Source: securityaffairs.com – Author: Pierluigi Paganini CISA adds Google Chrome zero-days to its Known Exploited Vulnerabilities catalog CISA adds two Chrome zero-day vulnerabilities to its Known Exploited Vulnerabilities catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added [1,2] the following vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog: CVE-2024-4761 Google Chromium V8 Engine contains an unspecified […]

La entrada CISA adds Google Chrome zero-days to its Known Exploited Vulnerabilities catalog – Source: securityaffairs.com se publicó primero en CISO2CISO.COM & CYBER SECURITY GROUP.

Potential Cyberattack on the US Election: A Pressing Concern!

CISA’s Plan To Bolster Cybersecurity in the Upcoming US Election

Source: www.cybertalk.org – Author: slandau EXECUTIVE SUMMARY: Last week, over 40,000 business and cyber security leaders converged at the Moscone Center in San Francisco to attend the RSA Conference, one of the leading annual cyber security conferences and expositions worldwide, now in its 33rd year. Across four days, presenters, exhibitors and attendees discussed a wide […]

La entrada 5 key takeaways for CISOs, RSA Conference 2024 – Source: www.cybertalk.org se publicó primero en CISO2CISO.COM & CYBER SECURITY GROUP.

In the realm of cybersecurity, vigilance is paramount. Recently, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) flagged a critical vulnerability in GitLab, a popular platform for collaborative software development. This GitLab password exploit tracked as CVE-2023-7028, has been actively exploited in the wild, posing significant risks to organizations utilizing GitLab for their development workflows. […]

The post CISA Alert: GitLab Password Exploit – Act Now For Protection appeared first on TuxCare.

The post CISA Alert: GitLab Password Exploit – Act Now For Protection appeared first on Security Boulevard.

CISA, FBI, and DHS Collaborate to Support Cybersecurity for Civil Society

Aiming for Better Protection Against Cyber Threats

Enlarge (credit: Getty Images)

Federal agencies, health care associations, and security researchers are warning that a ransomware group tracked under the name Black Basta is ravaging critical infrastructure sectors in attacks that have targeted more than 500 organizations in the past two years.

One of the latest casualties of the native Russian-speaking group, according to CNN, is Ascension, a St. Louis-based health care system that includes 140 hospitals in 19 states. A network intrusion that struck the nonprofit last week ​​took down many of its automated processes for handling patient care, including its systems for managing electronic health records and ordering tests, procedures, and medications. In the aftermath, Ascension has diverted ambulances from some of its hospitals and relied on manual processes.

“Severe operational disruptions”

In an Advisory published Friday, the FBI and the Cybersecurity and Infrastructure Security Agency said Black Basta has victimized 12 of the country’s 16 critical infrastructure sectors in attacks that it has mounted on 500 organizations spanning the globe. The nonprofit health care association Health-ISAC issued its own advisory on the same day that warned that organizations it represents are especially desirable targets of the group.

Read 10 remaining paragraphs | Comments

Будет! Russian ransomware rascals riled a Roman Catholic healthcare organization.

The post FBI/CISA Warning: ‘Black Basta’ Ransomware Gang vs. Ascension Health appeared first on Security Boulevard.

Source: securityaffairs.com – Author: Pierluigi Paganini As of May 2024, Black Basta ransomware affiliates hacked over 500 organizations worldwide Black Basta ransomware affiliates have breached over 500 organizations between April 2022 and May 2024, FBI and CISA reported. The FBI, CISA, HHS, and MS-ISAC have issued a joint Cybersecurity Advisory (CSA) regarding the Black Basta […]

La entrada As of May 2024, Black Basta ransomware affiliates hacked over 500 organizations worldwide – Source: securityaffairs.com se publicó primero en CISO2CISO.COM & CYBER SECURITY GROUP.

Insight #1

The Cybersecurity and Infrastructure Security Agency’s (CISA’s) Known Exploited Vulnerabilities (KEV) list is shown to increase speed of fixing vulnerabilities, but Verizon’s  Data Breach Investigations Report (DBIR) also shows that remediation is still taking much longer than it should. Does “improvement” mean we will continue to improve, or just that these vulnerabilities change priority and still get fixed as slowly as before? Only time will tell.  

The post Cybersecurity Insights with Contrast CISO David Lindner | 5/10/24 appeared first on Security Boulevard.

Lenovo Joins CISA’s Secure by Design Pledge

Global Cybersecurity Initiative

CISA’s Vulnrichment project is adding important information to CVE records to help improve vulnerability management processes.

The post CISA Announces CVE Enrichment Project ‘Vulnrichment’ appeared first on SecurityWeek.

CISA and the FBI warn of threat actors abusing path traversal software vulnerabilities in attacks targeting critical infrastructure.

The post CISA, FBI Urge Organizations to Eliminate Path Traversal Vulnerabilities appeared first on SecurityWeek.

Government agencies are sharing recommendations following attacks claimed by pro-Russian hacktivists on ICS/OT systems.

The post Russian Hackers Target Industrial Systems in North America, Europe appeared first on SecurityWeek.

The Department of Homeland Security (DHS), in conjunction with the Cybersecurity and Infrastructure Security Agency (CISA) and the Countering Weapons of Mass Destruction Office (CWMD), has announced a suite of initiatives aimed at securing critical infrastructure and guarding against AI threats.

This announcement comes as the DHS marks the 180-day milestone of President Biden’s Executive Order (EO) 14110, “Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence (AI)”.

Securing Critical Infrastructure from AI Threats

• Attacks Using AI: This includes the use of AI to plan or execute physical or cyber attacks on critical infrastructure.
• Attacks Targeting AI Systems: Targeted attacks on AI systems supporting critical infrastructure.
• Failures in AI Design and Implementation: Deficiencies or inadequacies in AI systems leading to malfunctions or unintended consequences.

• Govern: Establish an organizational culture prioritizing AI risk management.
• Map: Understand individual AI use contexts and risk profiles.
• Measure: Develop systems to assess, analyze, and track AI risks.
• Manage: Prioritize and act upon AI risks to safety and security.

The CBRN Threat: Preparing for the Unthinkable

All Hands on Deck: Department Unites for Goal

• Artificial Intelligence Safety and Security Board (AISSB): Established to advise DHS and the critical infrastructure community on the safe and secure development and deployment of AI.
• AI Roadmap: A detailed plan for using AI technologies while protecting individuals’ privacy, civil rights, and civil liberties.
• AI Corps: An accelerated hiring initiative aimed at leveraging AI expertise across strategic areas of the homeland security enterprise.

New CISA guidelines categorize AI risks into three significant types and pushes a four-part mitigation strategy.

The post CISA Rolls Out New Guidelines to Mitigate AI Risks to US Critical Infrastructure appeared first on SecurityWeek.

CISA-Listed Honeywell Product Vulnerabilities of High Severity

CISA Shares Mitigations for Honeywell Product Vulnerabilities

In response to this growing threat, the Cybersecurity and Infrastructure Security Agency (CISA) has launched the Ransomware Vulnerability Warning Pilot (RVWP). This initiative focuses on proactive risk reduction through direct communication with the federal government, state, local, tribal, territorial (SLTT) government, and critical infrastructure entities. The goal is to prevent threat actors from accessing and deploying ransomware on their networks.

Ransomware, a persistent threat to critical services, businesses, and communities worldwide, continues to evolve, causing costly and disruptive incidents. Recent industry reports estimate that businesses spend an average of $1.85 million to recover from a ransomware attack.

Moreover, a staggering 80% of victims who paid a ransom were targeted again by these criminals. The economic, technical, and reputational impacts of ransomware incidents pose significant challenges for organizations large and small.

CISA's Ransomware Vulnerability Warning Pilot 

The Success of RVWP in 2023

Taking Action to #StopRansomware

1. Enroll in CISA Cyber Hygiene Vulnerability Scanning: This no-cost service helps organizations raise their cybersecurity posture and reduce business risk by identifying and mitigating vulnerabilities.
2. Review the #StopRansomware Guide: Utilize the valuable checklist on how to respond to a ransomware incident and protect your organization.
3. Report Ransomware Activity: Always report observed ransomware activity, including indicators of compromise and tactics, techniques, and procedures (TTPs), to CISA and federal law enforcement partners.

As the United States gears up for another round of crucial elections, the focus on securing polling locations is more critical than ever. In a bid to fortify security preparedness at the frontline of U.S. elections, the Cybersecurity and Infrastructure Security Agency (CISA) has released the Physical Security Checklist for Polling Locations, a new tool tailored to empower election workers with actionable and accessible security measures.

Simplified Security Measures With Physical Security Checklist

Key Security Principles

1. Identifying Responsibility: Establishing an individual or group responsible for security and safety.
2. Risk Assessment: Utilizing risk assessments to inform security measures.
3. Developing Plans: Developing plans to inform processes and procedures.
4. Refining Measures: Refining security measures before Election Day.
5. Implementing Mitigations: Implementing mitigations and “day of” security measures.
6. Reporting Incidents: Encouraging the reporting of suspicious behavior or potential incidents.

In a concerted effort to fortify the integrity of America's democratic processes, the Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Office of the Director of National Intelligence (ODNI) have jointly released a comprehensive guidance document.

Titled "Securing Election Infrastructure Against the Tactics of Foreign Malign Influence Operations," the comprehensive guidance document delineates the latest tactics employed by foreign adversaries to manipulate U.S. policies, decisions, and discourse, with a particular focus on election infrastructure vulnerabilities.

Comprehensive Guidance Document: Commitment to Defending Democracy

Collaborative Vigilance and Action

Response to the Russian Cyber Campaign

Sean Connelly Leaves CISA to Join Zscaler

From Federal Government to Private Sector

The National Security Agency (NSA) is taking a proactive stance in cybersecurity with the release of a Cybersecurity Information Sheet (CSI) titled “Deploying AI Systems Securely: Best Practices for Deploying Secure and Resilient AI Systems.” This initiative underlines the growing importance of securing artificial intelligence (AI) systems in the face of evolving cyber threats.

NSA Collaborative Effort

Future Directions

The Cybersecurity & Infrastructure Security Agency (CISA) has added a vulnerability in Roundcube Webmail to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. This means that Federal Civilian Executive Branch (FCEB) agencies need to remediate this vulnerability by March 4, 2024, in order to protect their devices against active threats. We urge other Roundcube Webmail users to take this seriously too.

Roundcube is a web-based IMAP email client. Internet Message Access Protocol (IMAP) is used for receiving email. It allows users to access their emails from multiple different devices, and it’s why when you read an email on your laptop it’s marked as “read” on your phone too. Reportedly, there are over 132,000 Roundcube servers accessible over the internet. Most of them situated in the US and China.

The affected versions are Roundcube versions before 1.4.14, 1.5.x before 1.5.4, and 1.6.x before 1.6.3. An update to patch the vulnerability with version 1.6.3 has been available since September 15, 2023. The current version, 1.6.6 at the time of writing, does not have the vulnerability either.

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The CVE patched in these updates is:

CVE-2023-43770, which is a persistent cross-site scripting (XSS) bug that lets attackers access restricted information.

XSS vulnerabilities occur when input coming into web applications is not validated and/or output to the browser is not properly escaped before being displayed. Persistent, or stored XSS, is a type of vulnerability which occurs when the untrusted or unverified user input is stored on a target server.

This means that a persistent XSS attack is possible when the attacker exploits a vulnerable website or web application to inject malicious code, and this code is stored on a server so it will later automatically be served to other users who visit the web page.

In this case it appears that attackers can send plain text emails to Roundcube users with XSS links in them, but Roundcube does not sanitize the links, and, of course, stores the email, creating persistence.

We don’t just report on vulnerabilities—we identify them, and prioritize action.

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using ThreatDown Vulnerability and Patch Management.

Three Americans were charged this week with stealing more than $400 million in a November 2022 SIM-swapping attack. The U.S. government did not name the victim organization, but there is every indication that the money was stolen from the now-defunct cryptocurrency exchange FTX, which had just filed for bankruptcy on that same day.

A graphic illustrating the flow of more than $400 million in cryptocurrencies stolen from FTX on Nov. 11-12, 2022. Image: Elliptic.co.

An indictment unsealed this week and first reported on by Ars Technica alleges that Chicago man Robert Powell, a.k.a. “R,” “R$” and “ElSwapo1,” was the ringleader of a SIM-swapping group called the “Powell SIM Swapping Crew.” Colorado resident Emily “Em” Hernandez allegedly helped the group gain access to victim devices in service of SIM-swapping attacks between March 2021 and April 2023. Indiana resident Carter Rohn, a.k.a. “Carti,” and “Punslayer,” allegedly assisted in compromising devices.

In a SIM-swapping attack, the crooks transfer the target’s phone number to a device they control, allowing them to intercept any text messages or phone calls sent to the victim, including one-time passcodes for authentication or password reset links sent via SMS.

The indictment states that the perpetrators in this heist stole the $400 million in cryptocurrencies on Nov. 11, 2022 after they SIM-swapped an AT&T customer by impersonating them at a retail store using a fake ID. However, the document refers to the victim in this case only by the name “Victim 1.”

Wired’s Andy Greenberg recently wrote about FTX’s all-night race to stop a $1 billion crypto heist that occurred on the evening of November 11:

“FTX’s staff had already endured one of the worst days in the company’s short life. What had recently been one of the world’s top cryptocurrency exchanges, valued at $32 billion only 10 months earlier, had just declared bankruptcy. Executives had, after an extended struggle, persuaded the company’s CEO, Sam Bankman-Fried, to hand over the reins to John Ray III, a new chief executive now tasked with shepherding the company through a nightmarish thicket of debts, many of which it seemed to have no means to pay.”

“FTX had, it seemed, hit rock bottom. Until someone—a thief or thieves who have yet to be identified—chose that particular moment to make things far worse. That Friday evening, exhausted FTX staffers began to see mysterious outflows of the company’s cryptocurrency, publicly captured on the Etherscan website that tracks the Ethereum blockchain, representing hundreds of millions of dollars worth of crypto being stolen in real time.”

The indictment says the $400 million was stolen over several hours between November 11 and 12, 2022. Tom Robinson, co-founder of the blockchain intelligence firm Elliptic, said the attackers in the FTX heist began to drain FTX wallets on the evening of Nov. 11, 2022 local time, and continuing until the 12th of November.

Robinson said Elliptic is not aware of any other crypto heists of that magnitude occurring on that date.

“We put the value of the cryptoassets stolen at $477 million,” Robinson said. “The FTX administrators have reported overall losses due to “unauthorized third-party transfers” of $413 million – the discrepancy is likely due to subsequent seizure and return of some of the stolen assets. Either way, it’s certainly over $400 million, and we are not aware of any other thefts from crypto exchanges on this scale, on this date.”

The SIM-swappers allegedly responsible for the $400 million crypto theft are all U.S. residents. But there are some indications they had help from organized cybercriminals based in Russia. In October 2023, Elliptic released a report that found the money stolen from FTX had been laundered through exchanges with ties to criminal groups based in Russia.

“A Russia-linked actor seems a stronger possibility,” Elliptic wrote. “Of the stolen assets that can be traced through ChipMixer, significant amounts are combined with funds from Russia-linked criminal groups, including ransomware gangs and darknet markets, before being sent to exchanges. This points to the involvement of a broker or other intermediary with a nexus in Russia.”

Nick Bax, director of analytics at the cryptocurrency wallet recovery firm Unciphered, said the flow of stolen FTX funds looks more like what his team has seen from groups based in Eastern Europe and Russian than anything they’ve witnessed from US-based SIM-swappers.

“I was a bit surprised by this development but it seems to be consistent with reports from CISA [the Cybersecurity and Infrastructure Security Agency] and others that “Scattered Spider” has worked with [ransomware] groups like ALPHV/BlackCat,” Bax said.

CISA’s alert on Scattered Spider says they are a cybercriminal group that targets large companies and their contracted information technology (IT) help desks.

“Scattered Spider threat actors, per trusted third parties, have typically engaged in data theft for extortion and have also been known to utilize BlackCat/ALPHV ransomware alongside their usual TTPs,” CISA said, referring to the group’s signature “Tactics, Techniques an Procedures.”

Nick Bax, posting on Twitter/X in Nov 2022 about his research on the $400 million FTX heist.

Earlier this week, KrebsOnSecurity published a story noting that a Florida man recently charged with being part of a SIM-swapping conspiracy is thought to be a key member of Scattered Spider, a hacking group also known as 0ktapus. That group has been blamed for a string of cyber intrusions at major U.S. technology companies during the summer of 2022.

Financial claims involving FTX’s bankruptcy proceedings are being handled by the financial and risk consulting giant Kroll. In August 2023, Kroll suffered its own breach after a Kroll employee was SIM-swapped. According to Kroll, the thieves stole user information for multiple cryptocurrency platforms that rely on Kroll services to handle bankruptcy proceedings.

KrebsOnSecurity sought comment for this story from Kroll, the FBI, the prosecuting attorneys, and Sullivan & Cromwell, the law firm handling the FTX bankruptcy. This story will be updated in the event any of them respond.

Attorneys for Mr. Powell said they do not know who Victim 1 is in the indictment, as the government hasn’t shared that information yet. Powell’s next court date is a detention hearing on Feb. 2, 2024.

Update, Feb. 3, 12:19 p.m. ET: The FBI declined a request to comment.