Empowering Clients to the next level of Cybersecurity

A Cybersecurity Partner You Can Trust

We are strategists, engineers, analysts, and governance experts embedded in the world’s biggest cyber missions and trusted to advance them.

Our high standards in servicing clients are exemplified through information security, quality and IT service management certifications, both at individual and organisational levels.
Our Services
Managed Detection & Response

CyBourn’s Managed Detection and Response Service maintains seamless integration with our clients’ IT infrastructure and processes. We deliver optimum levels of hardware and software integration, enabling analysts to rapidly detect threats. Our incident handling process ensures that threat mitigation activity commences immediately following identification.

Penetration Testing

Penetration Testing is a method for gaining assurance in the security of an IT system by attempting to breach some or all of that system’s security, using the same tools and techniques as an adversary might. Penetration testing should be viewed as a method for gaining assurance in your organisation’s vulnerability assessment and management processes, not as a primary method for identifying vulnerabilities.

Incident Response

Our incident response methodology is designed to provide a common framework for our incident responders to work and interact as part of the SOC ecosystem in order to react quickly and effectively to identified threats within infrastructure while coordinating their actions with monitoring and detection teams as well as other incident responders.

Threat Hunting

Our threat hunting methodology is designed to provide a common framework for our threat hunters to work and interact as part of the SOC ecosystem in order to provide targeted threat detection and effective, continuous improvement to our automated detection and response capabilities.

Cybersecurity Awareness Training

CyBourn builds and executes complex social engineering scenarios to test awareness levels of internal staff. As the number one entry point for data breaches, phishing techniques are very hard to mitigate. The best solution to cope with such threats is maintaining high levels of awareness.

Secure your remote workforce

Implementing effective cybersecurity measures is particularly challenging today because there are more devices than people, attackers are becoming more innovative, and we are facing the fact that there will forever be more remote workers in the new post-pandemic world.

The latest cyber-offensive intelligence to identify and address security risks

Defending against cyber threats requires an in-depth understanding of how attackers operate. Our extensive experience of conducting pen testing, red teaming and other ethical hacking engagements around the world means we have first-hand knowledge of the latest adversarial tactics and wide-ranging insight into how to safeguard against them.

Incorporating your tools 

CyBourn delivers ultramodern solutions in consultation with our clients’ IT and risk departments enabling a high degree of scalability and customisation. We can utilise existing client tools, or act as security integrators to recommend and implement open-source, commercial, or off-the-shelf products.

CyBourn takes a unique bespoke approach to developing cybersecurity solutions

We deploy a SOAR (Security Orchestration, Automation, and Response) solution stack to ensure deep visibility, continuous analysis, and rapid response. If an existing product or solution does not offer the level of visibility you need, CyBourn can build custom tools to collect the relevant data.

CyBourn leverages bespoke ML algorithms.

CyBourn leverages machine learning algorithms to build network and user behavioural patterns, detect anomalies accurately, perform in-depth investigations, and act swiftly to contain potential threats, enhance proactive analysis, and map behaviour.

Drive decisions through powerful data

Integrate your essential data and information security indicators to empower your data-driven decision making and response capabilities with EtherLast.

We offer global coverage

Enabled by our global R&D and continuous internal development process, we cover the entire cybersecurity landscape for enterprises across industries, sectors and geographies.

End-to-end solutions

We live the policies, architectures, and intelligence that define cyber enterprises and operations. Our experts have significant experience in offering state-of-the-art monitoring solutions, best-in-class incident response services, and tailored strategic cybersecurity consulting.

What’s trending at CyBourn
The Cybersecurity Express – 21 June 2022
Blog | 21 JUN, 2022
You’ve been waiting on the platform for far too long, perhaps beginning to wonder if the train will ever arrive… But you waited, you endured, and your patience is about to pay off! From the depot, you hear a familiar sound: the Cybersecurity Express awakens from its slumber! You are happy to be back on board and eagerly await the journey ahead. The schedule reads:

Small Businesses Aren’t Ready for a Cyber Attack

It may not come as a surprise, but the first stop brings news that most small businesses haven’t even considered cybersecurity. CNBC conducted a quarterly survey involving more than 2000 small US business owners to understand their overall business environment along with their own business’s health. The latest one shows that only 5% of the owners feel that cyber threats are the biggest risk to their business. This percentage has stayed steady across the quarterly studies rather than growing, despite the current instability caused by the latest Russian cyber attacks that took place all over the world and the warnings issued by the US government. It seems inflation is the most perceived threat to business, a perception that has grown from 31% to 38% in one quarter alone. Now that COVID-19 and supply chain fears are dwindling, it appears that cybersecurity is once again overshadowed by a new threat.

[Figure: CNBC|SurveyMonkey Small Business Survey Q2 2022]

What adds salt to the wound is that most of those who are not even concerned with cybersecurity believe they can successfully respond to/mitigate a successful cyber attack on their own. The numbers only get worse: less than half of the owners surveyed have installed antivirus or anti-malware software, strengthened their passwords, or backed up files on an external hard drive to protect their business against potential cyber attacks. Only a third each have enabled automatic software updates or enabled multi-factor authentication. Just one quarter have installed a virtual private network (VPN).

Unfortunately, for most people cyber attacks fall into the category of “intangible” threats, which are easily overlooked in favour of a more “palpable” concern, but the damage done by cyber crime is real nonetheless, and even a partially successful attack can have lasting consequences, with financial impact or irreversible damage to the company’s image. Truth be told, for a small business the cost associated with cybersecurity is something that makes it difficult to implement, but luckily cybersecurity is being made more affordable by companies like CyBourn, who offer cost-effective solutions tailored for small and medium businesses.

Quantum Computing: An Emerging Threat for Cryptography

Quantum Computing is threatening the strength of our encryption and cryptographic mechanisms as it becomes less science fiction and more science fact. Although still experimental and with hardware taking up huge spaces, we must not forget that, not so long ago, so were the computers you are now reading this article on.

As quantum computing becomes a reality, one question becomes more prevalent: “Will we be ready for a quantum-based cyber attack?” It is not a question of “if”, because it is certain; that’s why U.S. Special Operations Command is worried about this future threat and why it’s planning ahead in this very matter. But why is a quantum computer such a big threat? It all comes down to speed. Every encryption mechanism that we use now can be decrypted, given enough time or computing power. Trying to sum up what a quantum computer is in just a short paragraph is in itself a task for such a computer, but we’ll give you a gross simplification: instead of relying on the processing potential of the bit, which can have only the two values 1 or 0, this new breed of computers uses a qubit (quantum bit) which can be 1, 0 or both, which can be looked at as a 3rd state of the bit. This is possible by exploiting the superposition property of subatomic particles. So, if you have two qubits, you have the information of 00, 11, 10 and 01 all at the same time, the computing power increasing exponentially with every qubit you add. It is hard to get a precise estimate, but it is said a quantum computer could do in four minutes what it would take a traditional supercomputer 10,000 years to accomplish, for the same number of bits/qubits. This means that a quantum computer does not have to wait for one process to end before it can begin another; it can compute them at the same time.

Returning to the cybersecurity aspect, because we are not quantum scientists, this would mean that a decryption could be handled in minutes, not centuries, and that will pose a huge threat to everything that uses encryption: passwords, private data storage, cryptocurrency, you name it! But perhaps we are giving the quantum computer a bad rep by only talking about the harm it can do. Such a powerful tool is intended for good use and can bring huge advances in many fields by taking machine learning and neural networks to a whole new level; it can optimize energy and fuel consumption and help solve humanity’s biggest threats like global warming. Its potential to do good more than justifies the possible use for harm, because with great power comes great responsibility! Where have we heard that before?… The quantum computers that we have now are far from these performance levels, and still must battle qubit growth, stability, interference, and many other quirks before they become usable, but it is good to plan ahead for a safe and organic introduction of this technology when its time arrives.

Apple’s M1 chip hardware vulnerability

Researchers at MIT have created a new type of attack, which bypasses pointer authentication codes (PAC) with a combination of memory corruption and speculative execution techniques. The attack shows that pointer authentication can be fooled without leaving a trace, and, as it utilizes a hardware mechanism, no software patch can fix it. Named “PACMAN” (no one saw that coming), it works by “guessing” a cryptographic signature issued by the PAC that confirms an app hasn’t been maliciously altered. This is done using speculative execution — an optimization technique in which a processor performs a series of speculated tasks before it is prompted to, in order to speed things up — to try all PAC verification results against a hardware side-channel that reveals whether or not the guess was correct; this is feasible because there are only a “handful” of possible PAC values. In a proof of concept, it was shown that the attack works against the kernel, which has “massive implications for future security work on all ARM systems with pointer authentication enabled,” says Joseph Ravichandran, a PhD student at MIT CSAIL and co-lead author of the research paper. Apple has implemented pointer authentication on all its custom ARM-based silicon so far, including the M1, M1 Pro and M1 Max. Several other chip manufacturers, including Qualcomm and Samsung, are about to manufacture chips supporting the hardware-level security feature. The attack has not yet been tested on Apple’s unreleased M2 chip, which also uses the same pointer authentication mechanism. A note to make here is that the PACMAN attack isn’t a “magic bypass” for all security on the M1 chip and can only build on an existing bug that pointer authentication protects against. The same is confirmed by Apple engineers, who “concluded this issue does not pose an immediate risk to the users and is insufficient to bypass operating system security protections on its own.”

This has been a fun ride on CyBourn’s Cybersecurity Express that really puts some things into perspective. Do not worry about the uncertain nature of tomorrow, as it creates the need for innovation and drives us further. Hope you enjoyed the ride. We look forward to seeing you aboard next time!
The Cybersecurity Express – April 1st 2022
Blog | 1 APR, 2022
A crazy place to be in right now, the 2022 cyberspace: with so much cyber activity happening, it’s hard not to be anxious and excited at the same time. Although at times alarming, CyBourn’s Cybersecurity Express is here to help you visit these emerging threats from the comfort of your seat. But remember, if you are alive in these modern times then you are exposed (unless you are some sort of virtual Bear Grylls and chose to live a life off-grid), and you are swimming in open waters where the sharks are always lurking… So, get your scuba gear ready, because we are about to dive into the cybersecurity abyss: Russia’s war has an intensifying cyber-front and will imminently target the USA and its allied countries, the US intelligence community openly warns. Please make sure to secure your air tanks while we take a look at the cyber-criminal group LAPSUS$ and their latest hacks. Keep your fins inside while the train moves past a critical information disclosure vulnerability found in VMware vCenter.

“Russian Cyber-attacks will Continue”

It is a sad truth that Russian attacks against Ukraine are continuing, both physical and cybernetic, but the latter seems to be a gray area. Confined by the fact that the world is uniting to help Ukraine, and because of the sanctions, Russia is exploring options for cyber-attacks to weaken allied forces, so warns US intelligence. So far, due to their intangible and (partially) anonymous nature, cyber-attacks are yet to be considered “an act of war”, and can be used without many repercussions, but that really depends on the interpretation of the victim state. Russian state intelligence agencies and/or related criminal gangs could be used to target US Government Departments and Agencies, hospitals, critical infrastructure, and utilities.

President Biden and CISA first warned the private sector, which owns much of America’s critical infrastructure and hasn’t always heeded government warnings, to immediately harden its online defenses, warnings that we covered in a previous Cybersecurity Express. “The magnitude of Russia’s cyber capacity is fairly consequential, and it’s coming,” the President warned. “He hasn’t used it yet, but it’s part of his playbook,” Biden said of Putin. Cyber-attacks may be Putin’s only way to “punish” the west for the crippling sanctions and for the anti-tank and anti-aircraft weapons sent to Ukraine; all of this is backed by the fact that Russia has a history in cyber-warfare.

Although the president stated that the US will retaliate severely to any such attacks on US Government infrastructure and on US medical, utility and supply infrastructure, what can the private sector do to stay safe? The same good measures as always apply here and are the best and cheapest way to deter any Russian or other state-coordinated attacks, and that goes for any cyber-attacks in general:

Sensitive Information Disclosure in VMware vCenter

Although not yet given a CVSS score (at the time of writing), CVE-2022-22948 is a critical vulnerability due to the global scale of usage, where it’s estimated that 80% of virtualized environments are running VMware technology. This vulnerability is part of a critical kill chain that leads to an ESXi takeover, complete with virtual machines, from just endpoint access to a host with a vCenter client. Researchers published these findings alongside the PoC (proof of concept), and it’s a lengthy process, involving multiple steps and multiple vulnerabilities. To summarize it, first they gain shell access to an instance of VMware vCenter by exploiting CVE-2021-21972, using the basic user rights to gain access to postgresDB, where they can query extensive information about ESXi and vCenter, as well as the contents of the ‘vpx_host’ table, which contains the details for a user called ‘vpxuser’ and its password phrase. The “vpxuser” user is created on the ESXi by default and is highly privileged so it can manage the vCenter without the use of root, as stated by its passwd description: “VMware VirtualCenter administration account”. With a little bit of digging around, you can find all the information needed to be able to decrypt the password. Well, almost all of the information, because you need a privilege escalation technique to be able to read the “/etc/vmware-vpx/ssl/symkey.dat” file, but “luckily” there is a privilege escalation vulnerability for that as well.

To keep safe from CVE-2022-22948, be sure to apply the patches from VMware’s Advisory site. There is no known workaround, so make sure to crank up those updates.

The Cybercriminal Group LAPSUS$

Of all the cyberattacks taking place lately and all the criminal groups involved, few stand out like Lapsus$. They are a relatively new cybercrime group that specializes in stealing data from big companies and threatening to publish it unless a ransom is paid, with the bulk of the group’s victims (15 of them) having been in Latin America and Portugal. “Little is known of the origins of the group, however, given that Lapsus$’s initial activity was directed towards several organizations in Brazil, some researchers have speculated that the group is based in South America,” researchers say. They have risen to “fame” quickly after successfully breaching companies like Nvidia, Microsoft, Okta and Globant. Microsoft on Tuesday confirmed that the Lapsus$ extortion-focused hacking crew had gained “limited access” to its systems, as authentication services provider Okta revealed that nearly 2.5% of its customers have been potentially impacted in the wake of the breach. Globant also confirmed a breach after Lapsus$ leaked 70GB of their data, and so did Nvidia and Okta. The companies have stated that the information exfiltrated is not of major importance and have contacted the victims to mitigate the outcome. It makes your skin crawl to think where they are already infiltrated by now, waiting to leak the data, and we don’t even know it.

That’s it for this edition of CyBourn’s Cybersecurity Express. Hope you enjoyed the ride, and we await your return for the next journey. We know the subjects presented here can be scary, but it’s much better to be aware and educated, so that we can begin to prepare our defenses and be ready to respond and fight back!
The Cybersecurity Express – Issue #6
Blog | 11 MAR, 2022
You hear the Cybersecurity Express approaching as you near the platform. Everything seems to be in order and on schedule, but you notice one key difference: the colors of the train, blue and yellow. Reality soon settles in as you face an undeniable truth: There is no denying this, we are all impacted and sooner or later we will have to face the music. The train will take you through the cybernetic battlefront, as we need to see firsthand the implications and take the necessary approach in order to properly defend your organization. From the comfort of your seat, you will see history being written and how the stance between cyber-criminals and cybersecurity specialists is changing from here onward.

It was impossible not to talk about the grotesque Russian invasion of Ukraine, the implications of it all and how real-life conflict is bleeding into the digital realm. It’s chaos: Russia is attacking on all fronts, the world is united by circumstance against a common foe, bad actors are now switching to fight for the good cause and other groups are just taking advantage of the mess, playing their cards on both sides to maximize personal gains.

Revelations of the Past

This whole mess started back in 2014, when the pro-Russian hacktivist group CyberBerkut was hired to disrupt/manipulate the 2014 Ukrainian presidential elections, where they employed a combination of malware, file deletion and DDoS tactics, but were ultimately not successful, resulting in a pro-western party being elected. This was followed by the first known successful cyber-attack against a power grid, compromising systems of three energy distribution companies. On the eve of Ukraine’s Constitution Day in 2017, we were presented with one of the “most devastating cyber-attacks in history”: the NotPetya wiper malware. Targeting both public and private sector entities, the attack was highly disruptive in nature, as it disabled computers by wiping hard drives and spread independently to companies that used a popular tax-filing software (M.E.Doc). The malware was not designed to be decrypted; money was not what the perpetrators were after.

A New Face of War

At the beginning of 2022, we started seeing the wiper attacks that we are all familiar with now, the first of which was “WhisperGate”, discovered by Microsoft, which disrupted government, non-profit, and information technology organizations, followed by the more recent “HermeticWiper” that affected hundreds of computers, this time including Latvia and Lithuania as targets, with “IsaacWiper” being the latest of this kind. In the meantime, defacement of government and public institution websites took place with political imagery presenting the message “Prepare for the worst”, and the biggest DDoS attack Ukraine has ever witnessed brought down websites of several Ukrainian banks and government departments, including the Ministry of Foreign Affairs, Ministry of Defense and Ministry of Internal Affairs among others. All of this is coupled with misinformation/disinformation being spread to the masses with unprecedented ease due to the online nature of today’s world, where the real war is fought on social media platforms like YouTube, Facebook, Instagram, WhatsApp, Telegram and TikTok, between the lies and the truth. These media networks have turned out to be a double-edged sword for the oppressors: not only are they used by them to spread misinformation to the Russian people and to the world, but they are also used against them, being the only way for the truth to get in. On the other flank, we see the world uniting and collaborating like never before, fighting back, doubling down on the oppressor, giving them a taste of their own medicine. Even some malicious cyber-groups have joined the just cause, for now, fighting for freedom and righteousness, united against a common foe.

The Future is Being Decided

As we saw in the tactics used so far, wipers masked as ransomware, DDoS disruptions and misinformation seem to be the weapons of choice, and they are being deployed in sneaky ways, at scales never seen before. This was something that the Cybersecurity and Infrastructure Security Agency (CISA) had foreseen, and together with the FBI and the NSA it released a joint Cybersecurity Advisory (CSA) providing an overview of Russian state-sponsored cyber operations, including commonly observed tactics, techniques, and procedures, and has been posting recommendations regularly.

Cloudflare announced they will keep providing their services to Ukraine, Belarus and Russia, however with certain security measures in place. They side with Ukraine and are willing to comply with all the requirements of the sanctions imposed against Russia, also taking measures as drastic as bricking the servers should they go online. The firm argued that services should be kept operational within Russia, as the internet is the only source from which the people can get reliable information.

DDoS attacks are becoming more common and more potent than ever before through new and clever ways. Researchers uncovered new reflection/amplification DDoS methods that provide a record-breaking amplification ratio of almost 4.3 billion to 1. Reflection attacks start with a small packet reflected inside a closed network while its size gets amplified with each loop. When reaching the possible upper limit, the resulting volume of traffic is channeled to the target. For this DDoS method, threat actors are abusing vulnerable Mitel devices, such as MiVoice Business Express and MiCollab, or leveraging the functionality of middleboxes. One notable difference of these vectors from most UDP reflection methodologies is that they can sustain lengthy DDoS attacks, lasting for up to 14 hours. “The single largest observed attack of this type to date was approximately 53 million pps and 23 gb/sec.”

The threat actors need a way in, and most of the time the weakest link for compromising a network remains human. Google has issued a warning of an increase in phishing campaigns conducted by government-backed groups. The purpose of this will be to sweep the nations, especially eastern EU countries, for vulnerable spots in order to compromise networks for future attacks. Threat actor groups such as Belarusian Ghostwriter and Russian FancyBear launched, in the past several days, credential phishing campaigns using compromised email accounts targeting Polish and Ukrainian military and government organizations.

An Awakening

Out of all the unknowns, one thing is certain: we are seeing an increase in digital oppression and new, cunning ways to abuse the system, in a manner from which we may never go back. The good in all of this is that the world is starting to notice how vulnerable the digital medium is and how real the harm reflected into the physical world can be. The masses are having an awakening to the importance of the service that cybersecurity companies provide. Among them CyBourn, standing with the oppressed, against the oppressors! An awakening to the ever-increasing need for the protection they provide against evolving actors, who have proven time and time again that we are as vulnerable in here as we are out there.
The Cybersecurity Express – issue #5
Blog | 21 FEB, 2022
Good day and welcome aboard the Cybersecurity Express for another information-packed adventure to the corners of the malicious underground to satisfy your appetite for shady tech news. On today’s ride, we will visit the past and see how a forgotten botnet malware is being brought back to life, a ransomware’s software flaw being used to decrypt its very own encrypted files, and lastly, because you’ve been good the past year, CISA put together a present, just for you.

IoT Still Haunted by the Ghost of Mirai

In this day and age, considering how rapidly software and computing evolve, 6 years is a really, really long time. So, it’s safe to assume that you may be too young to know about the Mirai malware, which harvested the power of about 100,000 IoT devices running Linux (like the smart TV in your living room, or your Wi-Fi enabled light bulb) to almost bring down the entirety of the US internet in October 2016. The targets were the DNS servers of Dyn, a company that controls much of the Internet’s domain name system infrastructure. This attack was of an unprecedented scale for its time, managing to bring down web giants such as Twitter, the Guardian, Netflix, Reddit and CNN, among others.

Perhaps it was fate which made it so that the name chosen at the time was Mirai, which means “future” in Japanese, foreshadowing that the soul of this malware would, one day, come back to haunt us. Or maybe the researchers really understood that, although still in its infancy back then, the IoT would only multiply in the coming years, and that what they had just witnessed was only a taste of what the future had to offer. It just so happens that data from 2020 and 2021 revealed an increase in IoT device-led attacks, and given that the total number of IoT devices connected worldwide is projected to be about 30.9 billion by 2025, this is a trend that we’ll only hear more of.

The situation is only made worse by the security breaches suffered by compromised IoT manufacturers and the leaked confidential data being sold on the black market. Armed with this knowledge and having more targets to infect (the targets themselves only getting more powerful), it’s only a matter of time until something terrifying happens, the likes of which we have never seen before.

With the power of research and technology, specialists at intel471 managed to pierce into the underworld by analyzing data from compromised IoT devices (mainly in Europe and North America), and steal a glimpse of a specter brought forth by the deployment of two kinds of botnet malware built on some familiar code bases, carrying the echo of a long-lost attack that once stumped the world: Gafgyt and Mirai. Just to name a few based on the latter: BotenaGo, Echobot, Loli, Moonet, Mozi and Zeroshell, which have been active since the start of the COVID-19 pandemic in early 2020 and have continued to evolve throughout 2021. To put this in perspective, let’s name some of the vulnerabilities affecting IoT that have been disclosed lately:

This leaves many possible options for both the attackers and the defenders. All is not lost, as such research is done for the sole purpose of understanding how the underground is leveraging the flaws in these devices, and then deploying the correct defenses. Proactive measures can be taken to prevent damage, as such is the mission of cybersecurity service providers like CyBourn.

Ransomware Encrypted Data, Decrypted by Researchers

Just as the title suggests, researchers at South Korea’s Kookmin University have managed what they call the “first successful attempt” at decrypting data infected with Hive ransomware “without the attacker’s private key, by using a cryptographic vulnerability identified through analysis”.

First observed in June 2021, when it struck a company called Altus Group, Hive leverages a variety of tactics to infect its victims as well as scare them, not just by encrypting the data but also by exfiltrating sensitive data and threatening to post it publicly, in a tactic called double extortion. Since then, it has victimized more than 355 companies. But now a glimmer of hope arises, as the researchers claim that they were able to weaponize a flaw in the encryption algorithm to devise a method to reliably recover more than 95% of the keys employed during encryption.

“For each file encryption process, two keystreams from the master key are needed,” the researchers explained. “Two keystreams are created by selecting two random offsets from the master key and extracting 0x100000 bytes (1MiB) and 0x400 bytes (1KiB) from the selected offset, respectively.” The encryption keystream, which is created from an XOR operation of the two keystreams, is then XORed with the data in alternate blocks to generate the encrypted file. But this technique also makes it possible to guess the keystreams and restore the master key, in turn enabling the decoding of encrypted files without the attacker’s private key.

CISA Lists Free Security Tools and Services

In an effort to help organizations fight off malicious actors and reduce their cybersecurity risk, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a repository of free tools and services, encompassing a mix of 101 “items” provided by CISA, open-source utilities, and offerings from private and public sector organizations across the cybersecurity community. “Many organizations, both public and private, are target rich and resource poor,” CISA Director Jen Easterly said in a statement. “The resources on this list will help such organizations improve their security posture, which is particularly critical in the current heightened threat environment.”

This is not the first time CISA has launched initiatives to help organizations maximize resilience by campaigning for the patching of software security flaws, enforcing multi-factor authentication, and halting bad practices. Just in the recent past they gave us known exploited vulnerabilities, cybersecurity procedures, guidance for resisting ransomware infections as well as threats associated with nefarious information and influence operations, and just last week’s “Shields Up” campaign notifying organizations in the U.S. of potential risks arising from cyber threats that can disrupt access to essential services and potentially result in impacts to public safety. “Malicious actors may use tactics — such as misinformation, disinformation, and malinformation — to shape public opinion, undermine trust, and amplify division, which can lead to impacts to critical functions and services across multiple sectors,” CISA said.

That’s a wrap for today’s Cybersecurity Express ride, and we thank you for being onboard. Be on the lookout for when we post the next itinerary, for we will want you back. Until then, stay safe!
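As an added illustration of the Hive weakness quoted in the ransomware section above (this is example code written for this post, not the researchers' tool or anything from Hive), the following Python models the keystream construction on a small scale: every keystream byte is the XOR of two master-key bytes, so each byte of a known file header yields one XOR relation between key positions, and once enough files sharing the master key are seen, the relations chain together and the rest of each file decrypts even though no key byte is ever learned on its own. All sizes, the predictable header, and the assumption that each file's two offsets are available to the defender are constructed for the model.

```python
import random

# Constructed, scaled-down model of the keystream scheme quoted above (Hive's real
# sizes are 0x100000 and 0x400 bytes); all sizes, names and offsets are assumptions.
MASTER, LARGE, SMALL, HEADER = 2048, 256, 32, 64
KNOWN_HEADER = bytes(range(HEADER))  # stand-in for a predictable file header

def encrypt(master, o1, o2, data):  # keystream byte i = K[o1 + i] ^ K[o2 + i % SMALL]
    return bytes(b ^ master[o1 + i] ^ master[o2 + i % SMALL] for i, b in enumerate(data))

class XorRelations:  # union-find over key positions storing K[x] ^ K[parent[x]]
    def __init__(self, n):
        self.parent, self.to_parent = list(range(n)), [0] * n
    def find(self, x):  # iterative, with path compression; returns (root, K[x] ^ K[root])
        path, acc = [], 0
        while self.parent[x] != x:
            path.append(x)
            x = self.parent[x]
        for node in reversed(path):
            acc ^= self.to_parent[node]
            self.parent[node], self.to_parent[node] = x, acc
        return x, acc
    def union(self, a, b, v):  # learn K[a] ^ K[b] == v
        (ra, va), (rb, vb) = self.find(a), self.find(b)
        if ra != rb:
            self.parent[ra], self.to_parent[ra] = rb, va ^ v ^ vb
    def xor(self, a, b):  # K[a] ^ K[b] if both lie in one component, else None
        (ra, va), (rb, vb) = self.find(a), self.find(b)
        return va ^ vb if ra == rb else None

def recover(rel, o1, o2, ct):  # None where the byte's two key positions are unrelated
    return [None if (v := rel.xor(o1 + i, o2 + i % SMALL)) is None else b ^ v
            for i, b in enumerate(ct)]

def simulate(n_files=300, seed=7):
    rng = random.Random(seed)
    master, rel = bytes(rng.randrange(256) for _ in range(MASTER)), XorRelations(MASTER)
    files = []  # many files under one master key, each with its own random offsets
    for _ in range(n_files):
        o1, o2 = rng.randrange(MASTER - LARGE), rng.randrange(MASTER - SMALL)
        plain = KNOWN_HEADER + bytes(rng.randrange(256) for _ in range(LARGE - HEADER))
        files.append((o1, o2, plain, encrypt(master, o1, o2, plain)))
    for o1, o2, _, ct in files:  # each known header byte yields one XOR relation
        for i in range(HEADER):
            rel.union(o1 + i, o2 + i % SMALL, ct[i] ^ KNOWN_HEADER[i])
    body = [(v, p[i]) for o1, o2, p, ct in files
            for i, v in enumerate(recover(rel, o1, o2, ct)) if i >= HEADER]
    return sum(v == p for v, p in body) / len(body)  # fraction of body bytes decrypted
```

With a single file only the header-related positions are known, so almost none of its body decrypts; with a few hundred files under the same master key nearly every body byte does, which is the structural reason a scheme like this can be undone without the private key.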