Aggregator
It's down to the wire—but you don’t have to miss mWISE
Systems are getting back up and running
I Spy With My Little Eye: Uncovering an Iranian Counterintelligence Operation
Written by: Ofir Rozmann, Asli Koksal, Sarah Bock
Today Mandiant is releasing details of a suspected Iran-nexus counterintelligence operation aimed at collecting data on Iranians and domestic threats who may be collaborating with intelligence and security agencies abroad, particularly in Israel.
The data collected by this campaign may support the Iranian intelligence apparatus in pinpointing individuals who are interested in collaborating with Iran’s perceived adversarial countries. The collected data may be leveraged to uncover human intelligence (HUMINT) operations conducted against Iran and to persecute any Iranians suspected to be involved in these operations. These may include Iranian dissidents, activists, human rights advocates, and Farsi speakers living in and outside Iran.
Mandiant assesses with high confidence this campaign was operated on behalf of Iran’s regime, based on its tactics, techniques, and procedures (TTPs), themes, and targeting. In addition, we observed a weak overlap between this campaign and APT42, an Iran-nexus threat actor suspected to operate on behalf of Iran’s IRGC Intelligence Organization (IRGC-IO). This campaign’s activities are in line with Iran’s IRGC and APT42’s history of conducting surveillance operations against domestic threats and individuals of interest to the Iranian government. Despite the possible APT42 connection, Mandiant observed no relations between this activity and any U.S. elections-related targeting as previously reported by Google's Threat Analysis Group.
The activity used multiple social media accounts to disseminate a network of over 35 fake recruiting websites containing extensive Farsi decoy content, including job offers and Israel-related lures, such as images of Israeli national symbols, hi-tech offices, and major city landmarks. Upon entry, the targeted users are required to enter their personal details as well as their professional and academic experience, which are subsequently sent to the attackers.
The suspected counterintelligence operations started as early as 2017 and lasted at least until March 2024. In the past, similar campaigns were deployed in Arabic, targeting individuals affiliated with Syria and Hezbollah intelligence and security agencies. This may indicate Iran’s counterintelligence activities extend beyond its own security and intelligence apparatus, possibly in support of its allies in Syria and Lebanon.
Mandiant worked to help ensure this activity was blocked and disrupted, the threat actor’s accounts were terminated, and Google Chrome users and the users of other browsers were protected.
Attack Lifecycle
This activity leverages a network of fake recruitment websites posing as Israel-based human resources firms that use similar imagery in attempts to socially engineer Farsi-speaking individuals into providing personal details. The websites were disseminated online, including through fake social media accounts, and used similar templates. The attack lifecycle is depicted in Figure 1.
Figure 1: Attack lifecycle
The activity consists of several stages.
Step 1: Disseminate Links to Fake Recruitment Websites
Mandiant identified multiple fake social media accounts promoting the websites on various social platforms, such as X (formerly Twitter) and Virasty, commonly used in Iran.
The following X post contains a link to the malicious website, topwor4u[.]com, as well as the following description translated from Farsi:
“In the past year, we were able to attract hundreds of information and cyber professionals and achieve unique successes at the global level.
If you have information and cyber work experience, join us”.
Figure 2: Posts by @MiladAzadihr, a Twitter profile promoting the fake recruitment website topwor4u[.]com
Figure 3: Post by @A_Soleimani_Far, a Virasty (Iranian social network) profile promoting the fake recruitment website joinoptimahr[.]com
Step 2: Fake Job Offer Websites Presenting Israel-Related Decoy Content
Upon entering the website, the user is presented with the alleged purpose of the fake human resources firms: “[to] recruit employees and officers of Iran’s intelligence and security organizations.”
- The fake recruitment websites share templates and content, posing as HR firms, like “Optima HR” or “Kandovan HR.”
- The websites contain an elaborate description written in Farsi, presenting the alleged human resources firm as “active in the fields of international information and security/cyber consulting and research worldwide”.
- The websites contain a Farsi description of the “Terms of Cooperation” with the fake HR firm:
  “Having relevant documented experience and resume in the field of information and cyber in related institutions and organizations (Mandatory).
  Protecting your privacy is our priority.
  Excellent salary for the chosen ones.
  Our center invites you to contact us to submit a job offer and receive special and unique projects!!
  Join us to help each other impact the world.
  Our duty is to protect your privacy.”
- Mandiant observed both desktop and mobile versions of the website beparas[.]com displaying similar content and lures affiliated with Israel, including Israel’s flag and major city landmarks.
Figure 4: Mobile version of the fake website beparas[.]com, used between January and March 2024
Figure 5: Desktop and mobile versions of the website beparas[.]com used in February 2024; the left web page also includes a form and a Telegram contact link
- The websites contain Telegram contact links, using handles that contain “IL” (Israel) references, further enhancing the perceived Israel affiliation of the campaign. For example:
  hxxps://t[.]me/PhantomIL13
  hxxps://t[.]me/getDmIL
- Several fake recruitment websites also contained a link to join a Telegram chat:
  hxxps://t[.]me/joinchat/AAAAAFgDeSXaWr2r_AQImw
- Further inspection of the domain beparas[.]com indicated that the WordPress user data for the website is publicly available and lists the username “miladix” as well as Gravatar URLs likely affiliated with this user (see the following screenshot). The value "b7e2f4a5bc67256189e6732fbce86520" in the Gravatar URLs is the SHA256 value of the user’s email, according to Gravatar documentation.
- The nickname "Miladix" might be related to “Milad Azadi,” the name of the X account used by the campaign and mentioned previously. In addition, "Milad" is a Persian name, further strengthening the campaign’s affiliation to Iran.
- Mandiant observed a domain miladix[.]com, affiliated with an Iranian software developer, although no links were found tying the campaign to miladix[.]com or its operator.
Figure 6: Screenshot of the WordPress user's URL of beparas[.]com
Step 3: Targeted User Fills Out Form, Personal and Professional Details Sent to Attackers
The fake recruitment websites contain a form that includes the fields: name, birth date, email, home address, education, and professional experience.
Figure 7: Fake personal details form
“Axis of Resistance”: Historic Operations Targeting Syria and Hezbollah
Close inspection of the fake “Optima HR” websites revealed a previous network of fake recruitment websites that targeted Farsi speakers as well as Arabic speakers affiliated with Syria and Lebanon (Hezbollah), masquerading as a different HR firm named “VIP Human Solutions.”
The “VIP Human Solutions” sites used very similar imagery and themes, purporting to recruit for security- and intelligence-related jobs using Israel-affiliated decoy content, as can be seen in Figure 8.
Figure 8: Logos of VIP Human Solutions (2020–2023, left) and Optima HR (2022–2024, right)
Figure 9: dreamy-jobs[.]com, a fake “VIP Human Solutions” website used in 2022
The “VIP Human Solutions” website’s contents, template, and personal details form are almost identical to the “Optima HR” website. The headline translates to:
“VIP job selection is a recruitment center for respected personnel and employees of Iran's security and intelligence organizations and institutions.”
Mandiant observed significant overlaps between the historic “VIP Human Solutions” campaign and the ongoing “Optima HR” campaign, and considers both to be deployed by the same threat actor. The activity was mentioned publicly in the past and was suspected to be related to the Israeli Mossad.
Figure 10: A Tweet from January 2021 mentioning “VIP Human Solutions”
- Mandiant observed that the aforementioned Telegram group chat has been active since at least 2021 and was used by both clusters:
  hxxps://t[.]me/joinchat/AAAAAFgDeSXaWr2r_AQImw
- The same link was embedded in multiple “VIP Human Solutions” websites, occasionally along with Israeli (+972) phone numbers and additional Telegram accounts:
  hxxps://t[.]me/DreamyJobs_com
  hxxps://t[.]me/wazayif_IL
  “wazayif” is the English transcription of the Arabic word for “jobs” (وظايف).
The “VIP Human Solutions” recruitment websites were likely in use from at least 2018 to at least 2023. In addition to Farsi websites, the cluster used Arabic websites with similar templates.
Translation of the Arabic website’s title:
“VIP Recruitment, a center for recruiting respected military personnel into the army, security services and intelligence from Syria and Hezbollah, Lebanon.”
Figure 11: wazayif-halima[.]com, an Arabic-language “VIP Human Solutions” website, used in 2021–2022 to target Syria and Hezbollah's intelligence personnel
Mandiant also observed another version of the same website in 2023, which includes “Lorem Ipsum” dummy text in Arabic, possibly indicating that the updated version of the website was not yet operational. The template includes the Syrian flag and map, an Israeli phone number (+972), and a Telegram contact link: hxxps://t[.]me/DreamyJobs_com.
Figure 12: An updated version of wazayif-halima[.]com observed in July 2023
While the “VIP Human Solutions” domains were registered beginning in 2020, Mandiant observed further historic evidence suggesting that the campaign has been active since at least 2018.
Specifically, a YouTube channel named “VIP Human Solutions” was created by “Alireza Ebrahimpoor” in November 2018. The channel contains a single video by “VIP Jobs Global,” with a Farsi description very similar to the fake recruitment websites’, presented as a “recruitment center for retirees and employees of Iran’s security and intelligence organizations and institutions”. The threat actor-controlled YouTube channel is no longer available.
Figure 13: “VIP Human Solutions” YouTube channel: hxxps://www[.]youtube[.]com/@vipjobsglobal1819
The video has very similar content and theme as the fake recruitment websites, including the use of the unique logo of “VIP Human Solutions.”
Figure 14: Screenshot of the “VIP Human Solutions” video
The video also contains the following contact details:
- Email address: sendcv@vipjobsglobal[.]com. The domain vipjobsglobal[.]com was registered in March 2018.
- Facebook page: hxxps://facebook[.]com/358690841262928, which started operating in December 2017 and is no longer active.
The following table compares the historic activity with the new activity described in the previous section:

| | “VIP Human Solutions” | “Optima HR” |
|---|---|---|
| Years Active | 2017-2022 | 2022-2024 |
| Languages | Farsi, Arabic | Farsi |
| Targeted Regions | Iran, Syria and Hezbollah | Iran |
| Example Domains (full list in the IOCs section) | bilal1com[.]com (Farsi), jomehjob[.]com (Farsi), dreamy-job[.]com (Farsi), damavand-hr[.]me (Arabic), wazayif-halima[.]org (Arabic) | optima-hr[.]com, joinoptimahr[.]com, opthrltd[.]me, beparas[.]com, darakeh[.]me, topwor4u[.]com |
| Contact Details | hxxps://t[.]me/DreamyJobs_com, hxxps://t[.]me/wazayif_IL, hxxps://t[.]me/joinchat/AAAAAFgDeSXaWr2r_AQImw, +972 (Israel) phone numbers | hxxps://t[.]me/PhantomIL13, hxxps://t[.]me/getDmIL, hxxps://t[.]me/joinchat/AAAAAFgDeSXaWr2r_AQImw |
Mandiant estimates this activity supports Iranian counterintelligence efforts to identify individuals affiliated (or interested in working) with intelligence and security agencies.
Specifically, the activities described in this blog post are of concern to Iranian individuals who are suspected to be collaborating with countries Iran might perceive as adversaries. These may include Iranian dissidents, activists, human rights advocates, and Farsi speakers living in and outside Iran.
The campaign casts a wide net by operating across multiple social media platforms to disseminate its network of fake HR websites in an attempt to expose Farsi-speaking individuals who may be working with intelligence and security agencies and are thus perceived as a threat to Iran’s regime. The collected data, such as addresses, contact details, as well as professional and academic experience, might be leveraged in future operations against the targeted individuals.
Additional Protection Information for Google Cloud Customers
For Google Chronicle Enterprise+ customers, Chronicle rules have been released to the Emerging Threats rule pack, and IOCs listed in this blog post are available for prioritization with Applied Threat Intelligence.
Indicators of Compromise (IOCs)
A Google Threat Intelligence Collection featuring IOCs related to the activity described in this post is now available for registered users.
Cluster 1: “Optima HR”, “Kandovan HR” and “Paras IL”, active 2022-2024
Cluster 2: “VIP Human Solutions”, active 2017-2023
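As an added example that is not part of the Mandiant post: a small Python matcher that refangs the post's defanged domains and Telegram links and runs them over constructed proxy log lines, flagging subdomains of a listed domain but not look-alike domains that merely end in the same string. The log lines and client addresses are constructed for illustration; the indicator values are the ones quoted in the post above.

```python
import re
from urllib.parse import urlparse

# Indicators exactly as the post publishes them (defanged); this is the subset
# walked through in the text above, not the post's full IOC list.
DEFANGED_INDICATORS = [
    "beparas[.]com",
    "topwor4u[.]com",
    "joinoptimahr[.]com",
    "optima-hr[.]com",
    "dreamy-jobs[.]com",
    "wazayif-halima[.]com",
    "hxxps://t[.]me/PhantomIL13",
    "hxxps://t[.]me/getDmIL",
    "hxxps://t[.]me/DreamyJobs_com",
    "hxxps://t[.]me/wazayif_IL",
    "hxxps://t[.]me/joinchat/AAAAAFgDeSXaWr2r_AQImw",
]

# Constructed proxy log lines (timestamp, client, method, URL) for the demo;
# these are not from the post.
SAMPLE_LOG = [
    "2024-03-02T10:14:01Z 10.0.0.12 GET https://www.beparas.com/apply.php",
    "2024-03-02T10:15:22Z 10.0.0.12 GET https://t.me/PhantomIL13",
    "2024-03-02T10:16:05Z 10.0.0.33 GET https://example.org/jobs",
    "2024-03-02T10:17:40Z 10.0.0.33 GET https://t.me/SomeOtherHandle",
    "2024-03-02T10:18:09Z 10.0.0.41 POST http://topwor4u.com/submit",
    "2024-03-02T10:19:00Z 10.0.0.41 GET https://notbeparas.com/",
]

LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)")


def refang(value: str) -> str:
    """Undo the defanging conventions used in threat reports (hxxp, [.], [:])."""
    v = value.strip()
    v = re.sub(r"^hxxp", "http", v, flags=re.IGNORECASE)
    v = v.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")
    # Hostnames and Telegram handles are case-insensitive, so normalise once here.
    return v.lower()


def build_indicator_sets(defanged):
    """Split indicators into bare domains and (host, path) pairs for full URLs."""
    domains, urls = set(), set()
    for ioc in defanged:
        r = refang(ioc)
        if "://" in r:
            p = urlparse(r)
            urls.add((p.hostname, p.path.rstrip("/")))
        else:
            domains.add(r)
    return domains, urls


def match_domain(host, domains):
    """Return the indicator that covers host (exact or as a parent domain), else None."""
    host = host.lower().rstrip(".")
    for d in domains:
        # Label-boundary check: "www.beparas.com" matches, "notbeparas.com" does not.
        if host == d or host.endswith("." + d):
            return d
    return None


def scan_log(lines, defanged=DEFANGED_INDICATORS):
    """Return one hit per log line whose URL touches a domain or Telegram-link IOC."""
    domains, urls = build_indicator_sets(defanged)
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        p = urlparse(m.group("url"))
        host = (p.hostname or "").lower()
        path = p.path.lower().rstrip("/")
        d = match_domain(host, domains)
        if d:
            hits.append({"ts": m.group("ts"), "src": m.group("src"),
                         "kind": "domain", "indicator": d})
        elif (host, path) in urls:
            # t.me itself is benign; only the specific handle/invite paths are IOCs.
            hits.append({"ts": m.group("ts"), "src": m.group("src"),
                         "kind": "telegram-link", "indicator": host + path})
    return hits


if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(f'{h["ts"]} {h["src"]} matched {h["kind"]} IOC {h["indicator"]}')
```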
Top 10 Lessons Learned from Managing Kubernetes from the Trenches
Welcome to our deep dive into the world of Kubernetes, where we share some of the top lessons our site reliability engineers (SREs) have learned from years of managing this complex yet essential cloud-native technology. During a recent Kubernetes Clinic webinar, SRE Brian Bensky joined me, and we talked through our extensive experience managing K8s for clients, helping clients go beyond just running clusters to using Kubernetes as a platform that enables you to run applications successfully. Let’s walk through these lessons learned to help anyone navigating Kubernetes.
The post Top 10 Lessons Learned from Managing Kubernetes from the Trenches appeared first on Security Boulevard.
Why LLMs Are Just the Tip of the AI Security Iceberg
APT-C-60 Group Exploit WPS Office Flaw to Deploy SpyGlace Backdoor
Quantum Computing and the Risk to Classical Cryptography
The recent standardization of first three post-quantum cryptography (PQC) encryption and digital signature algorithms by the U.S. National Institute of Standards and Technology (NIST) has officially kicked off the race to PQC readiness. In its PQC press release, NIST cites predictions that within the next decade, a cryptographically-relevant quantum computer (CRQC) capable of running Shor’s […]
The post Quantum Computing and the Risk to Classical Cryptography appeared first on Security Boulevard.
CRLF injection achieved through sensitive parameters
Microsoft releases optional update to improve AMD CPU performance
AA24-241A : Joint Cybersecurity Advisory on Iran-based Cyber Actors Targeting US Organizations
A joint Cybersecurity Advisory highlights Iran-based cyber actor ransomware activity targeting U.S. organizations. The advisory includes CVEs exploited, alongside techniques, tactics and procedures used by the threat actors.
Background
On August 28, the Cybersecurity and Infrastructure Security Agency (CISA) published a joint Cybersecurity Advisory (CSA) in coordination with the Federal Bureau of Investigation (FBI) and the Department of Defense Cyber Crime Center (DC3). The advisory highlights the recent activities of Iranian threat actors conducting ransomware operations against US organizations across several industries including local government, defense, finance, education and healthcare, as well as organizations in other countries including Israel, Azerbaijan and the United Arab Emirates.
The threat actors named in the advisory go by a few monikers including Pioneer Kitten, Fox Kitten, UNC757, Parasite, RUBIDIUM and Lemon Sandstorm. These actors have been observed to be collaborating with ransomware groups including NoEscape, Ransomhouse and ALPHV (aka BlackCat) to extort their victims. The technical aspects of the advisory highlight what techniques, tactics and procedures (TTPs) the threat actors have been observed using, including indicators of compromise (IOCs). The advisory flags six specific CVEs that are leveraged by the threat actors in the initial access phase of their attacks:
| CVE | Description | CVSSv3 | VPR* |
|---|---|---|---|
| CVE-2024-3400 | PAN-OS: Arbitrary File Creation Leads to OS Command Injection Vulnerability in GlobalProtect | 10 | 10 |
| CVE-2024-24919 | Check Point Security Gateway Information Disclosure Vulnerability | 8.6 | 8.3 |
| CVE-2019-19781 | Citrix Application Delivery Controller (ADC) and Gateway (formerly NetScaler ADC and NetScaler Gateway) Directory Traversal Vulnerability | 9.8 | 9.4 |
| CVE-2023-3519 | Citrix Application Delivery Controller (ADC) and Gateway (formerly NetScaler ADC and NetScaler Gateway) Unauthenticated Remote Code Execution Vulnerability | 9.8 | 9 |
| CVE-2022-1388 | F5 BIG-IP iControl REST Remote Code Execution Vulnerability | 9.8 | 8.4 |
| CVE-2024-21887 | Ivanti Connect Secure and Ivanti Policy Secure Command Injection Vulnerability | 9.1 | 10 |

*Please note: Tenable’s Vulnerability Priority Rating (VPR) scores are calculated nightly. This blog post was published on August 28 and reflects VPR at that time.
Analysis
CVE-2024-3400 is a remote code execution vulnerability that arises from a combination of two distinct bugs in PAN-OS, specifically affecting the GlobalProtect service. The first bug is related to how the GlobalProtect service handles session IDs. The service did not sufficiently validate the format of session IDs before storing them. This oversight allowed an attacker to store an empty file with a filename of their choosing, effectively setting the stage for the exploit. The second bug involves the assumption that filenames used within the system were system-generated and therefore trustworthy. This bug enabled the filenames, which were injected by the attacker in the first step, to be used as part of a command. An attacker can chain these two bugs to execute remote shell commands without any prior authentication. Earlier this year, this vulnerability was exploited in the wild as a zero-day and was tracked at the time by Palo Alto Networks Unit 42, which called the activity Operation MidnightEclipse.
CVE-2024-24919 is an information disclosure vulnerability affecting Check Point Security Gateway devices configured with either the Remote Access VPN or Mobile Access Software Blades enabled. This vulnerability allows an unauthenticated remote attacker to read the contents of arbitrary files located on the affected appliance. One example of such an attack path is reading the ‘/etc/shadow’ file, which could result in the extraction of password hashes for local accounts that could potentially be cracked. This vulnerability was also exploited in the wild as a zero-day, around the same time that security researchers published a proof-of-concept (PoC).
CVE-2019-19781 is a directory traversal vulnerability in Citrix Application Delivery Controller (ADC) and Gateway, formerly known as NetScaler ADC and Netscaler Gateway. This vulnerability allows an attacker to send a specially crafted HTTP request that exploits the path traversal issue, enabling unauthorized access to restricted directories on the device. Through this access, the attacker can execute arbitrary code without any need for authentication, potentially resulting in remote code execution (RCE) on the affected device. This vulnerability has been widely abused by multiple threat actors over the years and has been featured prominently in our 2020, 2021 and 2022 Threat Landscape Reports. Additionally, it has been featured in multiple blogs from Tenable Research and has been included in multiple CSA’s from CISA and other government entities across the globe.
CVE-2023-3519 is a critical RCE vulnerability in Citrix ADC and Citrix Gateway that allows an unauthenticated attacker to execute arbitrary code on the vulnerable appliances. The attack can be performed over the network, making it particularly dangerous in environments where these devices are exposed to the internet. The vulnerability stems from improper handling of specific request data, leading to memory corruption that can be exploited to gain control of the system.
CVE-2022-1388 is an iControl REST RCE vulnerability in F5 BIG-IP devices stemming from an authentication bypass bug. The flaw resides in the iControl REST interface, where improper access control allows unauthenticated users to execute arbitrary system commands with root privileges. This vulnerability is particularly dangerous because it does not require user interaction or authentication, making it easy for attackers to exploit. Successful exploitation of CVE-2022-1388 can lead to complete system compromise, enabling attackers to take full control of the device, modify configurations, exfiltrate sensitive data and use the compromised device as a launching point for further attacks within the network.
CVE-2024-21887 is a command injection vulnerability in Ivanti Connect Secure and Ivanti Policy Secure that allows remote attackers to execute arbitrary commands on the affected devices. This vulnerability occurs due to insufficient input validation in the administrative interface, which can be exploited by sending specially crafted HTTP requests. Successful exploitation can result in full system compromise, providing the attacker with the ability to execute commands with the highest privileges, potentially leading to data loss, system disruption or further propagation of malicious activity.
Legacy Vulnerabilities Remain a Looming Threat
An analysis of metadata performed by Tenable Research provides us with unique insight into two of these legacy CVEs, CVE-2019-19781 and CVE-2022-1388. From our research, only about half of impacted assets have been successfully remediated. Legacy vulnerabilities present a significant risk, as threat actors frequently exploit unpatched vulnerabilities, particularly in SSL VPNs. This trend has been consistently highlighted by the Tenable Security Response Team (SRT) in its annual Threat Landscape Reports, as mentioned in the section on CVE-2019-19781. To mitigate these risks, it is imperative to prioritize the remediation of legacy vulnerabilities alongside newer threats, ensuring a more comprehensive and robust security posture.
Source: Tenable Research
Tens of Thousands of Internet-Facing Instances May Be Affected
It’s not surprising that threat actors are leveraging these vulnerabilities for initial access given that there are tens of thousands of potentially vulnerable devices for each of the relevant technologies discoverable on Shodan.io.
Source: Shodan.io
The results in the image above are based on query results at the time this blog was composed and were obtained using the queries in the table below:
| Technology | Detection Logic | Query Link |
|---|---|---|
| Palo Alto Networks PAN-OS | Searches for any PAN-OS instances. | Query |
| F5 BIG-IP | The presence of "BIG-IP®- Redirect" in the title likely indicates a redirection page typically used in login portals or other access control scenarios managed by a BIG-IP device. | Query |
| Citrix Application Delivery Controller (ADC) and Gateway | Searches for favicon hash values for Citrix ADC, Gateway, AAA and VPN. | Query |
| Check Point Security Gateway | Query looks for servers with "Check Point SVN Foundation". This is intrinsically linked to Check Point Security Gateway devices, especially those configured with the Remote Access VPN or Mobile Access Software Blades. | Query |
| Ivanti Connect Secure and Ivanti Policy Secure | Query looks for a CGI script named "welcome.cgi" that is used to display a logo page component on the welcome or login page used by Ivanti / Pulse Secure. | Query |

Solution
Each of the vulnerabilities described in the CSA has been around for some time, and each vendor has released the respective patches and mitigations. We recommend reviewing each of the vendor advisories shown below:
- Palo Alto Networks Security CVE-2024-3400 Advisory
- Check Point CVE-2024-24919 Advisory
- Citrix CVE-2019-19781 Advisory
- Citrix CVE-2023-3519 Advisory
- F5 CVE-2022-1388 Advisory
- Ivanti CVE-2024-21887 Advisory
Additionally, the CSA provides IoCs and technical details that may aid organizations in their incident response processes. We highly recommend reviewing the details outlined in the CSA. If your organization has assets that have not been patched for the CVEs listed above, it’s possible that the unpatched devices have already been impacted, given the severity and frequency of attacks involving these vulnerabilities. As such, careful review of these systems and incident response processes may be needed to determine the impact and scope of a potential compromise of unpatched systems.
Identifying affected systems
Tenable offers several solutions to help identify potential exposures and attack paths as well as identifying systems vulnerable to the CVEs mentioned in the CSA. For a holistic approach, we recommend Tenable One. The Tenable One Exposure Management Platform extends beyond traditional vulnerability management, which concentrates on the discovery and remediation of publicly disclosed CVEs. A foundational part of any exposure management program, Tenable One includes data about configuration issues, vulnerabilities and attack paths across a spectrum of assets and technologies, including identity solutions (e.g., Active Directory), cloud configurations and deployments, and web applications.
Tenable Plugin Coverage
A list of Tenable plugins for these vulnerabilities can be found on the individual CVE pages for CVE-2024-3400, CVE-2024-24919, CVE-2019-19781, CVE-2023-3519, CVE-2022-1388 and CVE-2024-21887. This link will display all available plugins for these vulnerabilities, including upcoming plugins in our Plugins Pipeline.
Detection of legitimate tools used by adversaries and mentioned in the CSA:
| Tool | Detection Plugin ID |
|---|---|
| AnyDesk | Plugin ID 189953 - AnyDesk Installed (Windows); Plugin ID 189955 - AnyDesk Installed (macOS); Plugin ID 189973 - AnyDesk Installed (Linux) |
Tenable Attack Path Techniques
| MITRE ATT&CK ID | Description | Tenable Attack Path Techniques |
|---|---|---|
| T1012 | Query Registry | T1012_Windows |
| T1059.001 | Command and Scripting Interpreter: PowerShell | T1059.001_Windows |
| T1078.002 | Valid Accounts: Domain Accounts | T1078.002_Windows |
| T1078.003 | Valid Accounts: Local Accounts | T1078.003_Windows |
| T1098 | Account Manipulation: Additional Cloud Credentials/Roles | |
| T1133 | External Remote Services | |
| T1053 | Scheduled Task/Job: Scheduled Task | T1053.005_Windows |
| T1219 | Remote Access Software | T1219_Windows |
| T1482 | Domain Trust Discovery | T1482_Windows |

Tenable Identity Exposure Indicators of Exposure and Indicators of Attack

| MITRE ATT&CK ID | Description | Indicators |
|---|---|---|
| T1078 | Dormant Accounts | C-SLEEPING-ACCOUNTS |
| T1078 | Account with Possible Empty Password | C-PASSWORD-NOT-REQUIRED |
| T1078 | User Account Using Old Password | C-USER-PASSWORD |
| T1078 | Last Change of the Microsoft Entra SSO Account Password | C-AAD-SSO-PASSWORD |
| T1078 | AdminCount Attribute Set on Standard Users | C-ADMINCOUNT-ACCOUNT-PROPS |
| T1078 | Reversible Passwords in GPO | C-REVER-PWD-GPO |
| T1078 | Potential Clear-Text Password | C-CLEARTEXT-PASSWORD |
| T1078 | User Primary Group | C-DANG-PRIMGROUPID |
| T1078 | Domain Controllers Managed by Illegitimate Users | C-DC-ACCESS-CONSISTENCY |
| T1078 | Accounts With Never Expiring Passwords | C-PASSWORD-DONT-EXPIRE |
| T1078 | Kerberos Configuration on User Account | C-KERBEROS-CONFIG-ACCOUNT |
| T1078 | Privileged Authentication Silo Configuration | C-AUTH-SILO |
| T1078 | ADCS Dangerous Misconfigurations | C-PKI-DANG-ACCESS |
| T1078 | Last Password Change on KRBTGT account | C-KRBTGT-PASSWORD |
| T1078 | Dangerous Sensitive Privileges | C-DANGEROUS-SENSITIVE-PRIVILEGES |
| T1078 | Logon Restrictions for Privileged Users | C-ADMIN-RESTRICT-AUTH |
| T1078 | Native Administrative Group Members | C-NATIVE-ADM-GROUP-MEMBERS |
| T1078 | Privileged Accounts Running Kerberos Services | C-PRIV-ACCOUNTS-SPN |
| T1078 | Application of Weak Password Policies on Users | C-PASSWORD-POLICY |
| T1078 | Detection of Password Weaknesses | C-PASSWORD-HASHES-ANALYSIS |
| T1078 | Recent Use of the Default Administrator Account | C-ADM-ACC-USAGE |
| T1078 | Domain with Unsafe Backward-Compatibility Configuration | C-DSHEURISTICS |
| T1098 | Dangerous Rights in the AD Schema | C-ABNORMAL-ENTRIES-IN-SCHEMA |
| T1098 | Mapped Certificates on Accounts | C-SENSITIVE-CERTIFICATES-ON-USER |
| T1098 | Vulnerable Credential Roaming Related Attributes | C-CREDENTIAL-ROAMING |
| T1098 | Ensure SDProp Consistency | C-SDPROP-CONSISTENCY |
| T1098 | Verify Permissions Related to Microsoft Entra Connect Accounts | C-AAD-CONNECT |
| T1098 | User Primary Group | C-DANG-PRIMGROUPID |
| T1098 | Domain Controllers Managed by Illegitimate Users | C-DC-ACCESS-CONSISTENCY |
| T1098 | Shadow Credentials | C-SHADOW-CREDENTIALS |
| T1098 | Missing MFA for Non-Privileged Account | MISSING-MFA-FOR-NON-PRIVILEGED-ACCOUNT |
| T1098 | First-Party Service Principal With Credentials | FIRST-PARTY-SERVICE-PRINCIPAL-WITH-CREDENTIALS |
| T1098 | Missing MFA for Privileged Account | MISSING-MFA-FOR-PRIVILEGED-ACCOUNT |

Tenable Web App Scanning

| MITRE ATT&CK ID | Description | Indicators |
|---|---|---|
| T1190 | Exploit Public-Facing Application | T1190_WAS |

| CVE | Description | Plugin ID |
|---|---|---|
| CVE-2024-3400 | Palo Alto PAN-OS GlobalProtect Remote Code Execution | 114282 |
| CVE-2024-24919 | Check Point Quantum Gateway Directory Traversal | 114291 |
| CVE-2024-21887 | Ivanti Connect Secure 9.x / 22.x Authentication Bypass | 114165 |

Get more information
- Joint Cybersecurity Advisory: AA24-241A: Iran-based Cyber Actors Enabling Ransomware Attacks on US Organizations
- Tenable Blog: CVE-2024-3400: Zero-Day Vulnerability in Palo Alto Networks PAN-OS GlobalProtect Gateway Exploited in the Wild
- Tenable Blog: CVE-2024-24919: Check Point Security Gateway Information Disclosure Zero-Day Exploited in the Wild
- Tenable Blog: CVE-2019-19781: Critical Vulnerability in Citrix ADC and Gateway Sees Active Exploitation While Patches are Still Not Available
- Tenable Blog: CVE-2019-19781: Exploit Scripts for Remote Code Execution Vulnerability in Citrix ADC and Gateway Available
- Tenable Blog: CVE-2023-3519: Critical RCE in Netscaler ADC (Citrix ADC) and Netscaler Gateway (Citrix Gateway)
- Tenable Blog: CVE-2022-1388: Authentication Bypass in F5 BIG-IP
- Tenable Blog: CVE-2023-46805, CVE-2024-21887: Zero-Day Vulnerabilities Exploited in Ivanti Connect Secure and Policy Secure Gateways
- Tenable Blog: CVE-2023-46805, CVE-2024-21887, CVE-2024-21888 and CVE-2024-21893: Frequently Asked Questions for Vulnerabilities in Ivanti Connect Secure and Policy Secure Gateways
- Tenable Blog: CISA's 2022 Top Routinely Exploited Vulnerabilities (AA23-215A)
- Tenable’s 2020 Threat Landscape Retrospective
- Tenable’s 2021 Threat Landscape Retrospective
- Tenable’s 2022 Threat Landscape Report
Join Tenable's Security Response Team on the Tenable Community.
Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.
Pseudo-open source: can the OSI change the rules in the AI industry?
We Celebrate Our Customers’ Successes with Java
Azul announced Java Hero Awards for 17 organizations and individuals who have achieved innovative world-class results with Java.
The post We Celebrate Our Customers’ Successes with Java appeared first on Azul | Better Java Performance, Superior Java Support.
The post We Celebrate Our Customers’ Successes with Java appeared first on Security Boulevard.
The Data-Factor: Why Integrating DSPM Is Key to Your CNAPP Strategy
DSPM solutions provide a comprehensive, up-to-date view into cloud-based data and risk. An integrated CNAPP and DSPM solution elevates this analysis to expose toxic combinations and security gaps across cloud environments.
As organizations ramp up their use of cloud-native applications, the amount of sensitive data stored in the cloud grows – as does the difficulty of managing and scaling data-related risk management and compliance. Attackers are motivated to get at data stored in the cloud. Employee data, customer information, business IP – it's all (un)fair game.
Enter cloud-native application protection platform (CNAPP) solutions. In light of the massive increase in data-related breaches – and their cost – integrating data security posture management (DSPM) into a CNAPP is essential to reduce risk. It also simplifies security efforts, improves compliance and ensures that data security is an integral part of your overall security strategy.
The superpower of a unified CNAPP
A quick concept review.
A CNAPP offers security and compliance for cloud-native applications throughout their lifecycle, across multiple clouds. Its superpower lies in providing a unified view and contextual analysis across infrastructure, workloads, identities and more. A CNAPP isolates exposures, including hidden toxic combinations, and pinpoints how to fix them.
DSPM tools – a $94 billion market projected to double by 2031 (InsightScan) – focus specifically on security and compliance-readiness for data in the cloud. These tools continuously scan the environment to find data, including databases, object storage and data lakes, across cloud and service providers, flowing to or from any location. They classify and protect data assets, ensure that security policies and audit requirements are met, and detect data-related threats.
Using DSPM alone makes it difficult to maintain a centralized and deep view into sensitive data: where it's stored, what kind it is, who can access it and how it is used. It's like getting a view into the stars but not the galaxy. Inside a CNAPP, DSPM gives the needed illumination and context.
Let’s explore how a DSPM works.
Comprehensive visibility into data assets
A key DSPM function is to continuously provide a comprehensive, up-to-date view into cloud-based data assets and risk. When joined with cloud security posture, this data analysis exposes discrete security gaps and toxic combinations and, importantly, the impact on data if they are exploited. Teams gain greater prioritization accuracy and focus around findings, mitigating alert fatigue.
Figure - Integrated DSPM in a CNAPP enables powerful permission queries into specific types of sensitive data, such as digital identities, for prioritized focus on risk exposure
Better data security and compliance
By implementing a DSPM-integrated CNAPP, you can reduce the risk of data breaches and non-compliance. DSPM solutions continuously assess compliance posture and ensure that cloud data is classified, protected and accessed according to policies and frameworks such as GDPR, HIPAA and CCPA. You can automate policy enforcement and generate comprehensive, audit-ready reports to reduce compliance fire drills. Users can act quickly on misconfigurations, unauthorized access and potential security threats discovered in near real time.
Managing data risk proactively
Proactive risk management is a cornerstone of cloud security. Integrating DSPM empowers teams to detect potential data risks and take action early, before they become big problems. Through advanced analytics, DSPM capabilities detect anomalous patterns and behaviors that can indicate a threat to your sensitive data. A DSPM-integrated CNAPP provides actionable insights and recommendations for improving your overall data security posture, helping your organization stay a step ahead of evolving threats.
Faster, streamlined incident response
In the event of a security incident, time and action are everything. Integrated DSPM plays a vital role in streamlining the incident response process. By providing near real-time alerts and detailed forensic data, the solution helps security teams quickly identify the scope and impact of a breach. These insights speed up the process, enabling stakeholders to achieve containment and remediation and minimize potential damage. DSPM's integration with other CNAPP components, such as workload protection and cloud security posture management, enables a coordinated, efficient incident response, reducing downtime and maintaining business continuity.
Use case: Tenable Cloud Security with integrated DSPM
Tenable Cloud Security isolates and eradicates cloud risks across infrastructure, workloads, identities and data. Having recently acquired Eureka Security, we are now integrating leading DSPM capabilities into our CNAPP context mix - stay tuned as new features roll out.
In this use case, we show how you can use powerful permission querying to detect and filter for resources with certain types of sensitive data, such as digital identity or financial information, to understand and explore your risk exposure, and focus on prioritized security findings.
Conclusion
Integrated DSPM is an indispensable component of a robust CNAPP strategy. It extends comprehensive visibility and deep risk context to data assets, safeguarding data and keeping your security posture strong through automation and actionability.
Fellow Travelers | KCon 2024
Pixels Against Cancer: University of Cologne Unveils AI for Tumor Analysis
Oregon Zoo Data Breach Exposes Payment Card Information
The Oregon Zoo's recent data breach serves as a stark reminder of the urgent need for robust cybersecurity measures in today's digital landscape. With over 117,000 payment card details potentially compromised, this incident underscores the vulnerabilities that organizations face when it comes to eSkimming (client-side) attacks and PCI DSS compliance.
The post Oregon Zoo Data Breach Exposes Payment Card Information appeared first on Source Defense.