News Items

  • news

    "VMware Patches 2 Flaws in vRealize Operations"

    VMware recently patched two critical vulnerabilities in its vRealize Operations (vROps) discovered by Egor Dimitrenko of Positive Technologies. The vROps product offers self-driving IT operations management for private, hybrid, and multi-cloud environments in a unified platform. The vROps Manager API is impacted by a server-side request forgery (SSRF) vulnerability as well as an arbitrary file write issue. The exploitation of the SSRF vulnerability could allow an attacker to abuse the functionality of a server. This flaw can lead to the access or manipulation of information by attackers. The second flaw is an arbitrary file write vulnerability contained by the vROps Manager API that allows attackers to write files to the underlying operating system. It is described as post-authentication because an attacker would need to be authenticated with administrative credentials to exploit the flaw. According to Positive Technologies, attackers could gain remote code execution privileges if the two flaws are chained together. VMware has released patches for the two vulnerabilities across vROps Manager versions 7.5.0 through 8.3.0. This article continues to discuss the critical flaws found in the IT operations management platform vRealize Operations and other recently discovered VMware issues.

    BankInfoSecurity reports "VMware Patches 2 Flaws in vRealize Operations"

  • news

    "'Engineering Oversight' Costs ForceDAO $367k"

    Hackers were able to steal cryptocurrency worth $367k from a new decentralized finance (DeFi) aggregator within hours of its launch. ForceDAO was launched on the morning of April 3. Its operators discovered that the platform was being exploited after receiving a tip from a 'white hat' hacker. During the investigation into the incident, it was found that an "engineering oversight" had allowed cyber-criminals to steal 183 Ethereum (ETH). The thefts were able to occur because of a flaw in the SushiSwap smart contract used by ForceDAO, which contained a mechanism that could revert tokens used in failed transactions. Malicious hackers exploited this flaw to mint xFORCE tokens, which they then withdrew and exchanged for ETH. The ForceDAO team stated that this incident could have been prevented by using a standard OpenZeppelin ERC-20 or adding a safeTransferFrom wrapper in the xSUSHI contract. The company added that all funds on their platform are safe and that only xFORCE was affected.

    Infosecurity reports: "'Engineering Oversight' Costs ForceDAO $367k"

  • news

    "North Korean Hackers Are Now Using a Fake Security Company to Target Researchers"

    According to researchers at Google LLC's Threat Analysis Group (TAG), the same North Korea-backed hackers discovered to have been targeting security researchers earlier this year are now using a fake security company called SecuriElite to continue their campaign. In January, Google researchers warned of the North Korean Advanced Persistent Threat (APT) group specifically targeting security researchers at several organizations using a research blog and multiple Twitter accounts. The blog included write-ups exploring publicly disclosed vulnerabilities and posts from legitimate security researchers who had been deceived into thinking they were posting on a legitimate site. The new website SecuriElite appears to be owned by a cybersecurity company based in Turkey. It includes a link to a PGP public key on the page that lets security researchers confidentially send messages to the fake company. This article continues to discuss the recent targeting of security researchers by a North Korea-backed hacking group through a fake offensive security company, as well as the growing sophistication of attackers' approach to email attacks.

    SiliconANGLE reports "North Korean Hackers Are Now Using a Fake Security Company to Target Researchers"

  • news

    "Facebook Data for Over 500M Users Reportedly Leaks Online"

    Personal information belonging to more than 500 million users from 106 countries has leaked online. The leaked data set includes names, birth dates, and phone numbers. Alon Gal, the CTO of cybercrime intelligence firm Hudson Rock, first discovered the data being shared among hackers in January. According to Facebook spokesperson Liz Bourgeois, the data is from an old leak that was reported in 2019, and the issue that led to the breach was fixed in August 2019. However, the data remains valuable to identity thieves and other fraudsters. Malicious actors will use this information to carry out social engineering attacks, scams, hacks, and more. This article continues to discuss findings surrounding the data breach involving over 500 million Facebook users' personal information and other privacy and security incidents faced by the social networking giant over the years.

    CNET reports "Facebook Data for Over 500M Users Reportedly Leaks Online"

  • news

    "As Online Fraud Rises, 72% of Retail Brands Expect to Grow Fraud Teams"

    Researchers in a new study found that retailers around the world are increasing their fraud teams and budgets because of a significant rise in all types of online fraud during the pandemic. Most (72%) retail brands worldwide expect to grow their fraud teams in the next year, while 76% predict that their budget to tackle fraud will increase in the next 12 months. One in five (20%) retail companies expect their funding to tackle fraud to increase significantly. The researchers also found that nearly 40% of fashion and FMCG retailers see online payment fraud as their most significant fraud risk. Refund abuse, where consumers wrongly claim they never received a product they ordered online, has increased for half of the retailers. Account takeover, often the result of password reuse across multiple retailers, has also risen for 45% of retailers in the past 12 months. The researchers believe that fraud in the e-commerce world is likely to worsen before it gets better.

    Help Net Security reports: "As Online Fraud Rises, 72% of Retail Brands Expect to Grow Fraud Teams"

  • news

    Tax Filing Schemes

    Watch out for tax filing phishing schemes, warns a recent email from Robinhood to its clients. It might look like a note from your broker or accountant, but that email may come from attackers trying to steal your personal information and spread malware using fake tax documents. Recommendations include downloading tax documents only from the company's official website or apps rather than from links in emails.

  • news

    "A New Stanford Initiative Aims to Ensure 5G Networks Are Reliable and Secure"

    A team of researchers at the Stanford University School of Engineering will demonstrate how an arrangement of computer-controlled drones can be managed with precision even if the 5G network that controls it is being hit with a cyberattack. The success or failure of the demonstration will depend on whether an experimental network control technology can detect the attack and defeat it within a second to protect the navigation systems. The demonstration will be observed by officials from the Defense Advanced Research Projects Agency (DARPA), the government agency that is underwriting Project Pronto. Stanford University, Cornell University, Princeton University, and the nonprofit Open Networking Foundation (ONF) are jointly collaborating on Project Pronto, which is led by Nick McKeown, a professor of electrical engineering and computer science at Stanford. Their goal is to ensure the security and reliability of 5G networks that will support autonomous vehicles, trains, and planes of the future, as the transition to 5G is expected to impact every device connected to the Internet. Project Pronto offers a solution devised by McKeown and his colleagues that uses Software-Defined Networking (SDN) technology to wrap a virtually instantaneous shield around wirelessly accessible computers. This article continues to discuss the goals of Project Pronto, the pending Pronto demonstration, the application of advanced SDN techniques to secure 5G networks, and the importance of ensuring 5G networks are reliable and secure.

    Stanford reports "A New Stanford Initiative Aims to Ensure 5G Networks Are Reliable and Secure"

  • news

    "CMMC Under Internal Review at DoD for 'Potential Improvements'"

    The Pentagon is conducting an internal review of the Cybersecurity Maturity Model Certification (CMMC) program to explore potential improvements for the program's implementation. The goal of the Department of Defense's (DoD) CMMC program is to ensure that Defense Industrial Base (DIB) companies implement appropriate cybersecurity practices and processes to protect Controlled Unclassified Information (CUI) and Federal Contract Information (FCI). The requirements of the CMMC program are still in the process of being rolled out to DoD contracts. According to Katie Arrington, the Pentagon's CISO for acquisition and sustainment, all DoD contracts will contain CMMC requirements by Fiscal Year (FY) 2026. This article continues to discuss the purpose, ongoing internal assessment, and status of the CMMC program.

    MeriTalk reports "CMMC Under Internal Review at DoD for 'Potential Improvements'"

  • news

    "Financial Sector Remains Most Targeted by Threat Actors: IBM"

    IBM Security researchers in a new study found that organizations in the financial and insurance sectors were the most targeted by threat actors in 2020. Manufacturing and energy became the second and third most targeted industries last year, respectively. Retail and professional services rounded out the top five most targeted sectors. The researchers also found that ransomware was the most popular attack method in 2020, with a market share of roughly 23%. IBM estimates that 36% of the public breaches in 2020 were ransomware-related data leaks. The researchers also found that data theft attacks went up 160% compared to 2019 but accounted for only 13% of the overall incidents in 2020. Server access came in third at 10%, marking a 233% increase year-over-year, while Business Email Compromise (BEC) dropped to the fourth position with a 9% market share (a drop from 14% in 2019).

    Security Week reports: "Financial Sector Remains Most Targeted by Threat Actors: IBM"

  • news

    "How Does Science Work?"

    Professor Dashun Wang, an award-winning scientist at the Kellogg School of Management, has published a new book on the "science of science," an interdisciplinary field in which big data and innovative research methods are used to gain insight into the dynamics and outcomes of scientific careers and research processes. The book, titled "The Science of Science," offers unique and actionable insights to students, scientists, policymakers, and other decision-makers based on data. Wang emphasizes that expanding understanding surrounding the precursors of impactful science will help us develop systems and policies that further increase the chances of success for scientists and science investment. Science has played an integral role in security, healthcare, and more. Therefore, it is essential to enhance the process of science and help scientists improve their work. Wang's book provides insights on the science of careers, collaboration, and impact. This article continues to discuss the concept and importance of the science of science, and the book recently released by Professor Wang on this discipline.

    Northwestern Now reports "How Does Science Work?"

  • news

    Large Florida School District Hit by Ransomware Attack

    A criminal gang hacked the computer system of Broward County Public Schools, one of the nation's largest school districts, and encrypted district data. The cyber gang behind the attack is called Conti, and it demanded $40 million in ransom, threatening otherwise to erase the files and post students' and employees' personal information online. Broward County Public Schools said in a statement Thursday that there is no indication that any personal information has been stolen and that it has made no extortion payment to the ransomware gang. As a pressure tactic, the cyber gang posted screenshots of its online negotiations with the district to its site on the dark web last week. The hackers' screenshots show that negotiations between the school district and Conti occurred over two weeks. At the end of the negotiations, the school district did offer to pay $500,000, at which point the ransomware criminals apparently ended negotiations.

    ABC News reports: Large Florida School District Hit by Ransomware Attack

  • news

    "Smart Factory Cyber Attacks Knock Out Production for Days"

    Trend Micro commissioned independent research specialist Vanson Bourne to survey 500 IT and OT professionals in the United States, Germany, and Japan. The survey revealed that over 60 percent of manufacturers have faced a cybersecurity incident in their smart factories, with over 70 percent of them having suffered system outages as a result. They are also finding it difficult to deploy the technology needed to manage cyber risk. Akihiko Omikawa, the executive VP of IoT security for Trend Micro, has emphasized that the gap in IT and OT cybersecurity awareness is creating an imbalance between people, processes, and technology, thus giving threat actors more opportunities to launch attacks. The security challenges most cited by respondents in all three countries were technology, people, and processes. However, less than half of them are implementing technical measures to strengthen cybersecurity. Organizations with high IT-OT collaboration were more likely to implement technical security measures than those with little to no IT-OT collaboration. Most respondents cited standards and guidelines as the top driver for enhanced collaboration, with the National Institute of Standards and Technology's (NIST) Cyber Security Framework and ISO27001 (ISMS) being among the most popular guidelines. Trend Micro has suggested a three-step technical approach to securing smart factories and maintaining operations, which involves reducing intrusion risks at data exchange points, spotting anomalous network behavior, and more. This article continues to discuss findings surrounding smart factory cyberattacks and IT-OT collaboration, as well as the technical approach suggested by Trend Micro to bolster the security of such factories.

    PR Newswire reports "Smart Factory Cyber Attacks Knock Out Production for Days"

  • news

    "Gaming Mods, Cheat Engines Are Spreading Trojan Malware and Planting Backdoors"

    New research from the security firm Cisco Talos sheds light on a malware campaign targeting the systems of gamers and modders. The campaign involves malvertising and game modding-focused YouTube videos that lead users to malicious websites or downloads. According to researchers, the cybercriminals behind this campaign are using gaming tools to deploy a cryptor for various malware strains, most of which have been discovered to be Remote Access Trojans (RATs). A cryptor is a tool designed to prevent the reverse-engineering or analysis of malware. The researchers have found cheats, cheat engines, and mods that contain cryptors capable of hiding RAT code and backdoors through many layers of obfuscation. When a user downloads and installs a malicious mod or cheat on their machine, a dropper injects code to evade detection tools. From there, malware can be executed. Samples that have been tracked so far include an information stealer called XtremeRAT. This article continues to discuss the tactics and tools used in the new malware campaign targeting video gamers and modders, as well as how this attack wave can affect enterprises.

    ZDNet reports "Gaming Mods, Cheat Engines Are Spreading Trojan Malware and Planting Backdoors"

  • news

    "Ragnarok Ransomware Hits Boggi Milano Menswear"

    Luxury Italian men's clothing line Boggi Milano has confirmed that it has suffered a ransomware attack. Boggi Milano is based in Italy and has 190 stores in 38-plus countries. Ragnarok was the ransomware gang behind the attack and was able to exfiltrate 40 gigabytes of data. With the help of KELA, a monitoring tool for the Dark Web, investigators were able to look at filenames being leaked by Ragnarok related to the breach and found payroll files, payment PDFs, vouchers, tax documents, and more. It has not been disclosed how much Ragnarok wants in ransom to return the files. The Boggi Milano website is still up and running, and the brand said it is working with Italian authorities on the matter.

    Threatpost reports: "Ragnarok Ransomware Hits Boggi Milano Menswear"

  • news

    "Cybercriminals Make Twitter a Playing Field to Target Indonesian Banks"

    The global threat hunting company Group-IB recently released a cyber intelligence report that shares findings regarding an ongoing Twitter-based fraud campaign targeting Indonesia's largest banks. The cybercriminals behind this campaign are masquerading as bank representatives or customer support team members on Twitter in order to lure victims and gain their trust. Security analysts found that at least seven large Indonesian financial institutions have been targeted in the massive campaign. The scam starts with a customer leaving a comment on the bank's official Twitter page. They are then contacted by fraudsters using fake Twitter accounts that appear to belong to real bank staff representatives or customer support employees. After engagement occurs between the customer and the fake Twitter account, the attackers invite the customer to chat off-line on a third-party messenger, such as WhatsApp or Telegram. During the off-line chat, the attackers send a link to the customer that redirects them to a phishing website identical to the official banking website, where the cybercriminals can exfiltrate entered banking credentials. This article continues to discuss the use of Twitter in a fraud campaign against Indonesia's major banks, the growing use of multi-stage scams, and how banking customers can identify such scams.

    CISO MAG reports "Cybercriminals Make Twitter a Playing Field to Target Indonesian Banks"

  • news

    "Malicious Docker Cryptomining Images Rack Up 20M Downloads"

    Researchers at Palo Alto Networks' Unit 42 have discovered at least 30 malicious images in Docker Hub, with a collective 20 million downloads. The images have been used to spread cryptomining malware. According to the researchers, the malicious images (spread across 10 different Docker Hub accounts) have raked in around $200,000 from cryptomining. The most popular cryptocurrency in the instances observed by researchers was Monero, which accounted for around 90 percent of the activity. Monero not only provides "maximum anonymity" due to its hidden transaction paths, but it is also easier to mine cost-effectively. In most attacks that mine Monero, the attackers used the well-worn XMRig off-the-shelf miner.

    Threatpost reports: "Malicious Docker Cryptomining Images Rack Up 20M Downloads"

  • news

    "Tax Refund Phishing Scam Targets University Students and Staffers"

    The Internal Revenue Service (IRS) has issued an alert about an ongoing IRS-impersonation phishing scam that primarily targets university students and employees. The IRS has received complaints about the scam over the past few weeks from people with email addresses ending in .edu. The phishing emails display the IRS logo and use subject lines relating to a tax refund payment or a tax refund payment recalculation. Recipients are urged to click a link and submit a form in order to claim their refund. The phishing website requires users to supply personal information such as their Social Security number, name, birth date, driver's license number, gross income, electronic filing PIN, and more. Cybercriminals can use this information to file fraudulent tax returns on behalf of the victim and steal identities. They can also sell the information on the dark web. This article continues to discuss the ongoing IRS-impersonation scam targeting university students and staff and how taxpayers can avoid falling victim to such scams.

    TechRepublic reports "Tax Refund Phishing Scam Targets University Students and Staffers"

  • news

    "Winner Crowned in 'Hacker Games' Contest Promoting Secure Coding Skills"

    During Veracode's inaugural Hacker Games competition, the University of Warwick was crowned the winner. After coming out on top in a collegiate contest between eight universities from across the UK and US, the WMG Cyber Security Center at the University of Warwick was awarded a $10,000 charitable donation. Tufts University came in second place, earning a $5,000 donation. Additionally, prize money was given to each player from the winning teams and to the overall top scorers. During the event, a total of nearly 90 computer science and cybersecurity students undertook a series of hands-on coding challenges over two weeks (March 15-25). The event was held in Veracode's Security Labs to gamify the experience, and the participants successfully solved a total of 8,500 labs and accumulated nearly 100,000 points. The initiative, which the UK government supports, aims to help close the cybersecurity skills gap by encouraging the development of secure coding skills among the younger generation.

    Infosecurity reports: "Winner Crowned in 'Hacker Games' Contest Promoting Secure Coding Skills"

  • news

    "APT Charming Kitten Pounces on Medical Researchers"

    Security researchers at Proofpoint have recently linked a late-2020 phishing campaign aimed at stealing credentials from 25 senior professionals at medical research organizations in the United States and Israel to an advanced persistent threat group with links to Iran called Charming Kitten. The phishing campaign has been dubbed BadBlood because of its medical focus and the history of tensions between Iran and Israel. The phishing campaign aimed to steal the credentials of professionals specializing in genetics, neurology, and oncology research. Charming Kitten, believed to be an Iranian state-sponsored APT, has been operating since around 2014 and has built a "vast espionage apparatus" comprised of at least 85 IP addresses, 240 malicious domains, hundreds of hosts, and multiple fake entities. Spearphishing and custom malware are among an array of tactics the group uses against victims.

    Threatpost reports: "APT Charming Kitten Pounces on Medical Researchers"

  • news

    "To Help Protect Our Elections, NIST Offers Specific Cybersecurity Guidelines"

    In an effort to bolster election security, the National Institute of Standards and Technology (NIST) has drafted guidelines for local election officials on how to address cyber threats that could impact election infrastructure and disrupt the voting process. The Draft Cybersecurity Framework Election Infrastructure Profile (NISTIR 8310) applies the principles of the NIST Cybersecurity Framework to election systems. The new guide covers the protection of physical locations like polling places as well as the technology involved in voter registration databases, voting machines, and the networks that connect them. This article continues to discuss the development and content of NIST's plain-language guide aimed at strengthening election-related technology against cyberattacks.

    NIST reports "To Help Protect Our Elections, NIST Offers Specific Cybersecurity Guidelines"

  • news

    "Attackers Target PHP Git Server to Backdoor Source Code"

    The developers who maintain the PHP programming language have decided to move the main Git repository for PHP to GitHub after hackers targeted PHP source code in a backdoor attack. Nearly 80 percent of websites on the Internet are written in PHP. Two updates were pushed to the PHP Git server under the account names of two well-known PHP developers, Nikita Popov and Rasmus Lerdorf. The two malicious commits appeared to be minor typographical corrections, but upon closer inspection, the commits added a backdoor that enables hackers to perform remote code execution on websites running the infected version of PHP. The incident has led the PHP Group to change how its code infrastructure is run, as the PHP maintainers have now decided to discontinue the server. All code changes will instead be pushed directly to GitHub. This article continues to discuss the recent targeting of the PHP Git repository by hackers to add a backdoor to PHP source code.

    Dark Reading reports "Attackers Target PHP Git Server to Backdoor Source Code"

  • news

    "Hades Ransomware Hits Big Firms, but Operators Slow to Respond to Victims"

    Researchers from Awake Security, CrowdStrike, and Accenture analyzed attacks involving the Hades ransomware and shared information on their findings in relation to the malware itself and its operators' tactics, techniques, and procedures (TTPs). Hades ransomware, which is different from the Hades Locker ransomware, uses a double-extortion tactic. This tactic involves exfiltrating a victim's data and threatening to leak the data to the public in order to pressure the victim into paying the demanded ransom. The Hades ransomware operators appear to be focused primarily on enterprises, some of which have been multi-national organizations with revenues above $1 billion. Hades has mainly impacted Germany, Luxembourg, Canada, Mexico, and the United States. Only a few industries have been targeted by the Hades ransomware operators, including consumer products, transportation and logistics, and manufacturing and distribution. The ransom notes obtained through Hades samples demanded payments ranging from $5 million to $10 million from victims. In a typical Hades ransomware attack, legitimate credentials are used to connect to Internet-facing systems via the Remote Desktop Protocol (RDP) or a Virtual Private Network (VPN). Cobalt Strike and Empire implants are also typically deployed in a Hades attack for persistence. The operators also use several scripts to perform reconnaissance, collect credentials for privilege elevation, identify additional systems in the target network, and more. This article continues to discuss key findings from the dissection of Hades ransomware attacks.

    Security Week reports "Hades Ransomware Hits Big Firms, but Operators Slow to Respond to Victims"

  • news

    "SolarWinds Attackers Accessed DHS Emails, Report"

    The SolarWinds cyberattackers were able to use SolarWinds' Orion network management platform to infect targets by pushing out a custom backdoor called Sunburst via trojanized product updates. Sunburst was delivered to almost 18,000 organizations around the globe, starting last March, before being discovered in December. With Sunburst embedded, the attackers were then able to pick and choose which organizations to further penetrate in a massive cyberespionage campaign that has hit nine U.S. government agencies, tech companies like Microsoft, and 100 others hard. According to anonymous government sources, it has recently been discovered that as part of the federal government infiltration, the hackers were also able to access the email accounts of then-acting Secretary Chad Wolf and his staff. It is unclear whether the emails that the hackers accessed contained classified information. Tim Wade, technical director on the CTO team at Vectra, stated that information classification protocols should have kept more sensitive details from being directly accessible and exposed without a hostile foreign actor first finding access to, and exfiltration channels from, classified networks. However, he also stated that even unclassified communication between sensitive parties could disclose a great deal of actionable intelligence if seen by the hackers.

    Threatpost reports: "SolarWinds Attackers Accessed DHS Emails, Report"

  • news

    "Russian-Backed Hackers Target German Lawmakers"

    Russian state-sponsored hackers known for launching disinformation campaigns against the North Atlantic Treaty Organization (NATO) are suspected to have targeted dozens of German lawmakers. The hackers performed spear-phishing attacks targeting private email accounts belonging to members of the German parliament and regional state assemblies. Germany's domestic intelligence agency and information security agency noticed the attacks. At least seven German parliament members and 31 lawmakers in state assemblies were targeted. German security officials believe the cyberattack was carried out by members of the group dubbed Ghostwriter, which is suspected to be linked to Russia's GRU military intelligence agency. According to the cybersecurity firm FireEye, Ghostwriter has run information operations for a Russian influence campaign since at least 2017. These operations have mostly targeted the Baltic states and Poland, with the purpose of spreading misinformation about NATO. This article continues to discuss the recent targeting of German lawmakers by Russian-backed hackers and the history of the disinformation-focused group Ghostwriter.

    Homeland Security News Wire reports "Russian-Backed Hackers Target German Lawmakers"

  • news

    "New, Critical Vulnerability Discovered That Could Let Attackers Gain Entry to SolarWinds Systems"

    Researchers in Trend Micro's Zero Day Initiative (ZDI) team discovered two remote code execution (RCE) vulnerabilities that could lead to the takeover of SolarWinds Orion systems. The team has worked closely with SolarWinds to assist in responding to the massive hack. According to the researchers, one of the RCE vulnerabilities has a critical severity rating, while the other received a high severity rating. The exploitation of these vulnerabilities could allow remote attackers to take over an affected SolarWinds system. The critical RCE vulnerability exists in the OneTimeJobSchedulerEventsService Windows Communication Foundation (WCF) service. It stems from the inadequate validation of user-supplied data, possibly resulting in the deserialization of untrusted data. An attacker can abuse this vulnerability to escalate privileges and execute arbitrary code, thus allowing them to carry out any action that the System Account can perform. The second RCE vulnerability exists in the JobRouterService WCF service and is caused by the service's configuration, which allows unprivileged users to access a critical resource. This vulnerability lets attackers execute code as an administrator. However, an attacker would need to be authenticated to abuse this vulnerability. These vulnerabilities provide attackers with many opportunities for lateral movement, data exfiltration, and the performance of destructive actions. This article continues to discuss the new vulnerabilities impacting SolarWinds' Orion IT monitoring platform.

    SC Magazine reports "New, Critical Vulnerability Discovered That Could Let Attackers Gain Entry to SolarWinds Systems"

  • news

    "Double-Extortion Ransomware Attacks Surged in 2020"

    During a new study, researchers at F-Secure discovered that double-extortion ransomware attacks exploded in 2020. The tactic involves threat actors stealing data from organizations in addition to encrypting files. This means that, as well as demanding a ransom to decrypt data, attackers can later threaten to leak the stolen information if an additional payment is not made. The researchers observed that by the end of 2020, 15 different ransomware families had used this double-extortion approach, which compares to just one in 2019. The researchers also found that nearly 40% of ransomware families discovered last year utilized this ransomware method. Calvin Gan, a senior manager with F-Secure's Tactical Defense Unit, stated that organizations with reliable backups and effective restoration procedures are in a solid position to recover from a ransomware attack without having to pay. During the study, the researchers also found many other significant cybersecurity trends that took place in 2020. There was a tripling in the use of Excel formulas to obfuscate malicious code in the second half of 2020. Regarding phishing attacks, the researchers found that the most popular brand spoofed in emails was Outlook, followed by Facebook Inc. and Office365, while web hosting services made up nearly three-quarters of domains used to host phishing pages.

    Infosecurity reports: "Double-Extortion Ransomware Attacks Surged in 2020"

  • news

    Visible to the public "Closing the Cyber Skills Gap Will Take New Technologies in Addition to New Talent"

    Marcus Fowler, the director of strategic threat at the cybersecurity Artificial Intelligence (AI) company Darktrace, discusses the need for new technologies and new talent to close the cybersecurity skills gap. Although the first decrease has been recorded for the cybersecurity workforce gap, the scale and complexity of cybersecurity professionals' workloads and tasks have increased together with the sophistication of cyberattacks. For security teams across industries, the most critical gap isn't a specific skill. Rather, it is the gap between the growing number of tasks to be performed by security teams and the skilled personnel needed to carry them out. Even if more individuals enter the cybersecurity field, there are several factors that will continue to make the cybersecurity community play catch-up. The constant advancement of external attack methods like automated attacks will continue to present challenges for the cybersecurity community. In addition, security teams have to deal with the accelerated transformation of workforce practices and technological infrastructure stemming from the widespread shift toward remote working as well as the increased adoption of the software-as-a-service (SaaS) model and cloud computing platforms. With these challenges, humans alone cannot solve the cybersecurity resources gap. Instead of just hiring more humans to solve the problem, Fowler suggests the implementation of new security tools that can help human cybersecurity professionals work smarter. We need to equip professionals with AI and Machine Learning (ML)-based autonomous technologies that can help in security incident investigation, response, mitigation, and more. This article continues to discuss the cybersecurity resources and skills gap and the need for new talent and breakthrough technologies to close it.

    NextGov reports "Closing the Cyber Skills Gap Will Take New Technologies in Addition to New Talent"

  • news

    Visible to the public "More Solutions Doesn’t Mean More Protection"

    Researchers at Acronis conducted a survey of 4,400 IT users and professionals in 22 countries across six continents about their cybersecurity solutions. The results showed that while 80% of companies now run up to 10 different solutions simultaneously to protect their data and computer systems, more than half of those organizations suffered unexpected downtime in 2020 after losing data. The researchers stated that not only does investing in more solutions fail to deliver more protection, but in many cases trying to manage protection across multiple solutions creates greater complexity and less visibility for the IT team, which increases risk. The researchers also found that 68% of IT users and 20% of IT professionals would be unable to tell if their data had been altered without their knowledge because their cybersecurity solution makes that kind of tampering difficult to detect. Nearly half of IT users (43%) did not know whether their anti-malware stops zero-day threats because their solution does not make such information easily available. A tenth of IT professionals admitted not knowing whether their organization is subject to data privacy regulations, potentially exposing their company to significant fines for compliance violations. While 83% of IT users said they spent more time on their devices in 2020, only half of them took extra steps to protect those devices. A third (33%) admitted waiting at least a week to update their devices with a new patch after being notified of the patch's release.

    Infosecurity reports: "More Solutions Doesn't Mean More Protection"

  • news

    Visible to the public "This Android Malware Hides as a System Update App to Spy on You"

    Researchers at Zimperium zLabs have discovered new Android malware disguised as a System Update application. The researchers detected the sample app on a third-party repository, not the official Google Play Store. Once the spyware app is installed, the victim's device is registered with a Firebase command-and-control (C2) server, which issues commands while a separate C2 manages data theft. Data exfiltration is triggered when a certain condition, such as the installation of a new app, is met. According to the team, the malware is a Remote Access Trojan (RAT) capable of stealing GPS data, SMS messages, call logs, contact lists, images, and video files. It can steal operational information like storage statistics and lists of applications installed on the device. The RAT can also take over a mobile device's camera to take photos, secretly record microphone-based audio, review browser histories, and eavesdrop on phone conversations. Zimperium researchers say the malware is part of an advanced spyware campaign with complex capabilities. This article continues to discuss the distribution and capabilities of the new advanced Android malware, and Google's recent removal of Android apps from the Play Store that carried a dropper for banking Trojans.

    ZDNet reports "This Android Malware Hides as a System Update App to Spy on You"

  • news

    Visible to the public "Apple Rushes to Patch Zero-Day Flaw in iOS, iPadOS"

    Apple has recently released an emergency update for its iOS, iPadOS, and watchOS operating systems to patch a zero-day security flaw being exploited in the wild. The list of impacted devices includes iPhone 6s and later, all versions of the iPad Pro, iPad Air 2 and later, the 5th generation of iPad and later, iPad mini 4 and later, and the 7th generation of the iPod touch. Apple has also issued security updates for its Apple Watch products. The security hole is being plugged with the release of iOS 14.4.2 and iPadOS 14.4.2. Researchers suggest that users download the update as soon as possible. The security flaw is known as CVE-2021-1879 and resides in WebKit, Apple's open-source web browser engine used by the Safari browser, Mail, and various other iOS and iPadOS apps. According to researchers at CyberSecurityHelp, a remote attacker who can hoodwink their victim into clicking on a specially crafted link and execute arbitrary code could steal sensitive data, perform a phishing or drive-by-download attack, as well as change the appearance of a website.

    We Live Security reports: "Apple Rushes to Patch Zero-Day Flaw in iOS, iPadOS"

  • news

    Visible to the public "Cyberattack Disrupts Operations At Molson Coors"

    The multi-billion-dollar brewing and beverage giant Molson Coors recently faced a cyberattack that disrupted parts of the company's business, including brewery operations, production, and shipping. Molson Coors reportedly suffered a ransomware attack. The company operates 20 brewing facilities in North America and Europe. Brewing and adult beverage companies have become increasingly common targets for cybercriminals, with Italy's Licya Campari Group, Australia's Lion, and Jack Daniel's owner Brown-Forman all having been hit in the past year. Downtime caused by a cyber incident can lead to thousands of dollars in costs per minute for such companies. This article continues to discuss the recent disruption of Molson Coors' business operations by a cyberattack, the increased targeting of high-profile organizations like Molson Coors, and the significant costs that companies can face when they experience a cyber incident.

    Forbes reports "Cyberattack Disrupts Operations At Molson Coors"

  • news

    Visible to the public What looks like an Android update may be a Trojan horse

    What looks like a new Android update may contain an information-stealing Trojan horse. This spyware mimics a System Update application and then takes control of compromised devices. Although it is not distributed through the official Google Play store, third-party app stores did carry the spyware update, and users should beware.

    #ScienceofSecurity #cybersecurity

  • news

    Visible to the public "Young Adults, Seniors Over 75 Most Susceptible to Cyber Fraud"

    According to the latest research shared in the LexisNexis Risk Solutions biannual Cybercrime Report, young adults under the age of 25 and adults over 75 are the most vulnerable to falling victim to cybercrime. The report is based on the analysis of global cybercrime activity from July 2020 through December 2020. A significant flood of new-to-digital customers went online in 2020, with young adults and seniors proving to be the groups most vulnerable to online fraud attacks. Analysis revealed a 10 percent growth in customers in the under 25 age group. The youngest online users became the most vulnerable to fraud attacks over the six months. Although young adults are often considered highly tech-savvy, many of them tend to show more relaxed usage behavior patterns and willingness to share personal data online. On the other hand, adults over 75 are generally considered less informed about the latest digital technologies, making them increasingly vulnerable to scams and phishing attempts. However, fraudsters have been observed targeting the younger age group more than the older group as higher success rates compensate for lower monetary gains. These findings suggest the need for more education and layered fraud defenses to protect the full spectrum of online users. This article continues to discuss what puts younger and older adults at more risk of digital fraud and other key findings surrounding cyber fraud in 2020.

    TechNewsWorld reports "Young Adults, Seniors Over 75 Most Susceptible to Cyber Fraud"

  • news

    Visible to the public "Insurance Giant CNA Hit With Novel Ransomware Attack"

    A novel ransomware attack forced insurance giant CNA to take systems offline and temporarily shutter its website. The Chicago-based company is the seventh-largest commercial insurance provider in the world. The company stated that the attack caused a network disruption and impacted certain CNA systems, including corporate email. The attack occurred earlier this week and leveraged a new variant of the Phoenix CryptoLocker malware. Cryptolockers are an oft-used type of ransomware that immediately encrypt files on the machines they attack and demand a ransom from the victims in exchange for the key to unlocking them. The threat actors behind Phoenix CryptoLocker are likely the cybercrime group Evil Corp, which recently resurfaced after taking a short hiatus from cybercriminal activity.

    Threatpost reports: "Insurance Giant CNA Hit With Novel Ransomware Attack"

  • news

    Visible to the public "Public-Private Partnership is 'Critical' to Cybersecurity"

    The National Security Agency's (NSA) Cybersecurity Collaboration Center, together with government and industry partners, is working to share information and strengthen cybersecurity. Morgan Adamski, the chief of NSA's Cybersecurity Collaboration Center, emphasizes the importance of establishing partnerships in support of combating cyberattacks as no one organization has the full picture. The NSA's Cybersecurity Collaboration Center's three main areas of focus include detection, innovation, and mitigation. The center detects adversaries using signals intelligence and commercial data, as well as through bidirectional threat sharing with the private sector. This article continues to discuss the three channels of focus at NSA's Cybersecurity Collaboration Center, the importance of public-private partnerships in cybersecurity, and why information sharing is essential.

    MeriTalk reports "Public-Private Partnership is 'Critical' to Cybersecurity"

  • news

    Visible to the public "Mamba Ransomware Leverages DiskCryptor for Encryption, FBI Warns"

    The FBI recently issued an alert about the abuse of the DiskCryptor open-source tool by the Mamba ransomware to encrypt entire drives as well as the operating system. Mamba ransomware, also referred to as HDDCryptor, has been active for nearly half a decade, abusing DiskCryptor for about as long. DiskCryptor was designed to allow users to encrypt all disk drives, including the system partition, with the purpose of bolstering data security. However, Mamba ransomware has been observed abusing the application in numerous attacks against local governments, public transportation agencies, technology services, construction entities, and more. This article continues to discuss the FBI's warning about the weaponization of DiskCryptor by Mamba ransomware, how users could protect themselves from Mamba and other ransomware families, and why victims should not pay ransoms to cybercriminals.

    Security Week reports "Mamba Ransomware Leverages DiskCryptor for Encryption, FBI Warns"

  • news

    Visible to the public "Rise in Attacks on ICS Computers in Second Half of 2020"

    Researchers from Kaspersky have discovered that attacks on industrial control system (ICS) computers went up by 0.85 percentage points in H2 of 2020 compared to H1. The researchers also found that the variety of malware families targeting ICS computers increased by 30% in this period, with cyber-criminals significantly ramping up attacks against these sectors amid the COVID-19 lockdowns. Compared to H1, in the engineering and ICS integration sector, the proportion of ICS computers attacked grew by nearly eight percentage points to 39.3%. The proportion of ICS computers attacked in the building automation sector saw an increase of 46.7%, and the proportion of ICS computers attacked in the oil and gas sector grew by 44%. Of the countries the researchers examined, they found that 62% experienced a growth in the percentage of ICS computers targeted. The researchers also discovered that the proportion of ICS computers on which malicious email attachments were blocked went up by 73.4%. The most commonly employed malware were backdoors, spyware, other types of Trojans, and malicious scripts and documents.

    Infosecurity reports: "Rise in Attacks on ICS Computers in Second Half of 2020"

  • news

    Visible to the public "Researchers Discover Two Dozen Malicious Chrome Extensions"

    Researchers at the security vendor Cato Networks discovered two dozen malicious Google Chrome browser extensions. They also found 40 malicious domains associated with the extensions that are being used to inject adware, steal credentials, and redirect victims to malware distribution sites. According to the researchers, the extensions were found on networks belonging to hundreds of the vendor's customers. Endpoint protection tools and threat intelligence systems were also not flagging the extensions. The extensions pose significant threats to enterprises, as security researchers have observed them performing malicious activities such as stealing usernames and passwords, stealing financial data, and more. Cato Networks says its researchers analyzed five days of network data collected from customer networks to try to identify whether the extensions communicate with command-and-control (C&C) servers. Network traffic was correlated with extension behavior to make a preliminary classification of the extensions as benign or malicious. As a result, the company identified 97 out of 551 unique extensions as likely to be malicious. In the next phase of this research, each extension was manually inspected to determine whether it was truly malicious or benign. The manual inspection resulted in the identification of 85 malicious extensions, 24 of which had not been previously classified as malicious. This article continues to discuss the recent discovery of 24 malicious Chrome extensions and 40 malicious domains, the risks posed by such extensions, and four different approaches used by threat actors to introduce malicious extensions into users' browsers.

    Dark Reading reports "Researchers Discover Two Dozen Malicious Chrome Extensions"

  • news

    Visible to the public "Your Streaming Service Is Fertile Ground for Bot Attacks"

    Streaming services have become increasingly attractive targets for cybercriminals launching malicious bots to steal customer account information. Customers often use easier password combinations for streaming services because these services do not hold a lot of personal data. A study conducted by the Pew Research Center found that 39 percent of people use the same or similar passwords for multiple online accounts. Therefore, if a consumer's sign-in credentials are stolen from a streaming service and those credentials are also used for a bank account, the hacker then has access to sensitive data and the ability to steal money. Hackers perform Account Takeover (ATO) attacks to infiltrate online accounts. In ATO attacks, malicious actors typically gain access to accounts through the use of automated credential stuffing and credential cracking attack techniques. The likelihood of success for username and password combination testing across multiple sites is increased when hackers use bots. A bot can try different combinations at a much higher rate than humans could. In a recent attack against a streaming service, nearly 300,000 unique username and password combinations were attempted in just over five hours, during which the hackers successfully harvested 1,500 combinations. Malicious bots are also used to create fake accounts when targeting streaming services. Cybercriminals can use this tactic to generate spam and abuse new account promotions. This article continues to discuss how bots are used in attacks targeting streaming services and how malicious bot attacks can be prevented.

    Security Magazine reports "Your Streaming Service Is Fertile Ground for Bot Attacks"

  • news

    Visible to the public "Data Loss Impacts 40% of SaaS App Users"

    Researchers from Rewind, a provider of cloud backups for SaaS applications, discovered that 40% of Software as a Service (SaaS) users across a range of industries had lost data stored in their online tools. A total of 631 respondents answered questions related to how they use SaaS apps in a professional context. More than half (53%) of respondents use SaaS tools while at work, with some (43 percent) utilizing four or more apps. Most users said that the data in their SaaS applications were either "somewhat" (47%) or "very" (42%) critical to the performance of their work. Despite this, more than half of the respondents lacked vital knowledge regarding the security of that data. Many users (45 percent) were not aware of the Shared Responsibility Model.

    Infosecurity reports: "Data Loss Impacts 40% of SaaS App Users"

  • news

    Visible to the public "Challenges And Benefits of Using Threat Data Feeds"

    Researchers at Ponemon Institute discovered that threat data feeds could help organizations strengthen their cybersecurity posture. The researchers surveyed 1025 IT security practitioners (70% of whom were at or above the supervisory level) in the United States and the United Kingdom. Most (79%) of the professionals participating in the study said threat data feeds were essential to their organization's ability to achieve a strong cybersecurity posture, and 55% rated the quality of their threat feeds' ability to pinpoint cyberthreats as very high. Study participants said threat data feeds offer several benefits. Threat data feeds add unique data to better inform security (71%), increase preventive blocking to ensure a better defense (63%), reduce the time it takes to detect and remediate an attack (55%), and reduce the time spent researching false positives (51%). However, more than half (56%) of respondents also said threat feeds deliver data that is often too voluminous and/or complex to provide timely and actionable intelligence.

    Help Net Security reports: "Challenges And Benefits of Using Threat Data Feeds"

  • news

    Visible to the public "REvil Ransomware Hits Acer; Threat Actors Demand $50 Million in Ransom"

    The computer manufacturer Acer has fallen victim to a REvil ransomware attack, with the threat actors demanding a ransom of more than $50 million. The ransomware operators infiltrated Acer's network systems. They allegedly shared images of the files they stole to prove that they compromised the company's network. These images included financial spreadsheets, bank balance statements, and other sensitive documents belonging to Acer. It remains unknown whether Acer decided to pay the ransom to the cybercriminals. Acer did reveal that once the abnormality was detected, its internal security mechanisms immediately initiated security and precautionary actions. Many industry experts suspect that the ransomware operators exploited vulnerabilities in Microsoft Exchange Servers on Acer's domain to launch their attack. This article continues to discuss the REvil ransomware attack on Acer, the possible exploitation of vulnerabilities in Microsoft Exchange Servers to execute the attack, and other recent activities of the REvil ransomware threat group.

    CISO MAG reports "REvil Ransomware Hits Acer; Threat Actors Demand $50 Million in Ransom"

  • news

    Visible to the public "Ransomware Attack Foils IoT Giant Sierra Wireless"

    A ransomware attack on leading internet-of-things (IoT) manufacturer Sierra Wireless this week brought its production activity to a halt and froze various other internal operations. The Canadian multinational manufacturer creates a broad array of communications equipment, from gateways to routers, cellular modems to modules, and smart connectivity solutions for IoT devices.
    The ransomware attack first affected the company on March 20, pushing its IT systems offline and halting production across its manufacturing sites. The company's website is currently down, displaying the message "Site is under maintenance". The company stated that it is currently working to bring its internal IT systems back online and hopes to restart production at its facilities soon. According to Sierra Wireless, once the company learned of the attack, its IT and operations teams immediately implemented measures to counter the attack according to established cybersecurity procedures and policies developed in collaboration with third-party advisors. The company at this time does not believe its customer-facing products and services have been impacted by the attack. It is not clear whether customer data has been affected. Sierra Wireless has not yet specified how the cyberattack initially occurred, what type of ransom was demanded, or whether it considered paying.

    Threatpost reports: "Ransomware Attack Foils IoT Giant Sierra Wireless"

  • news

    Visible to the public "Purple Fox Malware Targets Windows Machines With New Worm Capabilities"

    Researchers at Guardicore Labs have discovered that malware that has historically targeted exposed Windows machines through phishing and exploit kits has been retooled to add new "worm" capabilities. Purple Fox, which first appeared in 2018, is an active malware campaign that until recently required user interaction or some kind of third-party tool to infect Windows machines. The adversaries have now upped their game and added new functionality that can brute-force its way into victims' systems on its own. Researchers analyzed Purple Fox's latest activity and found two significant changes to how attackers are propagating the malware on Windows machines. The first is that the new worm payload executes after a victim machine is compromised through a vulnerable exposed service (such as SMB). Purple Fox also continues to use a previous tactic to infect machines with malware through a phishing campaign, sending the payload via email to exploit a browser vulnerability, researchers observed. Once the worm infects a victim's machine, it creates a new service to establish persistence and executes a simple command that iterates through several URLs that include the MSI for installing Purple Fox on a compromised machine.

    Threatpost reports: "Purple Fox Malware Targets Windows Machines With New Worm Capabilities"

  • news

    Visible to the public Cyber Scene #54 - US-China: Cyber Syndrome or War of the Worlds?

  • news

    Visible to the public SoS Musings #47 - The Problem with False Positives in Security Operations

  • news

    Visible to the public "Dark Web Bursting With COVID-19 Vaccines, Vaccine Passports"

    Security researchers at Check Point have observed a 300 percent increase in listings on dark web marketplaces advertising vaccine doses, falsified vaccine certifications, negative test results, and more in the last three months. According to the researchers, there are more than 1,200 listings offering various vaccines, including Moderna, Pfizer, AstraZeneca, Sputnik, Johnson & Johnson, and Sinopharm. The legitimacy of the doses remains unknown. However, even if the doses were legitimate, there is no guarantee that they have been stored properly. The researchers attempted to purchase the Sinopharm vaccine from one of the dark web vendors. Negotiations for purchasing the vaccine took place on Telegram. The vendor provided reassurance that the vaccine doses were real. The researchers paid $500 in bitcoin for the vaccine and then received a FedEx shipping label, but they did not receive the shipment. Dark web vendors are suspected to be having greater success with selling falsified vaccine cards and negative test results, as the researchers have seen more vaccination certificates being offered than vaccines. This article continues to discuss the researchers' observations surrounding the increase in COVID-19-related listings on dark web marketplaces.

    Ars Technica reports "Dark Web Bursting With COVID-19 Vaccines, Vaccine Passports"

  • news

    Visible to the public "Protecting Open-Source Software by Analyzing Community Behavior"

    The Defense Advanced Research Projects Agency (DARPA) wants to develop a dynamic and continuously updated open-source software (OSS) situational awareness capability to preserve the security of the US Defense Department's OSS supply chain. The SocialCyber program will maintain the integrity and security of an OSS project by providing early warnings about weaknesses. DARPA is looking to develop an overall security assessment of an OSS project's complex cyber-socio-technical ecosystem by gathering data pertaining to the security of a project's architecture, participants' social behaviors, attack surfaces, and security economics. The program will explore hybrid methods that can help analyze source code, communication artifacts in relation to development, and social media activity. The analysis of these factors will help detect and combat malicious cyber-social operations as well as safeguard the security and privacy of the Defense Department's open-source infrastructure. This article continues to discuss the aim of the SocialCyber program.

    GCN reports "Protecting Open-Source Software by Analyzing Community Behavior"

  • news

    Visible to the public "New Cybersecurity Programs to Protect US Energy"

    The Department of Energy's (DOE) Office of Cybersecurity, Energy Security, and Emergency Response (CESER) has announced three new research programs aimed at strengthening the security of America's energy system against cyberattacks and physical hazards. The new schemes will address potential vulnerabilities in global supply chains and explore ways to protect critical infrastructure from geomagnetic and electromagnetic interference. The new programs will also focus on establishing a research and talent pipeline for the next generation of cybersecurity professionals. These programs will gather experts from industry, academia, and government to help enhance the energy sector's resilience. CESER pointed out the major threats facing America's critical energy infrastructure, which include digital hazards such as cyberattacks and environmental dangers like climate change, wildfires, and extreme weather. This article continues to discuss the goals and importance of the three new cybersecurity research programs.

    Infosecurity Magazine reports "New Cybersecurity Programs to Protect US Energy"

  • news

    Visible to the public Deepfakes - AI-Generated Media