News Items

  • news

    "NIST Updates Cybersecurity Engineering Guidelines"

    The National Institute of Standards and Technology (NIST) has updated its cybersecurity guidance for system engineers. The document titled "Engineering Trustworthy Secure Systems" resulted from President Joe Biden's 2021 executive order aimed at strengthening the federal government's defenses against large-scale attacks on critical infrastructure. Computer engineers and other professionals on the programming side of cybersecurity are encouraged to use NIST's publication as a resource. It covers actions needed to develop more defensible and resilient systems. The publication addresses machine, physical, and human components that make up systems, as well as the capabilities and services provided by those systems. In the publication, NIST researchers highlight the objectives and concepts of modern security systems, especially the protection of a system's digital assets. One of the key updates made in the document is the emphasis on security assurances. In the realm of software systems engineering, assurance refers to proof that a system's security procedures can adequately mitigate asset loss and thwart cyberattacks. Ron Ross, a NIST fellow and one of the document's authors, emphasized the importance of gathering evidence during the system life cycle to build assurance cases for systems that are used in critical infrastructure. This article continues to discuss NIST's newest draft of "Engineering Trustworthy Secure Systems" and other similar guidelines published by the agency in recent years.

    GCN reports "NIST Updates Cybersecurity Engineering Guidelines"

  • news

    "Dozens of El Salvador Journalists, Activists Hacked"

    According to the University of Toronto's Citizen Lab, cellphones belonging to dozens of journalists and human rights defenders in El Salvador were repeatedly hacked with the Israeli firm NSO Group's sophisticated Pegasus spyware over the past year and a half. The Internet watchdog had identified the operator working almost exclusively in El Salvador in early 2020. El Salvador's government is currently investigating the use of Pegasus to hack phones in the country. NSO has claimed that it only sells its spyware to legitimate government law enforcement and intelligence agencies screened by Israel's Defense Ministry for use against terrorists and criminals. The US government blacklisted NSO last year. NSO said it does not operate the technology when it is given to a client, and therefore, cannot know its customers' targets. However, it said the use of its technology for monitoring activists, dissidents, or journalists goes against the intended use of such tools. Citizen Lab has been identifying Pegasus victims since 2015, finding the use of the spyware against journalists and human rights activists in Mexico and autocratic Middle Eastern countries, including Saudi Arabia. Many other cases have since been found, including some involving US State Department employees in Uganda, British lawyers, and a Polish senator. This article continues to discuss the hacking of El Salvador journalists and activists with Pegasus spyware and other victims of the spyware that have been identified since 2015.

    AP reports "Dozens of El Salvador Journalists, Activists Hacked"

  • news

    "Sabbath Ransomware Gang Targets Critical Infrastructure, Backups"

    The ransomware gang known as Sabbath is targeting critical infrastructure groups in North America. Sabbath has targeted US and Canadian critical infrastructure, including education, national resources, and health sectors. For example, the threat group extorted a US school district on social media in October 2021, demanding the payment of a multi-million dollar ransom. The Sabbath ransomware group also steals data in bulk and destroys backups in targeted attacks. Organizations are encouraged to limit access to legacy systems, improve visibility over network assets, and use threat intelligence to defend against Sabbath ransomware attacks. This article continues to discuss notable Sabbath ransomware incidents, the increased targeting of data backups by ransomware groups, and how organizations could defend themselves against Sabbath ransomware attacks.

    SecurityIntelligence reports "Sabbath Ransomware Gang Targets Critical Infrastructure, Backups"

  • news

    "Phishers Are Targeting Office 365 Users by Exploiting Adobe Cloud"

    Jeremy Fuchs, a security researcher with Avanan, warns of the creation and use of Adobe Creative Cloud accounts by malicious actors to send phishing emails that can evade traditional checks and some advanced threat protection solutions. These attacks emerged in December 2021, exploiting the design of Adobe's apps to support collaboration by sharing documents. The attack involves creating, importing, and hosting a legitimate-looking PDF on Adobe Cloud that points to a fake Office 365-themed login page hosted on Weebly. This article continues to discuss phishers' exploitation of Adobe Cloud to target Office 365 users.

    Help Net Security reports "Phishers Are Targeting Office 365 Users by Exploiting Adobe Cloud"

  • news

    "Bad News for Hackers! Patchwork Group Expose Themselves in Malware Campaign"

    However sophisticated and resourceful cybercriminals can be, they still make mistakes. The India-based threat actor group called Patchwork, which has targeted users and government organizations in Pakistan, accidentally left its hacking strategies exposed online. Since 2015, Patchwork has affected various entities in Pakistan through the performance of spearphishing attacks. According to Malwarebytes, the attackers inadvertently exposed their malware details, captured keystrokes, and screenshots. Patchwork was found to have used malicious RTF files to drop a new variant of the BADNEWS Trojan dubbed Ragnatela in a campaign that lasted from late November to early December 2021. This article continues to discuss the Patchwork group's accidental exposure of its own hacking strategies, the group's use of Ragnatela in its recent campaign, the capabilities of this Trojan, and those that have fallen victim to it.

    CISO MAG reports "Bad News for Hackers! Patchwork Group Expose Themselves in Malware Campaign"

  • news

    "Teenage Hacker Gains Remote Control of 25 Teslas in 13 Countries"

    A young hacker named David Colombo claimed to have found a way to gain remote control over 25 Tesla electric vehicles in 13 countries. According to Colombo, the flaw used to trigger different actions remotely was not a vulnerability in Tesla's infrastructure but an error made on the owners' end. He claimed to have been able to disable a car's remote camera system, unlock doors, determine the vehicle's exact location, and more. However, Colombo clarified that he could not control steering, acceleration, or braking. He is currently talking to the not-for-profit organization MITRE about how to properly report the hack as a CVE. The hack is also under investigation by Tesla's security team.

    PCMag reports "Teenage Hacker Gains Remote Control of 25 Teslas in 13 Countries"

  • news

    "Clinical Review Vendor Reports Data Breach"

    A cyberattack on the Medical Review Institute of America (MRIoA) may have exposed the personal data of 134,571 individuals. MRIoA provides clinical reviews and virtual medical opinions. MRIoA is based in Salt Lake City, Utah. MRIoA stated that it was "the victim of a sophisticated cyber incident" discovered on November 9, 2021, that resulted in an adversary gaining unauthorized access to its network and exfiltrating data. MRIoA stated that the attackers broke into its computer system by exploiting an alleged vulnerability in a product made by SonicWall. The firewall maker confirmed that an intruder had accessed MRIoA's environment through a SonicWall vulnerability on November 2, 2021. Information affected by the incident may have included first and last name, gender, home address, phone number, email address, date of birth, and social security number. Additionally, information affected may have included clinical information, such as medical history/diagnosis/treatment, dates of service, lab test results, prescription information, provider name, and medical account number. Other information that may have been breached includes financial information, including health insurance policy and group plan number, group plan provider, and claim information. In the wake of the attack, MRIoA said it had new servers "built from the ground up to ensure all threat remnants were removed."

    Infosecurity reports: "Clinical Review Vendor Reports Data Breach"

  • news

    "Cisco Patches Critical Vulnerability in Contact Center Products"

    Cisco on Wednesday announced patches for a critical vulnerability in Unified Contact Center Management Portal (Unified CCMP) and Unified Contact Center Domain Manager (Unified CCDM). Tracked as CVE-2022-20658 (CVSS score of 9.6), the issue exists because there was no server-side validation of user permissions, which allowed an attacker to submit a crafted HTTP request to exploit the bug on a vulnerable system. Cisco stated that a successful exploit could allow the attacker to create Administrator accounts. With these accounts, the attacker could access and modify telephony and user resources across all the Unified platforms that are associated with the vulnerable Cisco Unified CCMP. Cisco also noted that an attacker would need to have valid Advanced User credentials to successfully exploit the vulnerability. The security flaw was addressed with the release of Unified CCMP/Unified CCDM versions 11.6.1 ES17, 12.0.1 ES5, and 12.5.1 ES5. Version 12.6.1 of the software is not affected. Cisco says it is unaware of the vulnerability being exploited in malicious attacks.

    SecurityWeek reports: "Cisco Patches Critical Vulnerability in Contact Center Products"

  • news

    "Cyber-Thieves Raid Grass Valley"

    A cyberattack on a city in California has resulted in the exfiltration of personal and financial data belonging to vendors, city employees, and their spouses. A notice published by Grass Valley states that an unknown attacker was able to access some of the city's IT systems for four months last year. The city said that the attacker exploited the unauthorized access they enjoyed between April 13 and July 1, 2021, to steal data belonging to an unspecified number of individuals. Victims affected by the data breach include Grass Valley employees, former employees, spouses, dependents, and individual vendors hired by the city. Other victims include individuals whose information may have been provided to the Grass Valley Police Department and individuals whose information was provided to the Grass Valley Community Development Department in loan application documents. The information exposed during the attack was found to include social security numbers, driver's license numbers, vendor names, and limited medical or health insurance information. For individuals whose information may have been provided to the Grass Valley Police Department, the impacted data included the name and one or more of the following: social security number, driver's license number, financial account information, payment card information, limited medical or health insurance information, passport number and username and password credentials to an online account. Individuals who had applied for a community development loan may have had names and social security numbers, driver's license numbers, financial account numbers, and payment card numbers compromised. Grass Valley started notifying victims of the data breach on January 7, 2022.

    Infosecurity reports: "Cyber-Thieves Raid Grass Valley"

  • news

    "Hackers Hit Healthcare Data Management Company"

    The protected health information (PHI) of thousands of individuals may have been exposed in a hacking incident at a healthcare information management company based in Georgia. Ciox Health, headquartered in Alpharetta, provides various services, including information release, medical record retrieval, and health information management to more than 30 healthcare providers. According to a notice recently issued by Ciox Health, an unauthorized person accessed the email account of a Ciox employee between June 24, 2021 and July 2, 2021. The company warned that the threat actor may have used that access to download emails and attachments associated with the compromised account. Information that the adversary may have accessed included patient names, provider names, dates of birth and/or dates of service. Social security numbers or driver's license numbers, health insurance information and/or clinical or treatment information were also exposed in what Ciox described as "very limited instances." The data breach was reported to the US Department of Health and Human Services' Office for Civil Rights on December 30 as a hacking/IT incident impacting 12,493 individuals.

    Infosecurity reports: "Hackers Hit Healthcare Data Management Company"

  • news

    "KCodes NetUSB Kernel Remote Code Execution Flaw Impacts Millions of Devices"

    Researchers at the cybersecurity firm SentinelOne have shared findings from their analysis of a flaw in the KCodes NetUSB kernel module that puts millions of end-user router devices from Netgear, TP-Link, Tenda, EDIMAX, D-Link, Western Digital, and more, at risk of Remote Code Execution (RCE). KCodes NetUSB is proprietary software that allows devices such as routers, printers, and flash storage devices to provide USB-based services over IP. The bug was discovered during the examination of a Netgear device by the SentinelOne vulnerability researcher, Max Van Amerongen. The kernel module, NetUSB, was found improperly validating the size of packets fetched through remote connections, potentially resulting in a heap buffer overflow. This article continues to discuss the discovery, potential exploitation, severity, and disclosure of the KCodes NetUSB flaw.

    ZDNet reports "KCodes NetUSB Kernel Remote Code Execution Flaw Impacts Millions of Devices"

  • news

    "Industrial Firms Advised Not to Ignore Security Risks Posed by URL Parsing Confusion"

    A team of researchers from the industrial cybersecurity firm Claroty and the developer security company Snyk analyzed 16 URL parsing libraries. Findings from the analysis further highlighted how inconsistencies could lead to different types of vulnerabilities. The analysis revealed five types of inconsistencies, including backslash confusion (URLs containing backslashes), scheme confusion (URLs with a malformed or missing scheme), slash confusion (URL with an irregular number of slashes), URL encoded data confusion (URLs containing URL encoded data), and scheme mixup (a URL belonging to a particular scheme without a scheme-specific parser). These inconsistencies could lead to Server-Side Request Forgery (SSRF), open redirect, Cross-Site Scripting (XSS), Denial-of-Service (DoS), and filter bypass issues. Eight CVE identifiers have been assigned to the vulnerabilities discovered by the researchers. They were privately disclosed to developers and patched before research findings were shared with the public. One vulnerability related to URL parsing confusion is the Log4Shell flaw in Log4j, an open-source Apache Java-based logging framework used by developers to record activity within software applications and online services. This article continues to discuss key findings from the analysis of 16 URL parsing libraries and the implications of URL parsing confusion for industrial systems.

    Security Week reports "Industrial Firms Advised Not to Ignore Security Risks Posed by URL Parsing Confusion"
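The practical lesson of the parsing-confusion research is that a URL two parsers read differently is exactly the input on which a validator and the component behind it disagree. The following is an added example, not code from the Claroty/Snyk research or the Security Week article: a conservative allowlist check for an outbound fetcher that refuses each of the five confusion classes named above rather than trying to normalise them, plus a helper showing how Python's own urllib.parse reads a backslash URL. ALLOWED_HOSTS, the sample URLs and the reason strings are assumptions made for illustration.

```python
"""Conservative URL allowlist check that refuses ambiguous URLs.

Added example; not code from the Claroty/Snyk research or the Security Week
article. A URL that different parsers would read differently is the input that
lets a validator and the fetcher behind it disagree, so this check rejects the
five confusion classes from the research instead of trying to normalise them.
ALLOWED_HOSTS and the sample inputs below are assumptions.
"""
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"files.example.com"}  # assumed allowlist for an outbound fetcher


def check_url(url, allowed_hosts=ALLOWED_HOSTS):
    """Return (True, hostname) if `url` is unambiguous and allowlisted, else (False, reason)."""
    # Control characters and whitespace are stripped by some parsers and kept by
    # others, which moves where the host ends; refuse them outright.
    if any(ord(c) < 0x21 or ord(c) == 0x7F for c in url):
        return False, "control or whitespace character"
    # Backslash confusion: WHATWG (browser) parsers treat '\' as '/' in http(s)
    # URLs, RFC 3986-style parsers such as urllib.parse do not.
    if "\\" in url:
        return False, "backslash in URL"
    scheme, sep, rest = url.partition(":")
    # Scheme confusion: require an explicit http or https scheme.
    if not sep or scheme.lower() not in ("http", "https"):
        return False, "missing or unsupported scheme"
    # Slash confusion: exactly two slashes must introduce the authority.
    if not rest.startswith("//") or rest.startswith("///"):
        return False, "irregular number of slashes after scheme"
    parts = urlsplit(url)
    netloc = parts.netloc
    # Userinfo and percent-encoded data in the authority are the parts parsers
    # most often disagree on when deciding where the host ends.
    if "@" in netloc:
        return False, "userinfo in authority"
    if "%" in netloc:
        return False, "percent-encoded data in authority"
    host = parts.hostname
    if not host or host not in allowed_hosts:
        return False, f"host {host!r} not in allowlist"
    return True, host


def python_hostname(url):
    """What urllib.parse alone would hand to a fetcher as the host."""
    return urlsplit(url).hostname


# Constructed inputs, one per confusion class, plus a clean URL.
SAMPLES = [
    "http://files.example.com/report.pdf",        # clean
    "http://files.example.com\\@203.0.113.5/",    # backslash confusion
    "files.example.com/report.pdf",               # scheme confusion
    "http:///files.example.com/report.pdf",       # slash confusion
    "http://files%2Eexample.com/report.pdf",      # URL-encoded data confusion
    "http://user@files.example.com/report.pdf",   # userinfo ambiguity
]

if __name__ == "__main__":
    for u in SAMPLES:
        print(f"{u!r:50} -> {check_url(u)}  (urllib host: {python_hostname(u)!r})")
```

The backslash sample is the interesting one: a browser-style parser reads its host as files.example.com, while urllib.parse reports 203.0.113.5, so an allowlist built on one parser and a fetcher built on the other would disagree. Refusing the URL sidesteps the question of which parser is "right".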

  • news

    "Fully Undetected SysJoker Backdoor Malware Targets Windows, Linux & macOS"

    Security researchers at Intezer have discovered a new malware dubbed SysJoker. The brand-new multiplatform malware, likely distributed via malicious npm packages, is spreading under the radar, with Linux and Mac versions going fully undetected in VirusTotal. The Windows version, according to the researchers, has only six detections. These were uploaded to VirusTotal with the suffix ".ts," which is used for TypeScript files. SysJoker is used to establish initial access on a target machine. Once installed, it can execute follow-on code as well as additional commands, through which malicious actors can carry out follow-on attacks or pivot to move further into a corporate network. This kind of initial access is also a hot commodity on underground cyberforums, where ransomware groups and others can purchase it. The researchers stated that SysJoker was first seen in December during a cyberattack on a Linux-based web server of a "leading educational institution." Its command-and-control (C2) domain registration and other sample data show that this malware appears to have been created in the second half of 2021.

    Threatpost reports: "Fully Undetected SysJoker Backdoor Malware Targets Windows, Linux & macOS"

  • news

    "Microsoft: macOS 'Powerdir' Flaw Could Let Attackers Gain Access to User Data"

    Microsoft has disclosed a vulnerability found in Apple's macOS that could allow an attacker to gain unauthorized access to protected user data by circumventing the operating system's Transparency, Consent, and Control (TCC) technology. After the Microsoft Security Vulnerability Research (MSVR) team reported its finding to Apple's product security team on July 15, 2021, the vulnerability dubbed Powerdir was addressed in a rollout of security updates released on December 13, 2021. The TCC technology was designed to help users configure the privacy settings of applications on their devices. To maintain the security of the TCC technology, Apple created a feature that prevents unauthorized code execution and established a policy to limit TCC access only to applications with full disk access. However, the Powerdir flaw would allow attackers to evade this feature and execute an attack on a macOS device. This article continues to discuss the Powerdir flaw and other TCC vulnerabilities that Apple has patched in recent years.

    Dark Reading reports "Microsoft: macOS 'Powerdir' Flaw Could Let Attackers Gain Access to User Data"

  • news

    "Corporate Cyberattacks Spike 50% in 2021"

    Researchers at Check Point have found that global weekly cyberattacks hit an all-time high in Q4 2021 of 925 attempts per organization. The researchers analyzed information collected by hundreds of millions of global sensors from Check Point's Threat Prevention products across networks, endpoints, and mobiles. The researchers claimed attempted attacks have been continuously increasing since Q2 2020, with 50% more attacks seen per week on corporate networks in 2021 compared to 2020. The researchers noted that the education and research sector experienced the highest volume of attacks during 2021, amounting to an average of 1605 per organization every week, a 75% increase from 2020. It was followed by government/military with 1136 attacks, up 47% year-on-year, and communications with 1079, up 51%. Africa experienced the highest volume of weekly attacks in 2021, with an average of 1582 per organization, a 13% increase from 2020. However, European organizations experienced the most significant increase in weekly attacks, up 68% to 670. The researchers stated that ransomware was particularly prevalent over 2021. Check Point warned last October that attacks had spiked 40% since 2020, with one out of every 61 organizations worldwide impacted each week. The researchers urge firms to segment their networks, patch promptly, educate their employees and layer up advanced security controls like sandboxing and anomaly detection.

    Infosecurity reports: "Corporate Cyberattacks Spike 50% in 2021"

  • news

    "Seeking a Way of Preventing Audio Models for AI Machine Learning From Being Fooled"

    Researchers at the UPV/EHU-University of the Basque Country have shown that the distortion metrics used to assess audio perturbations designed to fool Artificial Intelligence (AI) models are not a reliable measure of human perception. Such perturbations can be used by malicious actors to cause AI models to produce inaccurate predictions. Distortion metrics are used to assess the effectiveness of the methods involved in generating such attacks. AI is increasingly based on Machine Learning (ML) models trained on large datasets. Likewise, human-computer interaction is now more reliant on speech communication, primarily because of the advanced performance of ML models in speech recognition tasks. However, malicious actors can fool these models using adversarial examples, which are inputs intentionally perturbed to cause incorrect predictions without humans noticing changes. Much research has been conducted on developing new techniques for generating adversarial perturbations, but there has been less attention on how humans perceive these perturbations. This realm must be explored, as adversarial perturbation methods only pose a threat if humans cannot detect them. The researchers investigated the extent to which the distortion metrics presented in the literature for audio adversarial examples reliably measure the human perception of perturbations by asking 36 people to evaluate adversarial examples or audio perturbations according to different factors. They also proposed a stronger evaluation method resulting from the analysis of certain properties or factors relevant in assessing detectability. This article continues to discuss the performance and results of the study on the human evaluation of universal audio adversarial perturbations.

    ScienceDaily reports "Seeking a Way of Preventing Audio Models for AI Machine Learning From Being Fooled"

  • news

    "How Cybercriminals Turn Paper Checks Stolen from Mailboxes into Bitcoin"

    David Maimon, Associate Professor of Criminal Justice at Georgia State University and the Evidence-Based Cybersecurity Research group he directs, explored 60 black market communication channels on the Internet to gain more insight into the online fraud ecosystem and to systematically gain data on it to identify trends. One of the observations made by Maimon and his team of graduate students is the rise in stolen checks, believed to be taken from US Postal Service and personal mailboxes. They looked at 60 online chat room channels, including group chats on messaging apps such as WhatsApp, ICQ, and Telegram, where people were known to sell fraudulent documents. An analysis of data gathered from those channels revealed that an average of 1,325 stolen checks were being sold every week in October 2021, a significant increase from the 634 being sold per week in September and 409 in August. Cybercriminals can use these stolen checks to steal a victim's identity, submit false applications for loans, access the victim's bank account, and more. This article continues to discuss the increased distribution and use of stolen checks among cybercriminals.

    NextGov reports "How Cybercriminals Turn Paper Checks Stolen from Mailboxes into Bitcoin"

  • news

    "FBI: Cybercriminals Are Mailing Out USB Drives That Install Ransomware"

    The Federal Bureau of Investigation (FBI) is warning of a cybercrime group that has been mailing out USB thumb drives in an effort to spread ransomware. The USB drives, sent in the mail through the US Postal Service and United Parcel Service, contain 'BadUSB' attacks. One USB drive was found to contain a message appearing to be a COVID-19 warning from the US Department of Health and Human Services (DHHS). Other malicious USB drives were sent with a gift card claiming to be from Amazon. BadUSB exploits the USB standard's versatility, enabling an attacker to reprogram a USB drive to perform malicious activities such as emulating a keyboard to issue commands to a computer, installing malware before the OS boots, spoofing a network card, redirecting traffic, and more. This article continues to discuss additional information shared by the FBI about new BadUSB attacks.

    ZDNet reports "FBI: Cybercriminals Are Mailing Out USB Drives That Install Ransomware"

  • news

    "Cyberattack on New Mexico County"

    A cyberattack has forced the government of New Mexico's most populous county to close most of its county buildings to the public. Bernalillo County had to take some of its IT systems offline after becoming the target of a digital assault that county officials suspect was a ransomware attack. In a statement, the county said that all public safety departments, such as emergency 911 communications, the Sheriff's Office, and Fire and Rescue, were operating as usual "using back-up contingencies." However, the incident caused the county's Metropolitan Detention Center to cancel inmate visits last Wednesday. The county did not share any information about how or by whom the attack was orchestrated. Nor has the county stated if any data has been compromised or if it has received a ransom demand. The attack on Bernalillo County is also disrupting the local real estate industry. With key county IT systems offline, realtors cannot access information such as taxes and deeds that are needed to complete property sales.

    Infosecurity reports: "Cyberattack on New Mexico County"

  • news

    "Online Pharmacy Service Ravkoo Discloses Data Breach"

    Ravkoo, a United States-based online pharmacy service, has started notifying patients of a data breach that potentially resulted in the exposure of personal information. Initially discovered in late September, the breach resulted from a cyberattack targeting Ravkoo's prescription portal, which is hosted on Amazon Web Services (AWS). Ravkoo stated that some prescription and health information might have been compromised during the incident. Potentially impacted information also includes names, email addresses, and phone numbers. Ravkoo noted that no Social Security numbers were compromised, as this type of information is not stored on the targeted portal. Ravkoo also says that it has informed the relevant authorities of the incident, and it has been working with forensic experts to investigate the incident and strengthen its security posture.

    SecurityWeek reports: "Online Pharmacy Service Ravkoo Discloses Data Breach"

  • news

    Pub Crawl #57

    Pub Crawl summarizes, by hard problems, sets of publications that have been peer reviewed and presented at SoS conferences or referenced in current work. The topics are chosen for their usefulness for current researchers.

  • news

    "Attackers Steal 1.1 M User Accounts Through Credential Stuffing"

    User login credentials remain a major target for cybercriminals, as they provide access to organizations' critical infrastructures and systems. Threat actors are using various attack vectors such as credential stuffing to steal usernames and passwords. Credential stuffing refers to an attack in which usernames and passwords leaked in previous data breaches are used to gain access to accounts created on other online services. These attacks use bots for automation to enter many username and password combinations into login pages across multiple online services. According to the New York State Office of the Attorney General (OAG), threat actors have compromised more than 1.1 million user accounts belonging to 17 companies through the launch of credential stuffing attacks. This article continues to discuss the concept of credential stuffing attacks, the compromise of over 1.1 million user accounts through these attacks, and recommended security measures to protect online accounts.

    CISO MAG reports "Attackers Steal 1.1 M User Accounts Through Credential Stuffing"
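Because credential stuffing replays leaked username/password pairs through bots, it looks different from a user fumbling their own password: one source trying many distinct usernames at machine speed, almost all failing. The following is an added example, not code from the CISO MAG article or the New York OAG report, of a detector that scores each source address on exactly that pattern and then lists the accounts that succeeded from a flagged source, which are the ones to reset. The log format, the sample lines and the thresholds are constructed assumptions.

```python
"""Credential-stuffing detector over web-application login logs.

Added example; not code from the CISO MAG article or the NY OAG report.
The log format, the sample lines and the thresholds are assumptions.
Stuffing shows up as one source trying many *different* usernames, mostly
failing, inside a short window; a single user mistyping their own password
(one username, several failures) must not trip the same rule.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
import re

# Constructed sample log: "<iso-time> ip=<src> user=<name> result=<ok|fail>"
SAMPLE_LOG = """\
2022-01-10T09:00:01 ip=203.0.113.7 user=alice result=fail
2022-01-10T09:00:01 ip=203.0.113.7 user=bob result=fail
2022-01-10T09:00:02 ip=203.0.113.7 user=carol result=fail
2022-01-10T09:00:02 ip=203.0.113.7 user=dave result=ok
2022-01-10T09:00:03 ip=203.0.113.7 user=erin result=fail
2022-01-10T09:00:03 ip=203.0.113.7 user=frank result=fail
2022-01-10T09:00:04 ip=203.0.113.7 user=grace result=fail
2022-01-10T09:00:04 ip=203.0.113.7 user=heidi result=fail
2022-01-10T09:05:00 ip=198.51.100.2 user=alice result=fail
2022-01-10T09:05:30 ip=198.51.100.2 user=alice result=fail
2022-01-10T09:06:10 ip=198.51.100.2 user=alice result=ok
2022-01-10T09:07:00 ip=192.0.2.9 user=bob result=ok
this line is malformed and is skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)


@dataclass
class LoginEvent:
    ts: datetime
    ip: str
    user: str
    ok: bool


def parse_log(text):
    """Parse log lines into LoginEvent records, skipping lines that do not match."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append(LoginEvent(datetime.fromisoformat(m["ts"]), m["ip"],
                                 m["user"], m["result"] == "ok"))
    return events


def detect_stuffing(events, window=timedelta(minutes=5), min_users=5, min_fail_ratio=0.6):
    """Return {ip: (distinct_users, attempts, failures)} for sources that look like stuffing.

    For each source, slide a time window over its attempts and flag it when some
    window holds at least `min_users` distinct usernames with a failure ratio of
    at least `min_fail_ratio`. The stats kept are those of the widest such window.
    """
    by_ip = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        by_ip[ev.ip].append(ev)
    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            while evs[end].ts - evs[start].ts > window:
                start += 1
            chunk = evs[start:end + 1]
            users = {e.user for e in chunk}
            failures = sum(1 for e in chunk if not e.ok)
            if len(users) >= min_users and failures / len(chunk) >= min_fail_ratio:
                stats = (len(users), len(chunk), failures)
                if ip not in flagged or stats[0] >= flagged[ip][0]:
                    flagged[ip] = stats
    return flagged


def compromised_accounts(events, flagged):
    """Usernames that logged in successfully from a flagged source: reset these."""
    return {e.user for e in events if e.ip in flagged and e.ok}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    hits = detect_stuffing(evs)
    print("flagged sources:", hits)
    print("accounts to reset:", compromised_accounts(evs, hits))
```

On the constructed log, 203.0.113.7 is flagged (eight usernames in four seconds, seven failures) and dave, whose password was among the leaked pairs, is listed for reset; 198.51.100.2, a user retrying their own account, is not flagged. The distinct-username threshold is what separates the two, so tune it rather than the failure ratio when the detector is noisy.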

  • news

    "Cyberattack on Fertility Centers of Illinois"

    A company that operates multiple fertility centers across Northern Illinois has suffered a data breach because of a cyberattack. Fertility Centers of Illinois (FCI) reported that the data breach affected 79,943 current and former patients. The unidentified adversary had access to some of the patients' protected health information (PHI) and could access personal data belonging to FCI employees. FCI hired third-party computer forensic specialists after the company detected suspicious network activity on February 1, 2021. Cybersecurity measures implemented by FCI ensured that the company's electronic medical record system could not be accessed, but the attacker was able to get into administrative files and folders. By August 27, 2021, FCI reviewed the contents of the compromised files and determined that they contained a range of patient data, including names in combination with one or more of the following types of information: Social Security numbers, passport numbers, financial account information, payment card information, diagnoses, treatment information, medical record numbers, billing/claims information, prescription information, Medicare/Medicaid identification information, health insurance group numbers, health insurance subscriber numbers, patient account numbers, encounter numbers, referring physicians, usernames and passwords with PINs, or account login information. Employee information potentially compromised in the cyberattack included names, employer-assigned identification numbers, ill-health/retirement information, occupational health-related information, medical benefits and entitlements information, patkeys/reason for absence and sickness certificates.

    Infosecurity reports: "Cyberattack on Fertility Centers of Illinois"

  • news

    "Thousands of Schools Impacted After IT Provider Hit by Ransomware"

    A leading provider of school website infrastructure has been hit by a ransomware attack, potentially disrupting thousands of global customers. Finalsite claims to serve over 8000 schools worldwide, offering content management, communications, mobile software, and enrolment software. Finalsite detected on Tuesday, January 4, that ransomware was present on certain systems in its environment. A message posted by the firm on Twitter yesterday apologized for the "prolonged outage" customers have been forced to endure as a result of the attack. Finalsite is currently trying to restore backup systems and bring its networks back to full performance. Finalsite claimed it had uncovered no evidence that data had been stolen as part of the raid but admitted that forensic work was still ongoing. Currently, there is no sign of exactly how many schools have been impacted by the attack, although a Reddit user claimed around 2,200 might have been disrupted. The Reddit user claimed that many districts, because of the prolonged outage caused by the ransomware, are complaining that they cannot use their emergency notification system to warn their communities about closures due to weather or COVID-19 protocol.

    Infosecurity reports: "Thousands of Schools Impacted After IT Provider Hit by Ransomware"

  • news

    "New Mac Malware Samples Underscore Growing Threat"

    Some malware samples that emerged in 2021 further proved that Apple's technologies are not invulnerable to attacks. The security researcher, Patrick Wardle, released a list of new Mac malware threats that emerged last year, identifying the infection vector, installation, persistence mechanisms, and other features for each malware sample. His list is intended to give security professionals better insight into threats facing macOS at a time when its use increased, largely due to the shift to remote work during the COVID-19 pandemic. A 2021 survey of 300 IT professionals revealed that employee use of Apple devices had increased significantly. Over 50 percent of the respondents reported that requests for Apple devices had also grown. Wardle's list consists of eight new malware samples that target macOS. It includes ElectroRAT, a cross-platform Remote Access Trojan (RAT), and Silver Sparrow, a malware tool that targets Apple's M1 chip. It also includes a cross-platform password stealer called XLoader as well as a macOS implant dubbed MacMa. Each of the malware samples was discovered by different antivirus and security firms. Last year's most significant Mac malware threats fell under the categories of cryptominers, adware, information stealers, and cross-platform Trojans. Although Macs have some security advantages, they are becoming less effective because malware is increasingly targeting browser plugins instead of the underlying OS. Malware developers are also creating more cross-platform applications independent of the OS. Jaron Bradley, macOS Detections Manager at Jamf, pointed out that threat actors had put a lot of effort into attacking Macs in 2021. Such efforts included looking for new zero-day vulnerabilities and exploiting them to deliver Mac-specific malware. The distribution of Mac-specific malware implementing zero-day bypasses shows that attackers are becoming more familiar with macOS and willing to spend time building these exploits. This article continues to discuss Wardle's list of new Mac malware samples that surfaced in 2021 and the misperception about Macs.

    Dark Reading reports "New Mac Malware Samples Underscore Growing Threat"

  • news

    Visible to the public "Deposits to Illicit Crypto Addresses Nearly Doubled in 2021, Chainalysis Finds"

    Researchers at Chainalysis have found that cryptocurrency-based crime hit a new all-time high in 2021. According to the researchers, illicit addresses tracked by Chainalysis received $14 billion in deposits over the course of 2021, almost double the amount they collected in 2020. Rather than digital extortion, researchers found that cryptocurrency-related scams, namely investment-related fraud and straight theft, saw the biggest jumps in 2021. The researchers stated that illicit revenue from scams rose by 82% in 2021 to $7.8 billion worth of cryptocurrency. Researchers attribute a large part of the growth to an increase in so-called "rug pulls," a fraud scheme in which developers set up seemingly legitimate cryptocurrency projects with the intent to steal investors' money and disappear.

    CyberScoop reports: "Deposits to Illicit Crypto Addresses Nearly Doubled in 2021, Chainalysis Finds"

  • news

    Visible to the public "Cybersecurity Researchers Warn About Cyberattacks by 'Elephant Beetle'"

    Researchers at the cybersecurity company Sygnia have detailed a highly organized and stealthy cybercriminal operation dubbed 'Elephant Beetle.' The Elephant Beetle threat group has stolen millions of dollars from financial organizations, primarily focusing on organizations in Latin America. The researchers warn that the campaign could expand its attacks to organizations globally. According to the researchers, the actors behind the attacks take their time to examine compromised victims' financial systems so that they can create fraudulent transactions hidden in regular activity, adding up to millions of dollars being stolen. The threat group uses legacy Java applications running on Linux-based machines and web servers as its initial entry point, as such applications likely contain unpatched vulnerabilities. The vulnerabilities exploited by Elephant Beetle to gain network access are PrimeFaces Application Expression Language Injection, WebSphere Application Server SOAP Deserialization Exploit, SAP NetWeaver Invoker Servlet Exploit, and SAP NetWeaver ConfigServlet Remote Code Execution. The initial payload is either an obfuscated web shell enabling remote code execution or a sequence of exploits that run different commands on the target machine. Elephant Beetle uses more than 80 unique tools and scripts to conduct the attacks and identify additional security flaws while hiding inside networks for months at a time. The attackers focus on smaller transactions to avoid suspicion, but all the transactions against a victim add up to millions of dollars. Phrases and keywords used in code involved in Elephant Beetle incidents suggest that the actors behind the attacks are Spanish-speaking. Researchers have also noted that many of the command-and-control (C2) servers used by Elephant Beetle appear to be in Mexico. This article continues to discuss findings surrounding the organized financial-theft operation, Elephant Beetle.

    ZDNet reports "Cybersecurity Researchers Warn About Cyberattacks by 'Elephant Beetle'"

  • news

    Visible to the public "Malware Can Fake iPhone Shutdown via 'NoReboot' Technique"

    Researchers at mobile security firm ZecOps have discovered how a piece of iOS malware can achieve "persistence" on a device by faking its shutdown process. Malware designed to target iPhones is not uncommon, but many of these threats are not capable of staying on a device after it has been rebooted, the researchers noted. The researchers stated that instead of developing a sophisticated persistence exploit for their malware, threat actors could simply monitor the victim's actions and simulate a shutdown of the iPhone when the victim attempts to turn off their device. ZecOps has dubbed the method "NoReboot" and described it as the "ultimate persistence bug" that cannot be patched. The researchers found that when a user initiates a shutdown event by pressing and holding the volume button until the "power off" slider appears, the adversary can inject their code into the InCallService, SpringBoard, and BackBoard daemons. Instead of shutting down the device, the attacker can get SpringBoard and BackBoard to make it look like the device has been powered off by disabling all physical feedback, including the screen, sounds, vibration, the camera indicator, and touch feedback. The attacker can display the system boot animation when the user wants to power on the iPhone to avoid raising suspicion. ZecOps has made available a proof-of-concept (PoC) exploit, and it has published a video showing the method in action. The video shows how an attacker with access to a phone could continue spying on the victim while the device appears to be powered off. The researchers stated that vendors that are interested in fixing this issue should provide a hardware indicator if the phone is powered on/off, and similarly for the microphone and camera.

    SecurityWeek reports: "Malware Can Fake iPhone Shutdown via 'NoReboot' Technique"

  • news

    Visible to the public "Aiding Evaluation of Adversarial AI Defenses"

    Existing Machine Learning (ML) models have many inherent vulnerabilities that leave the technology open to spoofing, corruption, and other forms of deception. Attacks against Artificial Intelligence (AI) algorithms could lead to altered content recommendation engines, the disruption of self-driving vehicles, and more. These vulnerabilities raise concerns as ML models become increasingly integrated into critical infrastructure and systems. A program launched by DARPA (Defense Advanced Research Projects Agency), called Guaranteeing AI Robustness against Deception (GARD), aims to develop a new generation of defenses against adversarial attacks on ML models in order to get ahead of this safety challenge. One of GARD's objectives is to develop a testbed for characterizing ML defenses and evaluating the scope of their applicability. The field of adversarial AI is relatively new, so there are only a few methods for testing and evaluating potential defenses. In addition, these existing methods have been found to lack rigor and sophistication. It is critical to ensure that emerging defenses keep pace with or outperform the capabilities of known attacks to establish trust and guarantee their eventual use. GARD researchers have developed several resources and virtual tools to strengthen the community's efforts in evaluating and verifying the efficacy of existing and emerging ML models and defenses against adversarial attacks. GARD researchers from Two Six Technologies, IBM, MITRE, Google Research, and the University of Chicago worked together to create a virtual testbed, toolbox, and benchmarking dataset, as well as training materials to support this effort. They made these assets available through a public repository for the broader research community to use. The virtual testbed, called Armory, enables repeatable, scalable, and robust evaluations of adversarial defenses. It allows researchers to test their defenses against known attacks and relevant scenarios. The Armory testbed also lets researchers make changes to scenarios to ensure that their defenses can be used across various attacks. This article continues to discuss the goals and developments of the GARD program.

    Homeland Security News Wire reports "Aiding Evaluation of Adversarial AI Defenses"

  • news

    Visible to the public "K-12 Cybersecurity Act Signed Into Law"

    President Biden signed the K-12 Cybersecurity Act, which should strengthen the cybersecurity of US K-12 schools. This includes assessing the cybersecurity risks affecting K-12 schools, such as securing information systems and protecting student and employee data. Other goals include developing guidelines for this sector to minimize risks, publishing an online training toolkit, and posting the assessment findings and recommendations online. All of this effort will be under the direction of the CISA director. Currently, most schools lack cyber awareness and training and are often the targets of malware and ransomware attacks.

    SecurityIntelligence reports "K-12 Cybersecurity Act Signed Into Law"

  • news

    Visible to the public This New Year, why not resolve to ditch your dodgy old passwords?

    Most of the classic New Year resolutions revolve around improving your health and lifestyle. But this year, why not consider cleaning up your passwords too?

  • news

    Visible to the public 2021 Cybersecurity Person Of The Year: Jen Easterly

    The editors at Cybercrime Magazine named Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency (CISA), “Cybersecurity Person of the Year” for her outstanding contributions to the industry in 2021.

    Easterly was named CISA’s director earlier this year. She leads CISA’s efforts to understand, manage, and reduce risk to the cyber and physical infrastructure Americans rely on every day.

  • news

    Visible to the public SoS Musings #56 - The Cybersecurity Workforce Gap Remains

  • news

    Visible to the public Cyber Scene #63 - Cyber Flight Plan: Heavy Cloud Cover; Clipped Wings Alert

  • news

    Visible to the public Cybersecurity Snapshots #25 - Schools and Universities Targeted by Hackers During Pandemic

  • news

    Visible to the public Spotlight on Lablet Research #25 - Governance for Big Data

  • news

    Visible to the public "Broward Health Data Breach Impacts 1.3 Million People"

    Broward Health has discovered that a data breach compromised the personal information of its patients and employees. The incident impacts roughly 1,358,000 individuals. It was disclosed on January 1, 2022, when the organization announced that unauthorized access through a third-party medical provider resulted in patient and employee data being compromised. The organization stated that the threat actor gained access to the system on October 15 and that the intrusion was discovered on October 19. The potentially compromised data includes names, birth dates, contact information (addresses and phone numbers), driver's license numbers, Social Security numbers, financial information, insurance data, and medical information such as condition, diagnosis, medical history, treatment, and medical record number. The company stated that this personal information was exfiltrated, or removed, from Broward Health's systems; however, there is no evidence that the intruder actually misused the information.

    SecurityWeek reports: "Broward Health Data Breach Impacts 1.3 Million People"

  • news

    Visible to the public "Info-Stealing Malware Hits 100+ Countries"

    Researchers at Check Point warn of a new malware campaign that has already stolen passwords and user information from over 2,000 victims in 111 countries worldwide. ZLoader is a known banking Trojan that uses web injection to steal cookies, passwords, and other sensitive information. It has also been linked to the delivery of the infamous Conti and Ryuk ransomware variants. In the past, researchers noted that ZLoader has been delivered both via traditional phishing email campaigns and through abuse of online advertising platforms, where attackers purchase ads pointing to legitimate-looking websites hosting the malware. The researchers found that the new campaign, attributed to the cybercrime group Malsmoke, begins with the installation of a legitimate remote management program from Atera pretending to be a Java installation. This gives the attacker full access to the targeted system, enabling them to upload and download files and run additional scripts. One of these scripts purportedly runs "mshta.exe" with the file "appContast.dll" as the parameter. The researchers noted that although appContast.dll is signed by Microsoft, the attackers found a way to exploit the firm's digital signature verification method to add extra information to the file; this added information downloads and runs the final ZLoader payload. Malware researcher Kobi Eisenkraft stated that people need to know that they cannot immediately trust a file's digital signature. The researchers noted that the ZLoader campaign authors put great effort into defense evasion and are still updating their methods on a weekly basis. The researchers strongly urge users to apply Microsoft's update for strict Authenticode verification, since it is not applied by default. Users were also advised not to install programs from unknown sources and not to click on links or open attachments in unsolicited messages. Most of the victims of the new campaign are located in the US (40%), followed by Canada (14%) and India (6%).

    Infosecurity reports: "Info-Stealing Malware Hits 100+ Countries"

  • news

    Visible to the public "Sophisticated iLOBleed Rootkit Targets HP Servers"

    The Tehran-based security firm Amnpardaz discovered and analyzed malware dubbed iLOBleed. It is described as a sophisticated rootkit designed to target HP servers. Findings suggest that it has been used to target organizations in Iran, but no other information has been shared about those who have fallen victim to the malware. The rootkit's sophistication indicates that an advanced persistent threat (APT) actor is likely behind it. According to Amnpardaz, iLOBleed is an implant that targets Hewlett Packard Enterprise's (HPE) Integrated Lights-Out (iLO) embedded server management technology. This technology allows users to monitor, configure, and update their servers remotely, and it is embedded in the motherboard of HP servers. The rootkit, which was first discovered in 2020, appears to use iLO firmware vulnerabilities found and disclosed over the past years. Although these vulnerabilities may have been fixed in more recent versions of HP firmware, an attacker can downgrade the firmware to a more vulnerable version, which is possible on most systems. In addition, users cannot disable iLO completely. The iLOBleed rootkit can be delivered to targeted devices via the dedicated iLO network port. A user with administrator or root privileges can also deliver the rootkit through the server's operating system. When it is deployed on a device, the rootkit adds a malicious module to the iLO firmware, giving the attackers complete control over the compromised machine. Rootkits such as iLOBleed are highly persistent and stealthy. This article continues to discuss findings regarding the targets, delivery, and process of the iLOBleed rootkit.

    SecurityWeek reports "Sophisticated iLOBleed Rootkit Targets HP Servers"

  • news

    Visible to the public "Cyber Threats to Critical Manufacturing Sector Industrial Control Systems"

    The Critical Manufacturing Sector is at risk due to the expansion of the cyber threat landscape and attack surface, as well as the limited cybersecurity workforces associated with the COVID-19 pandemic. The US Homeland Security Department's Cybersecurity and Infrastructure Security Agency (CISA) has identified potential vulnerabilities in Industrial Control Systems (ICS) resulting from increased remote ICS management and industry adaptation to working conditions during the pandemic. These vulnerabilities include expanded cyberattack surfaces, reduced network segmentation and securitization, and unauthorized access (both physical and online). This article continues to discuss CISA's insights regarding cyber threats to the control systems that manage industrial processes in the Critical Manufacturing Sector.

    HSToday reports "Cyber Threats to Critical Manufacturing Sector Industrial Control Systems"

  • news

    Visible to the public "McMenamins Data Breach Affects 12 Years of Employee Info"

    A ransomware attack faced by the restaurant and hotel chain McMenamins on December 12, 2021, compromised 12 years of internal employee data. The ransomware attack forced the organization to shut down different operations, but its locations can still serve customers. McMenamins has confirmed that the attackers were able to compromise internal data belonging to employees who have worked for the company between January 1, 1998, and June 30, 2010. This set of data includes personal information such as names, home addresses, telephone numbers, email addresses, medical notes, Social Security numbers, income amounts, and more. The attackers could sell or use this data to carry out phishing attacks, commit identity theft, and other malicious activities. McMenamins is offering identity and credit protection services to past and current employees in response to the discovery. The organization has also dedicated a call center to answer questions about the ransomware incident. Letters have been sent to all affected individuals about what information was compromised and how they can protect their identity and credit. This article continues to discuss the impact and perpetrators of the December ransomware attack against McMenamins.

    Threatpost reports "McMenamins Data Breach Affects 12 Years of Employee Info"

  • news

    Visible to the public "Don't Copy-Paste Commands From Web Pages — You Can Get Hacked"

    Gabriel Friedlander, the founder of the security awareness training platform Wizer, has demonstrated that copying and pasting commands from web pages into a console or terminal can put one's system at risk of getting hacked. Whether they are beginners or experts, developers often copy commonly used commands from a web page such as Stack Overflow and paste them into their Windows command prompt, Linux terminal, or another application. However, Friedlander has shown that a web page can covertly replace the contents of the user's clipboard, changing what is copied to something vastly different from what the user intended to copy. The developer may only realize the mistake after pasting the text, at which point it could be too late. Friedlander published a proof-of-concept (PoC) on his blog in which he asked readers to copy a simple command that is familiar to most system administrators and developers. When the command is pasted into a text box or Notepad, the result is a completely different command with a newline (or return) character at the end, meaning it would execute immediately if pasted directly into a Linux terminal. Those who paste the text from Friedlander's blog may think they just copied the "sudo apt update" command used to fetch updated information on the software installed on a system, but it is actually something different. This article continues to discuss Friedlander's findings regarding the possibility of getting hacked by copying and pasting commands from web pages into a console or terminal.

    Bleeping Computer reports "Don't Copy-Paste Commands From Web Pages -- You Can Get Hacked"

  • news

    Visible to the public "Saltzer Health Informs Patients of Personal Information Exposure"

    Intermountain Healthcare-owned Saltzer Health is informing patients that their personal information might have been compromised after an unauthorized party gained access to an employee email account. The organization operates 12 clinics and urgent care facilities in Boise, Caldwell, Meridian, and Nampa, Idaho, and said the attackers had access to the employee email account between May 25 and June 1, 2021. The company stated that the investigation into the incident revealed that the email account contained personal information that was potentially compromised during the unauthorized access. Potentially affected information includes names and contact information, driver's license numbers and state identification numbers, and, in some cases, Social Security numbers and financial account details. Medical information affected by the unauthorized access includes diagnosis, medical history, treatment details, prescription medication information, and physician information, along with health insurance information. Saltzer Health told the U.S. Department of Health and Human Services that the incident potentially impacted 15,650 people. The organization stated that it has taken steps to mitigate the risk of data compromise within its environment, including resetting the affected email account's password and monitoring its network for any suspicious activity. According to Saltzer Health, it has not received reports of identity theft or fraud following the incident.

    SecurityWeek reports: "Saltzer Health Informs Patients of Personal Information Exposure"

  • news

    Visible to the public "HSCA Releases Cybersecurity Guidelines for Medical Device Manufacturers"

    The Healthcare Supply Chain Association (HSCA) recently released guidelines for medical device manufacturers and healthcare providers on cybersecurity and patient privacy practices. HSCA's new guidance covers cybersecurity training, software, equipment acquisition standards, risk coverage, data encryption, information sharing, and more. The guidelines also provide tips on how healthcare organizations and medical device manufacturers can identify red flags before doing business with a third-party vendor or organization. In addition, HSCA calls on third-party vendors to follow strict cybersecurity standards to protect the privacy of patient data. Todd Ebert, HSCA president and CEO, pointed out that the widespread adoption of telemedicine and shift to virtual operations during the COVID-19 pandemic has shown how vital information technology, software, and medical devices are in improving patient care. However, recent cyberattacks have proven that medical devices and services are vulnerable to cybersecurity threats that could put patient health, safety, and privacy at risk. HSCA recommends that healthcare organizations and suppliers participate in one or more Information Sharing and Analysis Organizations (ISAOs), such as the Health Information Sharing and Analysis Center (H-ISAC). The trade association advises against working with manufacturers that do not actively participate in an ISAO. Healthcare organizations are encouraged to designate an information technology officer or a network security officer and provide role-appropriate cybersecurity training to employees. HSCA also suggests that healthcare organizations and suppliers implement firewalls, network segmentation, and strict access control. This article continues to discuss the cybersecurity guidelines released by HSCA for medical device manufacturers and healthcare providers.

    HealthITSecurity reports "HSCA Releases Cybersecurity Guidelines for Medical Device Manufacturers"

  • news

    Visible to the public "AT&T And Verizon Will Delay 5G Expansion Over Aircraft Interference Concerns"

    AT&T and Verizon won't start rolling out their C-band 5G service on January 5th as they originally planned. Instead, they have agreed to comply with a request from the Federal Aviation Administration and the Transportation Department to push back their 5G expansion by two more weeks. Authorities asked the companies for extra time to investigate concerns regarding possible interference with aircraft systems and electronics. Airlines and aircraft manufacturers are worried that the new frequencies are too close to those used by airplanes' radar altimeters, which provide data on the distance between the plane and the ground. Interference with an airplane's radar altimeter could lead to unsafe landings. Wireless industry giants argue, however, that the C-band service's power levels are low enough and that the gap in frequencies is large enough to prevent interference.

    Engadget reports: "AT&T And Verizon Will Delay 5G Expansion Over Aircraft Interference Concerns"

  • news

    Visible to the public "An Apple HomeKit Bug Can Send iOS Devices Into a Death Spiral"

    New security research has revealed a vulnerability that can cause iOS devices to freeze, crash, and reboot if a user connects to a sabotaged Apple Home device. The bug, discovered by security researcher Trevor Spiniolas, can be exploited via Apple's HomeKit API, which is the software interface that enables an iOS app to control compatible smart home devices. According to Spiniolas, if an attacker creates a HomeKit device with a significantly long name, such as one with a length of around 500,000 characters, then an iOS device connecting to it will become unresponsive when it reads the device name. The iOS device will start freezing and rebooting, which can only stop if the device is wiped and restored. Users are urged to immediately reject any invitations to join an unfamiliar Home network in order to protect themselves from the attack. In addition, iOS users currently using smart home devices should disable the setting "Show Home Controls" in the Control Center to limit which information can be accessed through the center. The new vulnerability impacts the latest iOS version, 15.2, and goes as far back as version 14.7. This article continues to discuss the potential impact of the Apple HomeKit vulnerability, how iOS users can guard against an attack executed through this bug, and Apple's response to the disclosure of the flaw.

    The Verge reports "An Apple HomeKit Bug Can Send iOS Devices Into a Death Spiral"

  • news

    Visible to the public "In the Fight Against Cybercrime, Takedowns Are Only Temporary"

    In November 2021, ten months after Emotet's servers and infrastructure were taken down by an international task force, the botnet returned. The new Emotet consisted of two botnets that used different encryption for communication and supported additional commands compared with the previous version taken down in January 2021. At the time of the takedown, the threat had made up 7 percent of attacks on organizations globally and often delivered malware or ransomware to the 1.6 million machines it had compromised. The revival of Emotet brings further attention to the lack of permanence of botnet takedowns. According to David Monnier, a fellow with the threat intelligence firm Team Cymru, Emotet's resurgence, as well as the return of TrickBot in 2020, calls on the industry and government agencies to examine further whether the takedown tactic needs to be revised or revisited. Attackers' ability to learn from their actions and return with improved tactics, techniques, and procedures (TTPs) prevents many takedown efforts from being successful. Although defenders and law enforcement are getting better at takedown efforts, the balance currently favors attackers, so defenders must continue striving to increase the speed of disruption efforts and to increase the time it takes attackers to recover by taking down servers and infrastructure. Consistent effort will keep pressure on malicious actors and make cybercrime less profitable. This article continues to discuss the temporary Emotet shutdown, why many cybercrime shutdowns lack permanence, and the importance of continuing efforts to disrupt cybercrime activity.

    Dark Reading reports "In the Fight Against Cybercrime, Takedowns Are Only Temporary"

  • news

    Visible to the public "Multiple Vulnerabilities Impact Netgear Nighthawk R6700 Routers"

    According to Tenable researchers, Netgear Nighthawk R6700v3 routers running the latest firmware are affected by multiple vulnerabilities. The most important of these security defects allows an authenticated attacker to inject commands that are executed when the device checks for updates. Tracked as CVE-2021-20173, the issue exists because unsanitized input is passed to system() calls in the upnpd binary. The adversary can send requests to the SOAP interface to force update checks and trigger the execution of the injected commands. Furthermore, Tenable's researchers discovered that communication to and from the device's web and SOAP interfaces is not encrypted, meaning that sensitive information such as usernames and passwords is transmitted in cleartext. The researchers also noticed that the device stores usernames and passwords in plaintext, including the admin password. Another identified vulnerability (CVE-2021-23147) could allow an attacker with physical access to the device to connect to the UART port via a serial connection and run commands as root without authentication. Additionally, Tenable's researchers discovered that the device uses instances of known vulnerable jQuery libraries, as well as a minidlna.exe iteration that contains publicly known vulnerabilities. Netgear Nighthawk R6700v3 routers running firmware version are known to be vulnerable. The researchers reported the bugs to Netgear at the end of September, but the vendor has yet to release patches.

    SecurityWeek reports: "Multiple Vulnerabilities Impact Netgear Nighthawk R6700 Routers"
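    The command-injection defect described above (CVE-2021-20173: unsanitized input reaching system() in an update-check path) is the classic CWE-78 pattern. The following C program is an added illustration, not Tenable's findings or Netgear's upnpd source: it contrasts a constructed version of the weak pattern (an attacker-controlled host name spliced into a shell command string) with a hardened version that validates the host name against a strict allowlist and then executes the helper through an argument vector with no shell involved. The function and file names, the wget helper and the "updates.example.com" host are all assumptions made for the example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Weak pattern (constructed illustration, not the upnpd code): a host name
 * taken from a request field is spliced into a command line destined for
 * system().  Whatever the caller put in `host`, shell metacharacters
 * included, becomes part of the command.  Returns 0 on success, -1 if the
 * buffer is too small.  The string is only built here, never executed. */
int build_update_command_unsafe(const char *host, char *out, size_t outlen)
{
    int n = snprintf(out, outlen,
                     "wget -q -O /tmp/fw.bin http://%s/firmware.bin", host);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Hardened, step 1: positive validation.  Accept only RFC 1123-style host
 * names: dot-separated labels of letters, digits and hyphens, no label
 * starting or ending with a hyphen, at most 63 chars per label, 253 total. */
int is_valid_hostname(const char *host)
{
    size_t len = strlen(host);
    size_t label = 0;                       /* length of the current label */
    if (len == 0 || len > 253) return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)host[i];
        if (c == '.') {
            if (label == 0 || host[i - 1] == '-') return 0;
            label = 0;
            continue;
        }
        if (!(isalnum(c) || c == '-')) return 0;   /* rejects ; | & $ ` etc. */
        if (label == 0 && c == '-') return 0;
        if (++label > 63) return 0;
    }
    return label > 0 && host[len - 1] != '-';
}

/* Hardened, step 2: build an argv instead of a command string, so no shell
 * ever interprets the input.  Returns argc on success, -1 on rejection. */
int build_update_argv(const char *host, char *url, size_t urllen,
                      const char *argv[], size_t argvlen)
{
    if (!is_valid_hostname(host)) return -1;
    int n = snprintf(url, urllen, "http://%s/firmware.bin", host);
    if (n < 0 || (size_t)n >= urllen) return -1;
    const char *args[] = { "wget", "-q", "-O", "/tmp/fw.bin", url, NULL };
    size_t argc = sizeof(args) / sizeof(args[0]) - 1;
    if (argvlen < argc + 1) return -1;
    memcpy(argv, args, sizeof(args));
    return (int)argc;
}

/* Run the update check without a shell.  Returns the helper's exit status,
 * or -1 if the host was rejected or the process could not be started. */
int check_for_updates_safe(const char *host)
{
    char url[300];
    const char *argv[8];
    if (build_update_argv(host, url, sizeof url, argv, 8) < 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execvp(argv[0], (char *const *)argv);
        _exit(127);                          /* exec failed */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed inputs: a benign host and one carrying a shell metacharacter. */
    const char *inputs[] = { "updates.example.com", "updates.example.com; reboot" };
    char cmd[300];
    for (int i = 0; i < 2; i++) {
        build_update_command_unsafe(inputs[i], cmd, sizeof cmd);
        printf("unsafe command line: %s\n", cmd);
        printf("allowlist accepts it: %s\n", is_valid_hostname(inputs[i]) ? "yes" : "no");
    }
    return 0;
}
```

    The allowlist rejects the second input before any process is created, and even an accepted host only ever reaches the helper as a single argv element, so the set of characters that could change what runs is reduced to the ones the validator admits. Authentication on the SOAP endpoint is still required; the argv construction just removes the injection sink.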

  • news

    Visible to the public "Copycat And Fad Hackers Will be The Bane of Supply Chain Security in 2022"

    Security researchers have warned that replicable attacks and a low barrier to entry will ensure that the rate of supply chain attacks increases in 2022. The researchers stated that by compromising a centralized service, platform, or software product, attackers can then either conduct widespread infiltration of the original victim's customers and clients or cherry-pick the most valuable potential targets. Doing this can save adversaries time and money, as one successful attack can open the door to potentially thousands of victims at once. In an analysis of 24 recent software supply chain attacks, including those experienced by Codecov, Kaseya, SolarWinds, and Mimecast, the European Union Agency for Cybersecurity (ENISA) said that the planning and execution stages of supply chain attacks are usually complex, but the attack methods chosen often are not. The researchers noted that supply chain attacks can be conducted through the exploitation of software vulnerabilities, malware, phishing, stolen certificates, compromised employee credentials and accounts, vulnerable open source components, and firmware tampering, among other vectors. Ilkka Turunen, Field CTO of Sonatype, said that malicious software supply chain activity is likely to increase in 2022 due to low-barrier-to-entry attack methods such as dependency confusion, which is a "highly replicable" attack method. Security researchers also believe that ransomware incidents will increase in 2022. Forcepoint researchers expect to see a "significant" rise in copycat attacks against the supply chain in 2022. The researchers at Forcepoint urge organizations to conduct frequent code reviews of the software they use, and they encourage organizations to keep security in mind during every step of the software development and deployment process.

    ZDNet reports: "Copycat And Fad Hackers Will be The Bane of Supply Chain Security in 2022"

  • news

    Visible to the public "Polygon Bug Put $23 Billion in Cryptocurrency at Risk"

    On December 3, white hat hackers at the bug bounty platform Immunefi discovered a vulnerability in Polygon, a framework used to build Ethereum-compatible blockchain networks. The bug would have put 9,276,584,332 MATIC, worth almost $23 billion, at risk. MATIC is the cryptocurrency of the Polygon network. With help from Immunefi, Polygon's core development team was able to fix the critical network vulnerability. It was found in the network's proof-of-stake genesis contract. Before the Polygon team addressed it, a malicious hacker exploited the bug to steal about 801,601 MATIC, worth nearly $2 million at the time. According to Immunefi, the vulnerability stemmed from a lack of balance/allowance checks in the transfer function of Polygon's MRC20 contract. An attacker would have been able to steal all available MATIC from that contract by exploiting the bug. Polygon paid the two white hat hackers who discovered the vulnerability a total bounty of $3.46 million. This article continues to discuss the Polygon bug that put $23 billion worth of MATIC at risk and concerns surrounding how Polygon addressed the vulnerability.

    BankInfoSecurity reports "Polygon Bug Put $23 Billion in Cryptocurrency at Risk"
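    The Polygon item above attributes the flaw to "a lack of balance/allowance checks in the transfer function" of the MRC20 contract. The program below is an added example, not Polygon's or Immunefi's code and not Solidity: it models a minimal token ledger in C, with an ERC-20-style transferFrom in two forms. The unchecked form moves tokens on the caller's say-so, so a transfer larger than the owner's balance silently wraps the balance around; the checked form verifies the accounts, the spender's allowance, the owner's balance and the receiver's headroom before touching any state. The ledger layout, account numbers, error codes and amounts are all constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ACCOUNTS 4   /* constructed toy ledger: four numbered accounts */

typedef struct {
    uint64_t balance[ACCOUNTS];
    uint64_t allowance[ACCOUNTS][ACCOUNTS];   /* allowance[owner][spender] */
} ledger_t;

enum {
    XFER_OK = 0,
    XFER_BAD_ACCOUNT = -1,
    XFER_INSUFFICIENT_ALLOWANCE = -2,
    XFER_INSUFFICIENT_BALANCE = -3,
    XFER_OVERFLOW = -4
};

static int account_ok(int a) { return a >= 0 && a < ACCOUNTS; }

/* Mint the whole supply to one treasury account. */
void ledger_init(ledger_t *l, uint64_t supply, int treasury)
{
    memset(l, 0, sizeof *l);
    if (account_ok(treasury)) l->balance[treasury] = supply;
}

/* owner lets spender move up to `amount` of owner's tokens. */
int approve(ledger_t *l, int owner, int spender, uint64_t amount)
{
    if (!account_ok(owner) || !account_ok(spender)) return XFER_BAD_ACCOUNT;
    l->allowance[owner][spender] = amount;
    return XFER_OK;
}

/* Defective pattern (constructed, not the MRC20 source): no balance or
 * allowance check at all.  With unsigned arithmetic the owner's balance
 * wraps below zero, so any caller can conjure tokens for `to`. */
int transfer_from_unchecked(ledger_t *l, int owner, int spender, int to,
                            uint64_t amount)
{
    (void)spender;                       /* allowance never consulted */
    l->balance[owner] -= amount;         /* wraps if amount > balance */
    l->balance[to] += amount;
    return XFER_OK;
}

/* Hardened: checks-effects ordering.  Every precondition is verified
 * before any state changes, so a failed transfer leaves the ledger intact. */
int transfer_from_checked(ledger_t *l, int owner, int spender, int to,
                          uint64_t amount)
{
    if (!account_ok(owner) || !account_ok(spender) || !account_ok(to))
        return XFER_BAD_ACCOUNT;
    /* A spender moving someone else's tokens needs an allowance. */
    if (owner != spender && l->allowance[owner][spender] < amount)
        return XFER_INSUFFICIENT_ALLOWANCE;
    if (l->balance[owner] < amount)
        return XFER_INSUFFICIENT_BALANCE;
    if (l->balance[to] > UINT64_MAX - amount)   /* receiver would wrap */
        return XFER_OVERFLOW;

    if (owner != spender) l->allowance[owner][spender] -= amount;
    l->balance[owner] -= amount;
    l->balance[to] += amount;
    return XFER_OK;
}

int main(void)
{
    ledger_t l;
    ledger_init(&l, 1000, 0);            /* constructed: 1000 tokens in account 0 */

    /* Account 3 holds nothing, yet the unchecked path lets it "pay" account 2. */
    transfer_from_unchecked(&l, 3, 3, 2, 5);
    printf("unchecked: acct3=%llu acct2=%llu\n",
           (unsigned long long)l.balance[3], (unsigned long long)l.balance[2]);

    ledger_init(&l, 1000, 0);
    printf("checked, no allowance: rc=%d\n", transfer_from_checked(&l, 0, 1, 2, 10));
    approve(&l, 0, 1, 50);
    printf("checked, allowance 50: rc=%d acct2=%llu\n",
           transfer_from_checked(&l, 0, 1, 2, 10), (unsigned long long)l.balance[2]);
    printf("checked, empty owner:  rc=%d\n", transfer_from_checked(&l, 3, 3, 2, 5));
    return 0;
}
```

    The wrap-around in the unchecked path is the C analogue of what unchecked arithmetic does in a contract: the owner's balance becomes enormous rather than negative, and the total of all balances is no longer bounded by the minted supply. The checked version makes every failure an explicit return code and performs the subtractions only after all four preconditions hold.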