News Items

  • news

    Visible to the public "Hackers Target Colombia's Healthcare System With Ransomware"

    Colombian healthcare provider Keralty recently reported a ransomware attack that affected its systems and two of its subsidiaries: EPS Sanitas and Colsanitas. The attack disrupted the companies' IT operations, websites, and scheduling of medical appointments. The hacking operation was reportedly confirmed by a Twitter user, who posted a screenshot of the alleged malware affecting Keralty's systems and deployed by the threat group RansomHouse. Furthermore, in addition to disrupting patient care, the RansomHouse ransomware group claimed to have stolen 3TB of data. Researchers at Rapid7 stated that even though it is yet to be confirmed what data has been stolen, their research shows that the majority of ransomware data disclosures against the healthcare and pharmaceuticals industry include finance and accounting data (71%) and patient data (58%). The researchers suggest that organizations need to implement file encryption and technologies that detect a potential intrusion or lateral movement so they have multiple layers of defense against ransomware attacks.

    Infosecurity reports: "Hackers Target Colombia's Healthcare System With Ransomware"

  • news

    Visible to the public "Researchers Found Security Pitfalls in IBM's Cloud Infrastructure"

    Security researchers investigated IBM Cloud's Database-as-a-Service (DaaS) infrastructure and discovered several security flaws that gave them access to the internal server used to build database images for customer deployments. The demonstrated attack brings further attention to common security flaws that can result in cloud infrastructure supply chain compromises. The attack, developed by Wiz researchers, combined a privilege escalation vulnerability in IBM Cloud Databases for PostgreSQL, plaintext credentials sprinkled throughout the environment, and excessively permissive internal network access controls that enabled lateral movement within the infrastructure. The audit of IBM Cloud Databases for PostgreSQL by Wiz was part of a larger research project that examined PostgreSQL deployments across major cloud providers offering this database engine as part of their managed DaaS solutions. Wiz researchers discovered and disclosed vulnerabilities in Microsoft Azure and Google Cloud Platform (GCP) PostgreSQL implementations earlier this year. PostgreSQL, an open-source relational database engine, has been in development for over 30 years, with a focus on stability, high availability, and scalability. However, this software was not designed with a permission model appropriate for multi-tenant cloud environments in which database instances must be isolated from each other and the underlying infrastructure. The Wiz researchers examined the Logical Replication mechanism available to users while analyzing IBM Cloud's PostgreSQL implementation. The function's code revealed a SQL injection vulnerability caused by improper sanitization of the arguments passed to it, meaning they could pass any SQL query to the function, which would then execute it as the superuser. In addition, the researchers used the PostgreSQL COPY statement to execute arbitrary commands on the underlying Virtual Machine (VM) hosting the database instance, resulting in the opening of a reverse shell. This article continues to discuss the demonstrated attack on IBM's cloud infrastructure by cybersecurity researchers that allowed them to gain access to the internal server used to build database images for customer deployments.

    CSO Online reports "Researchers Found Security Pitfalls in IBM's Cloud Infrastructure"

  • news

    Visible to the public "WhatsApp Files on Dark Web Show Millions of Records For Sale"

    In mid-November, a threat actor posting on a dark web forum claimed to have stolen the personal information of almost 500 million WhatsApp users. Recently, Check Point Research (CPR) has published a new advisory analyzing the exposed files and confirming the leak includes 360 million phone numbers from 108 countries. While CPR was unable to confirm the leaked numbers belonged to WhatsApp users, their researchers showed that the phone numbers varied in quantity among countries, ranging from 604 in Bosnia and Herzegovina to 35 million attributed to Italy. CPR noted that the whole list went on sale for four days and is now being distributed for free among dark web users. CPR stated that while the information on sale does not expose the content of any messages themselves, it is still worrying to see such a large volume of phone numbers for sale on the Dark Web. There is the potential that this information could be used as part of tailored phishing attacks in the future. One security researcher named Karol Paciorek, a security researcher from the computer security incident response team of the Polish financial sector (CSIRT KNF), claimed on Twitter that the leaked database is a re-use of an older 2019 Facebook breach. Paciorek stated that the WhatsApp "leak" is nothing more than phone numbers obtained from the Facebook "leak" that took place in 2019. He claimed that the sample of 5000 WhatsApp data records from Poland is identical to those they already saw in 2019. As security experts continue to analyze the leaked data, the researchers are calling for WhatsApp users to take steps to increase their security posture.

    Infosecurity reports: "WhatsApp Files on Dark Web Show Millions of Records For Sale"

  • news

    Visible to the public "These File Types Are the Ones Most Commonly Used by Hackers to Hide Their Malware"

    According to an analysis of real-world cyberattacks and data collected from millions of PCs, ZIP and RAR files have surpassed Microsoft Office documents as the most commonly used file types by cybercriminals to deliver malware. Based on customer data from HP Wolf Security, 42 percent of attempts to deliver malware attacks used archive file formats such as ZIP and RAR between July and September of this year. Cyberattacks involving the exploitation of ZIP and RAR formats are more common than those attempting to deliver malware via Microsoft Office documents such as Microsoft Word and Microsoft Excel files, which have long been the preferred method of tricking victims into downloading malware. According to researchers, this is the first time archive files surpassed Microsoft Office files as the most common means of delivering malware in over three years. It allows attackers to circumvent many security measures by encrypting malicious payloads and hiding them within archive files. Archives are simple to encrypt, allowing threat actors to conceal malware and avoid web proxies, sandboxes, and email scanners, thus making attacks difficult to detect, especially when combined with HTML smuggling techniques. In many cases, attackers create phishing emails appearing to be from popular brands and online service providers to trick the user into opening and running the malicious ZIP or RAR file. This includes attaching malicious HTML files to emails masquerading as PDF documents. When opened, they display a fake online document viewer that decodes the ZIP archive. If the user downloads it, it will infect them with malware. According to HP Wolf Security, Qakbot, a malware family that is used to steal data and serve as a backdoor for deploying ransomware, is one of the most notorious malware campaigns now relying on ZIP archives and malicious HTML files. This article continues to discuss HP Wolf Security's findings on the file types now most commonly used by hackers to hide malicious payloads.

    ZDNet reports "These File Types Are the Ones Most Commonly Used by Hackers to Hide Their Malware"

  • news

    Visible to the public Pub Crawl #68


    Pub_Crawl_web.jpgPub Crawl summarizes, by hard problems, sets of publications that have been peer reviewed and presented at SoS conferences or referenced in current work. The topics are chosen for their usefulness for current researchers.

  • news

    Visible to the public "Hackers Dump Australian Health Data Online, Declare Case Closed"

    In November, hackers demanded health insurer Medibank pay US$9.7 million to keep the records stolen off the internet, or one dollar for each of the company's impacted customers, which included Prime Minister Anthony Albanese. Medibank refused to pay the ransom. The first batches of stolen data started appearing on a dark web forum on November 9, in curated posts highlighting medical records about drug addiction, pregnancy terminations, and sexually transmitted infections. The hackers leaking stolen Australian health records to the dark web on Thursday appeared to end their extortion attempt by dumping a final batch of data online and declaring: "Case closed." The post was posted on Thursday deliberately because it was International Computer Security Day. 4Medibank stated that the latest post was "incomplete and hard to understand," an indication the hackers may have lost interest after a ransom was taken off the table. The company stated that while its investigation continues, there are currently no signs that financial or banking data has been taken. Australian Federal Police Commissioner Reece Kershaw said in November that the hackers were believed to be a group of "loosely affiliated cyber criminals" based in Russia. Cybersecurity analysts have suggested they could be linked to the Russian hacker group REvil.

    SecurityWeek reports: "Hackers Dump Australian Health Data Online, Declare Case Closed"

  • news

    Visible to the public "Android Keyboard App Bugs Allow Remotely Infecting Devices"

    Three Android apps with millions of downloads on the Google Play store, Lazy Mouse, Telepad, and PC Keyboard, had several flaws that could allow attackers to remotely execute commands and steal credentials. These were riddled with critical flaws, putting users at risk of losing their data. All three apps have nearly two million downloads in both free and paid versions. When connected to a computer or another device, the apps allow users to use their Android device as a remote keyboard and mouse. However, the Synopsys Cybersecurity Research Center (CyRC) team discovered insecure communication vulnerabilities as well as weak or missing authentication and authorization mechanisms. Exploiting the authentication and authorization flaws could enable unauthenticated remote attackers to execute arbitrary commands. The exploitation of the insecure communication vulnerability exposes the user's keystrokes, including sensitive information such as usernames and passwords. Although the researchers say the flaws are related to the same authentication, authorization, and transmission implementations, each app's failure mechanism was determined to be unique. Each of the three apps requires a different exploit to take advantage of their flaws. The researchers stated that they contacted the app developers several times but received no response. While the apps are widely used, the researchers note that they are not updated or maintained. This article continues to discuss findings and observations regarding the Android keyboard app bugs.

    Cybernews reports "Android Keyboard App Bugs Allow Remotely Infecting Devices"

  • news

    Visible to the public "Researchers Accidentally Crash Cryptomining Botnet"

    Security researchers at Akamai, analyzing a prolific botnet, recently managed to accidentally kill it due to the coding equivalent of a typing error. The researchers detected the "KmsdBot" last month. The Golang-based bot is designed to conscript machines via SSH and weak credentials and has the functionality to launch DDoS and cryptomining campaigns. The KmsdBot is targeting the gaming, technology, and luxury car industries, among others. The researchers decided to test some of the botnet's command and control (C2) functionality as part of their research, so they set up a controlled environment by modifying a recent sample of KmsdBot to talk to an IP address in RFC 1918 address space. This allowed the researchers to have a controlled environment to play around in, and, as a result, they were able to send the bot their own commands to test its functionality and attack signatures. The researchers noted that, interestingly, after one single improperly formatted command, the bot stopped sending commands. The command in question was simply missing a space between the target website and the port, but it was enough to bring the entire bot crashing down. The researchers stated that this is because, unfortunately for the bot herders, KmsdBot didn't have error-checking built into its code to verify that commands are properly formatted. Because of this, an improperly formatted command will cause the Go binary to crash with a stack trace stating an "index out of range" error. This is because the wrong number of arguments were supplied. The researchers noted that this malformed command likely crashed all the botnet code that was running on infected machines and talking to the C2, essentially killing the botnet. The researchers also stated that the bot also didn't have any ability to maintain persistence on an infected machine, so the group behind it will effectively now have to start from scratch by reinfecting machines.

    Infosecurity reports: "Researchers Accidentally Crash Cryptomining Botnet"

  • news

    Visible to the public "Eight Charged with $30m Unemployment Benefits Fraud"

    Eight people have been recently charged with conspiring to defraud the Georgia Department of Labor (GaDOL) out of tens of millions of dollars in unemployment benefits. Among the defendants are Vienna, Georgia residents Tyshion Nautese Hicks, 30, Macovian Doston, 29, and Membrish Brown, 27. Also accused are Warner Robins, Georgia residents Shatara Hubbard, 34, and A'Darrion Alexander, 27, as well as Cordele residents Torella Wynn, 30, and Kenya Whitehead, 35. The Department of Justice (DoJ) noted that the eighth alleged conspirator is Edith Nate Hicks, 45, of Atlanta, Georgia. As an employee of an Atlanta-area healthcare network, she was allegedly paid by the others to obtain hundreds of patients' personally identifiable information (PII) from hospital databases. The DoJ stated that the conspirators then allegedly filed unemployment insurance claims on the GaDOL website in the names of their identity theft victims, adding fictitious employers for each fake claimant. Presumably, in a bid to hide the money trail, they asked the funds to be paid via prepaid debit cards mailed to addresses mainly in the Cordele and Vienna area. The DoJ noted that Edith Nate Hicks was allegedly paid via Chime, Venmo, and CashApp after accessing the PII of an estimated 1600 Atlanta-area patients. She has already pleaded guilty to conspiracy to commit mail fraud and faces a maximum term of 20 years behind bars. Tyshion Nautese Hicks, Hubbard, Wynn, Doston, Whitehead, Alexander, and Brown are each charged with conspiracy to commit mail fraud, which also carries a maximum penalty of 20 years in prison. Tyshion Nautese Hicks and Doston are also charged with aggravated identity theft, which carries a mandatory two-year prison sentence, while Alexander faces an additional charge of money laundering, which carries a maximum of 20 years in prison. The DoJ noted that the conspiracy is said to have resulted in at least $30m of stolen benefits designed to help the unemployed during the pandemic.

    Infosecurity reports: "Eight Charged with $30m Unemployment Benefits Fraud"

  • news

    Visible to the public "Researchers Used a Sirius XM Bug to Easily Hijack a Bunch of Different Cars"

    Security researchers have discovered a relatively simple way to take control of Hondas, Nissans, Infinitis, and Acuras through their infotainment systems. According to new research, several major automakers were affected by a previously unknown security flaw that would have allowed a hacker to hijack vehicles and steal user data. The bug was found in the Sirius XM telematics infrastructure and would have allowed a hacker to remotely locate a vehicle, unlock and start it, flash the lights, honk the horn, open the trunk, and access sensitive customer information such as the owner's name, phone number, address, and more. While looking for issues involving major car manufacturers, a group of security researchers uncovered the bug. One of the researchers said he and his friends were curious about the types of problems that could emerge if they examined providers of "telematic services" for carmakers. Most modern automobiles are web-connected computers on wheels. Vehicle data inflows and outflows enable cars to be more convenient and customizable, but they also make them more vulnerable to cyberattacks and remote hijacking. In addition, since car manufacturers have been known to sell vehicle data to surveillance vendors, the telematics industry is also a major privacy risk. The researchers discovered an authentication loophole inside infrastructure provided by the radio giant Sirius XM after exploring code related to various car apps. Sirius XM is found in most car infotainment systems and provides telematic services to most automakers. According to the researchers, Sirius XM is bundled with the vehicle's infotainment system, which can perform actions on the vehicle and communicate with the Sirius XM Application Programming Interface (API) via satellite to the Internet. This means that individual vehicles are sending and receiving data and commands from Sirius XM, and that information can be intercepted under the right conditions. This article continues to discuss the Sirius XM bug that can allow malicious actors to easily hijack different cars.

    Gizmodo reports "Researchers Used a Sirius XM Bug to Easily Hijack a Bunch of Different Cars"

  • news

    Visible to the public "Google Links Three Exploitation Frameworks to Spanish Commercial Spyware Vendor Variston"

    Google's Threat Analysis Group (TAG) discovered three exploitation frameworks likely linked to Variston IT, a Spanish firm, while tracking the activities of commercial spyware vendors. Variston officially claims to offer custom security solutions and custom patches for embedded systems. According to the experts, the framework includes exploits for n-day vulnerabilities in Chrome, Firefox, and Microsoft Defender. The company exploited vulnerabilities in Google, Microsoft, and Mozilla. The company also offers a set of tools for delivering a malicious payload to a target device. The company exploited vulnerabilities in Google, Microsoft, and Mozilla, which were fixed in 2021 and early 2022. According to TAG's findings, the issues were used as zero-days in the wild by the surveillance vendor. After receiving an anonymous submission to the Chrome bug reporting program, TAG discovered the Heliconia framework. The submitter reported exploitation frameworks, instructions, and an archive containing source code. The bug reports refer to them as "Heliconia Noise," "Heliconia Soft," and "Files." The researchers discovered a script in the source code that contains clues pointing to Variston IT, the possible developer of the exploitation frameworks. A Chrome renderer exploit is deployed using the Heliconia Noise web framework, followed by a Chrome sandbox escape an agent installation. The Heliconia Soft web framework takes advantage of a Microsoft Defender Remote Code Execution (RCE) vulnerability that was patched in November 2021. When a victim downloads a specially crafted PDF file, Windows Defender detects it and launches the exploit. For Windows and Linux, the Heliconia Files framework provides a Firefox exploit chain. This article continues to discuss the three exploitation frameworks Google linked to Variston IT.

    Security Affairs reports "Google Links Three Exploitation Frameworks to Spanish Commercial Spyware Vendor Variston"

  • news

    Visible to the public "Nvidia GPU Driver Bugs Threaten Device Takeover & More"

    Nvidia's latest GPU Display Driver update fixes 29 security vulnerabilities, seven of which have a base score of more than 7. The company's graphics cards are designed to accelerate computing processing in order to support real-time or data-intensive applications. Therefore, they are well-known for their use in gaming, graphic design, and other creative fields, as well as in Artificial Intelligence (AI) and Machine Learning (ML). GeForce, Studio, Nvidia RTX, Quadro, NVS, and Tesla are among the software products affected by the update. According to the chipmaker, the most serious bugs are two flaws in the user mode layer for Windows versions that could allow an unauthorized user to execute code, escalate privileges, launch Denial-of-Service (DoS) attacks, and achieve data compromise and disclosure. With a CVSS score of 8.8, CVE-2022-34669 allows an unprivileged regular user to access or modify system files or other files critical to the application. CVE-2022-34671, with a CVSS score of 8.7, allows an unprivileged regular user to cause an out-of-bounds write. The latest security update also included several updates to the Linux display driver. This article continues to discuss the GPU Display Driver flaws that could expose gamers, graphic designers, and others to code execution, DoS attacks, data tampering, and more.

    Dark Reading reports "Nvidia GPU Driver Bugs Threaten Device Takeover & More"

  • news

    Visible to the public "LastPass, GoTo Announce Security Incident"

    LastPass and its affiliate GoTo (formerly LogMeIn) announced a security incident and, in the case of LastPass, a possible data breach. According to GoTo CEO Paddy Srinivasan, unusual activity was discovered within their development environment and third-party cloud storage service. It was also revealed that GoTo, a cloud-based Software-as-a-Service (SaaS) provider of remote work collaboration and Information Technology (IT) management tools, and LastPass, the company behind the popular password manager of the same name, share the third-party cloud storage service. Both companies are working with Mandiant to help their internal teams investigate the problem and have notified law enforcement. Furthermore, both companies' products and services continue to function normally. Although GoTo does not mention the compromise of any information, LastPass CEO Karim Toubba said their preliminary investigation has revealed that an unauthorized party was able to gain access to certain elements of their customers' information using information obtained in the August 2022 incident. The customers' passwords are said to remain safely encrypted due to LastPass's Zero Knowledge architecture. He was referring to an incident in August 2022 that resulted in a breach and the exfiltration of portions of source code as well as some proprietary LastPass technical information. This article continues to discuss the security incident announced by LastPass and GoTo.

    Help Net Security reports "LastPass, GoTo Announce Security Incident"

  • news

    Visible to the public "New Windows Malware Scans Victims' Mobile Phones for Data to Steal"

    Security researchers have discovered Dolphin, a previously unknown backdoor used by North Korean hackers in highly targeted operations for over a year to steal files and send them to Google Drive storage. According to ESET researchers, the APT37 threat group, also known as Reaper, Red Eyes, Erebus, and ScarCruft, used Dolphin against specific entities. Since 2012, the group has been linked to espionage activities aligned with North Korean interests. The malware was discovered in April 2021, and the researchers watched it evolve into new versions with improved code and anti-detection mechanisms. Dolphin is used in conjunction with BLUELIGHT, a basic reconnaissance tool seen in previous APT37 campaigns. However, BLUELIGHT has more powerful capabilities, such as stealing data from web browsers (passwords), taking screenshots, and logging keystrokes. BLUELIGHT is used to launch Dolphin's Python loader on a compromised system, but its role in espionage operations is limited. The Python loader includes a script and shellcode that launches multi-step XOR-decryption, process creation, and other operations, eventually resulting in the Dolphin payload being executed in a newly created memory process. Dolphin is a C++ executable that uses Google Drive as a command-and-control (C2) server as well as a storage location for stolen files. By modifying the Windows Registry, the malware achieves persistence. This article continues to discuss the distribution and capabilities of the Dolphin malware.

    Bleeping Computer reports "New Windows Malware Scans Victims' Mobile Phones for Data to Steal"

  • news

    Visible to the public "Schoolyard Bully Trojan Apps Stole Facebook Credentials From Over 300,000 Android Users"

    A new Android threat campaign called the Schoolyard Bully Trojan has infected over 300,000 users in 71 countries. The malware, which is primarily designed to steal Facebook credentials, is disguised as legitimate education-themed applications in order to trick unsuspecting users into downloading it. The apps, which were previously available for download from the official Google Play Store, have since been removed. Nonetheless, they are still available on third-party app stores. According to Zimperium researchers Nipun Gupta and Aazim Bill SE Yaswant, this Trojan steals Facebook credentials via JavaScript injection. It does this by launching Facebook's login page in a WebView and embedding malicious JavaScript code within it to exfiltrate the user's phone number, email address, and password to a configured command-and-control (C2) server. In order to avoid detection by antivirus software, the Schoolyard Bully Trojan also makes use of native libraries such as "libabc.so." While the malware targets Vietnamese language apps, it has also been discovered in a number of other apps available in over 70 countries, highlighting the scope of the attacks. This article continues to discuss the Schoolyard Bully Trojan apps stealing Facebook credentials from more than 300,000 Android users.

    THN reports "Schoolyard Bully Trojan Apps Stole Facebook Credentials From Over 300,000 Android Users"

  • news

    Visible to the public "Smart Inverters' Vulnerability to Cyberattacks Needs to Be Identified and Countered, According to Concordia Researchers"

    Distributed Energy Resources (DERs) are facilities owned by individuals or small businesses that can generate, store, and return power to energy grids, thus changing how power is used. As society seeks alternative energy sources, the technology is becoming more prevalent, but its growth has created a new field of vulnerabilities that invite cyberattacks. In order to interface with power grids, DERs such as home-based solar panels or electric vehicle chargers rely on field devices known as smart inverters. According to a new study conducted by researchers at Concordia University, these devices' reliance on digital information and communication technology can be attacked in various ways by malicious actors, posing serious consequences for the public. The researchers surveyed the smart inverter cybersecurity landscape and identified attack strategies at the device and grid levels. They also explored how to defend against, mitigate, and avoid these attack strategies. The researchers have described how attacks on smart inverters can take different forms, ranging from threats to individual devices to threats to the entire grid. Device attacks can disrupt communications between the device and the utility regulating energy flow, as well as with other devices, but hardware attacks are also possible. Reconnaissance, replay attacks, Distributed Denial-of-Service (DDoS) attacks, and Man-in-the-Middle (MITM) attacks could all be performed on communications links between the inverters and devices. Physical firmware attacks and hall spoofing, which involves manipulating electromagnetic fields around a device, are examples of tactics that target hardware. The researchers noted the possibility of cyberattacks on centralized control architectures and distributed control systems at the microgrid level. Many of these attacks involve injecting false data into the communications stream between the device and the regulator or preventing commands from being sent from the controller to the devices. These can cause power, voltage, and frequency oscillations, potentially hindering the microgrid's ability to distribute energy. This article continues to discuss the study on the cybersecurity of smart inverters in the smart grid.

    Concordia University reports "Smart Inverters' Vulnerability to Cyberattacks Needs to Be Identified and Countered, According to Concordia Researchers"

  • news

    Visible to the public "Sandworm Hacking Group Linked to New Ransomware Deployed in Ukraine"

    According to recent research from the cybersecurity firm ESET, there is a wave of ransomware attacks in Ukraine that may be the work of the state-backed Russian hacking group Sandworm. Several Ukrainian organizations were affected by RansomBoggs malware before it was recently found by ESET researchers. During the attack, several references were made to the animated film Monsters, Inc. The main character of the film, James P. Sullivan, is made the author of the ransom note that was sent to infected computers. There are references to the movie in the code, the executable file, and the hackers' Telegram account are all named Sullivan. The executable file and the hackers' Telegram account are both called Sullivan, and references to the film can be found throughout the code. RansomBoggs targeted at least five Ukrainian organizations. ESET has not detected this ransomware family in attacks outside of Ukraine. The use of RansomBoggs is similar to previous Sandworm attacks, which were linked to the 2017 NotPetya cyberattack, and disrupted Ukrainian government organizations, banks, media, and electricity suppliers. According to ESET spokeswoman Yulia Andrienko, RansomBoggs appears to be fake ransomware because the authors are not interested in extorting victims and instead want to disrupt organizations by locking up their data. Aside from the Monsters Inc. theme, she claims the ransomware is fairly standard. Sandworm has been active in Ukraine since the beginning of Russia's full-scale invasion in February, and it has been linked to other destructive attacks, including an April cyberattack on a Ukrainian energy provider using a new variant of the Industroyer malware. Hackers used the PowerShell script POWERGAP, as seen in the Industroyer2 attack, to deploy RansomBoggs payloads from the domain controller on the victims' networks. In March, a PowerShell script was also used to deliver the destructive CaddyWiper malware to several dozen systems at Ukrainian organizations. This article continues to discuss Sandworm hacking group suspected to be behind the new RansomBoggs attacks against organizations in Ukraine.

    The Record reports "Sandworm Hacking Group Linked to New Ransomware Deployed in Ukraine"

  • news

    Visible to the public "Control Failures Are the Primary Reason for Most Data Breaches"

    Panaseer has released the third edition of its Security Leaders Peer Report, which examines the concerns and constraints that CISOs and other senior cybersecurity leaders face in the US and the UK. According to Censuswide's survey of more than 800 respondents from large organizations, the failure of controls expected to be in place is the primary reason for data breaches, and 79 percent of enterprises have experienced cyber incidents that could have been avoided with existing safeguards. Therefore, while most breaches are preventable, they continue to occur, and security leaders are becoming increasingly frustrated. In addition, the report explores how the high-pressure environment in which security professionals work affects them personally. Many respondents stated that the inability to continuously measure enterprise-wide security posture and identify control failures is the root cause of their frustrations. Incidents that an expected control should have stopped were closely followed, with 68 percent frustrated by the inability to stop preventable breaches. Respondents also cited data and tooling issues as a greater motivator for security team resignations than higher pay and more seniority. Only 44 percent of organizations are extremely confident in their ability to continuously measure their control gaps. Respondents cited a lack of internal resources (39 percent), an inability to demonstrate remediation (38 percent), ineffective tooling (34 percent), and poor control failure visibility (34 percent), as reasons for their lack of confidence. However, 82 percent believe that monitoring and addressing expected control failure and risk would have a greater impact on their security posture than purchasing additional tools. This is especially important given the issue of tool sprawl. The two previous reports found that organizations often use more than 75 or even 100 security tools. This article continues to discuss key findings from Panaseer's third edition of its Security Leaders Peer Report.

    Continuity Central reports "Control Failures Are the Primary Reason for Most Data Breaches"

  • news

    Visible to the public "Predatory Loan Apps Found Targeting Victims in Google Play and Apple App Store"

    Researchers at the cybersecurity company Lookout discovered over 300 loan apps in both Google Play and the Apple App Store exhibiting predatory behavior, such as exfiltrating sensitive user data and harassing borrowers for payment. The apps, which can be found in Africa, Southeast Asia, India, Colombia, and Mexico, claim to provide quick, fully digital loan approvals with reasonable loan terms. However, the apps take advantage of potential victims' desire for quick cash to entice them into predatory loan contracts. Borrowers must grant access to sensitive information on their devices, such as contacts, phone history, and SMS messages, in order to obtain a loan through the apps. In addition to gaining access to data that would be unnecessary for a valid loan application process, many predatory loan operators have been described as engaging in "scam-like" behavior. Victims of the apps reported that the loans had hidden fees, high interest rates, and repayment terms that were far less favorable than what was advertised on the app stores. Lookout Threat Lab researchers also discovered evidence that data exfiltrated from devices is sometimes used to put customer pressure on repayment. Although the researchers do not use the term "extortion," those behind the apps often threaten to reveal a borrower's debt or other personal information to their network of contacts if the inflated loan payments are not made. Of the apps discovered, 251 were Android apps listed in Google Play, and 35 were found in the Apple App Store. The apps that were listed for iOS users were among the top 100 finance apps in regional app stores, indicating that Apple was unintentionally promoting them. This article continues to discuss the malicious loan apps found in Google Play and the Apple App Store.

    SiliconANGLE reports "Predatory Loan Apps Found Targeting Victims in Google Play and Apple App Store"

  • news

    Visible to the public "MIT Policy Hackathon Produces New Solutions for Technology Policy Challenges"

    The MIT Policy Hackathon, run by students from the Institute for Data, Systems, and Society (IDSS), is an interdisciplinary competition that brings together participants from all over the world to explore potential solutions to some of society's most pressing issues. Unlike other competitions of its kind, MIT's event, according to Jorge Sandoval, a second-year graduate student in MIT's Technology and Policy Program (TPP), emphasizes a humanistic approach. The goal of the hackathon is to promote technology applications that are humanistic or human-centered. The initiative allows participants to analyze aspects of technology in contexts where they interact with society and people, an opportunity that most technical competitions do not provide because their primary focus is on technology. The competition began with 50 teams divided into four challenge categories. Internet and Cybersecurity, Environmental Justice, Logistics, and Housing and City Planning were among the categories this year. This article continues to discuss the MIT Policy Hackathon exploring solutions to challenges in cybersecurity and more.

    MIT reports "MIT Policy Hackathon Produces New Solutions for Technology Policy Challenges"

  • news

    Visible to the public "Cyber and Physical Threats Illuminate Need for Security Convergence in Energy Sector"

    Security convergence refers to joining cyber and physical security into a single organizational structure. Since ASIS International and the Information Systems Audit and Control Association (ISACA) established the Alliance for Enterprise Security Risk Management, an organization dedicated to security convergence, it has been a topic of discussion among practitioners. Yet, according to Megan Gates in the latest issue of Security Management, only 52.5 percent of large companies surveyed are "fully or partially converged." Gates also makes reference to the Colonial Pipeline incident, which showed the need for security functions to be combined after a crippling ransomware attack in May. Colonial Pipeline had operated as a siloed program for physical and cybersecurity. With cyber and physical security information siloes in place, critical infrastructure providers, especially those in the energy sector, cannot operate effectively. State actors are increasingly using cyberattacks on the grid to punish adversaries in a non-attributional or obfuscated manner. Earlier this year, the Department of Homeland Security (DHS) issued a warning about domestic violent extremists targeting infrastructure to launch physical attacks in order to cause widespread chaos and undermine public trust in the government. The Nord Stream pipeline was sabotaged beneath the Baltic Sea in September, serving as a reminder of the disruption that a surgical attack can cause on vulnerable infrastructure. The threat of a converged attack, in which a sophisticated threat actor gains access to a critical site or location and introduces malware directly into ICS/SCADA systems, has only increased. A coordinated cyber and physical attack on disparate key bulk-electric system nodes simultaneously could have amplifying and cascading consequences. A converged or dedicated cross-functional team can charter a combined threat working group, develop an internal risk intelligence function, and incorporate threat-informed validation of security controls and procedures to manage these security contingencies or risks with low probability but high consequence. This article continues to discuss cyber and physical threats and the need for security convergence in the energy sector.

    HSToday reports "Cyber and Physical Threats Illuminate Need for Security Convergence in Energy Sector"

  • news

    Visible to the public "Three Out of Four Organizations Are Still Vulnerable to Log4Shell"

    The Log4j or Log4Shell vulnerability first made headlines in December 2021, sending shockwaves through the cybersecurity community. According to new Tenable research based on data from more than 500 million tests, 72 percent of organizations are still vulnerable to Log4Shell as of October of this year. An analysis revealed that one in every ten assets was vulnerable to Log4Shell as of December 2021, including various servers, web applications, containers, and Internet of Things (IoT) devices. The data showed that by October 2022, 2.5 percent of assets were vulnerable. Despite this, nearly one-third (29 percent) of these assets had Log4Shell recurrences after full remediation. Full remediation is difficult to achieve for such a widespread vulnerability, and it is essential to remember that vulnerability remediation is not a "one and done" process, according to Bob Huber, CSO at Tenable. Although an organization may have been fully remediated at some point, they are likely to encounter Log4Shell repeatedly as they add new assets to their environments. Eradicating Log4Shell is a never-ending battle that requires organizations to constantly scan their environments for the flaw and other known vulnerabilities. Some industries have managed better than others, with engineering (45 percent), legal services (38 percent), financial services (35 percent), non-profit (33 percent), and government (30 percent) leading the pack in terms of the number of organizations fully remediated. About 28 percent of Certified Information Systems Auditor (CISA)-defined critical infrastructure organizations have completed full remediation. This article continues to discuss the long-lasting impact of the Log4Shell vulnerability on organizations.

    BetaNews reports "Three Out of Four Organizations Are Still Vulnerable to Log4Shell"

  • news

    Visible to the public "Majority of US Defense Contractors Not Meeting Basic Cybersecurity Requirements"

    According to researchers at CyberSheath, nearly nine in 10 (87%) of US defense contractors are failing to meet basic cybersecurity regulation requirements. The researchers surveyed 300 US-based Department of Defense (DoD) contractors and found that just 13% of respondents have a Supplier Risk Performance System (SPRS) score of 70 or above. Under the Defense Federal Acquisition Regulation Supplement (DFARS), a score of 110 is required for full compliance. The researchers noted that anecdotally, a score of 70 is believed to be "good enough" to be considered compliant. DFARS, which was enacted into law in 2017, is designed to bolster cybersecurity in the defense industrial base. In the future, defense contractors will have to comply with the Cybersecurity Maturity Model Certification (CMMC), a certification framework they must pass to bid for contracts with the DoD. The first version of CMMC was released in January 2020, with an updated version, 2.0, coming into effect in May 2023. The researchers stated that the study suggests that the vast majority of DoD defense contractors are neither meeting current DFARS obligations nor in a position to comply with the updated version of CMMC. The researchers stated that this could have major consequences for defense contractors, nearly half of whom would lose up to 40% of their revenue if DoD contract loss occurs. The researchers also found that 70% of respondents have not deployed security information and event management (SIEM), 79% lack a comprehensive multi-factor authentication system, 73% do not have an endpoint detection response (EDR) solution and 80% lack a vulnerability management solution. The researchers stated that a major factor in non-compliance appears to be a lack of understanding of government cybersecurity regulations, which was cited by 82% of respondents. Around three-fifths of respondents rated the difficulty of understanding CMMC compliance as seven out of 10.

    Infosecurity reports: "Majority of US Defense Contractors Not Meeting Basic Cybersecurity Requirements"

  • news

    Visible to the public "New Connected Device Security Maturity Model Helps Orgs Strengthen Cybersecurity"

    Ordr, a connected device security firm, has released a maturity model to aimed at helping healthcare organizations evaluate and improve their connected devices' security. The guide is divided into five maturity stages, each with recommended actions and detailed descriptions. Medical devices and other connected devices continue to pose a security risk to healthcare organizations. Although legislators have expressed interest in the issue, experts have stated that healthcare organizations must continue to prioritize device security internally while waiting for legislation to be passed. The idea of a maturity model is not unique to connected device security. According to the document, the National Institute of Standards and Technology (NIST) and others have developed models to help organizations progress from the most basic security levels to the most advanced levels in a logical sequence. Purchasing the most sophisticated tools is only useful if the other components required for an organization to successfully leverage its capabilities are in place. Therefore, it is important in all of these models, to begin with people and processes. Asset visibility is the first step in the new maturity model. It is impossible to secure all connected devices on a network if organizations do not know what they are. This step includes suggestions for automating new device discovery and identifying initial device risk. The maturity model suggests that organizations focus on vulnerability and risk management. Organizations are encouraged to gain a comprehensive view of risk at this stage by identifying known vulnerabilities, using external sources such as threat feeds, and identifying risky traffic patterns. Reactive and proactive security are the third and fourth steps. The maturity model recommends that organizations use the insights from previous stages to help teams understand device risk and establish priorities during the reactive security stage. In order to reduce the attack surface, the model recommends that teams automate workflows and policies and implement zero-trust segmentation during the proactive security stage. This article continues to discuss the maturity model published by Ordr to help healthcare organizations evaluate and improve the security of their connected devices.

    HealthITSecurity reports "New Connected Device Security Maturity Model Helps Orgs Strengthen Cybersecurity"

  • news

    Visible to the public Spotlight on Lablet Research #36 - Coordinated Machine Learning-Based Vulnerability and Security Patching for Resilient Virtual Computing Infrastructure

    Spotlight on Lablet Research #36 -

    Coordinated Machine Learning-Based Vulnerability and Security Patching for Resilient Virtual Computing Infrastructure

  • news

    Visible to the public SoS Musings #67 - Bolstering Firmware Security

    SoS Musings #67 -

    Bolstering Firmware Security

  • news

    Visible to the public Cybersecurity Snapshots #36 - Phobos Ransomware

    Cybersecurity Snapshots #36 -

    Phobos Ransomware

  • news

    Visible to the public "Zero-Day Flaw Discovered in Quarkus Java Framework"

    Security researchers at Contrast Security have discovered a high-severity zero-day vulnerability in the Red Hat build of Quarkus, a full-stack, Kubernetes-native Java framework optimized for Java virtual machines (JVMs) and native compilation. Tracked CVE-2022-4116, the flaw has a CVSS v3 base score rating of 9.8 and can be found in the Dev UI Config Editor, which is vulnerable to drive-by localhost attacks, potentially leading to remote code execution (RCE). According to the researchers, exploiting the vulnerability is relatively straightforward and can be done by a threat actor without any privileges. The researchers noted that, to be clear, CVE-2022-4116 doesn't impact services running in production; it only impacts developers building services using Quarkus. If a developer running Quarkus locally visits a website with malicious JavaScript, that JavaScript can silently execute code on the developer's machine. The researchers are not sure how extensively the Red Hat build of Quarkus is used. Having been started only in 2019, Quarkus is now reportedly getting more popular, particularly in Kubernetes use cases, given its ease of use and significantly lighter demand on hardware resources to run and to run applications. The researchers noted that the Quarkus team released a fix for CVE-2022-4116 with version 2.14.2.Final and 2.13.5.Final long-term support (LTS) that requires the Dev UI to check the origin header so that it only accepts requests that contain a specific header set by the browser and not modifiable by JavaScript. The researchers stated that while CVE-2022-4116 has been fixed, there are likely many more equivalent vulnerabilities in other frameworks.

    Infosecurity reports: "Zero-Day Flaw Discovered in Quarkus Java Framework"

  • news

    Visible to the public "Where CISOs Rely on AI and Machine Learning to Strengthen Cybersecurity"

    As malware-less attacks become increasingly difficult to detect and stop, CISOs face a threat landscape in which malicious actors grow more sophisticated than security and Information Technology (IT) teams can keep up. However, Artificial Intelligence (AI) and Machine Learning (ML) are proving effective in bolstering cybersecurity by increasing response speeds and securing digital transformation projects in the works. Both AI and ML technologies help cybersecurity and IT teams improve the insights, productivity, and economies of scale that smaller teams can achieve. Ninety-three percent of IT executives are already using or planning to use AI and ML to strengthen their cybersecurity technology stacks. Sixty-four percent of those IT executives have incorporated AI for security into at least one of their security life cycle processes, and 29 percent are exploring vendors. The need to complete more revenue-related projects with fewer resources is one of the main factors driving adoption, according to CISOs who spoke with VentureBeat. Additionally, apps and platforms powered by AI and ML help address the cybersecurity skills gap that puts organizations at a higher risk of breaches. To effectively secure assets, 3.4 million more cybersecurity workers are required, according to the (ISC)2 Cybersecurity Workforce Study. CISOs also require the real-time data insights provided by AI and ML-based systems in order to fine-tune predictive models, gain a comprehensive view of their networks, and continue implementing their zero-trust security framework and strategy. Therefore, enterprise spending on AI- and ML-based cybersecurity solutions is expected to grow at a 24 percent Compound Annual Growth Rate (CAGR) through 2027, reaching a market value of $46 billion. This article continues to discuss how CISOs can use AI and ML to improve cybersecurity.

    VB reports "Where CISOs Rely on AI and Machine Learning to Strengthen Cybersecurity"

  • news

    Visible to the public Cyber Scene #74 - Chips Ahoy on Cyber Thursday Horizon

    Cyber Scene #74 -

    Chips Ahoy on Cyber Thursday Horizon

  • news

    Visible to the public "Businesses Increasing Cyber Spend Without Clear Strategy, Fastly Finds"

    According to security researchers at Fastly, most businesses worldwide claim to be confident that their current cybersecurity budgets are fit for their needs, but at the same time, they would be willing to spend more. The researchers noted that while 71% of businesses highlighted their confidence in their current budgets, 73% of the same businesses are willing to increase their budget. In the US specifically, over 85% of IT leaders consider their current budget adequate, but 79% are still thinking of increasing it. The researchers noted that one explanation is that IT leaders fear lagging behind the evolving cyber threat landscape and put their trust in technology to help them catch up and prepare for future cybersecurity risks. The researchers stated that overwhelmed and overworked, and IT leaders are putting their faith in an abundance of tools and technologies and hoping for their best. But according to the researchers, the majority of organizations are increasing spending with no clear strategy. The researchers noted that spending more money doesn't necessarily equate to a safer business. Instead, it can create the illusion of security and ironically put the businesses at even greater risk down the line when their security tools don't work. According to the researchers, 39% of current cybersecurity tools are not fully deployed and active, and 42% of the ones that are fully operational overlap, protecting organizations against the same threats. The researchers stated that for IT leaders, this abundance of overlapping technologies means more time spent managing them, despite gaining no additional benefits from solutions doing the same job. The researchers stated that when these tools do run, they regularly do not work. The researchers concluded that increasing budgets won't necessarily guarantee an organization's security. Instead, many organizations need a full re-evaluation of their cybersecurity toolings and a reinvestment into a smaller set of interoperable, best-in-breed technologies that work together to provide an effective, tailored security solution.

    Infosecurity reports: "Businesses Increasing Cyber Spend Without Clear Strategy, Fastly Finds"

  • news

    Visible to the public "Most Small Biz IaaS Users Seeing Surge in Attacks"

    Security researchers at Sophos have found that SMBs are increasingly exposed via their cloud infrastructure, with over half experiencing an increase in the volume (56%) and complexity (59%) of attacks over the past year. The researchers surveyed 4984 IT professionals across 31 countries whose organizations use Infrastructure as a Service (IaaS). The researchers noted that most (53%) respondents claimed they also experienced an increased impact from the attacks they suffered over the past year, while two-thirds (67%) admitted that they were hit by ransomware. The researchers noted that there might be a few clues as to why this might be: only 37% of respondents said they track and detect resource misconfigurations, and only 43% routinely scan IaaS resources for software vulnerabilities. Two-thirds (66%) don't have visibility of all resources and their configurations, while just a third (33%) said they're able to continuously detect, investigate and remove IaaS cyber threats. The researchers noted that securing access to cloud resources is also an issue for many. Only two-thirds (40%) of surveyed SMBs have intrusion prevention (IPS) in place, and only slightly more (44%) use a web application firewall (WAF) to protect their web-facing applications and APIs. The researchers stated that with the market for public cloud services set to grow to nearly $600bn next year, SMBs must prioritize security.

    Infosecurity reports: "Most Small Biz IaaS Users Seeing Surge in Attacks"

  • news

    Visible to the public "China-Linked UNC4191 APT Relies on USB Devices in Attacks Against Entities in the Philippines"

    Researchers at Mandiant discovered an alleged China-linked cyberespionage group, UNC4191, using Universal Serial Bus (USB) devices as attack vectors in campaigns targeting entities in the Philippines. This campaign has been active since September 2021 and has targeted public and private sector entities primarily in Southeast Asia, as well as organizations in the US, Europe, and APJ. Even when the targeted organizations were based elsewhere, the specific systems targeted by UNC4191 were discovered to be physically located in the Philippines. In order to side-load malware, the attackers used legitimately signed binaries. Mandiant has been tracking the use of three new families, MISTCLOAK, DARKDEW, and BLUEHAZE. The infection chain starts when a user plugs in a compromised removable device and manually executes a renamed signed binary from the storage volume's root directory. The initial binaries are versions of USB Network Gate, a legitimately signed application developed by the company Electronic Team. These are used to deliver the MISTCLOAK malware, which masquerades as a legitimate Dynamic Link Library (DLL). When the target system is infected, UNC4191 launches a renamed NCAT binary and executes a reverse shell to keep a foothold. The malicious code is wormable and replicates itself by infecting new removable drives plugged into a compromised system, meaning the payloads spread to other systems and may compromise air-gapped systems. The threat actors have been observed enumerating domain trusts and querying domain and local group permissions within minutes. This article continues to discuss the UNC4191 Advanced Persistent Threat (APT) group using USB devices in attacks against entities in the Philippines.

    Security Affairs reports "China-Linked UNC4191 APT Relies on USB Devices in Attacks Against Entities in the Philippines"

  • news

    Visible to the public "33% Of Attacks in the Cloud Leverage Credential Access"

    The Elastic Global Threat Report 2022 details the evolving nature of cybersecurity threats as well as the increased sophistication of cloud and endpoint-related attacks. Thirty-three percent of cloud attacks use credential access, suggesting that users overestimate the security of their cloud environments and, as a result, fail to configure and protect them adequately. Fifty-eight percent of initial access attempts used a combination of traditional brute-force attempts and password spraying using previously compromised credentials. AWS accounted for nearly 57 percent of cloud security telemetry, followed by Google Cloud (22 percent) and Azure (21 percent). Although commercial adversary simulation software such as CobaltStrike benefits many teams' environment defense, it is also being used as a malicious tool for mass-malware implants. According to Elastic Security Labs, CobaltStrike was the most common malicious binary or payload for Windows endpoints, making up nearly 35 percent of all detections, followed by AgentTesla at 25 percent and RedLineStealer at 10 percent. Threat actors use more than 50 endpoint infiltration techniques, indicating that endpoint security is effective, as its sophistication requires threat actors to constantly find new or novel methods of attack in order to be successful. While credential access techniques have been a priority for attackers, their investment in defense evasion techniques shows a reaction to security technology advancements that have impacted their success. When combined with execution techniques, attackers can circumvent advanced endpoint controls while remaining undetected within the environments of organizations. This article continues to discuss key findings from the 2022 Elastic Global Threat Report.

    Help Net Security reports "33% Of Attacks in the Cloud Leverage Credential Access"

  • news

    Visible to the public "The Metaverse Could Become a Top Avenue for Cyberattacks in 2023"

    Both maturing and emerging consumer-facing cyber threats could add to the numerous challenges that enterprise security teams will face in 2023. In their analysis of how the cyber threat landscape is likely to change over the coming year, researchers predict that threat actors will advance the use of many of their current tactics while also looking into new attack vectors via social media, streaming services, and online gaming platforms. For business administrators, the expansion of brands into the metaverse may expose them to attack. The metaverse is a theoretical universal and immersive virtual world made possible by the use of virtual reality and social media on the Internet. In the age of remote work and Bring-Your-Own-Device (BYOD), any consumer threat is potentially an enterprise threat, so Information Technology (IT) security teams must keep up with the latest developments in this area. Cybercriminals are expected to continue exploiting the post-pandemic surge in consumer interest in online streaming services in order to distribute malware, steal data, and carry out other malicious activity. Many of the attacks will go after people looking for alternative sources to download a legitimate streaming app or a specific episode of a show. Cybercriminals will use highly anticipated titles and streaming service provider names such as Netflix, Hulu, and Amazon Prime Video to trick users into downloading malware or visiting phishing sites. Consumers will also be subjected to more gaming subscription fraud and scams involving virtual currencies and artifacts. Attackers will primarily target games that use currencies and allow the sale of in-game items and boosters because they provide a means for threat actors to process money obtained through other illegal activities. This article continues to discuss how cybercriminals can use the metaverse as an attack avenue.

    Dark Reading reports "The Metaverse Could Become a Top Avenue for Cyberattacks in 2023"

  • news

    Visible to the public "Crafty Threat Actor Uses 'Aged' Domains to Evade Security Platforms"

    'CashRewindo,' a sophisticated threat actor, has been using 'aged' domains in global malvertising campaigns that lead to investment scam sites. Malvertising is the injection of malicious JavaScript code into legitimate advertising networks' digital ads, redirecting website visitors to pages that host phishing forms, drop malware, or run scams. CashRewindo malvertising campaigns have impacted people in Europe, North and South America, Asia, and Africa, with customized language and currency used to appear legitimate to the local audience. Confiant analysts have been monitoring CashRewindo since 2018, and the threat actor stands out for an unusually crafty approach to setting up malicious advertising operations with great attention to detail. Domain aging occurs when threat actors register domains and then wait years to use them in order to avoid detection by security platforms. This method works because old domains that have not been involved in malicious activity for a long time gain trust on the Internet, making them less likely to be flagged as suspicious by security tools. According to Confiant, CashRewindo uses domains that have been inactive for at least two years before having their certificates updated and a virtual server assigned. The security firm identified at least 487 domains used by the specific threat actor, some of which were registered as early as 2008 and were used for the first time in 2022. Victims arrive at these landing pages after clicking on infected ads on legitimate websites. This article continues to discuss the use of aged domains in CashRewindo malvertising campaigns.

    Bleeping Computer reports "Crafty Threat Actor Uses 'Aged' Domains to Evade Security Platforms"

  • news

    Visible to the public "This Malicious App Abused Hacked Devices to Create Fake Accounts on Multiple Platforms"

    A malicious Android SMS app found on the Google Play Store has been discovered to stealthily harvest text messages in order to create accounts on a variety of platforms such as Facebook, Google, and WhatsApp. The app, Symoo, had more than 100,000 downloads and served as a relay for messages to a server advertising an account creation service. This is accomplished by using phone numbers associated with infected devices to obtain the one-time password that is typically sent to verify the user when creating new accounts. The malware requests the user's phone number on the first screen, according to security researcher Maxime Ingrao, who discovered the malware. It also requests SMS permissions. Then it pretends to load the application but stays on this page the entire time, in order to hide the interface of the received SMS and prevent the user from seeing the SMS of subscriptions to various services. Amazon, Discord, Facebook, Google, Instagram, KakaoTalk, Microsoft, Nike, Telegram, TikTok, Tinder, Viber, and WhatsApp are among the major services impacted by this operation. This article continues to discuss the malicious app used to harvest text messages to create accounts on a wide range of platforms.

    THN reports "This Malicious App Abused Hacked Devices to Create Fake Accounts on Multiple Platforms"

  • news

    Visible to the public "Trio of New Vulnerabilities Allow Code Manipulation, Denial of Service (And Worse) For Industrial Controllers"

    Vedere Labs researchers revealed three new security flaws that can be exploited to attack automated industrial controllers and widely used software applied to program millions of smart devices in critical infrastructure. The vulnerabilities, tracked as CVE-2022-4048, CVE-2022-3079, and CVE-2022-3270, enable logic manipulation and Denial-of-Service (DoS), mainly affecting products from two major German vendors: Festo automated controllers and CODESYS runtime. Developers use CODESYS to program smart devices. The application is used by hundreds of device manufacturers across multiple industrial sectors. The flaws are part of OT Icefall, a larger research project undertaken by Vedere Labs to increase awareness of security flaws in Operational Technology (OT) systems that control the machinery powering much of critical infrastructure. Earlier this year, the company disclosed nearly 60 of such vulnerabilities impacting over a dozen major industrial products and equipment. According to Daniel Dos Santos, head of security research at Vedere Labs, the three vulnerabilities exploit poor cryptography, a lack of authentication, and insecure engineering. These are among the most common ones discovered as part of the project, and they highlight long-standing core security and supply chain challenges faced in many industrial sectors. An attacker could exploit CODESYS' weak built-in cryptographic protocols to decrypt or manipulate protected code, or exploit authentication failures in Festo controllers to gain access to a previously hidden web application page that allows them to persistently reboot the device, shutting it down. DoS can be especially dangerous for OT equipment and critical infrastructure entities operating around the clock. Vedere Labs has discovered and reported at least three different methods for exploiting the vulnerability and forcing a reboot of Festo Programmable Logic Controllers (PLCs). This article continues to discuss the three security vulnerabilities disclosed by researchers at Vedere Labs and OT being insecure by design.

    SC Media reports "Trio of New Vulnerabilities Allow Code Manipulation, Denial of Service (And Worse) For Industrial Controllers"

  • news

    Visible to the public "What the Census Bureau Can Learn From the IRS About Detecting Cyberattacks"

    Separate reports from agency watchdogs revealed the difference proper detection control implementation could make in limiting the impact of attempted cyber intrusions. One report highlighted a foiled ransomware attack against the Internal Revenue Service (IRS), and the other covered an internal penetration test of the Census Bureau's resilience. According to a November 23 report, IRS personnel told the Treasury Department's Inspector General for Tax Administration (TIGTA) that their centralized information security hub responded to and neutralized a ransomware attack detected in May. The TIGTA report linked the IRS' successful detection and response to testing procedures incorporated into its policies in accordance with the National Institute of Standards and Technology (NIST) and the US Homeland Security Department's Cybersecurity and Infrastructure Security Agency (CISA) guidelines. Another Commerce Department inspector general report showed how incomplete implementation of similar policies, in this case at the Census Bureau, can produce wildly disparate results. The Census Bureau is required to record and monitor network activity and respond to alerts about potential security incidents, but it failed to do so, according to a November 22 report based on a covert penetration test it conducted from August 2021 to March this year. This article continues to discuss lessons that the Census Bureau can learn from the IRS in regard to detecting cyberattacks.

    NextGov reports "What the Census Bureau Can Learn From the IRS About Detecting Cyberattacks"

  • news

    Visible to the public "Five Principles to Help Secure Technology Supply Chains"

    Factory fires were once the most common source of supply chain disruption, but the landscape has shifted as globalization has resulted in distributed supply chains. Logistics powered by Artificial Intelligence (AI) enable just-in-time component delivery. New threats, such as ransomware, pose new risks to manufacturers, making cyberattacks one of the most significant sources of disruption. With new risks and threats, the new supply chain normal calls for a new approach to securing technology supply chains. It is critical to illuminate supply chains so that organizations can see what they are purchasing and from whom. Although most businesses know who their direct suppliers are, few know who their second-tier suppliers are. The Software Bill of Materials (SBOM) initiative seeks to provide this illumination on the software side. As vendors start requiring SBOMs from their suppliers, a list of all the software libraries and building blocks that go into a finished product or service can be inventoried. It is important to be able to make risk- and threat-informed supplier decisions. For example, software that relies on an unmaintained open-source library may pose a risk. Similarly, Chinese companies' products may pose a threat. The 2023 National Defense Authorization Act (NDAA) includes language requiring the Department of Homeland Security (DHS) to only purchase software with no known vulnerabilities for critical functions. This article continues to discuss principles to help bolster the security of technology supply chains.

    HSToday reports "Five Principles to Help Secure Technology Supply Chains"

  • news

    Visible to the public "Attacks Using Encryption Are Successfully Breaching Many Organizations"

    Vectra AI recently published a report titled "The Evolving Role of Network Detection and Response (NDR)." According to the report, 70 percent of organizations have been the victim of an attack that used encrypted traffic to avoid detection. Almost half (45 percent) revealed having fallen victim to such attacks multiple times. Sixty-six percent still lack visibility into all encrypted traffic, thus increasing their vulnerability to future encrypted attacks. According to the report, cybersecurity and networking professionals are struggling to keep up with rapidly increasing threat detection and response workloads, which prevents analysts from dealing with sophisticated threats. Forty-five percent of cybersecurity and networking professionals believe threat detection and response workloads have increased, with 40 percent citing more cloud resources and 36 percent citing more network devices. In addition, 37 percent believe threat sophistication has increased, making it difficult for analysts to detect legitimate attacks. Furthermore, the lag between exploitation and detection gives attackers a lot of time to breach a network, according to 69 percent of respondents, with 29 percent citing communication issues between the Security Operations Center (SOC) and other Information Technology (IT) teams. This article continues to discuss key findings from Vectra AI's report on changing role of NDR.

    Continuity Central reports "Attacks Using Encryption Are Successfully Breaching Many Organizations"

  • news

    Visible to the public "Cybercriminals Selling Access to Networks Compromised via Recent Fortinet Vulnerability"

    Security researchers at Cyble have recently observed initial access brokers (IABs) selling access to enterprise networks likely compromised via a recently patched critical vulnerability in Fortinet products. Tracked as CVE-2022-40684 and impacting FortiOS, FortiProxy, and FortiSwitchManager products, the vulnerability was publicly disclosed in early October, when it was already exploited in malicious attacks. The researchers noted that the issue is an authentication bypass allowing a remote attacker to use specially crafted HTTP or HTTPS requests to perform unauthorized operations on a vulnerable appliance's admin interface. The researchers stated that, essentially, the security defect provides the attacker with admin access to SSH on the target appliance, allowing the attacker to update or add a valid public SSH key to the device and gain complete control over it. According to Cyble, there are more than 100,000 FortiGate firewalls accessible from the internet, and any of these instances that have not been patched might become a target for the attackers. Cyble noted that it has already seen cybercriminals offering access to networks that were likely compromised via CVE-2022-40684. The researchers say that they observed a threat actor "distributing multiple unauthorized Fortinet VPN access over one of the Russian cybercrime forums. While analyzing the access, it was found that the attacker was attempting to add their own public key to the admin user's account. The victim organizations were using outdated FortiOS. Hence, with high confidence, the researchers concluded that the threat actor behind this sale exploited CVE-2022-40684. The researchers noted that attacks targeting Fortinet instances have been ongoing since October 17. In mid-October, Fortinet raised the alarm on the increasing number of attacks targeting CVE-2022-40684, warning of a slow patching pace and of the public availability of proof-of-concept (PoC) code.

    SecurityWeek reports: "Cybercriminals Selling Access to Networks Compromised via Recent Fortinet Vulnerability"

  • news

    Visible to the public "Community Health Network Notifies 1.5M of Data Breach Stemming From Tracking Tech"

    Community Health Network, an Indiana-based integrated healthcare system, notified 1.5 million people about a data breach caused by the use of third-party tracking technologies from companies such as Facebook and Google. Facebook's parent company, Meta, is under investigation for using tracking pixels on hospital websites and inside password-protected patent portals. Tracking pixels are commonly used to track visitor activity and trends, as well as for targeted marketing. The tracking technology was used by Community Health Network to better understand how patients and other users interacted with its website, according to the health system. When Community Health Network became aware of concerns about the use of third-party tracking technologies by healthcare organizations, it launched an internal investigation that included hiring a third-party forensic firm to perform a thorough technical evaluation of the technologies used on its websites and applications. Community Health Network began disabling and removing certain technologies from its websites and applications after discovering that the third-party technology had been installed on its patient portal and some appointment scheduling sites. The investigation revealed on September 22, 2022, that the configuration of certain technologies enabled more information to be collected and transmitted to each corresponding third-party tracking technology vendor than Community Health Network had intended. The type of information that could be transmitted varied depending on the user's activity and the configuration of each device. IP addresses, locations, scheduled appointment times, MyChart communications, and other information could have been included. This article continues to discuss the Community Health Network data breach, as well as the breach faced by Kaiser Permanente and the ransomware attack on the provider of prosthetics, orthotics, and accessibility solutions Wright & Filippis.

    HealthITSecurity reports "Community Health Network Notifies 1.5M of Data Breach Stemming From Tracking Tech"

  • news

    Visible to the public "Virginia County Confirms Personal Information Stolen in Ransomware Attack"

    Southampton County in Virginia recently started informing individuals that their personal information might have been compromised in a ransomware attack. The incident was identified in September when a threat actor accessed a server at Southampton and encrypted the data that was stored on it. The county stated that it took steps to contain the attack immediately after identifying it and that it launched an investigation into the incident to determine the type of data that might have been compromised. The county noted that the investigation revealed that personal information such as names, addresses, driver's license numbers, and Social Security numbers might have been compromised. Southampton County also confirmed that the threat actor behind the attack has posted some of the stolen data online. The county noted that after they recovered from this incident, a single W-2 form appeared on the dark web with the criminal claiming that they removed sensitive data from the encrypted Southampton server. The server in question held some archived County information. In September, the LockBit 3.0 gang boasted on their leaks site on the Tor network about the attack on Southampton County. The ransomware gang has only made public several screenshots showing mostly the names of folders allegedly stolen from the county's systems. However, the page dedicated to Southampton also displays a "destroy all information" button and a "download data at any moment" button, both with a price tag of $90,000.

    SecurityWeek reports: "Virginia County Confirms Personal Information Stolen in Ransomware Attack"

  • news

    Visible to the public "Ransomware Gang Takes Credit for Maple Leaf Foods Hack"

    The Black Basta ransomware group has recently taken credit for the recently disclosed attack on Canadian meat giant Maple Leaf Foods. The cybercriminals have made public several screenshots of technical documents, financial information, and other corporate files to demonstrate that they gained access to Maple Leaf Foods systems. Maple Leaf Foods announced in early November that it was experiencing an outage due to a cyberattack. Maple Leaf Foods employs roughly 14,000 people and has a presence in Canada, the US, and Asia. Maple Leaf Foods is not the only major Canadian company targeted by the Black Basta ransomware group. The adversaries recently also targeted the supermarket and pharmacy chain Sobeys. The group has also hacked into the systems of defense giant Elbit. The Black Basta gang has named more than 100 organizations on its leak website. The group's success is not surprising, considering it's likely linked to the notorious Russian cybercrime group FIN7.

    SecurityWeek reports: "Ransomware Gang Takes Credit for Maple Leaf Foods Hack"

  • news

    Visible to the public "Research Institute RISE Engages Ethical Hackers at New Cybersecurity Test Facility"

    RISE, a Swedish state-owned research institute, is in the pilot phase of establishing what it calls Europe's most advanced cybersecurity hub for vehicles, which has been planned since 2021. The RISE Cyber Test Lab for Automotive facilitates vehicle testing by utilizing cutting-edge cyber technology and rigorous analysis methods. Developers can assess vulnerabilities in key areas such as virtual testing and digital twins, embedded software in-vehicle units, and vehicle cloud-based software using various test benches. In addition, simulation/virtualization, subsystem testing, and semi-virtual and full vehicle evaluation in controlled environments will be available as evaluation services. RISE says that the Cyber Test Lab will provide a complete chain of testing capabilities by connecting RISE's existing Cyber Range digital test bed with its driverless vehicle test areas at Automotive Wireless Test and Research Facility and AstaZero, both of which are also in Sweden. Therefore, developers can stress-test new technologies and products in various ways throughout the research and development process. Furthermore, through collaborations with telecommunication experts and ethical hackers, Cyber Test Lab will provide specialized knowledge. The industry's use of ethical hackers, according to Tomas Bodeklint, head of operations at Cyber Test Lab, is critical in testing vehicles to their limits. The ethical hackers are chosen from the existing Cyber Range in Stockholm. The Cyber Test Lab's launch is especially significant when cyberattacks and cyber threats against infrastructure and connected technology are becoming a rapidly growing problem worldwide. This article continues to discuss the RISE Cyber Test Lab.

    Automotive Testing Technology International Magazine reports "Research Institute RISE Engages Ethical Hackers at New Cybersecurity Test Facility"

  • news

    Visible to the public  "New 'Faraday Cage' Research Facility to Help Combat Digital Crime"

    Specific computer forensic testing procedures for electronic systems require using an isolated environment free of electromagnetic interference, known as a "Faraday Cage." Therefore, a team of digital forensics researchers at the University of Huddersfield has now replicated the same technology on a larger scale in order to research and develop new techniques to combat cybercrime. Professor Simon Parkinson, Director of the University's Center for Cybersecurity, has been the leader in the installation of the new Faraday Cage facility. This new facility allows for the rapid development and testing of new digital forensic processes to assist law enforcement in meeting the massive growth rate in digital crime, according to Professor Parkinson. Professor Parkinson, Dr. Saad Khan, and Dr. Monika Roopak have been using the facility to investigate ways to help police forces and law enforcement agencies meet the enormous demand for viewing, processing, and analyzing digital evidence. One of these areas has involved investigating instances of illegal image storage and distribution. The facility and its research are also being used to teach students studying computer science, cybersecurity, and digital forensics, ensuring that students are learning the most up-to-date techniques for combating digital crime. This article continues to discuss the goals of the new Faraday Cage facility at the University of Huddersfield.

    University of Huddersfield reports "New 'Faraday Cage' Research Facility to Help Combat Digital Crime"

  • news

    Visible to the public "Experts Find 16,000+ Scam FIFA World Cup Domains"

    Security researchers at Group-IB have warned of a deluge of phishing scams, fake apps, and malicious merchandising sites spoofing the branding of the FIFA World Cup in Qatar to target football fans. The researchers tracked over 16,000 scam domains and 40 malicious apps in the Google Play store that were using FIFA World Cup 2022 branding to lure users. The researchers stated that scammers are using a range of tactics to part football fans from their money, personal information, and credentials. They've launched fake merchandising sites and spoofed ticketing sites designed to harvest money and/or bank details from victims. The researchers noted that in both cases, social media marketplace ads and malicious social media accounts help to direct traffic to the fake sites. The researchers said that the fake apps are set up to do a similar job, stealing banking and account credentials by promising access to purchase tickets. In other cases, scam job sites have been set up using the World Cup as a lure to steal victims' personal data. The researchers spotted at least five of these, using keywords such as "job" and "Qatar" and driving traffic to the sites from over 30 specially designed social media pages. The researchers stated that another tactic to obtain personal information is to create fake surveys impersonating major brands, as well as the World Cup itself. These promise a gift for filling out the form with personal information and phone numbers. Victims are also often asked to share a link to the scam on WhatsApp. The researchers identified more than 16,000 of these fake surveys. The security company also revealed that over 90 users of the official fan ID app, Hayya, had their accounts hijacked after passwords were lifted via commodity info-stealing malware such as RedLine and Erbium.

    Infosecurity reports: "Experts Find 16,000+ Scam FIFA World Cup Domains"

  • news

    Visible to the public "Why Microsegmentation is Critical for Securing CI/CD"

    Cloud-native technology, microservices architectures, and DevOps or DevSecOps teams working in close collaboration throughout the development life cycle represent modern development environments. At the heart of this environment, the Continuous Integration (CI) and Continuous Delivery (CD) pipeline is becoming an increasingly valuable target for cybercriminals. SolarWinds and Kaseya supply chain attacks illustrate the significant dangers of failing to properly secure CI/CD tooling. Microsegmentation is a growing practice that serves as the foundation for zero trust security implementations. DevOps teams can achieve unprecedented security and reduce the impact of successful breaches by introducing microsegmentation into the CI/CD pipeline, especially in the context of Kubernetes. Microsegmentation is a method of directing traffic between servers in the same network segment, with an emphasis on server-to-server traffic. In order to reflect the roles and permissions within an organization, a specific server can be defined to only communicate with another server. In addition, a specific application can be defined to only communicate with another host. Policies and permissions for microsegmentation are based on resource identity and can be independent of the underlying infrastructure, thus distinguishing microsegmentation from network segmentation, which is tightly coupled to the infrastructure and relies on network IP addresses. Microsegmentation is an effective method for defining access rules within and between intelligent groups of workloads based on their characteristics. The concept of microsegmentation is a critical component of Zero Trust Network Access (ZTNA), the technology that underpins zero trust security implementations. It provides more robust and reliable network security because it does not rely on dynamically changing networks or the technical requirements imposed on them. It also simplifies network management by replacing hundreds of address-based rules with a few identity-based policies. This article continues to discuss the concept and benefits of microsegmentation.

    Security Boulevard reports "Why Microsegmentation is Critical for Securing CI/CD"

  • news

    Visible to the public "Police Shutter 13,000 Sites in Piracy Crackdown"

    According to Europol, a wide-ranging effort to disrupt counterfeiting and online piracy across the EU resulted in the closure of 12,526 websites hosting illegal content. As of Cyber Monday, police disconnected 32 servers used to distribute the content for 2294 television channels. They also shuttered 15 online stores selling counterfeit products on social media sites and seized 127,365 fake clothes, watches, shoes, accessories, perfumes, electronics, and other items worth over 3.8m euros ($3.9m). Europol noted that law enforcers across 27 countries participated in Europol's 13th Operation In Our Sites, which ran from May 1 to November 14. Europol warned that a growing number of counterfeit items are made today inside the EU and that IP-related offenses are increasingly linked to serious and organized crime. In total, 10 search warrants were issued, and 14 people were detained or accused of IP crimes, including four who were arrested in Spain. According to Europol, the prime suspect, in this case, had been earning 150,000 euros per month, lived in a luxury villa, drove expensive cars, and took luxury holidays worldwide. Meanwhile, police in Bulgaria probed a criminal network using Facebook accounts and websites to sell counterfeit clothes imitating well-known brands. Workshops featuring sewing and embossing machines were raided, and items worth 35,000 euros were seized. Europol urged consumers to be on their guard when buying items online. Europol added that social media channels are often used to promote e-commerce stores selling counterfeit products. A Europol report released in March claimed that the value of counterfeit goods in 2019 was 119bn euros or nearly 6% of total EU imports. However, Europol noted that the number has likely surged during the pandemic thanks to the expansion of e-commerce during the period.

    Infosecurity reports: "Police Shutter 13,000 Sites in Piracy Crackdown"