Daily Tech Digest - October 16, 2020

New Emotet attacks use fake Windows Update lures

According to an update from the Cryptolaemus group, since yesterday, these Emotet lures have been spammed in massive numbers to users located all over the world. Per this report, on some infected hosts, Emotet installed the TrickBot trojan, confirming a ZDNet report from earlier this week that the TrickBot botnet survived a recent takedown attempt from Microsoft and its partners. These boobytrapped documents are being sent from emails with spoofed identities, appearing to come from acquaintances and business partners. Furthermore, Emotet often uses a technique called conversation hijacking, through which it steals email threads from infected hosts, inserts itself in the thread with a reply spoofing one of the participants, and adding the boobytrapped Office documents as attachments. The technique is hard to pick up, especially among users who work with business emails on a daily basis, and that is why Emotet very often manages to infect corporate or government networks on a regular basis. In these cases, training and awareness is the best way to prevent Emotet attacks. Users who work with emails on a regular basis should be made aware of the danger of enabling macros inside documents, a feature that is very rarely used for legitimate purposes.

Prolific Cybercrime Group Now Focused on Ransomware

Overall, the group does not display sophisticated tactics, techniques and procedures (TTPs), but they are aggressive in their attempts to gain a foothold in companies, says Kimberly Goody, senior manager of the Mandiant threat intelligence financial crime team at FireEye. "The main thing that sets this group apart from our perspective is how widespread their campaigns are," she says. "They are sophisticated, but they have a wide reach. And their constant evolution of their TTPs—even though minor—can prevent organizations from being able to adequately defend against their spam campaigns." The group also highlights a trend observed by FireEye. Since early 2019, financial cybercrime groups once focused on stealing payment-card data are now shifting to compromising corporate networks, infecting a significant number of systems with ransomware, and then extorting the business for large sums, Goody says. "Point of sale intrusions were very profitable, and we saw actors such as FIN6 and FIN7—all the way back to FIN5—they were targeting payment card data," Goody says.

Agile: 4 signs your transformation is in trouble

True culture change requires more than a shot in the arm. The shot in the arm jolts the team awake and gets them moving, but from that moment the old culture drags everyone back where they started, so you have to fight against it. If you started with fun and creativity (or just never got there), look for opportunities to light the path toward a more creative and fun world at a leadership level. Virtual happy hours are fine, but, especially during COVID, you need to go further than that to set the example. Maybe you throw in a game. Maybe you have an appetizer delivered to each person’s house. Maybe you give each person $30 to surprise a teammate with a personal encouragement. No matter the approach, bring back the fun and joy and you’ll boost creativity from your agile teams. When you go to the gym and you only lift weights to strengthen your biceps, they get stronger while your leg muscles stay the same (or get weaker). The same thing happens in agile and produces similarly disproportionate results. Focusing on agility in one part of the organization (like the software teams), but not the leadership that fills their funnel, actually builds fragility into your business.

Critical SonicWall VPN Portal Bug Allows DoS, Worming RCE

“VPN bugs are tremendously dangerous for a bunch of reasons,” he told Threatpost. “These systems expose entry points into sensitive networks and there is very little in the way of security introspection tools for system admins to recognize when a breach has occurred. Attackers can breach a VPN and then spend months mapping out a target network before deploying ransomware or making extortion demands.” Adding insult to injury, this particular flaw exists in a pre-authentication routine, and within a component (SSL VPN) which is typically exposed to the public internet. “The most notable aspect of this vulnerability is that the VPN portal can be exploited without knowing a username or password,” Young told Threatpost. “It is trivial to force a system to reboot…An attacker can simply send crafted requests to the SonicWALL HTTP(S) service and trigger memory corruption.” However, he added that a code-execution attack does require a bit more work. “Tripwire VERT has also confirmed the ability to divert execution flow through stack corruption, indicating that a code-execution exploit is likely feasible,” he wrote, adding in an interview that an attacker would need to also leverage an information leak and a bit of analysis to pull it off.

Avoiding Serverless Anti-Patterns with Observability

New adopters of serverless are more susceptible to anti-patterns, so not being aware of — or not understanding the effect of — these anti-patterns, may be frustrating. So it acts as a barrier to serverless adoption. Observability mitigates this black box effect, and understanding the possible anti-patterns allows us to monitor the right metrics and take the right actions. Therefore, this article goes through some of the major anti-patterns unique to serverless and describes how the right strategy in observability can cushion the impact of anti-patterns creeping into your serverless architectures. Serverless applications tend to work best when asynchronous. This is a concept that was preached by Eric Johnson in his talk at ServerlessDays Istanbul, titled “Thinking Async with Serverless.” He later on went to present a longer version of the talk at ServerlessDays Nashville. As teams and companies begin to adopt serverless, one of the biggest mistakes they can make is designing their architecture while still having a monolith mentality. This results in a lift and shift of their previous architectures. This means the introduction of major controller functions and misplaced await functions.

Only the Agile Survive in Today’s Ever-Changing Business Environment

It’s almost inevitable that you’ll end up overlooking a vital document or missing a key contract in the hectic rush. Scrabbling around for all the relevant files and folders causes your confidence to leak away as you feel that you’re just not ready for this deal, and I’ve often seen that become a self-fulfilling prophecy. One company I consulted for learned this lesson when a well-known international consumer goods brand showed interest in buying their logistics business. Although the CEO had been hoping to arrange an exit on favorable terms, the CFO wasn’t on board and hadn’t made any advance preparations for due diligence situations. The prospective buyer was only in town for three days and wanted to look over their documents and agree on a preliminary contract before she left, but the CFO was so rattled by the pressure that he presented a profit and loss statement from the wrong year. The buyer declined to continue with the negotiations, and the CFO was left knowing that he’d let a great deal slip through his fingers simply because he didn’t have all of his books digitized and organized in a secure, centralized resource.

Singapore Launches IoT Cybersecurity Labelling

The Cybersecurity Labelling Scheme will focus first on Wi-Fi routers and smart home hubs, according to the Cyber Security Agency of Singapore. "Amid the growth in number of IoT products in the market, and in view of the short time-to-market and quick obsolescence, many consumer IoT products have been designed to optimize functionality and cost over security," the Cyber Security Agency says. "As a result, many devices are being sold with poor cybersecurity provisions, with little to no security features built-in." ... Singapore's program is voluntary for manufacturers for now, but the nation intends eventually to make it mandatory. The testing has four rating levels, and the CSA has offered detailed information for manufacturers. Developers can make declarations that their products conform with the first two levels. The first level means a product meets basic security requirements, such as mandating the use of unique passwords and delivering software updates as dictated by the European Telecommunications Standards Institute's EN 303 645 standard. The second level encompasses the first level requirements plus following the IoT Cyber Security Guide developed by Singapore's Infocomm Media Development Authority, or IMDA.

Why AI can’t ever reach its full potential without a physical body

A designer can’t effectively build a software sense-of-self for a robot. If a subjective viewpoint were designed in from the outset, it would be the designer’s own viewpoint, and it would also need to learn and cope with experiences unknown to the designer. So what we need to design is a framework that supports the learning of a subjective viewpoint. Fortunately, there is a way out of these difficulties. Humans face exactly the same problems but they don’t solve them all at once. The first years of infancy display incredible developmental progress, during which we learn how to control our bodies and how to perceive and experience objects, agents and environments. We also learn how to act and the consequences of acts and interactions. Research in the new field of developmental robotics is now exploring how robots can learn from scratch, like infants. The first stages involve discovering the properties of passive objects and the “physics” of the robot’s world. Later on, robots note and copy interactions with agents (carers), followed by gradually more complex modelling of the self in context. In my new book, I explore the experiments in this field.

Singapore releases AI ethics, governance reference guide

Noting that AI sought to inject intelligence into machines to mimic human action and thought, SCS President Chong Yoke Sin noted that rogue or misaligned AI algorithms with unintended bias could cause significant damage. This underscored the importance of ensuring AI was used ethically. "On the other hand, stifling innovation in the use of AI will be disastrous as the new economy will increasingly leverage AI," Chong said, as she stressed the need for a balanced approach that prioritised human safety and interests. Speaking during SCS' Tech3 Forum, Singapore's Minister for Communications and Information S. Iswaran further underscored the need to build trust with the responsible use of AI in order to drive the adoption and extract the most benefits from the technology. "Responsible adoption of AI can boost companies' efficiencies, facilitate decision-making, and help employees upskill into more enriching and meaningful jobs," Iswaran said. "Above all, we want to build a progressive, safe, and trusted AI environment that benefits businesses and workers, and drives economic transformation." The launch of a reference guide would provide businesses access to a counsel of experts proficient in AI ethics and governance, so they could deploy the technology responsibly, the minister said.

How to ensure faster, quality code to ease the development process

If there’s one metric most businesses are focused on when it comes to coding, it’s speed. Tech and dev teams are at the forefront of innovation, and they’re used to moving at a serious pace. Anything that slows down the process of shipping code damages their ability to perform. To move quickly though, and to get from planning to coding in record time, teams need real-time visibility into what’s being worked on and transparent access to the latest updates from the team. Closed-off communication, like email, which limits visibility of information to a handful of people selected by a single sender, isn’t up to the task. Instead, channel-based communication can provide a single-space for developers to collaborate, share priorities and simplify processes in order to speed up testing and deployment. Rather than having to sift through information flying in from different sources, channel-based messaging integrates all existing tools into a single place, meaning developers can increase visibility over deploys and get straight to the information they need. Developers can pull in key material using integrations that plug different apps like Jira and Github right into their discussions.

Quote for the day:

"A coach is someone who can give correction without causing resentment." -- John Wooden

No comments:

Post a Comment