CYBERSECURITY / DEFENSE / INTELLIGENCE

  • The U.S. Department of Justice (DoJ) on Wednesday announced the arrest of two co-founders of a cryptocurrency mixer called Samourai and seized the service for allegedly facilitating over $2 billion in illegal transactions and for laundering more than $100 million in criminal proceeds. To that end, Keonne Rodriguez, 35, and William Lonergan Hill, 65, have been charged


  • Attackers are employing evasion techniques to bypass detection and extend dwell time on compromised systems. This is achieved by targeting unmonitored devices, leveraging legitimate tools, and exploiting zero-day vulnerabilities.

    Defenders are improving detection speed (median dwell time decreased from 16 to 10 days), although this is partly due to faster ransomware identification. At the same time, attackers are using adversary-in-the-middle and social engineering tactics to bypass multi-factor authentication.

    Cloud infrastructure is under attack, with attackers even leveraging cloud resources. Both red and purple teams are exploring AI for better security outcomes as they analyze these trends and offer mitigation strategies to the security community.


    In 2023, more than half of compromised organizations learned of the incident from an external source, most commonly through a ransom demand from the attacker (70% for ransomware-related intrusions).

    Figure: Ransomware External Notification Source, 2023

    This suggests improved internal detection capabilities, as the percentage of externally notified intrusions decreased compared to 2022 (54% vs. 63%).

    Ransomware events are most often discovered externally (70%), with attacker ransom notes being the dominant notification method (75% of externally discovered ransomware intrusions).

    Investigations into ransomware attacks are on the rise again, reaching 23% of all investigations in 2023, surpassing the 2022 numbers and matching the 2021 levels.

    Organizations are also becoming faster at detecting ransomware than other intrusions, with a median detection time of just 5 days in 2023.

    Figure: Global Median Dwell Time by Detection Source

    The improvement is seen across the board, with internal detection dropping to 6 days and external notification leading to a 5-day detection window.

    Overall, dwell time (time attackers remain undetected) continues to decrease, highlighting the urgency of rapid response to security incidents. 

    Mandiant’s 2023 incident response investigations showed financial, business, and professional services, high tech, retail and hospitality, and healthcare as the most targeted industries.

    Figure: Global Industries Targeted, 2023

    These sectors hold sensitive data like PII, PHI, and financial information, and the most typical initial infection vector was an exploit (38%), followed by phishing (17%) and prior compromises (15%). This suggests that attackers are increasingly using exploits and leveraging existing network breaches to gain access.

    There was a rise in financially motivated cyberattacks in 2023, with ransomware being the most common culprit. Data theft also remained prevalent, though slightly less frequent than in 2022.

    In some cases, stolen data was directly sold for extortion, while other attackers used a combination of data theft, ransomware deployment, and extortion threats.

    Data breaches involving intellectual property and targeted theft by espionage groups were also identified.

    Figure: Observed Threat Groups by Goal, 2023

    Mandiant tracked a vast number of threat actors, encountering over 300 unique groups during incident response in 2023. A significant portion (719) were newly identified, with over half exhibiting financial motivations.

    This aligns with the rise in ransomware observed in 2023. Espionage and other objectives saw a modest decline, while a substantial share (36%) remains challenging to categorize definitively due to limited evidence.

    In 2023, a consistent distribution of malware categories was observed, with backdoors (33%), downloaders (16%), droppers (15%), credential stealers (7%), and ransomware (5%) being the top five.

    Credential stealers re-entered the top five in 2023, while ransomware families decreased from 7% in 2022 to 5% in 2023, suggesting continued reliance on preexisting ransomware strains such as LOCKBIT, ALPHV, BASTA, and ROYALLOCKER rather than new families.


    The post Cyber Attack Defenders Up For Battle: Huge Uptick In Timely Attack Detections appeared first on GBHackers on Security | #1 Globally Trusted Cyber Security News Platform.


  • The telecom company AeroNet Wireless announced the launch of its new 10Gbps speed Internet plan, marking an important landmark for the telecommunications sector in Puerto Rico.

    “We have invested millions to expand and strengthen our network, demonstrating our commitment to launching Puerto Rico to the next level of connectivity and Internet services.

    Our new 10Gbps plan is the first of its kind on the island, and we are confident that it will position AeroNet and Puerto Rico’s telecommunications industry as a force to be reckoned with nationwide,” said AeroNet’s President and Founder, Gino Villarini, at an event held at Parallel 18 facilities, in San Juan.

    The new 10Gbps speed service exemplifies a statement of ambition by AeroNet to lead the way with innovation through the latest technology in the telecommunications business on the island.

    The launch of AeroFiber 10Gbps Nex-Gen represents a leap in business connection speed, as 10 Gbps equals 10,000 Mbps (megabits per second).

    “This means an exceptional data transfer capacity that allows the realization of complex tasks and the execution of advanced applications at an unprecedented speed.

    To grasp the magnitude of this speed, AeroFiber 10Gbps is 100 times faster than conventional internet connections,” explained Villarini during the launch of the new service.

    According to the telecommunications businessman, the innovative service is designed to meet the growing demands of the commercial sector, offering a connection that drives efficiency, productivity, and competitiveness.

    This aims to ensure that businesses in Puerto Rico have access to a robust network capable of meeting the challenges of the digital age.

    “AeroNet is the only hybrid provider in Puerto Rico that offers the service through fiber optic and microwave. The service is available throughout the island, including Vieques and Culebra,” he added.

    AeroNet has designed a highly competitive pricing scale to make its new 10Gbps service affordable for the entire commercial sector, seeking to transform how businesses operate and compete.

    β€œWe not only ensure an ultra-fast connection; we support every interaction with a highly trained and professional technical support team, enhancing productivity and peace of mind for our customers for a seamless service experience.”

    Contact
    Marketing Manager
    Meredith Lugo
    AeroNet Wireless
    mlugo@aeronetpr.com

    The post AeroNet Wireless Launches 10Gbps Internet Plan: A Landmark Moment in Puerto Rico’s Telecommunications Industry appeared first on GBHackers on Security | #1 Globally Trusted Cyber Security News Platform.


  • Cisco has released critical security updates to address multiple vulnerabilities in its Adaptive Security Appliance (ASA) devices and Firepower Threat Defense (FTD) software, collectively known as the “ArcaneDoor” vulnerabilities.

    If exploited, these vulnerabilities could allow a cyber threat actor to take control of an affected system.

    The Cybersecurity and Infrastructure Security Agency (CISA) has added two vulnerabilities to its Known Exploited Vulnerabilities Catalog, indicating active exploitation in the wild.

    Recently, GBHackers on Security reported that a sophisticated cyber espionage campaign dubbed “ArcaneDoor”, conducted by a state-sponsored threat actor tracked as UAT4356, exploited these two zero-day vulnerabilities (CVE-2024-20353 and CVE-2024-20359) in Cisco’s Adaptive Security Appliance (ASA) firewalls.

    CVE-2024-20353 and CVE-2024-20359: Persistent Remote Code Execution Vulnerabilities

    These two vulnerabilities, tracked as CVE-2024-20353 and CVE-2024-20359, are persistent remote code execution vulnerabilities in Cisco ASA and FTD software.

    They allow an unauthenticated, remote attacker to execute arbitrary code on the underlying operating system with root-level privileges.

    The vulnerabilities exist due to improper handling of certain HTTP requests and improper sanitization of user-supplied data.

    An attacker could exploit these vulnerabilities by sending crafted HTTP requests to a targeted device, potentially leading to complete system compromise.

    “To determine whether a device that is running Cisco ASA Software or FTD Software is affected, use the show asp table socket | include SSL command and look for an SSL listen socket on any TCP port.”

    If a socket is present in the output, the device should be considered vulnerable. The following example shows the output for a Cisco ASA device with two SSL listen sockets on TCP port 443 and TCP port 8443:

    ciscoasa#  show asp table socket | include SSL
    SSL 00185038 LISTEN 172.16.0.250:443 0.0.0.0:*
    SSL 00188638 LISTEN 10.0.0.250:8443 0.0.0.0:*
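    The check quoted above can be scripted over saved output of show asp table socket, which is useful when auditing many devices from collected CLI captures. The following Python is an added example, not Cisco's or the article's code. It assumes the column layout shown in the excerpt (protocol, socket handle, state, local address, foreign address) and, following the advisory's wording, treats only SSL sockets in LISTEN state as evidence that the device should be considered vulnerable; the sample output is constructed and is not from a real device.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample (not real device output): the two listening sockets from
# the advisory excerpt, plus an established SSL session and a non-SSL TCP
# listener to show that those are ignored. Header and prompt lines are also
# skipped by the parser.
SAMPLE_OUTPUT = """\
ciscoasa#  show asp table socket
Protocol  Socket    State      Local Address         Foreign Address
SSL       00185038  LISTEN     172.16.0.250:443      0.0.0.0:*
SSL       00188638  LISTEN     10.0.0.250:8443       0.0.0.0:*
SSL       0019a2c0  ESTAB      172.16.0.250:443      198.51.100.7:51522
TCP       0001b3f8  LISTEN     192.0.2.1:22          0.0.0.0:*
"""


@dataclass(frozen=True)
class ListenSocket:
    handle: str    # socket handle as printed by the device (hex)
    address: str   # local IPv4 address the listener is bound to
    port: int      # local TCP port


# One data row: protocol, hex socket handle, state, local addr, foreign addr.
# The hex requirement on the handle column rejects the header and prompt lines.
_ROW = re.compile(
    r"^\s*(?P<proto>\S+)\s+(?P<handle>[0-9A-Fa-f]+)\s+(?P<state>\S+)"
    r"\s+(?P<local>\S+)\s+(?P<foreign>\S+)\s*$"
)


def parse_ssl_listen_sockets(output: str) -> List[ListenSocket]:
    """Return every SSL socket in LISTEN state found in the command output."""
    found: List[ListenSocket] = []
    for line in output.splitlines():
        m = _ROW.match(line)
        if not m or m.group("proto") != "SSL" or m.group("state") != "LISTEN":
            continue
        address, _, port = m.group("local").rpartition(":")
        if not port.isdigit():
            continue  # malformed row; ignore rather than guess
        found.append(ListenSocket(m.group("handle"), address, int(port)))
    return found


def exposed_ssl_ports(output: str) -> List[int]:
    """Distinct TCP ports with an SSL listener, sorted for reporting."""
    return sorted({s.port for s in parse_ssl_listen_sockets(output)})


def is_potentially_affected(output: str) -> bool:
    """Per the advisory: any SSL listen socket on any port means the device
    should be considered vulnerable until patched."""
    return bool(parse_ssl_listen_sockets(output))


if __name__ == "__main__":
    for sock in parse_ssl_listen_sockets(SAMPLE_OUTPUT):
        print(f"SSL listener {sock.address}:{sock.port} (socket {sock.handle})")
    verdict = "potentially affected" if is_potentially_affected(SAMPLE_OUTPUT) else "no SSL listeners"
    print(f"Verdict: {verdict}; ports: {exposed_ssl_ports(SAMPLE_OUTPUT)}")
```

    Feed the function the full command output rather than the pre-filtered include SSL form if you have it; the parser applies the same filter itself and additionally discards established sessions, which the filtered form would otherwise leave mixed in with the listeners.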

    Cisco has confirmed active exploitation of these vulnerabilities and has released software updates to address them. No workarounds are available, and users are strongly encouraged to apply the necessary updates immediately.

    CVE-2024-20358: Web Services Denial of Service Vulnerability

    CVE-2024-20358 is a denial of service (DoS) vulnerability in the management and VPN web servers of Cisco ASA and FTD software.

    An unauthenticated, remote attacker could cause the affected device to reload unexpectedly, resulting in a DoS condition.

    The vulnerability is due to incomplete error checking when parsing an HTTP header.

    An attacker could exploit this vulnerability by sending a crafted HTTP request to a targeted web server on the device, causing it to reload and become unavailable.

    This vulnerability affects the Cisco ASA restore CLI command that is described in the Software and Configurations chapter of the Cisco ASA Series General Operations CLI Configuration Guide.

    This vulnerability does not affect the backup restore functionalities documented in the System Management chapter of the Cisco Firepower Threat Defense Configuration Guide for Firepower Device Manager and the Backup and Restore chapter of the Firepower Management Center Configuration Guide.

    Cisco has released software updates to address this vulnerability, and there are no workarounds available.


    The post Alert! Cisco Releases Critical Security Updates to Fix 2 ASA Firewall 0-Days appeared first on GBHackers on Security | #1 Globally Trusted Cyber Security News Platform.


  • Cybersecurity experts at Seqrite Labs have reported a surge in cyberattacks against Indian government entities.

    These attacks have been attributed to Pakistani Advanced Persistent Threat (APT) groups, which have been intensifying their malicious activities.

    Attack Methods

    The recent campaigns uncovered by Seqrite Labs’ APT team reveal a sophisticated level of cyber warfare.


    The Pakistani-linked APT group SideCopy has been particularly active, deploying its commonly used AllaKore Remote Access Trojan (RAT) in three separate campaigns.

    Figure: Attack Chain of SideCopy

    In each of these campaigns, two instances of the RAT were used simultaneously, showcasing the group’s aggressive tactics.

    Simultaneously, Transparent Tribe (APT36), the parent group of SideCopy, has been consistently utilizing the Crimson RAT.

    However, they have modified their approach by encoding or packing the RAT differently to evade detection.

    Targets

    The primary targets of these cyberattacks are Indian defense and government entities.

    SideCopy and APT36 have been persistent in their efforts to infiltrate these sectors since at least 2019.

    Decoy files previously used in the February-March 2023 campaigns have been observed again, for example “Grant_of_Risk_and_HardShip_Allowances_Mar_24.pdf.” As the name suggests, it is an advisory from 2022 on allowance grants to Army officers under India’s Ministry of Defence.

    Figure: Decoy Files

    Their arsenal is not limited to AllaKore and Crimson RATs but includes other malicious tools such as Ares RAT, Action RAT, Reverse RAT, and Margulas RAT.

    The impact of these cyberattacks is significant, as they compromise the security and integrity of critical government systems.

    The persistent targeting of these entities threatens national security and puts sensitive data at risk of being exploited.

    Countermeasures

    In response to these escalating threats, Indian cybersecurity forces are urged to strengthen their defenses and remain vigilant.

    This includes updating security protocols, conducting regular system checks, and training personnel to effectively recognize and respond to cyber threats.

    As geopolitical tensions continue influencing the cyber threat landscape, India remains a prime target for APT groups.

    Seqrite Labs’ recent findings underscore the need for robust cybersecurity measures to protect against these sophisticated and persistent threats.


    The post Pakistani APT Hackers Attacking Indian Govt Entities With Weaponized Shortcut Files appeared first on GBHackers on Security | #1 Globally Trusted Cyber Security News Platform.


  • Google has once again pushed its plans to deprecate third-party tracking cookies in its Chrome web browser as it works to address outstanding competition concerns from U.K. regulators over its Privacy Sandbox initiative. The tech giant said it’s working closely with the U.K. Competition and Markets Authority (CMA) and hopes to achieve an agreement by the end of the year. As part of the


  • In a joint advisory released by cybersecurity agencies across Canada, Australia, and the United Kingdom, IT professionals and managers in government and critical sectors are alerted to sophisticated cyber-attacks targeting CISCO ASA VPN devices.

    Background on the Cyber Threat

    The Canadian Centre for Cyber Security and its international counterparts have been monitoring a series of cyber-attacks since early 2024.

    These incidents have primarily affected CISCO ASA devices, specifically the ASA55xx series running firmware versions 9.12 and 9.14.

    The attacks, believed to be espionage efforts by a state-sponsored actor, have not shown signs of prepositioning for a disruptive or destructive network attack.

    However, the level of sophistication observed is a cause for concern.

    CVE Details and Impact

    CVE-2024-20359

    The first vulnerability identified is CVE-2024-20359, allowing persistent local code execution.

    This flaw enables attackers to maintain a presence on the affected device even after it has been rebooted.

    CVE-2024-20353

    The second vulnerability, CVE-2024-20353, can lead to a denial of service within the Cisco Adaptive Security Appliance and Firepower Threat Defense Software’s web services.

    This vulnerability could be exploited to disrupt operations and deny access to network resources.

    Malicious actors have exploited both vulnerabilities to gain unauthorized access through WebVPN sessions, often associated with Clientless SSLVPN services.

    The agencies have not disclosed any specific hacker groups involved, but the capabilities point to a well-resourced and sophisticated actor.

    Exploiting these vulnerabilities poses a significant risk to organizations that rely on the affected CISCO ASA VPN devices.

    Unauthorized access to these devices can lead to data breaches, espionage, and potentially a foothold for future attacks against critical infrastructure.

    Mitigation Strategies

    In response to these threats, the advisory encourages organizations to:

    • Review logs for unknown, unexpected, or unauthorized device access or changes.
    • Update affected devices to the latest firmware versions as soon as possible.
    • Visit the Cisco Security Advisories portal and the Cisco Talos Blog for additional information and guidance on mitigation.
    • Implement network segmentation and access control lists to limit the traffic allowed to and from the affected devices.
    • Employ multi-factor authentication to access VPNs and reduce the risk of unauthorized access.

    The alert serves as a reminder of the ever-present cyber threats facing organizations and the importance of maintaining robust cybersecurity practices.

    As the situation develops, further updates and recommendations are expected to be issued by the involved cybersecurity agencies.


    The post Authorities Warned that Hackers Are Exploiting Flaws in CISCO ASA VPNs appeared first on GBHackers on Security | #1 Globally Trusted Cyber Security News Platform.


  • A new malware campaign leveraged two zero-day flaws in Cisco networking gear to deliver custom malware and facilitate covert data collection on target environments. Cisco Talos, which dubbed the activity ArcaneDoor, attributed it to a previously undocumented sophisticated state-sponsored actor it tracks under the name UAT4356 (aka Storm-1849 by Microsoft).


  • Compliance requirements are meant to increase cybersecurity transparency and accountability. As cyber threats increase, so do the number of compliance frameworks and the specificity of the security controls, policies, and activities they include. For CISOs and their teams, that means compliance is a time-consuming, high-stakes process that demands strong organizational and
