Proactively anticipating cybersecurity risks in the digital era

Nearly 440 million compromised accounts in Vietnam in 2024 — this is the figure announced by VSEC at the 7th Vietnam Security Summit 2025 held this afternoon, May 23, at GEM Center, based on statistics from the VSEC Threat Intelligence platform. A VSEC representative emphasized that businesses must adopt a proactive strategy to anticipate cybersecurity risks, rather than passively waiting for incidents to occur.

Cyber threats are real — and always present

No business is unfamiliar with this reality—yet none can confidently say, “I know for certain whether my IT system is secure or has already been breached and under control for some time.” This is a shared concern among information security managers not only in Vietnam but globally, as the pace of digitalization and the expansion of services on cloud infrastructure continue to accelerate.

According to projections by IoT Analytics, the number of connected IoT devices worldwide is expected to reach 40 billion by 2030. In Europe alone, 75% of businesses are anticipated to adopt cloud computing technologies for their operations by the same year (according to the European Commission). As digital connectivity expands and the digital decade unfolds, cybersecurity threats are becoming more apparent and pressing than ever before.

In the session “Cloud Security in a Digital World,” Mr. Phan Hoang Giap – CTO of VSEC – highlighted the growing complexity of modern cyberattacks, such as Advanced Persistent Threats (APTs), Zero-day Exploits, sophisticated evasion and stealth tactics, polymorphic/metamorphic malware, fileless attacks, and even attacks delivered through third-party software and services.

Based on VSEC Threat Intelligence’s 2024 monitoring data, there are 257 active hacker groups operating globally, with 19,471 ransomware victims recorded—36 of whom are based in Vietnam. The report also reveals that 523,110 compromised devices and 435,343,839 leaked accounts have been detected in Vietnam alone. The information that end users typically know about recent cyberattacks is merely the tip of the iceberg.

Mr. Phan Hoang Giap – CTO of VSEC, speaking at the 7th Vietnam Security Summit 2025

Proactively anticipating cybersecurity risks

In response to escalating cybersecurity threats—especially on internet-connected and cloud-based platforms—VSEC highlights three essential strategies that enable digital enterprises to proactively manage cyber risks. Specifically, these include proactively “screening” for hidden threats through Compromise Assessment, “vaccinating” against vulnerabilities via Red Teaming, and continuously “sweeping” for potential exposures using VSEC’s Attack Surface Management service. With these measures, organizations can maintain clear visibility into the current security posture of their IT systems.

Instead of merely asking: Has my system been breached? Are any of my organization’s accounts or data exposed on the internet? How might hackers be viewing my infrastructure? Which digital assets require evaluation? — VSEC experts advise businesses to take the next step by establishing a comprehensive, end-to-end cybersecurity framework.

Security consulting at VSEC’s booth – a Managed Security Service Provider (MSSP) in Vietnam since 2003

“It’s not easy to determine whether your system is truly secure—but it is absolutely achievable,” emphasized a VSEC representative. Rigorous compliance with basic practices such as password changes, timely software patching, and security awareness training for employees can, by itself, reduce cyber risks by up to 50%.

For organizations in the financial sector or those managing high volumes of sensitive digital assets, 24/7 SOC (Security Operations Center) monitoring and periodic compromise assessments are imperative to continuously track and manage the “health” of their IT systems.

In today’s rapidly evolving digital era, a strong and secure digital foundation is critical—not only for building customer trust but also for enabling strategic partnerships with global-scale enterprises. Certifications from professional MSSPs are now essential, serving as a trusted assurance that the organization is actively safeguarding itself against persistent cybersecurity risks.

About VSEC:

VSEC is the first MSSP in Vietnam to simultaneously achieve dual CREST certifications for Penetration Testing and Security Operations Center (SOC) in 2023. As Vietnam’s earliest cybersecurity provider and the nation’s first Cybersecurity Threat Alert Center, VSEC has operated since 2003.

In addition to traditional services such as Penetration Testing, Red Teaming, and SOC, VSEC also offers modern security solutions including MDR (Managed Detection and Response), DFIR (Digital Forensics and Incident Response), CA (Compromise Assessment), Pentest as a Service, and Attack Surface Management. VSEC also integrates AI-powered platforms such as Threat Intelligence, XDR, and more.

Learn more at ICTVietnam

Technology Trends in Cybersecurity for 2025

Mr. Phan Hoang Giap – Chief Technology Officer at VSEC – shares his insight: “In the landscape of 2025, emerging trends such as Artificial Intelligence (AI) and Cloud-Native Application Protection Platforms (CNAPP) are forecasted to dominate the cybersecurity sector.”

According to the Cybersecurity Market Report 2024–2029 by Mordor Intelligence, the Asia-Pacific region plays a pivotal role in the global cybersecurity market due to rapid digital transformation and the growing adoption of advanced technologies across multiple sectors. Trends such as Zero Trust and Blockchain have been widely discussed in recent years and have reached a certain level of maturity. Meanwhile, quantum computing—though promising to revolutionize various aspects of cybersecurity—still requires more time for practical expansion and widespread adoption.

Therefore, “in the landscape of 2025, emerging trends such as Artificial Intelligence (AI) and Cloud-Native Application Protection Platforms (CNAPP) are forecasted to dominate the cybersecurity sector,” shared Mr. Phan Hoang Giap, CTO of VSEC. At the same time, Chief Information Security Officers (CISOs) are increasingly aware of the importance of proactively managing risks to protect their organizations from vulnerabilities and latent threats.

Artificial Intelligence not only supports rapid threat detection and incident response but also significantly enhances the ability to anticipate potential risks. Meanwhile, CNAPP—by embedding security across the entire lifecycle of cloud-native application development—has become an indispensable solution for digitally transforming enterprises. These powerful trends are reshaping the way we safeguard data and systems in this new digital era. Let’s dive deeper into these two trends with Mr. Phan Hoang Giap, CTO of VSEC.

1. AI-Driven Cybersecurity: A Strategic Shift

Artificial Intelligence is rapidly becoming a critical component in the cybersecurity landscape. Its ability to process vast volumes of data and make near-instant decisions is transforming how organizations defend systems and respond to threats. On the offensive side, AI is enabling attackers to launch more sophisticated campaigns with unprecedented speed and effectiveness. Highly convincing phishing emails, realistic deepfake videos, and optimized malware are just a few examples. However, on the defensive front, AI has emerged as a powerful tool to counter these evolving threats. According to IBM Security, organizations applying AI and Machine Learning to threat detection have reduced detection time by up to 96% compared to traditional approaches.

AI-integrated security products are driving a major shift in the industry, with solutions like UEBA (User and Entity Behavior Analytics) playing a pivotal role. By analyzing the behavior of users and entities, UEBA helps identify abnormal patterns that traditional tools often overlook. The use of AI in UEBA has improved anomaly detection accuracy by up to 85%, according to Gartner. Similarly, AI-powered insider threat detection tools have seen significant advances in precision, helping organizations mitigate both internal and external risks more effectively.

One notable trend in AI adoption is the transition from legacy SIEM (Security Information and Event Management) solutions to XDR (Extended Detection and Response). XDR not only enhances detection and response capabilities but also leverages AI to streamline threat analysis and identification. Its ability to integrate and correlate data sources significantly reduces false positives, improving both the reliability and efficiency of cybersecurity operations. In parallel, this shift is accelerating the growth of MDR (Managed Detection and Response) services, which are increasingly replacing traditional Managed SIEM offerings. With MDR, organizations benefit not just from 24/7 monitoring but also from tailored, actionable responses to incidents—reducing both damage and downtime.

In the field of Threat Intelligence, AI functions as an ultra-fast “analyst,” capable of processing and analyzing vast volumes of data from diverse sources. AI not only helps identify patterns within the data but also uncovers relationships between entities such as IP addresses, domains, or malicious files. This provides a more accurate and contextual understanding of threats. Based on these insights, organizations can make informed strategic decisions to prevent and respond to emerging threats effectively.

In the realm of Security Operations (SecOps), AI and the trend of HyperAutomation are gradually redefining the role traditionally played by SOAR (Security Orchestration, Automation, and Response). Conventional SOAR platforms heavily depend on custom scripts, require significant costs, and often entail lengthy deployment times. In contrast, the integration of AI makes automation processes far more agile. AI not only facilitates easier system integration but also optimizes incident response workflows, significantly reducing response times to security incidents. The convergence of AI and automation is ushering in a new era in cybersecurity—one where speed and efficiency are key to combating increasingly complex threats. According to Gartner, Security Operations Centers (SOCs) that incorporate AI and HyperAutomation can reduce manual workloads by up to 55%, allowing engineers to focus on more sophisticated threats.

AI is also driving a significant leap in productivity for security engineers, particularly within modern SOC environments. These teams face overwhelming volumes of data and security alerts on a daily basis, creating substantial operational pressure. AI has emerged as a powerful tool, enabling faster and more accurate incident analysis, risk-based threat prioritization, and intelligent triage of critical issues. Moreover, AI automates repetitive tasks, dramatically reducing manual effort and enabling security teams to dedicate their time to more strategic and complex missions.

Demand for Pentest-as-a-Service (PTaaS) rose by 35% in 2023 compared to 2022 (according to MarketsandMarkets)

AI is driving a significant shift in penetration testing (Pentest), a domain that traditionally requires high-level expertise and extensive manual effort. With AI, a portion of vulnerability exploitation—particularly at medium complexity levels—can now be automated. AI enables rapid and accurate testing, identifying and reporting potential vulnerabilities at a speed that far surpasses human capabilities. This advancement not only reduces reliance on manual pentesters but also accelerates the growth of Pentest-as-a-Service (PTaaS). PTaaS empowers organizations to embed continuous security testing into their DevSecOps pipelines, helping to eliminate bottlenecks in the software development lifecycle and accelerate the implementation of cybersecurity measures.

2. Cloud Security – CNAPP in Cybersecurity

The Cloud Native trend is reshaping how organizations build and operate their systems, while simultaneously introducing new security challenges. In 2023, 45% of global data breaches were related to cloud platforms (Verizon Data Breach Investigations Report 2023). Additionally, 80% of organizations reported experiencing cloud misconfigurations, which remain the leading cause of cloud security vulnerabilities (McKinsey & Company). This has driven the emergence of solutions like CNAPP (Cloud-Native Application Protection Platform), a comprehensive platform designed to safeguard applications and data in cloud environments. According to Gartner, by 2025, 60% of organizations using cloud services are expected to adopt CNAPP to protect their applications and data.

[Image: CNAPP in cybersecurity]

A key component of CNAPP is Code Security, which focuses on securing applications right from the development stage to mitigate risks before deployment. One widely used technique is Static Application Security Testing (SAST), which analyzes source code to identify security flaws such as injections or insecure coding practices during development. In parallel, Dynamic Application Security Testing (DAST) evaluates the application during runtime, simulating real-world attacks to uncover vulnerabilities that only emerge in a live environment. For applications heavily dependent on open-source code or third-party libraries, Software Composition Analysis (SCA) plays a critical role in detecting and managing known vulnerabilities in these components, reducing risks associated with outdated or insecure dependencies. Beyond application security, Code Security also extends to infrastructure by scanning and analyzing Infrastructure as Code (IaC) to identify misconfigurations or insecure provisioning scripts that could expose the environment to threats.

This approach helps identify insecure misconfigurations in infrastructure configuration files such as Terraform or Kubernetes YAML, ensuring that deployment environments comply with security standards before going live. Another key highlight is the management of sensitive information—such as API keys or tokens—through secret scanning tools that detect and prevent secret leaks within source code. Scanning Infrastructure as Code (IaC) helps detect and fix up to 90% of infrastructure misconfigurations before deployment. Simultaneously, with the widespread use of containers in Cloud Native environments, securing containers during the development phase has become essential. Container image scanning tools can detect vulnerabilities or unsafe configurations during the build process.
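As an added example (not VSEC's own tooling), the following script shows the kind of pre-deployment check the Code Security component above describes: an Infrastructure-as-Code scan of a Kubernetes Pod manifest for privileged or root containers, host network sharing, mutable image tags and hard-coded credentials, with the same secret patterns applied to a Terraform fragment. The manifests, the Terraform snippet and the two secret patterns are constructed for this example and are deliberately minimal.

```python
"""Added example (not VSEC's tooling): a minimal IaC and secret-scanning check,
the kind of pre-deployment control the Code Security component above describes.
It inspects a Kubernetes Pod manifest given as JSON (kubectl accepts JSON, so no
YAML library is needed) and flags privileged or root containers, host network
sharing, mutable image tags and hard-coded credentials in env vars; the same
secret patterns are then run over a Terraform fragment.  All inputs are constructed.
"""
import re
from typing import Dict, List

# Constructed patterns: the AWS access key id shape and a generic
# "password=..." / "secret_key=..." style assignment.  Real scanners ship
# hundreds of such rules; two are enough to show the mechanism.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "generic_credential": re.compile(
        r"(?i)(password|passwd|secret(?:[_-]?key)?|token|api[_-]?key)\s*[:=]\s*\S+"
    ),
}


def scan_secrets(text: str) -> List[str]:
    """Return the names of the secret patterns that match the given text."""
    return [name for name, rx in SECRET_PATTERNS.items() if rx.search(text)]


def _mutable_tag(image: str) -> bool:
    """True for 'nginx', 'nginx:latest' and similar; False for pinned tags/digests."""
    last = image.rsplit("/", 1)[-1]
    return ":" not in last or last.endswith(":latest")


def check_pod(manifest: Dict) -> List[str]:
    """Return human-readable findings for one Pod manifest (empty list = clean)."""
    findings: List[str] = []
    spec = manifest.get("spec", {})
    if spec.get("hostNetwork"):
        findings.append("pod shares the host network namespace (hostNetwork: true)")
    for c in spec.get("containers", []):
        name = c.get("name", "<unnamed>")
        sc = c.get("securityContext", {})
        if sc.get("privileged"):
            findings.append(f"{name}: runs privileged")
        if sc.get("allowPrivilegeEscalation", True):
            findings.append(f"{name}: allowPrivilegeEscalation is not set to false")
        if not sc.get("runAsNonRoot"):
            findings.append(f"{name}: runAsNonRoot is not set")
        image = c.get("image", "")
        if _mutable_tag(image):
            findings.append(f"{name}: image '{image}' uses a mutable tag")
        for env in c.get("env", []):
            value = env.get("value")  # valueFrom/secretKeyRef entries carry no 'value'
            if value is None:
                continue
            for hit in scan_secrets(f"{env.get('name', '')}={value}"):
                findings.append(f"{name}: env {env.get('name')} looks like a hard-coded {hit}")
    return findings


# Constructed weak manifest: everything an IaC scanner should complain about.
WEAK_POD = {"kind": "Pod", "spec": {
    "hostNetwork": True,
    "containers": [{
        "name": "web", "image": "nginx:latest",
        "securityContext": {"privileged": True},
        "env": [{"name": "AWS_ACCESS_KEY_ID", "value": "AKIAIOSFODNN7EXAMPLE"},
                {"name": "DB_PASSWORD", "value": "hunter2"}],
    }]}}

# Constructed hardened manifest: pinned image, non-root, no escalation,
# credentials injected from a Kubernetes Secret instead of the manifest.
HARDENED_POD = {"kind": "Pod", "spec": {
    "containers": [{
        "name": "web", "image": "registry.example.com/web:1.4.2",
        "securityContext": {"privileged": False, "allowPrivilegeEscalation": False,
                            "runAsNonRoot": True},
        "env": [{"name": "DB_PASSWORD",
                 "valueFrom": {"secretKeyRef": {"name": "db-creds", "key": "password"}}}],
    }]}}

# Constructed Terraform fragment with credentials committed in plain text.
TERRAFORM_SNIPPET = '''
provider "aws" {
  region     = "ap-southeast-1"
  access_key = "AKIAIOSFODNN7EXAMPLE"
  secret_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
}
'''

if __name__ == "__main__":
    for label, pod in (("weak", WEAK_POD), ("hardened", HARDENED_POD)):
        print(f"{label}: {check_pod(pod) or ['no findings']}")
    print("terraform:", scan_secrets(TERRAFORM_SNIPPET))
```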

Cloud Security Posture Management (CSPM) and Kubernetes Security Posture Management (KSPM) are critical components of modern organizations’ security strategies as they transition aggressively to cloud environments and containerized deployments. CSPM focuses on monitoring and managing the security posture of cloud-based resources, helping identify and remediate misconfigurations to reduce the risk of exploitation. In increasingly complex, multi-layered cloud environments, CSPM not only ensures compliance with security standards like CIS or PCI DSS but also provides continuous monitoring capabilities to ensure that configuration changes do not introduce new vulnerabilities. Similarly, KSPM is tailored toward securing Kubernetes deployments—the most widely used container orchestration platform today. Due to the dynamic and flexible nature of Kubernetes, ensuring security at the cluster, node, and container level has become more challenging than ever. KSPM automatically detects misconfigurations, such as over-permissive access or the absence of necessary policy controls. Additionally, KSPM supports organizations in validating compliance with Kubernetes-specific security standards while enabling continuous monitoring and reporting to improve security posture over time.

Cloud Workload Protection (CWP) focuses on securing workloads operating in cloud environments. These workloads include virtual machines (VMs), containers, and serverless functions, which form the backbone of modern application operations. While cloud environments offer flexibility and scalability, they also introduce increasingly sophisticated cybersecurity risks. CWP is designed to monitor, detect, and prevent threats in real time, helping organizations safeguard assets from external attacks and anomalous internal behavior. Beyond traditional protections such as malware detection and unauthorized access prevention, CWP leverages advanced technologies like AI and machine learning to perform behavioral analysis, enabling the prediction and mitigation of threats before they cause harm. This is especially crucial in Cloud Native environments, where workloads frequently change and move across zones or environments. With CWP, organizations can ensure that every workload is comprehensively protected, remaining resilient against vulnerabilities and cyberattacks.

Cloud Infrastructure Entitlement Management (CIEM) is another critical component within the CNAPP ecosystem, focusing on managing permissions and securing resources in cloud environments. Given the nature of modern cloud infrastructure—where resources and services are flexibly deployed, shared, and accessed—CIEM was developed to address the challenges of access control and minimize the risks stemming from permission misuse or misconfiguration. CIEM can reduce up to 80% of excessive access rights in cloud environments, which is a major contributing factor to insider threats. It manages not only human user permissions but also access rights for non-human entities such as service accounts, API keys, and automated systems. The core function of CIEM is to deliver comprehensive visibility, detect excessive or unnecessary privileges, and provide recommendations for rights optimization—ensuring that only the users or entities with legitimate needs are granted access to specific resources. This approach significantly lowers the risks of insider threats and mitigates potential abuse of over-privileged access by attackers.

Conclusion

Cybersecurity remains an adversarial race—a constant intellectual and technological tug-of-war between defenders and attackers. As threat actors continuously evolve with new techniques and intrusion methods, defensive teams must also proactively adapt, improve, and modernize their security strategies to protect systems and data effectively. In this fast-moving digital era, where threats are increasingly sophisticated and unpredictable, leveraging advanced technologies like AI and CNAPP empowers organizations to improve their detection, response, and overall security posture against emerging risks.

Source: www.vsec.com.vn

Reported by ICT News

VSEC and ambition to put Vietnam on the global cybersecurity map

Cybersecurity is a complex domain, characterized by rapid technological change. Human resources in this field require not only high-quality training and professional expertise but also extensive hands-on experience. For this reason, the number of companies operating in cybersecurity remains relatively small, and even fewer have managed to survive and establish their reputation over two decades. Vietnam Security Network Corporation (VSEC), with 21 years of operation in information security, proudly stands as the first cybersecurity training and early-warning center in Vietnam. We spoke with Mr. Trần Thanh Long – CEO of VSEC – to gain deeper insight into the company’s work culture, development direction, and the opportunities it offers.

Embracing Differences, Committing to Continuous Learning

Over its 21-year journey, VSEC has gone through multiple transformations — including periods of severe talent shortages, due either to staff turnover or active restructuring. However, by embracing those risks, VSEC successfully built its core human capital around a shared set of values: Integrity, Lifelong Learning, Listening & Sharing, and Customer-Centricity.

At VSEC, every employee is encouraged to fully unleash their potential.
“We foster a workplace culture built on continuous learning, where each individual grows in order to deliver outstanding services to our clients,” shared Mr. Trần Thanh Long. A culture that values fairness, transparency, and diversity has become the foundation for VSEC’s ability to attract and retain talent in an increasingly competitive landscape.

Every individual who joins the company is empowered to take ownership of their work and is provided with the right conditions to maximize their capabilities. The knowledge-sharing spirit across teams not only enhances performance but also binds members into a unified collective. This spirit helped VSEC achieve major milestones—such as becoming the first organization in Vietnam to earn dual CREST certifications for Penetration Testing and Security Operations Center (SOC) services in 2022, when Vietnam was still unfamiliar with such rigorous international standards.

VSEC team members are also empowered to participate in technical competitions and conduct applied research to deepen their cybersecurity expertise. These opportunities are enabled through partnerships with globally recognized security firms and include collaborative engagements on complex projects such as Mercury, Black Panda, and CREST Con.

Ambition to Put Vietnam on the Global Map

According to the fifth edition of the Global Cybersecurity Index (GCI) 2024 published by the International Telecommunication Union (ITU), Vietnam is currently ranked among 46 countries in Tier 1 (scoring between 95 and 100), with an overall score of 99.74. Back in 2020, Vietnam was ranked 25th out of 182 countries in the fourth GCI edition. These achievements highlight Vietnam’s growing capacity in cybersecurity and underscore the importance of sustaining progress, enhancing international credibility, and contributing meaningfully to the national digital transformation agenda.

In alignment with the broader development of cybersecurity, VSEC has been actively collaborating with various domestic and international organizations and associations. The goal is to elevate the quality of Vietnam’s cybersecurity workforce and position the country as a provider of high-quality cybersecurity services in the global market—placing Vietnam firmly on the international cybersecurity map.

According to Mr. Long, VSEC began implementing a comprehensive development strategy in 2024, centered around four key pillars:

  1. Research & Development: Strong investments are being made into R&D to create cybersecurity products and services based on cutting-edge technologies, capable of addressing the increasing number and complexity of threats.
  2. Market Expansion: Extending operations into new domestic and international markets, especially targeting developed countries within the region and across the globe.
  3. International Collaboration: Strengthening partnerships with leading global cybersecurity entities to access advanced technologies and expand business networks.
  4. Talent Development: Focusing on the training and growth of high-quality human resources to meet the rising demands of the cybersecurity market.

The Challenges of Innovation and Talent

While proud of VSEC’s achievements, Mr. Long acknowledged that the company faces significant challenges—particularly from the rising complexity of cyber threats that require constant and faster innovation to stay ahead.

The rapid advancement of technologies such as Artificial Intelligence (AI), Machine Learning, and the Internet of Things (IoT) presents both opportunities and challenges for the cybersecurity industry. To keep pace, VSEC is heavily investing in intelligent defense solutions, automation, and enhanced big data analytics capabilities. High-value services such as Red Teaming and DFIR (Digital Forensics & Incident Response) remain core areas of focus and growth. “We need passionate and talented individuals—not only to help VSEC overcome these challenges but to also help shape the future of cybersecurity,” shared Mr. Long.

Also according to Mr. Long, VSEC today not only provides internationally certified cybersecurity solutions but also integrates market-specific needs in Vietnam through its in-house experts. By working closely with major global technology partners, VSEC ensures its solutions are both globally compliant and locally relevant—delivering highly effective outcomes for clients. “We are committed to continuously investing in R&D to keep improving our products and services, maintaining our position as a market leader,” Mr. Long emphasized.

An Opportunity for You

Opportunities remain open for those who share a passion for cybersecurity and a mindset of continuous learning. Discover current job openings at VSEC here or reach out to us directly:

📧 Email: tuyendung@vsec.com.vn

What to do when attacked by Ransomware? (1)

February 2024 is said to have been a month of complete chaos in cyberspace, with consecutive ransomware attacks. Economic losses from cyber attacks and data loss reached billions of dollars. Even large businesses that are expected to invest in information security were left confused.

Ransomware is appearing every day, every hour

According to statistics, 2023 was the year of an “explosion” of ransomware attacks: the total amount paid by victims exceeded 1 billion dollars, and 10% of organizations were targeted by ransomware. Ransomware attacks on businesses remain a common trend, and Vietnam is no exception, while attacks on ordinary users are gradually leveling off.

In recent times, LockBit ransomware, specifically LockBit 3.0, has also become the most serious threat that businesses are facing. This threat marks a significant advance in the field of ransomware, characterized by sophisticated tactics and comprehensive capabilities. LockBit 3.0 not only demonstrates a superior ability to adapt to evolving cybersecurity defenses, but also a higher level of organization and coordination. LockBit accounted for 27.93% of all known ransomware attacks between July 2022 and June 2023. This number highlights the group’s exceptional performance and efficiency in carrying out network attacks, demonstrating a level of operational precision that sets this group apart in the field of malicious cyber activity.

What sets LockBit 3.0 apart from its counterparts is not merely its popularity but also its methodological evolution. The group continuously refines its tactics, incorporates cutting-edge technologies, and adapts to the ever-changing cybersecurity landscape. This agility has allowed LockBit 3.0 to outperform traditional defense mechanisms, posing a persistent challenge for organizations of all sizes. As a result, this malware family is being used by many attackers.

Who are the real victims of Ransomware?

According to VSEC statistics, every economic sector has been “visited” by ransomware. In 2023, the healthcare sector ranked first in the world for data breaches and attacks; the average cost of a data breach in this sector has increased by 53.3%, more than 3 million USD above the average of 7.13 million USD in 2020. In the United States, this sector is regarded as a critical industry, especially its infrastructure systems. Since the Covid-19 pandemic, the industry has seen significantly higher average data breach costs.

In Vietnam, from the beginning of the year until now, the information systems of a series of financial institutions, banks, public administration bodies, and others have been attacked, causing operational disruption and material damage to those enterprises. This has stalled entire systems, not only causing heavy economic losses but also greatly damaging the reputation of the businesses involved.

According to the 2024 Cyber Security Report of Vietnam Cyber Security Joint Stock Company (VSEC), up to 70% of SME organizations have been experiencing Ransomware attacks. This shows that not only large organizations and businesses are the destination of hacker groups, but small units and businesses are also “easy prey” for hackers.

The price to pay for a “click” is too expensive!

Estimating the average cost of ransomware attacks can be challenging because not all data breach reports come to light. Some companies and small businesses prefer to quietly make their payments and sweep ransomware incidents under the rug, rather than admitting their shortcomings to regulators and addressing the security of their data. The average costs of ransomware attacks cited below are based on the companies’ own data in their annual reports.

Financial costs of ransomware attacks

When backups are available, the average costs are somewhat lower — but these costs still run into millions of dollars.

The average cost of recovery from a ransomware attack (excluding the ransom) is $1.82 million. Meanwhile, $2.6 million is the average ransom paid to recover lost data, although this can be reduced to $1.6 million by using backups.

The time cost of ransomware attacks

Time is money. It takes significant recovery time to get back on track, especially for companies that have chosen to pay the ransom. Up to 45% of organizations with physical backups were able to restore within a week, but for organizations that paid the ransom the figure was only 39%.

How to act when attacked by Ransomware?

Cyber security experts from VSEC share that when the system is attacked, businesses need to take the following simple actions to ensure minimal damage. Enterprises need to evaluate the status of the incident to come up with an appropriate plan with two simultaneous implementation directions:

Isolate and maintain the status quo so the cause of the incident can be investigated in detail. Some forms of handling include temporarily isolating network connections between the outside network and the affected system to prevent the risk of spread and further impact, switching to the backup system (if available), and collecting device logs for later investigation.

Next, do not arbitrarily restore the affected system without determining the safety level of the system. This is extremely important in preserving evidence to help experts investigate the root cause.

In the absence of in-house expertise, business organizations should contact companies that specialize in handling cyber attack incidents to get appropriate recommendations. Deploying a network security incident response service brings businesses specific benefits such as: helping to quickly prevent and remediate information security incidents; limiting and minimizing economic losses as well as disruptions to the organization’s operations; and keeping the information system protected 24/7.

About VSEC

VSEC is the leading security assessment unit in Vietnam with 20 years of experience implementing information security activities domestically and internationally. As a pioneering information security management service provider in Vietnam, it has achieved important CREST certifications for its SOC (Information Security Monitoring and Operation Center) and Penetration Testing services.

Source: Cafef

Investigate the cause of a cyber attack through log files

This time, I received a request to analyze log files to find the cause of an attack on a company’s website running WordPress. The website was attacked by hackers and data was deleted.

Below is an image of “one corner” of the log file.

In this investigation, I used SublimeText 3 and Google :v. Initially, I read through the entire log file several times to grasp the structure of the file’s content. In general, this log file is not long (about 4500 lines), so I could easily grasp it. After reading through it a few times, I noted a few requests that were “different” from the rest. In addition to requests from bots and requests to read website articles, I listed a few signs that (in my opinion) were suspicious. However, after searching Google for a while, those signs didn’t say much. I started thinking that if the website had its entire database deleted, there would be some action related to “admin”, so Ctrl + F and start searching.

Oh, a pretty interesting line, as shown below (maybe I missed this detail when I read the log):

At this point, I continued googling the above request and discovered that this was a malicious request targeting a vulnerability in a WordPress plugin called "ThemeGrill Demo Importer". This vulnerability allows attackers to delete all tables in the WordPress database.

Request: “GET /wp-admin/admin-ajax.php?do_reset_wordpress=1 HTTP/1.1”

More information about the vulnerability: by sending a request to /wp-admin/admin-ajax.php?action=anything&do_reset_wordpress=1, the database is wiped and the requester is logged in as "admin" if the "admin" user exists in the users table. Authentication is not required.

From the above information, together with the fact that all articles on the website were deleted, it can be concluded that the cause of the attack was that the website used a vulnerable version of the ThemeGrill Demo Importer plugin. Hackers took advantage of this vulnerability to send malicious requests that deleted the website's posts. Below is information about the patch (version 1.6.2):

Additionally, the source IP address of the attack on this website (107.180.225.158) was also reported elsewhere on the internet, which means the hackers exploited this vulnerability on many WordPress websites using the ThemeGrill Demo Importer plugin (mid-2020).

Solution:

Block the source IP addresses of the attack and update the ThemeGrill Demo Importer plugin to the latest version.
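Searching a 4500-line log by hand works once; the check below is an added example (not the blog author's code) that does the same triage programmatically over an Apache combined-format access log. The log lines are constructed; the path /wp-admin/admin-ajax.php, the do_reset_wordpress parameter and the source IP 107.180.225.158 are the ones named in the post. Because WordPress front-ends call admin-ajax.php constantly, the example keys on the parameter rather than on the path, and then pulls every other request made by the flagged sources to support the follow-up investigation.

```python
"""Flag ThemeGrill Demo Importer reset requests in a web access log.

Added example, not code from the original post. Sample log lines are
constructed in Apache "combined" format.
"""
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Apache combined format: ip ident user [ts] "request" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample log (not the real log from the investigation):
# a crawler, a normal visitor (including a legitimate admin-ajax.php
# call with no query string), and the reset request from the post.
SAMPLE_LOG = """\
66.249.66.1 - - [10/Jun/2020:08:12:01 +0700] "GET /2020/05/bai-viet-moi/ HTTP/1.1" 200 15320 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
203.0.113.7 - - [10/Jun/2020:08:13:44 +0700] "GET /wp-content/themes/spacious/style.css HTTP/1.1" 200 4211 "https://example.vn/" "Mozilla/5.0"
203.0.113.7 - - [10/Jun/2020:08:13:45 +0700] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 61 "https://example.vn/" "Mozilla/5.0"
107.180.225.158 - - [10/Jun/2020:08:20:09 +0700] "GET /wp-admin/admin-ajax.php?action=anything&do_reset_wordpress=1 HTTP/1.1" 302 0 "-" "python-requests/2.23.0"
107.180.225.158 - - [10/Jun/2020:08:20:10 +0700] "GET /wp-admin/ HTTP/1.1" 200 31007 "-" "python-requests/2.23.0"
"""


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    parts = urlsplit(entry["target"])
    entry["path"] = parts.path
    # keep_blank_values so "do_reset_wordpress=" (empty) is still seen
    entry["query"] = parse_qs(parts.query, keep_blank_values=True)
    return entry


def is_reset_request(entry):
    """True if the request carries the plugin's reset parameter to admin-ajax.php.

    The path alone is not a signal (front-ends use it legitimately); the
    parameter is, regardless of the action= value or HTTP method.
    """
    return (entry["path"].endswith("/wp-admin/admin-ajax.php")
            and "do_reset_wordpress" in entry["query"])


def find_reset_requests(log_text):
    """All parsed entries in the log that match the reset signature."""
    return [e for e in (parse_line(l) for l in log_text.splitlines())
            if e and is_reset_request(e)]


def suspect_ips(hits):
    """Count reset requests per source IP (candidates for blocking)."""
    return Counter(h["ip"] for h in hits)


def requests_from(log_text, ip):
    """Every request a given source made, for timeline reconstruction."""
    return [e for e in (parse_line(l) for l in log_text.splitlines())
            if e and e["ip"] == ip]


if __name__ == "__main__":
    hits = find_reset_requests(SAMPLE_LOG)
    for h in hits:
        print(f'{h["ts"]} {h["ip"]} {h["method"]} {h["target"]}')
    for ip in suspect_ips(hits):
        print(f"{ip}: {len(requests_from(SAMPLE_LOG, ip))} requests total")
```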

Author: Hoang Duc Hoan – VSEC

[Shodan] – Search engines serve security, or the evil eye?

Security for Newbie VSEC - BLOG

Shodan ( https://www.shodan.io/ ) is a search engine designed by web developer John Matherly ( http://twitter.com/achillean ). Shodan is a very different search engine from content search engines like Google, Yahoo, or Bing: it is a search engine for finding devices that are online on the internet, such as computers, servers, webcams, routers, and so on. It works by scanning devices on the internet that expose public ports and analyzing the banners and responses returned by those devices. Using that information, Shodan can tell you things like which web servers (and versions) are most popular, how many anonymous FTP servers exist in a particular location, or return a list of cameras that are accessible over the internet. In general, with Shodan you can search for any device on the internet as long as it has an internet connection and an open public port.

Shodan is used effectively in security testing of IoT (Internet of Things) devices by quickly detecting devices that are online and devices with security vulnerabilities. Shodan operates 24/7, so its data is kept as up to date and accurate as possible.

With Shodan, hackers with malicious intent (black hats) can search for targets to attack. Advisories about newly disclosed vulnerabilities often include information about the affected service versions; hackers rely on that service information to find targets on Shodan and exploit them. It can also be used to peek at cameras with weak or no passwords, and so on.

For security experts, Shodan is an effective information gathering tool for penetration testing of applications, servers, and so on, and it is also a useful reference channel for statistics and risk assessment: potential security risks, or the risk of being attacked through a certain vulnerability in a certain area. For example, statistics on how many servers in Vietnam could be exploited through the Heartbleed vulnerability.

=> Shodan is completely legal and does not violate the law. In essence, Shodan just collects data that is already available on the internet and simply reports what it finds. However, users may break the law if they use information from Shodan indiscriminately and without control!

Author: Hoang Duc Hoan – VSEC

What is the difference between Penetration Testing and Vulnerability Assessment?

For pentester VSEC - BLOG

Among the forms of security assessment, Penetration Testing and Vulnerability Assessment are the two most familiar, typical and widely used techniques. Although their functions, methods and implementation techniques differ, in terms of final results both aim to evaluate the security strength of the system.

To make it easier for businesses to choose which form of security assessment suits them better, we list some basic differences below.

The difference between Penetration Testing and Vulnerability Assessment (Source: VSEC)

What is Vulnerability Assessment (or VA)?

True to its name, a VA is a form of security assessment through which businesses can find as many vulnerabilities as possible. With a VA, the organization responds to cyber attacks on the system by identifying, classifying and resolving security risks, with guidance on how to minimize those risks in the best way.

Recommendation: the unit requesting the VA may not have specialized personnel, and its management system may not be equipped with many security tools, but it has identified the goal of checking the system for vulnerabilities so that appropriate recommendations can be made.

The basic form of VA that these units perform often focuses on security assessment of websites, applications, etc., and the business's information technology infrastructure.


Why is a Vulnerability Assessment needed?

All information security experts recommend that businesses carry out a VA as soon as possible, because the core value system of the business needs to be secured to the maximum extent before it is expanded or upgraded in line with the pace of business growth. Here are four basic reasons:

Firstly, a VA helps identify threats and weaknesses in IT system security early.

Secondly, after a VA, the IT department will need to take corrective actions to close vulnerabilities and protect sensitive information systems.

Thirdly, a VA helps businesses implement and meet compliance requirements and applicable cybersecurity regulations such as HIPAA and PCI DSS.

Fourthly, a VA helps protect against data breaches and unauthorized access.


Should a business perform Penetration Testing only if it has a dedicated security or information management team?

Not entirely. Assessment and testing by security experts is a form of assessment that goes quite deeply into the business's IT system in order to detect potential weaknesses and assess the system's security level. There are many models and methods of security assessment for businesses to choose from to minimize the risk of the system's security structure being broken, such as Pentest as a Service, Network Pentest, Web Application Pentest, Mobile Application Pentest, API Pentest, etc.

In most cases, businesses that need to test their team's defenses will choose Penetration Testing or even a Red Team engagement to test both the system's capabilities and the professional qualifications of the staff themselves.

However, whichever form is selected, businesses need to set clear goals, principles and limits for the form of attack to ensure that risk is managed during the security assessment.

Cyber security & frequently asked questions

Security for Newbie

Cyber security is one of the important issues for units operating on digital platforms. In this article, VSEC answers frequently asked questions for those who are new to the field of Information Security.

1. What is cyber security?

– Cyber security is the activity of protecting computers, servers, mobile devices, electronic systems, networks, and data from malicious threats. It is also referred to as information security or electronic information security. The term applies in various contexts and can be divided into several common types, as below:
– Application security: focuses on keeping software and devices free from threats. A compromised application may provide unauthorized access to the data it is designed to protect. Security should be built in from the design phase, before a program or device is deployed.
– Information security: protects the integrity and privacy of data, both in storage and in transit.
– Operational security: includes the processes and rules for handling and protecting data assets. The permissions users have when accessing the network, and the procedures that determine how and where data may be stored or shared, fall within the scope of this protection.
– Incident recovery and business continuity: determine how an organization responds to a cybersecurity incident or any other event that causes loss of operations or data. Incident recovery policies dictate how an organization restores its operations and information to return to the normal functioning it had prior to the incident. Business continuity is the plan the organization falls back on when attempting to operate without certain resources.
– End-user education: addresses the most unpredictable cyber security factor: people. Anyone can accidentally introduce a virus into a secure system if they do not follow good security practices. Teaching users to delete suspicious email attachments, not to plug in unidentified USB drives, and other important lessons is crucial for any organization's security.

2. Who or which organization can be attacked?

The reality is that in today's world, all organizations are at risk of cyber attacks. The digital revolution is driving innovation in business, but it also brings new threats that organizations must face. Exciting new technologies like virtualization, AI and the cloud help organizations improve integration and reduce costs, but they also come with risks and the potential for exploitation. The more avenues there are to explore, the more cyber attacks organizations must confront.

However, for many businesses, the concept of cyber security remains quite vague and complex. Although it may be part of a strategic program, what does it truly mean? And what can organizations do to strengthen their defense systems and protect themselves from cyber threats? A common misconception is that cyber attacks only happen to certain types of organizations, such as well-known technology companies or financial institutions. However, the truth is that every organization has valuable assets at stake.

The losses from cyber attacks are significant. Tangible costs include stolen money, damaged systems, legal expenses, and financial compensation for affected parties. However, what can be even more damaging are the intangible costs—such as loss of competitive advantage due to stolen intellectual property, loss of trust from customers or business partners, loss of integrity because of breached digital assets, and overall damage to the organization’s reputation and brand—all of which can have a profound impact and, in extreme cases, even lead to a company ceasing operations.

3. What is Ransomware?

Ransomware is malicious software that uses encryption to hold the victim's information hostage for various purposes, the most common being ransom money. The critical data of users or organizations is encrypted, preventing them from accessing files, databases, or applications, and conditions are set before access is restored.
Ransomware is often designed to spread across networks and target databases and file servers, so it can quickly cripple an entire organization. Ransomware threats keep increasing, causing damages amounting to billions of dollars paid to cybercriminals by businesses and government organizations all over the world.

4. Black hat and White hat?
A hacker is an individual or organization that uses their skills to breach cyber security defenses. In the world of cyber security, hackers are often classified into different "hats". This system may have originated from old cowboy movie culture, where good characters typically wore white hats and bad characters wore black hats.
There are three main "hats" in cyberspace:

– White Hat: a white hat is like Marvel's Captain America. They always stand up to protect the truth, people and organizations in general by actively identifying and reporting vulnerabilities in systems before bad actors find them. They often work for organizations and take on roles such as cyber security engineer, penetration test engineer, security analyst, CISO (Chief Information Security Officer), and other security positions.

– Grey Hat: DC's Dark Knight and grey-hat hackers have a lot in common. Both aim to protect the truth but employ unconventional methods to do so.
Grey-hat hackers sit between white-hat and black-hat hackers. Unlike white hats, they don't ask permission to attack systems, but they also do not perform illegal activities for gain like black-hat hackers. Grey hats have a controversial history, and some have even gone to prison for their actions.

– Black Hat: the Joker is the closest comparison to black-hat hackers. They engage in illegal activities for financial benefit, for the challenge, or simply for entertainment. They seek out vulnerable systems, exploit them, and use them to gain any advantage possible.
They will use both technical and non-technical means as long as they achieve their ultimate objectives.

5. Why do hackers hack?

Hackers are individuals or organizations who gain unauthorized access to information technology systems with a specific objective, such as gaining prestige by shutting down computer systems, stealing money, or causing network disruption. The experience gained from these attacks and the satisfaction derived from successful attacks can become an addiction. Common reasons for launching attacks include reputation, curiosity, revenge, boredom, challenge, theft for financial gain, sabotage, corporate espionage, extortion, etc. Hackers are known to frequently cite these reasons to explain their actions. Furthermore, a very common scenario is hackers stealing data to assume identities and then using that data for other purposes, such as borrowing money, transferring money, etc. The occurrence of such incidents has increased with the popularity of mobile banking and internet banking services.

6. How to secure your private data?

Below are some tips to ensure your personal information does not fall into the hands of wrongdoers.

a. Create strong passwords

When creating passwords, think beyond easily guessable words or numbers that cybercriminals might easily figure out, such as your date of birth. Choose a combination of lowercase and uppercase letters, numbers, and symbols and change them regularly. You should also use a unique password instead of using the same one across multiple websites. If you are worried about remembering too many passwords, a password manager tool can help you keep track.

b. Avoid oversharing on social media

We all have a friend who posts too many details about their life online. This is not only annoying but can also put personal information at risk. Check your privacy settings to know who can view your posts, and be cautious when sharing your location, hometown, date of birth, or other personal information.

c. Be cautious with free Wi-Fi

Most public Wi-Fi networks are not well-secured, which means others using the same network can easily access your activities.

d. Beware of links and attachments

Cybercriminals operate stealthily and often design their deceptive schemes to make them look like legitimate communications from banks, utility companies, or other businesses. Pay attention to errors such as spelling mistakes, unusual numbers or characters, wrong brand names, different email addresses from the usual senders, as these could be indicators of a trap.

e. Check if a website is secure

Before entering personal information on a website, check your browser’s address bar. If there is a padlock icon and the URL begins with “https,” it means the website is secure. There are other ways to determine if a website is trustworthy, such as checking their privacy policy, contact information, or “verified security” seal.

f. Consider additional protection

Installing antivirus software, anti-spyware software, and a firewall may not be foolproof methods, but they are essential for self-defense against low-level threats in the “flat world” era.

Above are some frequently asked questions for those new to Information Security/Cybersecurity. If you have any questions not listed above, please follow the information here to get them answered.

15 critical security flaws in a well-known US healthcare website were found by VSEC.

Case study VSEC - BLOG

Applying VSEC's Pentest service to a well-known American healthcare website resulted in the discovery of 4 critical vulnerabilities, 3 serious breaches, and 8 possible flaws. Experts from VSEC addressed all of these issues over the following two weeks, allowing the business to move forward without worry. Last June, VSEC received a contact from the city of Washington, USA: a company requested that we investigate the safety of their website (their primary point of contact with customers) to ensure the complete safety of all data and to assess any potential threats. VSEC promptly began work on the client's system after evaluating their website!

About customers

Our client is a professional in the medical industry who delivers cutting-edge, practical, and patient-centered healthcare solutions. The client has demonstrated, from a new angle, that the health care industry must consider not just external health issues and hazardous substances, but also internal elements and potential. This has left a lasting impression on many people and has contributed to the rapid expansion of the client's business. The client's annual sales have surpassed $17 million, and they have earned numerous honors for their success, including being named one of Inc. magazine's Top 500 Outstanding Development Enterprises in 2016 and one of Seattle Business Magazine's Top 100 Best Businesses to Work for in 2014–2016.

Challenge

After ten years in business, the client has amassed a vast quantity of data on their servers. For a company that relies heavily on technological resources, that data is its most valuable asset. The publicly available website serves as the main entry point to the data warehouse, so the security measures the client takes to protect the website determine whether or not that data remains secure. The client needs to research the organization, the needs and goals of many people, and the specific area of health care they need help with in order to come up with each suitable plan, program and health care offering. While this is great for customers, it also means that cybercriminals have more opportunities to steal sensitive information. In order to prevent the misuse of the client's resources and the exposure of sensitive information, it is imperative that the website's security be verified. The client is a small to medium-sized business, so it has few available employees and no IT security experts. The client saw the value of VSEC's Pentest penetration testing service and contacted the company after finding it online. Many strict regulations, such as BASEL, PCI/DSS (Payment Card Industry Data Security Standard), and others, have been enacted by the host country's state-owned bank to protect information security. Each member of the technical team carries numerous tasks, and information security evaluation and testing is typically beyond their capacity because of the sheer diversity and volume of work involved. Banks need to ensure they are in compliance with the ever-changing set of regulations that govern their industry.

Solution

Access to the primary website account login page, the user management center login page, and the support partner website login page was validated by VSEC. In order to evaluate the security of the client's systems from the outside without any prior knowledge of the system, VSEC applied the Black Box method in the Pentest through these three portals. Specifically, VSEC professionals took on the role of attackers, mimicking real attack methods in an effort to locate vulnerabilities in the websites. After two weeks of testing, the specialists identified fifteen separate flaws. After the service was complete, VSEC produced a report and handed implementation over to the client, along with suggestions for corrective and preventive measures.

Benefits of the service

Pentest is known to have many benefits. One of them is rapid rollout with little information required from the client. It also helps reduce the overall cost of security and the time needed to patch security vulnerabilities in data systems. These factors motivated the client to learn more about VSEC and its services. And after experiencing its benefits firsthand, the client was delighted, praising Pentest for its ability to cut investment costs in the system, protect against most vulnerabilities, lessen the severity of any damage that does occur, and create a more streamlined workflow.

Conducting a penetration test on the system of a TOP 1000 world bank

Case study VSEC - BLOG

Our clients are those who operate in the banking sector. In line with the trend, they are actively developing online software utilities to provide more convenient services for current clients as well as to expand their client network. These utilities are often accompanied by security risks. VSEC's VCHECK penetration testing service demonstrates the significant risks of an online banking application. They may arise from the possibility of a valid user gaining access to the full bank account information of other clients.

About clients

Our client is a joint-stock commercial bank in the Top 1000 largest banks in the world, with total assets of nearly USD 6 billion and more than one million regular active accounts. After nearly 25 years of operation, this bank has been frequently awarded prizes such as EuroMoney, Asian Banker, The Banker, and so on from prestigious international organizations.

Challenge

To enhance transaction convenience, the bank has developed a Mobile Banking application for mobile phones. Through this software, clients can query and conduct basic transactions similar to those at a teller counter. At the time of assessment, over 1.06 million bank accounts had been activated and were regularly used. The service development has posed challenges regarding information security assurance. Bank account numbers are considered non-confidential information; when conducting online transactions, many users provide them on websites for transferring money to buy and sell goods and services. However, certain account-related financial details must always be protected at the highest level: account balance, transaction information, etc. Securing this information is the responsibility of the bank, which provides the technological infrastructure. In the home country, the state bank has also issued many strict regulations that bind banks to comply with and ensure information security, such as BASEL, PCI/DSS, and so on. Due to handling multiple tasks with a heavy workload, technical personnel often lack the resources, time, and skills to carry out information security assessments and testing. As regulations become increasingly specific, banks are required to ensure proper compliance and consistently maintain control checks.

Solution

One of the biggest concerns of banks is whether the Mobile Banking application provided to clients is safe or not, and how well user data is protected. As a result, the bank needed an information security penetration testing service to obtain objective and multidimensional information. VCHECK is VSEC's overall information security service, which includes penetration testing. The service imitates, as realistically as possible, the way external attackers take advantage of a vulnerability to illegally collect the client's data. To begin the penetration testing process, the bank provided VSEC with the name of the Mobile Banking application on Google Play (Android version) or the Apple App Store (iOS version). VSEC engineers acted as attackers and imitated real-life techniques in order to identify software vulnerabilities. Skilled engineers, combined with various specialized tools, learned how the Mobile Banking application works and how the server interacts with the application, in order to detect weaknesses, reproduce security errors and finally report them. After 10 days, a VSEC engineer opened a bank account as a customer of the bank. The key technique of routing the application's traffic through a proxy allowed the engineer to fully understand how the application works and how it interacts with the bank's server. The application includes many different components, and the VSEC engineer noticed a serious issue: it allowed him to view the details of any other account. This serious security error occurred because the developers did not strictly apply user account management and secure programming standards. VSEC handed the entire implementation process over to the client. At the same time, VSEC recommended remedying it by modifying the application so that the server verifies whether the submitted query is valid and whether the requested information belongs to the client who is using the application.
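The flaw described in the case study is an account lookup that authenticates the caller but never checks that the requested account belongs to that caller. The added example below (not VSEC's or the bank's code; customers, sessions and balances are constructed) shows that lookup beside the recommended fix, where the server verifies that the queried account is the authenticated client's own before returning anything.

```python
"""Account-detail lookup with and without an ownership check.

Added example, not code from the case study. All identifiers, session
tokens and balances are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    number: str
    owner_id: str
    balance: int  # minor currency units (constructed values)


# Constructed data: two customers, three accounts.
ACCOUNTS = {
    "1001001": Account("1001001", "cust-A", 2_500_000),
    "1001002": Account("1001002", "cust-A", 80_000),
    "2002001": Account("2002001", "cust-B", 9_000_000),
}

# Session token -> authenticated customer id, populated at login.
SESSIONS = {"tok-A": "cust-A", "tok-B": "cust-B"}


class AuthError(Exception):
    """No valid session."""


class Forbidden(Exception):
    """Valid session, but the requested object is not the caller's."""


def current_customer(token):
    """Resolve a session token to a customer id, or raise AuthError."""
    try:
        return SESSIONS[token]
    except KeyError:
        raise AuthError("invalid or expired session") from None


def account_details_vulnerable(token, account_number):
    """The pattern from the case study: the caller is authenticated, but
    the account number is taken from the request and trusted as-is, so
    any logged-in customer can read any other customer's balance."""
    current_customer(token)
    acct = ACCOUNTS[account_number]
    return {"number": acct.number, "balance": acct.balance}


def account_details_fixed(token, account_number):
    """Same lookup, gated on ownership. Unknown and foreign accounts get
    the same response so the API does not reveal which numbers exist."""
    customer = current_customer(token)
    acct = ACCOUNTS.get(account_number)
    if acct is None or acct.owner_id != customer:
        raise Forbidden("account not accessible to this customer")
    return {"number": acct.number, "balance": acct.balance}


def list_own_accounts(token):
    """Safer API shape: the client never supplies an account number at all;
    the server enumerates what the authenticated customer owns."""
    customer = current_customer(token)
    return sorted(a.number for a in ACCOUNTS.values() if a.owner_id == customer)


def can_read(token, account_number):
    """Boolean wrapper around the fixed lookup, for checks and tests."""
    try:
        account_details_fixed(token, account_number)
        return True
    except (AuthError, Forbidden):
        return False


if __name__ == "__main__":
    # Customer A reading customer B's account: succeeds in the flawed
    # version, is refused in the fixed one.
    print(account_details_vulnerable("tok-A", "2002001"))
    print(can_read("tok-A", "2002001"), list_own_accounts("tok-A"))
```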

Benefits of VCHECK security testing service

Deployment is quick and Clients do not need to provide much information.

Penetration testing project for government agencies

Case study VSEC - BLOG

This time, our customer is the state management agency in charge of information security, responsible for establishing regulations and policies of information security. This is also the unit in charge of assisting government agencies and businesses with information security. 

Although it is a State agency, its team of information security specialists is relatively small, and it is challenging to meet the demands of completing multiple tasks at once.

Furthermore, the unit lacks objective evaluation from external partners to exclude cases of omission due to subjective factors from internal employees.

Drawing on our experience, we provided evaluation and penetration testing services for the unit's systems and applications. From there, we could determine the best suggestions and solutions for the unit. VSEC collaborates with the unit to deploy solutions that reduce information security risks, such as Pentest testing of the entire system, its applications, etc.

Following the working procedure, we quickly identified a large number of risks and vulnerabilities in the unit's systems and applications. This reduces the risk of the unit's systems and applications being attacked and exploited, and thereby contributes to upholding the image of the State management agency for information security and social security.

Monitoring information security for the state’s provincial unit information management agency

Case study VSEC - BLOG

The client is an agency in charge of managing the website system representing the voice of the state, informing and orienting information across the entire province. They own a system of more than 150 websites that operate continuously 24/7.

The number of websites requiring monitoring is substantial. The business operations are diverse. The connectivity system is extensive. There is a high volume of access traffic. The displayed information must ensure absolute accuracy and integrity.

Provide 24/7 security monitoring services for critical website systems, install 24/7 downtime monitoring for the entire website, periodically review vulnerabilities, offer recommendations, and collaborate on remediation efforts. Coordinate with on-site personnel to address identified vulnerabilities.

The client enhances its capability to manage and monitor information security for critical website systems. This reduces personnel costs and investment for the IT security team while the whole system is still guaranteed to be monitored 24/7. It also decreases the response time to incidents.