Bad cyber weather under the weekly cyber !
Alexandre BLANC Cyber Security
Advisor - ISO/IEC 27001 and 27701 Lead Implementer - Named security expert to follow on LinkedIn in 2024 - MCNA - MITRE ATT&CK - LinkedIn Top Voice 2020 in Technology - All my content is sponsored
Hopefully you use threat intelligence. I have a chance to leverage Flare Systems on a regular basis. As with any tool, it's how you use it, and how you work on the data, that defines the value you get out of it.
One has to know what to read and how to read it. One of the metrics I use is the number of new ransomware victims per day (out of the intelligence feed), and this week I saw an average of 30 organizations a day falling victim to attacks and leaks. This is why I speak about bad cyber weather (I also watch the Tor leak sites and so on, lots of OSINT).
I've been on another incident response too, aside from the ongoing one, and it's so annoying: an organization I spoke to a few weeks ago, and told about their posture that really needed some basic enhancements (and gave actionable recommendations, such as enable MFA, patch the systems, get an inventory / know what you have, etc.) ! Sadly, understaffed teams could not do what they wanted to, due to lack of resources.
We were about to deploy a managed secured solution to relieve them, just one day too late, and instead of a simple alert that could have been a minor issue handled with the SOC, it ended up being a major event. SentinelOne was as useless as usual (I always end up replacing it with managed Cynet, as at this time there is a huge difference, from my experience) ! I don't understand SentinelOne XDR; there must be something wrong with the default deployment people do, or so. It's not a product I use, but it's the product in place in more than 80% of the organizations where I deal with incident response. It's the product that failed to protect (lack of good configuration again ?!), and funnily, it's the product cyber insurances install to try to correct the situation. I don't understand how we got to this.
If you have SentinelOne, make sure your provider deployed it right with enforced controls configuration, because in most cases I've seen, it's not done, and the thing doesn't even see ransomware attacks, or shell drops. In one incident, we had to call the SOC, which finally went and dug into the SentinelOne logs to actually confirm there was an incident... well, the customer realized it before the SOC, sadly. I don't know what to say; this is straight from the field.
I'm not paid to share this; this is my take, from what I face in the field. I bet there are tons of successful deployments, otherwise the product would not be rated in the top XDR either. Choose your partners wisely. They should know their stuff.
Security by design and by default is still a target to reach.
Anyway, back to a higher level: what happened this week and key info I think you should not miss !
1 - I do like this take, especially the WFA as work from anywhere - Beyond the Buzz: Practical Approaches to Make Zero Trust Work for Your Organization
2 - The fewer apps you install, the less risk you take, as the cloud (the app store here, in the cloud) is massively poisoned - Newly found Android malware records audio, tracks your location
3 - Aligned with the point I made above: how reliable is this provider ? Where does their responsibility start, where does it stop ? What happens when they fail ? Prioritizing Third-Party Assessments By Leveraging Inherent Risk
4 - Chromium patch time ! Chromium Devs Fixed A “Crazy” HTML Parser Bug - Chromium is the open-source browser project on which Google builds Chrome.
5 - How are you protecting your #clowd workloads ? Cloud Native Application Protection Platform (CNAPP): An Evolving Approach to Cloud Security
6 - One less transnational crime money pipeline - Germany Shuts Down Russian Hydra Darknet Market; Seizes $25 Million in Bitcoin
7 - The threat landscape is worldwide, and you are targeted - Researchers Trace Widespread Espionage Attacks Back to Chinese 'Cicada' Hackers
8 - The #clowd is hacked - Hackers Breach Mailchimp Email Marketing Firm to Launch Crypto Phishing Scams
9 - Frightening and creepy news ! Windows 365, the PC in which you have no control, you own nothing, and big tech will watch your every move, every file, anything you type, copy, share, chat ! The ultimate big brother experience !
10 - Insider threat is always a big issue. One can wonder if the least privileges and need to know principles were applied - Cash App notifies 8.2 million US customers about data breach
11 - 2022, after thousands of organizations got hacked due to zero day for decades, finally : Microsoft adds on-premises Exchange, SharePoint to bug bounty program
12 - It's Android patch time ! Google’s monthly Android updates patch numerous “get root” holes (if your phone didn't get an update, it most likely is no longer supported, and you might want to address this -> new phone, or aftermarket OS)
13 - Capabilities of threat actors are continuously evolving, and you should have a solid security posture for all your attack surface to minimize the likelihood of incidents and their impact - New Borat remote access malware is no laughing matter
14 - Interesting tool coming here as Ermetic is launching a new open-source tool - Access Undenied on AWS
15 - Do not fall for the scam ! If you don't absolutely need the app, do not install it ! Criminal Hackers Distributing Fake Shopping Apps to Steal Banking Data of Malaysian Users (even legit apps are often a privacy nightmare)
16 - AMD owners are overclocking geeks, want it or not ? - AMD confirms GPU driver bug overclocks CPUs without permission
17 - Do not fall for the voice message scam ! Attackers Spoof WhatsApp Voice-Message Alerts to Steal Info
18 - Such a sad stat - Nearly Two-Thirds of Ransomware Victims Paid Ransoms Last Year, Finds "2022 Cyberthreat Defense Report"
19 - It's Palo alto patch time ! Palo Alto Networks firewalls, VPNs vulnerable to OpenSSL bug
20 - Retail being heavily targeted lately - UK retail chain The Works shuts down stores after cyberattack
21 - It's #vmware patch time ! VMware warns of critical vulnerabilities in multiple products
22 - Cloud security practitioners can learn about the best practices that reduce the threat of cyber attacks from groups like Lapsus$ - Lessons Learned in Cloud Security from Lapsus$ Surfacing
23 - The cloud is a huge target, a SPOF in a lot of cases, and fails to bring the shift expected in risk transfer. Seeing malware able to attack Lambda, the famous serverless computing service supposed to bring you peace of mind without having to manage the system, actually hacked (root cause undefined yet) ! Bad. First Malware Targeting AWS Lambda Serverless Platform Discovered
24 - Just don't install anything else than the strict minimum to reduce your attack surface - Android apps with 45 million installs used data harvesting SDK
25 - Repeated offense ! Server side request forgery - SSRF Flaw in Fintech Platform Allowed for Compromise of Bank Accounts
26 - I'm sure you are all familiar with SQL injections; well, times are changing as we are now in the NoSQL database era, so it's also time for NoSQL injection - How To Test And Prevent NoSQL Injections
27 - Enjoy GitLab's hardcoded password - GitLab hardcoded password allows bypassing OAuth, SAML, and LDAP while OmniAuth is enabled. Try password 123qweQWE!@#000000000
28 - Are you a Google cloud master JEDI ? (yes obvious reference to a big cloud contract that went sideways :) ) - Hidden Risk in the Default Roles of Google-Managed Service Accounts
29 - GitHub is getting better and aiming toward security by design and by default. This is very good ! GitHub can now alert of supply-chain bugs in new dependencies
30 - It's Ruby patch time ! straight, on rails - Popular Ruby Asciidoc toolkit patched against critical vuln – get the update now!
And that's it for this week ! Wishing you a great weekend ! Leave your comments: are you a SentinelOne expert ? What are the typical deployment failures ? If not, I suggest you always go for a fully managed solution, so you know you are not just thrown a tool and left to hope it works, while it may not.
See you in the next posts or next week !
2 years ago: On the #android topic raised in the newsletter https://www.bleepingcomputer.com/news/security/new-android-banking-malware-remotely-takes-control-of-your-device/
Chief Marketing Officer / CMO /Co-Founder/XCION
2 years ago: Morning, enjoying my coffee and reading up on the weekly cyber. Just finished my own yearly show at xcion.org. Tiktik SJ
Chief Information Security Officer (CISO)
2 years ago: Thank you Alexandre
Enterprise/Solution Architect, Re-designing Architectes; Moving to Clouds; Blockchain
2 years ago: I would say 'Bad cyber weather due to clouds'