Cyber Security Weekly News

1. The US bans Kaspersky software, citing security risks

2. A Microsoft bug lets anyone spoof Microsoft employee emails

3. AMD data breach investigation

4. RansomHub’s Linux ransomware version targets VMware ESXi

5. Top 10 SOC tools of 2024

6. Hackers can crack 59% of real-world passwords within an hour

7. How Android overlays are used to trick people

1. The US bans Kaspersky software, citing security risks

Kaspersky has drawn security concerns in the US since 2017, when federal agencies were barred from using its software.

The US has now announced a ban on Kaspersky’s operations in the country, citing potential national security risks. The ban also extends to Kaspersky’s affiliates and subsidiaries.

The concern is that Kaspersky is subject to Russian government control, which could give the Kremlin access to US information, a channel for installing malicious software for spying, or the ability to withhold critical updates.

The ban followed what the Commerce Department called an “extreme investigation”, and US Commerce Secretary Gina Raimondo added that “Russia has shown its capacity in exploiting Russian companies like Kaspersky to collect and weaponize the personal information of Americans”.

Kaspersky released a statement denying the allegations, saying the decision was based on the present geopolitical climate and theoretical concerns rather than a detailed evaluation of Kaspersky’s products and services.

Kaspersky is barred from selling to US customers from July 20 and may provide antivirus signature updates to existing customers only until September 29. After that date installed products keep running but no longer receive new signatures, which is the practical reason any organization still using them should plan a migration before then.

2. A Microsoft bug lets anyone spoof Microsoft employee emails

A security researcher found a bug that allows anyone to spoof email from Microsoft corporate Outlook accounts, which makes phishing lures that appear to come from Microsoft far more convincing.

The researcher, Vsevolod Kokorin, known as Slonser on X, shared his findings publicly after Microsoft declined his report, saying it could not reproduce the issue. This followed months of communication with Microsoft that led nowhere.

Slonser did not publish a proof of concept (PoC), to avoid enabling exploitation, so the details of the bug are still not publicly known.

The post appears to have caught Microsoft’s attention, and the company is reopening the investigation.

This is not the first time Microsoft has been criticized for dismissing a reported flaw, and an unfixed sender-spoofing bug could be devastating. Until it is fixed, mail that appears to come from a Microsoft address deserves the same scepticism as any other, and the message’s authentication results rather than the displayed sender should decide whether it is trusted.

3. AMD data breach investigation

AMD has launched an investigation after a hacker known as IntelBroker claimed to be selling AMD data on BreachForums. IntelBroker has been associated with several high-profile breach claims in the past.

According to IntelBroker, the data includes source code, future AMD projects, financial records, employee personal information, firmware, customer databases, ROMs, property files, and internal communications.

The threat actor shared samples of the allegedly stolen data on the forum as purported proof; the claims have not been independently verified.

A confirmed breach would put AMD at risk of reputational damage and follow-on attacks, since leaked source code, firmware and internal communications could reveal weaknesses in AMD’s products and security infrastructure.

AMD has yet to give a detailed update on the incident; it says it is working with law enforcement and a third-party hosting partner to investigate the matter.

4. RansomHub’s Linux ransomware version targets VMware ESXi

Virtual machines are widely used for server hosting because of their management and performance benefits, and ransomware groups such as RansomHub now target the hypervisors that run them, where a single encryptor can take many servers offline at once. RansomHub runs a ransomware-as-a-service platform with encryptors for Windows, Linux, and ESXi systems.

RansomHub uses a Linux encryptor to encrypt VMware ESXi environments during attacks on corporate networks.

According to Security Affairs, researchers at Recorded Future’s Insikt Group noticed that the ESXi version of RansomHub creates a file named /tmp/app.pid to ensure that only one instance of the encryptor runs. They also found a bug in this check: if the file already contains -1, RansomHub never reaches the encryption stage and instead runs in an endless loop.

“After processing command-line arguments and decrypting the configuration, RansomHub ESXi leverages the file /tmp/app.pid to check whether it is already running. If /tmp/app.pid does not exist, RansomHub will create it and write the process ID there. If /tmp/app.pid exists on startup, RansomHub will print to console ‘already running…’, read the process ID in the file, attempt to kill that process, and then exit if the process was killed,” reads the analysis published by Insikt Group. “If the file /tmp/app.pid is created with ‘-1’ written inside, then the ransomware will end up in a loop trying to kill process ID ‘-1’, which should never exist, and no encryption of files or other harm to the system will take place.”
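The check Insikt Group describes can be turned into a stopgap: pre-create /tmp/app.pid with -1 in it so this build of the encryptor takes its “already running” path. The script below is an added example written for this article, not Insikt Group’s or RansomHub’s code. It models the quoted startup logic to show why -1 (rather than some stale positive PID, which a real process could later reuse) traps the encryptor, and it writes the file. The path argument exists only so the script can be tried outside an ESXi host; nothing in it kills any process.

```python
"""Added example (not Insikt Group's or RansomHub's code): model the
RansomHub ESXi /tmp/app.pid check quoted above and pre-create the file
with -1 so this build never reaches encryption."""
import os
import stat

DEFAULT_PIDFILE = "/tmp/app.pid"   # lock file named in the Insikt Group analysis
VACCINE_PID = "-1"                 # a PID that can never belong to a process


def pid_alive(pid):
    """True if a process with this PID exists and we may signal it.
    Zero and negative values address process groups in kill(2), so they
    are rejected outright instead of being passed to os.kill."""
    if pid <= 0:
        return False
    try:
        os.kill(pid, 0)            # signal 0: existence/permission check only
        return True
    except ProcessLookupError:
        return False
    except PermissionError:
        return True                # exists, owned by someone else


def lock_check_outcome(path=DEFAULT_PIDFILE, alive=pid_alive):
    """Model of the startup logic from the analysis (nothing is killed here).
    Returns 'encrypt' when the file is absent (the encryptor would create it
    and proceed), 'exit' when it holds a live PID the encryptor could kill,
    and 'loop' when the PID can never be killed, as with -1."""
    try:
        with open(path) as f:
            raw = f.read().strip()
    except FileNotFoundError:
        return "encrypt"
    try:
        pid = int(raw)
    except ValueError:
        # The analysis does not say what non-numeric content does; refuse to guess.
        raise ValueError(f"{path}: non-numeric content {raw!r}, behaviour unknown")
    return "exit" if alive(pid) else "loop"


def write_vaccine(path=DEFAULT_PIDFILE):
    """Create the lock file holding -1 and make it read-only.
    Returns True when the file now holds the vaccine value."""
    if os.path.exists(path):
        os.remove(path)            # a previous read-only copy would block the write
    with open(path, "w") as f:
        f.write(VACCINE_PID)
    os.chmod(path, stat.S_IRUSR | stat.S_IRGRP | stat.S_IROTH)
    return is_vaccinated(path)


def is_vaccinated(path=DEFAULT_PIDFILE):
    """True if the lock file exists and contains -1."""
    try:
        with open(path) as f:
            return f.read().strip() == VACCINE_PID
    except OSError:
        return False


if __name__ == "__main__":
    print("before:", lock_check_outcome())
    print("vaccinated:", write_vaccine())
    print("after:", lock_check_outcome())
```

Two caveats before relying on it: /tmp on ESXi is an in-memory filesystem, so the file disappears at every reboot and a host would have to recreate it at boot, for example from /etc/rc.local.d/local.sh; and the encryptor runs as root, so it can simply delete the file, and the authors can drop the check in their next build. Treat it as a free speed bump against this build, not a control; patched ESXi hosts, lockdown mode and tested offline backups still do the real work.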

 

5. Top 10 SOC tools of 2024

“Sleep is for the weak, but security is for the strong” is a popular Security Operations Center (SOC) motto.

A SOC’s job is to monitor, detect, analyze, and respond to security incidents, using tools such as security information and event management (SIEM) platforms, intrusion prevention systems (IPS), intrusion detection systems (IDS), threat intelligence platforms, vulnerability management platforms, and endpoint detection and response (EDR) tools.

Here are the top 10 SOC tools of 2024 according to Cyber Security News:

  • TrendMicro XDR: Comprehensive extended detection and response with advanced threat correlation.
  • SolarWinds Security Event Manager: Real-time event log monitoring and automated threat response.
  • Splunk: Powerful data analytics platform for security information and event management.
  • Trellix Platform: Integrated security operations with advanced threat detection and response.
  • Exabeam: User and entity behavior analytics for efficient threat detection.
  • Rapid7 Insight Platform: Unified cloud-based security management and vulnerability assessment.
  • CrowdStrike Falcon: Endpoint protection with real-time threat intelligence and response.
  • Log360: Comprehensive log management and network security monitoring.
  • McAfee ESM (Enterprise Security Manager): Centralized security information management with advanced analytics.
  • ArcSight: Scalable SIEM solution with real-time threat detection and compliance reporting.

6. Hackers can crack 59% of real-world passwords within an hour

According to an analysis by Kaspersky of 193 million real-world passwords, 45% (87 million passwords) could be cracked by a smart guessing algorithm in less than a minute and 59% within an hour, while only 12% would take more than a year.

All it takes is a smart brute-force guessing algorithm. It works because humans are predictable: we build passwords from spouse names, important dates, pet names and the like, usually with a capital letter at the front and a digit or symbol at the end, and a guesser that tries those patterns first needs far fewer attempts than an exhaustive search.

Kaspersky also found that even when people try to add random characters, they tend to pick keys from the middle of the keyboard. An experiment run by a YouTube channel, which asked viewers to pick a number between 1 and 100, collected more than 200,000 responses that clustered on 7, 37, 42, 69, 73 and 77, another illustration of how predictable human “random” choices are.
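To make the point concrete, here is an added example written for this article (not Kaspersky’s algorithm) of a rule-based guesser. A small constructed wordlist of names and common words is expanded with the mangling patterns people actually use (capitalization, leetspeak, a year, a trailing symbol), and the script counts how many guesses it takes to reach a human-style password such as Rocky2019! against the size of the space a genuinely random 10-character password lives in. The guess rate of 10 billion per second is an assumption standing in for one modern GPU against a fast, unsalted hash.

```python
"""Added example (not Kaspersky's algorithm): a toy rule-based password
guesser that shows why human-pattern passwords fall quickly."""
import string

# Constructed toy wordlist: names, pets and common words a real cracker would
# load from dictionaries and leaked-password lists.
BASE_WORDS = ["password", "rocky", "james", "summer",
              "qwerty", "dragon", "monkey", "sarah"]
YEARS = [str(y) for y in range(1980, 2025)]       # birth years, "the year I set it"
SUFFIXES = ["", "!", "1", "123", "!1", "#"]        # what people bolt on to satisfy policy
LEET = str.maketrans({"a": "4", "e": "3", "i": "1", "o": "0", "s": "$"})
ASSUMED_RATE = 1e10   # assumption: guesses/second, one modern GPU vs. a fast unsalted hash


def mangle(word):
    """Yield human-style variants of one base word, cheapest patterns first."""
    forms = [word, word.capitalize(), word.upper(),
             word.translate(LEET), word.capitalize().translate(LEET)]
    for form in forms:                # word + suffix
        for suffix in SUFFIXES:
            yield form + suffix
    for form in forms:                # word + year + suffix
        for year in YEARS:
            for suffix in SUFFIXES:
                yield form + year + suffix


def candidates(words=BASE_WORDS):
    """All guesses in attack order, without duplicates."""
    seen = set()
    for word in words:
        for cand in mangle(word):
            if cand not in seen:
                seen.add(cand)
                yield cand


def guesses_needed(password, words=BASE_WORDS):
    """Guess number at which the rule-based attack hits the password,
    or None if the password lies outside the pattern space."""
    for n, cand in enumerate(candidates(words), start=1):
        if cand == password:
            return n
    return None


def pattern_space(words=BASE_WORDS):
    """Total guesses the rule-based attack makes before giving up."""
    return sum(1 for _ in candidates(words))


def random_space(length, alphabet=string.ascii_letters + string.digits + string.punctuation):
    """Keyspace a truly random password of this length drawn from alphabet lives in."""
    return len(alphabet) ** length


def seconds_to_exhaust(space, rate=ASSUMED_RATE):
    """Time to make `space` guesses at the assumed rate."""
    return space / rate


if __name__ == "__main__":
    for pw in ["Rocky2019!", "P4$$w0rd123", "xK9#mQ2vLp"]:
        n = guesses_needed(pw)
        if n is None:
            space = random_space(len(pw))
            print(f"{pw!r}: outside the pattern space; random {len(pw)}-char keyspace "
                  f"is {space:.1e} guesses, about "
                  f"{seconds_to_exhaust(space) / 31_536_000:.0f} years at the assumed rate")
        else:
            print(f"{pw!r}: guess #{n} of {pattern_space()} "
                  f"({seconds_to_exhaust(n) * 1000:.4f} ms at the assumed rate)")
```

Real tools such as hashcat and John the Ripper apply the same idea with far larger wordlists and rule sets, which is why a password like Rocky2019! offers almost no protection even though it satisfies typical complexity rules. A long random string from a password manager is outside every pattern space, so an attacker is thrown back on exhaustive search over the full keyspace.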

 

Takeaways

Always use strong passwords: long, random, and unique to each site.

Do not store passwords in browsers.

Do not reuse passwords across different sites.

Generate strong passwords with a good password manager.

Enable 2FA.

Check how easily your password can be cracked, but only with a checker that runs locally on your own machine; never type a real password into an online form, because that hands it to a third party.

7. How Android overlays are used to trick people

An Android overlay is a window that one app draws on top of another app (the “Display over other apps” permission). Malicious overlays are designed to blend in with the interface of the app underneath, so the user believes they are interacting with the real app.

Attackers take advantage of this feature to:

-trick the user into granting permissions, such as accessibility services, which the attacker then uses to escalate privileges on the device.

-steal and intercept sensitive information, typically by drawing a fake login screen over a banking or wallet app so the user types credentials into the attacker’s window, leading to account compromise or theft.

-perform click-jacking (tapjacking), which tricks a user into tapping a button or link when they think they are tapping a different one.

-deliver malware, for example by hiding an install or permission prompt behind a harmless-looking screen.

How to prevent:

Android 12 added protections against overlay attacks: an app can ask the system to hide overlay windows while it is in the foreground, and touches that pass through certain overlays are blocked. This is not enough on its own, as the protections have been bypassed and older devices do not have them.

Ensure you have a good antivirus solution, check which apps have permission to display over other apps (Settings > Apps > Special app access > Display over other apps), and disable the permission for any app that does not need it.
