Media Coverage

CREST recently visited the UN to take part in discussions throughout the day as part of the UN’s cyber focus group. The UN’s cyber focused open ended working group is working towards international agreement on key cyber capability development priorities.

CREST President, Rowland Johnson, and CEO, Nick Benson, attended the working group at the UN HQ in NY on 10 May 2024. Rowland presented on the benefits of consistent international standards for high quality cyber service providers and practitioners.

We were also honoured to be referenced by the UK’s representative who sited the valuable contribution of non-profits including CREST, Global Cyber Alliance, Shadowserver and FIRST.

In a recent conversation with Mastercard Newsroom, Rigo Van den Broeck (executive vice president of cybersecurity product innovation at Mastercard) shares what RiskRecon’s research reveals about the current risk landscape for cities and how to better protect critical systems and data.

For cities that scored lower, what are the easiest and most immediate steps they could be taking?

Developing strong cyber hygiene takes time, so it’s always important to evaluate ways to mitigate risks throughout your cybersecurity journey. There are resources that can help cities no matter their size. Cybersecurity agencies at various levels of government and computer emergency response teams have expansive missions that aid in securing the internet. Mastercard also proudly supports several organizations that provide no-cost cybersecurity services, including the CyberPeace Institute, the Global Cyber Alliance, and the Shadowserver Foundation.

Like it or not, you rely on the internet. So here’s a not-so-fun-fact: the functioning and security of the internet we all rely on, relies on non-profit organisations, many of which depend on uncertain funding streams and volunteer networks.

We’re talking here about organisations like the Shadowserver Foundation which scans the entire internet every day and reports vulnerabilities, free of charge, to network owners. Or Quad 9, which provides secure Domain Name Services (or an internet ‘address book’) for individuals and companies. Or MITRE, whose ATT&CK knowledge base is the go-to source for defence against cyber attackers.

We, the companies and individuals who get the benefit, just expect the internet to work. Yet the organisations on which we rely to make it work have very real costs, often in the millions of dollars per month. And all of these vital but little acknowledged organisations are funded through grants, donations and intermittent government-funded projects, and all of them suffer the extremes of perpetual funding uncertainty.

The good news is that this precarious model for sustaining a secure and functioning internet is recognised problem, and increasingly attracting attention and serious thought. At the forefront of this effort are the incredibly special people at the Global Cyber Alliance, who, rather than simply accepting that this frightening dependency is a hard-wired and permanent norm, are pioneering solutions to address this funding conundrum. This is the essence of the Common Good Cyber initiative

A maximum severity vulnerability that allows hackers to hijack GitLab accounts with no user interaction required is now under active exploitation, federal government officials warned as data showed that thousands of users had yet to install a patch released in January. While exploits require no user interaction, hijackings work only against accounts that aren’t configured to use multifactor authentication. Even with MFA, accounts remained vulnerable to password resets, but the attackers ultimately are unable to access the account, allowing the rightful owner to change the reset password. The vulnerability, tracked as CVE-2023-7028, carries a severity rating of 10 out of 10.

According to Internet scans performed by security organization Shadowserver, more than 2,100 IP addresses showed they were hosting one or more vulnerable GitLab instances. The number of IP addresses showing vulnerable instances has fallen over time. Shadowserver shows that there were more than 5,300 addresses on January 22, one week after GitLab issued the patch.

GitLab users should also remember that patching does nothing to secure systems that have already been breached through exploits. GitLab has published incident response guidance here.

A critical vulnerability in 1,400+ exposed CrushFTP servers has sparked major security concerns. Identified as CVE-2024-4040, this flaw (previously exploited as a zero-day) allows unauthenticated attackers to remotely execute code or access files on vulnerable systems.  CrushFTP urgently recommends updates to prevent exploitation that could compromise system files.

Security analysts from Shadowserver have pinpointed 1,401 CrushFTP servers that remain unpatched and exposed online, with the highest numbers located in the United States (725), Germany (115), and Canada (108). Moreover, a total of 5,232 CrushFTP servers are visible on the internet, though it remains unclear how many are susceptible to this vulnerability.

Update your CrushFTP servers promptly to mitigate this critical vulnerability and protect your systems from potential cyber threats. Stay vigilant and ensure your defenses are up to date!

In terms of revenue, 2023 will go down as a record-breaking year for ransomware, with over a billion dollars in payments going to hackers. The FBI reports a record $12.5 billion lost to cyber crime more broadly over the course of that year.

Tech companies often are best positioned to detect cyber threats and anomalies. They routinely issue software patches to preempt illicit cyber activity, and some even resort to civil litigation to disarm it. Commercial actors are also credible voices in internet governance bodies like ICANN and other nongovernmental, multistakeholder groups. These traits make them natural, even indispensable, partners for Western LEAs.

Meanwhile, civil society groups (such as the Shadowserver Foundation, the Institute for Security and Technology, and the Global Cyber Alliance) provide convening power, capability development, and vulnerability monitoring that can help prioritize and drive public awareness to both inform and complement LEA takedowns.

A website used by more than 2,000 criminals to defraud victims worldwide has been infiltrated in the Met’s latest joint operation to tackle large-scale online fraud. ‘LabHost’ is a service which was set up in 2021 by a criminal cyber network. It enabled the creation of “phishing” websites designed to trick victims into revealing personal information such as email addresses, passwords, and bank details.

But LabHost has now been infiltrated and disrupted as the result of a worldwide operation led by the Met.

Work began in June 2022 after detectives received crucial intelligence about LabHost’s activity from the Cyber Defence Alliance. Once the scale of site and the linked fraud became clear the Met’s Cyber Crime Unit joined forces with the National Crime Agency, City of London Police, Europol, Regional Organised Crime Units (ROCUs) across the country and other international police forces to take action.

Partners including Chainalysis, Intel 471, Microsoft, The Shadowserver Foundation and Trend Micro have also been at the centre of our efforts to bring down this platform.

Exploit code is now available for a maximum severity and actively exploited vulnerability in Palo Alto Networks’ PAN-OS firewall software.

Tracked as CVE-2024-3400, this security flaw can let unauthenticated threat actors execute arbitrary code as root via command injection in low-complexity attacks on vulnerable PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1 firewalls if the device telemetry and GlobalProtect (gateway or portal) feature are enabled.

While Palo Alto Networks has started releasing hotfixes on Monday to secure unpatched firewalls exposed to attacks, the vulnerability has been exploited in the wild as a zero-day since March 26th to backdoor firewalls using Upstyle malware, pivot to internal networks, and steal data by a threat group believed to be state-sponsored and tracked as UTA0218..

Security threat monitoring platform Shadowserver says it sees more than 156,000 PAN-OS firewall instances on the Internet daily; however, it doesn’t provide information on how many are vulnerable.

The Common Good Cyber initiative, a collaborative effort aimed at addressing the challenge of sustaining nonprofit and public interest organizations involved in critical cybersecurity functions, announces the release of its workshop report. The report encapsulates insights and outcomes from a landmark gathering held in February 2024 at the National Press Club in Washington, D.C., United States.

The workshop, jointly organized by leading cybersecurity organizations including the Cyber Threat Alliance, the CyberPeace Institute, the Forum of Incident Response and Security Teams (FIRST), the Global Cyber Alliance, the Institute for Security and Technology (IST), and the Shadowserver Foundation, convened over 100 stakeholders representing various sectors including government, multilateral organizations, civil society, foundations, business, and academia. An additional 200 participants joined online to discuss the systemic underfunding of cybersecurity nonprofits and explore sustainable funding approaches.

First, our focus is on disrupting illegal cyber activity before it can cause harm and threaten national security. Drawing from our CT playbook, it’s a threat-driven and victim-centered approach. While we always look to make arrests where possible, our law enforcement disruptions can take many forms.

Not long ago, such law enforcement disruption operations occurred at most once per year. But, so far this year, the Department has announced already three significant such operations, two of which were spearheaded by NSD, alongside our U.S. Attorney’s Office and FBI partners.

It deserves emphasizing that this is a team sport: Even as the operations relied on Justice Department legal process, we are often not alone in planning or executing them. We are almost always joined by a coalition of U.S. government, private sector, and foreign partners in this work.

In disrupting the GRU botnet, for example, we planned and coordinated with the Shadowserver Foundation, Microsoft, and other private sector partners. Shortly after we announced the operation, the FBI, NSA, Cyber Command, and 11 foreign partner entities released a joint cybersecurity advisory providing device owners and network defenders with valuable threat intelligence about the GRU’s relevant tactics, techniques, and procedures. Many of these same partners provided invaluable assistance in eradicating portions of the botnet within their borders.