Aggregator

本次报告将讨论近几年在构建完全开源、透明和自主的代码大模型方面的一些探索和经验（如StarCoder2和Magicoder等）。同时，会简要探讨代码大模型对软件质量保证带来的新机遇和挑战。

This week, the Republican National Convention was hosted in Milwaukee, Wisconsin from July 15 to 18, 2024. We examined traffic shifts and cyberattacks since June 2024 to see how these events have impacted the Internet

本次报告从模型的解释与解释的模型两个角度来介绍我们最近的工作。本次报告的前半部分介绍我们关于模型的解释工作；本报告的后半部介绍用来解释的模型设计，我们认为决策系统在设计时应当考虑解释生成本身。

A faulty software update from cybersecurity vendor Crowdstrike crippled countless Microsoft Windows computers across the globe today, disrupting everything from airline travel and financial institutions to hospitals and businesses online. Crowdstrike said a fix has been deployed, but experts say the recovery from this outage could take some time, as Crowdstrike's solution needs to be applied manually on a per-machine basis.

CrowdStrike、Palo Alto Networks等头部网安公司发力重点与产品方向。

法国电信巨头数据遭泄露，加密货币平台损失2.3亿美元……

CISA’s red team acted like a nation-state attacker in its assessment of a federal agency’s cybersecurity. Plus, the Cloud Security Alliance has given its cloud security guidance a major revamping. Meanwhile, a Google report puts a spotlight on insecure credentials. And the latest on open source security, CIS Benchmarks and much more!

Dive into six things that are top of mind for the week ending July 19.

1 - CISA’s red team breaches fed agency, details lessons learned

A new, must-read report from the U.S. Cybersecurity and Infrastructure Security Agency (CISA) outlines how the agency’s red team probed a large federal agency’s network, quickly found a way in and stayed undetected for months.

The 29-page report details the so-called SilentShield assessment from CISA’s red team, explains what the agency’s security team should have done differently and offers concrete recommendations and best practices you might find worth reviewing.

Mimicking the modus operandi of a typical nation-state attacker, CISA’s red team exploited a known vulnerability on an unpatched web server, gaining access to the agency’s Solaris environment. Separately, the red team also breached the network’s Windows environment via a phishing attack. 

Once inside, the red team was able to exploit other weaknesses, such as unsecured admin credentials, to extend the scope of the breach, which went undetected for five months. At that point, CISA alerted the agency about the SilentShield operation.

CISA has authorization to conduct SilentShield assessments, whose purpose is to work with the impacted agency and help its security team strengthen its cyberdefenses.

Here’s a brief sampling of the assessed agency’s security weaknesses:

• Lack of sufficient prevention and detection controls, including an inadequate firewall between its perimeter and internal networks; and insufficient network segmentation
• Failure to effectively collect, retain and analyze logs, which hampered defensive analysts’ ability to gather necessary information
• Bureaucratic processes and siloed teams
• Reliance on flagging “known” indicators of compromise (IOCs) instead of using behavior-based detection
• Lack of familiarity with the identity and access management system (IAM), which wasn’t tested against credential-manipulation techniques nor were its anomalous-behavior alerts monitored

Recommendations include:

• Deploy internal and external firewalls
• Implement strong network segmentation
• Enroll all accounts in the IAM system, and make sure it’s not vulnerable to credential manipulation
• Centralize logging and use tool-agnostic detection

To get more details, read the report, titled “CISA Red Team’s Operations Against a Federal Civilian Executive Branch Organization Highlights the Necessity of Defense-in-Depth.”

For more information about the threat from nation-state cyberattackers:

• “What CISOs Need to Know About Nation-State Actors” (InformationWeek)
• “4 Ways to Defend Against Nation-State Attacks” (BankInfoSecurity)
• “Growing Nation-State Alliances Increase U.S. Cyber Risks” (Government Technology)
• “Nation-State Hackers Leverage Zero-Day Vulnerabilities to Penetrate MITRE Cybersecurity Research Network” (CPO Magazine)

2 - Cloud Security Alliance’s cloud sec guide gets revamped 

The Cloud Security Alliance (CSA) has given a major makeover to its “Security Guidance for Critical Areas of Focus in Cloud Computing,” including adding new topics like artificial intelligence (AI), and boosting coverage of areas like data security and IAM.

The guide is aimed at helping organizations understand cloud computing components and cloud security best practices. Version 5, released this week, replaces version 4, which was published in 2017.

“We have completely revamped this updated 5th version to align with modern technologies and challenges,” reads the CSA blog “New Cloud Security Guidance from CSA.”

 

Here’s some of what’s new:

• Increased coverage of cloud workloads, application security, CI/CD, data security and DevSecOps
• New topics such as AI and zero trust
• Less emphasis on laws and regulations

The guide is organized into 12 sections, including:

• Cloud computing concepts and architectures
• Cloud governance and strategies
• Risk, audit and compliance
• IAM
• Cloud workload security
• Data security

For more information about cloud security, check out these Tenable resources:

• “Tag, You’re IT! Tagging Your Way to Cloud Security Excellence” (blog)
• “Leveraging CIEM to Secure Cloud Identities and Entitlements at Scale” (on-demand webinar)
• “Understanding Customer Managed Encryption Keys in AWS, Azure and GCP” (blog)
• “Secure Your Cloud-Native Applications” (on-demand webinar)
• “Cloud Workload Protection: The Key to Decreasing Cloud Security Risks” (blog)

3 - Google: Credential gaps top initial-access vectors for cloud breaches

When it comes to gaining an initial foothold in a cloud environment, attackers’ best friends are weak or simply non-existent credentials. That’s according to the latest “Google Cloud Threat Horizons Report,” which is based on data gathered during the first half of 2024.

Specifically, weak or no credentials accounted for 47.2% of initial-access vectors in cloud compromises observed by Google Cloud in customer environments.

(Source: Google Cloud Threat Horizons Report, July 2024)

Meanwhile, using the compromised system for cryptomining ranked as attackers’ top intrusion motivation (58.8%).

(Source: Google Cloud Threat Horizons Report, July 2024)

For more information about identity and access management security:

• “Poor Identity Hygiene at Root of Nation-State Attack Against Microsoft” (Tenable)
• “What is identity and access management? Guide to IAM” (TechTarget)
• “What is IAM? Identity and access management explained” (CSO)
• “Multifactor Authentication Is Not Enough to Protect Cloud Data” (Dark Reading)

4 - CISA working on OSS security framework, assessment tool

As part of its efforts to help improve the security of open source software (OSS), CISA is crafting a framework and backing the development of an automated tool for assessing whether an OSS component is trustworthy.

“As work on both the framework and supporting tools continue to progress, we will improve our capability to assess OSS trustworthiness at scale,” reads CISA’s blog “Continued Progress Towards a Secure Open Source Ecosystem.”

The assessment framework will evaluate four aspects of the development of an OSS component:

• Its project, including the number of active contributors and unexpected ownership changes
• The product, including whether it contains known vulnerabilities or outdated dependencies
• Its protections, such as whether developer accounts require MFA
• Its policies, such as requirements for code reviews and vulnerability disclosures

“Taken together, the collected measurements can be grouped into these four categories to provide software users and choosers a consistent way to evaluate the trustworthiness of a particular OSS component,” wrote blog author Aeva Black, CISA’s Section Chief of Open Source Software Security.

To automate the framework’s measurement process and combine the measurement results, CISA is funding the development of an open source tool called Hipcheck, which is designed to “automatically assess and score software repositories for supply chain risk,” according to its Github page.

For more information about open source software security:

• “Establishing a security baseline for open source projects” (Help Net Security)
• “OWASP Top 10 Risks for Open Source Software” (OWASP)
• “Create an open source security policy for your organization” (TechTarget)
• “How to Navigate Open-Source Security Without Stifling Innovation” (Infosecurity)
• “Study finds that SW developers lack cybersecurity skills” (Tenable)

5 - Banks get guidance on secure cloud adoption

Banks and other financial services institutions looking for fresh guidance on adopting cloud securely can check out new best-practices documents published this week.

The documents, published by the U.S. Treasury Department and the Financial Services Sector Coordinating Council (FSSCC) industry non-profit group, seek to accomplish goals such as:

• Establishing a common cloud-computing terminology for banks and regulators.
• Crafting best practices for reducing cloud-related third-party risk
• Improving transparency and monitoring of cloud services
• Creating a framework for cloud services adoption

“Today’s publications mark a significant step forward by providing a roadmap and helpful resources for banks of all sizes,” Acting Comptroller of the Currency Michael J. Hsu said in a statement. “These documents also clarify cloud service providers’ responsibilities for ensuring a secure and resilient financial system.”

To get more details, check out the Treasury’s announcement “Treasury and the Financial Services Sector Coordinating Council Publish New Resources on Effective Practices for Secure Cloud Adoption.”

For more information about cybersecurity in the financial sector:

• “The cyber clock is ticking: Derisking emerging technologies in financial services” (McKinsey)
• “A Cyber Defense Guide for the Financial Sector” (Center for Internet Security)
• “4 steps to secure your treasury operations from cyberattacks” (J.P. Morgan)
• “Global financial stability at risk due to cyber threats” (World Economic Forum)
• “The rise of cyberattacks on financial institutions highlights the need to build a security culture” (SC Magazine)

6 - CIS updates Benchmarks for Apple, Google, Red Hat products

Apple’s macOS. Microsoft’s Windows Server. Red Hat’s Enterprise Linux. Google’s Kubernetes Engine.

Those are among the products included in the latest round of updates for the popular CIS Benchmarks from the Center for Internet Security.

Specifically, these new secure-configuration recommendations were updated in June:

• CIS AlmaLinux OS 9 Benchmark v2.0.0
• CIS Apple macOS 12.0 Monterey Benchmark v3.1.0
• CIS Apple macOS 13.0 Ventura Benchmark v2.1.0
• CIS Apple macOS 14.0 Sonoma Benchmark v1.1.0
• CIS Google Kubernetes Engine (GKE) Benchmark v1.6.0
• CIS Microsoft Windows Server 2019 Stand-alone Benchmark v2.0.0
• CIS NGINX Benchmark v2.1.0
• CIS Oracle Linux 9 Benchmark v2.0.0
• CIS Red Hat Enterprise Linux 9 Benchmark v2.0.0
• CIS Red Hat OpenShift Container Platform Benchmark v1.6.0
• CIS Rocky Linux 9 Benchmark v2.0.0

 

In addition, CIS released brand new Benchmarks for AWS storage services, including Amazon Simple Storage Service (S3), and for Microsoft Azure database services, including Azure SQL.

Organizations can use the CIS Benchmarks’ secure-configuration guidelines to harden products against attacks. Currently, there are more than 100 Benchmarks for 25-plus vendor product families. Categories include cloud platforms; databases; desktop and server software; mobile devices; operating systems; and more.

To get more details, read the CIS blog “CIS Benchmarks July 2024 Update.” For more information about the CIS Benchmarks list, check out its home page, as well as:

• “Getting to Know the CIS Benchmarks” (CIS)
• “Security Via Consensus: Developing the CIS Benchmarks” (Dark Reading)
• “How to Unlock the Security Benefits of the CIS Benchmarks” (Tenable)
• “CIS Benchmarks Communities: Where configurations meet consensus” (Help Net Security)
• “CIS Benchmarks: DevOps Guide to Hardening the Cloud” (DevOps)

Businesses across the world have been hit by widespread disruptions to their Windows workstations stemming from a faulty update pushed out by cybersecurity company CrowdStrike. "CrowdStrike is actively working with customers impacted by a defect found in a single content update for Windows hosts," the company's CEO George Kurtz said in a statement. "Mac and Linux hosts are not impacted. This is

Two Russian nationals have pleaded guilty in a U.S. court for their participation as affiliates in the LockBit ransomware scheme and helping facilitate ransomware attacks across the world. The defendants include Ruslan Magomedovich Astamirov, 21, of Chechen Republic, and Mikhail Vasiliev, 34, a dual Canadian and Russian national of Bradford, Ontario. Astamirov was arrested in Arizona by U.S. law

If a software update process fails, it can lead to catastrophic consequences, as seen today with widespread blue screens of death blamed on a bad update by CrowdStrike

检测业务是否受到此漏洞影响，请联系长亭应急服务团队！

检测业务是否受到此漏洞影响，请联系长亭应急服务团队！

Note: CISA will update this Alert with more information as it becomes available.

Update 12:30 p.m., EDT, July 26, 2024: 

• CrowdStrike’s Counter Adversary Operations blog lists various reports of malicious cyber activity leveraging last week’s outage. 
• CISA encourages users and administrators to remain vigilant and maintain robust cybersecurity measures, including:
  • Only follow guidance from legitimate sources.
  • Block malicious domains.
  • Follow CrowdStrike’s recommendations to protect against the outage-related phishing activity listed in their Counter Adversary Operations reports.
• CrowdStrike also continues to provide updated information through its remediation and guidance hub.

Update 12:00 p.m., EDT, July 24, 2024: 

• CrowdStrike continues to provide updates to its guidance, including:
  • An instructional video to guide users through a self-remediation process.
  • An update to their initial remediation that accelerates remediation of impacted systems; CrowdStrike encourages customers to “follow the Tech Alerts for latest updates as they happen.”
  • A “Preliminary Incident Review,” which provides answers to why and how the outage occurred and how they will prevent such outages going forward.
• CrowdStrike also published a list of domains impersonating the CrowdStrike brand, which threat actors could use to deliver malicious content. 

Update 9:45 a.m., EDT, July 21, 2024: 

• Microsoft released a recovery tool that uses a USB drive to boot and repair affected systems. 
• Microsoft also published a blog post that provides links to various remediation solutions and outlines their actions in response to the outage, which include working with CrowdStrike to expedite restoring services to disrupted systems.
• In the blog post, Microsoft estimates the outage affected 8.5 million Windows devices. Microsoft notes that this number makes up less than one percent of all Windows machines.

Update 12:30 p.m., EDT, July 20, 2024: 

• CrowdStrike continues to provide updated guidance on yesterday’s widespread IT outage, including remediation steps for specific environments.
• CrowdStrike released technical details that provide:
  • A technical summary of the outage and the impact.
  • Information on how the update to the CrowdStrike Falcon sensor configuration file, Channel File 291, caused the logic error that led to the outage.
  • A discussion of the root cause analysis CrowdStrike is undertaking to determine how the logic error occurred.
• Cyber threat actors continue to leverage the outage to conduct malicious activity, including phishing attempts. CISA continues to work closely with CrowdStrike and other private sector and government partners to actively monitor any emerging malicious activity.
  • According to a new CrowdStrike blog, threat actors have been distributing a malicious ZIP archive file. This activity appears to be targeting Latin America-based CrowdStrike customers. The blog provides indicators of compromise and recommendations.

Update 7:30 p.m., EDT, July 19, 2024: 

• The CrowdStrike guidance is updated with additional guidance regarding impacts to specific environments, e.g., Azure, AWS. 
• For additional information:
  
  • Update from the United Kingdom's National Cyber Security Centre (NCSC-UK)
  • Update from the Australian Cyber Security Centre (ACSC)
  • Update from the Canadian Centre for Cyber Security (CCCS)
• Threat actors continue to use the widespread IT outage for phishing and other malicious activity. CISA urges organizations to ensure they have robust cybersecurity measures to protect their users, assets, and data against this activity.

CISA continues to monitor the situation and will update this Alert to provide continued support.

Initial Alert (11:30 a.m., EDT, July 19, 2024):

CISA is aware of the widespread outage affecting Microsoft Windows hosts due to an issue with a recent CrowdStrike update and is working closely with CrowdStrike and federal, state, local, tribal and territorial (SLTT) partners, as well as critical infrastructure and international partners to assess impacts and support remediation efforts. CrowdStrike has confirmed the outage:

• Impacts Windows 10 and later systems.
• Does not impact Mac and Linux hosts.
• Is due to the CrowdStrike Falcon content update and not to malicious cyber activity.

According to CrowdStrike, the issue has been identified, isolated and a fix has been deployed. CrowdStrike customer organizations should reference CrowdStrike guidance and their customer portal to resolve the issue.

Of note, CISA has observed threat actors taking advantage of this incident for phishing and other malicious activity. CISA urges organizations and individuals to remain vigilant and only follow instructions from legitimate sources. CISA recommends organizations to remind their employees to avoid clicking on phishing emails or suspicious links.

青藤，让云更安全

360终端安全一体化解决方案强势守护

在各个方面均表现优异

Learn about critical threats that can impact your organization and the bad actors behind them from Cybersixgill’s threat experts. Each story shines a light on underground activities, the threat actors involved, and why you should care, along with what you can do to mitigate risk.  In the current cyber threat landscape, the protection of personal and corporate identities has become vital.