Although the group relies on good old phishing to deliver Royal ransomware, researchers say DEV-0569 regularly uses new and creative discovery techniques to lure victims.

It generally starts with malvertising and ends with the deployment of Royal ransomware, but a new threat group has distinguished itself by its ability to innovate the malicious steps in between to lure in new targets.

The cyberattack group, tracked by Microsoft Security Threat Intelligence as DEV-0569, is notable for its ability to continuously improve its discovery, detection evasion, and post-compromise payloads, according to a report this week from the computing giant.

"DEV-0569 notably relies on malvertising, phishing links that point to a malware downloader posing as software installers or updates embedded in spam emails, fake forum pages, and blog comments," the Microsoft researchers said.

In just a few months, the Microsoft team observed the group's innovations, including hiding malicious links on organizations' contact forms; burying fake installers on legitimate download sites and repositories; and using Google ads in its campaigns to camouflage its malicious activities.

"DEV-0569 activity uses signed binaries and delivers encrypted malware payloads," the Microsoft team added. "The group, also known to rely heavily on defense evasion techniques, has continued to use the open-source tool Nsudo to attempt disabling antivirus solutions in recent campaigns."

The group's success positions DEV-0569 to serve as an access broker for other ransomware operations, Microsoft Security said.

**How to Combat Cyberattack Ingenuity**

New tricks aside, Mike Parkin, senior technical engineer at Vulcan Cyber, points out the threat group indeed makes adjustments along the edges of their campaign tactics, but consistently relies on users to make mistakes. Thus, for defense, user education is the key, he says.

"The phishing and malvertising attacks reported here rely entirely on getting users to interact with the lure," Parkin tells Dark Reading. "Which means that if the user doesn't interact, there is no breach."

He adds, "Security teams need to stay ahead of the latest exploits and malware being deployed in the wild, but there is still an element of user education and awareness that's required, and will always be required, to turn the user community from the main attack surface into a solid line of defense."

Making users impervious to lures certainly sounds like a solid strategy, but Chris Clements, vice president of solutions architecture at Cerberus Sentinel, tells Dark Reading it's "both unrealistic and unfair" to expect users to maintain 100% vigilance in the face of increasingly convincing social engineering ploys. Instead, a more holistic approach to security is required, he explains.

"It falls then to the technical and cybersecurity teams at an organization to ensure that a compromise of a single user doesn't lead to widespread organizational damage from the most common cybercriminal goals of mass data theft and ransomware," Clements says.

**IAM Controls Matter**

Robert Hughes, CISO at RSA, recommends starting with identity and access management (IAM) controls.

"Strong identity and access governance can help control the lateral spread of malware and limit its impact, even after a failure at the human and endpoint malware prevention level, such as stopping authorized individual from clicking on a link and installing software that they are allowed to install," Hughes tells Dark Reading. "Once you've ensured that your data and identities are safe, the fallout of a ransomware attack won't be as damaging — and it won't be as much of an effort to re-image an endpoint."

Phil Neray from CardinalOps agrees. He explains that tactics like malicious Google Ads are tough to defend against, so security teams must also focus on minimizing fallout once a ransomware attack occurs.

"That means making sure the SoC has detections in place for suspicious or unauthorized behavior, such as privilege escalation and the use of living-off-the-land admin tools like PowerShell and remote management utilities," Neray says.

DEV-0569 Ransomware Group Remarkably Innovative, Microsoft Cautions

How far can its government — or any government or private company — go to proactively disrupt cyber threats without causing collateral damage?

The Australian government's defiant proclamation recently that it would hack back against hackers that sought to target organizations in the country represents a break from the usual cautious manner in which nations have approached international cyber threats.

How effective the country's newly announced "joint standing operation against cybercriminal syndicates" will be remains an open question, as does the issue of whether other nations will follow suit. Also unclear is how far exactly law enforcement is willing to go to neutralize infrastructure that it perceives as being used in cyberattacks against Australian entities.

**Pressure for Hack-Back Legislation May Be Mounting**

"As it becomes more obvious that the majority of organizations are poorly prepared to defend themselves, I think it is justifiable for well-resourced governments to step in," says Richard Stiennon, chief research analyst at IT-Harvest. "I fully expect hack-back legislation to pass in response to some devastating attack that is visible to lots of voters. But I do not expect it to have teeth or change the landscape much."

Australian prime minister Anthony Albanese's government on Nov. 12 announced a joint initiative between the Australian Federal Police and the Australian Signals Directorate to "investigate, target and disrupt cybercriminal syndicates with a priority on ransomware threat groups."

The government launched the initiative following two major cyberattacks — one on telecommunications company Optus and the other on health insurer Medibank — that together exposed personally identifiable information (PII) and other sensitive information belonging to more than one-third of Australia's total population of some 26 million people.

The cyberattacks were among the largest in scope in the country's history and sparked considerable outrage and concern, especially after attackers began publicly leaking medical records (including abortion records) following Medibank's refusal to pay a demanded $10 million ransom. Some security researchers have pinned the blame for the ransomware attack on Medibank on Russia's notorious REvil threat group.

The Australian counter-hacking operation will prioritize cyber threats perceived as presenting the greatest threat to national interests. It will focus on intelligence gathering, identifying cybercrime ring leaders and networks, so law enforcement can intercept and disrupt operations and actors regardless of where they are operating from. Media outlets including the _Guardian_ quoted Australian home affairs minister Clare O'Neil promising to "day in, day out hunt down the scumbags" responsible for the recent attacks.

"The smartest and toughest people in our country are going to hack the hackers," the Guardian quoted O'Neil as saying.

**An Ongoing Practice**

The strong language notwithstanding, it's unclear how far exactly the Australian government will go — or can go — beyond what is already being done to disrupt cyber threats, especially those originating from outside its jurisdiction. Law enforcement and intelligence agencies in several countries, including the US, UK, and Australia itself, routinely are engaged in the kind of intelligence gathering and tracking down of cybercriminals that the Australian government said it would carry out under the new initiative.

"It is my belief that the U.S. has been taking action in the cyber-domain since at 2010 when US Cyber Command was stood up," Stiennon says. "Other countries like the Netherlands and Israel have also demonstrated their abilities to strike back at sophisticated attackers."

Such efforts have resulted in numerous infrastructure takedowns and arrests, indictments and convictions of cybercrime gang members and leaders over the years. Even major U.S. technology companies — often acting under the authority of court orders — have participated in these efforts: Examples include Microsoft's participation in the takedown of the Zloader botnet operation and its more recent disruption of the Seaborgium phishing operation out of Russia.

"Cybercriminal groups, despite the level of impunity they often operate under, are vulnerable to disruption," says Casey Ellis, founder and CTO of Bugcrowd. "In my opinion this makes proactive hunting a viable pursuit," he says, pointing to examples like law enforcement's takedown of the Conti and REvil group operations.

Since the sort of activity that the Australian government announced has been going on for quite some time now, Ellis says the recent announcement represents a doubling down on those efforts, designed to send a signal.

"Cybercriminal groups are far less effective when they distrust each other or feel as though they are actively targeted," Ellis says.

US lawmakers have on a few occasions attempted — and failed — to pass bills that would offer some legal backing for organizations that hack back against cyberattackers. One notable example was H.R. 4036, the Active Cyber Defense Certainty Act (ACDC) of 2017, which would have allowed hacking back as a defense measure on an organization's own network under certain circumstances.

Another bill in 2021, titled "Study on Cyber-Attack Response Options Act," would have required the US Department of Homeland Security to assess the benefits and consequences of amending the nation's current computer abuse law to provide provisions for hacking back at attackers.

The initiatives failed amid controversy, largely around concerns that innocent entities could be caught in the crossfire.

**The Need for Caution**

Security researchers too have long advocated the need for caution around proactive efforts to disrupt criminal infrastructure — or to hack back against operators — because of the difficulties around attribution and collateral damage.

Innocent organizations, for instance, can get disrupted from the takedown of a hosting provider that a threat actor might have used to launch attacks. The ability for threat actors to launch attacks that appear to originate from somewhere else is another reason why critics have noted hack-back initiatives are dangerous.

"In general, truly attributing an attack is quite difficult," says Erick Galinkin, principal researcher at Rapid7, a company that has been a staunch critic of hack-back bills such as ACDC. "Attribution may be one of the hardest problems in all of cybersecurity."

There are a number of reasons for this, but among the main ones is that attackers are happy to use victims to target other victims. This means that when a victim hacks back, they may in fact be targeting another victim rather than an attacker, he says. "Moreover, allowing private sector hack back is incredibly challenging from an oversight and accountability perspective — how could a determination be made about who took the first offensive action?" he asks.

There are also potential legal landmines to consider. A law that Georgia's state legislature passed in 2018 — but which the Governor later vetoed — contained a provision that in essence would have protected a company against legal liability if it conducted a hack-back operation against another entity so long as it was part of "active defense."

As Rapid7 has noted, the term "active defense" as used in the bill could have been interpreted in any number of ways, leading to potential misuse and unintended consequences. "Here is a hypothetical: Remotely breaking into and searching another person's computers to see if that person possesses stolen passwords that could potentially be used for unauthorized access," the company said.

The main con is that you don't want to get it wrong, especially when operating under government authority, Ellis from Bugcrowd agrees. "This type of activity certainly has the potential to escalate into an international incident," he says. "The upside is the opportunity to use the cyberattacker's advantage against them, thereby leveling the playing field a little better."

Nonetheless, there could be a growing appetite for such measures, Galinkin says, as the Australian bill shows. "Calls for bills such as the Active Cyber Defense Certainty Act and others may increase given the current cyber threat environment, but we as practitioners have a responsibility to continue to inform policymakers about the risks associated with allowing such activities."

Australia's Hack-Back Plan Against Cyberattackers Raises Familiar Concerns

Today, Talos is publishing a glimpse into the most prevalent threats we've observed between Nov. 11 and Nov. 18. As with previous roundups, this post isn't meant to be an in-depth analysis. Instead, this post will summarize the threats we've observed by highlighting key

Threat Round up for November 11 to 18

Threat hunting is the process of looking for malicious activity and its artifacts in a computer system or network. Threat hunting is carried out intermittently in an environment regardless of whether or not threats have been discovered by automated security solutions. Some threat actors may stay dormant in an organization's infrastructure, extending their access while waiting for the right

Threat hunting is the process of looking for malicious activity and its artifacts in a computer system or network. Threat hunting is carried out intermittently in an environment regardless of whether or not threats have been discovered by automated security solutions. Some threat actors may stay dormant in an organization's infrastructure, extending their access while waiting for the right opportunity to exploit discovered weaknesses.

Therefore it is important to perform threat hunting to identify malicious actors in an environment and stop them before they achieve their ultimate goal.

To effectively perform threat hunting, the threat hunter must have a systematic approach to emulating possible adversary behavior. This adversarial behavior determines what artifacts can be searched for that indicate ongoing or past malicious activity.

**MITRE ATT&CK**

Over the years, the security community has observed that threat actors have commonly used many tactics, techniques, and procedures (TTPs) to infiltrate and pivot across networks, elevate privileges, and exfiltrate confidential data. This has led to the development of various frameworks for mapping the activities and methods of threat actors. One example is the MITRE ATT&CK framework.

MITRE ATT&CK is an acronym that stands for MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK). It is a well-documented knowledge base of real-world threat actor actions and behaviors. MITRE ATT&CK framework has 14 tactics and many techniques that identify or indicate an attack in progress. MITRE uses IDs to reference the tactic or technique employed by an adversary.

**The Wazuh unified XDR and SIEM platform**

Wazuh is an open source unified XDR and SIEM platform. The Wazuh solution is made up of a single universal agent that is deployed on monitored endpoints for threat detection and automated response. It also has central components (Wazuh server, indexer, and dashboard) that analyze and visualize the security events data collected by the Wazuh agent. It protects on-premises and cloud workloads.

Figure 1: Wazuh security event dashboard

**Threat hunting with Wazuh**

Threat hunters use various tools, processes, and methods to search for malicious artifacts in an environment. These include but are not limited to using tools for security monitoring, file integrity monitoring, and endpoint configuration assessment.

Wazuh offers robust capabilities like file integrity monitoring, security configuration assessment, threat detection, automated response to threats, and integration with solutions that provide threat intelligence feeds.

**Wazuh MITRE ATT&CK module**

Wazuh comes with the MITRE ATT&CK module out-of-the-box and threat detection rules mapped against their corresponding MITRE technique IDs. This module has four components which are:

a. **The intelligence component of the Wazuh MITRE ATT&CK module**: Contains detailed information about threat groups, mitigation, software, tactics, and techniques used in cyber attacks. This component helps threat hunters to identify and classify different TTPs that adversaries use.

Figure 2: Wazuh MITRE ATT&CK Intelligence

b. **The framework component of the Wazuh MITRE ATT&CK module**: Helps threat hunters narrow down threats or compromised endpoints. This component uses specific techniques to see all the events related to that technique and the endpoints where these events happened.

Figure 3: Wazuh MITRE ATT&CK framework

c. **The dashboard component of the MITRE ATT&CK module**: Helps to summarize all events into charts to assist threat hunters in having a quick overview of MITRE related activities in an infrastructure.

Figure 4: Wazuh MITRE ATT&CK dashboard

d. **The Wazuh MITRE ATT&CK events component**: Displays events in real-time, with their respective MITRE IDs, to better understand each reported alert.

Figure 5: Wazuh MITRE ATT&CK events

**Wazuh rules and decoders**

Wazuh has out-of-the-box rules and decoders to parse security and runtime data generated from different sources. Wazuh supports rules for different technologies (e.g., Docker, CISCO, Microsoft Exchange), which have been mapped to their appropriate MITRE IDs. Users can also create custom rules and decoders and map each rule with its appropriate MITRE tactic or technique. This blog post shows an example of leveraging MITRE ATT&CK and Wazuh custom rules to detect an adversary.

**Security Configuration Assessment (SCA) module**

The Wazuh SCA module performs periodic scans in endpoints to detect system and application misconfigurations. It can also be used to scan for indicators of compromise, like malicious files and folders that have been created by malware. Analyzing software inventories, services, misconfigurations, and changes in the configuration on an endpoint can help threat hunters detect attacks underway.

Figure 6: Wazuh SCA dashboard

**Integration with threat intelligence solutions**

Due to its open source nature, Wazuh provides an opportunity to integrate with threat intelligence APIs and other security solutions. Wazuh integrates with open source threat intelligence platforms like Virustotal, URLHaus, MISP, and AbuseIPDB to name a few. Depending on the integration, relevant alerts appear in the Wazuh dashboard. Specific information, such as IP addresses, file hashes, and URLs, can be queried using filters on the Wazuh dashboard.

**File integrity monitoring**

File integrity monitoring (FIM) is used to monitor and audit sensitive files and folders on endpoints. Wazuh provides an FIM module that monitors and detects changes in specified directories or files on an endpoint's filesystem. The FIM module can also detect when files introduced to endpoints match hashes of known malware.

**Wazuh archives**

Wazuh archives can be enabled to collect and store all security events ingested from monitored endpoints. This feature assists threat hunters by providing them with data that can be used to create detection rules and stay ahead of threat actors. Wazuh archives are also helpful in meeting regulatory compliance where audit log history is required.

**Conclusion**

The MITRE ATT&CK framework helps to properly classify and identify threats according to discovered TTPs. Wazuh uses its dedicated MITRE ATT&CK components to display information about how security data from endpoints correspond to TTPs. The threat hunting capabilities of Wazuh help cybersecurity analysts to detect apparent cyber attacks as well as underlying compromises to infrastructure.

Wazuh is a free and open source platform that can be used by organizations with cloud and on-premises infrastructure. Wazuh has one of the fastest-growing open source community in the world, where learning, discussions, and support is offered at zero cost. Check out this documentation to get started with Wazuh.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Threat hunting with MITRE ATT&CK and Wazuh

The threat actors behind the Hive ransomware-as-a-service (RaaS) scheme have launched attacks against over 1,300 companies across the world, netting the gang $100 million in illicit payments as of November 2022.
"Hive ransomware has targeted a wide range of businesses and critical infrastructure sectors, including government facilities, communications, critical manufacturing, information

The threat actors behind the Hive ransomware-as-a-service (RaaS) scheme have launched attacks against over 1,300 companies across the world, netting the gang $100 million in illicit payments as of November 2022.

"Hive ransomware has targeted a wide range of businesses and critical infrastructure sectors, including government facilities, communications, critical manufacturing, information technology, and — especially — Healthcare and Public Health (HPH)," U.S. cybersecurity and intelligence authorities said in an alert.

Active since June 2021, Hive's RaaS operation involves a mix of developers, who create and manage the malware, and affiliates, who are responsible for conducting the attacks on target networks by often purchasing initial access from initial access brokers (IABs).

In most cases, gaining a foothold involves the exploitation of ProxyShell flaws in Microsoft Exchange Server, followed by taking steps to terminate processes associated with antivirus engines and data backups as well as delete Windows event logs.

The threat actor, which recently upgraded its malware to Rust as a detection evasion measure, is also known to remove virus definitions prior to encryption.

"Hive actors have been known to reinfect—with either Hive ransomware or another ransomware variant—the networks of victim organizations who have restored their network without making a ransom payment," the U.S. Cybersecurity and Infrastructure Security Agency (CISA) said.

According to data shared by cybersecurity company Malwarebytes, Hive compromised about seven victims in August 2022, 14 in September, and two other entities in October, marking a drop in activity from July, when the group targeted 26 victims.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Hive Ransomware Attackers Extorted $100 Million from Over 1,300 Companies Worldwide

An ongoing supply chain attack has been leveraging malicious Python packages to distribute malware called W4SP Stealer, with over hundreds of victims ensnared to date.
"The threat actor is still active and is releasing more malicious packages," Checkmarx researcher Jossef Harush said in a technical write-up, calling the adversary WASP. "The attack seems related to cybercrime as the attacker

An ongoing supply chain attack has been leveraging malicious Python packages to distribute malware called W4SP Stealer, with over hundreds of victims ensnared to date.

"The threat actor is still active and is releasing more malicious packages," Checkmarx researcher Jossef Harush said in a technical write-up, calling the adversary **WASP**. "The attack seems related to cybercrime as the attacker claims that these tools are undetectable to increase sales."

The findings from Checkmarx build on recent reports from Phylum and Check Point, which flagged 30 different modules published on the Python Package Index (PyPI) that were designed to propagate malicious code under the guise of benign-looking packages.

The attack is just the latest threat to target the software supply chain. What makes it notable is the use of steganography to extract a polymorphic malware payload hidden within an image file hosted on Imgur.

The installation of the package ultimately makes way for W4SP Stealer (aka WASP Stealer), an information stealer engineered to exfiltrate Discord accounts, passwords, crypto wallets, and other files of interest to a Discord Webhook.

Checkmarx's analysis further tracked down the attacker's Discord server, which is managed by a lone user named "Alpha.#0001," and the various fake profiles created on GitHub to lure unwitting developers into downloading the malware.

Furthermore, the Alpha.#0001 operator has been observed advertising the "fully undetectable" for $20 on the Discord channel, not to mention releasing a steady stream of new packages under different names as soon as they are taken down from PyPI.

As recently as November 15, the threat actor was seen adopting a new username on PyPI ("halt") to upload typosquatting libraries that leveraged StarJacking – a technique wherein a package is published with an URL pointing to an already popular source code repository.

"The level of manipulation used by software supply chain attackers is increasing as attackers get increasingly more clever," Harush noted. "This is the first time \[I've\] seen polymorphic malware used in software supply chain attacks."

"The simple and lethal technique of fooling using by creating fake GitHub accounts and sharing poisoned snippets has proven to trick hundreds of users into this campaign."

The development also comes as U.S. cybersecurity and intelligence agencies published new guidance outlining the recommended practices customers can take to secure the software supply chain.

"Customer teams specify to and rely on vendors for providing key artifacts (e.g. SBOM) and mechanisms to verify the software product, its security properties, and attest to the SDLC security processes and procedures," the guidance reads.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

W4SP Stealer Constantly Targeting Python Developers in Ongoing Supply Chain Attack

INTELBRAS SG 2404 MR 20180928-rel64938 allows authenticated attackers to arbitrarily create Administrator accounts via crafted user cookies.

O SG 2404 PoE é ideal para empresas que desejam ter uma estrutura de rede com suporte a esta tecnologia. Além de funções avançadas de gerenciamento, suas portas PoE (Power over Ethernet), permitem o tráfego de dados e energia elétrica através do mesmo cabo de rede, fornecendo alimentação e conectividade para câmeras e telefones IP, pontos de acesso wireless e outros dispositivos compatíveis com o padrão IEEE 802.3at e IEEE 802.3af.

Desempenho

Além de prover a redução de custos com infraestrutura e fornecer soluções flexíveis para projetos de todos os portes, o SG 2404 PoE possui diversos recursos de gerenciamento que proporcionam maior controle sobre a rede, alto desempenho, estabilidade e facilidade de configuração através da interface em português (web GUI). Pode prover até 30 W de potência por porta e até 180 W de potência total (todas as portas) com alcance máximo de 100 metros de distância.

Extensão da rede  
Possui 4 portas para a instalação de Mini-GBICs, que permitem a ampliação da rede em longas distâncias via fibra óptica. Os Mini-GBICs não precisam de alimentação externa, são alimentados pelo próprio switch e não exigem configuração, são Plug & Play. Além disso, não ocupam espaço extra no rack, já que são instalados diretamente nas portas dedicadas, e ainda podem ser inseridos ou removidos com o switch em funcionamento graças à tecnologia Hot Swap.

Solução PoE IP  
Pode ser utilizado com produtos que possuem tecnologia IP PoE, implementando uma plataforma única e proporcionando economia nos investimentos com infraestrutura. Além disso, é possível configurar a função PoE de diversas formas, permitindo priorizar o fornecimento de energia para as portas, verificar em tempo real o consumo dos equipamentos, programar horários para acionamento dos dispositivos PoE e identificar equipamentos conectados diretamente através do protocolo LLDP. 

Assista ao vídeo e conheça melhor o SG 2404 PoE:

CVE-2022-43308: Switch gerenciável 24 portas PoE Gigabit Ethernet | Intelbras

Elon Musk laid off half the staff, and mass resignations seem likely. If nobody’s there to protect the fort, what’s the worst that could happen?

In the Weeks since Elon Musk was forced to complete his acquisition of Twitter for $44 billion, the social network has been in a state of dramatic upheaval. Musk laid off more than half its workforce and fired more via public tweets. Digital infrastructure went on the fritz. And today, a reported 75 percent of staff refused to sign a pledge to work “long hours at high intensity," ostensibly triggering their resignations. It's now unclear who still works at Twitter.

In short, all hell is breaking loose at the bird site.

As the chaos mounts, one consequence inside the company could be less attention on digital security monitoring and fewer dedicated staffers working to defend Twitter from cyberattacks. And that could put the company and its users at increased risk of a massive data breach or other security incident.

The possibility of a Twitter breach is particularly worrying given a whistleblower report and congressional testimony this summer from Twitter's former chief security officer, Peiter Zatko, that alleged an already dire state of the company's internal defenses and access controls. In other words, the company already seemingly had security issues before Musk took over—and the situation may have gotten worse since.

The good news is that, unlike the credit bureau Equifax or Sony Pictures—both of which suffered breaches of incredibly sensitive user or internal information in the past eight years—Twitter doesn't broadly collect or store government-issued identity data like Social Security numbers, doesn't hold financial information about most of its users, and doesn't require users to input data like street addresses or birth dates. Plus, while not all tweets are shared publicly, most are. Yet Twitter still holds a vast and potentially extremely valuable trove of user data, including the contents of their direct messages and the social graph of who users have communicated and interacted with on the platform, as well as phone numbers, email addresses, and other potentially private details. Users can also opt into location-sharing in tweets, and the company has collected different user information at different times over the years, which could mean it holds more than you realize.

Users also have limited ability to delete their direct messages on Twitter. The chat platform offers the option to “Delete for You,” meaning you can delete messages in your own account, but you can't delete them for the users with whom you are DM'ing. And in general, Twitter has not stated firmly what its practices are with regard to deleting user data even when they deactivate their accounts. Twitter's policy on account deactivation simply says, “If you do not log back into your account for the 30 days following the deactivation, your account will be permanently deactivated. Once permanently deactivated, all information associated with your account is no longer available in our Production Tools.” Given that no form of the word “delete” appears there, it's difficult to parse the true meaning of the policy. 

Twitter did not return multiple requests for comment from WIRED about data deletion. Relatedly, the company's entire communications department has reportedly been let go.

Security researchers and incident responders emphasize, though, that a breach of Twitter's infrastructure or a data leak wouldn't necessarily focus on impacting users but could also reveal sensitive company information. And malicious control of Twitter's infrastructure could be weaponized in a number of ways to spread disinformation, stoke conflict, or even hijack Twitter's mobile apps.

“Twitter has seemingly neglected security for a very long time, and with all the changes, there is risk for sure,” says David Kennedy, CEO of the incident response firm TrustedSec, who formerly worked at the NSA and with the United States Marine Corps signal intelligence unit. “There’s a lot of work to be done to stabilize and secure the platform, and there is definitely an elevated risk from a malicious insider perspective due to all the changes occurring. As time passes, the probability of an incident lowers, but the security risks and technology debt are still there.”

A breach of Twitter could expose the company or users in myriad ways. Of particular concern would be an incident that endangers users who are activists, dissidents, or journalists under a repressive regime. With more than 230 million users, a Twitter breach would also have far-reaching potential consequences for identity theft, harassment, and other harm to users around the world. And from a government intelligence perspective, the data has already proved valuable enough over the years to motivate government spies to infiltrate the company, a threat the whistleblower Zatko said Twitter was not prepared to counter.

The company was already under scrutiny from the US Federal Trade Commission for past practices, and on Thursday, seven Democratic senators called on the FTC to investigate whether “reported changes to internal reviews and data security practices” at Twitter violated the terms of a 2011 settlement between Twitter and the FTC over past data mishandling. 

Were a breach to happen, the details would, of course, dictate the consequences for users, Twitter, and Musk. But the outspoken billionaire may want to note that, at the end of October, the FTC issued an order against the online delivery service Drizly along with personal sanctions against its CEO, James Cory Rellas, after the company exposed the data of roughly 2.5 million users. The order requires the company to have stricter policies on deleting information and to minimize data collection and retention, while also requiring the same from Cory Rellas at any future companies he works for.

Speaking broadly about the current digital security threat landscape at the Aspen Cyber Summit in New York City on Wednesday, Rob Silvers, undersecretary for policy at the Department of Homeland Security, urged vigilance from companies and other organizations. “I wouldn't get too complacent. We see enough attempted intrusions and successful intrusions every day that we are not letting our guard down even a little bit,” he said. “Defense matters, resilience matters in this space.”

Dan Tentler, a founder of the attack simulation and remediation firm Phobos Group who worked in Twitter security from 2011 to 2012, points out that while current chaos and understaffing within the company does create pressing potential risks, it also could pose challenges to attackers who might have difficulty in this moment mapping the organization to target employees who likely have strategic access or control within the company. He adds, though, that the stakes are high because of Twitter's scale and reach around the world.

“If there are insiders left within Twitter or someone breaches Twitter, there's probably not a lot standing in their way from doing whatever they want—you have an environment where there may not be a lot of defenders left,” he says.

Here’s How Bad a Twitter Mega-Breach Would Be

By Waqas
ExpressVPN’s study on the most common passwords around the world showed that 42% of people use their first name in their passwords, while 43% of them use their birth date.
This is a post from HackRead.com Read the original post: Study shows that 42% of people use their names in passwords

Password theft can make life significantly more difficult. Aside from benign major hassle, compromised passwords can easily lead to identity theft and cause serious legal issues. Therefore, it is worth paying attention to the strength of your passwords and changing them regularly or, at the latest, when you suspect your accounts have been compromised.

ExpressVPN’s study on the most common passwords around the world showed that 42% of people use their first name in their passwords, while 43% of them use their birth date. Since this information is easily traceable on social media, your accounts can be more prone to hacking attacks.

**How can someone find out my password?**

A compromised password allows unauthorized people to log into your accounts. Password compromise is usually not your fault; your data is not directly compromised on a specific computer. There’s no reason to automatically assume that an attacker has accessed or hacked your computer and is still watching it (these thoughts are only appropriate if you find that multiple passwords have been compromised in a relatively short period of time).

The most common reason is the theft of user’s personal data from various services. It is also conceivable that attackers could hack and obtain a database of users of a certain service (a so-called “Breach”) and then publish it. The password is then sold on the black market and can in fact be read by anyone. 

**How to protect yourself****Checking for fraudulent use**

You can easily check your password online. Take a look at the publicly available tools that can do this. Most of them work automatically and can send an alert when you enter your email address if they detect a leak or incident (containing your email address or password) as mentioned above.

The best-known monitoring tool is ”have I been pwned”. Here, after entering your email address, you can see which services or providers have been hacked and which user accounts have been compromised. If your account is listed, consider your password hacked and change it urgently. It is clear which one it is by looking at your password, even if it is not naturally displayed.

You can type the password directly into the Pwned Passwords tool (instead of looking for the associated email). The result is a notification of whether the password was part of a data breach and how many times it happened. The database contains over 613 million compromised passwords that have previously been proven to have been stolen.

Other password compromise checking services:

*   F-Secure
*   Firefox Monitor
*   Chrome browser
*   Avast Hack Check
*   Mirkat for Lenovo

**Discover weak and duplicated passwords at the administrator or keychain**

Password compromise detection or password weakness alerts should be available in any decent password manager. We’ve already covered them in our magazine, and you can find the best-known ones in a dedicated password managers section.

On some systems, passwords are stored in keychains that support the features mentioned above; for example, on iOS (iPhone) and macOS, the keychain warns if a password is weak or repeated across multiple services. Since iOS 14 and macOS Big Sur, the keychain can also keep track of compromised passwords. If your saved password has an exclamation mark icon next to it, you should change it right away.

1.  List of 2020’s most used passwords is here and it’s appalling
2.  Revealed: The 200 Most used and Worst Passwords of 2021
3.  Chrome on Android will alert, fix your compromised password
4.  Psst! tool by 1Password lets users share passwords using a link
5.  Nissan source code leaked, it used “admin” as username, password

**Use a password manager**

The average internet user uses so many services and apps that if they had to use unique passwords for each one, they would not be able to remember them. So, if you don’t want to give up security completely and use a single password, we recommend using a password manager.

Password managers may even suggest strong passwords, which is something to consider. Password suggestions are also built into some browsers or password manager plug-ins allow this feature. Artificial intelligence can judge better than the user what is a suitable and strong password.

The default setting for cloud-based password managers is to log in with 2FA. If you use a password manager on your phone, it usually has biometrics – fingerprint or facial recognition. This adds another layer of security to password access.

**Ustwo-factor authentication**

We regularly cover two-factor authentication (2FA) in our magazine, so the term is certainly not new to you. Simply put, 2FA adds an extra layer of protection to your login, so a simple password is no longer enough. To log in, you will still need to enter a one-time password (OTP), which is generated separately on the device you have. This is usually an app on your smartphone that shows you an OTP password for each “paired” service, which is valid for a very short period.

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

Study shows that 42% of people use their names in passwords

Mediatrix 4102 before v48.5.2718 allows local attackers to gain root access via the UART port.

DGW Application 48.5.2718

*   Summary
*   Security changes

**Summary**

ID

Synopsis

DGW-14973

SIP: Support additional DHE ciphers

DGW-15007

User passwords are now securely hashed

DGW-15338

OWASP: Disable access to internal UART

DGW-15442

CVE-2022-0778: Possible Denial of Service (DoS) from purposedly crafted TLS certificate

**Security changes  
**

**DGW-15442 - CVE-2022-0778: Possible Denial of Service (DoS) from purposedly crafted TLS certificate**

An important security flaw was found in the OpenSSL library affecting DGW version 48.4 and below. If exploited successfully, this vulnerability could cause the unit to reboot unexpectedly.

The CVE-2022-0778 has been addressed by upgrading the OpenSSL library to version 1.1.1n.

**DGW-15338 - OWASP: Disable access to internal UART**

Follow OWASP IoT Verification Requirement C.1:Verify that application layer debugging interfaces such USB, UART, and other serial variants are disabled or protected by a complex password.

**DGW-15007 - User passwords are now securely hashed**

User passwords are no longer saved in clear text, but instead saved in a cryptographically secure way, using the PBKDF2-HMAC-SHA256 hash algorithm.

Previously, when exporting a backup or configuration script, the passwords could be read in clear-text. Now, only the hashed passwords are visible.

A user cannot retrieve a forgotten password anymore, since it is impossible to reverse a hashed password into a clear-text password. In case all passwords are forgotten, a partial reset or factory reset can be done to restore to the factory initial passwords.

**DGW-14973 - SIP: Support additional DHE ciphers**

The SipEp service now supports the following DHE ciphers when using SIP over TLS:

*   TLS\_DHE\_RSA\_WITH\_AES\_128\_CBC\_SHA256
*   TLS\_DHE\_RSA\_WITH\_AES\_128\_GCM\_SHA256
*   TLS\_DHE\_RSA\_WITH\_AES\_256\_CBC\_SHA256
*   TLS\_DHE\_RSA\_WITH\_AES\_256\_GCM\_SHA384

**Copyright Notice**

Copyright 2022 Media5 Corporation.

This document contains information that is proprietary to Media5 Corporation.

Media5 Corporation reserves all rights to this document as well as to the Intellectual Property of the document and the technology and know-how that it includes and represents.

This publication cannot be reproduced, neither in whole nor in part, in any form whatsoever, without written prior approval by Media5 Corporation.

Media5 Corporation reserves the right to revise this publication and make changes at any time and without the obligation to notify any person and/or entity of such revisions and/or changes.

www.media5corp.com

Tag

#intel