Securing Oracle Cloud Infrastructure (OCI)

Introduction

OCI is Oracle Corporation's public cloud platform. It offers compute, storage, networking, database and identity services on which you can build almost any workload.

Getting access to your own OCI tenancy is simple and free. You can register for a free trial at https://cloud.oracle.com. You will be prompted for a valid credit card, but it will not be charged when the trial ends unless you explicitly upgrade to a paid account.

Every environment has both pros and cons, and that applies to the cloud as well. Failing to secure a cloud environment exposes it to external threats, loss of data and compromise of the infrastructure itself.

Oracle Cloud Infrastructure (OCI) Security helps organizations reduce the risk of security threats to cloud workloads. Oracle enables customers to adopt and secure their cloud infrastructure, data and applications quickly, using simple, prescriptive and integrated security capabilities built into the OCI platform.

Security Best Practices

Cloud Guard

Cloud Guard detects misconfigured resources and insecure activity within a tenancy and gives security administrators the visibility to resolve these issues. Upon detection, Cloud Guard can suggest, assist with, or take corrective action to mitigate them. Cloud Guard should be enabled in the root compartment of your tenancy with the default configuration, activity detectors and responders.

Security Zones build on Cloud Guard: a compartment assigned to a security zone is governed by a recipe of policies, and any create or update operation that would violate one of them is denied rather than merely reported. The security zone policies are grouped as follows.

Restrict Resource Movement:

This policy prevents any user from moving a resource (block volume, compute instance, database, networking, Object Storage, etc.) from a security zone compartment to a standard (non-security-zone) compartment. A resource in a standard compartment also cannot be moved into a security zone unless it satisfies all of the zone's policies.

Restrict Resource Association:

This policy ensures that every component you combine to build infrastructure in a security zone (block volumes, compute instances, Object Storage buckets, databases, VCNs and subnets, etc.) is itself selected from within the security zone. For example, a compute instance in a security zone cannot attach a block volume or subnet that lives in a standard compartment.

Deny Public Access:

This policy keeps all resources private by denying internet gateways, public Object Storage buckets and similar forms of public exposure. Restricting public access removes the most common way a misconfiguration turns into an internet-reachable asset.

Require Encryption:

By default, Oracle encrypts all data at rest with Oracle-managed keys. This policy requires customer-managed keys held in the OCI Vault service for block volumes and Object Storage buckets, so that key rotation and revocation stay under your control.

Ensure Data Durability:

This policy denies the creation of database resources that do not have automatic backups configured.

Ensure Data Security:

This policy focuses on databases: it ensures that a database cannot be created in a standard compartment from a clone or backup of a database that lives in the security zone.

Oracle Approved Images:

This policy ensures that all compute and database resources created in the security zone are sourced from Oracle-approved platform images.

Network Sources

A network source is a named set of IP addresses: public IP addresses or CIDR ranges, or addresses from VCNs within your tenancy. After you create a network source, an IAM policy statement can reference it in a where clause (request.networkSource.name) so that the grant applies only to requests originating from those addresses. A network source narrows where a grant can be exercised from; it does not replace authentication, and a request from outside the source is simply not matched by that statement.

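A worked illustration of the point above, added here as an example and not Oracle's code: a small evaluator that applies the request.networkSource.name condition to a simplified subset of OCI policy syntax (exact resource names or all-resources, no compartment hierarchy). The network source 'corp-office', the group names, the CIDRs and the VCN OCID are constructed for the example; the real policy engine handles far more than this model.

```python
"""Model of how an OCI IAM network source gates a policy statement.

Added example, not Oracle's policy engine: it applies the documented
condition variable request.networkSource.name to a simplified subset of
policy syntax (exact resource names or all-resources, no compartment
hierarchy). The network source, groups, CIDRs and VCN OCID below are
constructed for the example.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Optional

VERBS = ["inspect", "read", "use", "manage"]   # each verb implies the ones before it

STATEMENT_RE = re.compile(
    r"^allow group (?P<group>\S+) to (?P<verb>inspect|read|use|manage) "
    r"(?P<resource>\S+) in (?P<scope>tenancy|compartment \S+)"
    r"(?: where request\.networksource\.name\s*=\s*'(?P<ns>[^']+)')?\s*$",
    re.IGNORECASE,
)


@dataclass
class NetworkSource:
    """A named set of allowed origins: public CIDRs plus per-VCN private CIDRs."""
    name: str
    public_cidrs: list
    vcn_cidrs: dict = field(default_factory=dict)   # VCN OCID -> [CIDR, ...]

    def contains(self, ip: str, vcn_ocid: Optional[str] = None) -> bool:
        addr = ipaddress.ip_address(ip)
        nets = list(self.public_cidrs) + list(self.vcn_cidrs.get(vcn_ocid, []))
        return any(addr in ipaddress.ip_network(n) for n in nets)


@dataclass
class Statement:
    group: str
    verb: str
    resource: str
    scope: str
    network_source: Optional[str]


def parse_statement(text: str) -> Statement:
    m = STATEMENT_RE.match(text.strip())
    if not m:
        raise ValueError(f"unsupported statement: {text!r}")
    return Statement(m["group"], m["verb"].lower(), m["resource"].lower(),
                     m["scope"].lower(), m["ns"])


def is_allowed(statements, sources, group, verb, resource, ip, vcn_ocid=None) -> bool:
    """Default-deny evaluation: the request succeeds only if some statement matches."""
    for st in statements:
        if st.group.lower() != group.lower():
            continue
        if VERBS.index(st.verb) < VERBS.index(verb):
            continue
        if st.resource not in (resource.lower(), "all-resources"):
            continue
        if st.network_source is not None:
            ns = sources.get(st.network_source)
            # Unknown source or an origin outside it: this statement simply does
            # not match, and nothing else grants the request.
            if ns is None or not ns.contains(ip, vcn_ocid):
                continue
        return True
    return False


# Constructed sample: one network source, one restricted grant, one unrestricted grant.
SOURCES = {
    "corp-office": NetworkSource(
        "corp-office",
        public_cidrs=["203.0.113.0/24"],
        vcn_cidrs={"ocid1.vcn.oc1.phx.example": ["10.0.0.0/16"]},   # hypothetical OCID
    ),
}
POLICY = [parse_statement(s) for s in (
    "Allow group StorageAdmins to manage object-family in tenancy "
    "where request.networkSource.name = 'corp-office'",
    "Allow group Auditors to read all-resources in tenancy",
)]

if __name__ == "__main__":
    for ip, vcn in (("203.0.113.7", None), ("198.51.100.9", None),
                    ("10.0.4.2", "ocid1.vcn.oc1.phx.example"), ("10.0.4.2", None)):
        ok = is_allowed(POLICY, SOURCES, "StorageAdmins", "manage", "object-family", ip, vcn)
        print(f"StorageAdmins manage object-family from {ip} (vcn={vcn}): "
              f"{'allowed' if ok else 'denied'}")
```

The two 10.0.4.2 cases show the detail that matters in practice: a private address only counts as part of the network source when it arrives from the VCN named in the source, so the same IP from an unrelated network is denied.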
OCI Security Audit

The Oracle Cloud Infrastructure Vulnerability Scanning Service regularly scans compute instances and container images for potential vulnerabilities to help strengthen the security posture.

There are several ways to conduct security assessments, including using tools and manually reviewing services in accordance with security requirements.

To manage their environment's security posture, cloud providers offer built-in capabilities. Where the functionality of these tools is limited, third-party solutions fill the gap. A few third-party tools for scanning and securing OCI are listed below.

CloudSploit Scans (https://github.com/cloudsploit/scans)

CloudSploit Scans is an open-source project designed to detect security risks in cloud infrastructure accounts. Its scripts return a list of potential misconfigurations and security risks.

It’s a great tool that supports AWS, Azure, GCP, and even the Oracle cloud assessments.

ScoutSuite – formerly Scout2 (https://github.com/nccgroup/ScoutSuite)

Scout Suite is an open-source multi-cloud security-auditing tool, which enables security posture assessment of cloud environments. Using the APIs exposed by cloud providers, Scout Suite gathers configuration data for manual inspection and highlights risk areas. Rather than going through dozens of pages on the web consoles, Scout Suite presents a clear view of the attack surface automatically.

It supports AWS, Azure, GCP, Oracle, and even Alibaba clouds!

Resources for manual assessment

https://hub.steampipe.io/mods/turbot/oci_compliance/controls/benchmark.cis_v110

https://www.cisecurity.org/benchmark/oracle_cloud

https://docs.oracle.com/en/solutions/oci-security-checklist/security-controls.html

References

https://akanuri.medium.com/oci-operations-d8ba3fe79be9

https://docs.oracle.com/en-us/iaas/Content/Security/Concepts/security_features.htm

RansomExx Upgrades to Rust

IBM Security X-Force Threat Researchers have discovered a new variant of the RansomExx ransomware that has been rewritten in the Rust programming language, joining a growing trend of ransomware developers switching to the language.

Malware written in Rust often benefits from lower AV detection rates (compared to those written in more common languages) and this may have been the primary reason to use the language. For example, the sample analyzed in this report was not detected as malicious in the VirusTotal platform for at least 2 weeks after its initial submission. As of the time of writing, the new sample is still only detected by 14 out of the 60+ AV providers represented in the platform.

RansomExx is operated by the DefrayX threat actor group (Hive0091), which is also known for the PyXie malware, Vatet loader, and Defray ransomware strains. The newly discovered ransomware version is named RansomExx2 according to strings found within the ransomware and is designed to run on the Linux operating system. The group has historically released both Linux and Windows versions of their ransomware, so it is likely that a Windows version is also in the works.

RansomExx2 has been completely rewritten using Rust, but otherwise, its functionality is similar to its C++ predecessor. It requires a list of target directories to encrypt to be passed as command line parameters and then encrypts files using AES-256, with RSA used to protect the encryption keys.

The Rust programming language has been steadily increasing in popularity among malware developers over the course of the past year, thanks to its cross-platform support and low AV detection rates. Like the Go programming language, which has experienced a similar surge in usage by threat actors over the past few years, Rust’s compilation process also results in more complex binaries that can be more time-consuming to analyse for reverse engineers.

Several ransomware developers have released Rust versions of their malware including BlackCat, Hive, and Zeon, with RansomExx2 being the most recent addition. X-Force has also analysed an ITG23 crypter written in Rust, along with the CargoBay family of backdoors and downloaders.

Analysis

The newly identified RansomExx2 sample has MD5 hash 377C6292E0852AFEB4BD22CA78000685 and is a Linux executable written in the Rust programming language.

Notable source code path strings within the binary indicate that the ransomware is a variant of RansomExx and likely named RansomExx2.

/mnt/z/coding/aproject/ransomexx2/ransomexx/src/parallel_iter.rs

ransomexx/src/ciphers/aes256_impl.rs

ransomexx/src/footer.rs

ransomexx/src/logic.rs

ransomexx/src/ransom_data.rs

The website operated by the ransomware group has also been updated with the page title now listed as ‘ransomexx2’.

Figure 1: A screenshot of the ransomware group's website showing the page title configured as 'ransomexx2'.

Overall, the functionality of this ransomware variant is very similar to previous RansomExx Linux variants.

The ransomware expects to receive a list of directory paths to encrypt as input. If no arguments are passed to it, then it does not encrypt anything. The following command line format is required by the ransomware in order to execute correctly.

<ransomexx2_sample> --do <target_path_to_encrypt> [<additional_paths_to_encrypt> (optional)]

Upon execution, the ransomware iterates through the specified directories, enumerating and encrypting files. All files greater than or equal to 40 bytes are encrypted, with the exception of the ransom notes and any previously encrypted files.

Each encrypted file is given a new file extension. It is common for RansomExx ransomware file extensions to be based on a variation of the target company name, sometimes followed by the numbers such as ‘911’ or random characters.

A ransom note is dropped in each directory where file encryption occurs. The ransom note is named:

!_WHY_FILES_ARE_ENCRYPTED_!.txt

The contents of this note are as follows:

Hello!

First of all it is just a business and the only thing we are interested in is money.

All your data was encrypted.

Please don’t try to modify or rename any of encrypted files, because it can result in serious data loss and decryption failure.

Here is your personal link with full information regarding this accident (use Tor browser):

http://rnsm777cdsjrsdlbs4v5qoeppu3px6sb2igmh53jzrx7ipcrbjz5b2ad.onion/<victim_id>/

Files are encrypted using AES-256 and a randomly generated key. The AES key is itself encrypted using RSA and a hardcoded public key, and appended to the end of the encrypted file. As a result of this encryption method, the corresponding RSA private key, held by the attacker, would be required to decrypt the files.

The following RSA public key was used in the analysed sample:

-----BEGIN PUBLIC KEY-----
MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAnU8bw0DQKJjkX1QWFUM8
o52NWkUNz4zvrGRJEwhGpJZ99ho0A/BqG5kK7X9pq3GOICD3+6g928JBo6d/3cNM
Ql5lS0LaZN3bxgiNPCWFEnYjLAagRMmi8unfZmGLjc3DDKT62Q0hrI86s1zB3ZhX
6biNhXmwMaKEenpuqRBzGDqmIP9Uc9jK75SqF9T7nK1L9j+nKhYqWpeRDjDuvYPY
XHdstU0TN/OmKvPosiQaIrcIs2MNQXP7rLtMbr9knJucwLymCkF+IpMky/NTKt3u
DR+OJZZMSbmWCBATmz7P9E9Vp8jwrLzhMzEgs0G8yeseMQ2ZpZEm+MKabqkro74M
xldocxoK2AL51ZE8c5TLYGOYbG2PAsdk/rlyRDk1diI07mCw/R4RlPcJRFDJO1eF
b1A8yp6pQjD7rg+Y38b0Z8AZzmf3aKj2B8sHOtKoNR8hKJQRtWhqKAgpQtsJY81/
2SaMLdU7yOqY34QWrGwiRei1WoJKzeyMvJjzmbTbYQYePxlbWeoV/fJ0P0IboYPH
iZ+WzXGG5Cxf7+zfZiCrbZuMqgCZdqc6ntQRcZqvw66a2Pxx4dO8AmGmxIJNzDnK
lA6CHTwDeH7BgzYDD3IJxA7ofAAzqpw8H2eyRxsqLKTI2SAnmFqk85xpxWptmhOS
BshihPaOu5a2ZXaPDeg6Lw8CAwEAAQ==
-----END PUBLIC KEY-----

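Parsing the key above tells an analyst two useful things before any decryption is attempted: the modulus size, which fixes the length of the RSA-wrapped AES key appended to each encrypted file, and a fingerprint with which to compare this sample against others. The parser below is an added example, not X-Force's tooling; it decodes the SubjectPublicKeyInfo structure by hand with the standard library only, so it runs without third-party crypto packages.

```python
"""Identify the RSA key that wraps RansomExx2's per-file AES keys.

Added example, not X-Force tooling: a stdlib-only parser for the PEM
SubjectPublicKeyInfo printed in the report. It reports the modulus size
(which fixes the length of the RSA-wrapped AES key appended to each encrypted
file) and a SHA-256 fingerprint of the DER encoding for correlating samples.
"""
import base64
import hashlib

RSA_OID = bytes.fromhex("2a864886f70d010101")   # 1.2.840.113549.1.1.1, rsaEncryption

# Public key from the analysed sample, as printed in the report above.
RANSOMEXX2_PUBKEY_PEM = """\
-----BEGIN PUBLIC KEY-----
MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAnU8bw0DQKJjkX1QWFUM8
o52NWkUNz4zvrGRJEwhGpJZ99ho0A/BqG5kK7X9pq3GOICD3+6g928JBo6d/3cNM
Ql5lS0LaZN3bxgiNPCWFEnYjLAagRMmi8unfZmGLjc3DDKT62Q0hrI86s1zB3ZhX
6biNhXmwMaKEenpuqRBzGDqmIP9Uc9jK75SqF9T7nK1L9j+nKhYqWpeRDjDuvYPY
XHdstU0TN/OmKvPosiQaIrcIs2MNQXP7rLtMbr9knJucwLymCkF+IpMky/NTKt3u
DR+OJZZMSbmWCBATmz7P9E9Vp8jwrLzhMzEgs0G8yeseMQ2ZpZEm+MKabqkro74M
xldocxoK2AL51ZE8c5TLYGOYbG2PAsdk/rlyRDk1diI07mCw/R4RlPcJRFDJO1eF
b1A8yp6pQjD7rg+Y38b0Z8AZzmf3aKj2B8sHOtKoNR8hKJQRtWhqKAgpQtsJY81/
2SaMLdU7yOqY34QWrGwiRei1WoJKzeyMvJjzmbTbYQYePxlbWeoV/fJ0P0IboYPH
iZ+WzXGG5Cxf7+zfZiCrbZuMqgCZdqc6ntQRcZqvw66a2Pxx4dO8AmGmxIJNzDnK
lA6CHTwDeH7BgzYDD3IJxA7ofAAzqpw8H2eyRxsqLKTI2SAnmFqk85xpxWptmhOS
BshihPaOu5a2ZXaPDeg6Lw8CAwEAAQ==
-----END PUBLIC KEY-----
"""


def _tlv(buf: bytes, pos: int):
    """Read one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                         # long form: low bits = number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def parse_rsa_public_key(pem: str) -> dict:
    body = "".join(l.strip() for l in pem.strip().splitlines() if not l.startswith("-----"))
    der = base64.b64decode(body, validate=True)   # raises ValueError on bad input
    tag, spki, _ = _tlv(der, 0)               # SubjectPublicKeyInfo ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a SubjectPublicKeyInfo SEQUENCE")
    _, alg, pos = _tlv(spki, 0)               #   AlgorithmIdentifier ::= SEQUENCE
    _, oid, _ = _tlv(alg, 0)                  #     OBJECT IDENTIFIER
    if oid != RSA_OID:
        raise ValueError("not an rsaEncryption key")
    bs_tag, bits, _ = _tlv(spki, pos)         #   subjectPublicKey ::= BIT STRING
    if bs_tag != 0x03:
        raise ValueError("missing BIT STRING")
    _, rsa_pub, _ = _tlv(bits[1:], 0)         #   RSAPublicKey ::= SEQUENCE (skip unused-bits octet)
    _, n_bytes, pos = _tlv(rsa_pub, 0)        #     modulus INTEGER
    _, e_bytes, _ = _tlv(rsa_pub, pos)        #     publicExponent INTEGER
    n = int.from_bytes(n_bytes, "big")
    return {
        "modulus_bits": n.bit_length(),
        "exponent": int.from_bytes(e_bytes, "big"),
        "wrapped_key_len": (n.bit_length() + 7) // 8,   # size of the RSA-encrypted AES key blob
        "der_len": len(der),
        "spki_sha256": hashlib.sha256(der).hexdigest(),
    }


if __name__ == "__main__":
    info = parse_rsa_public_key(RANSOMEXX2_PUBKEY_PEM)
    print(f"RSA-{info['modulus_bits']}, e={info['exponent']}, "
          f"wrapped AES key blob = {info['wrapped_key_len']} bytes")
    print("SPKI SHA-256:", info["spki_sha256"])
```

For this key the modulus is 4096 bits, so each encrypted file should carry a 512-byte RSA-wrapped AES key at its end; the report does not describe the footer layout beyond that, so anything more specific would have to come from the sample itself.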
Elements such as the RSA key, the file extension, and the ransom note name and contents are stored encrypted within the binary and decrypted at runtime by XORing the encrypted data with an equal-sized key.

Conclusion

X-Force assesses it is highly likely that more threat actors will experiment with Rust going forward. RansomExx is yet another major ransomware family to switch to Rust in 2022 (following similar efforts with Hive and BlackCat). While these latest changes by RansomExx may not represent a significant upgrade in functionality, the switch to Rust suggests a continued focus on the development and innovation of the ransomware by the group, and continued attempts to evade detection.

KmsdBot, a new evasive bot for cryptomining activity and DDoS attacks

Researchers spotted a new evasive malware, tracked as KmsdBot, that infects systems via an SSH connection that uses weak credentials.

Akamai Security Research discovered a new evasive Golang-based malware, tracked as KmsdBot, that infects systems via an SSH connection that uses weak login credentials.

The malware was employed in cryptocurrency mining campaigns and to launch distributed denial-of-service (DDoS) attacks. KmsdBot supports multiple architectures (Winx86, Arm64, mips64 and x86_64) and does not establish persistence, which also helps it avoid detection.

The malicious code was used in attacks targeting multiple sectors including the gaming industry, technology industry, and luxury car manufacturers. The first DDoS attack observed by Akamai targeted a gaming company named FiveM, which allows gamers to host custom private servers for Grand Theft Auto Online. The malware employed specific targeted attacks along with generic Layer 4 and Layer 7 attacks.

“we found an interesting log entry: A cryptominer with distributed denial-of-service (DDoS) functionality tailored to the gaming industry. It’s not often we see these types of botnets actively attacking and spreading, especially ones written in Golang.” reads the post published by Akamai. “The targets range from gaming companies to luxury car brands to security companies — this malware is almost erratic with regard to its targets.”

Analysis of the ksmdx sample reveals functions for scanning, software updates and cryptomining.

Once a system has been infected, the ksmdx binary notifies the C2 by sending it an HTTP POST request containing the notification 'Bruh Started:'.

The bot downloads a list of login credentials to use when it scans for open SSH ports.

When analyzing the cryptomining activity, the experts noticed that the operators used crypto wallets, apparently chosen at random, to contribute to various mining pools.

Although the bot exposes its own functionality to launch cryptomining, the mining itself is performed by a renamed xmrig binary.

“This botnet is a great example of the complexity of security and how much it evolves. What seems to have started as a bot for a game app has pivoted into attacking large luxury brands. What’s new is how it infects — via an SSH connection that uses weak login credentials.” concludes the report. “The good news is that the same techniques we recommend to keep most organizations’ systems and networks secure still apply here.

  • Don’t use weak or default credentials for servers or deployed applications.
  • Ensure you’re keeping those deployed applications up-to-date with the latest security patches, and check in on them from time to time.
  • Use public key authentication for your SSH connections. This is the best way to prevent this type of system compromise.”
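The infection vector is ordinary password guessing against exposed SSH, so the host's own auth log is where an infection first shows. The script below is an added example (not Akamai's code) that runs over constructed sshd log lines and flags sources that accumulate failed password attempts and, more importantly, a password login that succeeds after such a run, which is what a successful KmsdBot infection would look like in auth.log. Setting PasswordAuthentication no in sshd_config removes the whole class, as the report's third recommendation says.

```python
"""Spot SSH password guessing and the login that follows it.

Added example, not Akamai's code. The sshd lines below are constructed; the
regex covers the "Failed password" / "Accepted password" / "Accepted publickey"
forms OpenSSH writes to auth.log.
"""
import re
from collections import defaultdict

SSHD_RE = re.compile(
    r"sshd\[\d+\]: (?P<outcome>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

# Constructed sample: one guessing run that ends in a successful password login,
# one legitimate key-based login, and one single typo followed by success.
SAMPLE_AUTH_LOG = """\
Nov 22 10:01:02 host sshd[2210]: Failed password for invalid user admin from 198.51.100.23 port 51022 ssh2
Nov 22 10:01:03 host sshd[2210]: Failed password for invalid user admin from 198.51.100.23 port 51023 ssh2
Nov 22 10:01:04 host sshd[2211]: Failed password for root from 198.51.100.23 port 51024 ssh2
Nov 22 10:01:05 host sshd[2211]: Failed password for root from 198.51.100.23 port 51025 ssh2
Nov 22 10:01:06 host sshd[2212]: Failed password for ubuntu from 198.51.100.23 port 51026 ssh2
Nov 22 10:01:07 host sshd[2212]: Accepted password for ubuntu from 198.51.100.23 port 51026 ssh2
Nov 22 10:05:00 host sshd[2300]: Accepted publickey for deploy from 203.0.113.5 port 40000 ssh2: ED25519 SHA256:abc
Nov 22 10:06:00 host sshd[2301]: Failed password for ops from 203.0.113.9 port 40100 ssh2
Nov 22 10:06:30 host sshd[2301]: Accepted password for ops from 203.0.113.9 port 40100 ssh2
"""


def analyze_sshd_log(log_text: str, threshold: int = 3) -> dict:
    """Return guessing sources and password logins that followed a guessing run."""
    failures = defaultdict(int)       # ip -> failed password attempts seen so far
    users_tried = defaultdict(set)    # ip -> usernames attempted from that ip
    brute_force = {}                  # ip -> summary once the threshold is crossed
    suspicious_logins = []            # successful password logins after a guessing run
    for line in log_text.splitlines():
        m = SSHD_RE.search(line)
        if not m or m["method"] != "password":
            continue                  # key-based logins are not this bot's vector
        ip, user = m["ip"], m["user"]
        if m["outcome"] == "Failed":
            failures[ip] += 1
            users_tried[ip].add(user)
            if failures[ip] >= threshold:
                brute_force[ip] = {"failures": failures[ip], "users": sorted(users_tried[ip])}
        elif failures[ip] >= threshold:
            # Success after repeated failures from the same source: treat as compromise.
            suspicious_logins.append({"ip": ip, "user": user, "failures_before": failures[ip]})
    return {"brute_force_sources": brute_force, "suspicious_logins": suspicious_logins}


if __name__ == "__main__":
    result = analyze_sshd_log(SAMPLE_AUTH_LOG)
    for ip, info in result["brute_force_sources"].items():
        print(f"guessing from {ip}: {info['failures']} failures, users {info['users']}")
    for hit in result["suspicious_logins"]:
        print(f"LIKELY COMPROMISE: {hit['user']}@{hit['ip']} after {hit['failures_before']} failures")
```

The threshold is deliberately low; the signal that matters is not the failure count but the success that follows it, so tune the threshold to your own baseline rather than to the sample.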

‘Eternity malware’ offers Swiss Army knife of cybercrime tools

A one-stop shop for data and crypto kleptomaniacs

Malware that steals passwords, cookies, and payment card data from web browsers is being sold via a Telegram channel and a Tor website, security researchers have discovered.

Collectively named the ‘Eternity Project’ by its architects, the suite of malware already includes stealers, clippers, worms, miners, and ransomware, with a Distributed Denial of Service (DDoS) bot apparently under development.

A Telegram channel provides information about forthcoming software updates and videos documenting the malware’s functionality to around 500 subscribers.

“Interestingly, individuals who purchase the malware can utilize the Telegram Bot to build the binary,” according to a blog post by Cyble Research Labs.

“The TAs [threat actors] provide an option in the Telegram channel to customize the binary features, which provides an effective way to build binaries without any dependencies.”

Versatile

A Stealer module, which costs $260 for an annual subscription, also exfiltrates AutoFill data, tokens, history, and bookmarks from Chrome, Chromium, Firefox, Edge, Opera, and more than 20 other browsers.

Other data exfiltrated from the infected machine to the threat actor's Telegram bot includes various system credentials and cryptocurrency, taken from a wide range of crypto-wallets and browser cryptocurrency extensions.

Eternity ransomware, meanwhile, can encrypt documents, photos, and databases on disks, local shares, and USB drives on compromised machines.

The ransomware facility – the most expensive option at $490 – offers offline encryption, an encryption algorithm combining AES and RSA, and the option to set a time limit after which files cannot be decrypted.

The Eternity worm, priced at $390, propagates through infected machines via local files and local network shares; Google Drive, OneDrive, and DropBox; and Discord, Telegram, and Python Interpreter.

For $110, budding cybercrooks can harness clipper malware that supports multiple address formats for BTC, LTC, ZEC, and BCH, while a $90-a-year cryptocurrency mining module offers silent Monero mining and automatic restarts.

Cybercrime increase

Researchers suspect the developer behind the Eternity Project is repurposing code in the ‘DynamicStealer’ GitHub repository, and have identified possible links with the threat actor behind the Jester Stealer malware Cyble documented in February.

Cyble Research Labs said it had recently “observed a significant increase in cybercrime through Telegram channels and cybercrime forums”.

Individuals and organizations are advised to protect themselves by installing reputable security software, enabling automatic software updates if practicable, regularly backing up data and keeping backups offline or on a separate network, and refraining from opening untrusted links and email attachments without verifying their authenticity.

Medical doctor charged with creating the Thanos ransomware builder

Venezuelan cardiologist allegedly tied to cybercrime scams through multiple OpSec mistakes

A cardiologist turned alleged malware developer has been charged with creating the Thanos ransomware builder.

Moises Luis Zagala Gonzalez, 55, a citizen of France and Venezuela who resides in Ciudad Bolivar, Venezuela, engaged in attempted computer intrusions and conspiracy to commit computer intrusions, according to a US criminal complaint that was unsealed on Monday (May 16).

Zagala is alleged to have both sold and leased ransomware packages he developed to cybercriminals.

He is also accused of training would-be attackers in how to use his wares to extort victims, and of subsequently boasting about successful attacks, according to US prosecutors.

RaaS platform

The self-taught part-time programmer allegedly designed several ransomware tools, malicious packages designed to encrypt files on compromised systems before demanding extortionate payments in exchange for a decryption key.

Zagala developed a ransomware tool called ‘Jigsaw v.2’ before designing a more sophisticated private ransomware builder called Thanos, a reference to either the Marvel supervillain or the figure ‘Thanatos’ from Greek mythology, according to the DoJ.

The Thanos platform could be used to develop ransomware campaigns with custom ransom notes, features designed to frustrate security researchers and a “data stealer” facility that could be used to extract files from compromised systems.

Zagala allegedly profited from the ransomware-as-a-service (RaaS) operation by licensing his software to other cybercriminals, obtaining payments in either cryptocurrency or fiat currencies.

The ransomware products and services allegedly offered by Zagala were advertised and marketed through online forums frequented by cybercriminals.

OpSec mistakes

A number of OpSec mistakes allowed investigators to identify Zagala as a suspect, the DoJ said.

In September 2020, an undercover FBI agent allegedly purchased a license for Thanos from Zagala and downloaded the software. In addition, an FBI informant spoke with Zagala about the possibility of establishing an affiliate program using Thanos, according to the DoJ filing.

In addition, Zagala is said to have publicly boasted about an Iranian state-sponsored hacking group's use of Thanos to attack Israeli companies.

The Thanos software was designed to make periodic contact with a server in Charlotte, North Carolina, to check licenses. This system was apparently linked back to Zagala.

Moreover, a Florida-based relative of Zagala was interviewed by law enforcement on May 3, 2022, and admitted that their PayPal account was used by Zagala to receive illicit funds.

According to the DoJ, the relative used an email address to contact Zagala that matched the registered email for malicious infrastructure associated with the Thanos malware.

Prosecutors do not state how much Zagala made from his alleged malfeasance, but if convicted the suspect faces up to five years’ imprisonment for attempted computer intrusion, and five years’ imprisonment for conspiracy to commit computer intrusions.

PHP’s Git Server Hacked to Insert Secret Backdoor to Its Source code

In yet another instance of a software supply chain attack, the official PHP Git repository was tampered with to insert unauthorized updates.

The two malicious commits were pushed to the “php-src” repository hosted on the git.php.net server, illicitly using the names of Rasmus Lerdorf, the author of the programming language, and Nikita Popov, a software developer at Jetbrains.

The changes were made on March 28, 2021.

“We don’t yet know how exactly this happened, but everything points towards a compromise of the git.php.net server (rather than a compromise of an individual git account),” Popov said in an announcement.

The changes, committed under the message “Fix Typo” so that they would pass as a trivial typographical correction, added code that executes attacker-supplied PHP. “This line executes PHP code from within the useragent HTTP header, if the string starts with ‘zerodium’,” PHP developer Jake Birchall said.

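Because the trigger is a User-Agent header that starts with 'zerodium', web server access logs are the place to hunt for attempts to exercise the backdoor on a server that shipped the tampered source. The script below is an added example, not code from the PHP project or from the article; the log lines are constructed, and the 'payload' field (the remainder of the header after the trigger word) is an assumption about where the code would sit, not a documented format.

```python
"""Hunt access logs for the 'zerodium' User-Agent trigger described above.

Added example, not PHP project code. The log lines are constructed in
Combined Log Format; the payload field (header text after the trigger word)
is an assumption, not a documented layout.
"""
import re

TRIGGER = "zerodium"

# Combined Log Format; quoted fields may contain backslash-escaped quotes.
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<ua>(?:[^"\\]|\\.)*)"\s*$'
)

# Constructed sample: two trigger attempts from one source, one benign UA and
# one UA that merely mentions the word somewhere in the middle.
SAMPLE_ACCESS_LOG = r"""
203.0.113.10 - - [29/Mar/2021:10:15:01 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/87.0"
198.51.100.7 - - [29/Mar/2021:10:15:02 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "zerodium phpinfo();"
198.51.100.7 - - [29/Mar/2021:10:15:09 +0000] "POST /login.php HTTP/1.1" 200 88 "-" "ZERODIUM echo \"probe\";"
203.0.113.11 - - [29/Mar/2021:10:16:00 +0000] "GET /about.php HTTP/1.1" 200 300 "-" "Mozilla/5.0 scanner (zerodium-probe)"
"""


def find_backdoor_triggers(log_text: str, anywhere: bool = False) -> list:
    """Return requests whose User-Agent starts with the trigger (or contains it, if anywhere=True).

    The prefix check mirrors the description of the backdoor; the substring
    mode is a wider hunt that will pick up more noise.
    """
    hits = []
    for line in log_text.splitlines():
        m = CLF_RE.match(line)
        if not m:
            continue
        ua = m["ua"].replace('\\"', '"')      # undo the log writer's quote escaping
        lowered = ua.lower()
        is_prefix = lowered.startswith(TRIGGER)
        if is_prefix or (anywhere and TRIGGER in lowered):
            hits.append({
                "ip": m["ip"],
                "time": m["time"],
                "request": m["request"],
                "status": int(m["status"]),
                "payload": ua[len(TRIGGER):].strip() if is_prefix else None,
            })
    return hits


if __name__ == "__main__":
    for hit in find_backdoor_triggers(SAMPLE_ACCESS_LOG):
        print(f"{hit['time']} {hit['ip']} {hit['request']!r} payload={hit['payload']!r}")
```

A 200 response to such a request is not proof the code ran, only that the server answered; confirming exploitation means checking whether that build of PHP contained the commit, and the payloads seen here are the first thing to hand to whoever does that check.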
Besides reverting the changes, the PHP maintainers are reviewing the repositories for any tampering beyond the two commits. They have also decided to stop running their own Git server and make the GitHub repositories canonical: contributing to the PHP project now requires being a member of the PHP organization on GitHub, with two-factor authentication enabled.

It’s not immediately clear if the tampered codebase was downloaded and distributed by other parties before the changes were spotted and reversed.

We have reached out to the maintainers of PHP for more comments, and we will update the story if we hear back.


Read the Full Article here: >The Hacker News [ THN ]

2021 Global Cybersecurity Policy Challenges and Highlights

For many global policymakers, the transformative impact of the COVID-19 pandemic has reinforced the need to adopt new cybersecurity and privacy policies. Here’s a look at what we can expect in the year ahead.

The COVID-19 pandemic and resulting global economic downturn represent new challenges for government security leaders. Indeed, the massive shift to remote work for both the public and private sectors has forced businesses, governments and other organizations to adapt security practices, processes and policies to account for the significant range of new devices and assets which are now connected to enterprise networks. Both governments and enterprises have seen increases in COVID-19 related phishing and other cyberattacks against employees during the pandemic. Unpatched hardware, software and configuration vulnerabilities in home devices can now be exploited and leveraged to attack enterprise networks. 

For many global policymakers, the transformative impact of the pandemic has reinforced the need to adopt new cybersecurity and privacy policies, many of which were under consideration before the pandemic, in order to strengthen trust in the digital economy. These include efforts to promote data privacy and protection, raise baseline security standards of care, and implement cybersecurity certification regimes. 

At Tenable, we’ve identified the following global privacy and cybersecurity policy challenges and expected developments that cybersecurity professionals need to monitor in 2021: 

European Union Network and Information Systems (NIS) Directive review and implementation of the EU Cybersecurity Act

Since the current NIS Directive entered into force in 2016, the cyberthreat landscape has been evolving. The EU Commission has launched a public consultation on a proposed revision of the Directive. This will be an opportunity to clarify minimum cyber hygiene standards, consider the expanded threat landscape of cloud computing and operational technology (OT) risks and harmonize security standards across the EU. Much of this harmonization will likely come through implementation of the cybersecurity certification schemes under the EU Cybersecurity Act. While the cybersecurity authorities of the member state — including BSI in Germany and  ANSSI in France — will play lead roles in driving these certifications in their respective countries, we also expect them to work closely with the European Commission and the European Agency for Network and Information Security (ENISA) in order to drive towards greater convergence. Certifications under consideration in 2021 include new E.U.-wide certification standards for EU Common Criteria for critical infrastructure, as well as certification regimes for cloud services, artificial intelligence, and 5G. 

Brazil data security and Latin America regional influence

It has been more than two years since the European General Data Protection Regulation (GDPR) came into effect and changed the landscape of global data security. The “data protection by default” approach of the GDPR is now being mirrored in Brazil with the Lei Geral de Proteção de Dados Pessoais (LGPD), with some key differences. The LGPD, which went into effect in August 2020, has a broad scope and applies to any organization that processes Brazilian citizen data. With digital transformation underway at many of the organizations which routinely process Brazilian citizens’ data, it will be critical to understand these new requirements and to avoid penalties. The Brazilian government is expected to clarify some of the provisions of this law in 2021. Brazil is influential across the Americas and its minimum security standards will be impactful for data security practices.

Continued development of minimum data security standards

Japan, Brazil, Canada, India and New Zealand all made updates in 2020 to regulations impacting data security standards. All of these countries moved closer to the EU model of minimum cybersecurity standards and substantial fines for non-compliance. This trend is likely to continue, with governments reviewing their basic cybersecurity standards in light of the changing threat landscape and concerns for data privacy. Expect to see more extraterritorial reach for these laws as governments mandate basic cybersecurity requirements and use fines against organizations that ignore security.

Focus on critical infrastructure and operational technology standards in APAC

Because there is a wide range of maturity in OT security policy across APAC, there is a need to develop and harmonize security best practices. Regional industry groups are likely to drive alignment with international, consensus-driven standards. As an example, the ASEAN Ministerial Conference on Cybersecurity (AMCC) agreed in 2018 to subscribe in principle to 11 voluntary, non-binding norms and to focus on regional capacity-building in implementing them. These norms include critical infrastructure protection and OT protection. In 2018 Singapore published its Master Plan for Operational Technology standards. These efforts are likely to grow across APAC in 2021 as 5G technology is adopted and the OT threat landscape grows. Additional country-specific activity in the region includes:

  • Australia: Earlier this year, Australia launched a consultation on a proposed enhanced regulatory framework for operators of critical infrastructure and systems of national significance. This focus on critical infrastructure stems from Australia’s Cyber Security Strategy 2020, where the government noted that highly sophisticated nation states and state-sponsored actors continue to target governments and critical infrastructure providers. In response, the strategy calls for critical infrastructure businesses to improve baseline security, and states that the government will invest funds in cyber situational awareness, research on cyberthreats, and vulnerability assessment.

  • India: Government leaders in India have been increasingly focused on the security of their industrial technology infrastructure against cyberattacks. Critical infrastructure cybersecurity will therefore likely be a major focus area in India’s National Cyber Security Strategy 2020 and early implementation of the strategy is expected in 2021.

  • Japan: Japan continues to implement provisions of the Cyber Physical Security Framework, released by the Ministry of Economy, Trade and Industry (METI) in 2019 and focused on security for consumer and industrial IoT. As part of this implementation, METI released a draft IoT Security Safety Framework earlier this year, focusing on security for the layer of mutual connections between physical devices and cyberspace. METI will likely develop further guidance on Cyber Physical Security in 2021, especially as the Tokyo Summer Olympics, which constitute a prime target for cyber attackers, have been rescheduled for next summer.

Brexit and data security

As Brexit is finalized with the U.K., there will continue to be concerns about data privacy standards and enforcement across borders. This will be tested with new reviews and examination of data privacy enforcement and adherence to agreed upon standards. While the UK has committed to implementing both the GDPR and the NIS Directive, data security remains a sensitive issue that the EU and U.K. governments will continue to review.

Regulatory Harmonization of Cybersecurity Regulations for Financial Services

This year, we saw further progress in the U.S. regarding efforts to harmonize the regulatory requirements for cybersecurity in financial services and the growing acceptance of a risk profile model that could be examined across multiple regulatory agencies. The framework is largely based on the National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity. There is also continued discussion of harmonization in Europe and APAC. And we expect additional review of these requirements in Europe in the year ahead as banks seek to reduce duplication across national agencies and limit burdensome regulatory requirements. This is hopefully an opportunity to focus on critical risks and maintaining harmonized standards for cybersecurity.

U.S. Energy and Critical Infrastructure Security

Over the last year, the U.S. Congress has worked on the American Energy Innovation Act, which contains numerous cybersecurity provisions to strengthen the cybersecurity of the nation’s energy infrastructure through public-private partnerships, rate incentives for cybersecurity investments and advanced cybersecurity technology and application research and development. While this bill is unlikely to pass before the end of this Congress, we expect to see similar legislative efforts on strengthening energy sector cybersecurity in 2021. The U.S. Department of Energy (DoE) and Department of Homeland Security (DHS) will also continue to prioritize energy grid and industrial cybersecurity through policy guidance and updated standards. Questions regarding whether these approaches will take a more voluntary or regulatory approach in 2021 may depend on presidential and congressional election outcomes. Additional U.S. activity includes:

  • Supply chain protections: With a COVID-19 vaccine expected by 2021, the U.S. and other global governments will continue to focus on supply chain security to protect the manufacturing and distribution of vaccines.

  • Transportation and infrastructure: Congress is also expected to consider a major transportation and infrastructure package in 2021. This legislation is expected to include provisions on smart, digital infrastructure. Therefore, critical infrastructure and OT cybersecurity considerations will need to be addressed as well.

  • Vendor certifications: Implementation of the U.S. Department of Defense (DoD) vendor cybersecurity certification program. The Cybersecurity Maturity Model Certification (CMMC), part of the DoD unified standard for implementing cybersecurity across the defense industrial base (DIB), will become more impactful in defense acquisition processes in 2021. As before, contractors will remain responsible for implementing critical cybersecurity requirements to protect sensitive defense information. However, the CMMC requires third-party assessments of contractors’ compliance with mandatory practices, procedures and capabilities to prevent cyberattacks from new and evolving threats. Due to the size and complexity of the defense industrial base, it’s likely that the CMMC will face technical and logistical hurdles as it is implemented on a much larger scale. However, it also represents an important opportunity for the DoD to improve its cybersecurity posture and close the cyber exposure gap for the DoD and its contractors by creating incentives for stronger cybersecurity processes and practices.


Conclusion

Understanding the policy landscape helps security and business leaders stay prepared for new trends and requirements. In the modern connected world, policy trends in one region often influence government actions in another region. Governments are increasingly scrutinizing data privacy and security, and this trend is likely to continue. Awareness of the trends above helps leaders anticipate government concerns and avoid costly fines and regulatory problems.

Learn more:

Read the full article here: Tenable Network Security

Phishers bypass Microsoft 365 security controls by spoofing Microsoft.com

A domain spoofing email phishing campaign that very convincingly impersonates Microsoft and successfully tricks legacy secure email gateways has recently been spotted by Ironscales.

It also led them to discover that Microsoft servers are not currently enforcing the DMARC protocol. “This is especially perplexing when considering Microsoft frequently ranks as a top 5 most spoofed brand year after year,” said Lomy Ovadia, the company’s VP of research and development.

The phishing campaign

The phishing emails in question look like this:

[Screenshot of the phishing email; image not reproduced]

The attackers:

  • Spoofed the sender’s domain to make it look like the email comes from Microsoft
  • Used a relatively new Microsoft 365 capability (to review quarantined messages) as a pretext to trick users into following the offered link
  • Attempted to create a sense of urgency

The link takes users to a fake login page that “asks” for Microsoft 365 login credentials. Needless to say, users who enter them are effectively handing them over to the phishers.

“What’s interesting about this campaign is that exact domain spoofs aren’t incredibly sophisticated attacks for gateway controls to detect,” Ovadia noted.

“The reason why SEGs [secure email gateways] can traditionally stop exact domain spoofing is because, when configured correctly, this control is compliant with Domain-based Message Authentication, Reporting and Conformance (DMARC).”

DMARC is an email authentication protocol designed to help email domain owners protect their domain from unauthorized use.

“Any other email service that respects and enforces DMARC would have blocked such emails. It remains unknown as to why Microsoft is allowing a spoof of their very own domain against their own email infrastructure,” Ovadia concluded.
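The gateway behaviour Ovadia describes can be made concrete. The following is an added example, not code from the article or from Ironscales: it parses a DMARC record, checks SPF/DKIM identifier alignment against the visible From domain, and applies the p= policy. The organizational-domain rule is simplified to the last two labels (real receivers use the Public Suffix List), and all domains and results are constructed inputs.

```python
"""Evaluate a message against a sender domain's DMARC record (added example)."""
from dataclasses import dataclass
from typing import Optional, Tuple

def parse_dmarc(txt: str) -> dict:
    """Parse a DMARC TXT record such as 'v=DMARC1; p=reject; adkim=s' into tags."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    tags.setdefault("adkim", "r")  # relaxed alignment is the default for DKIM
    tags.setdefault("aspf", "r")   # and for SPF
    return tags

def org_domain(domain: str) -> str:
    """Organizational domain, simplified to the last two labels (assumption: no PSL)."""
    return ".".join(domain.lower().rsplit(".", 2)[-2:])

def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Strict ('s') needs an exact match; relaxed ('r') needs the same organizational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

@dataclass
class AuthResults:
    """What SPF and DKIM established for one message (values are constructed by the caller)."""
    from_domain: str            # domain of the RFC5322.From header, the one users see
    spf_domain: Optional[str]   # MAIL FROM domain that SPF evaluated
    spf_result: str             # 'pass', 'fail', 'none', ...
    dkim_domain: Optional[str]  # d= of a verified signature, if any
    dkim_result: str

def dmarc_disposition(record: str, r: AuthResults) -> Tuple[bool, str]:
    """Return (dmarc_pass, action). An exact-domain spoof fails both alignment checks,
    so only the p= policy decides: reject/quarantine block it, p=none lets it through."""
    tags = parse_dmarc(record)
    spf_ok = (r.spf_result == "pass" and r.spf_domain is not None
              and aligned(r.from_domain, r.spf_domain, tags["aspf"]))
    dkim_ok = (r.dkim_result == "pass" and r.dkim_domain is not None
               and aligned(r.from_domain, r.dkim_domain, tags["adkim"]))
    if spf_ok or dkim_ok:
        return True, "deliver"
    return False, tags["p"] if tags["p"] in ("reject", "quarantine") else "deliver"
```

The same spoofed message is rejected under p=reject and delivered under p=none, which is exactly the gap the article points at when a domain's DMARC policy is not enforced.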

The phishing campaign has been aimed at Microsoft 365 enterprise users within various verticals (finsec, healthcare, insurance, manufacturing, utilities, telecom, etc.).

Read the full article here: Help Net Security – News

New TSX Speculative Attack allows stealing sensitive data from latest Intel CPUs

ZombieLoad 2, aka TSX Asynchronous Abort, is a new flaw affecting the latest Intel CPUs that could be exploited to launch a TSX speculative attack.

ZombieLoad 2, aka TSX Asynchronous Abort, is a new vulnerability tracked as CVE-2019-11135 that affects the latest Intel CPUs and could be exploited to launch a TSX speculative attack.

The flaw affects the Transactional Synchronization Extensions (TSX) feature in Intel processors; it could be exploited by a local attacker or malicious code to steal sensitive data from the underlying operating system kernel.

The ZombieLoad 2 attack also targets the speculative execution implemented in modern CPUs to improve performance.

In recent months, security researchers have devised several speculative side-channel attacks: RIDL (Rogue In-Flight Data Load), Fallout, Microarchitectural Data Sampling (MDS), and ZombieLoad.

Unlike the Meltdown, Spectre, and Foreshadow attacks, MDS attacks target the CPU’s microarchitectural data structures.

News of the day is that a new version of the ZombieLoad attack has been devised by researchers; it also impacts processors in the Intel Cascade Lake CPU family that are not impacted by the other attacks.

The ZombieLoad 2 attack only affects CPUs supporting the Intel TSX instruction-set extension, a condition that is true in all Intel CPUs manufactured since 2013.

The TSX feature improves performance by leveraging hardware transactional memory; operations on this memory do not impact the overall performance of the system.

“The TSX Asynchronous Abort (TAA) vulnerability is similar to Microarchitectural Data Sampling (MDS) and affects the same buffers (store buffer, fill buffer, load port writeback data bus).” reads the security advisory published by Intel.

“Intel TSX supports atomic memory transactions that are either committed or aborted. When an Intel TSX memory transaction is aborted, either synchronously or asynchronously, all earlier memory writes inside the transaction are rolled back to the state before the transaction start. While an Intel TSX asynchronous abort (TAA) is pending, certain loads inside the transaction that are not yet completed may read data from microarchitectural structures and speculatively pass that data to dependent operations. This may cause microarchitectural side effects, which can later be measured to infer the value of the data in the microarchitectural structures.”

Experts discovered that aborting memory transactions may allow a process to infer data belonging to other running processes, including operating system kernel data. An attacker could exploit the flaw to steal sensitive data, including passwords and encryption keys.
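The practical question for a defender is whether a given host is still exposed to TAA. The following is an added example, not code from the article or from Intel: it reads the Linux kernel's sysfs report for this vulnerability and the CPU flags from /proc/cpuinfo, and turns them into a structured verdict. The status strings and the tsx= / tsx_async_abort= kernel parameters are those of the upstream Linux kernel; the sample inputs in the test are constructed.

```python
"""Classify a Linux host's TSX Asynchronous Abort (TAA) mitigation status (added example)."""
from pathlib import Path

TAA_SYSFS = Path("/sys/devices/system/cpu/vulnerabilities/tsx_async_abort")
CPUINFO = Path("/proc/cpuinfo")

def classify_taa(sysfs_text: str, cpu_flags: set) -> dict:
    """Map the kernel's one-line TAA status to state, SMT caveat and recommended action.

    sysfs_text: content of tsx_async_abort, e.g. 'Mitigation: Clear CPU buffers; SMT vulnerable'.
    cpu_flags: flag names from /proc/cpuinfo; 'rtm'/'hle' mean TSX is exposed to software.
    """
    text = sysfs_text.strip()
    v = {"raw": text, "tsx_exposed": bool(cpu_flags & {"rtm", "hle"}), "smt": "n/a"}
    if "SMT vulnerable" in text:
        v["smt"] = "vulnerable"
    elif "SMT disabled" in text:
        v["smt"] = "disabled"
    if text.startswith("Not affected"):
        v["state"], v["action"] = "not_affected", "none"
    elif text.startswith("Mitigation: TSX disabled"):
        v["state"], v["action"] = "mitigated", "none"
    elif text.startswith("Mitigation:"):
        # Buffers are cleared on kernel exit, but a sibling hyperthread can still sample them.
        v["state"] = "mitigated"
        v["action"] = "disable SMT or boot with tsx=off" if v["smt"] == "vulnerable" else "none"
    elif text.startswith("Vulnerable"):
        v["state"] = "vulnerable"
        v["action"] = ("apply Intel microcode update" if "no microcode" in text
                       else "update kernel; boot with tsx=off or tsx_async_abort=full,nosmt")
    else:
        v["state"], v["action"] = "unknown", "kernel does not report TAA status; update kernel"
    return v

def read_cpu_flags(cpuinfo_text: str) -> set:
    """Collect the 'flags' entries from /proc/cpuinfo text (the first CPU is enough)."""
    for line in cpuinfo_text.splitlines():
        if line.startswith("flags"):
            return set(line.split(":", 1)[1].split())
    return set()

def host_taa_status() -> dict:
    """Run the check on the local host; meaningful only on Linux with a TAA-aware kernel."""
    sysfs = TAA_SYSFS.read_text() if TAA_SYSFS.exists() else ""
    flags = read_cpu_flags(CPUINFO.read_text()) if CPUINFO.exists() else set()
    return classify_taa(sysfs, flags)
```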

Harmonisation of Turn Around Time (TAT) and customer compensation for failed transactions using authorised Payment Systems

The principle behind the TAT is based on the following:

(a). If the transaction is a ‘credit-push’ funds transfer and the beneficiary account is not credited while the debit to the originator has been effected, then the credit is to be effected within the prescribed time period, failing which a penalty has to be paid to the beneficiary;

(b). If there is a delay in the initiation of a transaction at the originator bank’s end beyond the TAT, then a penalty has to be paid to the originator.

(c). A ‘failed transaction’ is a transaction which has not been fully completed due to any reason not attributable to the customer, such as failure in communication links, non-availability of cash in an ATM, time-out of sessions, etc. Failed transactions shall also include credits which could not be effected to the beneficiary account on account of lack of full information or lack of proper information, and delay in initiating a reversal transaction.

Here is the link to the RBI circular (20-Sep-19): Harmonisation of TAT using authorised Payment Systems (PDF)