The chip giant has developed new features and services to make it tougher for malicious hackers and insiders to access sensitive data from applications in the cloud.

INTEL INNOVATION 2022 -- San Jose, Calif. — Intel has announced new hardware and software features for Project Amber, a confidential computing service that interlaces hardware and software to attest and certify the trustworthiness of data, at its Innovation developer summit this week.

The enhancements include features to protect data from the time it leaves the system and is in transit, in use, or at rest in storage.

"This is a fundamental technology that Intel has been developing for years. The place where it's going to be the most important is in AI/ML models ... to make sure when you're running a model on the edge, it's not being pilfered, it's not being stolen, it's not being manipulated," said Intel CTO Greg Lavender during his Wednesday keynote.

Data is traveling farther when outside the data center, with multiple stopovers, until it reaches cloud services or completes a round trip to enterprise infrastructure. Information from sources like sensors are added as data moves along a telecom network, with stopovers and artificial intelligence (AI) chips ensuring only relevant data moves ahead.

Project Amber uses hardware and software techniques to verify that the packets of data and its origin device are trustworthy. That layer of trust between devices and waypoints when data is in transit is a form of assurance that a company's infrastructure and execution environment are secure, says Anil Rao, Microsoft vice president for systems architecture and engineering in the office of CTO.

"Gone are the days where the central hubs are simply the data movers," Rao says. "They're not simple data movers. They're intelligent data movers."

The confidential computing offering is important for an enterprise mixing its own datasets with information from third parties to strengthen AI learning models. Project Amber provides a way to ensure that data is coming from trusted sources, Rao says.

**Secure Enclaves**

Project Amber adds a stronger lockdown mechanism to protect data while it is being processed. The Trust Domain Execution (TDX) instructions, which are on the company's upcoming 4th Generation Xeon Scalable processor, can secure an entire virtual machine as a trusted enclave.

The data is locked down so even hypervisors — which manage and monitor virtual machines — can't peek into the confidential computing environment.

"Your application will still do a virtual machine entry and exit call, but during those calls the data is still encrypted," Rao says.

Today's computing environment in the cloud is built around virtual machines, and applications don't run directly off processors, says Steve Leibson, principal analyst at Tirias Research.

"When we ran on processors, we didn't need attestation because nobody was going to alter a Xeon. But a virtual machine — that's just software. You can alter it," Leibson says. "Attestation is trying to provide the same sort of rigidity to software machines as silicon does for hardware processors."

TDX is bigger in scope than Secure Guard Extensions (SGX), which is a secure area in the memory in which to push, run, and operate code. SGX, a common feature on Intel chips, is also a part of Project Amber.

Intel's Rao compares the scope of TDX and SGX to hotel rooms. If TDX was a trusted boundary in the form of a secure hotel room, SGX was a secure locker inside the hotel room.

Project Amber allows data to enter secure enclaves after matching numerical codes issued by Amber engines. If the codes match, data can enter the secure enclave; if not, entry is denied because data could have been altered, modified, or hacked in transit.

"It's almost like you're giving somebody your VIN number and saying, 'Is this the authentic VIN number for my car or has someone done something hanky-panky with that thing?'" Rao says.

Intel will also provide customers the ability to define their own policies to create a trusted execution environment.

"You may want to process everything in an East Coast data center versus a West Coast," Rao says. "What Amber says is that here is exactly what it is — your code did not pass the policy."

**Protection in the Clouds**

Amber will support multiple cloud service providers, but Intel didn't provide specific details.

"We want to make it multicloud so you don't need to have a different attestation mechanism as an enterprise when you go to different clouds," Rao says.

There are hundreds of millions of processors from Intel in data centers around the world, and bad actors have an established ability to break into servers and steal secrets, Tirias' Leibson says.

"It's a cat-and-mouse game, and Intel is constantly trying to develop new ways to prevent the bad guys from breaking into the servers and stealing secrets," Leibson says. "And it goes all the way from script kiddies, to teenagers who are just hacking around, to state-sponsored sites."

At some point, one has to think about protecting data in use, in motion, and in storage. Project Amber was thus inevitable, especially with computing moving farther away from homegrown infrastructure to the cloud, Leibson says.

Project Amber is still in the pilot phase as Intel gears the technology for computing models adopted by verticals. The chipmaker is working with research company Leidos to use Project Amber in the healthcare sector, which has many types of devices and sensors spread over large geographies and requires attestation to ensure systems receive only trustworthy data.

Intel Hardens Confidential Computing With Project Amber Updates

REDWOOD CITY, Calif., Sept. 27, 2022 /PRNewswire/ -- Delinea, a leading provider of Privileged Access Management (PAM) solutions for seamless security, today announced the latest release of DevOps Secrets Vault, its high-speed vault for DevOps and DevSecOps teams. New enhancements include development support on the most recent Mac computers, and improved secrets management usability through automation, intended to reduce development time and increase visibility.

According to a 2022 Crowdstrike report, 80% of cyber attacks involve stolen credentials, and in late 2021 Gartner listed managing machine identities as one of the top five cybersecurity and risk trends. Delinea strives to reduce the risk of using hardcoded credentials in applications and services by instead dynamically injecting secure credentials with Just-in-Time access from DevOps Secrets Vault.

Expanded Support for developers on Macs

With added support for the M1 chip, developers coding on the latest Macs can now benefit from using DevOps Secrets Vault's command line interface (CLI) and the DSV Engine (an agent supporting database dynamic secrets) as part of their toolset. Building upon its focus on seamless usability, Delinea continues to reduce friction that commonly arises when securing sensitive secrets and credentials, especially in fast-paced DevOps environments.

Continual interface improvements reduce friction for DevOps teams

Both the CLI and graphical interface receive continual usability and flexibility enhancements, allowing developers to work seamlessly in their preferred interface with their preferred tools while helping organizations decrease the risk of compromised credentials.

New features added to both interfaces include:

Expanded support for Security Information and Event Management (SIEM) functionality

A certified Ansible plugin for use on Ansible Automation Hub

Enhanced authentication methods

"The exponential growth of machine identities as applications are modernized and architected as micro-services continues to place organizations at increased risk," said Jason Michell, SVP of Engineering at Delinea. "Delinea's ongoing focus on making security seamless for developers is reflected in these recent enhancements, enabling them to use DevOps Secrets Vault to dynamically insert credentials in their code, in line with security best practices."

Organizations can try DevOps Secrets Vault for free at https://delinea.com/products/devops-secrets-management-vault.

**About Delinea**

Delinea is a leading provider of privileged access management (PAM) solutions that make security seamless for the modern, hybrid enterprise. Our solutions empower organizations to secure critical data, devices, code, and cloud infrastructure to help reduce risk, ensure compliance, and simplify security. Delinea removes complexity and defines the boundaries of access for thousands of customers worldwide. Our customers range from small businesses to the world's largest financial institutions, intelligence agencies, and critical infrastructure companies. Learn more about Delinea on LinkedIn, Twitter, and YouTube.

Latest Delinea Update Streamlines DevOps Security

Combination of two companies to help SAP customers streamline audit, compliance and control processes.

DALLAS, Sept. 27, 2022 /PRNewswire/ -- Pathlock, the leading provider of application security and controls automation for critical business applications, today announced the acquisition of Grey Monarch, a UK-based specialist SAP Partner dedicated to SAP Process Automation. The acquisition will strengthen Pathlock's vision of providing the industry's most complete 360-degree platform for application security and controls automation for the SAP ecosystem.

Since 2008, Grey Monarch has developed expertise in SAP Security, Segregation of Duties, SAP Licence Optimization, SAP Background Processing Automation and Secure Managed File Transfer. With this acquisition, the SAP community will benefit from the very best SAP Process Automation advice, implementation skills, and software and training capabilities, improving levels of security, enhancing their users' experience and streamlining audit, compliance and control procedures.

"It's now more imperative than ever for organizations to utilize a holistic view of user access and privileges so they can be managed, monitored and controlled to ensure the maximum protection of data, business processes and intellectual property," said David Lloyd, Director and Co-Founder, Grey Monarch. "Combining Grey Monarch's capabilities with the Pathlock family of expertise, resources and product portfolio will provide our customers, existing and new, with an unsurpassed visibility into their business applications."

"We're thrilled to complete the acquisition of Grey Monarch," said Piyush Pandey, CEO of Pathlock. "We continue to see a strong demand for our globally recognized application security and controls automation solutions, and know that with Grey Monarch's specialization in SAP process automation we can continue to enable our global customers to revolutionize the way they secure their sensitive financial and customer data."

In May 2022, Pathlock announced a $200M capital raise sponsored by Vertica Capital Partners alongside a merger with Appsian and Security Weaver and the acquisition of Belgium-based CSI Tools and Germany-based SAST SOLUTIONS. The company has successfully doubled in size in terms of revenue and employees and is now servicing over 1,400 customers across all major industries on a global scale with offices across the United States, Belgium, the UK, Germany, Israel and India.

**About Pathlock**

Pathlock is the leader in application security and controls automation. With Pathlock, enterprises can manage all aspects of access governance via a single platform, across applications, including user provisioning, ongoing User Access Reviews, segregation of duties, control testing, and audit preparation. Today, many of the world's most respected, global 2000 companies rely on Pathlock to protect their critical digital assets from financial, operational, regulatory and security threats, ensure corporate compliance and improve performance. Our customers have saved millions in employee productivity, labor costs, audit fees and data loss prevention.

Pathlock Expands SAP Capabilities with Acquisition of Grey Monarch

By Waqas
Hackers are actively using encrypted chat apps like Signal and Telegram to share stolen data belonging to the Iranian government, tutorials on how to hack, and use VPNs and Tor to bypass censorship.
This is a post from HackRead.com Read the original post: Hackers turn to Signal, Telegram and Dark Web to assist Iranian protestors

Anonymous hackers, **as exclusively reported by Hackread.com**, waged a series of cyber attacks against the Iranian government in support of protestors. Now, Check Point Research has identified multiple hacker groups using Signal, Telegram, and Dark Web to support anti-government protestors in Iran. Their main objective is to bypass government restrictions.

This observation comes just days after anti-government protests erupted in Iran after Mahsa Amini’s death. It is worth noting that on September 16th, 2022, a 22-year-old Iranian woman named **Mahsa Amini** died in Tehran, Iran, under Police custody. Amini was arrested for failure to follow government-mandated forms of the Hijab.

According to researchers at Check Point, hacker groups are supporting the current situation of unrest in Iran by aiding anti-regime protestors by sharing open VPN servers to help them evade government censorship and internet status reports. They also teach protestors and activities about hacking guides.

**More on Hackread.com**

1.  Anti-surveillance mask enables you to pass as someone else
2.  How to use Signal messenger face blur tool on Android & iOS
3.  SnoopSnitch — An App That Detects Govt’s Stingray Mobile Trackers
4.  Twitter Goes on Tor with New Dark Web Domain to Evade Censorship
5.  How to download and use Tor browser + Best Dark Web Search Engines

**Telegram groups**

Telegram groups boast a few hundred to thousands of members, such as the Official Atlas Intelligence Group (AIG) channel has 900 members and is involved in data leaking and selling. This group obtains official contact numbers, emails, and sensitive location maps of the regime and sells or leaks them online.

Additionally, they try to upsell IRGC’s private information. Similarly, the ARVIN Telegram group has 5000 members. This group covers protests in Iran and informs people about them with videos and reports from the streets.

RedBlue is another Telegram group identified by Check Point, which boasts 4000 members. This group focuses more on hacking guides and conversations. Another Telegram group has around 12,000 members.

Moreover, Signal and Tor Project are also used as potential platforms to offer proxies to Iranian citizens so that they can access the internet and avoid government censorship.

**VPNs**

According to Check Point’s **report**, some groups offer a list of VPNs and proxies to help people bypass censorship in Iran, whereas others help protestors access social media websites. Hacker groups allow Iranian citizens to communicate and share the news with each other and discuss what the government wants to avoid.

> “What we see are groups from the Telegram, dark web and also ‘regular’ web helping the protestors to bypass the restrictions and censorship that are currently in place by the Iranian Regime, as a way to deal with the protests. We began seeing these groups emerge roughly a day after the protests began.”

1.  Iran’s Top Tier Airline Mahan Air Hit by Cyberattack
2.  Hackers disrupt Iran’s prison computers; leak live footage
3.  Iranian Gas Stations Crippled After Suffering Cyberattack
4.  US seizes official website of Iranian state-owned Press TV
5.  Hacker leaks 150 million user records from Iranian Raychat app

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

Hackers turn to Signal, Telegram and Dark Web to assist Iranian protestors

A memory corruption vulnerability exists in the libpthread linuxthreads functionality of uClibC 0.9.33.2 and uClibC-ng 1.0.40. Thread allocation can lead to memory corruption. An attacker can create threads to trigger this vulnerability.

**SUMMARY**

A memory corruption vulnerability exists in the libpthread linuxthreads functionality of uClibC 0.9.33.2 and uClibC-ng 1.0.40. Thread allocation can lead to memory corruption. An attacker can create threads to trigger this vulnerability.

**CONFIRMED VULNERABLE VERSIONS**

The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.

uClibC 0.9.33.2  
uClibC-ng 1.0.40  
Anker Eufy Homebase 2 2.1.8.8h

**PRODUCT URLS**

uClibC-ng - https://uclibc-ng.org Eufy Homebase 2 - https://us.eufylife.com/products/t88411d1 uClibC - https://www.uclibc.org/

**CVSSv3 SCORE**

8.1 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

**CWE**

CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer

**DETAILS**

uClibC and uClibC-ng are both standalone replacements for glibc. uClibC and uClibC-ng are significantly smaller and easily portable to various architectures and embedded environments.

Libpthread is an extremely common library in a very large subset of unix-based devices, providing lightweight threading for processes. Libpthread built with uClibC using the linuxthreads.old implementation, or with uClibC-ng using the linuxthreads implementation, are both vulnerable to a memory corruption that occurs when a large number of threads are created. Both of these libraries have been used extensively in the Buildroot project with the uClibC option of linuxthreads(stable/old) and the uClibC-ng option of linuxthreads for threading implementation within the Buildroot menuconfig.

When a call to pthread_create occurs, pthread_handle_create is called during the initialization of the thread.

    static int pthread_handle_create(pthread_t *thread, const pthread_attr_t *attr,
                     void * (*start_routine)(void *), void *arg,
                     sigset_t * mask, int father_pid,
                     int report_events,
                     td_thr_events_t *event_maskp)
    {
      size_t sseg;
      int pid;
      pthread_descr new_thread;
      char * new_thread_bottom;
      char * new_thread_top;
      pthread_t new_thread_id;
      char *guardaddr = NULL;
      size_t guardsize = 0;
      int pagesize = getpagesize();
      int saved_errno = 0;
    
      /* First check whether we have to change the policy and if yes, whether
         we can  do this.  Normally this should be done by examining the
         return value of the sched_setscheduler call in pthread_start_thread
         but this is hard to implement.  FIXME  */
      if (attr != NULL && attr->__schedpolicy != SCHED_OTHER && geteuid () != 0)
        return EPERM;
      /* Find a free segment for the thread, and allocate a stack if needed */
      for (sseg = 2; ; sseg++)                                                         [1]
        {
          if (sseg >= PTHREAD_THREADS_MAX)
        return EAGAIN;
          if (__pthread_handles[sseg].h_descr != NULL)
        continue;
          if (pthread_allocate_stack(attr, thread_segment(sseg), pagesize,               [2]
                                     &new_thread, &new_thread_bottom,
                                     &guardaddr, &guardsize) == 0)     
          break;
          ...
    

At [1] the segments incremented as threads are created. Threads can be created up to the PTHREAD_THREADS_MAX limit, and for each thread being created the stack will be allocated using pthread_allocate_stack at [2]. thread_segment is an inlined function that is responsible for decrementing the starting address of the stack

    static __inline__ pthread_descr thread_segment(int seg)
    {
      return (pthread_descr)(THREAD_STACK_START_ADDRESS - (seg - 1) * STACK_SIZE)
             - 1;
    }
    

In both of these code bases THREAD_STACK_START_ADDRESS is 0x40000000000m, but is a machine specific variable, and STACK_SIZE is 2 MB by default for all machines. This means that this condition is far more likely to be seen in 32-bit memory spaces. Once the pointer has been calculated it is passed on to pthread_allocate_stack.

      static int pthread_allocate_stack(const pthread_attr_t *attr,
                                      pthread_descr default_new_thread,
                                      int pagesize,
                                      pthread_descr * out_new_thread,
                                      char ** out_new_thread_bottom,
                                      char ** out_guardaddr,
                                      size_t * out_guardsize)
    {
      pthread_descr new_thread;
      char * new_thread_bottom;
      char * guardaddr;
      size_t stacksize, guardsize;
    
        ...
        else {
          stacksize = STACK_SIZE - pagesize;
          if (attr != NULL)
            stacksize = MIN(stacksize, roundup(attr->__stacksize, pagesize));
          /* Allocate space for stack and thread descriptor at default address */
          new_thread = default_new_thread;
          new_thread_bottom = (char *) (new_thread + 1) - stacksize;
          if (mmap((caddr_t)((char *)(new_thread + 1) - INITIAL_STACK_SIZE),               [3]
                   INITIAL_STACK_SIZE, PROT_READ | PROT_WRITE | PROT_EXEC,
                   MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED | MAP_GROWSDOWN,
                   -1, 0) == MAP_FAILED)     
            return -1;
    

Within pthread_allocate_stack as long as a stack hasn’t been provided (already allocated), new allocations occur using the mmap call at [3]. This call includes the flag MAP_FIXED which forces mmap to take the address provided as the required address of the allocation, instead of as a hint. As sseg is incremented, the allocation moves to lower memory addresses for each allocation, eventually overwriting loaded libraries or even the code of the application itself.

Both vulnerabilities center around an issue while creating thread stacks using mmap with the MAP_FIXED flag. The manual page of mmap has the following information on MAP_FIXED

    MAP_FIXED
                  Don't interpret addr as a hint: place the mapping at
                  exactly that address.  addr must be suitably aligned: for
                  most architectures a multiple of the page size is
                  sufficient; however, some architectures may impose
                  additional restrictions.  If the memory region specified
                  by addr and length overlaps pages of any existing
                  mapping(s), then the overlapped part of the existing
                  mapping(s) will be discarded.  If the specified address
                  cannot be used, mmap() will fail.
    

By using MAP_FIXED, creating a large number of threads will remap any memory for use by the thread. This generally will first remap libraries loaded into the memory space of an application.

The vulnerable code within the latest version of uClibC is based on the linuxthreads.old implementation. A newer implementation based on linuxthreads is also present, and aptly named linuxthreads. The linuxthreads.old implementation is present in older versions of Buildroot and presented as linuxthreads (stable/old), compared to just linuxthreads. All images built based on the stable/old implementation are vulnerable. Since uClibC-ng is a fork of the original uClibC code, it stands that the vulnerability was present at the time of the code fork,. Since that time, the code has diverged into unique codebases.uClibC-ng only has a single linuxthreads implementation within the codebase, and as such, any linuxthreads\-based implementation of libpthread is vulnerable. All new versions of Buildroot that rely upon uClibC-ng will present this vulnerable implementation as a possible option for the threading implementation in the image.

**TIMELINE**

2022-05-04 - Vendor Disclosure  
2022-05-17 - Vendor Disclosure  
2022-05-17 - Initial Vendor Contact  
2022-09-22 - Public Release

Discovered by Lilith &gt;\_&gt; of Cisco Talos.

CVE-2022-29503: TALOS-2022-1517 || Cisco Talos Intelligence Group

Categories: Business
With a few best practices, local governments can improve their cybersecurity posture and make it less likely that threat actors attack their systems. We’ll break down five best practices for local government cybersecurity in this post.



(Read more...)




The post Local government cybersecurity: 5 best practices appeared first on Malwarebytes Labs.

It seems like not a day goes by where we don’t hear about a local government cyberattack. Indeed, from 911 call centers to public schools, cyberattacks on local governments are as common as they are devastating. 

Just how often do threat actors attack local governments? A survey of 14 mainly larger US local governments found that just over half of respondents said they suffer attacks constantly, more than a quarter said hourly, and 14.3% said daily. 

Local governments continue to be a common cyberattack target for two big reasons. The first is that they handle troves of sensitive data, especially personally identifiable information (PII), and the second is that they operate on shoestring budgets with little to no cybersecurity staff or leadership buy-in. 

Now, factor in these two reasons with the sheer number of local governments out there in the United States—90,075 units—and you have a huge, vulnerable, and valuable target. Sounds like easy pickings for attackers, but it doesn’t have to be. 

With a few best practices, local governments can improve their cybersecurity posture and make it less likely that threat actors attack their systems. We’ll break down five best practices for local government cybersecurity in this post.

****Table of Contents********1\. Take cybersecurity assessments to find and address weaknesses********2\. Adopt the fundamentals********3\. Partner up!********4\. Build a playbook for ransomware response and recovery********5\. Consider outsourcing******1\. Take cybersecurity assessments to find and address weaknesses**

Cybersecurity consultants and the professional literature agree: You should adopt cybersecurity policies such as the NIST Framework to help prevent and respond to attacks. And a key part of building out any cybersecurity policy for your local government is to develop an organizational understanding of risk to systems, people, data, and so on. 

There are tons of free cybersecurity assessments for Federal, State, Local, Tribal and Territorial (SLTT) governments that you can take to get started. After performing the assessments, you can compare your results to the criteria of NIST to identify gaps, as well as deficiencies to be improved.

1.  **Cyber Infrastructure Survey (CIS)**: A free assessment of essential cybersecurity practices in-place for critical services. Also conducted by the DHS.
2.  **Cyber Resilience Review (CRR)**: The CRR assessment evaluates your organization’s operational resilience and cybersecurity practices. Conducted free of charge by the US Department of Homeland Security (DHS)
3.  **Phishing Campaign Assessment (PCA)**: Evaluates an organization’s susceptibility and reaction to phishing emails. Conducted free of charge by the National Cybersecurity Assessments and Technical Services (NCATS) team.
4.  **Cybersecurity Evaluation Tool (CSET®)**: A stand-alone desktop application that guides asset owners evaluate their cybersecurity posture against recognized standards. Also delivered free of charge by the NCATS team.
5.  **Risk and Vulnerability Assessment (RVA)** One-on-one engagement to give organizations an actionable risk analysis report containing remediation recommendations prioritized by severity and risk.

**2\. Adopt the fundamentals  **

The unfortunate reality is that an inability to pay competitive salaries, insufficient number of staff, and lack of funds are big barriers to local government cybersecurity. However, there’s still plenty of important cybersecurity fundamentals that local governments should try to adopt to the fullest extent possible. 

Take cyber insurance, for example. Cyber insurance can prevent local governments from having to pay huge out of pocket costs in the event that they’re hit with a cyberattack. Baltimore learned this the hard way. 

(An important caveat here is that cyber insurance is becoming increasingly expensive: check out our article on 4 ways to save money on cyber insurance).

Cybersecurity best practices don’t just help you stay safe—they can also make you eligible for grant funding. In particular, local governments looking to be eligible for the State and Local Cybersecurity Grant Program must include these best practices in their cybersecurity plan:

1.  **Multi-factor authentication (MFA)**
2.  **Enhanced logging**
3.  **Data encryption for data at rest and in transit**
4.  **End use of unsupported/end of life software and hardware that are accessible from the Internet** 
5.  **Prohibit use of known/fixed/default passwords and credentials** 

In addition, only 23% of local governments have adopted the .gov domain, meaning a majority of local governments are missing out on one of the simplest ways to strengthen their cybersecurity posture. Sponsored by CISA, the Cybersecurity and Infrastructure Security Agency, the .gov domain comes with several key security benefits:

*   MFA is enforced on all accounts in the .gov registrar, and user accounts cannot use passwords that have been found in known data breaches.
*   It ‘preloads’ all new domains, which lets web browsers know to always use HTTPS to connect with any website on that domain.
*   CISA, GSA, and the National Institute of Standards and Technology (NIST) help monitor for issues in the namespace

To obtain a .gov domain or to learn more, check out some of the resources below. 

*   **https://home.dotgov.gov/registration.** 
    
*   **https://home.dotgov.gov/registration/requirements/** 
    
*   **https://home.dotgov.gov/help/** 
    

**3\. Partner up!**

Local governments may be resource-constrained, but the good news is that they don’t have to face cybersecurity alone. State governments, together with Federal, university, and even nonprofit partners, can be strong allies to local government cybersecurity.

*   **Federal partners**: Local governments are encouraged to report cyber incidents to a federal entity so they can receive relevant asset response, threat response, and threat intelligence services. Partnering with your local fusion center is a good idea as well.
    

*   **State partners**: The level of state-local cybersecurity support will vary by state, but can include assessments, exercises, and consulting services. In Michigan’s Cyber Partners Program, for example, local communities receive services from a CISO-level consultant.
    
*   **University partners**: Partnering with universities can help local governments get access to talent, technological insights, even real-time network security monitoring.
    
*   **Nonprofit partners**: Local governments involved with the Multi-State Information Sharing & Analysis Center (MS-ISAC) get free resources for cyber threat prevention, protection, response, and recovery.
    

**4\. Build a playbook for ransomware response and recovery **

For local governments especially, a ransomware attack is a matter of ‘when’ and not ‘if’. However, they might not have the budget or staff to implement and use anti-ransomware solutions such as Endpoint Detection and Response (EDR).

Fortunately, you don’t need any fancy technology to start building a solid ransomware response and recovery plan. NIST recommends that organizations follow these steps to accelerate their recovery, among others: 

*   **Develop an incident recovery plan**: Establish a plan that has a Cyber Incident Response Team (CIRT) with clearly identified roles, responsibilities, and contacts ahead of time, then regularly exercise that plan.
    

*   **Data backup and restoration strategy**: Backups are a prime target for attackers, so keep multiple copies of your data, and make sure at least one of them is online.
    

*   **Know who you’re going to contact**: Maintain an up-to-date list of internal and external stakeholders to contact in the event of an attack, which may include senior management, PR, your legal team, insurance providers, vendors, and law enforcement.
    

In our Ransomware Emergency Kit, you'll find more resources your local government needs to understand threats, prevent attacks, and defend against cybercriminals.

**5\. Consider outsourcing**

Though CISOs might be wary about having their data handled by an outside organization, many local governments rely on vendors and managed service providers (MSPs) to provide some or all of their cybersecurity operations. 

A 2020 survey of 165 municipalities found 50.9% outsourced some of their cybersecurity functions, with almost 60% citing “Lack of local skilled professionals” as a reason for outsourcing. Some of functions commonly outsourced are:

*   **All cybersecurity needs**
    
*   **24/7 monitoring of cyber threats**
    
*   **24/7 monitoring of Intrusion Prevention System (IPS)**
    
*   **Incident response** 
    
*   **Network monitoring** 
    
*   **Employee security awareness training**
    

“By working with a trusted partner or service provider, local governments can fast track to get their security stack up to par,” said David Pier, Team Lead, Corporate Solutions Engineering at Malwarebytes. “Many frameworks and security plans can take upwards of multiple years to successfully implement and audit for certification. If they can pass this work along to their partners, it circumvents the need for them to commit to a lengthy process in addition to the complexity of implementation.”

Read “Risk Considerations for Managed Service Provider Customers” from CISA for more information for local governments choosing an MSP.

****_Related_:** ******Cyber threat hunting for SMBs: How MDR can help********EDR vs MDR vs XDR – What’s the Difference?******Enhancing local government cybersecurity**

A lack of funding and staff makes local government cybersecurity tough, period. 

However, if every local government implemented these five best cybersecurity practices today, they could dramatically lessen the likelihood and fallout of an attack—and increase eligibility for the State and Local Cybersecurity Grant Program while they're at it.

Malwarebytes has ample experience providing local governments and public schools with effective, intuitive, and inclusive cyberprotection. Read the case studies below to learn more:

*   **City of Vidalia gains a ransomware and vulnerability-free zone**
*   **University of Illinois turns to Malwarebytes in the search for an endpoint remediation solution**
*   **Shaker Heights Schools uses Malwarebytes to help remediate ransomware infection**

Check out our government case studies and education pages for more information.

Local government cybersecurity: 5 best practices

By Deeba Ahmed
APT28 or Fancy Bear is linked with the Russian military intelligence unit called GRU.
This is a post from HackRead.com Read the original post: Fancy Bear Hackers Distributing Graphite Malware using PowerPoint Files

Fancy Bear, aka APT28, is a Russian state-sponsored threat actor. The group is back in action and utilizing a new code execution method that exploits mouse movement in MS PowerPoint files to distribute Graphite malware.

For your information, APT28/Fancy Bear is linked with a Russian military intelligence unit called GRU. This is the same group that was blamed for hacking MH17 flight crash investigators with a spear-phishing campaign in October 2016. In 2018, the group was accused of sending death threats to US army wives posing as ISIS.

**Campaign Details**

According to threat intelligence firm Cluster 25, Fancy Bear used mouse movements in MS PowerPoint presentations to execute a malicious PowerShell script. The group leverages the SyncAppvPublishingServer utility for this purpose.

In its technical report, Cluster25 stated that the attack starts right after the user runs the presentation mode and uses the mouse. A PowerShell script is run, and a dropper from OneDrive is downloaded and executed.

The .ppt files have two slides with instructions in French and English, while the interpretation option is available in the Zoom app. The image file is an encrypted DLL file, which is decrypted and dropped in the ‘C:\\ProgramData\\’ directory,’ it is run later through rundll32.exe, and a registry key is also created to ensure persistence.

The dropper is a harmless-looking image file that functions as a pathway for a follow-on payload. This is a Graphite malware variant. It uses the Microsoft Graph API and OneDrive to carry out C2 communications and retrieve additional payloads. Fancy Bear uses a valid OAuth2 token and a fixed client ID to access the service.

PowerShell Script

**More Fancy Bear News**

1.  Anti-theft software LoJack hijacked by Fancy Bear
2.  Republican & Conservative leaders targeted by Fancy Bear
3.  Fancy Bear Spy on VIP Hotel Guests with Leaked NSA Tool
4.  Fancy Bear’s VPNfilter malware is back with 7 new modules
5.  Hackers alter stolen emails for clandestine attacks against Putin’s critics

**Attack Method Analysis**

The attack, according to the company’s report, entails using a lure document with a template linked to the Parish-based entity OECD (Organization for Economic Co-operation and Development).

Researchers noted that these attacks are ongoing since the URLs used in the attack were active between August and September. However, they also said that hackers had started prepping for the campaign in January.

> “When opening the lure document in presentation mode and the victim hovers the mouse over a hyperlink, a malicious PowerShell script is activated to download a JPEG file (“DSC0002.jpeg”) from a Microsoft OneDrive account.”
> 
> Cluster 25

**Potential Targets**

this campaign’s potential targets include individuals and organizations in the government and defense sectors. Fancy Bear is primarily targeting entities in Eastern Europe and Europe. This indicates that Fancy Bear aims to achieve specific objectives, considering the geographic focus of the gang.

Fancy Bear Hackers Distributing Graphite Malware using PowerPoint Files

Every year, billions of credentials appear online, be it on the dark web, clear web, paste sites, or in data dumps shared by cybercriminals. These credentials are often used for account takeover attacks, exposing organizations to breaches, ransomware, and data theft. 
While CISOs are aware of growing identity threats and have multiple tools in their arsenal to help reduce the potential risk, the

Every year, billions of credentials appear online, be it on the dark web, clear web, paste sites, or in data dumps shared by cybercriminals. These credentials are often used for account takeover attacks, exposing organizations to breaches, ransomware, and data theft.

While CISOs are aware of growing identity threats and have multiple tools in their arsenal to help reduce the potential risk, the reality is that existing methodologies have proven largely ineffective. According to the 2022 Verizon Data Breach Investigations Report, over 60% of breaches involve compromised credentials.

Attackers use techniques such as social engineering, brute force, and purchasing leaked credentials on the dark web to compromise legitimate identities and gain unauthorized access to victim organizations' systems and resources.

Adversaries often leverage the fact that some passwords are shared among different users, making it easier to breach multiple accounts in the same organization. Some employees reuse passwords. Others use a shared pattern in their passwords among various websites. An adversary can use cracking techniques and dictionary attacks to overcome password permutations by leveraging a shared pattern, even if the password is hashed. The main challenge to the organization is that hackers only need a single password match to break in.

To effectively mitigate their exposure, given current threat intelligence, organizations need to focus on what is exploitable from the adversary's perspective.

Here are five steps organizations should take to mitigate credentials exposure:

**Gather Leaked Credentials Data**

To start addressing the problem, security teams need to collect data on credentials that have been leaked externally in various places, from the open web to the dark web. This can give them an initial indication of the risk to their organization, as well as the individual credentials that need to be updated.

**Analyze the Data**

From there, security teams need to identify the credentials that could actually lead to security exposures. An attacker would take the username and password combinations (either cleartext or hashed), then try to use them to access services or systems. Security teams should use similar techniques to assess their risks. This includes:

*   Checking if the credentials allow access to the organization's externally exposed assets, such as web services and databases
*   Attempting to crack captured password hashes
*   Validating matches between leaked credential data and the organization's identity management tools, such as Active Directory
*   Manipulating the raw data to increase the achieved number of compromised identities. For example, users commonly use the same password patterns. Even if the leaked credentials do not allow access to external-facing assets or match Active Directory entries, it may be possible to find additional matches by testing variations.

**Mitigate Credential Exposures**

After validating the leaked credentials to identify actual exposures, organizations can take targeted action to mitigate the risk of an attacker doing the same. For instance, they could erase inactive leaked accounts in Active Directory or initiate password changes for active users.

**Reevaluate Security Processes**

After direct mitigation, security teams should evaluate whether their current processes are safe and make improvements where possible. For instance, if they are dealing with many matched leaked credentials, they may recommend changing the entire password policy across the organization. Similarly, if inactive users are found in Active Directory, it may be beneficial to revisit the employee offboarding process.

**Repeat Automatically**

Attackers are continuously adopting new techniques. Attack surfaces change, with new identities being added and removed on a routine basis. Similarly, humans will always be prone to accidental mistakes. As a result, a one-time effort to find, validate, and mitigate credential exposures is not enough. To achieve sustainable security in a highly dynamic threat landscape, organizations must continuously repeat this process.

However, resource-constrained security teams cannot afford to manually perform all these steps on a sufficient cadence. The only way to effectively manage the threat is to automate the validation process.

Pentera offers one way for organizations to automatically emulate attackers' techniques, attempting to exploit leaked credentials both externally and inside the network. To close the validation loop, Pentera provides insights into full attack paths, along with actionable remediation steps that allow organizations to efficiently maximize their identity strength.

To find out how Pentera can help you reduce your organization's risk of inadvertent credential exposure, contact us today to request a demo.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Five Steps to Mitigate the Risk of Credential Exposure

Several hacktivist groups are using Telegram and other tools to aid anti-government protests in Iran to bypass regime censorship restrictions amid ongoing unrest in the country following the death of Mahsa Amini in custody.
"Key activities are data leaking and selling, including officials' phone numbers and emails, and maps of sensitive locations," Israeli cybersecurity firm Check Point said in

Several hacktivist groups are using Telegram and other tools to aid anti-government protests in Iran to bypass regime censorship restrictions amid ongoing unrest in the country following the death of Mahsa Amini in custody.

"Key activities are data leaking and selling, including officials' phone numbers and emails, and maps of sensitive locations," Israeli cybersecurity firm Check Point said in a new report.

The company said it has also witnessed sharing of proxies and open VPN servers to get around censorship and reports on the internet status in the country, with one group helping the anti-government demonstrators access social media sites.

Chief among them is a Telegram channel called Official Atlas Intelligence Group (AIG) that's primarily focused on publishing data associated with government officials as well as maps of prominent locations.

Calling itself the "CyberArmy," the group is said to have commenced its operations in May and has also advertised a wide range of services in the past, such as data leaks, DDoS attacks, and remote access to organizations. It's also known to voluntarily hunt and dox pedophiles.

According to Cyberint, the cyber mercenary actor also claims to have "connections with people in several law enforcement entities in Europe who can deliver sensitive information about certain individuals exclusively."

A second group of interest is ARVIN, which consists of about 5,000 members and shares news reports about the ongoing protests along with providing a list of Open VPN servers to circumvent internet blockades.

RedBlue™, a 4,000-member group on Telegram, has also pitched in with similar efforts, in addition to sharing hacking conversations and guides.

Privacy-focused messaging app Signal, for its part, has reached out to its community to set up a proxy that will help people in the country use the service on Android.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Hackers Aid Protests Against Iranian Government with Proxies, Leaks and Hacks

Inflated user bases and fake engagement cause more harm than good, especially when the artificial accounts are based on stolen human identities.

Growth in the number of new accounts looks great, but if fake accounts get in that mix, they are not providing the value you (and your investors) need. If you are a social media platform striving for growth, fake accounts may seem like the answer to your prayers — something you can show investors to demonstrate your reach. And to the end user, all those accounts that listen to music online or follow us on social media seem great. But the reality is that fake accounts are harmful, even before the truth comes to light.

It's especially damaging when bots use real human data, stolen and sold on the Dark Web, to create these fake accounts. And when they are exposed to sunlight, as the situation with Elon Musk's stalled acquisition of Twitter has shown, the effects can be unexpected and rampant, quickly taking on a life of their own.

We're going to look at what fake accounts mean, why they exist, and what you can do to combat this pernicious adversary.

**Enter the Billionaire**

Love him or hate him, you cannot deny the impact Musk has made on the tech industry. But second-guessing his motives and actions is very much like my dog trying to work out the significance of my sitting at my desk drumming my fingers on the keyboard all day.

When I spoke with Tamer Hassan, co-founder and CEO of Human Security, I asked him what he believes is the core challenge facing any investor looking at Twitter. 

"It's really all about the question, 'What would you do if you could look like a million humans?' The answer is a lot," he said. "Cybercriminals have proliferated sophisticated bots and spam accounts across social media platforms with limited accountability, and the combined result is diminished trust in the brand, a negative user experience, and a negative impact on the company's valuation and bottom line."

**Twitter & the Tragedy of the Digital Commons**

Twitter is an increasingly rare Internet resource. It is a common platform connecting humans all over the world and, with some rare exceptions, does not inhibit or censor free expression. As with most common goods, it is subject to overuse; the phrase "tragedy of the commons" originated to describe people overusing grassy common land to graze their livestock. As anyone who has dipped a toe into the Twitter stream knows, the slew of tweets is overwhelming and impossible to keep up with. This is made worse because, along with all of the humans desperate to air their opinions, points of view, and excitable investment plans, there are The Bots.

Bots are part of much of our life nowadays. Those of us using Office365 are familiar with the coy daily email saying, _"__Hey, we aren't analyzing what you do or the content of your inbox_, _but here's some stuff to be aware of_,_"_ and of course, on Twitter there are beneficial bots and harmful bots. Many bots watch for tweets that seem to relate to a particular subject (for example, #cybersecurity), and then amplify those tweets to their audiences. And of course, many will try and game these amplifiers, sometimes using bots of their own. And so the overgrazing continues.

**No One Should Pay for False Volume, Even Billionaires**

The primary incoming revenue stream for social platforms is advertising, which is driven by how many interested eyes can be shown targeted ads that are likely to lead to conversion. It therefore follows that the value of any social platform lies in the number of active users, whether it be a general-purpose networking platform such as Twitter, a narrow-purpose use case such as music, or even accommodation rentals (inactive users are just sludge at the bottom of the well). Bots, while they may generate activity, defraud advertisers by artificially inflating the user count.

Musk is understandably squeamish about paying for accounts that have zero (or even negative) lifetime value. When I asked about what a company can do about bots, Hassan commented, "Having the right protections in place, including transparency and regulation around the use of automation, to ensure they have a genuine view of human users on their platform can help brands establish greater credibility while also stopping cybercriminals from impacting their business."

Musk very publicly tried to withdraw from the Twitter acquisition, which has generated continuing legal ramifications. If we take his statements at face value, then the clear message is that bots and other fake accounts are bad business. Considering the ways that future Twitter (or any social media platform) could make money, being a trustworthy source of curated identity that doctors, banks, governments, and any other interested party (including peer-to-peer) can rely on would be a significant advantage.

**Here's Mudge in Your Eye**

One of Musk's stated concerns about the Twitter acquisition is that he has no certainty about how many of the platform's 396.5 million accounts are human. To add fuel to Twitter's bonfire of the vanities, its former CISO, Peiter "Mudge" Zatko, has blown the whistle on poor operational security controls, nonexistent software governance, and (you guessed it) inadequate user enrollment verification. In other words, no one knows how many users are bots, and what vulnerabilities exist in the platform that can be exploited by unfriendly groups — some of which are backed by nation-states.

As a former Facebook security engineer pointed out to me, "Mudge has a decades-long reputation of being highly ethical and one of the most respected practitioners in the cybersecurity community." When I asked whether they believed Mudge's claims about foreign intelligence infiltration, the response was, "I believe enough of it not to care about the rest."

Robert Graham takes a different view in his Cybersect blog, which contrasts the focus of a cybersecurity activist with that of a corporate executive. An executive's primary objective is to further the interest of the company and its shareholders, he wrote, which does not correlate with the ideals of many cybersecurity activists. In his view, Mudge has allowed his passion for cybersecurity excellence to overwhelm his responsibilities as an executive.

**Identity as a Commodity**

Identity is the cornerstone of cybersecurity. When an identity is successfully compromised, all of the other security controls will fold up and get out of the attacker's way. The opportunity for Twitter to provide an identity service based on its user base is a significant one.

It is clear, however, that if we cannot trust that the identities being asserted and corroborated by Twitter are genuine, then Twitter's usefulness in this area will always be limited. Twitter asserts that the cost of validating every account (and giving us all a little blue tick) is prohibitive, however, as the lifetime value of each Twitter account is very low.

I'm sure that Twitter is well aware of its security gaps. Indeed, a good use for some of Musk's proposed investment, if the company can still get it, would be to clean up the town square and correct the tragedy of the digital commons that we discussed earlier.

This is why identity is important, in particular being able to prove that a specific account is being operated by a human. If we manage to turn Twitter into a place where free speech is valued precisely _because_ the speakers are identified as human, then its value — to investors, the Twitter team, and most importantly, its users — will skyrocket.

Tag

#intel