Blog entry by Les Bell

Les Bell
by Les Bell - Wednesday, August 16, 2023, 6:28 AM
Anyone in the world

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories


Biters Bit: Hackers Hack Themselves

Threat intelligence firm Hudson Rock has built a cybercrime intelligence database consisting of over 14.5 million computers infected by infostealers. Using this database, they analyzed 100 of the leading cybercrime forums, finding an amazing 120,000 infected computers, many of them belonging to hackers, which had credentials associated with cybercrime forums.

Let that sink in: these were computers, belonging to hackers, which were infected by infostealers - either unintentionally by the hackers themselves, by associates, or who knows? Bear in mind that hackers can't resist luring in would-be hackers and script kiddies with trojaned hacking tools - download something from a disreputable site like a cybercrime forum, and the phrase caveat emptor should be tattooed on your forehead. The Hudson Rock researchers were probably inspired by a previous example of this, in which an initial access broker called "La_Citrix" accidentally infected his own computer with an infostealer he was using to gather corporate credentials for Citrix and RDP servers.

Infostealers typically enumerate a lot of information, such as system information, credentials (usernames, email addresses and plaintext passwords), browser data including session and authentication cookies and even form autofill data such as names, addresses and phone numbers. It is this information that allows the real identities of the hackers to be discovered.

The biggest single group of infected users - over 57,000 of them - came from the "Nulled.to" forum; "Cracked.io" and "Hackforums.net" were in second and third place, respectively. Analyzing password strength, Hudson Rock found that cybercrime forum users generally use stronger passwords than those used on government web sites.

It also seems that the most effective infostealer for gathering information from cybercriminals is Redline, followed by Raccoon and Azorult.

Hudson Rock, 100,000 Hackers Exposed from Top Cybercrime Forums, blog post, 14 August 2023. Available online at https://www.hudsonrock.com/blog/100-000-hackers-exposed-from-top-cybercrime-forums.

NIST Drafts Major Update to Cybersecurity Framework, Adds Governance Function

The US National Institute of Standards and Technology (NIST) has had a major success on its hands for almost a decade, in the form of its Framework for Improving Critical Infrastructure Cybersecurity. As the name suggests, this framework was originally developed for critical infrastructure like the energy grid as well as financial and telco networks - but its logical structure, coupled with the fact that it was freely downloadable let to it rapidly becoming popular across a range of organizations, right down to small and medium enterprises, both inside the US and internationally. Perhaps as a consequence, it has become better known just as the Cybersecurity Framework (CSF).

While most users were able to adapt 2018's version 1.1 of the CSF to their needs - after all, it is a framework, meaning that it provides a conceptual organizing structure and principles while actually referencing a range of other informative standards - it became obvious that the next revision would have to have a broader scope. Accordingly, the recently-released draft of version 2.0 is now officially titled "The Cybersecurity Framework", and its scope has explicitly been expanded to apply to all organizations regardless of type or size.

In order to direct this update, NIST issued a request for information in February 2022. "Many commenters said that we should maintain and build on the key attributes of the CSF, including its flexible and voluntary nature", said Cherilyn Pascoe, lead developer of the framework. "At the same time, a lot of them requested more guidance on implementing the CSF and making sure it could address emerging cybersecurity issues, such as supply chain risks and the widespread threat of ransomware. Because these issues affect lots of organizations, including small businesses, we realized we had to up our game".

As a consequence, the five principal functions of the Framework - Identify, Protect, Detect, Respond and Recover - have been augmented by a new sixth: Govern. This covers have an organization can establish its own approach to developing and supporting a cybersecurity strategy, setting cybersecurity risk alongside other senior leadership concerns such as legal, financial, operational and other types of risk.

The draft also introdiices the concept of profiles, which tailor and refine the Framework for specific industry sectors and use cases, such as manufacturing industry, elections, the smart grid and extreme fast charging infrastructure for EV's. Following the release of this draft in a few weeks will be a CSF 2.0 reference tool which will allow browsing, searching and export of the CSF core data in both human- and machine-readable formats. A later version of the tool will provide the informative references which link to Standards and other resources.

NIST, NIST Drafts Major Update to Its Widely Used Cybersecurity Framework, news release, 8 August 2023. Available online at https://www.nist.gov/news-events/news/2023/08/nist-drafts-major-update-its-widely-used-cybersecurity-framework.


These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Creative Commons License TLP:CLEAR Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.

Tags: