Hi readers,
Every Monday, I share insights from leading CISOs through exclusive interviews, podcast summaries, and thought leadership articles. In this issue, Bruce Potter, CISO at Expel, discusses the challenges and opportunities of being a CISO during the COVID-19 pandemic.
Of course, this issue also includes the popular CYBER BREACH MONDAY feature, a summary of the latest data breaches from around the world, and a CYBERSECURITY MASTERCLASS with IDC's Joseph C. Pucciarelli, who recommends that CISOs take the lead in advising their organization's C-suite and board in moving to the "new normal" work environment.
On Wednesday, I am running my PATCH WATCH column to ensure you never miss a critical security update from leading vendors. On Thursday, I present my SECURITY TRENDS and PODCAST NOTES features.
To enjoy this great content and more, upgrade to premium! For a limited time, we are offering a 14-day free trial of our premium content.
Thanks for supporting my work during these unprecedented times!
Fred
Expel's Bruce Potter, who once worked as a senior technical advisor for President Obama’s Commission on Enhancing National Cyber Security, discusses the challenges and opportunities of being a CISO during the COVID-19 pandemic.
On the COVID-19 pandemic: "As a company, we are much more reliant on our technology than we were before the pandemic, particularly with respect to collaboration and communication tools."
On the biggest security threats: "From the latest Twitter hack to some of the earliest attacks on the Internet, social engineering is still the number one way companies get compromised."
On the evolving role of the CISO, he observed: "I expect CISOs to be elevated in organizational charts and be responsible for broader swaths of risk, not just cyber."
Click here to upgrade to premium and read the full interview!
President Donald Trump has approved a deal that would result in Oracle and Walmart teaming with TikTok to form a U.S. company. Under the agreement, Oracle would take a 12.5% stake and Walmart would take a 7.5% stake in the new TikTok, as part of an initial public offering of stock within the next year. Oracle would take over responsibility for hosting all TikTok's U.S. user data and securing computer systems to meet U.S. national security and data security requirements.
More:
- As reported by Inside Security, the Department of Commerce issued an order Friday that would have banned TikTok and WeChat from U.S. stores beginning Sunday. Commerce said Saturday that it would delay the order for TikTok until the end of day Sept. 27.
- A California court judge has temporarily blocked the Commerce Department's ban of the WeChat app.
- President Trump said that TikTok would be making a $5bn contribution to fund U.S. educational efforts as part of the deal, a claim that TikTok's parent company ByteDance disputes.
- ByteDance said it will retain an 80% stake in TikTok under the agreement. However, Oracle and Walmart issued a joint statement that U.S. investors will own a majority stake in a new company called TikTok Global that will emerge from the deal.
AP
CYBER BREACH MONDAY:
Every Monday, I summarize the most important breaches, so you stay up-to-date on the latest cybersecurity incidents. In today's issue:
College of Nurses of Ontario (Ontario, Canada): 195,000 breach victims; personal information on nurses who are members of the college may have been compromised in a ransomware attack.
Children's Minnesota (Minn.): 160,268 breach victims; network server hacking incident.
To read more, click here to upgrade to premium!
To read the rest of today's data breaches and get access to full newsletters on a daily basis, take advantage of our 14-day free trial offer for premium content!
Fileless malware is the most common attack method used by hackers against enterprises, making up 30% of all attacks. The second most popular attack vector is dual-use PowerShell tools (24%), followed by credential dumping tools (21%), ransomware (8%), worms (7%), remote access trojans (4%), and banking trojans (3%). The data was compiled by Cisco from its endpoint security product during the first half of 2020.
More from Cisco:
- Fileless malware is malicious code that runs in memory after the initial infection, instead of through files stored on the hard drives. Examples include Kovter, Poweliks, Divergent, and LemonDuck.
- Dual-use PowerShell tools can be used for legitimate purposes, such as penetration testing, as well as malicious activity. Examples include PowerShell Empire, CobaltStrike, Powersploit, and Metasploit.
- Credential dumping tools are used by attackers to scrape login credentials from a compromised computer. In the first half of 2020, the most popular of these tools was Mimikatz.
- Cisco also detected ransomware such as Ryuk, Maze, BitPaymer, and others; worms such as Ramnit and Qakbot; RATs like Corebot and Glupteba; and banking trojans such as Cridex, Dyre, Astaroth, and Azorult.
CISCO
CYBERSECURITY MASTERCLASS:
Joseph C. Pucciarelli, IDC group vice president and IT executive advisor, recommends that CIOs and CISOs take the lead in advising the organization's C-suite and board in the transition to the "new normal" work environment...
To read the rest of today's piece and receive this feature weekly, start your FREE 14-day trial of Inside Security Premium!
To read more of this post or any of Inside Security's other masterclasses (including last week's masterclass featuring IDC analyst Meredith Whalen, who predicts that companies will be prioritizing technology that supports a secure remote work environment this fall), take advantage of our 14-day FREE trial for our premium content!
Google's App Engine subdomains can be exploited to launch phishing attacks without being detected by enterprise security products. Marcel Afrahim, a cybersecurity researcher with JPMorgan Chase, found that the App Engine's subdomain generator could be abused to bypass security controls and send victims to malicious landing pages.
More:
- Cloud-based Google App Engine enables application developers to build web and mobile backends in any programming language on a serverless platform.
- Afrahim explained that an attacker could set up many invalid subdomains that direct victims to a central malicious app while hiding from security tools.
- Another researcher, Yusuke Osami, identified a list of more than 2,000 subdomains generated by App Engine that could be used as phishing landing pages disguised as a Microsoft sign-in portal.
TECH RADAR
The Cybersecurity and Infrastructure Security Agency (CISA) has issued an emergency directive instructing federal agencies to patch the Netlogon remote protocol vulnerability in Windows Server by 11:59 pm EDT Monday. The bug could enable an attacker with network access to a domain controller to compromise all Active Directory identity services. Microsoft issued a patch for the bug on Aug. 11.
More:
- CISA is also giving federal agencies until 11:59 pm EDT on Wednesday to verify that the patch has been applied.
- As reported in Inside Security, Dutch security firm Secura discovered that attackers could exploit the Netlogon bug to become a domain administrator of an enterprise network "with one click."
- The attack, dubbed Zerologon by Secura, exploits a weak algorithm used in Netlogon's authentication process.
CISA
Maze ransomware attackers are using a technique developed by the Ragnar Locker hackers, which distributes ransomware inside of a virtual machine (VM) to avoid detection. The Maze attackers placed the ransomware on the VM's virtual hard drive, which was delivered inside of a Windows .msi installer file larger than 700MB, explained Sophos' Managed Threat Response team.
More:
- In the Ragnar Locker incident, the attackers deployed the ransomware inside an Oracle VirtualBox Windows XP virtual machine.
- The Ragnar Locker ransomware group conducts reconnaissance on its target's network and steals sensitive data before encrypting systems.
- The Maze group demanded a $15M ransom, but the victim did not pay it.
SOPHOS
Distributed denial-of-service (DDoS) attackers targeted Tutanota, a Germany-based encrypted email service provider. The DDoS threat actors launched two attacks: one against the company's website and another against its Domain Name System (DNS) providers. The second one caused the most disruption, taking down the service for millions of users for several hours last week.
More:
- Tutanota said it could not change the DNS entries for its domain quickly enough to prevent the shutdown.
- Other leading encrypted email service providers include ProtonMail, Posteo, Kolab Now, Mailfence, and mailbox.org.
- As Inside Security reported last week, DDoS attacks surged 151% year-over-year in the first half of 2020.
BLEEPING COMPUTER
QUICK HITS:
- Federal government and private sector organizations are urging power companies to adopt security best practices in their incident response and recovery plans.
- The Mozi botnet has led to a spike in Internet of Things botnet activity, according to IBM.
- A bug in Mozilla's Firefox browser could enable a hacker to hijack nearby mobile browsers using Wi-Fi.
- Iranian group Rampant Kitten is targeting anti-regime organizations in a cyberattack campaign.
Fred Donovan is a professional writer, editor, and content specialist with decades of experience, most recently in the areas of information technology and cybersecurity. He has written for such publications as HealthITSecurity.com, FierceITSecurity, InfoSecurity Magazine, Report on Patient Privacy, TechGenix, and NetDefense. Fred has a B.A. from Harvard University in government and an M.S. in national security from Georgetown University.
Editor
Sheena Vasani is a journalist and UC Berkeley, Dev Bootcamp, and Thinkful alumna who writes Inside Dev and Inside NoCode.