Blaze Information Security

Computer and Network Security

Experts in offensive cybersecurity and penetration testing.

About us

At Blaze we are experts in offensive cybersecurity, accredited by CREST. Headquartered in Germany, with a presence in Portugal, Poland, and Brazil, we serve customers in over 25 countries. Our elite team of ethical hackers believe in technical excellence, rooted in unparalleled experience to deliver complex projects for organizations in industries that include banking, technology, energy, e-commerce, startups, and many more.

Our services include:

+ CREST-accredited Penetration Testing
+ Application security assessments
+ Red teaming
+ Phishing simulations
+ Cloud security reviews
+ Cyber security in M&A
+ Threat modelling
+ Security Development Lifecycle
+ Pentesting for ISO 27001, SOC 2, HIPAA, TISAX, DiGA compliance and more

Be Secure. Be Ahead. Be Blaze.

Website: https://www.blazeinfosec.com
Industry: Computer and Network Security
Company size: 11-50 employees
Headquarters: Worldwide
Type: Privately Held
Founded: 2016
Specialties: Web Application Security, Penetration Test, Mobile Application Security, Code Review, Product Security Review, Architecture Security Review, Cyber Security, DevSecOps, API Penetration Testing, Continuous Penetration Testing, Managed Penetration Testing, and Application Security

Updates

  • The provisions of the Digital Operational Resilience Act (DORA) will come into effect in January 2025. To keep you informed about the most important aspects surrounding the upcoming law, we have prepared a free e-book that offers financial institutions practical advice on how to prepare for it. Inside, you will discover:

    ➡ Who is within the scope of DORA
    ➡ ICT risk management requirements
    ➡ Incident management, classification, and reporting requirements
    ➡ The role of management
    ➡ Digital Operational Resilience testing
    ➡ Steps to take to prepare for DORA

    Access the link below and download your copy of the e-book now. 🔥

    #DORA #DORAEbook #Cybersecurity #DigitalOperationalResilienceAct

    DORA Essentials – Understanding Your Cybersecurity Obligations

    https://www.blazeinfosec.com

  • ➡ Google has updated Chrome to patch a high-severity zero-day vulnerability allowing attackers to execute malicious code on user devices. The vulnerability, CVE-2024-4671, is a "use after free" bug in C-based programming languages, where developers allocate and deallocate memory using "pointers" to manage limited memory space. Read more: https://lnkd.in/ebJSUa5a

    ➡ Authorities from the UK, US, and Australia have launched the second phase of Operation Cronos, imposing sanctions on Dmitry Yuryevich Khoroshev, a 31-year-old Russian administrator of LockBit ransomware. The US has unsealed an indictment and offered a $10 million reward for his arrest. LockBit conducted over 7,000 attacks from June 2022 to February 2024, mainly targeting the US, UK, France, Germany, and China. Read more: https://lnkd.in/e3JzHChT

    ➡ CISA and the FBI reported that Black Basta ransomware affiliates breached over 500 organizations between April 2022 and May 2024. A joint report with HHS and MS-ISAC revealed that the gang targeted at least 12 of 16 critical infrastructure sectors, including healthcare. High-profile victims include Rheinmetall, Hyundai Europe, Capita, ABB, Toronto Public Library, and Sobeys. Black Basta emerged in April 2022 after the Conti cybercrime syndicate split up. Read more: https://lnkd.in/en3AbdBB

    ➡ Millions of IoT devices across various sectors are at risk due to vulnerabilities in Telit's Cinterion modems. Kaspersky identified seven flaws, the most severe being CVE-2023-47610, allowing remote code execution via SMS. Despite reporting these in November, Telit has only partially addressed them. Affected devices span industries like automotive, healthcare, and telecommunications. Kaspersky recommends disabling nonessential SMS capabilities and employing private APNs for security. Read more: https://lnkd.in/d_uFMseD

    #MondayCyberRecap #Cybersecurity

  • AWS Summit Berlin is approaching fast. We are proud to be a sponsor of this event and will be there on 15 and 16 May. Topics you can learn about during the sessions include generative AI, AI/ML architecture, cloud operations, data and analytics, DevOps and developer productivity, migration, networking and global infrastructure, security, serverless, and more. Hope to see you there! #AWSSummitBerlin

  • Check out the new technical content from Blaze Labs on pentesting LLM-integrated applications. In the article, our expert explores prompt leaking and its subsequent exploitation through prompt injection, which allowed the unauthorized execution of system commands via Python code injection. #BlazeLabs #Pentesting #PromptInjection #Python #LLM

    LLM pentest: Leveraging agent integration for RCE

    https://www.blazeinfosec.com

  • ➡ Hackers are currently exploiting a critical GitLab vulnerability, CVE-2023-7028, to take over accounts by sending password reset emails to any chosen address. CISA warns of the high-severity flaw, now added to the KEV catalog, and mandates Federal Civilian Executive Branch (FCEB) agencies to remediate FCEB networks against the active threat. Read more: https://lnkd.in/e_6tH5PD

    ➡ The BlackCat ransomware group breached Change Healthcare by using stolen credentials to access their Citrix remote service, which didn't have multi-factor authentication enabled – UnitedHealth's CEO Andrew Witty disclosed in a written statement for a House Energy and Commerce subcommittee hearing. Read more: https://lnkd.in/gNPewTrf

    ➡ On May 02, 2024, CISA and the FBI issued a joint alert on eliminating directory traversal vulnerabilities in software, particularly due to their exploitation in critical sectors like healthcare. Highlighting 55 known cases in the KEV catalog, they urge software executives to ensure rigorous testing against such vulnerabilities. Read more: https://lnkd.in/eU6D7hkh

    ➡ In 2023, new US regulations increased pressure on company security teams, particularly CISOs, by making them potentially liable for data breaches. Notable cases included Uber’s former security chief being sentenced for hiding a breach, and SolarWinds' CISO charged over failure to disclose risks. These developments have led some professionals to avoid CISO roles, fearing personal liability, yet others see it as a chance to strengthen their influence in corporate governance. Read more: https://lnkd.in/d5meGsfc

    #MondayCyberRecap #Cybersecurity

  • The expansion of Blaze's office in Recife, Brazil, is complete. 🔥 The number of workstations available has more than doubled, from 9 to 20, and now we have 3 meeting rooms - two individual and one collective, which has also been expanded. On Monday, part of our team got together to celebrate the exciting upgrade, enjoying more comfort, space and even a few hours of karaoke. We're thrilled about this new chapter and extend our gratitude to everyone who works with us.

  • On World Password Day, let's refresh our approach to password security with these expert tips based on NIST guidelines:

    ➡ Regularly update and check against a list of compromised or common passwords to ensure your choices are secure.

    ➡ Always use cryptographically protected channels to transmit passwords. Employ salted key derivation functions for password storage to enhance security.

    ➡ Strong composition: Opt for long passwords or passphrases (8-64 characters) that include spaces and all printable characters. Allow creativity with nonstandard characters like emoticons. Implement multifactor authentication (MFA) for a more secure verification beyond just passwords. Steer clear of SMS-based MFA due to vulnerabilities. Use password managers to generate, store, and auto-fill your passwords securely.

    ➡ Embrace new standards: Adopt passkeys in place of traditional passwords where possible, aligning with NIST's push towards more secure and user-friendly login methods. Additionally, incorporate 2FA with FIDO (Fast Identity Online) standards for increased phishing resistance on 2FA.

    🛡️ Remember, simple measures can fortify your defenses against common threats like password stuffing and spraying.

    #WorldPasswordDay #CyberSecurity
