Security News
Folks at Technische Universität Wien in Austria have devised a formal security framework called WebSpec to analyze browser security. They've used it to identify multiple logical flaws affecting web browsers, revealing a new cookie-based attack and an unresolved Content Security Policy contradiction.
The framework gives organizations a well-planned, easy-to-use way to improve the security and resilience of critical infrastructure. Although the CSF was written and updated while SaaS was on the rise, it is still geared towards the classic legacy critical infrastructure security challenges.
Cybersecurity researchers have offered a detailed glimpse into a system called DoubleFeature that's dedicated to logging the different stages of post-exploitation stemming from the deployment of DanderSpritz, a full-featured malware framework used by the Equation Group. DanderSpritz came to light on April 14, 2017, when a hacking group known as the Shadow Brokers leaked the exploit tool, among others, under a dispatch titled "Lost in Translation." Also included in the leaks was EternalBlue, a cyberattack exploit developed by the U.S. National Security Agency that enabled threat actors to carry out the NotPetya ransomware attack on unpatched Windows computers.
ESET researchers present their analysis of all malicious frameworks used to attack air-gapped networks known to date. "Unfortunately, threat groups have managed to find sneaky ways to target these systems. As air-gapping becomes more widespread, and organizations are integrating more innovative ways to protect their systems, cyber-attackers are equally honing their skills to identify new vulnerabilities to exploit," says Alexis Dorais-Joncas, who leads ESET's security intelligence team in Montreal.
Four different malicious frameworks designed to attack air-gapped networks were detected in the first half of 2020 alone, bringing the total number of such toolkits to 17 and offering adversaries a pathway to conduct cyber espionage and exfiltrate classified information. "All frameworks are designed to perform some form of espionage, [and] all the frameworks used USB drives as the physical transmission medium to transfer data in and out of the targeted air-gapped networks," ESET researchers Alexis Dorais-Joncas and Facundo Muñoz said in a comprehensive study of the frameworks.
To help, here's a simple 5-step framework businesses of all sizes can use to protect their customer data. The first step businesses need to take to increase the security of their customer data is to review what types of data they're collecting and why.
Cybersecurity is a lucrative field, and you don't have to spend years learning all the various aspects of it. If you are an advanced IT professional, you can actually break into it with very specialized training, such as the NIST Cybersecurity & Risk Management Frameworks course.
Two vulnerabilities have been found in the Gutenberg Template Library & Redux Framework plugin for WordPress, which is installed on more than 1 million websites. One of them exists because the Gutenberg Template Library & Redux Framework plugin registers several AJAX actions available to unauthenticated users, one of which is deterministic and predictable, making it possible to uncover what the $support hash for a site would be.
MITRE ATT&CK has become the go-to framework for understanding and visualizing cyber threats and risk. Tips on how to use it as part of your cyber skills strategy.
Sisense announced the Sisense Extense Framework, an innovation developed to deliver AI-driven analytic experiences directly within the applications users are working in without needing to leave their workflow. As a part of the announcement, Sisense is introducing several new infusion applications built on the Extense Framework to deliver actionable intelligence to employees for enhanced operational, logistical, and role-based teamwork, improving collaboration and decision-making effectiveness.