Cybersecurity 🔐 And Much More Newsletter 📪 Vol. 3 Num. 06

Seif Hateb
12 min read · Feb 26, 2023


Greetings, friends.

Welcome to my newsletter. If you are not yet subscribed, please do. It might include books, articles, tech, tips, and cool stuff about cybersecurity.

Enjoy!

What’s Happening

🚨 CISA and FBI Offer Guidance for ESXiArgs Ransomware Virtual Machine Recovery

Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) release this joint Cybersecurity Advisory (CSA) in response to the continuing “ESXiArgs” ransomware campaign.

To gain access and spread ransomware, malicious actors may exploit known vulnerabilities in VMware ESXi servers that are likely running unpatched, out-of-service, or outdated versions of the VMware ESXi software. ESXiArgs encrypts configuration data on ESXi servers, potentially leaving virtual machines (VMs) inoperable.

CISA has published an ESXiArgs recovery script at github.com/cisagov/ESXiArgs-Recover. Organizations that have been infected by the ESXiArgs ransomware can use this script to attempt file recovery. The CSA contains instructions for using the script.

Globally, ESXiArgs actors have compromised over 3,800 systems. CISA and FBI strongly recommend that all businesses operating VMware ESXi servers harden their ESXi hypervisors by disabling the Service Location Protocol (SLP) service and ensuring the ESXi hypervisor is not reachable from the public internet.

If malicious actors have infected your company with ESXiArgs ransomware, CISA and FBI recommend using the script and instructions given in this CSA to attempt file decryption. (Link)

🇺🇸 The Balloon 🇨🇳

In what is being called “the spy balloon incident,” Chinese forces were found to have launched a surveillance balloon along the US-Mexico border in an apparent attempt to monitor US government activities.

The balloon, discovered near San Diego in California, was part of a Chinese military operation that was first detected in late December and has since been monitored by US intelligence.

According to reports, the balloon was equipped with cameras, sensors, and other surveillance equipment, and was capable of sending video and other data back to China.

The balloon incident has caused alarm among US government officials due to the potential for Chinese espionage activities. It has also raised questions about the security of US borders and the effectiveness of current counter-espionage measures.

The incident has sparked a debate about the need for stronger measures to protect US borders from foreign threats. It is also a reminder of the need for greater vigilance and cooperation between US and Chinese officials to ensure that the security of both countries is not compromised. (Link)

👾 Hackers Actively Exploiting Zero-Day in Fortra’s GoAnywhere MFT

A zero-day flaw in Fortra’s GoAnywhere managed file transfer (MFT) product is being exploited in the wild.

On Mastodon, security writer Brian Krebs first disclosed the vulnerability to the public. Fortra has not issued any advisory to the public.

The vulnerability is a remote code injection that requires access to the product’s administrative interface; therefore, it is vital that these systems are not accessible from the public internet.

According to security researcher Kevin Beaumont, there are over 1,000 on-premises instances openly reachable from the internet, a majority of which are located in the U.S. (Link)

👀 NY attorney general forces spyware vendor to alert victims

The New York attorney general’s office has issued a $410,000 penalty against a stalkerware developer who unlawfully promoted surveillance software through 16 different firms.

Stalkerware (or spyware) platforms allow their clients to monitor other people’s phones without the users’ knowledge. In some, if not most, cases they are also used to monitor the targets’ internet activity and collect sensitive information such as their location, which may later be used for blackmail or other harmful purposes.

Patrick Hinchy, the spyware seller, has also committed to inform his clients’ victims that their phones are being discreetly watched using one of his several programs, such as Auto Forward, Easy Spy, DDI Utilities, Highster Mobile, PhoneSpector, Surepoint, or TurboSpy.

These surveillance applications permitted Hinchy’s clients to discreetly monitor what other persons were doing on their mobile devices, including location, browser history, phone logs, text messages, photographs and videos, email activity, WhatsApp and Skype chats, and social media activity.

Some of the stalkerware applications “also permitted a user to remotely activate the camera or microphone of the Target Device to enable spying or eavesdropping on the owner of the device,” according to the agreement.

The stalkerware adverts were also used to fool users into believing that eavesdropping was lawful even though putting such software on someone else’s computer without authorization violates various state and federal laws. (Link)

Security Bites

👋 Tips — 🔐 Security — Encrypt/Decrypt PDFs using Python 🐍

Unauthorized access to sensitive files is a common issue today. To make sure that only the people you authorize can access the content of your files, you can encrypt them before transmission.

You can encrypt PDFs with Python using the [PyMuPDF](<https://pymupdf.readthedocs.io/en/latest/>) library (imported as `fitz`). To get started, install it with `pip install pymupdf`, then use the following code to encrypt a file and decrypt it again:

```python
import fitz  # PyMuPDF

# encrypt: Document.save() takes encryption=, user_pw= and owner_pw=
# (RC4 is a legacy cipher; fitz.PDF_ENCRYPT_AES_256 is the stronger choice)
doc = fitz.open("data.pdf")
doc.save("data.encrypted.pdf", encryption=fitz.PDF_ENCRYPT_RC4_128,
         user_pw="password", owner_pw="password")
doc.close()

# decrypt: open() takes no password; authenticate() returns 0 if it is wrong
doc = fitz.open("data.encrypted.pdf")
if doc.needs_pass and not doc.authenticate("password"):
    raise SystemExit("wrong password")
doc.save("data.decrypted.pdf")  # saving without encryption= drops the protection
doc.close()
```

You can take it one step further and add a script to check if the PDF is already encrypted before applying encryption or decryption. This will help reduce the risk of unnecessary processing.

```python
import fitz  # PyMuPDF

def is_encrypted(doc):
    """True if the PDF carries an encryption dictionary.
    An empty first page does not mean "encrypted", and loading a page of an
    unauthenticated file raises an error instead of returning empty text;
    the Document object answers the question directly."""
    return doc.is_encrypted

# encrypt only if the file is not already encrypted
doc = fitz.open("data.pdf")
if not is_encrypted(doc):
    doc.save("data.encrypted.pdf", encryption=fitz.PDF_ENCRYPT_RC4_128,
             user_pw="password", owner_pw="password")
doc.close()

# decrypt only if the file is encrypted; authenticate() returns 0 on a wrong password
doc = fitz.open("data.encrypted.pdf")
if is_encrypted(doc):
    if not doc.authenticate("password"):
        raise SystemExit("wrong password, cannot decrypt")
    doc.save("data.decrypted.pdf")  # no encryption= argument: plaintext output
doc.close()
```

With this code, you can easily encrypt and decrypt PDFs with Python. You can also use it as a starting point for a more complex program, such as an automated file encryption system.

👋 Tips — 🔐 Security — Cyber Defense — Use MITRE ATT&CK to Stop Implementing Generic Controls

What is wrong?

Defense in depth is the most costly approach you can undertake these days; zero trust architecture (ZTA) seems more reasonable. Still, most companies see ZTA as a set of technologies instead of a holistic approach to risk mitigation.

However, the biggest failure is the compliance-driven approach: it follows a prevention-based strategy and measures its effectiveness by the success of obtaining certifications such as ISO 2700x, or by audits that are not customized to the organization’s risks and are created by non-technical teams addicted to spreadsheets and checkboxes.

How do you identify threats?

You should always look at your risk exposure and security from a threat actor’s point of view, not from a compliance perspective. Start by understanding the Cyber Kill Chain and the MITRE ATT&CK framework, then learn how the threat actors (TAs) targeting you or your peers operate.

The Cyber Kill Chain is a concept that describes the stages of a cyber attack and helps organizations identify, analyze, and prevent them. It has seven steps: reconnaissance, weaponization, delivery, exploitation, installation, command and control, and actions on objectives.

The goal of the kill chain is to help organizations focus their defenses on stopping the attack in its early stages, such as reconnaissance and weaponization, before it can reach its objectives.

To do this, organizations must implement specific controls that are tailored to their environment and the type of attack they are trying to prevent. Generic controls, such as those that are used for all types of attacks, are less effective than specific controls and can be bypassed by attackers.

So, organizations should focus on putting in place controls that are unique to their environment and the kind of attack they want to stop.

  1. Reconnaissance — This stage involves the gathering of information about the target, such as open ports, services running, and user accounts, in order to gain a better understanding of the environment and potential vulnerabilities.
  2. Weaponization — This stage involves taking the data gathered in the reconnaissance phase and using it to craft an attack vector, such as a malicious file or link, which can be used to exploit the target.
  3. Delivery — In this stage, the malicious payload is sent to the target, usually via email or a malicious website.
  4. Exploitation — This stage involves exploiting the vulnerabilities discovered in the reconnaissance phase to gain access to the target system.
  5. Installation — Once access is gained, the attacker will install malicious software on the target system to give them remote control.
  6. Command and Control — The attacker will use the installed malicious software to communicate with the compromised system and issue commands to it.
  7. Actions on Objectives — In this final stage, the attacker will use the compromised system to achieve their objectives, such as stealing data or disrupting services.

The MITRE ATT&CK framework is a comprehensive knowledge base of adversary tactics and techniques based on real-world observations.

It is used to understand the techniques used by attackers and identify potential weaknesses in the security posture of an organization.

By understanding the techniques used by attackers and applying specific controls that are tailored to their environment and the type of attack they are trying to prevent, organizations can gain a better understanding of their risk exposure and improve their security posture.

To prevent an attack from reaching its objectives, organizations should focus on implementing controls that are specific to their environment and the kind of attack they are trying to prevent. Generic controls, such as those that are used for all types of attacks, are not as effective and can be bypassed by attackers.

What approach to take?

Here are some high-level steps to adopt this customized approach:

  1. Identify the threats your organization is exposed to from various sources, such as threat intelligence, the MITRE ATT&CK knowledge base, incidents, risk assessments, pentesting, and red teaming reports.
  2. Use the MITRE ATT&CK Navigator to understand the TTPs (Tactics, Techniques, and Procedures) used by the threat groups active in your industry, and by the ones targeting you specifically.
  3. Prioritize the threats by impact and likelihood.
  4. Use a NIST-to-MITRE ATT&CK mapping to identify the controls that mitigate each of the risks tied to the TTPs and threats identified. (Link)
  5. Evaluate your blue team efforts using the DeTT&CT framework. DeTT&CT assists blue teams in using ATT&CK to score and compare data log source quality, visibility coverage, detection coverage, and threat actor behaviors. This can help organizations become more resilient against attacks.
  6. Conduct Purple teaming exercises where your red team and blue team work closely and learn from each other to enhance your defenses and visibility to threats.
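As an added example (not from the newsletter, and not MITRE’s or NIST’s tooling), this Python script carries steps 2 to 4 above through on a constructed ATT&CK Navigator layer: it ranks techniques by impact times likelihood and then lists which controls cover the high-risk ones. It assumes the NIST mapping in step 4 is to SP 800-53; the layer, the impact ratings and the technique-to-control mapping are all constructed sample data, the mapping being a hand-picked illustrative subset rather than the real ATT&CK-to-800-53 data set.

```python
import json

# Constructed Navigator layer (the minimal fields of the layer format): techniques
# seen in use against our industry, scored 0-100 by how often they were observed.
LAYER_JSON = """{
  "name": "constructed example layer", "domain": "enterprise-attack",
  "techniques": [
    {"techniqueID": "T1566", "score": 90, "comment": "Phishing"},
    {"techniqueID": "T1078", "score": 70, "comment": "Valid Accounts"},
    {"techniqueID": "T1486", "score": 40, "comment": "Data Encrypted for Impact"},
    {"techniqueID": "T1059", "score": 60, "comment": "Command and Scripting Interpreter"}
  ]
}"""

# Business impact per technique (1-5), as a risk assessment would rate it (constructed).
IMPACT = {"T1566": 3, "T1078": 4, "T1486": 5, "T1059": 3}

# Illustrative technique -> NIST SP 800-53 control mapping (hand-picked subset,
# constructed for this example; not the full public mapping data set).
CONTROLS = {
    "T1566": ["AT-2", "SI-3", "SI-8"],
    "T1078": ["AC-2", "IA-2", "IA-5"],
    "T1486": ["CP-9", "CP-10", "SI-3"],
    "T1059": ["CM-7", "SI-4", "AC-6"],
}


def prioritize(layer_json, impact):
    """Step 3: rank techniques by impact x likelihood, using the layer score as likelihood.
    Returns [(technique_id, risk, name), ...] sorted from highest risk down."""
    ranked = []
    for t in json.loads(layer_json)["techniques"]:
        tid = t["techniqueID"]
        likelihood = t.get("score", 0) / 100.0
        ranked.append((tid, round(impact.get(tid, 1) * likelihood, 2), t.get("comment", "")))
    return sorted(ranked, key=lambda r: r[1], reverse=True)


def controls_for(ranked, mapping, min_risk=2.0):
    """Step 4: collect the controls covering every technique at or above min_risk,
    ordered by how many of those techniques each control mitigates (ties by name)."""
    coverage = {}
    for tid, risk, _ in ranked:
        if risk < min_risk:
            continue  # below the cut-off: not worth a tailored control yet
        for ctl in mapping.get(tid, []):
            coverage.setdefault(ctl, []).append(tid)
    return sorted(coverage.items(), key=lambda kv: (-len(kv[1]), kv[0]))


if __name__ == "__main__":
    ranked = prioritize(LAYER_JSON, IMPACT)
    for tid, risk, name in ranked:
        print(f"{tid:6} risk={risk:<4} {name}")
    for ctl, tids in controls_for(ranked, CONTROLS):
        print(f"{ctl:6} covers {', '.join(tids)}")
```

Controls that mitigate several high-risk techniques (here SI-3) surface first, which is the list to compare against what the blue team actually has deployed before buying anything generic.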

My Favorites

🎉 Microsoft Launches New AI-Powered Bing and Edge

To enable people to unleash the thrill of discovery, experience the awe of creativity, and better harness the world’s information, Microsoft is rethinking the search engine and the browser, which are used by billions of people every day, in order to enhance the web’s advantages for the world.

On February 7th, they unveiled an all-new, AI-powered Bing search engine and Edge browser, both of which are available in preview on Bing.com, to provide better search, more thorough answers, a new chat experience, and the opportunity to develop content. They see these technologies as a web-based AI copilot.

“AI will fundamentally change every software category, starting with the largest category of all — search,” said Satya Nadella, Chairman and CEO of Microsoft. “Today, we’re launching Bing and Edge powered by AI copilot and chat, to help people get more from search and the web.”

Microsoft said that 50 percent of the 10 billion daily search inquiries are not answered. People are utilizing search for purposes for which it was not originally intended. It is excellent for locating a webpage, but it frequently falls short for more difficult inquiries or activities. (Link)

🎉 NIST Selects ‘Lightweight Cryptography’ Algorithms to Protect Small Devices

Security experts at the National Institute of Standards and Technology (NIST) have announced a victor in their program to find a worthy defender of data generated by small devices. The winner, a group of cryptographic algorithms called Ascon, will be published as NIST’s lightweight cryptography standard later in 2023.

The chosen algorithms are designed to protect information created and transmitted by the Internet of Things (IoT), including its myriad of tiny sensors and actuators. They are also made for other small technologies, like medical devices that are implanted, stress sensors in roads and bridges, and keyless entry fobs for cars.

Devices like these need “lightweight cryptography” — protection that uses the limited amount of electronic resources they possess. According to NIST computer scientist Kerry McKay, the newly selected algorithms should be appropriate for most forms of tiny tech.

“The world is moving toward using small devices for lots of tasks ranging from sensing to identification to machine control, and because these small devices have limited resources, they need security that has a compact implementation,” she said. “These algorithms should cover most devices that have these sorts of resource constraints.”

NIST held a development program that took several years to find the best and most secure lightweight algorithms. First, they talked to industry and other groups to find out what they needed, and then in 2018, they asked the world’s cryptography community for ideas.

After getting 57 submissions, McKay and mathematician Meltem Sonmez Turan ran a public review process with multiple rounds. During these rounds, cryptographers looked at the candidates and tried to find flaws in them. Eventually, they got down to 10 finalists, and then the winner was chosen. (Link)

🎉 MITRE ATT&CK v12 is here!

MITRE, a US-based not-for-profit organization, provides a range of technical, cyber, and engineering services to the federal government to advance national security. In 2013, they launched a research project to track cyber threat actors’ behavior. This resulted in the Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) framework.

The MITRE ATT&CK Framework is composed of a taxonomy of threat actor behavior during an attack lifecycle. It is divided into 14 tactics, each containing a set of more specific techniques and sub-techniques (covering the Tactics, Techniques, and Procedures — TTPs). The Framework is split into three distinct matrices: Enterprise (attacks against enterprise IT networks and cloud), Mobile (attacks targeting mobile devices), and Industrial Control Systems (attacks targeting ICS).

Like most previous versions, v12 of MITRE ATT&CK contains new attack techniques (e.g., Compromise Accounts: Cloud Accounts) as well as updates on existing techniques, groups, and software across all matrices based on observed adversary activity.

What sets v12 apart is the addition of detections to the ICS matrix (mirroring the Enterprise matrix) and the introduction of campaigns. According to MITRE, campaigns are “groupings of intrusion activity conducted over a specific period of time with common targets and objectives.” They can be used to detect changes in tactics, techniques, and procedures (TTPs), as well as to identify trends in evolving tactics and the introduction of new techniques.

Each campaign includes a description of the intrusion activity (e.g., targeted countries and sectors), specific commands/steps taken by the actors (which can help identify detection and mitigation opportunities), and is offered in STIX file format.

There’s more to learn about this exciting feature, which you can do using this link.

(Link)

📚 🤩 Books I Recommend Reading 🕹

Title: Practical IoT Hacking: The Definitive Guide to Attacking the Internet of Things

Authors: Fotios Chantzis, Ioannis Stais, Paulino Calderon, Evangelos Deirmentzoglou, Beau Woods

Overview:

Drawing from the real-life experiences of five well-known IoT security researchers, Practical IoT Hacking teaches you how to test IoT systems, devices, and protocols to reduce risk.

The book starts by introducing common threats and a threat modeling framework. You’ll develop a security testing approach, learn the art of passive reconnaissance, and evaluate security on all layers of an IoT system. Then, you’ll perform VLAN hopping, crack MQTT authentication, abuse UPnP, create an mDNS poisoner, and craft WS-Discovery attacks.

You’ll explore both hardware hacking and radio hacking, with detailed coverage of attacks against embedded IoT devices and RFID systems. Additionally, you’ll learn how to:

  • Write a DICOM service scanner as an NSE module
  • Hack a microcontroller through the UART and SWD interfaces
  • Reverse engineer firmware and analyze mobile companion apps
  • Develop an NFC fuzzer using Proxmark3
  • Hack a smart home by jamming wireless alarms, playing back IP camera feeds, and controlling a smart treadmill

Affordable and readily available tools and devices make it easy to put into practice what you learn. Whether you’re a security researcher, an IT team member, or a hacking hobbyist, Practical IoT Hacking is an indispensable resource for hacking all the things.

🎥 Videos — Turkey-Syria Earthquake: See How Advanced Mapping Tech Could Aid Rescuers

The earthquakes in Turkey and Syria caused roads to become blocked or destroyed, making it difficult for rescue teams to access the area. Technology such as drones, satellite mapping, and computational modeling can now be used to help rescuers navigate the destroyed terrain and restore the transport network of the affected countries.

Advanced mapping technology could be a great asset in earthquake rescue efforts. It could provide detailed information about the affected area, such as the location of buildings, roads, and other infrastructure. This data could help responders quickly identify where people are trapped and the best routes to reach them. Additionally, mapping technology could provide real-time updates on the situation, allowing responders to adjust their plans as needed. (Link)

Quote of the Week

“Be authentic and genuine; it’s one of the rarest traits nowadays.”

If you’re interested in starting a career in cybersecurity, watch this one, and don’t forget to subscribe to my channel and leave a comment if there are any topics you’re interested in seeing in my next video.

Check out my other stuff here.

Written by Seif Hateb

Cybersecurity Professional, Lecturer, Cryptographer, Martial Artist.