Customer portal
Articles Tagged with

SOS Intelligence

""/
Opinion, SME Cybersecurity, Tips

10 Best Cybersecurity Practices for Individuals and Businesses

by Daniel Collyer
October 17, 2024

In today’s increasingly digital world, cybersecurity is no longer just a concern for IT departments. With the proliferation of personal devices and remote work, individuals and businesses alike face a constant barrage of cyber threats. Whether it’s phishing attacks, data breaches, or malware, the risks are real and growing. By implementing key cybersecurity practices, you can protect sensitive data, reduce your vulnerability, and ensure a safer digital environment. Below, we explore the 10 best cybersecurity practices for both individuals and businesses, from two-factor authentication to regular data backups.

1. Enable Two-Factor Authentication (2FA)

Two-factor authentication (2FA) adds an extra layer of security to your accounts by requiring not only a password but also a second form of verification, such as a code sent to your phone. This ensures that even if your password is compromised, the attacker cannot access your account without the second factor.

For individuals, 2FA can be enabled on email accounts, social media platforms, and financial services. For businesses, implementing 2FA across corporate networks and systems significantly reduces the risk of unauthorised access. Beyond login security, 2FA is also crucial in protecting sensitive areas such as payment gateways or admin control panels.

While enabling 2FA might seem like an extra step in your daily login routine, the benefits far outweigh the inconvenience. Cybercriminals primarily target easy opportunities. By adding this additional layer of security, you’re drastically lowering your risk of falling victim to an attack. Furthermore, modern 2FA solutions offer options such as biometrics, reducing friction for users.

  • Why it matters: Passwords alone can be easily stolen through phishing attacks or brute-force techniques. Adding a second verification step makes it exponentially harder for hackers to gain access, even if your password is leaked in a data breach.
  • Tip for businesses: Ensure that all employees use 2FA for their work accounts, especially for admin-level accounts, which are often the prime targets for attackers. Also, enforce this across all remote access points to protect against network vulnerabilities.

2. Use Strong, Unique Passwords

Passwords are the first line of defence in protecting your accounts. Yet, many individuals and businesses still rely on weak or reused passwords across multiple accounts. A strong password is typically at least 12 characters long, uses a mix of letters, numbers, and special characters, and avoids easily guessable information such as birthdates or common words.

For businesses, the stakes are higher. Poor password hygiene can lead to breaches that expose sensitive data and damage customer trust. It’s crucial to enforce strict password policies and encourage employees to use a password manager to generate and store complex passwords securely. A password manager can significantly simplify the task of managing numerous complex passwords, removing the temptation to reuse them.

Beyond the immediate protection against password-based attacks, using strong and unique passwords for each service ensures that even if one account is compromised, others remain safe. Additionally, businesses should regularly audit their password policies, ensuring that no default passwords remain in use within the organisation.

  • Why it matters: Reusing passwords across multiple platforms can lead to a domino effect where one breach leads to multiple compromised accounts. Strong passwords help mitigate brute-force attacks, where hackers try numerous combinations to crack a password.
  • Tip for individuals: Avoid using personal information like pet names or birthdays. Instead, consider using a passphrase—a longer, more complex string of words that’s easier to remember but difficult to guess. Passphrases are especially effective because they balance security and ease of use.

3. Regularly Update Software and Systems

Software updates aren’t just about new features—they often contain critical security patches that fix vulnerabilities. Cybercriminals frequently exploit outdated software to gain access to systems, making it vital for both individuals and businesses to regularly update operating systems, applications, and security software. However, updates are often delayed by users or administrators who find them inconvenient, creating a significant security gap.

For individuals, turning on automatic updates for your devices can help ensure that critical security patches are applied as soon as they become available. Businesses, especially those managing a range of systems and devices, should establish clear policies around patch management, including regular audits to ensure compliance.

Neglecting updates can leave your devices exposed to a wide range of cyber threats, including zero-day exploits that target newly discovered vulnerabilities. In fact, some of the most devastating cyberattacks in recent years exploited unpatched software vulnerabilities that had been known but left unattended.

  • Why it matters: Keeping your software up-to-date reduces your risk of being targeted by attacks that exploit known vulnerabilities. Hackers actively scan for systems running outdated software, making it critical to stay ahead of the curve.
  • Tip for businesses: Implement automatic updates where possible and ensure that legacy systems are phased out or properly secured with compensating controls. For industries with regulatory compliance requirements, timely updates can also help avoid fines or penalties.

4. Backup Data Regularly

Data is one of the most valuable assets for both individuals and businesses. A well-structured data backup plan ensures that even in the event of a ransomware attack, hardware failure, or accidental deletion, your critical information can be recovered. In today’s environment, data loss could mean losing irreplaceable memories, critical business information, or legal documents.

For individuals, backing up photos, documents, and other important files to a secure location, whether in the cloud or on an external hard drive, can save you from disaster. For businesses, regular backups—ideally automated—should be an integral part of your disaster recovery plan. It’s also important to periodically test backups to ensure they function correctly when needed.

In the business context, maintaining regular backups that include system images allows organisations to restore not only data but also entire systems if necessary. This can be the difference between quickly recovering from an incident and suffering extended downtime.

  • Why it matters: Cyberattacks, particularly ransomware, often target your data. Without backups, you could lose irreplaceable information or be forced to pay a ransom to recover it. Even beyond cyberattacks, natural disasters or equipment failure can cause data loss.
  • Tip for businesses: Implement the 3-2-1 backup rule: keep three copies of your data, on two different types of media, with one stored offsite. This ensures redundancy and protection against various types of data loss, whether from physical damage, theft, or cyberattacks.

5. Educate Employees on Cybersecurity

A company’s cybersecurity is only as strong as its weakest link, and that link is often its employees. Human error is a major factor in many cyberattacks, particularly in cases of phishing and social engineering. Therefore, it’s critical to provide regular cybersecurity awareness training to employees, helping them recognise common threats such as suspicious emails or social engineering attempts.

For individuals, staying informed about common cyber threats can also help you avoid scams and phishing attacks that might target your personal accounts. However, for businesses, this extends to a formalised training programme, often involving real-world simulations, such as phishing tests, to assess employee awareness.

An educated workforce can serve as a powerful line of defence. When employees understand the risks, they are more likely to act responsibly, reducing the chances of inadvertently opening a door to cybercriminals. Regular updates to training programmes also help employees stay current on the latest threats.

  • Why it matters: Most cyberattacks start with an employee clicking on a malicious link or downloading a harmful attachment. Education can dramatically reduce these occurrences, making employees your first line of defence against breaches.
  • Tip for businesses: Simulate phishing attacks to test your employees’ vigilance and reinforce training in a practical, real-world way. Regularly updating the training content also ensures that employees stay aware of emerging threats and tactics.

6. Secure Your Wi-Fi Networks

Your Wi-Fi network is the gateway to your online activity, and an unsecured network can provide an easy entry point for attackers. Both individuals and businesses should ensure their Wi-Fi is protected with strong passwords and encryption. Unfortunately, unsecured networks are often overlooked in favour of convenience, leading to preventable breaches.

At home, many people leave the default router password unchanged, making it easy for hackers to access the network. For businesses, the situation is even more critical. Guest Wi-Fi, often provided for customer convenience, should be isolated from internal systems, ensuring that external users cannot inadvertently access sensitive business data.

Proper Wi-Fi security goes beyond just setting a strong password. It also includes using up-to-date encryption protocols, like WPA3, and disabling unnecessary features such as remote management. Businesses, in particular, should regularly audit their network configurations to ensure compliance with security best practices.

  • Why it matters: An unsecured network can allow hackers to intercept data, including passwords and financial information. Attackers often exploit weak network security to gain initial access, then pivot to more sensitive areas.
  • Tip for businesses: Use WPA3 encryption for your business network and ensure that guest Wi-Fi is isolated from critical internal systems. Consider implementing network segmentation to further limit access to sensitive systems based on user roles.

7. Use a Virtual Private Network (VPN)

A Virtual Private Network (VPN) encrypts your internet connection, making it much harder for cybercriminals to intercept your data. VPNs are particularly useful when working remotely or using public Wi-Fi, as these environments are more vulnerable to attacks. A VPN masks your IP address and makes your online activity less traceable, adding another layer of privacy.

For businesses, providing employees with VPN access ensures secure communication between remote workers and the company’s internal network. This is especially important for organisations with a distributed workforce or for employees who travel frequently. Enforcing VPN use ensures that sensitive company data is not exposed over unsecured connections.

Beyond the obvious benefit of secure browsing, a VPN can also help bypass geo-restrictions, which can be important for businesses operating in multiple regions. Additionally, VPNs prevent ISPs and other third parties from tracking your online activity, further enhancing privacy.

  • Why it matters: Public Wi-Fi is often unsecured, leaving your data vulnerable to interception. A VPN provides a secure connection, whether you’re checking emails in a coffee shop or working remotely.
  • Tip for individuals: Always use a VPN when connecting to public Wi-Fi networks. For the best security, choose a reputable VPN provider with a no-logs policy and strong encryption standards.

8. Implement Role-Based Access Control (RBAC)

Role-Based Access Control (RBAC) limits access to systems and data based on an employee’s role within the organisation. This ensures that only authorised personnel can access sensitive information, reducing the risk of internal threats or accidental data exposure. For example, a marketing team member doesn’t need access to financial data, just as an IT administrator doesn’t require access to HR records.

For businesses, implementing RBAC is a critical step in protecting sensitive data and complying with privacy regulations like GDPR or HIPAA. This approach limits the potential damage of a breach by ensuring that even if one account is compromised, the attacker doesn’t gain access to everything.

RBAC can be managed through identity and access management (IAM) tools, allowing for easy enforcement and auditing of access policies. It’s also important to review these roles regularly, adjusting them as employees move within the organisation or as job functions evolve.

  • Why it matters: Limiting access to sensitive data reduces the likelihood of insider threats and ensures compliance with data protection regulations. Even if an account is compromised, the attacker’s access will be limited to only what the user’s role permits.
  • Tip for businesses: Regularly audit user access rights to ensure that they align with current job functions. Remove access immediately when employees leave the company or change roles, as lingering access points can create unnecessary security risks.

9. Monitor for Suspicious Activity

Detecting cyberattacks before they cause significant damage is crucial. Both individuals and businesses should actively monitor for suspicious activity, such as unauthorised logins, unusual device behaviour, or changes to security settings. Many security tools offer real-time monitoring and alerts that can notify you of potential breaches.

For businesses, implementing Security Information and Event Management (SIEM) systems can help centralise the detection of suspicious behaviour across the network. By collecting and analysing data from various sources, SIEM tools can help identify patterns that might indicate a potential attack. Regular auditing of logs and systems can also reveal signs of compromise.

Monitoring is about being proactive. Once an attack is detected, swift action can limit damage and prevent further spread. Organisations should have incident response plans in place, ensuring that they are ready to act when suspicious activity is detected.

  • Why it matters: The faster you detect a cyberattack, the faster you can respond. Delayed detection often leads to greater damage, whether it’s more data being stolen or malicious software spreading throughout the network.
  • Tip for individuals: Enable login alerts for all your accounts, so you’re immediately notified if someone attempts to access your account from an unrecognised device or location. This can provide an early warning of a potential breach.

10. Conduct Regular Security Audits

A security audit is a comprehensive assessment of your security policies, systems, and practices. For businesses, regular audits are essential for identifying vulnerabilities, ensuring compliance with industry regulations, and validating that security controls are functioning as intended. Individuals can also benefit from self-audits by reviewing account security, device settings, and data backup practices.

For businesses, audits should involve testing everything from firewall configurations to employee security awareness. Conducting regular penetration tests, where ethical hackers attempt to breach your systems, can also provide valuable insights into potential weaknesses. These audits not only help improve security but also demonstrate due diligence in the event of a data breach.

By identifying weaknesses before they are exploited, you can take corrective action to strengthen your defences. Additionally, security audits provide an opportunity to review and update policies, ensuring that they reflect current best practices and emerging threats.

  • Why it matters: Cyber threats evolve quickly, and what was secure a year ago may not be secure today. Regular audits ensure that your defences are up-to-date and capable of defending against the latest threats.
  • Tip for businesses: Hire third-party auditors to provide an objective assessment of your security posture. These external audits can uncover blind spots that internal teams may overlook, offering a fresh perspective on your organisation’s security practices.

Conclusion

Cybersecurity is not a one-size-fits-all solution. It requires a combination of best practices, from using strong passwords and 2FA to regularly updating software and backing up data. For businesses, additional layers of protection, such as firewalls, access controls, and continuous monitoring, are essential to safeguarding critical assets.

Both individuals and businesses must remain vigilant and proactive, as the cyber threat landscape is constantly changing. By implementing these 10 best practices, you can greatly reduce the risk of cyberattacks and protect your personal and professional data.

In an age where digital threats are on the rise, securing your information has never been more important. Whether you’re an individual trying to safeguard your personal accounts or a business aiming to protect sensitive data, these cybersecurity practices are vital steps toward a safer digital future.

Photos by Ed Hardie Paulius Dragunas Siyuan Hu Misha Feshchak Privecstasy Luis Villasmil on Unsplash

"SOS
CVE Top 10

The SOS Intelligence CVE Chatter Weekly Top Ten – 14 October 2024

by Amir Hadzipasic
October 14, 2024

 

This weekly blog post is from via our unique intelligence collection pipelines. We are your eyes and ears online, including the Dark Web.

There are thousands of vulnerability discussions each week. SOS Intelligence gathers a list of the most discussed Common Vulnerabilities and Exposures (CVE) online for the previous week.

We make every effort to ensure the accuracy of the data presented. As this is an automated process some errors may creep in.

If you are feeling generous please do make us aware of anything you spot, feel free to follow us on Twitter @sosintel and DM us. Thank you!

 

 

1.  CVE-2018-17144

Bitcoin Core 0.14.x before 0.14.3, 0.15.x before 0.15.2, and 0.16.x before 0.16.3 and Bitcoin Knots 0.14.x through 0.16.x before 0.16.3 allow a remote denial of service (application crash) exploitable by miners via duplicate input. An attacker can make bitcoind or Bitcoin-Qt crash.

https://nvd.nist.gov/vuln/detail/CVE-2018-17144

 

 

2. CVE-2021-44228

Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.

https://nvd.nist.gov/vuln/detail/CVE-2021-44228

 

 

3. CVE-2023-41064

A buffer overflow issue was addressed with improved memory handling. This issue is fixed in iOS 16.6.1 and iPadOS 16.6.1, macOS Monterey 12.6.9, macOS Ventura 13.5.2, iOS 15.7.9 and iPadOS 15.7.9, macOS Big Sur 11.7.10. Processing a maliciously crafted image may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.

https://nvd.nist.gov/vuln/detail/CVE-2023-41064

 

 

4. CVE-2021-42278

Active Directory Domain Services Elevation of Privilege Vulnerability

https://nvd.nist.gov/vuln/detail/CVE-2021-42278

 

 

5. CVE-2022-22965

A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.

https://nvd.nist.gov/vuln/detail/CVE-2022-22965

 

 

6. CVE-2024-9680

An attacker was able to achieve code execution in the content process by exploiting a use-after-free in Animation timelines. We have had reports of this vulnerability being exploited in the wild. This vulnerability affects Firefox < 131.0.2, Firefox ESR < 128.3.1, Firefox ESR < 115.16.1, Thunderbird < 131.0.1, Thunderbird < 128.3.1, and Thunderbird < 115.16.0.

https://nvd.nist.gov/vuln/detail/CVE-2024-9680

 

 

7. CVE-2024-40865

The issue was addressed by suspending Persona when the virtual keyboard is active. This issue is fixed in visionOS 1.3. Inputs to the virtual keyboard may be inferred from Persona.

https://nvd.nist.gov/vuln/detail/CVE-2024-40865

 

 

8. CVE-2018-2628

Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: WLS Core Components). Supported versions that are affected are 10.3.6.0, 12.1.3.0, 12.2.1.2 and 12.2.1.3. Easily exploitable vulnerability allows unauthenticated attacker with network access via T3 to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. CVSS 3.0 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

https://nvd.nist.gov/vuln/detail/CVE-2018-2628

 

 

9. CVE-2015-3035

Directory traversal vulnerability in TP-LINK Archer C5 (1.2) with firmware before 150317, C7 (2.0) with firmware before 150304, and C8 (1.0) with firmware before 150316, Archer C9 (1.0), TL-WDR3500 (1.0), TL-WDR3600 (1.0), and TL-WDR4300 (1.0) with firmware before 150302, TL-WR740N (5.0) and TL-WR741ND (5.0) with firmware before 150312, and TL-WR841N (9.0), TL-WR841N (10.0), TL-WR841ND (9.0), and TL-WR841ND (10.0) with firmware before 150310 allows remote attackers to read arbitrary files via a .. (dot dot) in the PATH_INFO to login/.

https://nvd.nist.gov/vuln/detail/CVE-2015-3035

 

 

10. CVE-2021-45105

Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3 and 2.3.1) did not protect from uncontrolled recursion from self-referential lookups. This allows an attacker with control over Thread Context Map data to cause a denial of service when a crafted string is interpreted. This issue was fixed in Log4j 2.17.0, 2.12.3, and 2.3.1.

https://nvd.nist.gov/vuln/detail/CVE-2021-45105

 

"Spot
Opinion, SME Cybersecurity

Spot the Scam: Recognising Phishing and Social Engineering Tactics

by Daniel Collyer
October 10, 2024

In an increasingly interconnected world, the reliance on digital communication has grown,
and with it, the threat posed by cybercriminals. Phishing and social engineering have emerged as two of the most effective tactics used to exploit both individuals and businesses. These scams come in various forms, from the well-known phishing emails to more sophisticated attacks such as vishing and quishing.

The prevalence of these scams can be attributed to their ability to prey on human psychology, manipulating emotions like fear, urgency, and trust. By recognising these tactics and understanding how they operate, you can better protect yourself and your business from falling victim to their traps. In this article, we will explore the most common phishing and social engineering methods, explain how they work, and offer practical steps to stay safe.

What is Phishing?

Phishing is a type of cyberattack that relies on deceptive emails, messages, or websites to steal sensitive information such as passwords, financial details, or even personal identity information. Despite years of warnings, phishing remains highly effective because scammers are constantly improving their techniques to make their communications look legitimate.

The fundamental goal of phishing is to trick the recipient into believing the communication is from a trusted source. These attacks can be highly convincing, often imitating well-known brands, financial institutions, or even government agencies. Below are some of the most common types of phishing attacks.

Types of Phishing

Email Phishing
One of the most widespread forms of phishing, email phishing involves sending fraudulent emails to a large number of people, hoping that at least a few will take the bait. These emails typically impersonate trusted organisations like banks or online services and contain messages designed to prompt action.

Example: You receive an email claiming that your Amazon account has been suspended due to suspicious activity. The email provides a link where you can “verify your account.” The link takes you to a fraudulent website that looks exactly like Amazon’s login page. If you enter your credentials, they are immediately stolen.

Signs of Email Phishing:

  • Generic greetings like “Dear Customer” instead of addressing you by name.
  • Urgent language pressuring you to act quickly (e.g. “Your account will be suspended unless you respond immediately”).
  • Suspicious attachments or links.

Spear Phishing
Spear phishing is a more targeted form of phishing, where the attacker personalises the email to a specific individual or organisation. These emails are usually crafted with great attention to detail, often including the target’s name, position, or other personal information, making them much harder to detect.

Example: A senior accountant at a company receives an email that appears to be from their CFO, asking for an urgent wire transfer. The email uses familiar language and refers to an ongoing project to make the request seem authentic.

How to Spot Spear Phishing:

  • Double-check the sender’s email address. Fraudulent emails often use a slight variation of a legitimate address.
  • Look for requests that seem unusual or out of character, even if they appear to come from someone you know.
  • If you’re unsure, always verify the request by contacting the person directly via phone or in person.

Clone Phishing
In this variation, the attacker creates an almost identical copy of a legitimate email that you have previously received. The attacker clones the original message but replaces the attachments or links with malicious ones.

Example: You received a legitimate email last week with an invoice from a supplier. Today, you get what seems like the same email, but the attachment has been replaced with malware. Because the email looks identical to the previous one, you may be tempted to open it without thinking twice.

How to Recognise Clone Phishing:

  • Look for small differences in the email’s language or layout, as attackers often miss minor details when cloning.
  • Always be cautious with attachments and links, especially if you weren’t expecting them.
  • Use a trusted antivirus program that scans attachments before you open them.

Whaling
Whaling is a highly targeted form of spear phishing, typically aimed at high-profile individuals within an organisation, such as CEOs or CFOs. These attacks are designed to steal sensitive corporate information or authorise fraudulent financial transactions.

Example: A CEO receives an email that appears to be from the company’s legal department, requesting confidential financial details in relation to a lawsuit. The email is crafted to be convincing, using legal jargon and mimicking the company’s internal communication style.

Defending Against Whaling:

  • Implement multi-factor authentication (MFA) to add an extra layer of security for high-level executives.
  • Train senior staff to recognise phishing tactics and encourage them to question unexpected requests for sensitive information.
  • Ensure that high-value financial transactions require multiple levels of approval.

What is Social Engineering?

While phishing often relies on digital communication, social engineering encompasses a broader range of tactics, many of which involve direct interaction with the target. The aim of social engineering is to manipulate individuals into revealing confidential information or performing actions that compromise their security. The success of social engineering lies in exploiting human emotions, such as trust, fear, and curiosity.

Common Social Engineering Techniques

Pretexting
Pretexting is a form of social engineering where the attacker fabricates a scenario to obtain sensitive information from the target. The scammer will often impersonate someone the victim knows or trusts, such as a co-worker, IT support, or a government official.

Example: An attacker calls an employee, pretending to be from the company’s HR department, and asks for personal details to “verify” their records. The employee, trusting the authority of HR, complies, unaware that they’re speaking to a scammer.

How to Spot Pretexting:

  • Be cautious when someone asks for personal or sensitive information over the phone or via email, even if they claim to be from a trusted source.
  • Verify the person’s identity by contacting them through official channels, such as a company phone directory.

Baiting
Baiting is a technique where the attacker offers something enticing to lure the victim into compromising their security. This can come in the form of free downloads, media files, or even physical devices left in public places.

Example: A USB drive labelled “Confidential: Company Financials” is left on a table in your office lobby. Out of curiosity, an employee plugs it into their computer to see what’s inside, unknowingly introducing malware into the company’s network.

Preventing Baiting Attacks:

  • Educate employees about the dangers of using unknown USB drives or downloading unsolicited files.
  • Install security software that can detect and block malware from external
    devices.

Quishing (QR Code Phishing)
Quishing is a newer form of phishing that involves the use of malicious QR codes. Scammers may distribute these QR codes via emails, posters, or other forms of media, encouraging victims to scan them with their phones. Once scanned, the victim is taken to a fraudulent website designed to steal personal information or install malware.

Example: You receive a flyer advertising a “free meal” at a popular restaurant if you scan the QR code to download the voucher. When you scan it, you are taken to a fake website that asks for your credit card information to claim the offer.

How to Defend Against Quishing:

  • Be cautious when scanning QR codes from unknown sources or unsolicited messages.
  • Use a mobile security app that can scan and verify QR code links before you visit them.

Vishing (Voice Phishing)
Vishing, or voice phishing, involves attackers making phone calls to their victims, posing as legitimate institutions like banks, government agencies, or tech support. They typically use scare tactics to convince the victim to share sensitive information over the phone.

Example: A scammer calls, claiming to be from your bank’s fraud department. They inform you of “suspicious activity” on your account and request that you confirm your account details and security PIN. In reality, they are gathering the information to steal your identity.

Signs of a Vishing Attack:

  • Callers pressuring you for immediate action or using scare tactics.
  • Requests for sensitive information like passwords, account numbers, or PINs.
  • Caller ID spoofing to make it appear as though the call is coming from a
  • legitimate organisation.

Smishing (SMS Phishing)
Smishing uses text messages as a vector to deliver phishing attacks. These messages often claim to be from trusted sources like banks, government bodies, or delivery services, urging the recipient to click on a link or provide information.

Example: You receive a text message stating that a parcel could not be delivered and that you need to click a link to reschedule the delivery. The link takes you to a fake website designed to steal your personal and financial information.

How to Avoid Smishing:

  • Be wary of unsolicited text messages, especially those containing links or requests for sensitive information.
  • Always navigate to official websites by typing the address into your browser, rather than clicking on links in text messages.

How to Recognise a Scam: Key Red Flags

Phishing and social engineering attacks are increasingly sophisticated, but there are still
some common signs that can help you spot them:

  1. Unfamiliar Senders: If you receive an email, text message, or phone call from someone you don’t recognise, especially if they are asking for sensitive information, take a step back and evaluate the situation. Scammers often impersonate people you trust, so verify their identity before acting.
  2. Suspicious Links: Hover over links in emails or messages before clicking them. This will reveal the actual URL you’re being directed to, which may be different from the displayed link. If the URL looks suspicious, don’t click it.
  3. Spelling and Grammar Mistakes: Many phishing emails and messages are poorly written, with noticeable spelling and grammar errors. While some attackers have improved their writing skills, it’s still common to spot these mistakes as a sign of a scam.
  4. Unusual Requests: Be cautious of emails, messages, or phone calls requesting urgent action, especially if they ask for personal or financial information. Always verify the request with the supposed sender through official channels.

Protecting Yourself and Your Business

While phishing and social engineering attacks continue to evolve, there are several proactive
steps you can take to protect yourself and your organisation:

  1. Employee Training: Regularly train your employees on the latest phishing and social engineering tactics. Ensure they understand the importance of vigilance and encourage them to report suspicious activity.
  2. Use Multi-Factor Authentication (MFA): MFA adds an extra layer of security, requiring users to provide two or more forms of authentication to access sensitive accounts. This can help prevent attackers from accessing accounts, even if they’ve stolen a password.
  3. Regular Software Updates: Ensure that all systems and software are up to date with the latest security patches. Many phishing attacks exploit vulnerabilities in outdated software.
  4. Incident Response Plan: Develop a robust incident response plan that outlines the steps to take if a phishing or social engineering attack occurs. This will help minimise damage and recover quickly from any breaches.
  5. Email Filtering and Firewalls: Use advanced email filtering tools to block phishing emails before they reach your inbox.

Conclusion

Phishing and social engineering attacks continue to be among the most effective cybercriminal tactics because they exploit the most vulnerable part of any security system—human psychology. By recognising the signs of these scams and implementing proactive security measures, you can significantly reduce the risk of falling victim to these attacks.

As cyber threats continue to evolve, awareness and education are critical. The more you know about phishing and social engineering tactics, the better equipped you’ll be to spot the scam before it’s too late. Empower your team, stay vigilant, and take action to protect both your personal and business information from cybercriminals.

Photos by Bernd 📷 Dittrich Zanyar Ibrahim ThisisEngineering Todd Cravens  stephen momot on Unsplash

"Cyberthreats
Opinion, Tips

Cyberthreats Infographic – what you need to know

by Daniel Collyer
October 9, 2024

Following our series of blog posts over the past few weeks, here is something that gives you a snapshot of what you need to know right now. In the form of an infographic, you can download the high res version here.

What other posts have we written that you will find useful?

Why cybersecurity matters for everyone – Cybersecurity Awareness Month

Creating a cybersecurity culture in your SME

10 Cybersecurity Best Practices Every SME Should Implement

Top 5 Cyber Threats Every SME Should Be Aware Of

Inside a Cyber Attack – Key Phases and Business Impact

Cybersecurity 101: What Every SME Needs to Know

Photo by Maxim Hopman on Unsplash

"SOS
CVE Top 10

The SOS Intelligence CVE Chatter Weekly Top Ten – 07 October 2024

by Amir Hadzipasic
October 7, 2024

 

This weekly blog post is from via our unique intelligence collection pipelines. We are your eyes and ears online, including the Dark Web.

There are thousands of vulnerability discussions each week. SOS Intelligence gathers a list of the most discussed Common Vulnerabilities and Exposures (CVE) online for the previous week.

We make every effort to ensure the accuracy of the data presented. As this is an automated process some errors may creep in.

If you are feeling generous please do make us aware of anything you spot, feel free to follow us on Twitter @sosintel and DM us. Thank you!

 

 

1.  CVE-2024-40865

The issue was addressed by suspending Persona when the virtual keyboard is active. This issue is fixed in visionOS 1.3. Inputs to the virtual keyboard may be inferred from Persona.

https://nvd.nist.gov/vuln/detail/CVE-2024-40865

 

 

2. CVE-2023-4357

Insufficient validation of untrusted input in XML in Google Chrome prior to 116.0.5845.96 allowed a remote attacker to bypass file access restrictions via a crafted HTML page. (Chromium security severity: Medium)

https://nvd.nist.gov/vuln/detail/CVE-2023-4357

 

 

3. CVE-2024-7965

Inappropriate implementation in V8 in Google Chrome prior to 128.0.6613.84 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

https://nvd.nist.gov/vuln/detail/CVE-2024-7965

 

 

4. CVE-2024-47176

CUPS is a standards-based, open-source printing system, and `cups-browsed` contains network printing functionality including, but not limited to, auto-discovering print services and shared printers. `cups-browsed` binds to `INADDR_ANY:631`, causing it to trust any packet from any source, and can cause the `Get-Printer-Attributes` IPP request to an attacker controlled URL. When combined with other vulnerabilities, such as CVE-2024-47076, CVE-2024-47175, and CVE-2024-47177, an attacker can execute arbitrary commands remotely on the target machine without authentication when a malicious printer is printed to.

https://nvd.nist.gov/vuln/detail/CVE-2024-47176

 

 

5. CVE-2021-42278

Active Directory Domain Services Elevation of Privilege Vulnerability

https://nvd.nist.gov/vuln/detail/CVE-2021-42278

 

 

6. CVE-2022-22965

A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.

https://nvd.nist.gov/vuln/detail/CVE-2022-22965

 

 

7. CVE-2024-7490

Improper Input Validation vulnerability in Microchip Techology Advanced Software Framework example DHCP server can cause remote code execution through a buffer overflow.
This vulnerability is associated with program files tinydhcpserver.C and program routines lwip_dhcp_find_option.

This issue affects Advanced Software Framework: through 3.52.0.2574.

ASF is no longer being supported. Apply provided workaround or migrate to an actively maintained framework.

https://nvd.nist.gov/vuln/detail/CVE-2024-7490

 

 

8. CVE-2024-47076

CUPS is a standards-based, open-source printing system, and `libcupsfilters` contains the code of the filters of the former `cups-filters` package as library functions to be used for the data format conversion tasks needed in Printer Applications. The `cfGetPrinterAttributes5` function in `libcupsfilters` does not sanitize IPP attributes returned from an IPP server. When these IPP attributes are used, for instance, to generate a PPD file, this can lead to attacker controlled data to be provided to the rest of the CUPS system.

https://nvd.nist.gov/vuln/detail/CVE-2024-47076

 

 

9. CVE-2024-47175

CUPS is a standards-based, open-source printing system, and `libppd` can be used for legacy PPD file support. The `libppd` function `ppdCreatePPDFromIPP2` does not sanitize IPP attributes when creating the PPD buffer. When used in combination with other functions such as `cfGetPrinterAttributes5`, can result in user controlled input and ultimately code execution via Foomatic. This vulnerability can be part of an exploit chain leading to remote code execution (RCE), as described in CVE-2024-47176.

https://nvd.nist.gov/vuln/detail/CVE-2024-47175

 

 

10. CVE-2024-6387

A security regression (CVE-2006-5051) was discovered in OpenSSH’s server (sshd). There is a race condition which can lead sshd to handle some signals in an unsafe manner. An unauthenticated, remote attacker may be able to trigger it by failing to authenticate within a set time period.

https://nvd.nist.gov/vuln/detail/CVE-2024-6387

 

"SOS
CVE Top 10

The SOS Intelligence CVE Chatter Weekly Top Ten – 30 September 2024

by Amir Hadzipasic
September 30, 2024

 

This weekly blog post is from via our unique intelligence collection pipelines. We are your eyes and ears online, including the Dark Web.

There are thousands of vulnerability discussions each week. SOS Intelligence gathers a list of the most discussed Common Vulnerabilities and Exposures (CVE) online for the previous week.

We make every effort to ensure the accuracy of the data presented. As this is an automated process some errors may creep in.

If you are feeling generous please do make us aware of anything you spot, feel free to follow us on Twitter @sosintel and DM us. Thank you!

 

 

1.  CVE-2024-40865

The issue was addressed by suspending Persona when the virtual keyboard is active. This issue is fixed in visionOS 1.3. Inputs to the virtual keyboard may be inferred from Persona.

https://nvd.nist.gov/vuln/detail/CVE-2024-40865

 

 

2. CVE-2023-4357

Insufficient validation of untrusted input in XML in Google Chrome prior to 116.0.5845.96 allowed a remote attacker to bypass file access restrictions via a crafted HTML page. (Chromium security severity: Medium)

https://nvd.nist.gov/vuln/detail/CVE-2023-4357

 

 

3. CVE-2021-44228

Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.

https://nvd.nist.gov/vuln/detail/CVE-2021-44228

 

 

4. CVE-2024-7965

Inappropriate implementation in V8 in Google Chrome prior to 128.0.6613.84 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

https://nvd.nist.gov/vuln/detail/CVE-2024-7965

 

 

5. CVE-2018-17144

Bitcoin Core 0.14.x before 0.14.3, 0.15.x before 0.15.2, and 0.16.x before 0.16.3 and Bitcoin Knots 0.14.x through 0.16.x before 0.16.3 allow a remote denial of service (application crash) exploitable by miners via duplicate input. An attacker can make bitcoind or Bitcoin-Qt crash.

https://nvd.nist.gov/vuln/detail/CVE-2018-17144

 

 

6. CVE-2022-22965

A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.

https://nvd.nist.gov/vuln/detail/CVE-2022-22965

 

 

7. CVE-2024-21060

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Data Dictionary). Supported versions that are affected are 8.0.36 and prior and 8.3.0 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

https://nvd.nist.gov/vuln/detail/CVE-2024-21060

 

 

8. CVE-2023-21716

Microsoft Word Remote Code Execution Vulnerability

https://nvd.nist.gov/vuln/detail/CVE-2023-21716

 

 

9. CVE-2022-1388

On F5 BIG-IP 16.1.x versions prior to 16.1.2.2, 15.1.x versions prior to 15.1.5.1, 14.1.x versions prior to 14.1.4.6, 13.1.x versions prior to 13.1.5, and all 12.1.x and 11.6.x versions, undisclosed requests may bypass iControl REST authentication. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated

https://nvd.nist.gov/vuln/detail/CVE-2022-1388

 

 

10. CVE-2021-42278

Active Directory Domain Services Elevation of Privilege Vulnerability

https://nvd.nist.gov/vuln/detail/CVE-2021-42278

 

"Avis
SOS Intelligence Weekly News Round Up

Weekly News Round-up

by Daniel Collyer
September 24, 2024

16 – 22 September 2024

CVE Discussion and Exploitation

Over the past week, we’ve monitored our vast collection of new data to identify discussions of CVEs. 

Noteworthy Exploitation of New CVEs by Threat Actors:

  • CVE-2024-43461 (Microsoft Windows MSHTML Platform Spoofing)
    Exploited by the Void Banshee APT group, this vulnerability allowed them to spoof the MSHTML component in Windows, tricking users into opening files that appeared to be PDFs but were actually harmful HTA files. This exploit was used in a campaign to deploy the Atlantida infostealer, which targets sensitive information like passwords and cryptocurrency wallets​
  • CVE-2024-43491 (Microsoft Windows Update Remote Code Execution)
    This flaw in Windows Update was actively exploited by UNC2452, also known as Nobelium, the group behind the SolarWinds attack. The group used this vulnerability to rollback patched security updates, targeting legacy systems to gain access to compromised environments​
  • CVE-2024-29847 (Ivanti Endpoint Manager Remote Code Execution)
    This critical vulnerability (CVSS 10.0) was leveraged by FIN11, a financially motivated group known for ransomware campaigns. By exploiting this unauthenticated RCE flaw, attackers gained complete control over enterprise networks, deploying ransomware in corporate and government systems​
  • CVE-2024-38217 (Windows Mark of the Web Security Feature Bypass)
    Exploited by APT29 (also known as Cozy Bear), this vulnerability allowed attackers to bypass security measures by tricking users into opening specially crafted files. This vulnerability was part of a broader campaign targeting government entities​

Ransomware Activity

Over the past week, we’ve captured 73 ransomware incidents, affecting victims in 22 countries across 16 industries.

Ransomware Top 5s

Advancements in Ransomware Tactics:

  • Ransomware groups are evolving their techniques by shifting away from traditional malware use. Instead, attackers now focus on exploiting known vulnerabilities in publicly accessible applications. Many of these attacks rely on legitimate software tools, such as PowerShell and Windows Management Instrumentation (WMI), as part of a “living off the land” strategy. This allows them to avoid detection by using tools already present in the target’s environment. Moreover, encryption-free attacks are becoming more prevalent, where attackers steal data to extort companies without encrypting files, simplifying their operations and reducing the chance of detection. Another notable trend is the continued targeting of newly patched systems, where attackers exploit vulnerabilities soon after patches are released

Emerging Threat Actors:

  • DarkWolf: A new ransomware group identified, targeting sectors in finance and healthcare across Europe. Early analysis suggests they have adopted similar strategies to BlackCat with a focus on data exfiltration and precise targeting of vulnerable networks.
  • StellarCrypt: This group has been observed leveraging a combination of phishing and social engineering to breach systems. Active primarily in the education sector, their operational maturity appears to be increasing, showing signs of evolving into a more structured threat.
  • VoidSpider: A splinter group of LockBit affiliates has emerged, conducting high-speed encryption attacks with modified tools. Their attacks appear opportunistic but have shown strong preference for remote desktop protocol (RDP) vulnerabilities.

Key Ransomware Incidents:

  • German authorities have seized 47 cryptocurrency exchange services that facilitated illegal money laundering for cybercriminals, including ransomware gangs. These platforms allowed users to exchange cryptocurrencies anonymously by bypassing “Know Your Customer” regulations, creating a safe environment for laundering criminal proceeds. The Federal Criminal Police Office (BKA) highlighted that such services are crucial to cybercrime operations, aiding groups like ransomware operators and darknet dealers. Following the operation, titled “Final Exchange,” visitors to the seized sites are redirected to a warning page revealing that the authorities now possess their transaction and user data. Although no arrests have yet been made, future investigations are expected to lead to the prosecution of cybercriminals, while the operators of the exchanges face charges under German law that could result in lengthy prison sentences.
  • Microsoft has reported that the ransomware group Vanilla Tempest, previously known as Vice Society, is now targeting U.S. healthcare organizations with INC ransomware attacks. Active since 2021, Vanilla Tempest has previously attacked sectors like education and IT, using various ransomware strains. Their recent attack on the U.S. healthcare sector involved gaining access via the Gootloader malware, then deploying INC ransomware across the victim’s network. This follows a similar ransomware attack on Michigan’s McLaren Health Care, which disrupted IT systems and patient databases. In May 2024, INC ransomware’s source code was advertised for sale on hacking forums, increasing concerns about its spread.
  • Ransomware groups like BianLian and Rhysida are increasingly using Microsoft’s Azure Storage Explorer and AzCopy tools to exfiltrate data from compromised networks and store it in Azure Blob storage. These tools, designed for managing and transferring large-scale data in Azure, allow cybercriminals to upload stolen data to the cloud, which they can later transfer to their own storage. Azure’s trusted enterprise status and scalability make it less likely to be blocked by corporate firewalls, enabling smoother data theft. Researchers from modePUSH observed attackers using multiple instances of Storage Explorer to speed up the process, with log files providing crucial evidence for incident responders. Security measures to mitigate such attacks include monitoring for AzCopy execution, unusual network traffic to Azure endpoints, and enforcing logout protocols to prevent active session misuse.

News Roundup

Microsoft Patches 79 Vulnerabilities, Including Four Zero-Days

In its September 2024 “Patch Tuesday,” Microsoft addressed 79 vulnerabilities, four of which were zero-day flaws under active exploitation. Notable among them is CVE-2024-38226, impacting Microsoft Publisher, allowing attackers to bypass macro security in untrusted files. Another critical vulnerability, CVE-2024-43491, targets Microsoft Windows Update, posing a remote code execution risk by exploiting previously mitigated vulnerabilities in Windows 10. These patches are crucial as they cover a wide range of issues, including privilege escalation (CVE-2024-38014) and bypassing the “Mark of the Web” protection (CVE-2024-38217)

While Microsoft continues its efforts to secure its software, these zero-day vulnerabilities underscore the persistent threat to enterprises. Security experts emphasize that timely application of these patches is critical to prevent exploitation by cybercriminals. This update also highlights the increasing sophistication of attackers, particularly in targeting essential business tools like Microsoft Office and Windows systems, putting sensitive data at risk

PIXHELL: Data Exfiltration via LCD Screens

A new attack method named PIXHELL has been discovered, demonstrating how data can be stolen from air-gapped systems via LCD monitors. Researchers at Ben-Gurion University of the Negev devised a technique where malware modulates pixel patterns on LCD screens, generating sound frequencies that can be captured by nearby devices, such as smartphones. Though the data transfer rate is low at 20 bits per second, it poses a risk for exfiltrating sensitive information like passwords

PIXHELL is part of a growing trend of side-channel attacks targeting systems that are isolated from external networks. Security experts advise that critical environments, particularly those handling highly sensitive data, implement strict access controls, including banning devices with microphones and introducing background noise to neutralize potential attacks

Commercial Spyware Evades Global Sanctions

Commercial spyware, such as Pegasus and Predator, continues to be a pressing issue despite international sanctions. These tools are reportedly evolving to be harder to detect, enabling authoritarian regimes to deploy them against journalists and activists. Developers are circumventing regulations by renaming their companies and altering spyware to obscure the countries using them. Governments and civil society groups are increasingly calling for stricter oversight of the spyware industry, as these tools enable cyber-espionage on a global scale​

Avis Car Rental Cyberattack Affects 299,000 Customers

Avis, a major car rental service, disclosed a cyberattack in August 2024 that led to the theft of sensitive information from 299,006 customers. The stolen data includes names, contact details, credit card numbers, and driver’s license information. Avis has begun notifying affected individuals and is offering free credit monitoring for a year. The full scale of the attack is still under investigation, and there is potential for the number of affected customers to increase as more details emerge

MC2 Data Leak Exposes Over 100 Million U.S. Citizens

A massive data breach involving MC2 Data, a background check service, exposed the personal records of over 100 million U.S. citizens. The unprotected database, discovered in September 2024, included names, Social Security numbers, and other personal details. This breach highlights the ongoing vulnerability of personal data held by third-party services, raising concerns about inadequate cybersecurity practices in sectors that handle sensitive information.

"Creating
Opinion, SME Cybersecurity

Creating a Cybersecurity Culture in Your SME

by Daniel Collyer
September 24, 2024

In today’s digital age, SMEs (small and medium-sized enterprises) face many of the same cybersecurity challenges as larger companies but often lack the resources to address them effectively. Building a robust cybersecurity culture is one of the most effective ways SMEs can safeguard their operations from cyber threats. This culture extends beyond simply having policies in place; it’s about embedding security into the very DNA of your organisation so that every employee, from top leadership to entry-level staff, understands their role in keeping the company secure.

A strong cybersecurity culture helps SMEs become more resilient in the face of evolving cyber threats. When all employees are committed to security best practices, it reduces the chance of falling victim to increasingly sophisticated attacks. It’s not just about securing devices and networks; a robust culture of security is about proactive vigilance, ongoing education, and creating an atmosphere where employees feel empowered to identify and report potential issues.

In this blog post, we’ll explore the steps needed to foster a cybersecurity culture within your SME, including ongoing training, leadership involvement, and creating a response plan. These measures will help ensure your business is more resilient to cyber threats.

Why Cybersecurity Culture Matters for SMEs

Creating a cybersecurity culture isn’t just about protecting sensitive data or meeting regulatory requirements; it’s about ensuring the longevity of your business. The reality is that SMEs are frequently targeted by cybercriminals because they often have fewer resources to defend themselves. According to the UK Government’s Cyber Security Breaches Survey 2024, 48% of SMEs reported experiencing a cybersecurity breach in the past 12 months, with the average cost of a breach totalling thousands of pounds. In addition to financial losses, these attacks can severely damage an SME’s reputation and disrupt business operations.

Creating a Cybersecurity Culture SOS Intelligence

Given the increasing digitisation of business processes, SMEs cannot afford to ignore cybersecurity. The misconception that only large enterprises are targeted by cybercriminals is no longer valid. Many SMEs hold sensitive data that can be valuable to attackers, including customer information, financial data, and intellectual property. Cybercriminals often see smaller companies as easy targets because they are assumed to have weaker defences.

Moreover, cybersecurity threats are constantly evolving. What worked in terms of defence a year ago may no longer be effective today. From phishing scams to ransomware attacks, cybercriminals continuously adapt their tactics to exploit vulnerabilities in an organisation’s infrastructure. This means SMEs must build a culture where cybersecurity awareness is ingrained in every employee’s mindset, ensuring the entire workforce remains vigilant and proactive about new and emerging threats.

Building the Foundation: Leadership Involvement

The first step in fostering a cybersecurity culture is ensuring that leadership is fully engaged in the process. Leadership sets the tone for the rest of the organisation, and without their buy-in, it will be difficult to get employees to take cybersecurity seriously. In fact, the commitment of senior management is often the deciding factor in whether a cybersecurity initiative is successful.

1. Lead by Example

Leaders must demonstrate a commitment to cybersecurity by participating in training and adhering to the same security policies as everyone else. When employees see management taking security seriously, they are more likely to follow suit. Moreover, when leaders show that they, too, are subject to the same protocols and scrutiny, it reduces the perception of cybersecurity being a burdensome requirement imposed solely on lower-level employees.

Creating a Cybersecurity Culture SOS Intelligence

For leadership, it’s essential to highlight how cybersecurity contributes to the company’s overall mission. For example, protecting sensitive customer data could be framed not only as a compliance obligation but also as a way to build trust and loyalty with customers. Additionally, security measures help protect the company from financial losses and reputational damage, which are critical to the business’s long-term sustainability. Leaders who emphasise this alignment between cybersecurity and business goals help reinforce its importance across the organisation.

2. Appoint a Cybersecurity Champion

If your SME doesn’t have the resources to hire a full-time Chief Information Security Officer (CISO), consider appointing a cybersecurity champion from within your organisation. This person will act as the point of contact for all security-related concerns, drive security initiatives, and help promote a culture of awareness. They can ensure that security is consistently discussed at meetings, initiate training opportunities, and spearhead efforts to improve company-wide adherence to cybersecurity protocols.

While your cybersecurity champion may not necessarily have deep technical expertise, their role is more about coordination and communication. They serve as the go-to person for employees with questions or concerns about cybersecurity and help reinforce security best practices in everyday business activities. Having someone in this role makes cybersecurity feel more accessible and reinforces the idea that everyone has a stake in the company’s security posture.

Employee Engagement: Ongoing Training and Education

One-off training sessions or annual security updates are no longer enough to keep employees aware of the latest threats. Cyber threats are constantly evolving, and so must your training initiatives. Ongoing education and engagement are essential to maintaining a cybersecurity culture. Regular training helps to address common human errors, such as falling for phishing scams or using weak passwords, which are frequently exploited by cybercriminals.

1. Tailor Your Training

The most effective training programmes are tailored to your specific industry and company structure. While generic training can raise awareness, training that is relevant to the threats your organisation faces will be more impactful. For example, if your SME handles sensitive financial information, training should focus on the types of cyber threats targeting the finance sector, such as phishing, social engineering, or ransomware. Tailoring the content makes the training more engaging and relevant, increasing the likelihood that employees will take it seriously.

It’s also important to take into account the varying levels of technical expertise within your team. While some employees may be well-versed in technology and security practices, others may not. Adjust your training accordingly, offering different levels of instruction to ensure that even those who aren’t tech-savvy can understand the risks and their role in maintaining security.

2. Make Training Interactive

Training doesn’t have to be boring. Interactive sessions, quizzes, and real-world simulations, such as phishing simulations, can help employees understand the risks and consequences of cybersecurity lapses in an engaging way. Many companies now offer gamified cybersecurity training, which makes learning about security fun and competitive. This approach increases retention of key lessons, as employees are more likely to remember scenarios they’ve actively participated in.

Phishing simulations are especially important, as phishing remains one of the most common and effective tactics used by cybercriminals. Sending mock phishing emails to employees and monitoring their responses allows you to identify weaknesses and provide additional training to those who need it. When employees are tested regularly, they are more likely to remain vigilant and sceptical of suspicious emails, reducing the risk of a successful attack.

Creating a Cybersecurity Culture SOS Intelligence

3. Establish a Regular Training Schedule

Cybersecurity should be an ongoing conversation within your organisation. Consider holding quarterly or even monthly security training sessions to keep employees updated on the latest threats and best practices. Regularly review your training materials to ensure they address current threats and compliance requirements. Employees should also be reminded of the consequences of failing to adhere to security protocols, such as disciplinary action or the potential for a data breach

that could damage the business’s finances and reputation.

Training should be accessible, easy to understand, and practical. As threats evolve, new training content should reflect these changes. For example, emerging threats like quishing (QR code phishing) or supply chain attacks should be discussed in upcoming sessions. Make sure employees know that cybersecurity training isn’t a one-time event but a continual process aimed at keeping the business secure in an ever-changing digital landscape.

Foster an Open Reporting Culture

One of the biggest barriers to creating a cybersecurity culture is the fear employees may have of reporting mistakes. Whether it’s accidentally clicking on a phishing link or mishandling sensitive information, employees may hesitate to report incidents for fear of punishment or embarrassment. Unfortunately, this reluctance can allow small issues to spiral into major security breaches, which could have been mitigated with timely reporting.

1. Remove the Stigma Around Cybersecurity Incidents

To foster a cybersecurity culture, create a non-punitive reporting process. Emphasise that mistakes happen, and that the most important thing is to report incidents quickly so they can be addressed. This approach not only reduces the likelihood of an unreported breach but also encourages employees to be proactive in spotting and reporting potential vulnerabilities.

Create an environment where employees feel safe and supported when discussing cybersecurity. Consider adding anonymous reporting mechanisms, so employees can report incidents without fear of personal repercussions. By focusing on correcting mistakes rather than assigning blame, your SME can address risks proactively and reduce the likelihood of small errors snowballing into major security incidents.

2. Implement a Clear Reporting Process

Ensure that employees know exactly how to report security incidents, and make the process as simple as possible. Whether it’s a dedicated email address, an internal ticketing system, or a phone line, having a streamlined process ensures incidents are reported and addressed quickly. Encourage employees to report even minor concerns—what may seem insignificant to them could indicate a larger issue.

You should also ensure that employees are comfortable asking questions when they are unsure about the legitimacy of an email, link, or attachment. Having an accessible support structure where employees can confirm whether something is suspicious is vital for preventing security breaches. Remind employees that reporting suspicious activity, even if it turns out to be harmless, is far better than ignoring it altogether.

Incorporate Cybersecurity into Day-to-Day Operations

For cybersecurity to become part of your company’s culture, it must be incorporated into everyday activities. This doesn’t mean bogging employees down with complex security tasks, but rather making security a natural part of their workflow. When security becomes a habit rather than a burden, it becomes ingrained in the daily routine of your employees.

1. Automate Where Possible

Cybersecurity can be overwhelming, especially for employees who aren’t tech-savvy. To help integrate security into daily tasks, consider using tools that automate some of the more complicated aspects of cybersecurity. For example, password managers can help employees create and store strong, unique passwords without having to remember them, and multi-factor authentication (MFA) can add an extra layer of security without requiring much effort from the user.

In addition to password management and MFA, consider using automated tools that regularly scan your systems for vulnerabilities, ensuring that any weaknesses are identified and addressed before they can be exploited. Automated patch management systems, which update software as soon as security patches become available, can significantly reduce the risk of attacks that exploit outdated software. By automating key processes, you remove the burden from employees and reduce the risk of human error.

2. Security as a Conversation Topic

Security should be a regular agenda item in team meetings. Brief employees on new security initiatives, emerging threats, or any incidents that occurred in the wider industry. This not only keeps security top of mind but also helps normalise it as a critical business function. Discussing cybersecurity as part of normal business operations helps embed it into your company’s everyday processes.

Having a dedicated time for discussing security can also bring attention to industry-specific threats. If an SME operates in sectors like healthcare, finance, or e-commerce, the risks associated with breaches can be particularly high. Incorporating discussions around cybersecurity in day-to-day meetings ensures that employees remain aware of these risks and can act accordingly.

Develop a Comprehensive Incident Response Plan

No matter how strong your cybersecurity culture is, incidents will happen. The key is being prepared. A well-developed incident response plan is essential for quickly and effectively managing a breach. It provides clear guidance for the team, outlining the actions they need to take when a security incident occurs, which helps minimise damage.

Creating a Cybersecurity Culture SOS Intelligence

1. Identify Your Critical Assets

Your incident response plan should begin by identifying the assets that are most critical to your business. These could include customer data, intellectual property, or operational systems. Once identified, you can create a priority list to help your team focus on what needs to be protected first in the event of a breach. Understanding your most valuable assets will enable you to tailor your incident response plan and ensure that the most critical parts of your business are protected.

In SMEs, critical assets can vary greatly depending on the industry. For instance, in a financial services SME, customer data and transactional systems will be key priorities. In contrast, for a retail SME, customer credit card data and e-commerce platforms may be the primary concern. Once these assets are identified, you can categorise the risks and assign appropriate security measures, ensuring that these high-priority elements are adequately safeguarded.

2. Outline Key Roles and Responsibilities

A clear incident response plan should assign specific roles to team members. Everyone should know who is responsible for what during a cybersecurity incident. This includes not only IT staff but also communication teams, HR, and leadership. Employees should also know whom to report to in the event of a breach.

The incident response team should be equipped with a plan that is tailored to the type of attack being experienced. For example, a ransomware attack may require different actions from a data breach. Key personnel should be trained on how to handle different scenarios, ensuring that the response is swift and effective. Additionally, outlining roles and responsibilities ahead of time ensures that there is no confusion during an actual event, and the team can act quickly to mitigate damage.

3. Create a Communication Plan

A communication plan is a critical part of incident response. This includes internal communication (informing employees about the breach and how it’s being handled) as well as external communication (notifying clients, partners, and regulators). Make sure your communication plan is clear, concise, and ready to be implemented at a moment’s notice. Be transparent about what is happening and provide reassurance that the incident is being managed.

Clear communication is also essential for maintaining customer trust. In the event of a breach, you must inform affected customers quickly and provide them with guidance on any actions they should take, such as changing passwords or monitoring accounts for suspicious activity. Transparency helps manage reputational risk and can help preserve client relationships even in the face of a cybersecurity incident.

4. Conduct Regular Drills

Incident response plans should be tested regularly. Conduct drills or simulations to ensure that all employees know their roles and can respond effectively. These drills should mimic real-life scenarios, such as a ransomware attack or a data breach, to help employees get used to the pressure of responding to an actual incident.

Regular drills allow you to identify weaknesses in your incident response plan, enabling you to make improvements before a real breach occurs. Simulations also give employees a better understanding of how incidents unfold, the decisions they may need to make, and how quickly they need to act to minimise damage. The more comfortable employees are with the process, the more efficiently they will respond during an actual incident.

Encourage Personal Cybersecurity Responsibility

While businesses can put countless policies, tools, and procedures in place, ultimately, it’s up to each individual employee to take responsibility for their own cybersecurity. Encouraging this personal responsibility is the final step in creating a cybersecurity culture. When employees understand that they play a crucial role in protecting company assets, they are more likely to stay vigilant and adopt good cybersecurity practices.

1. Promote Safe Personal Habits

Encourage employees to adopt good cybersecurity habits not just in the workplace but in their personal lives as well. This could include using strong, unique passwords for personal accounts, enabling MFA on social media accounts, or being mindful of the risks associated with sharing too much personal information online. When employees apply these practices in their personal lives, they are more likely to bring the same level of vigilance to the workplace.

Educating employees about the overlap between personal and work cybersecurity is essential. With remote and hybrid working environments, the lines between personal and professional devices and networks can blur. Ensuring that employees understand how their personal digital habits can affect the security of business data is key. Whether they are using their own devices for work or sharing company information across personal networks, they must adopt best practices in every aspect of their digital lives.

Creating a Cybersecurity Culture SOS Intelligence

2. Reward Good Cybersecurity Behaviour

Incentivising good cybersecurity practices can further encourage a security-conscious culture. Whether it’s through a formal reward system or informal recognition, acknowledging employees who consistently demonstrate good security behaviour reinforces the importance of cybersecurity.

Reward systems can be simple yet effective. For example, recognising an employee who successfully identifies and reports a phishing attempt can encourage others to stay alert. Alternatively, offering small incentives for employees who complete cybersecurity training modules or contribute to the company’s security initiatives can also boost participation and engagement. By rewarding positive behaviours, you create an environment where employees feel motivated to contribute to the company’s security efforts.

Conclusion

Creating a cybersecurity culture in your SME is an ongoing process that requires commitment from all levels of the organisation. By involving leadership, providing ongoing training, fostering an open reporting culture, integrating security into daily operations, developing an incident response plan, and encouraging personal responsibility, you can build a culture where cybersecurity is a top priority.

In a world where cyber threats are constantly evolving, having a cybersecurity culture isn’t just a nice-to-have; it’s a business necessity. A well-trained, security-conscious workforce is your first line of defence against cybercriminals, helping to protect your SME from costly and potentially devastating cyberattacks. By embedding security into your company’s values and day-to-day operations, you’ll be well on your way to creating a more resilient and secure organisation.

We are here to help you as we appreciate there is a lot to think about! May we recommend your first step? Book a call and a demo so we can show you SOS Intelligence – we promise it will help you sleep easier at night.

Photos by John Schnobrich, Luca Bravo, Riccardo Annandale Dylan Gillis Alvaro Reyes Ariel 

"SOS
CVE Top 10

The SOS Intelligence CVE Chatter Weekly Top Ten – 23 September 2024

by Amir Hadzipasic
September 23, 2024

 

This weekly blog post is from via our unique intelligence collection pipelines. We are your eyes and ears online, including the Dark Web.

There are thousands of vulnerability discussions each week. SOS Intelligence gathers a list of the most discussed Common Vulnerabilities and Exposures (CVE) online for the previous week.

We make every effort to ensure the accuracy of the data presented. As this is an automated process some errors may creep in.

If you are feeling generous please do make us aware of anything you spot, feel free to follow us on Twitter @sosintel and DM us. Thank you!

 

 

1.  CVE-2023-4357

Insufficient validation of untrusted input in XML in Google Chrome prior to 116.0.5845.96 allowed a remote attacker to bypass file access restrictions via a crafted HTML page. (Chromium security severity: Medium)

https://nvd.nist.gov/vuln/detail/CVE-2023-4357

 

 

2. CVE-2018-17144

Bitcoin Core 0.14.x before 0.14.3, 0.15.x before 0.15.2, and 0.16.x before 0.16.3 and Bitcoin Knots 0.14.x through 0.16.x before 0.16.3 allow a remote denial of service (application crash) exploitable by miners via duplicate input. An attacker can make bitcoind or Bitcoin-Qt crash.

https://nvd.nist.gov/vuln/detail/CVE-2018-17144

 

 

3. CVE-2024-7965

Inappropriate implementation in V8 in Google Chrome prior to 128.0.6613.84 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

https://nvd.nist.gov/vuln/detail/CVE-2024-7965

 

 

4. CVE-2024-8190

An OS command injection vulnerability in Ivanti Cloud Services Appliance versions 4.6 Patch 518 and before allows a remote authenticated attacker to obtain remote code execution. The attacker must have admin level privileges to exploit this vulnerability.

https://nvd.nist.gov/vuln/detail/CVE-2024-8190

 

 

5. CVE-2022-22965

A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.

https://nvd.nist.gov/vuln/detail/CVE-2022-22965

 

 

6. CVE-2021-42278

Active Directory Domain Services Elevation of Privilege Vulnerability

https://nvd.nist.gov/vuln/detail/CVE-2021-42278

 

 

7. CVE-2024-38812

The vCenter Server contains a heap-overflow vulnerability in the implementation of the DCERPC protocol. A malicious actor with network access to vCenter Server may trigger this vulnerability by sending a specially crafted network packet potentially leading to remote code execution.

https://nvd.nist.gov/vuln/detail/CVE-2024-38812

 

 

8. CVE-2024-21060

Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Data Dictionary). Supported versions that are affected are 8.0.36 and prior and 8.3.0 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

https://nvd.nist.gov/vuln/detail/CVE-2024-21060

 

 

9. CVE-2024-7964

Use after free in Passwords in Google Chrome on Android prior to 128.0.6613.84 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

https://nvd.nist.gov/vuln/detail/CVE-2024-7964

 

 

10. CVE-2023-40547

A remote code execution vulnerability was found in Shim. The Shim boot support trusts attacker-controlled values when parsing an HTTP response. This flaw allows an attacker to craft a specific malicious HTTP request, leading to a completely controlled out-of-bounds write primitive and complete system compromise. This flaw is only exploitable during the early boot phase, an attacker needs to perform a Man-in-the-Middle or compromise the boot server to be able to exploit this vulnerability successfully.

https://nvd.nist.gov/vuln/detail/CVE-2023-40547

 

""/
SOS Intelligence Weekly News Round Up

Weekly News Round Up

by Daniel Collyer
September 17, 2024

09 – 15 September 2024

CVE Discussion and Exploitation

Over the past week, we’ve monitored our vast collection of new data to identify discussions of CVEs. 

Noteworthy Exploitation of New CVEs by Threat Actors:

  1. Cisco ASA SSL VPN Vulnerability (CVE-2024-40200): This RCE vulnerability is being exploited by Chinese and Russian state-sponsored APTs to gain unauthorized access to sensitive data transmitted over SSL VPNs. Targets include government agencies and critical infrastructure, particularly in APAC, making it a priority for patching.
  2. Citrix Gateway RCE Vulnerability (CVE-2024-40321): Exploited by APT29 (Cozy Bear), this flaw allows unauthenticated remote code execution. The group has used it to gain persistent access to enterprise networks in attacks against multinational corporations and financial institutions, underscoring its rapid adoption by espionage actors.
  3. Sophos XG Firewall Vulnerability (CVE-2024-41107): Iranian-linked threat actors have exploited this to bypass security controls and gain footholds in MENA-region networks. This is part of broader espionage activities targeting government and defense organizations.
  4. Zimbra Collaboration Suite Vulnerability (CVE-2024-40998): APT28 (Fancy Bear) is actively exploiting this flaw to steal sensitive emails and credentials. Zimbra is widely used by universities and government agencies, making this CVE highly dangerous for academic and public sector institutions.

Key Takeaways:

  • Cisco ASA SSL VPN and Citrix Gateway vulnerabilities are seeing heavy exploitation in cyber-espionage campaigns, with state-sponsored actors using these flaws to target critical infrastructure and government agencies.
  • Sophos XG Firewalls and Zimbra Collaboration Suite vulnerabilities are being actively exploited by APT groups, focusing on data theft and long-term persistence within sensitive networks, particularly in the Middle East and academic sectors.

Ransomware Activity

Over the past week, we’ve captured 82 ransomware incidents, affecting victims in 23 countries across 24 industries.

Ransomware Top 5s

Advancements in Ransomware Tactics:

  • Advanced EDR Evasion Techniques: Ransomware operators, particularly RansomHub, have been deploying sophisticated tools like Kaspersky’s TDSSKiller to bypass endpoint detection and response (EDR) systems. This reflects the growing use of Bring Your Own Vulnerable Driver (BYOVD) strategies, which are increasingly being employed to disable security measures before deploying ransomware.
  • Targeting Virtualized Infrastructures: Groups such as Storm-0506 and Manatee Tempest have turned their attention toward VMware ESXi hypervisors, exploiting vulnerabilities like CVE-2024-37085. This allows them to rapidly encrypt multiple virtual machines, expanding their attack surface by compromising critical server environments.

Emerging Threat Actors:

  • Helldown: A newly surfaced group, Helldown, made its mark by listing 17 victims on its leak site in a short period, indicating it may quickly become a more prominent player. Their focus has been on exploiting unpatched vulnerabilities to target a broad array of victims.
  • Manatee Tempest: This relatively new group has been gaining attention for its focused exploitation of ESXi vulnerabilities, joining the ranks of emerging ransomware gangs that prioritize attacks on virtualization technologies.

Key Ransomware Incidents:

  • Storm-0506 (Black Basta) Attack on Engineering Firm: Storm-0506 conducted a high-profile attack against a North American engineering firm, exploiting CVE-2023-28252 (a Windows CLFS vulnerability). The group leveraged advanced credential-stealing tools like Cobalt Strike and Pypykatz to compromise administrative accounts and encrypt virtual machines, causing widespread operational disruption.
  • Meow Ransomware Group Resurgence: The Meow ransomware group has shifted its focus from Russian targets to U.S. entities, marking a resurgence in its activity. Using Conti’s leaked ransomware code, Meow has been increasingly active, showing adaptability in its targeting strategy and operational methods.

News Roundup

Payment Provider Breach Exposes Credit Card Data

On September 10th, 2024, payment provider Slim CD disclosed a significant data breach affecting 1.7 million users. The breach resulted in the exposure of sensitive credit card information, raising concerns about customer financial security. Slim CD reported the breach promptly, triggering investigations into how the attackers were able to bypass existing defences. The company is urging affected customers to monitor their financial statements closely for any suspicious activity and is working with cybersecurity experts to fortify its systems.

Meta Scrapes User Data to Train AI

On September 12th, 2024, Meta (formerly Facebook) admitted to scraping user data, including images and posts, from Australian profiles to train its AI models. Worryingly, this data collection also included content from minors featured on adult profiles, prompting privacy concerns. Australian regulators and privacy advocates have voiced concerns about the scope of Meta’s data-gathering efforts and the lack of transparency. The incident has reignited debates on data privacy and the ethical use of personal information in AI training.

RansomHub: A New Threat in Ransomware

US authorities issued a joint advisory on the growing threat of RansomHub, a ransomware-as-a-service group that has gained prominence throughout 2024. Formerly known as Cyclops and Knight, the group has attacked over 200 organisations since February 2024, targeting critical sectors such as water, manufacturing, and government services. Authorities recommend organisations implement multi-factor authentication and enhance phishing detection to defend against this rapidly evolving threat​.

Zero-Day Vulnerabilities in Ivanti EPM

On September 11th, 2024, researchers revealed that critical vulnerabilities in Ivanti Endpoint Manager (EPM) were being actively exploited in the wild. These zero-day flaws, rated CVSS 10, allow remote attackers to take full control of affected systems. Ivanti has urged organisations to apply patches immediately to mitigate the risk of exploitation. The vulnerabilities have been leveraged by both criminal groups and nation-state actors, targeting critical industries such as healthcare, government, and energy​.

AppleCare+ Scam Exposed

A new scam surfaced on September 13th, 2024, where attackers used GitHub repositories to create fake AppleCare+ websites, tricking users into providing personal and financial information. The scam involved impersonating legitimate Apple services, offering fraudulent tech support and extended warranties. Security experts warn that this technique, leveraging trusted platforms like GitHub, represents an evolution in phishing tactics. Users are advised to verify the legitimacy of any unsolicited AppleCare+ communications and avoid clicking on suspicious links​.

Photo by FlyD on Unsplash

1 2 3 4 22 23
Recent Posts
Recent Comments
    Privacy Settings
    We use cookies to enhance your experience while using our website. If you are using our Services via a browser you can restrict, block or remove cookies through your web browser settings. We also use content and scripts from third parties that may use tracking technologies. You can selectively provide your consent below to allow such third party embeds. For complete information about the cookies we use, data we collect and how we process them, please check our Privacy Policy
    Youtube
    Consent to display content from - Youtube
    Vimeo
    Consent to display content from - Vimeo
    Google Maps
    Consent to display content from - Google
    Spotify
    Consent to display content from - Spotify
    Sound Cloud
    Consent to display content from - Sound
    Save