Blog

Cybersecurity news

• Computer security experts in Scotland have developed a system that uses thermal imaging and artificial intelligence to guess computer and smartphone passwords in seconds.
• A phishing-as-a-service platform named ‘Caffeine’ makes it easy for threat actors to launch attacks, featuring an open registration process allowing anyone to jump in and start their own phishing campaigns. Caffeine doesn’t require invites or referrals, nor does it require wannabe threat actors to get approval from an admin on Telegram or a hacking forum. Due to this, it removes much of the friction that characterizes almost all platforms of this kind.
• The Zimbra Collaboration Suite is impacted by a critical remote code execution vulnerability that remains unpatched, despite being exploited in attacks. The issue, tracked as CVE-2022-41352, exists because of the Cpio method that the Zimbra antivirus engine uses when scanning inbound emails. According to Rapid7, an attacker can exploit the vulnerability by emailing a .cpio, .tar, or .rpm file to an affected server.
• Fortinet has warned administrators to update FortiGate firewalls, FortiProxy web proxies, and FortiSwitch Manager on-premise management platforms to the latest versions, which address a critical severity vulnerability.

More

From time to time when researching product ideas and hypotheses, our team develops prototypes. We have an opinion that some of them could be useful to the cybersecurity community. Today we want to share a model for ranking indicators of compromise that we implemented based on the study “Scoring model for IoCs by combining open intelligence feeds to reduce false positives” by the University of Amsterdam. This model solves one of the key tasks of threat intelligence: ranking indicators of compromise according to a number of parameters in order to distinguish among them the most dangerous and narrow the focus of the search for threats.

The model operates with sufficiently clear parameters (coefficients), which are used in the calculation:

• Extensiveness is a measure of the number of interrelationships between indicators of compromise and other indicators and contexts.
• Timeliness is a measure of the speed with which a source provides data compared to other sources.
• Completeness – the completeness of the data in the source relative to the total data set of all sources.

In addition to these parameters, there is an additional coefficient to take into account the inclusion of IoCs in lists of known non-malicious resources, a decay coefficient to adjust the rate of rating obsolescence and coefficient weights, with which you can adapt the model to your needs.

More

Defensys is proud to announce that current version of the SGRC now supports Shariah Governance Framework for Local Banks Operating in Saudi Arabia.

This framework is ready to be used in compliance procedures by all the organisations operating under the requirements regulated by SAMA along with the SAMA frameworks themselves.

“We rapidly responded on such a demand from mostly banks in the KSA where we currently doing projects with our partners. Now any institution that operates in the Kingdom can do all the audits using out-of-the box frameworks available right after the installation of our SGRC solution which is a part of the whole cyber security ecosystem by Defensys. Also there is an option to add local and internal frameworks, standards and check-lists fetching all the requirements into the one list to save time of our customers when assessing similar requirements from different standards”

The Defensys SGRC solution helps enterprise companies of different scales to control the state of cybersecurity and effectively evolve cybersecurity based not only on compliance procedures but also on automatic risk assessments and the ability of the system to merge all the needed inventory data from different sources to create a master assets source for the whole organisation.

More

Cybersecurity news

• The Cybersecurity and Infrastructure Security Agency has added three more security flaws to its list of bugs exploited in attacks, including a Bitbucket Server RCE and two Microsoft Exchange zero-days. CISA’s Known Exploited Vulnerabilities catalog now includes two Microsoft Exchange zero-days (CVE-2022-41040 and CVE-2022-41082) exploited in limited, targeted attacks, according to Microsoft.
• A new phishing campaign targets US and New Zealand job seekers with malicious documents installing Cobalt Strike beacons for remote access to victims’ devices. The attack is modularized and multi-staged, with most steps relying on executing obfuscated scripts from the host’s memory and abusing the Bitbucket code hosting service to evade detection.
• Hackers have found a new method to establish persistence on VMware ESXi hypervisors to control vCenter servers and virtual machines for Windows and Linux while avoiding detection. With the help of malicious vSphere Installation Bundles, the attacker was able to install on the bare-metal hypervisor two backdoors that researchers have named VirtualPita and VirtualPie.
• Hackers have started using a new code execution technique that relies on mouse movement in Microsoft PowerPoint presentations to trigger a malicious PowerShell script.

More

Challenge

This is CERT, which main task is to collect information about incidents from its subordinates , as well as inform them about the main threats, attacks, vulnerabilities etc.

Before taking a look at the SOAR class systems almost all the procedures of interacting with different representatives of the regulated companies were manual. CERT communicated
with everyone via mailbox. For manual enrichment of IoCs delivered from subordinates, CERT analysts used various services, for example, WHOIS.

Also there was a demand from the regulated companies to have an electronic service to operate with this CERT with the possibility to automatically register incidents and IoCs.

Defensys products

The customer wanted to estimate comprehensively different types of building automation for their needs covered above:

• matured software from some vendor with features specially tailored for such needs
• ServiceDesk-like systems with some added programming and customization
• fully custom programmed software based just on the needs of this CERT

As a result a part of Defensys’s ecosystem: SOAR + TIP was chosen among other respectful vendors for building this selfservice cybersecurity portal.

Results

The following number of important issues was resolved after the implementation of Defensys SOAR+TIP:

• Build a personal account based self-service portal which allows subjects to access their accounts via API or UI, to send incidents to the regulator, creating incident cards of a particular category (the card depends on which fields you fill in and on the role of a user), register incidents via API for other vendors.

More