Cyber Security Gyaan – TechKranti
https://techkranti.com
CyberSecurity Revolution

21-Aug-24: In Security News Today
https://techkranti.com/21-aug-24-in-security-news-today/ | Wed, 21 Aug 2024 19:13:09 +0000

Microsoft Patches Critical Copilot Studio Vulnerability Exposing Sensitive Data

Microsoft patched a critical vulnerability in its Copilot Studio, tracked as CVE-2024-38206, which could allow authenticated attackers to exploit a Server-Side Request Forgery (SSRF) flaw to leak sensitive information. This bug, with a CVSS score of 8.5, could potentially grant access to Microsoft’s internal infrastructure, including the Instance Metadata Service and Cosmos DB instances, though cross-tenant data access was not possible. Users are advised to review and apply the latest updates to mitigate this risk.

Litespeed Cache Bug Exposes Millions of WordPress Sites to Takeover Attacks

A critical vulnerability in the LiteSpeed Cache WordPress plugin, affecting over 5 million sites, allows unauthenticated attackers to escalate privileges and gain admin access, potentially leading to full site takeover. The flaw, present in versions up to 6.3.0.1, was patched in version 6.4, but many sites remain vulnerable due to slow adoption of the update. Immediate action to update to the latest version is strongly advised as active exploitation is anticipated.

Thousands of Apps Using AWS ALB Exposed to Attacks Due to Configuration Issue

A critical configuration issue in AWS Application Load Balancer (ALB) could expose up to 15,000 applications to ALBeast attacks. These attacks exploit a misconfiguration that allows threat actors to forge tokens and bypass authentication and authorization, potentially leading to unauthorized access and data exfiltration. AWS has updated its documentation and added new security measures, but applications using ALB should verify token signers and restrict traffic to mitigate this risk.

New macOS Malware TodoSwift Linked to North Korean Hacking Groups

A newly discovered macOS malware strain named TodoSwift has been linked to North Korean hacking groups, specifically BlueNoroff, a subgroup of Lazarus. The malware is distributed via a SwiftUI-based dropper application that deploys a malicious payload after displaying a Bitcoin-related PDF, a method similar to past DPRK malware like RustBucket. The primary targets are in the cryptocurrency industry, aiming to steal funds to evade international sanctions.

Microchip suffers cyberattack, impacting manufacturing operations

Microchip Technology has suffered a cyberattack that has impacted its manufacturing operations, highlighting the vulnerability of supply chains to cyber threats. The attack led to disruptions in production, emphasizing the need for robust cybersecurity measures to protect critical infrastructure. Cybersecurity professionals are advised to focus on strengthening defenses against such attacks to ensure operational resilience and continuity. 

Donating to your political party could cost you, cyber experts warn

A recent investigation has revealed that many US political donation websites are vulnerable to cyberattacks, posing significant risks to donor information and campaign integrity. These vulnerabilities could be exploited by cybercriminals to steal sensitive data or manipulate donation processes, highlighting a critical need for enhanced security measures. Cybersecurity professionals are urged to assess and fortify these platforms to protect against potential breaches and ensure the security of political contributions.

CERT-UA Warns of New Vermin-Linked Phishing Attacks with PoW Bait

The Computer Emergency Response Team of Ukraine (CERT-UA) has issued a warning about a new phishing campaign linked to the Vermin malware, which is targeting Ukrainian organizations. This campaign utilizes malicious attachments to distribute the malware, aiming to compromise sensitive information and disrupt operations. Cybersecurity professionals are advised to implement stringent email security measures and conduct regular training to defend against such phishing threats.

North Korean Hackers Deploy New MoonPeak Trojan in Cyber Campaign

North Korean hackers have developed and deployed a new strain of malware designed to infiltrate and exfiltrate data from targeted systems, posing significant threats to global cybersecurity. This advanced malware uses sophisticated evasion techniques to bypass traditional security measures, making detection and mitigation challenging. Cybersecurity professionals are urged to enhance monitoring capabilities and update defense strategies to counteract these evolving threats effectively.

Why SMBs Can’t Afford to Ignore Cybersecurity
https://techkranti.com/why-smbs-cant-afford-to-ignore-security/ | Mon, 23 Oct 2023 20:08:03 +0000

Do you think small and medium-sized businesses (SMBs) play a crucial role in the economy of a country? Yes, they do. There is no doubt about that. But why?

SMBs play a crucial role in the economy for the following reasons:

  1. SMBs are major job providers, offering a wide range of employment opportunities across various sectors.
  2. They are agile and adaptable, often driving innovation with their unique products and services. SMBs contribute significantly to a country’s GDP and play a vital role in local economic development.
  3. They have strong local ties, supporting communities and helping to circulate money within local economies.
  4. SMBs add resilience and diversity to supply chains, ensuring greater stability and flexibility.

I can go on… But you get the point.

If they are so important to the economy, are these businesses doing enough to protect themselves from cyberattacks?

Are governments encouraging them to prioritize cybersecurity?

There is some cybersecurity awareness within the SMB community, but do they have the budget to act upon it?

It’s a common misconception that only large enterprises, with their vast data reserves and extensive digital footprints, are the main targets for cyber attacks. In fact, a significant proportion of these attacks are focused on smaller businesses. Cyber criminals’ rationale behind this targeting strategy is clear: smaller enterprises often lag behind in deploying advanced security measures, making them susceptible to a wide array of cyber threats.

Here are five reasons why SMBs can’t afford to ignore security:

  1. Cybercriminals Prefer To Target Small Businesses. Period.

    Let’s try to digest this fact with some numbers. Here are some startling statistics that underscore the vulnerability of small businesses in the cyber realm:
    • 46% of all cyber breaches impact businesses with fewer than 1,000 employees [2021 Data Breach Investigations Report | Verizon]
    • In 2021 alone, 61% of Small and Medium-sized Businesses (SMBs) found themselves at the receiving end of a cyberattack [2022 Data Breach Investigations Report | Verizon]
    • A staggering 82% of ransomware attacks in 2021 were against companies with fewer than 1,000 employees. [Coveware Article]
    • 37% of the companies that fell victim to ransomware had fewer than 100 employees. [Coveware Article]
    • SMB employees experience a whopping 350% more social engineering attacks compared to their counterparts at larger enterprises. [Barracuda Spear-phishing Report]

  2. Customers do not want to trust SMBs that have been attacked

    55% of people in the U.S. would be less likely to continue doing business with companies that have experienced a breach. [America’s small businesses aren’t ready for a cyberattack (CNBC)]

    In the landscape of modern business, a company’s reputation is not just a peripheral concern; it’s one of its most valuable assets. This holds especially true for small businesses, where the relational dynamics play a much more intimate role in driving success.

    For many customers, choosing to work with a small business is a deliberate decision. This choice often stems from the allure of personalized, “white glove” service that larger enterprises might struggle to consistently deliver. The scale of small businesses enables them to offer this unparalleled level of care, attention, and bespoke service. This kind of intimate business-consumer relationship fosters deep trust, with customers often feeling more like partners or even family rather than just another transaction.

    However, this closeness and trust come with heightened expectations. Yes, customers recognize that small businesses may not have the infrastructure or sophisticated systems akin to those of more mature organizations. But this recognition is accompanied by an unspoken pact: “I understand and am willing to overlook certain limitations in return for the personal touch and care you offer. In this exchange, however, I trust you implicitly to keep my data and interactions safe.”

    When a cyberattack or security breach occurs, this delicate balance is shattered. The damage is not just to the immediate business operations or the financial metrics. It is a piercing blow to the very core of the relationship. The trust, painstakingly built over time, is eroded in an instant. The aftermath of a security breach is littered with questions: “If they couldn’t protect my data, what else might they be overlooking? Can I trust them again? Should I risk another breach or just move to a larger, seemingly more secure enterprise?”

    In an age where digital channels amplify word-of-mouth, news of a breach can spread like wildfire. Prospective clients might hesitate, thinking, “If they let this happen once, who’s to say it won’t happen again?” Thus, the ramifications extend beyond the immediate client base to potential future business as well.

  3. SMBs can’t afford the cost of a cyberattack

    95% of cybersecurity incidents at SMBs cost between $826 and $653,587. [2021 Data Breach Investigations Report | Verizon]

    This range underscores the variability in the scale of potential financial damage. For many small businesses, especially those at the higher end of that spectrum, such costs can be a death knell, pushing them towards insolvency or bankruptcy.

    The potential financial consequences of a cyber breach for these entities can be both immediate and long-lasting, often dwarfing the initial financial estimates of the damage.

    To put it into perspective, while a cyberattack might merely dent the earnings of a large enterprise, representing just a minor setback in their expansive financial portfolio, the story is starkly different for SMBs. These businesses operate on narrower margins and often lack the extensive financial cushions that larger corporations have at their disposal.

    As such, a serious cyberattack doesn’t just strain an SMB’s financial resources—it can challenge its very existence.

    Let’s break down the types of expenses a business may need to incur in the aftermath of a cyberattack:

    Immediate Costs: This can include the cost of forensic investigations to determine the extent and source of the breach, legal fees to address potential liabilities, and the often-overlooked expenses associated with notifying affected customers.

    Regulatory Fines: Depending on the jurisdiction and industry, regulatory bodies might levy heavy fines on businesses that fail to adequately protect customer or client data. For SMBs, these fines can represent a significant portion of their annual revenue, further straining their financial position.

    Loss of Business: Trust is an invaluable currency for SMBs. A security breach can erode customer confidence, leading to a decline in sales, contracts being terminated, and difficulty in acquiring new clients. This drop in revenue can be prolonged, especially if the breach gains media attention.

    Potential Lawsuits: Affected parties, whether they’re customers, clients, or partners, might pursue legal action against the business for failing to protect their data. The legal defense costs, combined with any potential settlements or judgments, can escalate quickly.

  4. SMBs can’t afford to halt operations

    A smooth flow of operations often implies that things are working as they should, and any disruption to this flow can have repercussions far beyond immediate tangible losses. One of the most potent disruptors in today’s business environment is the threat of cyberattacks.

    When systems go offline due to a cyberattack, basic operations can grind to a halt. Whether it’s processing transactions, accessing vital data, or simply communicating internally, businesses heavily rely on their digital systems. Interruptions, even if they last just a few hours, can cause backlogs, missed deadlines, and operational chaos.

    The direct consequence of operational disruption is the potential for revenue loss. Especially for businesses that rely on real-time transactions, like e-commerce platforms or digital service providers, downtime can translate into a significant dip in sales. And as the old adage goes, “Time is money.”

    System downtimes don’t just affect the machinery of business; they impact the human component as well. Employees unable to access necessary tools or information can’t perform their roles effectively. This idle time, when stretched, can cause a decline in overall productivity, and also lead to frustration and reduced morale.

  5. SMBs Are A Gateway to Bigger Fish

    SMBs frequently serve as suppliers, service providers, or partners to larger corporations, establishing a network of interdependencies. Cybercriminals, with their eyes set on these larger, more fortified targets, have realized that breaching an SMB can provide them with a backdoor entrance.

    Large enterprises, with their vast resources, often implement stringent security protocols, making direct attacks a formidable challenge. SMBs, however, may not have the same level of security infrastructure in place, creating a disparity that cybercriminals are eager to exploit.

    SMBs usually have trusted connections with their larger partners. Once a small business’s system is compromised, cybercriminals can leverage this trust to infiltrate the larger enterprise.

Conclusion:

From a cybercriminal’s vantage point, SMBs represent “low-hanging fruit”. Their security controls, often due to budget constraints or lack of awareness, might not be as robust or up-to-date as those in larger corporations. This makes them easier targets for quick, often lucrative payoffs, whether it’s through direct theft, ransom demands, or leveraging the acquired data in other malicious ventures.

In conclusion, the narrative that cyber threats predominantly loom over large corporations is both outdated and dangerous. The data underscores a pressing need for small businesses to recalibrate their approach to cybersecurity. It isn’t a luxury or an afterthought; it’s an imperative for survival in an increasingly digitalized and threat-laden landscape.

Browser-in-the-Browser (BitB) Attack
https://techkranti.com/browser-in-the-browser-bitb-attack/ | Tue, 22 Aug 2023 17:34:56 +0000

When I look back at my nascent years in Cybersecurity (circa 2008), it was extremely easy to fool users into divulging their credentials on phishing pages. Almost all the users were naive. Back then, I had thought to myself that the threat of Phishing is short-lived. Eventually, people will be smart enough to know the difference between a phishing page and a genuine login page.

But 15 years later, I am still being proven wrong every day. Phishing still remains one of the top means for cyber fraudsters to get initial access to an organization. How they further exploit this initial access is completely dependent upon the sophistication of the attacker and the sophistication of the defenses implemented in the organization.

How Do You Typically Defend Against Phishing Attacks

When we think about the proposed defense for Phishing, almost everyone will tell you to make your users aware of the risks. Teach them how to identify a phishing page. That’s fair advice! I get it. People need to be told to be on the lookout for phishing emails and phishing pages. Traditional wisdom says that these are the things you need to look for when telling a legitimate page from a phishing page:

  • Check the domain carefully for typos
  • Check SSL Certificate or padlock sign
  • The look and feel are identical to the original
  • There are no typos, glitches, or spacing issues on the page

Let’s Put The Above Guidance In Practice

Following the above guidance, let’s look at a screenshot of the following Google Login Page:

Let’s run through the above checklist to assess whether this is a legitimate login page:

  • Check the domain carefully for typos ✅
  • Check SSL Certificate or padlock sign ✅
  • The look and feel are identical to the original ✅
  • There are no typos, glitches, or spacing issues on the page ✅

Checks all the boxes for me! Looks legitimate, doesn’t it?

Google OAuth Login is usually triggered from another website’s login page. We are all pretty familiar with this flow. So, let’s Zoom out a bit and see what the underlying page looks like:

The underlying web app can be anything that interests you. Could be a page for your favorite football club or can be a website offering free educational courses. If it interests you, you would not hesitate to log in with Google. It’s proven to be a safe way to authenticate to numerous websites. The login flow is almost embedded in your neural network. So, you would not see anything out of the ordinary in this flow.

But Hold On! There’s a Tiny Catch!

When you look under the hood of this seemingly innocent page, that is, in technical terms, when you inspect the source of the page, you would be astonished to learn that “THE ENTIRE BROWSER POPUP INCLUDING THE TITLE BAR AND ADDRESS BAR IS ACTUALLY BUILT USING HTML”. It’s not a browser window at all!!

WHAT!!!

Welcome to the world of Browser-In-The-Browser (BITB) Attacks. This is a fairly new attack technique (discovered in Mid-2022) being employed by fraudsters to convince your users into divulging their account credentials. This phishing strategy is difficult to detect even for a trained eye.

Modus Operandi of a Phishing Campaign using the BITB attack

  • Make an exciting offer that requires the user to Login with an OAuth service such as Google, Twitter, Microsoft, etc.
  • Spawn an HTML popup that looks exactly like the browser window when one of these login buttons is clicked
  • The window to render is customized based on the platform and the browser that the user is using
  • It even checks whether the user is using Light Mode or Dark Mode on the OS to ensure a flawless experience
  • Transmit credentials to the attacker’s server once the user submits them
  • Done. Initial Access Gained!

So, What’s the Solution? User Education?

Unfortunately, user education is not going to help on this front. The fake window checks all the boxes that a trained user would look for. There is only one logical solution: train your users to rely on password managers for auto-filling their passwords on sites. Although a human cannot discern between a real and a fake browser window, password managers can by design; that’s their default behavior. Password managers will not auto-fill credentials on the fake browser window because the login form is rendered in the context of the attacker’s site rather than the real login provider’s domain. A password manager is a great tool, not just because it prevents your users from reusing passwords, but because it also helps the user identify malicious sites using the dreaded BITB attack.

Would You Like To Demonstrate This In Your Next Awareness Training?

This GitHub repository has a collection of Login Window Templates exploiting BITB on popular browsers:

https://github.com/mrd0x/BITB

How SAML Works
https://techkranti.com/how-saml-works/ | Tue, 15 Aug 2023 20:22:23 +0000

Security Assertion Markup Language (SAML) is a set of rules that helps different places, like a website and a login service, share information about who you are and what you’re allowed to do. It’s like a special language made out of code that talks about security, and it’s used to decide if you can access something or not. An important use case that SAML addresses is web-browser single sign-on (SSO). Without the existence of an agreed open standard for exchanging identity information between services, non-interoperable proprietary technologies started to proliferate.

How does SAML work?

Let’s start by understanding what parties are involved in the SAML authentication process. There are three parties involved during a SAML authentication process:

  • Subject: That is you as the user who wants to prove to an online service that you are the individual you claim to be. Your identity is usually identified via a unique identifier such as a username or email.
  • Service Provider (SP): The website or application you want to log in to.
  • Identity Provider (IdP): A service that holds information required to authenticate the subject. Such as your username and password.

How do these parties interact with each other to fulfill the authentication process?

Auth0 provides a clear and concise explanation of the SAML authentication process that I am including here as-is:

Say, Auth0 is our identity provider (IdP), and a fictional service, Zagadat, is our service provider. The SAML authentication steps play out as follows:

  1. The user tries to log in to Zagadat from a browser.
  2. Zagadat responds by generating a SAML request.
  3. The browser redirects the user to an SSO URL, Auth0.
  4. Auth0 parses the SAML request and authenticates the user.
  5. Once the user is authenticated, Auth0 generates a SAML response.
  6. Auth0 returns the encoded SAML response to the browser.
  7. The browser sends the SAML response to Zagadat for verification.
  8. If the verification is successful, the user will be logged in to Zagadat.

From a sequence diagram perspective, this is what the process looks like:

Source: https://en.wikipedia.org/wiki/Security_Assertion_Markup_Language
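As an added example (not part of the original post or of Auth0’s code), here is the service-provider side of steps 7 and 8 in Python: it decodes the base64 SAMLResponse the browser posts back and applies the checks Zagadat must perform before logging the user in. The entity IDs, ACS URL and the sample response are constructed; the example checks that a signature element is present but leaves the cryptographic XML-DSig verification to a dedicated library.

```python
"""Service-provider side of steps 7 and 8 of the flow above: validate the SAML
Response the browser POSTs back before logging the user in (stdlib only)."""
import base64
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Hypothetical configuration of the fictional SP "Zagadat" and its IdP (assumed values).
SP_ENTITY_ID = "https://zagadat.example/saml/metadata"
SP_ACS_URL = "https://zagadat.example/saml/acs"
IDP_ENTITY_ID = "https://auth0.example/idp"

# Constructed sample response (step 6). The ds:Signature element is a placeholder:
# a real one carries an XML-DSig block that must be verified against the IdP's
# certificate with an XML-DSig library before any of the checks below matter.
SAMPLE_RESPONSE_XML = f"""<samlp:Response xmlns:samlp="{NS['samlp']}"
  xmlns:saml="{NS['saml']}" ID="_resp1" Version="2.0"
  IssueInstant="2023-08-15T20:00:00Z" Destination="{SP_ACS_URL}" InResponseTo="_req123">
  <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2023-08-15T20:00:00Z">
    <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
    <ds:Signature xmlns:ds="{NS['ds']}"><!-- XML-DSig placeholder --></ds:Signature>
    <saml:Subject>
      <saml:NameID>alice@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{SP_ACS_URL}"
          InResponseTo="_req123" NotOnOrAfter="2023-08-15T20:05:00Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2023-08-15T19:59:00Z" NotOnOrAfter="2023-08-15T20:05:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>{SP_ENTITY_ID}</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def parse_ts(value):
    """SAML timestamps are UTC ISO-8601 with a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def sample_post_body():
    """The SAMLResponse form field exactly as the browser would POST it (step 7)."""
    return base64.b64encode(SAMPLE_RESPONSE_XML.encode()).decode()


def validate_saml_response(b64_response, expected_request_id, now):
    """Apply the SP-side checks of step 8. Returns (ok, reason, name_id).
    expected_request_id is the ID of the AuthnRequest issued in step 2; binding
    the response to it stops a captured response from being replayed elsewhere."""
    root = ET.fromstring(base64.b64decode(b64_response))
    if root.tag != f"{{{NS['samlp']}}}Response":
        return False, "not a samlp:Response", None
    # Destination and InResponseTo bind the response to this SP and this login.
    if root.get("Destination") != SP_ACS_URL:
        return False, "Destination is not our ACS URL", None
    if root.get("InResponseTo") != expected_request_id:
        return False, "InResponseTo does not match the request we issued", None
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        return False, "IdP did not report Success", None
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        return False, "expected exactly one Assertion", None
    a = assertions[0]
    if a.findtext("saml:Issuer", namespaces=NS) != IDP_ENTITY_ID:
        return False, "assertion issued by an unexpected IdP", None
    if a.find("ds:Signature", NS) is None:  # presence only; verify with XML-DSig
        return False, "assertion is not signed", None
    cond = a.find("saml:Conditions", NS)
    if cond is None or cond.get("NotOnOrAfter") is None:
        return False, "missing Conditions/NotOnOrAfter", None
    not_before = cond.get("NotBefore")  # optional in the spec
    if (not_before and now < parse_ts(not_before)) or now >= parse_ts(cond.get("NotOnOrAfter")):
        return False, "assertion outside its validity window", None
    audiences = [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:
        return False, "assertion was issued for a different SP", None
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != SP_ACS_URL or scd.get("InResponseTo") != expected_request_id:
        return False, "SubjectConfirmationData does not match this SP/login", None
    if scd.get("NotOnOrAfter") is None or now >= parse_ts(scd.get("NotOnOrAfter")):
        return False, "bearer confirmation expired", None
    return True, "ok", a.findtext("saml:Subject/saml:NameID", namespaces=NS)
```

A production SP should also reject assertion IDs it has already accepted, so that a valid response cannot be replayed within its validity window.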

9 Essential Tools In A Startup’s Cyber Security Arsenal
https://techkranti.com/9-essential-tools-in-a-startups-cyber-security-arsenal/ | Tue, 08 Aug 2023 20:20:35 +0000

Cyber Security is always an afterthought in the startup world. It does not directly impact any of the metrics you care about the most in the early stage of a startup. It does not directly help you increase revenue or your valuation or gain more users. It surely does not attract VCs. No VC is going to the market to pick and choose the most secure startup. Obviously, it is going to be an afterthought.

Why Bother About Cyber Security?

If you are frequently in technical discussions, it is very likely that you have encountered the term “Technical Debt”. It is used to denote a situation where the easier of the available options is chosen to move forward, knowing that this would mean added work to fix this in the future. Startups accrue a lot of technical debt while gaining initial traction, even while scaling. And most of the time, this decision is conscious.

Although everyone talks about “Technical Debt”, no one notices or speaks about “Cyber Security debt”. The later you start thinking about and integrating Cyber Security into your business, the bigger the debt.

Will Cyber Security Slow You Down?

Startups are high-velocity businesses. No one wants to get bogged down by controls when you are in a fast-paced world. Bringing in Cyber Security in your fast-paced world is akin to installing new brakes on your supercar. Brakes slow you down, right? Yes, but they also allow you to go fast with confidence because you know that you have fully functional brakes. So, no, Cyber Security will not slow you down.

Get Started On Your Cyber Security Journey

Enough theory, now let’s get into some practical advice. Let’s understand what are the bare essentials you need to get started.

The Must-haves

1. Anti-virus

Anti-virus software is probably the oldest cyber security defense out there. It did not take long for criminals to jump on the computing bandwagon once it started to gain pace. Malware is usually delivered to users either via email or via malicious websites. Most of the time, it is the innocent user clicking on that link, downloading that attachment or executing questionable executables that start the chain of infection.

The damage caused by malware is two-fold:

  • Disruption of operations: Most malware either causes a slowdown of infected systems or may also render them completely unusable. You have to inevitably stall operations to get users back to speed. With a limited IT staff, this can be a daunting task. On the other hand, there is also a risk of ransomware. If your business-critical data gets encrypted, and you cannot do without it, you might need to raise a funding round just to fund the ransom.
  • Sensitive information leakage: Malware is designed to exfiltrate data to an external server that is under the criminal’s control. If they find juicy data in your exfiltration such as PII, credit card details, or trade secrets, this data will soon be up for sale on the dark web.

A decent anti-virus solution is the cheapest investment you can make to ensure the security of your business.

2. Cloud Security Posture Management Solution (CSPM)

If you are a tech startup, you have to inevitably be on the public cloud. Cloud Security Posture Management (CSPM) is a proactive approach to ensuring the security of cloud environments. It involves continuously assessing and managing security configurations, settings, and policies across cloud services and resources to align with best practices and compliance requirements. A single misconfiguration in your cloud environment can mean a catastrophe for your business.

3. Open-Source Vulnerability Scanner

Open-source libraries can contain vulnerabilities that expose your application to potential security risks. These vulnerabilities might range from outdated components with known weaknesses to hidden backdoors inserted by malicious actors. Having a good Open-Source Vulnerability Scanner integrated in your source code repository solution can be a huge help in identifying and remediating these vulnerabilities. In most cases, the fix is to just upgrade the vulnerable package to the latest version, which can be done automatically by these tools.

4. Multi-factor Authentication

Passwords are good, but MFA is much better. Passwords are shared rampantly in a fast-paced business such as a startup, most of the time, insecurely. It’s a common sight to see passwords pinned to a desk in a startup’s office. It’s easy to inadvertently leak them to unintended parties. In cases like these, MFA ensures that your data and systems are not accessed by unauthorized individuals. It’s like having a virtual bouncer at the door, making sure only the right people get in and keeping your valuable data safe from any sneak attacks.

5. Use a CDN provider

CDNs were originally designed with the goal of easing content delivery for your website. However, as the landscape evolved, people started to realize that CDNs are not only effective for speeding up your public websites, but they are also useful for protecting your website against DoS attacks.

6. Security Awareness Training

You might have heard this clichéd saying: “Humans are the weakest link in cybersecurity”. Like it or not, it’s true. People, due to their natural behaviors and vulnerabilities, can inadvertently open the door to cyber threats. Humans can be tricked or manipulated through various methods like phishing emails, social engineering, or even unintentional errors.

Obviously, you would not want your users to sit through boring security awareness training when they could do a thing or two that will move your valuation needle upwards. Security Awareness Training indeed sounds unnecessary and boring, but trust me, it is effective. Whether your team likes it or not, it makes them aware of things they need to watch out for when faced with a real social engineering attack.

Good-to-haves:

7. Ransomware Protection:

We already discussed the need for anti-virus solutions above. Ransomware is the most damaging threat in the current Cyber Security landscape. Although anti-virus solutions are adept in identifying most of the well-known ransomware, a specialized ransomware protection tool can make your infrastructure more resilient against ransomware attacks.

8. Web Application Firewall

If it’s on the Internet, it’s going to be attacked. When you host anything on the Internet, your systems are inevitably scanned and probed for open holes. If your main product is a web application, which is most likely the case, then a critical vulnerability in your web application can lead to a serious data security risk. WAFs sit between your users and your application to filter out traffic that contains common attack patterns. This prevents attack payloads from reaching your main web application, thus saving your system from compromise.

9. Cyber Insurance

This is not a technical defense measure per se, but having a good Cyber Insurance policy can provide you peace of mind. In the event of an attack, it may actually keep you from going bankrupt. The underwriting process for cyber insurance generally entails a review of your existing security measures. The more robust your measures, the smaller the premium you would have to pay to cover your cyber risk. However, if your cyber security measures do not meet the baseline defined by the insurance company, they may reject your insurance proposal.

Why Startups Should Undergo A Cyber Security Assessment
https://techkranti.com/why-startups-should-undergo-a-cyber-security-assessment/ | Tue, 01 Aug 2023 19:34:29 +0000

Should An Early Stage Startup Take Cyber Attacks Seriously?

Being a tech startup in the current cyber landscape, you cannot ignore cyber attacks on your online platform. The average financial impact per cyber attack is close to US$ 4 million. It takes months for an enterprise to recover operations post an attack. A startup, on the other hand, may not survive to see another day if they are not well prepared.

A startup is always cash-crunched, especially when bootstrapped. And the extra cashflow you have may seem better suited for an extra engineering hire than to invest in cybersecurity at an early stage.

When you are operating quietly, making no news, you will stay off the radar of most attackers. But what’s a startup that does not make some noise? Sooner or later, you will have to knock on the PR door to scale rapidly, and that will be an invitation for attackers to target and compromise a brand that has been written about.

All said and done, a cyber attack is a tangible business risk that you should consider while planning future expenses at your tech startup.

OK, so you have decided to take cyber attacks seriously, what next?

Should You Be Doing What Enterprises Are Doing?

Do you want to know how large enterprises secure their businesses from cyber crimes? Well, it’s a long list and it’s the wrong list to look at for a startup. No startup has ever succeeded by plainly copying the business model of a large competitor. Startups succeed because of their hacky way of doing things and unorthodox methods of running a business. Well, the same holds true for Cybersecurity. Enterprise solutions and methods to secure businesses do not suit startups, and startups should be wary of copying them. They might help in mitigating some risks, but they bring unnecessary overhead with them, which would drain your resources.

Although your solutions and methods may differ from enterprises, your approach towards cybersecurity can be similar. When enterprises decide the cyber security tactics they would employ, they perform a risk assessment. And when assessing risks, the first thing they do is list the assets that are critical to their business. No, I am not talking about the assets on your balance sheet. Assets are things that are considered valuable to a business. They can be software, hardware, paper documents, property, and so on.

For a startup taking its first step towards securing itself from cyber attacks, on the other hand, this task is straightforward. What is the single most important asset a startup holds? Your product, right? You have been slogging day and night, fighting the giants in your field, compromising on your monthly salary, all to make your product the best in the market.

What Should You Be Worried About the Most?

Well, you can start by considering the simplest and the most damaging risks to your startup:

  • Complete compromise of your tech platform, leading to data leakage or data corruption and a loss of brand reputation
  • Cloud/SaaS environment compromise
  • Ransomware or other malware attacks
  • Social engineering
  • A single critical vulnerability in your platform allowing massive sensitive data disclosure

The above is not an exhaustive list of the risks your startup is exposed to; however, I believe any one of them could be devastating to your startup if it materializes. Enough bad news; now let’s try to understand what you should do to keep these risks from materializing.

What Is The LEAST You Should Do?

Must Do:

Vulnerability Scanning

This is the most basic task you can perform to analyze the vulnerabilities in your platform’s environment. These scans can be performed on an IP address, a range of IP addresses or a fully qualified domain name. Engage a cyber security vendor or use one of the many online services that offer such scans. It is important that you engage multiple cyber security vendors and identify a trusted partner early in your startup’s lifecycle, to ensure a comprehensive and effective cybersecurity strategy tailored to your specific needs and risks.

Penetration Testing

Vulnerability scanning, explained above, does not actively exploit or validate the identified vulnerabilities; it is a non-intrusive process. Penetration testing, on the other hand, involves simulating real-world cyberattacks on a system, network, or application to identify exploitable vulnerabilities. It goes beyond vulnerability scanning by actively attempting to exploit the identified weaknesses to determine their impact on the target environment. So, while vulnerability scanning tells you where the loopholes in your systems are, a penetration testing exercise helps you understand which of them are the most severe and can actually be exploited by a real attacker.

Application Security Assessment

Application security assessment can take various forms, some automated and some manual. Automated analysis runs directly on your code, using specialized tools to identify insecure code patterns. This kind of source code analysis is good at catching the common security errors software engineers make when writing code. However, these automated tools cannot identify the bugs that a human attacker can identify and exploit. Hence, automated analysis should always be complemented with a manual application security assessment.

The goal of a manual application security assessment is to attack your application from a user’s standpoint. This assessment attempts to identify bugs that were unintentionally introduced in your functionality. If you engage a security vendor to perform an application security assessment, they should generally ask you to provide a whole suite of user accounts covering every permission level an external user can obtain.

Cloud Security Assessment

Tech startups love the cloud. As a tech startup, you would try to solve all your problems in the cloud, and your cloud services account is the primary backbone of your startup. Letting an attacker gain unauthorized access to your cloud is catastrophic, as it would allow them to access all your sensitive business data, customer information, and intellectual property. Financial loss, reputational damage and business disruption are some of the possible consequences if this event were to occur.

Recommended:

Source Code Review

We touched a bit on source code review above when discussing application security assessment using automated tools. However, if a cyber security expert is put to the task, they can dig deep into the code and identify logical bugs that automated analysis cannot.

Configuration Audits

Configuration audits involve checking the configurations of your systems, which include your server operating systems, web and application servers, middleware and third-party software. Configurations are verified against industry standards that are meant to lock down these systems so that their features cannot be abused.
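What a configuration audit does in practice, shown as an added example (not from the original post, and not from any vendor tool): a small checker that reads an sshd_config-style file, works out the effective settings the way sshd would, and compares them with a baseline. The baseline values, the defaults and the sample file are constructed for illustration.

```javascript
// Added example, not the post's own code: a minimal configuration-audit check
// of an sshd_config-style file against a baseline. Baseline values, defaults
// and the sample file are constructed for illustration.

// key -> { want, def, ok? }. `def` stands in for sshd's default when the keyword
// is absent, so an unset keyword is judged by its default rather than flagged blindly.
const SSHD_BASELINE = {
  permitrootlogin:        { want: 'no',   def: 'prohibit-password' },
  passwordauthentication: { want: 'no',   def: 'yes' },
  permitemptypasswords:   { want: 'no',   def: 'no' },
  x11forwarding:          { want: 'no',   def: 'no' },
  maxauthtries:           { want: '<= 4', def: '6', ok: (v) => Number(v) <= 4 },
};

// Returns the effective keyword -> value map. Two sshd rules matter here:
// keywords are case-insensitive, and the FIRST occurrence of a keyword wins,
// so a hardened line appended below a permissive one changes nothing.
// Parsing stops at the first "Match" block because everything after it is conditional.
function parseSshdConfig(text) {
  const effective = {};
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.replace(/#.*$/, '').trim();      // strip comments
    if (!line) continue;
    const m = line.match(/^(\S+)\s*[=\s]\s*(.+)$/);     // "Keyword value" or "Keyword=value"
    if (!m) continue;
    const key = m[1].toLowerCase();
    if (key === 'match') break;
    if (!(key in effective)) effective[key] = m[2].trim();
  }
  return effective;
}

// Compares the effective configuration with the baseline; one finding per deviation.
function auditSshdConfig(text) {
  const effective = parseSshdConfig(text);
  const findings = [];
  for (const [key, rule] of Object.entries(SSHD_BASELINE)) {
    const actual = effective[key] ?? rule.def;
    const pass = rule.ok ? rule.ok(actual) : actual.toLowerCase() === rule.want;
    if (!pass) findings.push({ key, actual, want: rule.want, set: key in effective });
  }
  return findings;
}

// Constructed sample: a file that "looks" hardened if you only read its last line.
const SAMPLE_SSHD_CONFIG = `
# constructed sample sshd_config
Port 22
PermitRootLogin yes
PasswordAuthentication yes
MaxAuthTries 6
X11Forwarding no
# Added later by a well-meaning admin; sshd ignores it because the keyword already appeared above.
PermitRootLogin no
`;

for (const f of auditSshdConfig(SAMPLE_SSHD_CONFIG)) {
  console.log(`FAIL ${f.key}: ${f.actual} (want ${f.want}${f.set ? '' : ', default in effect'})`);
}
```

The sample file reports three deviations (PermitRootLogin, PasswordAuthentication and MaxAuthTries); the trailing `PermitRootLogin no` is exactly the kind of line that makes a manual eyeball check pass while the daemon still accepts root logins. The same shape (parse the effective configuration, compare with a baseline, report deviations) is what a vendor's audit script does for web servers, middleware and the rest.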

Security Awareness Training

Employees are often the first line of defense against cyber threats. Security Awareness Training helps them recognize and respond to security risks, reducing the likelihood of successful social engineering attacks and phishing attempts. Security Awareness Training is an investment in building a security-first mindset among employees. By educating your team and fostering a security-conscious culture, startups can significantly enhance their overall cybersecurity posture and protect their sensitive assets and valuable data.

Closing Comments:

They say that startups are built on the blood, sweat and tears of the founders and the startup’s early team, a team that trusted the vision of the company’s founders when others were possibly mocking the startup for its unconventional mindset. It would be devastating for the people connected with the startup if it faced an existential crisis because of a cyber attack that could have been avoided with a little due diligence. It is never too late to start thinking about cyber security if you haven’t started already.

This minuscule 4 KB file can allow an attacker to take over your Windows system https://techkranti.com/the-wrath-of-windows-lnk-files/ Tue, 25 Jul 2023 19:57:09 +0000 https://techkranti.com/?p=311 The title sounds dramatic, right? Is this clickbait? No, it isn’t. Bear with me while I make my case to justify the title.

So, what’s this dangerous minuscule file the title talks about?

Actually, we have all seen this file on our Windows desktops, deployed for legitimate use cases. This type of file is commonly dropped by an installer when you install new applications on your Windows system. Some of you might have guessed it by now: I am talking about the Windows Shortcut file.

Windows Shortcut To MS Edge Browser

So, what’s up with this file? It seems benign. We have interacted with shortcut files for years without ever worrying about the risk of a system compromise. For the uninitiated, Windows shortcut files are special files with a hidden .lnk extension that point to another file or executable within the filesystem. If you are a Linux user, think symlinks. If you are coming from the Mac world, think aliases.

Now, let’s get to the crux of the matter.

A simple LNK file does nothing but invoke the file it points to. However, if you dig a little further down the LNK rabbit hole, that is, if you right-click the file and check its properties, you will see the Target property. For a usual LNK file, this Target property just contains the path of the target file.

Properties of a typical MS Edge Shortcut

Why is it considered dangerous?

The dangerous aspect of the Target property is that it also accepts command-line arguments. So what? What can go wrong because of this? Let me explain. The ability to pass command-line arguments through an LNK file means that this unassuming little file can be used to operate like a Windows batch file. Yea, you read that right. It can be used to trick a user into executing arbitrary commands on their system.

For example, setting the Target to cmd.exe /c ping -t 127.0.0.1 will run a ping scan on localhost, initiated from a benign-looking Windows shortcut:

Shortcut to run a ping scan on the localhost

Hold on, the fun does not end here. Normally, when you create a shortcut, the icon shown on the shortcut is the icon of the underlying file it points to. So, if you create a shortcut pointing to cmd as we did above, the shortcut shows a cmd icon. Aah, that is a dead giveaway, isn’t it? Any security-aware user would not click on that file.

But, hold your horses. Windows has this amazing feature for a shortcut called Change Icon.

So, you can choose from any of the built-in Windows icons or browse and add your own.

Take a look at this short video showing a ping scan being executed from a shortcut file which, based on its icon, was supposed to open a text document:

To add to this ordeal, Windows hides the .lnk file extension by default, even when “Hide extensions for known file types” is unchecked in User options. So, an attacker can simply name the file “Important Doc”, give it a Word document icon, and the user would never know what they are about to execute under the hood, unless they are smart enough to notice the little shortcut arrow in the bottom-left corner of the icon. But it is not out of the ordinary to see that arrow, so users generally trust these files.

Yea, let that sink in for a while before we move ahead!!!

How does this affect your users?

We never educated our users to safeguard themselves from threats like these. It is much easier for an attacker to convince a user to open a seemingly innocent text file than an executable. Just imagine: instead of running an innocuous ping like we did above, an attacker can have a user execute a shortcut that downloads and installs malware on the user’s system.

This is exactly the trick malware operators use today to get users to run malicious code on their systems. Malware operators realized the potential of the LNK file soon enough, and it is now an active delivery mechanism seen in many recent malware attacks.

Malware Actively Exploiting Windows LNK features

Example 1: EMOTET

The infection chain seen in recent EMOTET infections starts with an LNK file delivered to users over email:

Image courtesy: McAfee

The EMOTET infection chain works as follows:

  1. The LNK file delivered to the user executes a shell command that downloads a VBScript file (.vbs).
  2. This .vbs file is then executed to download the main malicious DLL.
  3. Finally, the malicious DLL is executed to infect the system.

Example 2: ICEDID

ICEDID uses a similar infection chain, but with PowerShell commands instead of shell commands:

  1. The LNK file runs a PowerShell command which downloads an HTA file (https://en.wikipedia.org/wiki/HTML_Application).
  2. HTA files are a whole separate story we can cover in a different article. What matters in this infection chain is that the HTA file is used to run another PowerShell command, which downloads the malware executable.
  3. This malware executable is then run to infect the system.

Example 3: Qakbot

Qakbot also uses an LNK file as its point of entry and then downloads the malicious DLL.

  1. The LNK file runs a PowerShell command to download the malicious DLL.
  2. This DLL is then executed, effectively infecting the underlying system.

Example 4: DUCKTAIL

Recent DUCKTAIL samples too show a similar modus operandi of infecting systems. It all starts with a seemingly innocuous LNK file.

So, cyber criminals are already banking on the LNK infection chain. It is time for you to level up your defences against this novel attack technique.

Further details about the modus operandi of the above malware families can be found here:

https://www.mcafee.com/blogs/other-blogs/mcafee-labs/rise-of-lnk-shortcut-files-malware/

https://www.deepinstinct.com/blog/ducktail-threat-operation-re-emerges-with-new-lnk-powershell-and-other-custom-tactics-to-avoid-detection

What can you do:

  1. Educate your users: obviously.
  2. Block delivery of LNK attachments: again, obviously. I have never once seen a legitimate use case for a user to receive an LNK file in their mailbox. So, why not just block these attachments at the email server or spam firewall level? If you are using GSuite or Office 365, here are some helpful links for administrators on how you can do this: GSuite Office365
  3. Block download of LNK attachments: there is no legitimate need for users to even download LNK files, so downloads of these files should be blocked at the Internet gateway level or via browser policy.
  4. Ask your EDR or antivirus vendor how they protect against such attacks.
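Blocking "LNK attachments" by file name is not enough, because the extension is hidden and can be renamed away; a mail gateway or download filter should recognise the file by its content. The added example below (my own code, not from the post and not from any product) reads the fixed header and the string fields of a Windows shortcut as laid out in Microsoft's public MS-SHLLINK specification, and applies the two triage rules the post gives us: an interpreter target (cmd, PowerShell, script hosts, mshta for HTA files) combined with command-line arguments, and an icon borrowed from a different program. The two shortcuts it inspects are constructed in code, one of them using the post's own `cmd.exe /c ping -t 127.0.0.1` target.

```javascript
// Added example, not the post's own code: a minimal MS-SHLLINK reader for
// defensive triage of attachments. Sample shortcuts are constructed below.
const LNK_CLSID = Buffer.from([0x01, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00,
                               0xC0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46]);
const FLAG = { IDLIST: 0x01, LINKINFO: 0x02, NAME: 0x04, RELPATH: 0x08,
               WORKDIR: 0x10, ARGS: 0x20, ICON: 0x40, UNICODE: 0x80 };
// Interpreters the infection chains above rely on (cmd, PowerShell, VBS hosts, HTA host).
const INTERPRETERS = ['cmd.exe', 'powershell.exe', 'pwsh.exe', 'wscript.exe',
                      'cscript.exe', 'mshta.exe', 'rundll32.exe'];

// Content check: HeaderSize 0x4C followed by the shell-link CLSID, whatever the file name says.
function looksLikeLnk(buf) {
  return buf.length >= 0x4C && buf.readUInt32LE(0) === 0x4C && buf.subarray(4, 20).equals(LNK_CLSID);
}

// Extracts the StringData fields. The LinkTargetIDList (where most real shortcuts
// keep their target) is skipped here; a production parser also decodes it.
function parseLnk(buf) {
  if (!looksLikeLnk(buf)) throw new Error('not a shell link');
  const flags = buf.readUInt32LE(20);
  let off = 0x4C;                                                 // end of fixed header
  if (flags & FLAG.IDLIST) off += 2 + buf.readUInt16LE(off);      // IDListSize + IDList
  if (flags & FLAG.LINKINFO) off += buf.readUInt32LE(off);        // LinkInfoSize includes itself
  const unicode = (flags & FLAG.UNICODE) !== 0;
  const readString = () => {                                      // CountCharacters + chars, no NUL
    const chars = buf.readUInt16LE(off); off += 2;
    const bytes = unicode ? chars * 2 : chars;
    const s = buf.subarray(off, off + bytes).toString(unicode ? 'utf16le' : 'latin1');
    off += bytes;
    return s;
  };
  const link = { name: '', relativePath: '', workingDir: '', arguments: '', iconLocation: '' };
  if (flags & FLAG.NAME) link.name = readString();
  if (flags & FLAG.RELPATH) link.relativePath = readString();
  if (flags & FLAG.WORKDIR) link.workingDir = readString();
  if (flags & FLAG.ARGS) link.arguments = readString();
  if (flags & FLAG.ICON) link.iconLocation = readString();
  return link;
}

const baseName = (p) => p.split(/[\\/]/).pop().toLowerCase();

// Triage: interpreter + arguments, and an icon that points at a different program.
function assessLnk(buf) {
  const link = parseLnk(buf);
  const target = baseName(link.relativePath);
  const reasons = [];
  if (INTERPRETERS.includes(target) && link.arguments) reasons.push('interpreter target with arguments');
  if (link.iconLocation && baseName(link.iconLocation) !== target) reasons.push('icon borrowed from another program');
  return { target, arguments: link.arguments, suspicious: reasons.length > 0, reasons };
}

// Constructed sample builder: StringData only (no IDList, no LinkInfo), Unicode strings.
function buildLnk({ relativePath = '', args = '', icon = '' }) {
  const header = Buffer.alloc(0x4C);
  header.writeUInt32LE(0x4C, 0);
  LNK_CLSID.copy(header, 4);
  let flags = FLAG.UNICODE;
  const body = [];
  const add = (flag, s) => {                     // fields must appear in specification order
    if (!s) return;
    flags |= flag;
    const len = Buffer.alloc(2); len.writeUInt16LE(s.length, 0);
    body.push(len, Buffer.from(s, 'utf16le'));
  };
  add(FLAG.RELPATH, relativePath);
  add(FLAG.ARGS, args);
  add(FLAG.ICON, icon);
  header.writeUInt32LE(flags, 20);
  return Buffer.concat([header, ...body]);
}

// Constructed: the post's "Important Doc" lure, wearing a Word icon.
const SAMPLE_LURE = buildLnk({
  relativePath: '..\\..\\Windows\\System32\\cmd.exe',
  args: '/c ping -t 127.0.0.1',
  icon: '%ProgramFiles%\\Microsoft Office\\root\\Office16\\WINWORD.EXE',
});
// Constructed: an ordinary browser shortcut.
const SAMPLE_EDGE = buildLnk({
  relativePath: '..\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe',
  icon: '..\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe',
});

for (const [name, buf] of [['Important Doc', SAMPLE_LURE], ['Microsoft Edge', SAMPLE_EDGE]]) {
  console.log(name, JSON.stringify(assessLnk(buf)));
}
```

Wired into a mail or download filter, `looksLikeLnk` is the gate (the header check works on a file called `Important Doc` or `report.pdf` alike), and `assessLnk` gives the reviewer the target and arguments in plain text, which is also what you would want in the alert your EDR raises. The icon-mismatch rule is a heuristic; plenty of legitimate shortcuts set an icon from a DLL, so treat it as a score, not a verdict.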

Closing Comments:

I feel that the battle between malware creators and defenders plays out like a game of chess, except that the malware creators have an unobstructed view of all of the defenders’ pieces and, on top of that, the leverage to introduce new pieces and new rules into this ever-evolving game. Defenders can only adapt to the new rules and design defences to counter the criminals’ moves until they see a new piece with new rules.

24-Jul-23: In Security News Today https://techkranti.com/24-jul-23-in-security-news-today/ Mon, 24 Jul 2023 20:12:19 +0000 https://techkranti.com/?p=367 Google Messages Implements MLS Protocol for Cross-Platform End-to-End Encryption

Google is adding support for Messaging Layer Security (MLS) to its Messages service for Android, enabling end-to-end encryption with interoperability across different messaging platforms. The protocol, recently released as an RFC by the Internet Engineering Task Force (IETF), provides continuous group key agreement for secure communication among multiple participants and offers post-compromise security and forward secrecy. Major companies like Amazon Web Services (AWS), Cisco, and Cloudflare have also endorsed MLS, aiming to enhance the security and privacy of messaging services.

Critical Zero-Day Vulnerabilities in Atera Windows Installers Enable Privilege Escalation Attacks

Atera’s remote monitoring and management software’s Windows Installers were found to contain zero-day vulnerabilities that could lead to privilege escalation attacks. The flaws, discovered by Mandiant, allow potential attackers to execute arbitrary code with elevated privileges, presenting serious security risks. Atera has released updated versions (1.8.3.7 and 1.8.4.9) to remediate the issues, emphasizing the importance of thorough review and prevention of misconfigured Custom Actions to protect against such attacks. Additionally, Kaspersky revealed an actively exploited privilege escalation flaw (CVE-2023-23397) in Windows that targeted government and critical infrastructure entities in various countries before public disclosure.

Banks Targeted by Threat Actors in Open Source Software Supply Chain Attacks

Cybersecurity researchers at Checkmarx have reported two separate incidents where threat actors attempted to introduce malware into the software development environments of two different banks via poisoned packages on the Node Package Manager (npm) registry. These attacks marked the first instances of adversaries targeting banks through the open source software supply chain and involved advanced techniques, including the use of Azure’s CDN subdomains to deliver the second-stage payload, which was identified as the Havoc Framework. The attacks aimed to steal sensitive data, login credentials, and potentially gain access to the banks’ networks, highlighting the need for heightened security measures to protect against such threats in the financial sector.

KillNet’s Ambitious Growth and Russian State Alignment Raise Concerns

The connection between Russian cybercrime collective KillNet and the Kremlin remains uncertain, but its cyberattacks appear to align with Russian state interests. KillNet’s media branding strategy is proving effective, attracting more cybercriminals and their skills into the organization, potentially consolidating Russian hacker power under one entity. While there is limited direct evidence of collaboration with the Russian security services, the collective’s increasing capabilities and alignment with Russia’s geopolitical interests raise concerns among cybersecurity professionals about its potential threat.

Atlassian Confluence and Bamboo Vulnerable to Remote Code Execution

Atlassian has disclosed three remote code execution (RCE) vulnerabilities affecting Confluence Data Center & Server (CVE-2023-22505, CVE-2023-22508) and Bamboo (CVE-2023-22506). The flaws could potentially allow threat actors to take full control of Atlassian instances, putting cloud infrastructure, software supply chain, and other critical assets at risk. Admins are urged to apply the patches immediately to prevent exploitation and safeguard their systems.

Google’s Internet Access Block for Staff: Enhancing Cybersecurity or Hindering Productivity?

Reports indicate that Google is blocking certain staff members’ internet access in an effort to bolster its cybersecurity. The pilot program restricts internet access to internal web-based tools and Google-owned sites, but some employees are allowed to opt out after expressing dissatisfaction with the restrictions. While the move may reduce potential malware attacks, it raises questions about employee productivity and the contradiction with Google’s mission to make information universally accessible.

Disclaimer: Titles and summaries are AI-generated. Please refer to the linked content for more details.

Understanding SaaS Security Posture Management (SSPM) https://techkranti.com/understanding-saas-security-posture-management/ Tue, 18 Jul 2023 09:53:51 +0000 https://techkranti.com/?p=308 Origin of the term Posture Management in the context of Cyber Security

Security Posture Management solutions gained popularity in the context of Cloud Security, that is, in the form of Cloud Security Posture management (CSPM) solutions. CSPM enabled organizations to assess and monitor their security posture in the cloud, helping them identify vulnerabilities, misconfigurations, and potential threats.

If you google Cloud Security Posture Management, most descriptions of the solution mention the following features:

  • Continuously monitor and assess compliance policies
  • Identify how new assets comply with security policies and regulations
  • Centrally review how threats are being detected, quarantined, and remediated
  • Identify and classify risks, which is critical to maintaining cloud security
  • Provide visibility into what assets are in the cloud and how they are configured, which is crucial for cloud security

Now, those who have been in cyber security long enough will sense how familiar the above features are from the old-school world of “Configuration Auditing”: the practice of verifying that the configurations of operating systems, web servers, application servers, etc. meet a minimum baseline standard for security. “Security Posture Management” is just a fancy name for “Configuration Auditing”. The security industry is great at generating new jargon. Enough criticism; let’s dive deeper into the SaaS Security Posture Management ecosystem.

First, Understanding the SaaS Landscape

We know from looking around us, within our organizations and outside, that SaaS is exploding like never before, especially after the pandemic. Lower costs, ease of use, scalability, and integration capabilities are key drivers for organizations opting for these services to address their problems. As per the market and consumer statistics company Statista, there are currently 30,000 SaaS companies around the world, and this number is expected to explode to 72,000 by 2024. The market size of SaaS is projected to reach $700 billion by 2030. Given this growth, it is clear that we are already in a SaaS economy. Some would argue that we are now in an AI economy. Truly speaking, most of the AI applications today are being sold as SaaS products. So, I would still call it a SaaS economy.

Why does SaaS need Security Posture management?

When it comes to the secure configuration of operating systems or other system software, you will find a plethora of documentation on the optimal configuration for locking down your box, and numerous scripts to automate the process for you. But can you find the same for your SaaS product? Nope.

SaaS products are usually feature rich. (They have to be, otherwise they won’t receive VC funds 😉). When onboarding SaaS products, admins are first concerned with whether they are configuring the product correctly for their use case. Secure configuration is always an afterthought.

Owing to the abundance of features, SaaS can open up new attack surfaces for organizations. The more functionality a system has, the more chances there are that some of it is misconfigured. Additionally, unlike operating systems and other system software, there is no single underlying principle that governs the secure configuration of all SaaS services, because every SaaS product is different in the features it provides.

How do SSPMs help organizations reduce risk?

  • Providing visibility of your SaaS platforms’ security:
    You can’t mitigate risks you are unaware of. Since SaaS products do not sit within your network, old-school monitoring makes no sense here. Most SSPM solutions provide a dashboard for administrators to understand the inventory of SaaS products handling the organization’s sensitive data and the risks that data is exposed to.
  • User Access Monitoring
    • Overly permissive settings: The variety of SaaS applications running in an organization makes it difficult for administrators to understand the security implications of every role and privilege granted to users. SSPM solutions ease this task by providing information about user roles or accounts that are likely too permissive.
    • Stale user accounts: De-provisioning user access from SaaS applications can be a real pain, as it almost always requires administrators to manually log in to the application and revoke permissions or delete accounts. In such a scenario, it is highly likely that administrators will miss some accounts. SSPM alerts administrators about user accounts that have not logged in for an extended period of time, indicating a possibly stale user account.
  • Identify Misconfigurations and Vulnerabilities: By actively detecting and notifying your security team of unnecessary permissions, ensuring access control, and providing proactive remediation solutions, a reliable SSPM solution helps prevent misconfigurations. While many security solutions focus on guarding against deliberate misconfigurations, SSPM offers the ability to manage both intentional and unintentional misconfigurations, thereby reducing the risk of user configurations deviating from standard guidelines.
  • Compliance Management: Companies heavily reliant on SaaS face significant challenges in maintaining compliance with internal regulations and external security policies. The sheer volume of applications used by employees and customers on a daily basis can make it easy for compliance considerations to be overlooked or disregarded. Despite the critical importance of compliance in SaaS usage, companies often struggle to keep track of and adhere to the necessary regulations and policies.
  • Remediation Guidance or one-click remediation: Upon identifying security risk-related data, SSPM autonomously assesses the required actions to be taken. By continuously monitoring and reinforcing your security posture round the clock, SSPM ensures immediate remediation, which is crucial for effectively defending against threats. The proactive and constant vigilance provided by SSPM significantly contributes to strengthening your overall security defenses.
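The two User Access Monitoring checks above (stale accounts and overly permissive roles) reduce to a small review over whatever user export the SaaS admin console gives you. The added example below is my own code, not from the post and not from any SSPM product; the user list, the corporate domain and the thresholds (90 idle days, 20% privileged accounts) are constructed assumptions, and `now` is injectable so the review is reproducible.

```javascript
// Added example, not the post's own code: stale-account and over-permissive-role
// checks over a constructed SaaS user export. All thresholds are assumptions.
const STALE_DAYS = 90;                   // assumption: no login in 90 days = stale
const MAX_PRIVILEGED_SHARE = 0.2;        // assumption: more than 20% privileged accounts is a smell
const PRIVILEGED_ROLES = new Set(['owner', 'admin', 'super_admin']);
const CORPORATE_DOMAIN = 'example.com';  // constructed

// Constructed export; lastLogin is ISO-8601 or null for "never logged in".
const SAMPLE_USERS = [
  { email: 'alice@example.com',          role: 'admin',  lastLogin: '2023-07-10T08:00:00Z' },
  { email: 'bob@example.com',            role: 'member', lastLogin: '2023-02-01T09:30:00Z' },
  { email: 'ci-bot@example.com',         role: 'admin',  lastLogin: null },
  { email: 'carol@example.com',          role: 'member', lastLogin: '2023-07-15T12:00:00Z' },
  { email: 'contractor@partner.example', role: 'owner',  lastLogin: '2023-01-20T16:45:00Z' },
];

const daysBetween = (iso, now) => Math.floor((now - Date.parse(iso)) / 86_400_000);

// Returns one finding per issue; severity rises when the account is privileged.
function reviewAccess(users, now = Date.now()) {
  const findings = [];
  for (const u of users) {
    const privileged = PRIVILEGED_ROLES.has(u.role);
    const sev = privileged ? 'high' : 'low';
    if (u.lastLogin === null) {
      findings.push({ email: u.email, issue: 'never logged in', severity: sev });
    } else {
      const idle = daysBetween(u.lastLogin, now);
      if (idle > STALE_DAYS) findings.push({ email: u.email, issue: `no login for ${idle} days`, severity: sev });
    }
    if (privileged && !u.email.endsWith('@' + CORPORATE_DOMAIN)) {
      findings.push({ email: u.email, issue: `privileged role "${u.role}" on an external account`, severity: 'high' });
    }
  }
  const privilegedCount = users.filter((u) => PRIVILEGED_ROLES.has(u.role)).length;
  if (users.length > 0 && privilegedCount / users.length > MAX_PRIVILEGED_SHARE) {
    findings.push({ email: '*', issue: `${privilegedCount} of ${users.length} accounts hold privileged roles`, severity: 'medium' });
  }
  return findings;
}

const REVIEW_DATE = Date.parse('2023-07-18T00:00:00Z');   // constructed review date
for (const f of reviewAccess(SAMPLE_USERS, REVIEW_DATE)) {
  console.log(`[${f.severity}] ${f.email}: ${f.issue}`);
}
```

Against the sample this yields five findings: two stale accounts (one of them an external owner), an admin service account that has never logged in, the external privileged account itself, and the overall privileged share. An SSPM product runs the same logic continuously and across every connected application; the value it adds over this script is the connectors and the scheduling, not the rules.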
Add AES Encrypt/Decrypt Functions to Google Sheet https://techkranti.com/add-aes-encrypt-decrypt-functions-to-google-sheet/ Tue, 27 Jun 2023 14:36:47 +0000 https://techkranti.com/?p=289 I recently needed to add some sensitive data to a database which was later going to be sent to a Google Sheet. Now, the situation was such that the sensitive data could lie unencrypted in the Google Sheet but not in the database. I looked through the Sheets formula reference to find out whether there were built-in encryption and decryption functions. There aren’t. So, I decided to create them myself.

Here’s the GitHub Gist that you can add to your Sheet’s Apps Script project to get AES encryption/decryption capability in your sheet:

https://gist.github.com/ameyanekar/be20cbb775c4d89c87e37c55994a7240

The above code will create two functions for you:

encrypt(plaintext)
decrypt(ciphertext)

Update the asciiKey variable to change the key or, even better, pass the key to the function from the sheet.
