15.9.21

What is a cyberattack surface and how can you reduce it?


 Discover the best ways to mitigate your organization’s attack surface in order to maximize cybersecurity

 By Phil Muncaster

 In almost all coverage of modern breaches you’ll hear mention of the “cyberattack surface” or something similar. It’s central to understanding how attacks work and where organizations are most exposed. During the pandemic the attack surface has grown arguably further and faster than at any point in the past. And this has created its own problems. Unfortunately, organizations are increasingly unable to define the true size and complexion of their attack surface today—leaving their digital and physical assets exposed to threat actors.

Fortunately, by executing a few best practices, these same defenders can also improve their visibility of the attack surface, and with it, gain enhanced understanding of what’s necessary to minimize and manage it.

What is the corporate attack surface?

At a basic level, the attack surface can be defined as the physical and digital assets an organization holds that could be compromised to facilitate a cyber-attack. The end goal of the threat actors behind it could be anything from deploying ransomware and stealing data to conscripting machines into a botnet, downloading banking trojans or installing crypto-mining malware. The bottom line is: the bigger the attack surface, the larger the target the bad guys have to aim at.

Let’s take a look at the two main attack surface categories in more detail:

The digital attack surface

This describes all of an organization’s network-connected hardware, software and related components. These include:

Applications: Vulnerabilities in apps are commonplace, and can offer attackers a useful entry point into critical IT systems and data.

Code: A major risk now that much of it is being compiled from third-party components, which may contain malware or vulnerabilities.

Ports: Attackers are increasingly scanning for open ports and whether any services are listening on a specific port (e.g. TCP port 3389 for RDP). If those services are misconfigured or contain bugs, these can be exploited.

Servers: These could be attacked via vulnerability exploits or flooded with traffic in DDoS attacks.

Websites: Another part of the digital attack surface with multiple vectors for attack, including code flaws and misconfiguration. Successful compromise can lead to web defacement, or implanting malicious code for drive-by and other attacks (e.g. formjacking).

Certificates: Organizations frequently let these expire, allowing attackers to take advantage.

This is far from an exhaustive list. To highlight the sheer scale of the digital attack surface, consider this 2020 research into firms on the FTSE 30 list. 
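To make the inventory idea concrete, here is an added example (not from the article) that runs two of the checks above, exposed risky ports and expired or soon-expiring certificates, over a constructed asset list; the hostnames, the RISKY_PORTS table and the 30-day warning window are assumptions.

```python
# Added example, not from the article: inventory checks for two of the
# asset classes listed above (open ports and certificates). The hosts,
# port table and 30-day warning window are constructed assumptions.
from datetime import date

# Services that warrant scrutiny when reachable from the Internet
# (the article's RDP example plus common admin/database ports).
RISKY_PORTS = {3389: "RDP", 22: "SSH", 445: "SMB", 3306: "MySQL", 5900: "VNC"}

# Constructed inventory: one record per network-facing asset.
INVENTORY = [
    {"host": "web-01.example.test", "ports": [80, 443],
     "cert_expiry": date(2021, 8, 30), "internet_facing": True},
    {"host": "jump-01.example.test", "ports": [3389, 22],
     "cert_expiry": None, "internet_facing": True},
    {"host": "db-01.example.test", "ports": [3306],
     "cert_expiry": date(2022, 3, 1), "internet_facing": False},
]


def find_exposed_services(inventory):
    """Return (host, port, service) for risky services on Internet-facing hosts."""
    findings = []
    for asset in inventory:
        if not asset["internet_facing"]:
            continue  # internal-only assets are out of scope for this check
        for port in asset["ports"]:
            if port in RISKY_PORTS:
                findings.append((asset["host"], port, RISKY_PORTS[port]))
    return findings


def find_expiring_certs(inventory, today, warn_days=30):
    """Return (host, days_left) for certs already expired or expiring within warn_days."""
    findings = []
    for asset in inventory:
        expiry = asset["cert_expiry"]
        if expiry is None:
            continue  # no TLS certificate recorded for this asset
        days_left = (expiry - today).days  # negative means already expired
        if days_left <= warn_days:
            findings.append((asset["host"], days_left))
    return findings


if __name__ == "__main__":
    today = date(2021, 9, 15)
    print("exposed services:", find_exposed_services(INVENTORY))
    print("certificate issues:", find_expiring_certs(INVENTORY, today))
```

Feeding real data into INVENTORY (from a CMDB export or a port scan of your own estate) turns this into a recurring visibility check rather than a one-off.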

Full article on www.welivesecurity.com


BladeHawk group: Android espionage against Kurdish ethnic group

ESET researchers have investigated a targeted mobile espionage campaign against the Kurdish ethnic group. This campaign has been active since at least March 2020, distributing (via dedicated Facebook profiles) two Android backdoors known as 888 RAT and SpyNote, disguised as legitimate apps. These profiles appeared to be providing Android news in Kurdish, and news for the Kurds’ supporters. Some of the profiles deliberately spread additional spying apps to Facebook public groups with pro-Kurd content. Data from a download site indicates at least 1,481 downloads from URLs promoted in just a few Facebook posts. The newly discovered Android 888 RAT has been used by the Kasablanka group and by BladeHawk. Both of them used alternative names to refer to the same Android RAT - LodaRAT and Gaza007 respectively.

BladeHawk Android espionage

The espionage activity reported here is directly connected to two publicly disclosed cases published in 2020. QiAnXin Threat Intelligence Center named the group behind these attacks BladeHawk, which we have adopted. Both campaigns were distributed via Facebook, using malware that was built with commercial, automated tools (888 RAT and SpyNote), with all samples of the malware using the same C&C servers.

Distribution

We identified six Facebook profiles as part of this BladeHawk campaign, sharing these Android spying apps. We reported these profiles to Facebook and they have all been taken down. Two of the profiles were aimed at tech users while the other four posed as Kurd supporters. All these profiles were created in 2020 and shortly after creation they started posting these fake apps. These accounts, except for one, have not posted any other content besides Android RATs masquerading as legitimate apps.

These profiles are also responsible for sharing espionage apps to Facebook public groups, most of which were supporters of Masoud Barzani, former President of the Kurdistan Region; an example can be seen in Figure 1. Altogether, the targeted groups have over 11,000 followers.

Read full article on www.welivesecurity.com