under the FTC Act, contractual agreements, industry standards, and representations made to customers. These obligations required the company to keep your PII confidential and protect it from unauthorized access.
    • 2. How does the lawsuit claim National Public Data benefited from my information?
      The lawsuit alleges that National Public Data derived substantial economic benefits from collecting and using your PII. The company could not provide its services without requiring customers to submit this sensitive information.
    • 3. What should I do if I suspect my information was part of the breach?
      If you believe your information was compromised in this breach, it is crucial to monitor your credit report for fraudulent activity. You should also be vigilant against phishing attempts and scams that may try to exploit your compromised data.

    This data breach has exposed the personal information of millions of people, leading to serious legal and security concerns. As the aforementioned lawsuit progresses, it will likely provide more insights into the breach’s causes and the potential consequences for National Public Data and those affected.


    Inside the Polymorphic Trojan: How Browser Extensions are Exploited for Cyber Attacks

    Web browser extensions have evolved from niche tools into essential components of the Internet ecosystem, enabling various functionalities and enhancements for users. Many users have extensions that are quintessential to their browsing experience, like uBlock Origin for ad blocking or Honey for discounts. Naturally, with this rise in utility comes an increased risk, as bad actors exploit these tools as a new vector for malware distribution. The ReasonLabs Research Team has recently identified a large-scale polymorphic malware campaign. This campaign targets web browsers by forcefully installing malicious extensions. These extensions range from simple adware to complex scripts designed to steal sensitive information and execute unauthorized commands.

    The malware, active since 2021, proliferates through imitation download websites, particularly those part of online games and video streaming. These sites deceive users into downloading seemingly legitimate software while actually delivering a trojan that installs harmful extensions. This campaign has affected at least 300,000 users across Google Chrome and Microsoft Edge. Unfortunately, most antivirus engines have yet to detect the installer and the extensions, leaving countless users vulnerable.

    The initial phase of the attack begins with imitation websites. These websites promise popular software like Roblox FPS Unlocker, YouTube, VLC, or KeePass. Users who download software from these lookalike sites unwittingly get a trojan instead. The trojan typically registers a scheduled task using a pseudonym that mimics legitimate system processes, such as Updater_PrivacyBlocker_PR1, MicrosoftWindowsOptimizerUpdateTask_PR1, and NvOptimizerTaskUpdater_V2. These tasks are configured to run PowerShell scripts stored in critical system directories, such as C:/Windows/System32/NvWinSearchOptimizer.ps1. This script then downloads additional malicious payloads from a remote server and executes them on the affected machine.

    The malicious PowerShell script contains several functions, each critical to the success of the malware:

    1. Registry Manipulation: The script adds specific registry keys to force the installation of the malicious extensions on Chrome and Edge. These keys ensure the extensions remain active, hijacking search queries and redirecting them to adversary-controlled search engines. Moreover, these extensions cannot be disabled by the user, even with Developer Mode enabled. This manipulation results in the browser displaying the message, “Your browser is managed by your organization,” further complicating detection.
    2. Tampering with Browser Shortcuts: The script modifies browser shortcut files (.lnk) to include parameters that load the local extension dropped by the malware. This local extension focuses on stealing search queries and communicating with a command-and-control (C2) server, making it difficult for users to detect or remove.
    3. Communication with C2 Servers: The script frequently contacts a C2 server to report the malware’s status and receive instructions for further actions. These instructions often involve tampering with browser DLL files, such as msedge.dll, to override default settings like the search engine. The C2 domain used for these communications is relatively new, and few security systems currently recognize it as malicious.

    The PowerShell script employed in this campaign is detailed and purpose-built, carrying out the attack in several distinct stages. Below is a breakdown of its key components:

    1. addRegKeys Function: This function is responsible for adding necessary registry paths to ensure the extensions are force-installed. It checks if the relevant registry keys exist and creates them if they do not. The script then uses these keys to install the malicious extensions on Chrome and Edge.
    2. addRegVal Function: After establishing the registry paths, the script contacts the C2 server to receive specific instructions, including which extensions to install. The C2 response contains variables that dictate the installation parameters, such as the extension IDs and registry paths. The script then applies these values, ensuring the extensions are installed and active.
    3. removeUpdates Function: To maintain persistence, the script disables all updates for Chrome and Edge. Browser updates often reset settings to their default state, which would disrupt the malware’s activities. By disabling updates, the script ensures that its modifications remain intact.
    4. Main Function: The final stage of the script involves modifying browser shortcuts and downloading additional files from the C2 server. The script checks the current version of the extension installed and, if necessary, downloads and installs the latest version from the C2. It then traverses all .lnk files on the system, injecting parameters to load the malicious extension. These parameters include disabling Chrome’s outdated build detector and removing protections for Chrome’s sensitive pages.
    5. Command Execution: The script also has a mechanism for executing more commands received from the C2 server. These commands often involve downloading and executing new scripts, ensuring the malware can adapt and evolve over time.
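    The persistence mechanisms described above leave artifacts a defender can audit: the ExtensionInstallForcelist policy values that force the extensions in (and produce the “managed by your organization” banner), the scheduled tasks that launch a PowerShell script from System32, and the --load-extension switch injected into browser shortcuts. The following is an added triage example written for this page, not ReasonLabs’ tooling. The task names and script path are the ones quoted above, and the registry paths are the standard Chrome and Edge enterprise-policy locations; the extension IDs, task command lines, shortcut arguments and the allowlist are constructed sample data. Reading a shortcut’s arguments out of the .lnk file itself is left to whichever shortcut library you already use; the functions here take the argument string.

```python
"""Audit helpers for forced browser extensions, suspicious scheduled tasks
and sideloading shortcut arguments (constructed sample data below)."""
import re
import sys

# Pseudonymous task names and the script path quoted in the article.
SUSPICIOUS_TASK_NAMES = {
    "Updater_PrivacyBlocker_PR1",
    "MicrosoftWindowsOptimizerUpdateTask_PR1",
    "NvOptimizerTaskUpdater_V2",
}
SUSPICIOUS_SCRIPT_PATHS = {r"c:\windows\system32\nvwinsearchoptimizer.ps1"}

# Standard policy keys under HKLM that force-install extensions.
FORCELIST_KEYS = {
    "chrome": r"SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist",
    "edge": r"SOFTWARE\Policies\Microsoft\Edge\ExtensionInstallForcelist",
}

# Constructed allowlist: the extension IDs your organisation actually deploys.
APPROVED_EXTENSION_IDS = {"abcdefghijklmnopabcdefghijklmnop"}


def parse_forcelist_entry(entry: str):
    """A forcelist value is '<extension id>;<update url>'. Return the id,
    or None if it is not a well-formed 32-character Chrome extension id."""
    ext_id = entry.split(";", 1)[0].strip().lower()
    return ext_id if re.fullmatch(r"[a-p]{32}", ext_id) else None


def audit_forcelist(entries, approved=APPROVED_EXTENSION_IDS):
    """Return the forced extension IDs that are not on the allowlist."""
    ids = {parse_forcelist_entry(e) for e in entries}
    return sorted(i for i in ids if i and i not in approved)


def audit_scheduled_tasks(tasks):
    """tasks: iterable of (task name, action command line). Flags the
    pseudonyms from the article, the quoted script path, and any PowerShell
    script run out of System32, where legitimate tasks do not keep .ps1 files."""
    findings = []
    for name, command in tasks:
        cmd = command.lower().replace("/", "\\")
        if name in SUSPICIOUS_TASK_NAMES:
            findings.append(f"{name}: task name matches a known pseudonym")
        elif any(p in cmd for p in SUSPICIOUS_SCRIPT_PATHS):
            findings.append(f"{name}: runs a known malicious script path")
        elif "powershell" in cmd and re.search(r"\\windows\\system32\\[^\\\s\"']+\.ps1", cmd):
            findings.append(f"{name}: runs a PowerShell script stored in System32")
    return findings


def shortcut_loaded_extension(arguments: str):
    """Return the directory a browser shortcut sideloads via --load-extension,
    or None when the shortcut does not carry that switch."""
    m = re.search(r'--load-extension=(?:"([^"]+)"|(\S+))', arguments)
    return (m.group(1) or m.group(2)) if m else None


def read_forcelist_from_registry(browser: str):
    """Live read of the policy key on a Windows host; returns [] elsewhere."""
    if sys.platform != "win32":
        return []
    import winreg
    entries = []
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, FORCELIST_KEYS[browser]) as key:
            i = 0
            while True:
                try:
                    _, data, _ = winreg.EnumValue(key, i)
                except OSError:      # no more values
                    break
                entries.append(str(data))
                i += 1
    except OSError:                  # key absent: nothing is force-installed
        pass
    return entries


# Constructed sample data standing in for a live host.
SAMPLE_FORCELIST = [
    "abcdefghijklmnopabcdefghijklmnop;https://clients2.google.com/service/update2/crx",
    "ponmlkjihgfedcbaponmlkjihgfedcba;http://update.example.invalid/ext.xml",
]
SAMPLE_TASKS = [
    ("Updater_PrivacyBlocker_PR1",
     'powershell.exe -File "C:/Windows/System32/NvWinSearchOptimizer.ps1"'),
    ("WinSearchTuner",
     r"powershell.exe -ExecutionPolicy Bypass -File C:\Windows\System32\SearchTuner.ps1"),
    ("Nightly Backup", r'"C:\Program Files\Backup\backup.exe" --full'),
]
SAMPLE_SHORTCUT_ARGS = r'--load-extension="C:\ProgramData\ext_cache" https://start.example.invalid'

if __name__ == "__main__":
    print("unapproved forced extensions:", audit_forcelist(SAMPLE_FORCELIST))
    print("task findings:", audit_scheduled_tasks(SAMPLE_TASKS))
    print("shortcut sideloads:", shortcut_loaded_extension(SAMPLE_SHORTCUT_ARGS))
```

    On a live Windows host, feed read_forcelist_from_registry("chrome") and ("edge") into audit_forcelist, and the task names and actions from your scheduled-task inventory into audit_scheduled_tasks. A non-empty result from any of the three checks is worth an investigation even when the antivirus engine is quiet, since the article notes that the installer and extensions were largely undetected.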

    The widespread nature of this malware campaign highlights the significant threat posed by malicious browser extensions. By leveraging PowerShell scripts and C2 communication, the attackers have created a highly persistent and adaptable form of malware. The impact on affected users is severe: stolen search queries, unauthorized command execution, and the potential for further data exfiltration.

    To mitigate this threat, it is crucial to stay vigilant when downloading software, especially from unverified sources. Users should also regularly review their browser extensions and system processes for any signs of unusual activity. Organizations should consider implementing more security measures, like endpoint protection solutions, to detect and block such attacks.




  • Case Study: 2024 KnowBe4 North Korean Insider Threat

    Overview

    KnowBe4, a cybersecurity firm based in Florida that specializes in phishing training simulations, recently faced a security incident involving an insider threat. The situation unfolded in mid-July, when KnowBe4 hired an employee who was later discovered to have used a stolen identity to gain access to its systems. This individual, hired as a Principal Software Engineer, had posed as a legitimate candidate with the help of an AI-generated photo and a stolen US-based identity.

    On July 15th, 2024, KnowBe4 sent the employee a Mac workstation. As soon as it was received and started up, it began installing malware, which triggered alerts from KnowBe4’s endpoint detection and response software. The Security Operations Center (SOC) team observed the activity originating from the employee’s account at 9:55 pm EST and contacted the new hire to investigate the anomalies. The individual initially attributed the issues to troubleshooting actions on their router; however, further scrutiny revealed attempts to alter session history files, transfer files, and run software. It was also discovered that the perpetrator used a Raspberry Pi device to facilitate the download of the malware.

    Initially cooperative with SOC inquiries, the new hire later stopped responding. By 10:20 pm EST the security operations center had secured the device and stopped any further activity. Further inquiries, in cooperation with Mandiant and the FBI, revealed that the person involved was a North Korean agent who had assumed a false identity. The deployment of malware was deliberate and formed part of a plan that also included using VPNs and gaining remote access from North Korea.


    Impact

    This incident raised significant concerns; however, it’s worth noting that KnowBe4’s systems remained secure, with no data compromised and no malware executed. Once the suspicious activity was detected, KnowBe4’s SOC acted swiftly to contain the threat. The hacker had access only to basic communication tools—such as email, Slack, and Zoom—with no permissions to enter sensitive systems, customer data, or the company’s internal networks. The workstation provided to the hacker was also highly restricted, containing no preloaded data and equipped solely with endpoint security and management tools. Quick detection and isolation prevented any unauthorized data access or malware execution.

    What the incident did do, however, was reveal weaknesses in KnowBe4’s hiring and vetting processes, especially concerning remote employees. Consequently, the company has tightened these procedures; this includes implementing more stringent steps for shipping workstations and verifying the identities of new hires.

    Although there were no direct financial losses or legal consequences, the company did incur various costs related to investigating the breach, reinforcing security, and updating hiring practices. These measures are essential for maintaining the organization’s ongoing integrity and security.

    The impact and overview provided here are based on public statements and FAQs from KnowBe4 regarding the incident. While Netizen did not directly assist KnowBe4 in this case, the tactics used in this attack are similar to those observed in other social engineering incidents handled by Netizen for various clients.


    What Can Be Learned From This?

    In addressing insider threats similar to the North Korean hacker case reported by KnowBe4, organizations can implement several preventive measures to enhance their security posture and thereby mitigate the effects of such threats.

    One of the most effective strategies for preventing insider threats is comprehensive end-user awareness and training. Insiders, whether malicious or inadvertently negligent, often contribute to security breaches through a lack of knowledge or improper behavior. Regular training sessions—ideally conducted on a quarterly basis—should focus on educating employees about the dangers of insider threats, recognizing suspicious activity, and adhering to best practices for data protection. Training should cover topics such as maintaining strong passwords, recognizing phishing attempts, and understanding the importance of reporting unusual behavior. For example, employees should be instructed on how to handle confidential information and the importance of verifying unusual requests or communications.

    User and Entity Behavior Analytics (UEBA) tools are essential for identifying potential insider threats. UEBA tools analyze user behavior patterns to detect anomalies that may indicate malicious activity. A notable example is Splunk UBA, which helps establish baselines for normal user activities and flags deviations. Data loss prevention solutions also play an important role in monitoring and controlling the movement of sensitive data. Symantec Data Loss Prevention is a widely used DLP tool that can help organizations prevent unauthorized access and data transfers.

    Multifactor Authentication (MFA) is another very important component of a layered security approach designed to ward off insider threats. While MFA is often associated with mitigating external threats, it is also proven effective in preventing unauthorized access by insiders. MFA requires users to provide multiple forms of verification before gaining access to critical systems or data, including verification methods like one-time passcodes, biometric verification, or hardware tokens. By implementing MFA, organizations add an additional layer of security—reducing the risk of unauthorized access, even if credentials are compromised.

    Implementing network segmentation and strict access controls helps to contain and limit the potential impact of insider threats. By segmenting the network into distinct areas and applying access controls based on job roles and responsibilities, organizations can ensure that sensitive data and systems are accessible only to authorized personnel. For instance, a finance department should have separate network segments from other departments, with restricted access controls in place. This approach not only prevents unauthorized access but also limits the spread of malicious activity within the network.

    Effective monitoring and incident response are essential for managing insider threats. Continuous monitoring of user activities and network traffic can help identify unusual behavior that may indicate a potential threat. SIEM tools like Wazuh provide scalable and flexible log and event monitoring—enabling organizations to track user actions and detect anomalies. Coupled with a well-defined incident response plan, organizations can ensure that any suspicious activities are promptly investigated and addressed. This includes having clear procedures for handling and mitigating security incidents.

    Policy and procedure documentation is vital for managing insider threats. Organizations should develop and maintain detailed policies that outline procedures for reporting suspicious behavior, handling data breaches, and conducting regular security audits. Clear documentation helps ensure that all employees are aware of their responsibilities and the steps to take if they suspect malicious activity. Well-defined policies and procedures contribute to a structured and effective response to insider threats—minimizing confusion and improving overall security posture.

    By adopting these preventive measures, organizations can better safeguard against insider threats and reduce the impact of any potential incidents. Effective training, detection tools, access controls, and monitoring systems are key components of defense strategies—helping to protect sensitive information and maintain organizational security.




  • Understanding Policy Enforcement Points (PEP)

    A Policy Enforcement Point (PEP) is a critical component within the Attribute-Based Access Control (ABAC) architecture, ensuring the protection of enterprise data by enforcing access control. ABAC, also known as policy-based access control for Identity and Access Management (IAM), determines a subject’s authorization to perform specific operations by evaluating attributes associated with the subject, object, requested operations, and environmental factors.

    ABAC Architecture Overview

    ABAC comprises several key components:

    • Policy Enforcement Point (PEP): PEPs are responsible for protecting applications and data. They inspect requests and generate authorization requests, which are then sent to the Policy Decision Point (PDP).
    • Policy Decision Point (PDP): PDPs evaluate incoming requests against configured policies, returning a Permit/Deny decision. They may also use Policy Information Points (PIPs) to retrieve missing metadata.
    • Policy Information Point (PIP): PIPs connect the PDP to external attribute sources, such as LDAP or databases.
    • Policy Administration Point (PAP): PAPs manage policies, providing a centralized repository for policy administration.

    How Does a Policy Enforcement Point Work?

    In the ABAC architecture, a PEP functions by intercepting a user’s request to access a resource. It forms an authorization request based on the user’s attributes, the resource in question, the intended action, and other relevant details. This request is then sent to the PDP, which evaluates it against existing policies and decides whether access should be granted. The decision is communicated back to the PEP, which either allows or denies access based on the PDP’s evaluation.

    Importance of Policy Enforcement Points

    PEPs play a crucial role in maintaining security within an application by ensuring access control is enforced consistently and independently at multiple points. They work closely with PDPs to interpret policies and control access, without each PEP having to embed complex authorization logic of its own. This decentralized approach is particularly effective in SaaS applications, APIs, microservices, or any part of the application requiring stringent access control.

    PEP Implementation

    Implementing a PEP involves determining where access control enforcement should occur within an application. It is recommended to integrate PEPs at API endpoints to serve as logical checkpoints between different application functions. In monolithic applications, PEPs may be embedded within the application’s logic.

    The PEP requests an authorization decision from the PDP, typically by sending a request to a RESTful API exposed by the PDP. The PDP returns the decision in JSON format, which the PEP then evaluates to determine whether access should be granted. For more complex scenarios, PEPs may need to interpret more detailed JSON responses. Packaging PEP code as a reusable library or artifact in the preferred programming language can streamline integration across the application.
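    The PEP-to-PDP exchange described above, as an added example that is not code from the original article: the PEP builds an authorization request from subject, resource, action and environment attributes, hands it to a PDP, and enforces only an explicit Permit. The PDP here is an in-process stub with a deny-overrides, default-deny policy set, and the attribute names and JSON response shape are a hypothetical schema, not any standard.

```python
"""Minimal Policy Enforcement Point (PEP) for an ABAC flow (added example)."""
import json
from dataclasses import dataclass, field
from typing import Callable


@dataclass
class AccessRequest:
    """Attributes the PEP collects when it intercepts a request."""
    subject: dict
    resource: dict
    action: str
    environment: dict = field(default_factory=dict)


def build_authz_request(req: AccessRequest) -> str:
    """PEP side: serialize the attributes the PDP needs (hypothetical schema)."""
    return json.dumps({
        "subject": req.subject,
        "resource": req.resource,
        "action": req.action,
        "environment": req.environment,
    })


# --- Stub PDP (stands in for the RESTful PDP the PEP would normally call) ---
# Each policy: (name, predicate over the parsed request, effect).
POLICIES = [
    ("finance-read", lambda r: r["resource"].get("department") == "finance"
                               and r["subject"].get("department") == "finance"
                               and r["action"] == "read", "Permit"),
    ("owner-write", lambda r: r["resource"].get("owner") == r["subject"].get("id")
                              and r["action"] in ("read", "write"), "Permit"),
    ("off-hours-deny", lambda r: not 8 <= r["environment"].get("hour", 12) < 18, "Deny"),
]


def stub_pdp(authz_request_json: str) -> str:
    """Evaluate policies with deny-overrides and default deny; return JSON."""
    r = json.loads(authz_request_json)
    permits = []
    for name, predicate, effect in POLICIES:
        if predicate(r):
            if effect == "Deny":            # any matching Deny wins
                return json.dumps({"decision": "Deny", "policy": name})
            permits.append(name)
    if permits:
        return json.dumps({"decision": "Permit", "policy": permits[0]})
    return json.dumps({"decision": "Deny", "policy": None})  # default deny


# --- PEP enforcement ---------------------------------------------------------
def enforce(req: AccessRequest, pdp: Callable[[str], str] = stub_pdp) -> bool:
    """Fail closed: anything other than a well-formed explicit Permit is denied."""
    try:
        decision = json.loads(pdp(build_authz_request(req)))
    except (ValueError, TypeError):
        return False
    if not isinstance(decision, dict):
        return False
    return decision.get("decision") == "Permit"
```

In a real deployment `pdp` would be a function that POSTs the serialized request to the PDP's REST endpoint and returns its JSON body; the enforcement logic stays the same.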

    Conclusion

    Policy Enforcement Points (PEPs) are essential for robust access control in modern applications. They ensure that access policies are enforced consistently, adapt to changing security requirements, and provide logging and monitoring capabilities for compliance and post-incident analysis. By effectively implementing PEPs, organizations can enhance their security posture, reduce the risk of unauthorized access, and ensure compliance with security policies.

  • ESXi Hypervisor Critical Vulnerability (CVE-2024-37085) and Ransomware Exploitation

    Microsoft researchers identified a critical vulnerability in ESXi hypervisors that ransomware operators could exploit to gain full administrative permission over a domain-joined hypervisor. ESXi is a bare-metal hypervisor that gives direct control over the underlying hardware resources and hosts virtual machines, often quite important ones within a network. In a ransomware attack, full administrative access to an ESXi hypervisor lets threat actors encrypt its file system, disrupting every hosted server at once. Moreover, threat actors gain access to all hosted VMs, allowing data exfiltration or lateral movement within the network.

    The vulnerability, identified as CVE-2024-37085, arises from a default domain group that ESXi hypervisors grant full administrative access without proper validation. Microsoft disclosed this finding to VMware through Coordinated Vulnerability Disclosure via Microsoft Security Vulnerability Research, and VMware released a security update in response. Microsoft recommends that ESXi server administrators apply these updates and follow the mitigation and protection guidelines therein.


    Vulnerability Analysis and Exploitation Techniques

    Microsoft security researchers observed ransomware operators like Storm-0506, Storm-1175, Octo Tempest, and Manatee Tempest exploiting this vulnerability. In many cases, these attacks led to deployments of Akira and Black Basta ransomware. The exploitation technique involves running commands to create a group named “ESX Admins” in the domain and adding a user to it:

    net group "ESX Admins" /domain /add
    net group "ESX Admins" username /domain /add

    This method leverages the vulnerability in domain-joined ESXi hypervisors, allowing attackers to elevate privileges to full administrative access. The vulnerability arises because ESXi hypervisors consider any member of a group named “ESX Admins” to have full administrative access by default, even if the group did not originally exist. This group is not a built-in group in Active Directory and does not exist by default, and the membership is determined by name rather than security identifier (SID).

    Researchers identified three exploitation methods:

    1. Creating the “ESX Admins” Group: This method, actively exploited in the wild, involves creating the “ESX Admins” group and adding a user to it. Any domain user with the ability to create a group can escalate privileges by creating such a group and adding themselves or other users to it.
    2. Renaming a Group: This method involves renaming any group in the domain to “ESX Admins” and adding a user or using an existing member to escalate privileges. This method has not been observed in the wild by Microsoft.
    3. Privileges Refresh: Even if the network administrator assigns another group to manage the ESXi hypervisor, the full administrative privileges of the “ESX Admins” group are not immediately removed, allowing threat actors to abuse it. This method also has not been observed in the wild by Microsoft.
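    The three methods above share one detectable property: a group whose name matches the one ESXi trusts is created, renamed into existence, or gains a member. The following is an added example, not code from the article or from Microsoft's guidance, showing detection logic run over constructed directory-service audit records; the record schema (kind / actor / group / new_group / member) is hypothetical and must be mapped onto your own SIEM's group-management events. Because ESXi matches the group by name rather than SID, the check normalises names case-insensitively and collapses whitespace.

```python
"""Flag creation of, renaming to, or membership changes in the group name that
domain-joined ESXi trusts for administration (added example, CVE-2024-37085)."""
import re
from typing import Iterable, Optional, Set

# Name ESXi trusts by default; add your custom admin group if you changed it.
WATCHED_GROUPS: Set[str] = {"ESX Admins"}


def normalize(name: str) -> str:
    """Collapse whitespace and case so 'esx  ADMINS' matches 'ESX Admins'."""
    return re.sub(r"\s+", " ", name.strip()).casefold()


def is_watched(name: Optional[str], watched: Set[str] = WATCHED_GROUPS) -> bool:
    return name is not None and normalize(name) in {normalize(w) for w in watched}


def detect(events: Iterable[dict], watched: Set[str] = WATCHED_GROUPS) -> list:
    """Return one finding per suspicious event, tagged with the matching method."""
    findings = []
    for ev in events:
        kind = ev.get("kind")
        if kind == "group_created" and is_watched(ev.get("group"), watched):
            tag = "method1-group-created"
        elif (kind == "group_renamed"
              and is_watched(ev.get("new_group"), watched)
              and not is_watched(ev.get("group"), watched)):
            tag = "method2-group-renamed"
        elif kind == "member_added" and is_watched(ev.get("group"), watched):
            tag = "member-added"          # follows either method; also a refresh signal
        else:
            continue
        findings.append({
            "tag": tag,
            "actor": ev.get("actor"),
            "group": ev.get("new_group") or ev.get("group"),
            "member": ev.get("member"),
        })
    return findings


# Constructed sample records (hypothetical schema), not real telemetry.
SAMPLE_EVENTS = [
    {"kind": "group_created", "actor": "CORP\\jdoe", "group": "Marketing Leads"},
    {"kind": "group_created", "actor": "CORP\\jdoe", "group": "esx  admins"},
    {"kind": "member_added", "actor": "CORP\\jdoe", "group": "ESX Admins",
     "member": "CORP\\jdoe"},
    {"kind": "group_renamed", "actor": "CORP\\svc_ops", "group": "Printer Ops",
     "new_group": "ESX Admins"},
    {"kind": "member_added", "actor": "CORP\\hr", "group": "HR Staff",
     "member": "CORP\\newhire"},
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```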

    Ransomware Operators Targeting ESXi Hypervisors

    Over the past year, ransomware actors have increasingly targeted ESXi hypervisors. ESXi hypervisors are popular in corporate networks and are often targeted because many security products offer limited visibility into and protection for them. Encrypting an ESXi hypervisor file system enables one-click mass encryption, impacting every hosted VM and giving threat actors more time for lateral movement and credential theft.

    Microsoft has observed various ransomware operators, including Storm-0506, Storm-1175, Octo Tempest, and Manatee Tempest, supporting or selling ESXi encryptors like Akira, Black Basta, Babuk, LockBit, and Kuiper. The number of Microsoft Incident Response engagements involving ESXi hypervisor attacks has more than doubled in the last three years.


    Black Basta Ransomware Deployment by Storm-0506

    This critical hypervisor vulnerability has been exploited in the wild, and to great effect. Earlier this year, an engineering firm in North America was hit by a Black Basta ransomware deployment by Storm-0506. The attack exploited the CVE-2024-37085 vulnerability to gain elevated privileges on ESXi hypervisors. The threat actor initially accessed the organization via a Qakbot infection, followed by exploiting a Windows CLFS vulnerability (CVE-2023-28252) to elevate privileges on affected devices. They used Cobalt Strike and Pypykatz to steal domain administrator credentials and move laterally to domain controllers.

    On the compromised domain controllers, the attacker installed persistence mechanisms using custom tools and a SystemBC implant. They attempted to brute force RDP connections and installed Cobalt Strike and SystemBC on multiple devices. The attacker then created the “ESX Admins” group, added a new user, and used this access to encrypt the ESXi file system, affecting the hosted VMs. Microsoft Defender Antivirus and automatic attack disruption in Microsoft Defender for Endpoint stopped encryption attempts on devices with the unified agent installed.


    Mitigation and Protection Guidance

    Microsoft advises organizations using domain-joined ESXi hypervisors to apply the security update released by VMware to address CVE-2024-37085. Additional recommendations include:

    • Install Software Updates: Ensure the latest security updates from VMware are installed on all domain-joined ESXi hypervisors. If updates cannot be installed immediately, validate the “ESX Admins” group exists in the domain and is hardened. Manually deny access to this group in the ESXi hypervisor settings, change the admin group, and add custom detections in XDR/SIEM for new group names.
    • Credential Hygiene: Protect highly privileged accounts by enforcing multifactor authentication (MFA), enabling passwordless authentication methods, and isolating privileged accounts from productivity accounts.
    • Improve Critical Assets Posture: Identify and protect critical assets such as ESXi hypervisors and vCenters with the latest security updates, proper monitoring procedures, and backup and recovery plans.
    • Identify Vulnerable Assets: Deploy authenticated scans of network devices using SNMP via the Microsoft Defender portal to identify vulnerabilities in network devices like ESXi.

    Detection and Threat Intelligence

    Microsoft Defender for Endpoint and Microsoft Defender for Identity provide alerts that can indicate associated threat activity, such as suspicious modifications to the “ESX Admins” group, suspicious Windows account manipulation, and compromised accounts conducting hands-on-keyboard attacks. Microsoft customers can use reports in Microsoft Defender Threat Intelligence to get up-to-date information about threat actors and techniques. Hunting queries are available for Microsoft Defender XDR and Microsoft Sentinel to detect related activities.

