IT hygiene is a security best practice that ensures that digital assets in an organization’s environment are secure and running properly. Good IT hygiene includes vulnerability management, security configuration assessments, maintaining asset and system inventories, and comprehensive visibility into the activities occurring in an environment.

As technology advances and the tools used by cybercriminals and cybersecurity professionals evolve, the strategies used to carry out cyber attacks differ based on their complexity and uniqueness. Threat actors continuously target organizations practicing poor IT hygiene to exploit known security weaknesses and human error. Security administrators can defend against cyberattacks by implementing good IT hygiene practices like whitelisting programs, keeping systems up to date, and more.

Gaining complete visibility into the IT assets is fundamental to developing an effective security strategy. The emergence of shadow IT, like rogue assets, software, or user accounts, can create a blind spot that threat actors can use as an attack vector. IT hygiene practices address the issue of visibility, ensuring IT assets are adequately protected therefore reducing the attack surface.

images from Hacker News

The threat actors behind BlackCat ransomware have come up with an improved variant that prioritizes speed and stealth in an attempt to bypass security guardrails and achieve their goals.

The new version, dubbed Sphynx and announced in February 2023, packs a “number of updated capabilities that strengthen the group’s efforts to evade detection,” IBM Security X-Force said in a new analysis.

The “product” update was first highlighted by vx-underground in April 2023. Trend Micro, last month, detailed a Linux version of Sphynx that’s “focused primarily on its encryption routine.”

BlackCat, also called ALPHV and Noberus, is the first Rust-language-based ransomware strain spotted in the wild. Active since November 2021, it has emerged as a formidable ransomware actor, victimizing more than 350 targets as of May 2023.

images from Hacker News

Cybersecurity researchers have offered a closer look at the RokRAT remote access trojan that’s employed by the North Korean state-sponsored actor known as ScarCruft.

“RokRAT is a sophisticated remote access trojan (RAT) that has been observed as a critical component within the attack chain, enabling the threat actors to gain unauthorized access, exfiltrate sensitive information, and potentially maintain persistent control over compromised systems,” ThreatMon said.

ScarCruft, active since at least 2012, is a cyber espionage group that operates on behalf of the North Korean government, exclusively focusing on targets in its southern counterpart.

images from Hacker News

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a recently patched critical security flaw in Zyxel gear to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation.

Tracked as CVE-2023-28771 (CVSS score: 9.8), the issue relates to a command injection flaw impacting different firewall models that could enable an unauthenticated attacker to execute arbitrary code by sending a specially crafted packet to the device.

images from Hacker News

WordPress has issued an automatic update to address a critical flaw in the Jetpack plugin that’s installed on over five million sites.

The vulnerability, which was unearthed during an internal security audit, resides in an API present in the plugin since version 2.0, which was released in November 2012.

“This vulnerability could be used by authors on a site to manipulate any files in the WordPress installation,” Jetpack said in an advisory. 102 new versions of Jetpack have been released to remediate the bug.

images from Hacker News

A financially motivated threat actor is actively scouring the internet for unprotected Apache NiFi instances to covertly install a cryptocurrency miner and facilitate lateral movement.

The findings come from the SANS Internet Storm Center (ISC), which detected a spike in HTTP requests for “/nifi” on May 19, 2023.

“Persistence is achieved via timed processors or entries to cron,” said Dr. Johannes Ullrich, dean of research for SANS Technology Institute. “The attack script is not saved to the system. The attack scripts are kept in memory only.”

A honeypot setup allowed the ISC to determine that the initial foothold is weaponized to drop a shell script that removes the “/var/log/syslog” file, disables the firewall, and terminates competing crypto-mining tools, before downloading and launching the Kinsing malware from a remote server.

images from Hacker News