• Overview:

    • Phish Tale of the Week
    • Microsoft’s Response to the Midnight Blizzard Cyberattack
    • Environmental Services Industry Faces Unprecedented DDoS Attacks
    • How can Netizen help?

    Phish Tale of the Week

    Phishing campaigns rely on social engineering. In this email, the actors pose as Netflix and tell you that action is needed on the payment method attached to your account. The message politely explains that the account is on hold until the payment details are updated, and that they are notifying you so that you can take action. It reads as both urgent and genuine, so why not visit the link they sent? Luckily, there are several signs that this is a scam.

    Here’s how we can tell not to click on this phishing link:

    1. The first red flag is the sender’s address. Always inspect the actual sending address, not just the display name, to confirm it belongs to the company it claims to be. In this case the actors did not bother to spoof the address, and a glance at it makes clear that the email did not come from Netflix. Note that the reverse does not hold: a convincing-looking address is not proof of legitimacy, because the From header can be forged for domains that do not enforce SPF, DKIM and DMARC.
    2. The second warning sign is the messaging. The email tries to create urgency with phrases such as “Update your account now” and “Your account is on hold,” and the word “customer” is misspelled. Phishing messages routinely manufacture urgency so that you click before thinking. Read the wording of a message carefully before following any link in it.
    3. The final warning sign is the absence of genuine Netflix content. Large companies standardize their customer email: support links, a postal address, policy links and options to unsubscribe or change messaging preferences appear at the bottom of every message. This email carries a small footer, but a quick look shows it is only for show. It lacks every element of a credible Netflix email and can be dismissed as phishing.


    General Recommendations:

    A phishing attack typically directs the user to a link where they are prompted to enter personal information such as a password, credit card number, Social Security number, or bank account details. A legitimate company already holds this information and will not ask you to re-enter it, least of all through a link in an email.

    1. Scrutinize a message before clicking anything. Have you ordered something recently? Does the order number match one you already have? Did the message come from a store you do not usually buy from, or a service you do not use? If so, it is probably a phishing attempt.
    2. Verify that the sender really belongs to the company the message claims to come from.
    3. Did the message come from someone you do not recognize? Does it ask you to sign in to a website and provide Personally Identifiable Information (PII) such as a credit card number or Social Security number? A legitimate company will never ask for PII over instant message or email.
    4. Do not give out personal or company information over the internet in response to an unsolicited request.
    5. Do not click on unrecognized links or attachments. If you do proceed, check that the URL is the company’s real domain. HTTPS is necessary but not sufficient: the padlock only means the connection is encrypted, and phishing sites routinely obtain valid certificates, so it says nothing about who operates the site.

    Many phishing messages convey urgency or even aggression to intimidate the reader. Any message demanding immediate action should be vetted thoroughly before you act on it. Be equally wary of messages designed to tempt you into opening an attachment or visiting a link; an attachment named “Fix your account now” is meant to make you ask “What is wrong with my account?” and click.
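
    The three checks above (sender domain, urgency wording, link destination) can be automated for mail triage. The following is an added example written for this newsletter, not a Netizen tool and not code from the page’s original source: it parses a raw message with Python’s standard library and reports each red flag. The brand domain list, the urgency phrase list and both sample messages are constructed for the example.

```python
from __future__ import annotations

import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption for the example: the domains a brand legitimately mails from and links to.
BRAND_DOMAINS = {"netflix": {"netflix.com"}}

# Phrases that manufacture urgency; extend from real samples in your own mail flow.
URGENCY_PHRASES = (
    "update your account now",
    "your account is on hold",
    "immediate action required",
    "within 24 hours",
)

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def registrable_domain(host: str) -> str:
    """Crude registrable domain (last two labels). Fine for the .com names used here;
    real tooling should consult the Public Suffix List so that 'netflix.co.uk' works."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def plain_text_body(msg) -> str:
    """Collect the text/plain parts of a parsed message."""
    if not msg.is_multipart():
        return msg.get_payload(decode=True).decode(errors="replace")
    return "".join(
        part.get_payload(decode=True).decode(errors="replace")
        for part in msg.walk()
        if part.get_content_type() == "text/plain"
    )


def triage(raw_message: str, brand: str) -> list[str]:
    """Return the red flags found in a raw RFC 5322 message that claims to come from `brand`."""
    msg = message_from_string(raw_message)
    expected = BRAND_DOMAINS[brand]
    flags: list[str] = []

    # 1. Sender: compare the mailbox domain, not the display name, to the brand's domains.
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = registrable_domain(addr.partition("@")[2]) if "@" in addr else ""
    if sender_domain not in expected:
        flags.append(f"sender domain {sender_domain!r} is not a {brand} domain")
        if brand in display.lower():
            flags.append(f"display name {display!r} impersonates {brand}")

    body = plain_text_body(msg)

    # 2. Messaging: urgency language.
    hits = [p for p in URGENCY_PHRASES if p in body.lower()]
    if hits:
        flags.append("urgency language: " + "; ".join(hits))

    # 3. Links: every link should land on a brand domain. HTTPS by itself proves nothing,
    #    so the scheme is deliberately not treated as a trust signal.
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname or ""
        if registrable_domain(host) not in expected:
            flags.append(f"link {url} points to {host!r}, not a {brand} domain")

    return flags


# Constructed sample messages (not real mail).
PHISH = """\
From: "Netflix Support" <billing-alerts@nflx-account-verify.com>
To: you@example.com
Subject: Your account is on hold
Content-Type: text/plain

Dear Costumer,

Your account is on hold because we could not validate your payment method.
Update your account now: https://secure-login.nflx-account-verify.com/update

Netflix Support Team
"""

LEGIT = """\
From: "Netflix" <info@account.netflix.com>
To: you@example.com
Subject: Your monthly receipt
Content-Type: text/plain

Your receipt is available at https://www.netflix.com/account/billing

Questions? Visit https://help.netflix.com
"""

if __name__ == "__main__":
    for name, raw in (("phish", PHISH), ("legit", LEGIT)):
        print(name, triage(raw, "netflix") or ["no flags"])
```

    The sample phish produces four flags (foreign sender domain, impersonating display name, urgency wording, and a link off the brand domain) while the legitimate receipt produces none. Such a script is a triage aid, not a verdict: a message with zero flags can still be phishing, and the urgency list needs to be kept current from real samples.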

    Cybersecurity Brief

    In this month’s Cybersecurity Brief:

    Microsoft’s Response to the Midnight Blizzard Cyberattack

    The intrusion into Microsoft’s corporate systems by the Russian state-sponsored group Midnight Blizzard (also known as NOBELIUM, the actor behind the 2020 SolarWinds compromise), detected on January 12, 2024 and disclosed a week later, is a reminder that persistent, well-resourced adversaries target even the best-defended organizations. This analysis looks at the nature of the attack, Microsoft’s response, and the broader implications for the industry.

    Midnight Blizzard gained its initial foothold with a password spray attack, in which a small number of common passwords are tried against a large number of accounts. The low attempt count per account keeps the activity under lockout thresholds and beneath conventional brute-force alerts, and the technique succeeds wherever an account still relies on single-factor authentication. In this case the sprayed account was a legacy, non-production test tenant account that did not have multi-factor authentication enabled. From that foothold the actor abused a legacy test OAuth application that held elevated access into Microsoft’s corporate environment, created additional OAuth applications and granted them the Office 365 Exchange Online full_access_as_app role, and used that access to read a small number of corporate mailboxes, including those of senior leadership and of staff in the cybersecurity and legal functions. The targeting underscores the strategic intent behind the operation: the actor was looking for what Microsoft knew about Midnight Blizzard itself.

    Microsoft’s response was swift once the activity was detected. The investigation established that the attack had begun in late November 2023. Microsoft removed the actor’s access, notified the employees whose mailboxes were accessed, and stated that it had found no evidence the actor reached customer environments, production systems, source code or AI systems. Its public disclosure and the accompanying SEC Form 8-K filing followed the SEC’s new cybersecurity incident reporting rules, which took effect in December 2023.

    A pivotal part of Microsoft’s response was the acceleration of its Secure Future Initiative (SFI), announced in November 2023. Microsoft committed to applying its current security standards to legacy systems and internal business processes even where doing so disrupts existing operations, an acknowledgement that the legacy test tenant and legacy OAuth application at the center of this incident were exactly the kind of asset those standards had not yet reached. SFI is aimed at immediate threats as well as at preparing for the next generation of attacks.

    Microsoft’s handling of the breach also illustrates the growing role of regulatory compliance in incident response. Its prompt reporting under the SEC’s new disclosure rules shows that immediate and ongoing disclosure is now an expectation for public companies, and signals to other corporations that regulatory obligations have to be built into their incident response plans rather than handled after the fact.

    The breach points to a set of concrete controls: multi-factor authentication on every account, including test, legacy and service accounts; retirement of test tenants and applications that no longer have an owner; regular review of OAuth applications and the permissions granted to them, since an over-privileged application is an identity too; least privilege enforced through endpoint privilege management; and identity threat detection and response that can recognize low-and-slow sign-in failures spread across many accounts, including from residential proxy networks that change source IP between attempts.
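
    The low-and-slow pattern described above is detectable in sign-in telemetry if the detection looks for breadth rather than depth. The following is an added example written for this brief, not Microsoft’s or Netizen’s detection logic: it reads constructed sign-in events in a made-up “timestamp user source-ip RESULT” format (an assumption standing in for Entra ID sign-in logs or similar) and flags any source that fails against many distinct accounts with few attempts each, then lists accounts that later authenticated successfully from the same source.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class SignIn:
    ts: datetime
    user: str
    source_ip: str
    success: bool


def parse_line(line: str) -> SignIn:
    """Parse one constructed log line: '<ISO-8601 time> <user> <source ip> SUCCESS|FAILURE'."""
    ts, user, ip, result = line.split()
    return SignIn(datetime.fromisoformat(ts), user, ip, result == "SUCCESS")


def detect_spray(events, window=timedelta(hours=1), min_users=5, max_per_user=3):
    """Flag sources whose failures inside any `window` touch at least `min_users`
    distinct accounts with no more than `max_per_user` failures per account.

    That shape (wide, shallow) is the spray signature; a brute force against one
    account is deep and narrow and is deliberately not matched here.
    Returns {source_ip: {"users": n, "since": datetime, "compromised": [user, ...]}},
    where "compromised" lists accounts that authenticated successfully from the
    same source after the spray began.
    """
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_ip[e.source_ip].append(e)

    findings = {}
    for ip, evs in by_ip.items():
        failures = [e for e in evs if not e.success]
        best = None
        start = 0
        for end in range(len(failures)):
            # advance the window's left edge so it spans at most `window`
            while failures[end].ts - failures[start].ts > window:
                start += 1
            per_user = defaultdict(int)
            for e in failures[start:end + 1]:
                per_user[e.user] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                if best is None or len(per_user) > best[0]:
                    best = (len(per_user), failures[start].ts)
        if best is not None:
            users, since = best
            compromised = sorted({e.user for e in evs if e.success and e.ts >= since})
            findings[ip] = {"users": users, "since": since, "compromised": compromised}
    return findings


# Constructed sample: one spray from 203.0.113.7 that eventually lands on a
# forgotten test account, one classic brute force from 198.51.100.9 against a
# single user, and one ordinary typo-then-success from 192.0.2.50.
SPRAY = [
    "2023-11-27T02:00:05 alice 203.0.113.7 FAILURE",
    "2023-11-27T02:00:09 bob 203.0.113.7 FAILURE",
    "2023-11-27T02:00:14 carol 203.0.113.7 FAILURE",
    "2023-11-27T02:00:19 dave 203.0.113.7 FAILURE",
    "2023-11-27T02:00:23 test-tenant-admin 203.0.113.7 FAILURE",
    "2023-11-27T02:00:28 erin 203.0.113.7 FAILURE",
    "2023-11-27T02:31:02 test-tenant-admin 203.0.113.7 SUCCESS",
]
BRUTE_FORCE = [f"2023-11-27T02:05:{s:02d} alice 198.51.100.9 FAILURE" for s in range(0, 60, 3)]
TYPO = [
    "2023-11-27T09:12:44 bob 192.0.2.50 FAILURE",
    "2023-11-27T09:12:50 bob 192.0.2.50 SUCCESS",
]


def sample_findings():
    """Run the detector over the constructed sample."""
    return detect_spray(parse_line(l) for l in SPRAY + BRUTE_FORCE + TYPO)


if __name__ == "__main__":
    for ip, f in sample_findings().items():
        print(f"{ip}: sprayed {f['users']} accounts since {f['since']}; "
              f"later succeeded as {f['compromised'] or 'nobody'}")
```

    Only 203.0.113.7 is reported: six accounts, one failure each, followed by a success on the test account. In production, group by more than source IP. Microsoft noted that Midnight Blizzard used residential proxy infrastructure, so successive attempts may arrive from different addresses; grouping by ASN or user agent, or simply counting distinct accounts failing per interval across all sources, catches that variant. A spray that ends in a success is an incident, not an alert, so the “compromised” list should go straight to investigation.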

    The implications extend beyond Microsoft. Any organization with a long history has legacy tenants, test accounts and forgotten applications with more access than anyone remembers granting, and inventorying them is the first step. Organizations are advised to adopt continuous monitoring and threat detection, to make their security frameworks adaptive and responsive, and to train their workforce regularly on current attacker tradecraft.

    In conclusion, the Midnight Blizzard breach at Microsoft reflects the complex and evolving challenges in the global security landscape. The lessons from Microsoft’s experience are valuable for organizations everywhere as they navigate an increasingly sophisticated threat environment. The incident underscores the need for stronger identity controls, proactive response strategies, and transparent communication in the face of modern threats.


    Environmental Services Industry Faces Unprecedented DDoS Attacks

    The environmental services industry, a sector not traditionally in attackers’ crosshairs, has recently seen an alarming spike in attacks. Cloudflare’s DDoS threat report for the fourth quarter of 2023 recorded a 618% year-over-year increase in HTTP-based distributed denial-of-service (DDoS) attacks against the sector, and in that quarter attack traffic accounted for 61.3% of all HTTP traffic the industry received, a figure that shows how concentrated the assault was.

    The timing is notable: the attacks coincided with COP28, the UN climate conference held in Dubai from late November to mid-December 2023. A pattern of this kind suggests deliberate targeting when environmental issues are in the global spotlight, and points to an emerging link between environmental events and cyberattacks, with attackers choosing targets for their visibility at a given moment rather than for the data they hold.

    Other industries continue to bear the brunt. Cryptocurrency, gaming and gambling, and telecommunications remain among the most targeted sectors, which underlines how wide the range of vulnerable industries is. Attack sources are geographically diverse, with several countries contributing substantially. That distribution reflects how widely the bots and compromised infrastructure used to launch attacks are spread, and it is why blocking by source country alone is rarely an effective mitigation.

    DDoS attacks continue to grow in frequency, duration and sophistication. Attackers employ more complex strategies, spread their traffic across a wider range of destination IPs and combine multiple vectors in a single campaign (for example an HTTP flood alongside a network-layer amplification attack), so that a defense tuned for one vector is bypassed by another. For most organizations the practical consequence is that volumetric attacks must be absorbed upstream, by a CDN, a scrubbing service or provider-level mitigation, with on-premises controls reserved for application-layer filtering and rate limiting. Organizations across industries must therefore harden their defenses, deploy monitoring that can distinguish attack traffic from legitimate load, and remain vigilant against attackers’ changing tactics.



    How Can Netizen Help?

    Netizen ensures that security gets built-in and not bolted-on. Providing advanced solutions to protect critical IT infrastructure such as the popular “CISO-as-a-Service” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time. 

    We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type. 

    Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.

    Netizen is a CMMI V2.0 Level 3, ISO 9001:2015, and ISO 27001:2013 (Information Security Management) certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans. 

  • Netizen: January 2024 Vulnerability Review

    Managing newly disclosed security vulnerabilities is a routine part of any organization’s security program, and prompt patching and remediation are critical to keeping the external attack surface small. Netizen’s Security Operations Center (SOC) has compiled five vulnerabilities from January that should be patched or otherwise addressed immediately if present in your environment. Detailed writeups follow:

    CVE-2023-6549

    A buffer overflow in NetScaler ADC and NetScaler Gateway allows an unauthenticated denial of service. The vulnerability is rated HIGH by both scorers, although the CVSS v3 base scores differ: NIST rates it 7.5/10 and Citrix rates it 8.2/10. Affected builds are NetScaler ADC and Gateway 14.1 before 14.1-12.35, 13.1 before 13.1-51.15 and 13.0 before 13.0-92.21, plus NetScaler ADC 12.1-FIPS and 12.1-NDcPP before 12.1-55.302; other 12.1 builds are end of life and receive no fix. The flaw stems from improper restriction of operations within the bounds of a memory buffer (CWE-119), and exploitation requires no privileges (PR:N), no user interaction (UI:N) and only low attack complexity (AC:L). Per Citrix, the appliance is only exposed when configured as a Gateway (VPN virtual server, ICA Proxy, CVPN or RDP Proxy) or as an AAA virtual server, which is precisely the configuration that faces the internet in most deployments. The CVE is listed in CISA’s Known Exploited Vulnerabilities catalog, meaning it has been exploited in the wild. There is no workaround: upgrade to the fixed build for your branch. For details see Citrix’s bulletin at https://support.citrix.com/article/CTX584986/netscaler-adc-and-netscaler-gateway-security-bulletin-for-cve20236548-and-cve20236549.

    CVE-2023-6548

    This vulnerability is an improper control of code generation (‘code injection’, CWE-94) in NetScaler ADC and NetScaler Gateway that lets an attacker who already has low-privileged access to the management interface (reachable on the NSIP, the CLIP, or a SNIP with management access enabled) execute code on the appliance. The scores diverge more sharply here: NIST assigns 8.8/10 (HIGH) while Citrix assigns 5.5/10 (MEDIUM), the difference lying in how the two rate the attack vector and the confidentiality, integrity and availability impacts. Affected builds are the same as for CVE-2023-6549: 14.1 before 14.1-12.35, 13.1 before 13.1-51.15, 13.0 before 13.0-92.21, and 12.1-FIPS and 12.1-NDcPP before 12.1-55.302. Exploitation requires low privileges (PR:L) but no user interaction (UI:N) and only low attack complexity (AC:L); NIST rates all three impacts as high. The CVE is in CISA’s Known Exploited Vulnerabilities catalog (added 01/17/2024, remediation due 01/24/2024). Upgrade to the fixed builds and, as Citrix has long advised, keep the management interface off the internet and on a separate, access-controlled management network; that single control turns this from a remotely reachable bug into one that requires an internal foothold. Details and fixed builds are in Citrix’s bulletin at https://support.citrix.com/article/CTX584986/netscaler-adc-and-netscaler-gateway-security-bulletin-for-cve20236548-and-cve20236549.

    CVE-2024-0519

    This vulnerability is an out-of-bounds memory access in V8, the JavaScript engine in Google Chrome, affecting versions prior to 120.0.6099.224. A remote attacker can trigger heap corruption through a crafted HTML page, which is the usual first step toward code execution in the renderer process. Chromium’s security team rated it High severity, and Google stated that an exploit exists in the wild. The NIST CVSS v3 base score is 8.8/10 (HIGH), with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H: remotely exploitable (AV:N), low attack complexity (AC:L), no privileges required (PR:N), but user interaction needed (UI:R), which here means nothing more than visiting a page. Scope is unchanged (S:U) and the impact on confidentiality, integrity and availability is high (C:H/I:H/A:H). The weakness is CWE-787 (Out-of-bounds Write), in which the software writes past the end, or before the beginning, of the intended buffer and corrupts memory. The CVE is in CISA’s Known Exploited Vulnerabilities catalog. Update Chrome to 120.0.6099.224 or later and restart the browser, since Chrome keeps running the old binary until it is relaunched; other Chromium-based browsers pick up the same V8 fix on their own release schedules and should be checked separately. Details are in the Chrome release notes at https://chromereleases.googleblog.com/2024/01/stable-channel-update-for-desktop_16.html.

    CVE-2023-34048

    This vulnerability is an out-of-bounds write in vCenter Server’s implementation of the DCERPC protocol. A malicious actor with network access to vCenter Server can trigger it to achieve remote code execution without authentication. VMware assigned a CVSS base score of 9.8/10 (CRITICAL) and NIST concurs. The vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H: remotely exploitable (AV:N), low attack complexity (AC:L), no privileges (PR:N) or user interaction (UI:N) required, unchanged scope (S:U), and high impact on confidentiality, integrity and availability (C:H/I:H/A:H). The weakness is CWE-787 (Out-of-bounds Write): the software writes past the end, or before the beginning, of the intended buffer, corrupting memory in a way that can be steered into code execution. The CVE is in CISA’s Known Exploited Vulnerabilities catalog, confirming active exploitation. The fix shipped in VMSA-2023-0023 (October 2023) for vCenter Server 8.0 (8.0U2 and 8.0U1d) and 7.0 (7.0U3o) and for VMware Cloud Foundation; because of the severity, VMware also made patches available for the 6.7 and 6.5 lines, which are past general support. There is no in-product workaround, so until the patch is applied, vCenter’s management interfaces should be reachable only from a tightly restricted administrative network. CISA’s directive requires applying the vendor’s mitigations or discontinuing use of the product by 02/12/2024. For details see VMware’s advisory at https://www.vmware.com/security/advisories/VMSA-2023-0023.html.

    CVE-2023-46604

    This critical vulnerability is in the Java OpenWire protocol marshaller used by Apache ActiveMQ. A remote attacker with network access to an OpenWire broker (by default TCP port 61616) or to a Java OpenWire client can execute arbitrary shell commands by manipulating the serialized class types in the OpenWire protocol, which causes the marshaller to instantiate any class on the classpath; public exploits use this to load a Spring ClassPathXmlApplicationContext pointed at an attacker-hosted XML bean definition, which yields remote code execution. NIST and the Apache Software Foundation (the CNA) both rate it CRITICAL but differ on the number: NIST assigns 9.8/10 with scope unchanged (S:U), while Apache assigns 10.0/10 with scope changed (S:C). Both agree on high impact on confidentiality, integrity and availability (C:H/I:H/A:H), low attack complexity (AC:L), and no privileges or user interaction required (PR:N/UI:N). The weakness is CWE-502 (Deserialization of Untrusted Data). Affected versions are Apache ActiveMQ 5.18.0 before 5.18.3, 5.17.0 before 5.17.6, 5.16.0 before 5.16.7, and everything before 5.15.16, together with the Apache ActiveMQ Legacy OpenWire Module in the corresponding ranges; the fixed releases (5.15.16, 5.16.7, 5.17.6 and 5.18.3) are not affected. Upgrade both brokers and clients, since a Java client that parses OpenWire from a hostile broker is exposed as well, and do not leave the broker port reachable from untrusted networks. The CVE is in CISA’s Known Exploited Vulnerabilities catalog with a remediation due date of 11/23/2023, and it has been used in the wild by ransomware operators, so any internet-facing broker that was unpatched should be treated as compromised until proven otherwise.
    For more information and detailed guidance, refer to Apache’s advisory at https://activemq.apache.org/security-advisories.data/CVE-2023-46604-announcement.txt and to advisories from relevant cybersecurity sources.
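
    The NetScaler and ActiveMQ version ranges above, and Chrome’s single cut-off, are the kind of thing a SOC checks across an asset inventory rather than by hand. The following is an added example written for this review, not a vendor tool and not Netizen’s scanner: it encodes the first fixed build of each branch as transcribed from the writeups above and compares an installed version string against it. The version string formats are assumed to match those the vendors use in their advisories, and the inventory at the bottom is constructed.

```python
from __future__ import annotations

import re

# First fixed build per branch, transcribed from the advisories cited above.
# Any build below the fixed one in the same branch is affected.
FIXED = {
    "CVE-2023-6549 / CVE-2023-6548 (NetScaler ADC and Gateway)": {
        "12.1": "12.1-55.302",   # 12.1-FIPS and 12.1-NDcPP only; plain 12.1 is end of life
        "13.0": "13.0-92.21",
        "13.1": "13.1-51.15",
        "14.1": "14.1-12.35",
    },
    "CVE-2023-46604 (Apache ActiveMQ)": {
        "5.15": "5.15.16",
        "5.16": "5.16.7",
        "5.17": "5.17.6",
        "5.18": "5.18.3",
    },
    "CVE-2024-0519 (Google Chrome)": {
        "120": "120.0.6099.224",
    },
}


def parse_version(v: str) -> tuple[int, ...]:
    """Turn '13.1-51.15', '5.18.3' or '120.0.6099.224' into a comparable tuple.
    Only numeric fields are kept, so a suffix such as '-FIPS' is ignored."""
    return tuple(int(x) for x in re.findall(r"\d+", v))


def branch_of(installed: str, branches: dict[str, str]) -> str | None:
    """Longest branch key that is a numeric prefix of `installed`, or None."""
    pv = parse_version(installed)
    best = None
    for b in branches:
        pb = parse_version(b)
        if pv[:len(pb)] == pb and (best is None or len(pb) > len(parse_version(best))):
            best = b
    return best


def is_affected(advisory: str, installed: str) -> bool | None:
    """True if `installed` is below the first fixed build of its branch, False if at or above it.

    When the version is on no listed branch: older than every fixed line means no fix exists
    for it (treated as affected); newer than every fixed line is treated as fixed; anything
    in between is unknown (None) and needs a look at the advisory.
    """
    branches = FIXED[advisory]
    pv = parse_version(installed)
    b = branch_of(installed, branches)
    if b is not None:
        return pv < parse_version(branches[b])
    fixed = sorted(parse_version(v) for v in branches.values())
    if pv < fixed[0]:
        return True
    if pv > fixed[-1]:
        return False
    return None


def report(inventory: dict[str, list[str]]) -> dict[str, list[str]]:
    """Map each advisory to the inventory entries that still need attention
    (affected, or unknown). `inventory` is {advisory: [installed version, ...]}."""
    return {adv: [v for v in versions if is_affected(adv, v) is not False]
            for adv, versions in inventory.items()}


if __name__ == "__main__":
    # Constructed inventory for illustration.
    sample = {
        "CVE-2023-6549 / CVE-2023-6548 (NetScaler ADC and Gateway)": ["13.1-49.13", "14.1-12.35", "12.0-63.39"],
        "CVE-2023-46604 (Apache ActiveMQ)": ["5.18.2", "5.15.16", "5.14.5"],
        "CVE-2024-0519 (Google Chrome)": ["120.0.6099.199", "121.0.6167.85"],
    }
    for adv, needs_patch in report(sample).items():
        print(f"{adv}: {needs_patch or 'all fixed'}")
```

    The check deliberately treats a version older than every fixed branch (an end-of-life NetScaler 12.0 build, an ActiveMQ 5.14) as affected rather than unknown, because no fix will ever arrive for it and the only remediation is an upgrade to a supported line.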


    Questions or concerns? Feel free to reach out to us any time –

    https://www.netizen.net/contact

  • AI-Powered SIEM: The Future of Threat Detection and Monitoring

    Data volumes keep growing and attacks keep getting more sophisticated, and the integration of AI into SIEM tools has moved from a nice-to-have enhancement to a strategic necessity. The shift from traditional to AI-assisted SIEM makes these systems more efficient, more accurate and more proactive parts of an organization’s security infrastructure. As the sections below show, AI is becoming a core component of detection rather than an add-on.

    Enhanced Detection and Analysis with AI

    Machine learning (ML) in particular has changed what SIEM tools can do in detection and analysis. Traditional SIEMs rely on rule-based correlation: they are precise about what they are told to look for and blind to everything else, and they struggle to keep up with the volume and variety of modern telemetry. AI-assisted SIEMs complement those rules with models that learn what normal looks like for each user, host and service and flag deviations from it. The trade-off is that a model is only as good as the baseline it was trained on, so these systems need clean historical data, a tuning period, and analysts who can tell a real anomaly from a benign change in behavior. The investment matters in a landscape where the global average cost of a data breach has risen significantly.

    Necessity of AI in Cybersecurity

    A report by the Capgemini Research Institute reveals that nearly two-thirds of firms believe they cannot identify critical threats without AI. This underscores the growing reliance on AI technologies in cybersecurity. The rapid adoption of AI is evident, with almost three-quarters of firms actively testing AI in various cybersecurity use cases, highlighting the increasing confidence and investment in AI technologies to bolster cybersecurity defenses.

    APTs and Proactive Threat Hunting

    AI’s predictive capabilities in SIEM tools enable proactive threat hunting, which is vital in reducing the time to identify and contain a breach and so improves response and mitigation. AI is particularly effective at identifying insider threats and advanced persistent threats (APTs), both of which are notoriously hard to detect with static rules because they deliberately stay within normal-looking activity. Behavioral models can discern subtle changes in a user’s or host’s activity, such as a rise in data sent to external destinations that may signal exfiltration by a compromised insider.
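
    A concrete form of the behavioral detection described above, as an added example written for this article and not any vendor’s SIEM logic: it scores each user’s daily outbound data volume against that user’s own history using a robust z-score (median and median absolute deviation), and contrasts the result with a fixed global threshold rule. The figures are constructed; in practice they would come from proxy or firewall logs, and the thresholds are assumptions to be tuned per environment.

```python
from statistics import median

# Constructed: megabytes uploaded to external hosts per user per day, 14 days of
# history followed by today's value as the last element.
DAILY_EGRESS_MB = {
    "alice": [4, 6, 5, 5, 7, 4, 6, 5, 5, 6, 4, 5, 6, 5, 420],        # quiet user, sudden spike
    "bob":   [900, 1100, 950, 1000, 1200, 980, 1050, 990, 1010,
              1000, 1100, 950, 1020, 990, 1150],                      # heavy but steady (backups)
    "carol": [30, 25, 40, 35, 28, 33, 31, 29, 36, 27, 34, 30, 32, 31, 38],
}

STATIC_RULE_MB = 1000   # assumed fixed threshold of a traditional correlation rule


def static_rule(history):
    """Rule-based: alert if today's value exceeds one global threshold."""
    return history[-1] > STATIC_RULE_MB


def robust_z(history, min_history=7):
    """Robust z-score of today's value against this user's own past days.

    Median and MAD are used instead of mean and standard deviation so that a
    single earlier outlier does not inflate the baseline and hide the next one.
    1.4826 scales MAD to the standard deviation of a normal distribution.
    Returns None when there is too little history to judge.
    """
    past, today = history[:-1], history[-1]
    if len(past) < min_history:
        return None
    med = median(past)
    mad = median(abs(x - med) for x in past)
    scale = 1.4826 * mad if mad > 0 else 1.0   # constant history: treat one unit as sigma
    return (today - med) / scale


def baseline_rule(history, threshold=5.0):
    """Behavioral: alert if today is more than `threshold` robust sigmas above the baseline."""
    z = robust_z(history)
    return z is not None and z > threshold


def evaluate(data):
    """Return {user: (static_alert, baseline_alert, z_score)} for every user."""
    return {u: (static_rule(h), baseline_rule(h), robust_z(h)) for u, h in data.items()}


if __name__ == "__main__":
    for user, (static, behavioral, z) in evaluate(DAILY_EGRESS_MB).items():
        print(f"{user:6} static={static!s:5} behavioral={behavioral!s:5} z={z:8.1f}")
```

    The static rule fires on bob, whose 1,150 MB is ordinary for him, and stays silent on alice, whose 420 MB is roughly eighty times her normal day; the per-user baseline does the opposite. Neither rule is sufficient alone, which is why AI-assisted SIEMs layer the two rather than replace one with the other.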

    Emerging Trends in AI and Cybersecurity

    Recent insights from Gartner highlight significant trends shaping the future of AI in cybersecurity:

    1. Cloud Data Ecosystems: The shift towards cloud-native solutions is accelerating, with 50% of new system deployments in the cloud expected to be based on cohesive cloud data ecosystems in 2024.
    2. Edge AI: More than 55% of all deep neural network data analysis is predicted to occur at the edge by 2025, emphasizing the growing importance of Edge AI in real-time threat detection.
    3. Responsible AI: The concentration of pretrained AI models among a small percentage of vendors by 2025 raises concerns about responsible AI as a societal issue.
    4. Data-Centric AI: In 2024, 60% of data for AI is expected to be synthetic, enhancing threat simulation and detection capabilities in SIEM systems.
    5. Accelerated AI Investment: Over $10 billion is predicted to be invested in AI startups relying on foundation models by the end of 2026, reflecting the increasing investment in AI technologies, including those used in SIEM systems.

    Conclusion

    The integration of AI into SIEM tools is a significant advance. With enhanced detection, behavioral baselining and proactive threat hunting, AI-assisted SIEM is becoming an essential part of modern security operations, provided the models are fed good data and the alerts they generate are reviewed by analysts who understand the environment. As the technology matures, the pairing of AI with traditional correlation rules, rather than the replacement of one by the other, is what will produce a more secure environment.


  • The FTC’s Crackdown on Location Data Misuse: InMarket’s Landmark Settlement

    The Federal Trade Commission’s (FTC) enforcement actions of January 18, 2024 signal a significant shift in the regulatory landscape for consumer privacy and data protection. One of the most striking is the proposed settlement with InMarket Media, a Texas-based data aggregator. The case matters not only for InMarket but for the message it sends to the industry about the handling of sensitive consumer data, particularly location information.

    The Case Against InMarket

    InMarket, known for collecting location data through various sources, including its apps and third-party applications, faced FTC charges for not fully informing consumers or obtaining their consent before using their location data for marketing purposes. The company’s practices included creating audience segments based on consumers’ visits to specific locations, enabling targeted advertising. What is alarming is the scope of this data collection, with InMarket maintaining nearly 2,000 audience segment lists with categories as specific as “parents of preschoolers” and “Christian churchgoers.”

    FTC’s Stance: Protecting Consumer Privacy

    FTC Chair Lina M. Khan’s statement underscores the agency’s stance on protecting Americans from “unchecked corporate surveillance.” The FTC’s complaint highlights that InMarket did not obtain informed consent from users of its apps, such as CheckPoints and ListEase, while also failing to ensure third-party apps using its SDK had obtained this consent. Furthermore, the FTC criticized the company’s policy of retaining geolocation data for five years as excessive and risky.

    The Settlement: A New Precedent in Data Privacy

    Under the proposed order, InMarket is to cease selling or licensing precise location data, a first for the FTC. This includes a comprehensive set of actions to protect consumer data, such as deleting previously collected location data, providing mechanisms for consumer consent withdrawal, and establishing a privacy program. These measures reflect an unprecedented level of regulatory intervention in the realm of data privacy, particularly concerning location information.

    Implications and Future Outlook

    This case, along with the FTC’s action against X-Mode Social and Outlogic earlier this month, represents a growing trend in stringent enforcement against the misuse of consumer data. The penalties are severe, with each violation of the order potentially resulting in a civil penalty of up to $51,744. These actions signal a clear message to companies about the importance of informed consent and responsible data handling. As the industry adapts to these changes, we may see a significant shift in how companies collect, use, and protect consumer data, with a heightened focus on privacy and transparency.

    A Turning Point in Data Privacy

    The FTC’s recent actions, particularly the InMarket settlement, mark a turning point in data privacy regulation. These developments are likely to have far-reaching implications, not only for data aggregators but for all entities involved in the collection and use of consumer data. As regulatory bodies intensify their focus on protecting consumer privacy, companies must reevaluate their data practices to align with these evolving standards, ensuring that consumer rights are at the forefront of their operations.


  • OpenAI: New Ventures in Military Collaboration

    In a significant shift, OpenAI, the creator of ChatGPT, has announced collaboration with the Pentagon on various software projects, including those related to cybersecurity. This announcement marks a substantial departure from the organization’s prior stance, as it had previously imposed a ban on employing its artificial intelligence technology for military purposes.

    Military Engagement and Ethical Boundaries

    Anna Makanju, OpenAI’s Vice President of Global Affairs, stated at the World Economic Forum, “Because we previously had what was essentially a blanket prohibition on military, many people thought that would prohibit many of these use cases, which people think are very much aligned with what we want to see in the world.” This statement underscores the organization’s revised approach towards military engagements, focusing on defensive and humanitarian applications rather than offensive military capabilities.

    Silicon Valley’s Changing Perspective

    Reflecting a broader trend in Silicon Valley, attitudes towards military collaboration have softened. The contrast is stark compared to 2018, when internal protests at Google highlighted the tech industry’s reluctance to engage with military projects. This change in stance can be attributed to various global factors, including geopolitical tensions and the pressing need for advanced technological solutions in national defense.

    AI in Military Operations

    In terms of AI’s integration into military operations, the potential and risks are substantial. For example, Bernard Montel, EMEA Technical Director at Tenable, expressed caution, noting, “While AI has made astronomical technological advancements in the last 12 to 24 months, allowing an autonomous device to make the final judgment is incomprehensible today. While AI is capable of quickly identifying and automating some actions that need to be taken, it’s imperative that humans are the ones making critical decisions on where and when to act from the intelligence AI provides”. This highlights the critical balance between leveraging AI for efficiency and ensuring human oversight in decision-making, especially in the sensitive context of military applications.

    The Role of AI in Elections

    Moreover, OpenAI CEO Sam Altman emphasized the organization’s commitment to ethical use of AI, particularly in relation to elections, stating, “Elections are a huge deal. I think it’s good that we have a lot of anxiety”. His statement reflects the company’s focus on the responsible and ethical use of AI, particularly in the context of societal impacts like elections.

    Conclusion

    As OpenAI navigates this new territory, it faces the challenge of balancing technological advancements with ethical considerations and safety concerns. The change in policy, significant in its implications for AI’s role in military applications, reopens the debate on AI safety and the ethical boundaries of its use. The evolving landscape of AI and defense collaboration highlights the critical role of ongoing discussions in shaping the future of military technology and the ethical use of AI.

  • Thread-Hijacking: The Escalating Threat of Pikabot Malware

    The emergence of Pikabot malware, employed by the group Water Curupira, represents a significant shift in cyber threat tactics, with its deployment closely linked to sophisticated phishing strategies like email conversation thread hijacking.

    Pikabot and Its Operational Tactics

    Pikabot operates as a loader malware with two components: a loader and a core module. This design enables unauthorized remote access and the execution of arbitrary commands via a command-and-control server. Pikabot has been used in various campaigns to drop backdoors such as Cobalt Strike, which in turn led to ransomware attacks like Black Basta. It primarily infiltrates systems through spam emails containing archives or PDF attachments. These emails employ thread-hijacking techniques, making the attacks highly effective due to the established trust in ongoing email conversations.

    Phishing Campaigns and Thread-Hijacking

    Central to Pikabot’s operation is the use of phishing campaigns built around a technique known as thread-hijacking. Email conversation thread hijacking, also called an email reply chain attack, is an advanced phishing method that leverages existing email conversations to spread malicious content. Attackers gain access to a victim’s email account, monitor ongoing threads, and then insert malicious emails into them, exploiting the trust between the original conversation participants. Because the malicious links or attachments appear to be part of a legitimate ongoing conversation, with its context and established trust, recipients are much more easily tricked into interacting with them. Malware families like Gozi ISFB/Ursnif, Emotet, and Valak have also adopted this technique for their phishing campaigns.

    Pikabot’s Mechanism of Action

    Once a recipient of a Pikabot phish interacts with the email attachment, the malware kicks into action. “The attached archive contains a heavily obfuscated JavaScript (JS) with a file size amounting to more than 100 KB. Once executed by the victim, the script will attempt to execute a series of commands using conditional execution,” as detailed in Trend Micro’s report. This process is essential for Pikabot to establish its foothold in the system. The malware is designed to avoid detection and activation in systems with Russian or Ukrainian language settings, which might suggest geopolitical motivations or affiliations of the threat actor.
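    The delivery pattern described above (a message inside an existing reply chain carrying an archive with a large script) can be triaged at the mail gateway. The following Python is an added example, not Trend Micro’s or any product’s detection logic; the sample message, the addresses, the file names and the 100 KB threshold taken from the report’s description are constructed for illustration.

```python
"""Mail-gateway triage for the reply-chain + script-in-archive pattern.

Added example, not code from the original article or Trend Micro. The
sample message built by build_sample() is constructed; the addresses use the
reserved .invalid TLD so nothing here points at a real mailbox."""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

SCRIPT_SUFFIXES = (".js",)          # the report describes a JavaScript payload
LARGE_SCRIPT_BYTES = 100 * 1024     # "more than 100 KB" per the report
ARCHIVE_TYPES = {"application/zip", "application/x-zip-compressed"}


def triage(raw: bytes) -> list:
    """Return a list of findings for one raw RFC 5322 message (empty = nothing seen).

    Two signals are combined: the message continues an existing thread
    (In-Reply-To / References present) and it carries an archive attachment
    whose contents include a script file. Neither alone is conclusive; together
    they match the thread-hijack delivery described in the article."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    in_thread = bool(msg["In-Reply-To"] or msg["References"])
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        ctype = part.get_content_type()
        if ctype not in ARCHIVE_TYPES and not name.endswith(".zip"):
            continue
        data = part.get_payload(decode=True) or b""
        try:
            # Inspect the archive listing only; nothing is extracted or executed.
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if info.filename.lower().endswith(SCRIPT_SUFFIXES):
                        size_note = "large" if info.file_size > LARGE_SCRIPT_BYTES else "small"
                        findings.append(
                            f"archive {name!r} carries {size_note} script "
                            f"{info.filename!r} ({info.file_size} bytes)"
                        )
        except zipfile.BadZipFile:
            findings.append(f"attachment {name!r} claims to be a zip but is not parseable")
    if in_thread and findings:
        findings.insert(0, "script-in-archive attached to an existing thread: thread-hijack pattern")
    return findings


def build_sample(in_thread: bool = True) -> bytes:
    """Constructed message: a reply carrying a zip with a ~120 KB .js inside.

    The script body is filler text, not malware; only its name and size matter
    to the triage logic above."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Invoice_2024.js", "// placeholder, not malware\n" + "x" * (120 * 1024))
    msg = EmailMessage()
    msg["From"] = "accounts@example.invalid"      # constructed sender
    msg["To"] = "alice@example.invalid"           # constructed recipient
    msg["Subject"] = "RE: RE: invoice"
    if in_thread:
        msg["In-Reply-To"] = "<original-thread@example.invalid>"  # constructed thread id
    msg.set_content("Please see the attached documents from our earlier discussion.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="Documents.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in triage(build_sample()):
        print(finding)
```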

    Impact and Significance

    Pikabot’s emergence and capabilities underscore the evolving and adaptive nature of cyber threats. Its association with the Black Basta ransomware attacks through Cobalt Strike backdoors highlights a growing trend of sophistication in cyber attacks. The malware’s ability to infiltrate systems via phishing, execute arbitrary commands, and establish unauthorized remote access presents a formidable challenge to cybersecurity defenses.

    Defending Against Sophisticated Phishing Attacks

    To combat these sophisticated attacks, a combination of advanced email filtering technologies and heightened user awareness is crucial. Traditional methods like trusting emails from known senders are no longer sufficient. Organizations must emphasize continuous education and awareness programs to help employees recognize and avoid these attacks. Incorporating regular phishing training, social engineering exercises, and robust endpoint detection solutions can significantly reduce the risk posed by such advanced phishing techniques.

  • SMTP Smuggling: The New Technique Threatening Email Security by Exploiting Protocol Discrepancies

    SMTP smuggling, a novel cybersecurity threat, has emerged as a significant concern due to its ability to exploit vulnerabilities in the Simple Mail Transfer Protocol (SMTP). This protocol is widely used by mail servers for the transmission, reception, and relaying of emails. Discovered by Timo Longin from SEC Consult, SMTP smuggling allows malicious actors to bypass established email authentication protocols and send spoofed emails, undermining the integrity and reliability of email communications.

    Technical Overview: SMTP Smuggling

    The vulnerability central to SMTP smuggling lies in the varying interpretations of the end-of-data sequence (“<CR><LF>.<CR><LF>”) among different SMTP servers. This sequence is critical in SMTP communications as it signifies the end of the email message content. SMTP, as a protocol, uses these specific character sequences to delineate different parts of an email. In this context, “<CR><LF>” represents the carriage return and line feed characters, which are standard text delimiters used to mark the end of a line in electronic text.

    In a typical SMTP communication, when an email is sent, the end-of-data sequence signals to the server that the email body has concluded, and what follows should be treated as part of the SMTP protocol communication, rather than the email content. However, due to the inconsistent handling of this sequence across various SMTP implementations, attackers have found a way to exploit these inconsistencies to insert, or “smuggle,” additional SMTP commands into the email content.

    Here’s a breakdown of how the exploitation works:

    1. Differing Interpretations: Some SMTP servers might interpret the end-of-data sequence in a non-standard way. For example, while one server might strictly adhere to the “<CR><LF>.<CR><LF>” sequence to denote the end of the message, another might accept just “<LF>.<LF>” as a valid end-of-data marker.
    2. Manipulating the End-of-Data Sequence: An attacker can craft an email message that includes what appears to be an end-of-data sequence, followed by additional SMTP commands. Due to the inconsistent interpretations, some servers will treat these additional commands as part of the email content, while others will execute them as SMTP commands.
    3. Spoofing and Bypassing Security Checks: By exploiting these discrepancies, attackers can manipulate the SMTP conversation to insert commands that spoof the sender’s email address or perform other malicious activities. This allows them to bypass security mechanisms like SPF, which is designed to validate the origin of email messages.
    4. Resulting in Spoofed Emails: The outcome is that emails can be sent that appear to originate from legitimate sources, but are actually crafted by attackers. These emails can bypass checks that would normally prevent spoofing, making them effective for phishing and other malicious activities.
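    The following Python is an added illustration, not part of the original article or SEC Consult’s research: it models a strict receiver and a lenient receiver parsing the same DATA stream, shows the point at which they disagree, and applies the sender-side canonicalisation (CRLF line endings plus dot-stuffing, as RFC 5321 requires) that makes both cut the stream in the same place. The message text and the two receiver models are constructed for this example.

```python
"""Why two receivers disagree about where DATA ends, and the sender-side
canonicalisation that removes the disagreement.

Added example, not code from the original article, SEC Consult or any MTA.
The constructed SAMPLE_BODY stands in for a message crafted by a sender."""
import re

# RFC 5321 terminator: the only sequence that should end the DATA phase.
STRICT_EOD = b"\r\n.\r\n"

# A lenient receiver that also accepts a lone dot between bare LF or CR line
# endings (the article cites "<LF>.<LF>" as one such variant).
LENIENT_EOD = re.compile(rb"(?:\r\n|\n|\r)\.(?:\r\n|\n|\r)")


def strict_receiver(payload: bytes):
    """Return (message, remainder) for a receiver that honours only CRLF.CRLF.

    message is None when no terminator has been seen yet."""
    idx = payload.find(STRICT_EOD)
    if idx < 0:
        return None, payload
    return payload[:idx], payload[idx + len(STRICT_EOD):]


def lenient_receiver(payload: bytes):
    """Same contract, for a receiver that accepts the non-standard terminators."""
    m = LENIENT_EOD.search(payload)
    if m is None:
        return None, payload
    return payload[:m.start()], payload[m.end():]


def receivers_disagree(payload: bytes) -> bool:
    """Gateway check: True when a strict and a lenient parser would cut the
    DATA stream at different places, i.e. the body carries a bare-LF/CR dot
    line that some downstream server may treat as the end of the message."""
    return strict_receiver(payload) != lenient_receiver(payload)


def canonicalise_body(body: bytes) -> bytes:
    """Sender-side mitigation: convert every line ending to CRLF, then
    dot-stuff lines that begin with '.', so no line inside the body can be
    read as a terminator by either kind of receiver."""
    lines = re.split(rb"\r\n|\n|\r", body)
    stuffed = [b"." + ln if ln.startswith(b".") else ln for ln in lines]
    return b"\r\n".join(stuffed)


def frame_data(body: bytes) -> bytes:
    """Build the full DATA payload a compliant sender transmits."""
    return canonicalise_body(body) + STRICT_EOD


# Constructed body: a lone dot between bare LFs, followed by text that a
# lenient receiver reads as the start of something after the message.
SAMPLE_BODY = b"Subject: status\r\n\r\nFirst message text.\n.\nTEXT-AFTER-BARE-LF-DOT"

if __name__ == "__main__":
    raw = SAMPLE_BODY + STRICT_EOD          # sender did no canonicalisation
    print("disagree (raw):", receivers_disagree(raw))
    print("lenient cut:", lenient_receiver(raw))
    print("disagree (canonicalised):", receivers_disagree(frame_data(SAMPLE_BODY)))
```

    With the raw payload the lenient receiver stops at the bare-LF dot while the strict one reads through to the real terminator; after canonicalisation the lone dot becomes “..” on its own CRLF line and both receivers agree.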

    SMTP smuggling, therefore, represents a significant security concern because it undermines the trust and reliability of email communications. The ability to bypass SPF and other email authentication mechanisms can lead to increased success in phishing attacks, where unsuspecting recipients may trust and act upon emails that appear to come from legitimate sources.

    Affected Products and Services

    This vulnerability predominantly impacts products from several key vendors, including Microsoft, GMX, and Cisco. Notably, Cisco Secure Email Gateway and Cisco Secure Email Cloud Gateway are among the affected products. The vulnerability is also present in open-source mail transfer agents like Postfix (CVE-2023-51764), Sendmail (CVE-2023-51765), and Exim (CVE-2023-51766).

    Recommendations for Mitigation

    To mitigate this risk, it is advised to change the default handling of carriage returns and line feed configurations in affected systems, particularly the Cisco Secure Email Cloud Gateway and Cisco Secure Email Gateway, to “Allow” instead of “Clean”. This simple yet critical adjustment prevents the exploitation of the vulnerability, enhancing the security of email communications.

    In addition to these specific recommendations, organizations using affected SMTP servers should conduct thorough reviews of their email security protocols and configurations. Regular updates and patches provided by vendors should be applied promptly to address any emerging threats.

    Conclusion

    SMTP smuggling represents a significant challenge in the realm of email security, highlighting the ever-evolving nature of cyber threats. The ability of attackers to circumvent traditional security measures such as SPF, DKIM, and DMARC through this technique calls for a heightened level of vigilance and adaptive security measures. Organizations must stay informed about such vulnerabilities and take proactive steps to safeguard their email infrastructure against these sophisticated attack methods.

  • Angel Drainer: The Rise of ‘Scam-as-a-Service’ in Cryptocurrency Phishing

    The year 2023 marked a significant surge in phishing attacks targeting cryptocurrency wallets, highlighting the increasing sophistication of cybercriminal activities in the blockchain space. These attacks, impacting a wide range of networks including Ethereum, Binance Smart Chain, Polygon, Avalanche, and nearly 20 others, have led to substantial financial losses, totaling nearly $295 million stolen from approximately 324,000 victims.

    The Sophistication of Modern Phishing Scams

    The tactics used in these phishing scams have evolved significantly. Scammers have employed various methods to lure victims, including the creation of counterfeit websites that mimic legitimate cryptocurrency platforms. These sites often use malvertising schemes, exploiting the vulnerabilities in ad networks to spread malicious content. Unsolicited emails and social media messages are also common tools for these scams.

    In one notable instance, fake ads for cryptocurrency platforms on Google and X (formerly Twitter) redirected users to these fraudulent sites, leading to the draining of funds from their digital wallets. The scammers induced users to interact with malicious smart contracts under the guise of claiming airdrops, which stealthily increased the attacker’s allowance through functions like ‘approve’ or ‘permit,’ thereby granting them access to the victims’ funds.

    The ‘Scam-as-a-Service’ Model

    Central to this surge of phishing attacks is the emergence of the ‘Scam-as-a-Service’ model, similar to the already prevalent ‘Ransomware-as-a-Service’ model that has been plaguing the community over the past few years. Threat actor groups like Angel Drainer and Inferno Drainer (which recently announced its shutdown) have been instrumental in facilitating these scams. They provide wallet-draining scripts and other services to other cybercriminals, charging a percentage (typically 20-30%) of the stolen amount as their fee.

    Core Features of the ‘Scam-as-a-Service’ Model

    1. Tool Provisioning: At the heart of this model is the provision of tools and scripts that enable other criminals to carry out cryptocurrency wallet phishing. These tools are sophisticated and tailored to exploit vulnerabilities in various blockchain networks and digital wallet systems. They include wallet-draining scripts that can siphon funds from unsuspecting victims’ wallets.
    2. Business-Like Operations: The entities behind these services operate in a manner reminiscent of legitimate businesses. They have service offerings, pricing models (often a percentage of the stolen funds), customer support, and even marketing strategies. This business-like approach enhances their appeal and accessibility to a broader range of criminals, not just those with advanced technical skills.
    3. Revenue Model: Revenue is generated by taking a cut from the stolen funds. Groups like Angel Drainer and Inferno Drainer are known to charge around 20% to 30% of the stolen cryptocurrency. This model incentivizes the continual improvement of their tools to ensure higher success rates in theft, thus maximizing their earnings.
    4. Anonymity and Security: These services operate with a high degree of anonymity. Communication is often conducted over encrypted channels, and transactions are made using cryptocurrencies, which can be further obscured through techniques like mixing or laundering. This makes it difficult for law enforcement to track and identify the individuals behind these services.
    5. Adaptation and Evolution: The ‘Scam-as-a-Service’ model is highly adaptable, with service providers constantly evolving their tools and techniques to bypass emerging security measures and exploit new vulnerabilities. This continual adaptation means that the threat they pose is always changing, requiring constant vigilance from cybersecurity professionals.
    6. Collaboration and Community: These services foster a sense of community among cybercriminals. There is often collaboration and sharing of best practices within this community, further enhancing the effectiveness of their scams. This collaborative aspect also means that when one service shuts down, as seen with Inferno Drainer, others quickly emerge to fill the void, perpetuating the cycle of cybercrime.

    In response to these threats, the crypto community and cybersecurity experts have been advocating for enhanced security measures. They recommend the use of hardware wallets, which are considered more secure than software wallets, as they store the user’s private keys in a physical device, making it harder for hackers to access them remotely.

    Furthermore, verifying the legitimacy of smart contracts and regularly reviewing wallet allowances for any signs of suspicious activity are crucial steps in mitigating the risks posed by these scams. Platforms like Scam Sniffer have emerged, specializing in the detection and analysis of such scams, and providing crucial information for users to protect themselves.
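    The allowance grab via ‘approve’ or ‘permit’ described earlier, and the allowance review recommended here, can both be supported by decoding what a transaction actually asks for before it is signed. The following Python is an added example, not code from Scam Sniffer or any wallet; the spender address, the calldata and the “very large” threshold are constructed assumptions for illustration.

```python
"""Pre-signing check for an ERC-20 approve() / EIP-2612 permit() that hands a
spender an unlimited allowance (the wallet-drainer pattern).

Added example, not code from the original article or any wallet. The spender
address and calldata built in the demo are constructed."""

# 4-byte selectors: first four bytes of keccak256 of the canonical signature.
APPROVE_SELECTOR = "095ea7b3"   # approve(address,uint256)
PERMIT_SELECTOR = "d505accf"    # permit(address,address,uint256,uint256,uint8,bytes32,bytes32)
MAX_UINT256 = 2**256 - 1
# Assumed threshold for "effectively unlimited" on an 18-decimal token:
# one billion whole tokens. Tune per token; it is not a standard value.
VERY_LARGE = 10**9 * 10**18


def _word(data_hex: str, i: int) -> int:
    """Return the i-th 32-byte ABI word after the selector as an int."""
    start = 8 + 64 * i
    chunk = data_hex[start:start + 64]
    if len(chunk) != 64:
        raise ValueError("truncated calldata")
    return int(chunk, 16)


def _addr(word: int) -> str:
    """Take the low 20 bytes of an ABI word as a 0x-prefixed lowercase address."""
    return "0x" + format(word, "064x")[-40:]


def analyse_calldata(data_hex: str, trusted_spenders=frozenset()) -> dict:
    """Decode approve/permit calldata and classify the allowance it grants."""
    data_hex = data_hex.lower()
    if data_hex.startswith("0x"):
        data_hex = data_hex[2:]
    selector = data_hex[:8]
    if selector == APPROVE_SELECTOR:
        # approve(spender, amount)
        fn, spender, amount = "approve", _addr(_word(data_hex, 0)), _word(data_hex, 1)
    elif selector == PERMIT_SELECTOR:
        # permit(owner, spender, value, deadline, v, r, s): spender is word 1
        fn, spender, amount = "permit", _addr(_word(data_hex, 1)), _word(data_hex, 2)
    else:
        return {"function": None, "spender": None, "amount": None,
                "risk": "not an allowance call"}
    if spender in trusted_spenders:
        risk = "trusted spender"
    elif amount == MAX_UINT256:
        risk = "UNLIMITED allowance to unknown spender"
    elif amount >= VERY_LARGE:
        risk = "very large allowance to unknown spender"
    else:
        risk = "bounded allowance to unknown spender"
    return {"function": fn, "spender": spender, "amount": amount, "risk": risk}


def encode_approve(spender: str, amount: int) -> str:
    """Build constructed approve() calldata for the demo (ABI-encodes two words)."""
    addr = spender.lower()
    if addr.startswith("0x"):
        addr = addr[2:]
    return "0x" + APPROVE_SELECTOR + addr.rjust(64, "0") + format(amount, "064x")


if __name__ == "__main__":
    demo_spender = "0x" + "ab" * 20                      # constructed address
    for amt in (MAX_UINT256, 5 * 10**18):
        print(analyse_calldata(encode_approve(demo_spender, amt))["risk"])
```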

    The Implications for Cybersecurity

    The emergence of the ‘Scam-as-a-Service’ model signifies a significant shift in the cybercrime landscape. It highlights not only the increasing sophistication of cybercriminals but also their ability to organize and operate in a manner akin to legitimate businesses. This presents new challenges for cybersecurity, necessitating innovative and proactive approaches to detection, prevention, and enforcement. As this model continues to evolve and adapt, it becomes increasingly important for individuals and organizations to remain vigilant, employing advanced security measures and staying informed about the latest trends in cybercrime.

  • Netizen: December 2023 Vulnerability Review

    Security vulnerabilities are a routine part of managing any business’s security. Prompt patching and remediation of newly disclosed vulnerabilities is critical to reducing the external attack surface. Netizen’s Security Operations Center (SOC) has compiled five vulnerabilities from December that should be patched or addressed immediately if present in your environment. Detailed writeups are below:

    CVE-2023-36019:

    This vulnerability affects the Microsoft Power Platform Connector and is considered critical due to its spoofing nature, with a CVSS score of 9.6/10. It requires user interaction, as exploitation depends on the victim clicking a specially crafted URL. The vulnerability lies in the web server, but the malicious scripts are executed in the victim’s browser. Microsoft has addressed this issue by updating OAuth 2.0 connectors to use a per-connector redirect URI, thereby reducing the risk of spoofing attacks. Users are strongly advised to apply these security improvements to mitigate this threat. Technical specifics about the attack vector and complexity, beyond the requirement for user interaction, are not extensively covered in the available public resources. For more information, see the NIST documentation.

    CVE-2023-7024:

    CVE-2023-7024 is a high-severity vulnerability identified in Google Chrome’s WebRTC framework, characterized as a heap-based buffer overflow bug. Although the exact CVSS score is not specified, its critical nature is underscored by the fact that it has been exploited in the wild. The flaw was discovered by Google’s Threat Analysis Group and could lead to arbitrary code execution or crashes in the Chrome browser. Due to the severity of this issue, Google has promptly rolled out security updates. Given WebRTC’s open-source nature and support by other browsers like Mozilla Firefox and Apple Safari, the broader impact of this flaw beyond Chrome and Chromium-based browsers remains a concern. Users are advised to update to the latest versions of Chrome (version 120.0.6099.129/130 for Windows and 120.0.6099.129 for macOS and Linux) to protect against potential exploits. The specific attack complexity and user interaction requirements are not fully detailed, but the urgency of the update suggests a significant risk. For more information, check out the NVD’s vulnerability documentation.

    CVE-2023-50164:

    Apache Struts, a popular open-source framework for building Java web applications, has a critical vulnerability identified as CVE-2023-50164, with a high CVSS score of 9.8/10. This vulnerability affects versions 2.5.0 to 2.5.32 and 6.0.0 to 6.3.0 of Apache Struts. It allows attackers to manipulate file upload parameters to achieve path traversal, leading to potential remote code execution. Given its widespread use in commercial and open-source projects, this vulnerability poses a significant risk. Apache has responded by releasing patches for affected versions, and it is highly recommended that users update their Apache Struts installations to the secure versions. Detailed information about the attack complexity and user interaction requirements is not provided, but the high CVSS score suggests a severe impact. Check out the NIST documentation for more information.

    CVE-2023-51385:

    The SSH ProxyCommand feature is compromised by CVE-2023-51385, a critical vulnerability with a CVSS score of 9.8/10. This flaw enables attackers to perform shell injection on servers using SSH ProxyCommand, which is used for proxying SSH connections. The vulnerability arises due to the handling of invalid usernames or hostnames containing shell metacharacters when passed to SSH. Attackers could exploit this in scenarios like untrusted Git repositories containing submodules with shell metacharacters in a username or hostname. Patches have been issued by various vendors, including LibSSH, OpenSSH, and Debian. Users of affected SSH implementations are advised to update their systems with these patches. The exact attack complexity and user interaction requirements are not explicitly detailed in the available advisories. For more information on this vulnerability, check out the NIST documentation.

    CVE-2023-49070:

    Apache OFBiz, a widely used open-source enterprise resource planning system, faced a critical authentication bypass vulnerability identified as CVE-2023-49070. This vulnerability allows unauthorized users to bypass authentication mechanisms under certain conditions, posing a significant security risk. The vulnerability was discovered in OFBiz’s XML-RPC service, where specific request parameters could be manipulated to bypass authentication checks. This flaw was particularly concerning due to its potential impact on the confidentiality and integrity of data managed by OFBiz applications. The vulnerability was addressed swiftly by the Apache OFBiz team with a patch that effectively resolved the issue. The patch involved code changes that corrected the flawed authentication logic, ensuring that the system no longer allowed unauthorized access under the conditions exploited by the vulnerability. This vulnerability has been documented as severe, with the National Institute of Standards and Technology (NIST) assigning a high CVSS 3.x base score of 9.8, indicating its critical nature. Users and administrators of Apache OFBiz systems are strongly advised to apply the patch as soon as possible to protect against potential exploits. More information can be found in the NVD vulnerability summary here.

    Conclusion:

    In conclusion, software vulnerabilities are a common nuisance to IT and security teams everywhere. Organizations that prioritize the remediation and patching of these vulnerabilities will drastically reduce their attack surface and ensure no doors into their environment are left unlocked.

  • Overview:

    • Phish Tale of the Week
    • The Cyberattack on Ukraine’s Largest Mobile Network: Kyivstar
    • Teen Members of LAPSUS$ Gang Sentenced in UK for Hacking Spree
    • How can Netizen help?

    Phish Tale of the Week

    Oftentimes phishing campaigns, created by malicious actors, target users by utilizing social engineering. For example, in this message, the actors pose as LinkedIn, the social media platform, and inform you that action needs to be taken regarding your account. The message politely explains that someone else may have accessed our LinkedIn account, and that they’re notifying us so that we can take action. It seems both urgent and genuine, so why shouldn’t we visit the link they sent us? Luckily, there are plenty of reasons that point to this being a scam.

    Here’s how we can tell not to click on this phishing link:

    1. The first red flag in this message is the sender’s address. Always thoroughly inspect the sender’s address to ensure it’s from a trusted sender. In this case, the actors neglected to spoof their email address, and a simple look at the sender’s address makes it very apparent that the email is not from LinkedIn. In the future, review the sender’s address thoroughly to see if the email could be coming from a threat actor.
    2. The second warning sign in this email is the messaging. This message tries to create a sense of urgency by using phrases like “require you to verify” and “To prevent us from blocking.” Phishing scams commonly attempt to create a sense of urgency in their emails in order to get you to click their link without thinking about it first. Always be sure to thoroughly inspect the messaging of all emails in your inbox before clicking on a link in your email.
    3. The final warning sign is the lack of legitimate LinkedIn information. Fortune 500 companies and similar organizations standardize their customer communications: support links, postal addresses, acceptable use policies and other details appear at the bottom of every email, along with options to unsubscribe or change messaging preferences. While this email includes a small footer, a quick investigation shows it is just for show. The email lacks every element of a credible LinkedIn message and can be identified as a phishing attempt.


    General Recommendations:

    A phishing attack will typically direct the user to click on a link where they are then prompted to update personal information, such as a password, credit card, Social Security, or bank account details. A legitimate company already has this sensitive information and would not ask for it again, especially via text message or email.

    1. Scrutinize your messages before clicking anything. Have you ordered anything recently? Does this order number match one you already have? Did the message come from a store you don’t usually order from or a service you don’t use? If so, it’s probably a phishing attempt.
    2. Verify that the sender is actually from the company that appears to be sending the message.
    3. Did you receive a message from someone you don’t recognize? Are they asking you to sign into a website to provide Personally Identifiable Information (PII) such as credit card numbers or your Social Security number? A legitimate company will never ask for PII via instant message or email.
    4. Do not give out personal or company information over the internet.
    5. Do not click on unrecognized links or attachments. If you do proceed, verify that the URL is the company’s or service’s actual domain, not a lookalike. HTTPS is necessary but not sufficient: phishing sites routinely obtain valid certificates, so the padlock proves only that the connection is encrypted, not that the site is who it claims to be.

    Many phishing messages convey a sense of urgency, or even aggression, to intimidate the recipient. Any email requesting immediate action should be vetted thoroughly to determine whether or not it is a scam. Also beware of messages that try to tempt you into opening an attachment or visiting a link. For example, an attachment titled “Fix your account now” may raise the question “What is wrong with my account?” and prompt you to open it without thinking.
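    The three red flags from the Phish Tale above, together with the URL check in the general recommendations, can be turned into a small triage script. The following is an added example written for this page; it is not code from the newsletter or from LinkedIn. The brand allow-list, the urgency phrase list, and both sample messages are constructed for illustration (the `.example` domains are reserved names, and the phishing sample is not the actual lure described in the article).

```python
"""Heuristic phishing triage for one email: sender domain, urgency wording,
and link destinations. Added example; the allow-list and samples below are
constructed assumptions, not real LinkedIn infrastructure or real lures."""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed allow-list for this example: the domains a brand legitimately
# mails from and links to. A real deployment maintains this per brand.
BRAND_DOMAINS = {"linkedin": {"linkedin.com"}}

# Pressure phrases of the kind quoted in the article; extend as needed.
URGENCY_PHRASES = (
    "require you to verify",
    "to prevent us from blocking",
    "your account is on hold",
    "update your account now",
    "within 24 hours",
)

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def registrable_domain(host: str) -> str:
    """Last two DNS labels ('www.linkedin.com' -> 'linkedin.com').

    Deliberately crude: a lookalike such as 'linkedin.com.evil.example'
    collapses to 'evil.example', which is exactly what we want exposed.
    Production code should use the Public Suffix List instead.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def analyze(raw_message: str, brand: str) -> dict:
    """Apply the article's three red flags to one RFC 5322 message."""
    msg = message_from_string(raw_message, policy=policy.default)
    allowed = {registrable_domain(d) for d in BRAND_DOMAINS[brand]}
    report = {"sender": [], "urgency": [], "links": []}

    # Red flag 1: the display name claims the brand but the address does not.
    display_name, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2]
    if brand in display_name.lower() and registrable_domain(from_domain) not in allowed:
        report["sender"].append(from_domain)

    # Red flag 2: urgency language in the subject or the plain-text body.
    body = msg.get_body(preferencelist=("plain",))
    text = (msg.get("Subject", "") + "\n" + (body.get_content() if body else "")).lower()
    report["urgency"] = [p for p in URGENCY_PHRASES if p in text]

    # Red flag 3: every link must land on the brand's own domain. The scheme
    # is ignored on purpose: an https:// padlock says nothing about who owns
    # the site, and phishing kits serve valid TLS certificates routinely.
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname or ""
        if registrable_domain(host) not in allowed:
            report["links"].append(host)

    report["suspicious"] = any(report[k] for k in ("sender", "urgency", "links"))
    return report


# Constructed sample: a lure in the style described in the article.
SAMPLE_PHISH = """\
From: "LinkedIn Security" <security-alert@linkedin-security-alert.example>
To: user@example.com
Subject: Unusual sign-in activity on your account
Content-Type: text/plain; charset="utf-8"

We detected a sign-in from a device you do not normally use. Our policies
require you to verify your identity. To prevent us from blocking your
account, confirm your details at
https://linkedin.com.verify-account-center.example/login

LinkedIn Corporation
"""

# Constructed sample: a benign notification that should pass all three checks.
SAMPLE_LEGIT = """\
From: "LinkedIn" <messages-noreply@linkedin.com>
To: user@example.com
Subject: You have a new connection request
Content-Type: text/plain; charset="utf-8"

Jane Doe wants to connect with you.
View the request: https://www.linkedin.com/mynetwork/

Unsubscribe: https://www.linkedin.com/psettings/
"""

if __name__ == "__main__":
    for name, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(name, analyze(sample, "linkedin"))
```

    Running it flags the constructed lure on all three counts (a non-LinkedIn sender domain, two urgency phrases, and a link whose registrable domain is `verify-account-center.example` despite the `linkedin.com.` prefix and the `https://` scheme) and reports nothing for the benign message. The per-category lists are kept separate rather than collapsed into a score so an analyst can see which of the article's red flags fired.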

    Cybersecurity Brief

    In this month’s Cybersecurity Brief:

    The Cyberattack on Ukraine’s Largest Mobile Network: Kyivstar

    The December 2023 cyberattack on Kyivstar, Ukraine’s largest mobile network operator, serving more than 24 million subscribers, marked a pivotal moment in the digital side of the ongoing Russia-Ukraine conflict. The event is more than the disruption of a commercial entity; it shows how vulnerable critical digital infrastructure is in areas of geopolitical tension. Kyivstar’s network, a communication lifeline for millions, suffered a complete outage of voice and data services nationwide, demonstrating the reach and impact of modern cyber warfare.

    This attack was not an isolated event but part of a broader campaign of digital warfare in the conflict. The scale of the outage underscores how heavily contemporary society relies on mobile communication. Two Russian-aligned groups, Killnet and Solntsepek, claimed responsibility; Solntsepek is widely assessed to be a front for the GRU’s Sandworm unit, and Ukraine’s security service attributed the intrusion to Sandworm. That link points to a sophisticated, state-level operation rather than opportunistic hacktivism, and to a calculated effort to degrade Ukraine’s communications. Sandworm’s record of destructive attacks, including on Ukraine’s power grid, makes the connection especially concerning.

    The consequences of the Kyivstar cyberattack are wide-ranging. For the Ukrainian military, which heavily depends on mobile networks for coordinating operations and intelligence, the disruption posed a severe threat to their defense capabilities. For civilians, the loss of mobile communication networks meant challenges in emergency response, information sharing, and maintaining general connectivity, adding to the hardships already faced during the conflict.

    In response, Kyivstar, under CEO Oleksandr Komarov, worked to restore its services and strengthen its cyber defenses. The incident has triggered national and international conversations on the necessity of securing critical digital infrastructure, especially in regions facing conflict.

    The Kyivstar cyberattack is emblematic of a significant shift in modern warfare, where digital attacks complement traditional military strategies. It underscores the imperative for nations and companies to invest in robust cybersecurity measures. As digital infrastructure becomes increasingly central to civilian life and military operations, ensuring its security is crucial for national security. This incident serves as a reminder of the evolving nature of conflict in the digital era and the need for heightened vigilance and preparedness in cybersecurity.


    Teen Members of LAPSUS$ Gang Sentenced in UK for Hacking Spree

    On December 21, 2023, two British teenagers associated with the LAPSUS$ cybercrime and extortion gang were sentenced at Southwark Crown Court for their involvement in a series of high-profile attacks on various companies. The first, Arion Kurtaj, an 18-year-old from Oxford, received an indefinite hospital order; he had been found unfit to stand trial, so the jury determined only whether he had committed the acts. The judge noted that Kurtaj remained fixated on hacking and was likely to reoffend.

    The second member, a 17-year-old whose identity remains undisclosed due to legal protections for minors, was handed an 18-month Youth Rehabilitation Order. This includes a three-month intensive supervision and surveillance requirement. He was found guilty on multiple counts, including two counts of fraud, two under the Computer Misuse Act, and one of blackmail.

    The two were initially arrested in January 2022 and re-arrested in March 2022. Notably, Kurtaj continued to hack even after being granted bail, leading to another arrest in September 2022.

    Their criminal activities spanned from August 2020 to September 2022, targeting notable organizations such as BT, EE, Globant, LG, Microsoft, NVIDIA, Okta, Revolut, Rockstar Games, Samsung, Ubisoft, Uber, and Vodafone. LAPSUS$, the group they were part of, includes members from the UK and Brazil, with a third member arrested in Brazil in October 2022.

    The LAPSUS$ group is known for SIM-swapping attacks, social engineering of employees and help desks, and exploiting weaknesses in victim networks rather than novel exploits. It also publicized its operations and extorted victims through a Telegram channel. The Cyber Safety Review Board of the U.S. Department of Homeland Security examined the group’s tactics in an August 2023 report, noting the ease with which it bypassed corporate defenses, in particular SMS-based multi-factor authentication, and raising concerns about the effectiveness of existing cybersecurity measures against such threats.

    These cases underline the growing concern over cybercrime committed by young individuals and the challenges in dealing with juvenile offenders in this sphere. The City of London Police emphasized the dangers of the online environment for young people and the serious consequences that can result from such criminal activities.



    Netizen ensures that security gets built in, not bolted on. We provide advanced solutions to protect critical IT infrastructure, such as our popular “CISO-as-a-Service,” through which companies can leverage the expertise of executive-level cybersecurity professionals without bearing the cost of employing them full time.

    We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type. 

    Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.
