IT security | Breaking Cybersecurity News | The Hacker News

SaaS applications have become indispensable for organizations aiming to enhance productivity and streamline operations. However, the convenience and efficiency these applications offer come with inherent security risks, often leaving hidden gaps that can be exploited. Conducting thorough due diligence on SaaS apps is essential to identify and mitigate these risks, ensuring the protection of your organization's sensitive data. Understanding the Importance of Due Diligence Due diligence is a critical step in evaluating the security capabilities of SaaS applications. It involves a comprehensive assessment of the app's audit log events, system and activity audits, and integration capabilities to ensure proper logging and monitoring, helping to prevent costly incidents. Here are a few reasons why due diligence is non-negotiable: Identifying Critical Audit Log Gaps: A thorough review helps ensure that essential events, such as logins, MFA verifications, and user changes, are lo

The Emergence of Identity Threat Detection and Response Identity Threat Detection and Response (ITDR) has emerged as a critical component to effectively detect and respond to identity-based attacks. Threat actors have shown their ability to compromise the identity infrastructure and move laterally into IaaS, Saas, PaaS and CI/CD environments. Identity Threat Detection and Response solutions help organizations better detect suspicious or malicious activity in their environment. ITDR solutions give security teams the ability to help teams answer the question "What's happening right now in my environment - what are my identities doing in my environments." Human and Non-Human Identities As outlined in the ITDR Solution Guide, comprehensive ITDR solutions cover both human and non-human identities. Human identities entail the workforce (employees), guests (contractors), and vendors. Non-human identities include tokens, keys, service accounts, and bots. Multi- environment ITDR solutions c

For years, securing a company's systems was synonymous with securing its "perimeter." There was what was safe "inside" and the unsafe outside world. We built sturdy firewalls and deployed sophisticated detection systems, confident that keeping the barbarians outside the walls kept our data and systems safe. The problem is that we no longer operate within the confines of physical on-prem installations and controlled networks. Data and applications now reside in distributed cloud environments and data centers, accessed by users and devices connecting from anywhere on the planet. The walls have crumbled, and the perimeter has dissolved, opening the door to a new battlefield: identity . Identity is at the center of what the industry has praised as the new gold standard of enterprise security: "zero trust." In this paradigm, explicit trust becomes mandatory for any interactions between systems, and no implicit trust shall subsist. Every access request, regardless of its origin,

Ivanti has rolled out security updates for a critical flaw in Virtual Traffic Manager (vTM) that could be exploited to achieve an authentication bypass and create rogue administrative users. The vulnerability, tracked as CVE-2024-7593, has a CVSS score of 9.8 out of a maximum of 10.0. "Incorrect implementation of an authentication algorithm in Ivanti vTM other than versions 22.2R1 or 22.7R2 allows a remote unauthenticated attacker to bypass authentication of the admin panel," the company said in an advisory. It impacts the following versions of vTM - 22.2 (fixed in version 22.2R1) 22.3 (fixed in version 22.3R3, available week of August 19, 2024) 22.3R2 (fixed in version 22.3R3, available week of August 19, 2024) 22.5R1 (fixed in version 22.5R2, available week of August 19, 2024) 22.6R1 (fixed in version 22.6R2, available week of August 19, 2024) 22.7R1 (fixed in version 22.7R2) As temporary mitigation, Ivanti is recommending customers to limit admin access to th

The last few years have seen more than a few new categories of security solutions arise in hopes of stemming a never-ending tidal wave of risks. One of these categories is Automated Security Validation (ASV), which provides the attacker's perspective of exposures and equips security teams to continuously validate exposures, security measures, and remediation at scale. ASV is an important element of any cybersecurity strategy and by providing a clearer picture of potential vulnerabilities and exposures in the organization, security teams can identify weaknesses before they can be exploited.  However, relying solely on ASV can be limiting. In this article, we'll take a look into how combining the detailed vulnerability insights from  ASV  with the broader threat landscape analysis provided by the Continuous Threat Exposure Management Framework (CTEM) can empower your security teams to make more informed decisions and allocate resources effectively. (Want to learn more about CTEM? Check

Cybersecurity companies are warning about an uptick in the abuse of Clouflare's TryCloudflare free service for malware delivery. The activity, documented by both eSentire and Proofpoint , entails the use of TryCloudflare to create a rate-limited tunnel that acts as a conduit to relay traffic from an attacker-controlled server to a local machine through Cloudflare's infrastructure. Attack chains taking advantage of this technique have been observed delivering a cocktail of malware families such as AsyncRAT, GuLoader, PureLogs Stealer, Remcos RAT, Venom RAT, and XWorm. The initial access vector is a phishing email containing a ZIP archive, which includes a URL shortcut file that leads the message recipient to a Windows shortcut file hosted on a TryCloudflare-proxied WebDAV server. The shortcut file, in turn, executes next-stage batch scripts responsible for retrieving and executing additional Python payloads, while simultaneously displaying a decoy PDF document hosted on

How to detect and prevent attackers from using these various techniques Obfuscation is an important technique for protecting software that also carries risks, especially when used by malware authors. In this article, we examine obfuscation, its effects, and responses to it. What Is Obfuscation? Obfuscation is the technique of intentionally making information difficult to read, especially in computer coding. An important use case is data obfuscation, in which sensitive data is made unrecognizable to protect it from unauthorized access. Various methods are used for this.  For example, only the last four digits of a credit card number are often displayed, while the remaining digits are replaced by Xs or asterisks. In contrast, encryption involves converting data into an unreadable form that can only be decrypted using a special key. Obfuscation In Code When computer code is obfuscated, complex language and redundant logic are used to make the code difficult to understand. The aim?

As more people work remotely, IT departments must manage devices distributed over different cities and countries relying on VPNs and remote monitoring and management (RMM) tools for system administration.  However, like any new technology, RMM tools can also be used maliciously. Threat actors can establish connections to a victim's device and run commands, exfiltrate data, and stay undetected.  This article will cover real-world examples of RMM exploits and show you how to protect your organization from these attacks.  What are RMM tools?  RMM software simplifies network management, allowing IT professionals to remotely solve problems, install software, and upload or download files to or from devices.  Unfortunately, this connection is not always secure, and attackers can use malicious software to connect their servers to a victim's device. As these connections become easier to detect, however,  ransomware-as-a-service (RaaS) groups have had to adjust their methods.  In

A North Korea-linked threat actor known for its cyber espionage operations has gradually expanded into financially-motivated attacks that involve the deployment of ransomware, setting it apart from other nation-state hacking groups linked to the country. Google-owned Mandiant is tracking the activity cluster under a new moniker APT45 , which overlaps with names such as Andariel, Nickel Hyatt, Onyx Sleet (formerly Plutonium), Silent Chollima, and Stonefly. "APT45 is a long-running, moderately sophisticated North Korean cyber operator that has carried out espionage campaigns as early as 2009," researchers Taylor Long, Jeff Johnson, Alice Revelli, Fred Plan, and Michael Barnhart said . "APT45 has been the most frequently observed targeting critical infrastructure." It's worth mentioning that APT45, along with APT38 (aka BlueNoroff), APT43 (aka Kimsuky), and Lazarus Group (aka TEMP.Hermit), are elements within North Korea's Reconnaissance General Bureau

The browser is the nerve center of the modern workspace. Ironically, however, the browser is also one of the least protected threat surfaces of the modern enterprise. Traditional security tools provide little protection against browser-based threats, leaving organizations exposed. Modern cybersecurity requires a new approach based on the protection of the browser itself, which offers both security and frictionless deployment.  In an upcoming live webinar ( Register here ), Or Eshed, CEO of browser security company LayerX, and Christopher Smedberg, Director of Cybersecurity at Advance Publishing, will discuss the challenges facing modern enterprise in the new hybrid-work world, the gaps found in existing security solutions, and a new approach to securing the modern enterprise workspace, which is centered on the browser. The Browser is Where Work Takes Place The browser is the key to the organization's critical assets. It connects all organizational devices, identities, and SaaS and

Docker is warning of a critical flaw impacting certain versions of Docker Engine that could allow an attacker to sidestep authorization plugins (AuthZ) under specific circumstances. Tracked as CVE-2024-41110 , the bypass and privilege escalation vulnerability carries a CVSS score of 10.0, indicating maximum severity. "An attacker could exploit a bypass using an API request with Content-Length set to 0, causing the Docker daemon to forward the request without the body to the AuthZ plugin, which might approve the request incorrectly," the Moby Project maintainers said in an advisory. Docker said the issue is a regression in that the issue was originally discovered in 2018 and addressed in Docker Engine v18.09.1 in January 2019, but never got carried over to subsequent versions (19.03 and later). The issue has been resolved in versions 23.0.14 and 27.1.0 as of July 23, 2024, after the problem was identified in April 2024. The following versions of Docker Engine are impacte

The initial onboarding stage is a crucial step for both employees and employers. However, this process often involves the practice of sharing temporary first-day passwords, which can expose organizations to security risks. Traditionally, IT departments have been cornered into either sharing passwords in plain text via email or SMS, or arranging in-person meetings to verbally communicate these credentials. Both methods carry inherent risks, from man-in-the-middle attacks to the simple human error of password mismanagement. This vulnerability creates openings for hackers, who will aim to use weak or intercepted passwords to gain unauthorized access to corporate systems. In this post, we explore the pitfalls of traditional password distribution methods during employee onboarding and introduce a solution that enhances security without compromising the ease of access for new hires. It's possible for organizations to safeguard their digital environments right from the start, ensuring a se