News Items

  • news

    Visible to the public SoS Musings #47 - The Problem with False Positives in Security Operations

    SoS Musings #47 -

    The Problem with False Positives in Security Operations

  • news

    Visible to the public "Dark Web Bursting With COVID-19 Vaccines, Vaccine Passports"

    Security researchers at Check Point have observed a 300 percent increase in listings on the dark web marketplaces advertising vaccine doses, falsified vaccine certifications, negative test results, and more in the last three months. According to the researchers, there are more than 1,200 listings that are offering various vaccines, including Moderna, Pfizer, AstraZeneca, Sputnik, Johnson & Johnson, and Sinopharm. The legitimacy of the doses remains unknown. However, even if the doses were legitimate, there is no guarantee that they have been stored properly. The researchers attempted to purchase the Sinopharm vaccine from one of the dark web vendors. Negotiations for purchasing the vaccine took place on Telegram. The vendor provided reassurance that the vaccine doses were real. The researchers paid $500 in bitcoin for the vaccine then received a FedEx shipping label, but they did not receive the shipment. Dark web vendors are suspected to be having greater success with selling falsified vaccine cards and negative test results, as the researchers have seen more vaccination certificates being offered than vaccines. This article continues to discuss the researchers' observations surrounding the increase in COVID-19-related listings on dark web marketplaces.

    Ars Technica reports "Dark Web Bursting With COVID-19 Vaccines, Vaccine Passports"

  • news

    Visible to the public "Protecting Open-Source Software by Analyzing Community Behavior"

    The Defense Advanced Research Projects Agency (DARPA) wants to develop a dynamic and continuously updated open-source software (OSS) situational awareness capability to preserve the security of the US Defense Department's OSS supply chain. The SocialCyber program will maintain the integrity and security of an OSS project by providing early warnings about weaknesses. DARPA is looking to develop an overall security assessment of an OSS project's complex cyber-socio-technical ecosystem by gathering data pertaining to the security of a project's architecture, participants' social behaviors, attack surfaces, and security economics. The program will explore hybrid methods that can help analyze source code, communication artifacts in relation to development, and social media activity. The analysis of these factors will help detect and combat malicious cyber-social operations as well as safeguard the security and privacy of the Defense Department's open-source infrastructure. This article continues to discuss the aim of the SocialCyber program.

    GCN reports "Protecting Open-Source Software by Analyzing Community Behavior"

  • news

    Visible to the public "New Cybersecurity Programs to Protect US Energy"

    The Department of Energy's (DOE) Office of Cybersecurity, Energy Security, and Emergency Response (CESER) has announced three new researcher programs aimed at strengthening the security of America's energy system against cyberattacks and physical hazards. The new schemes will address potential vulnerabilities in the global supply chains and explore ways to protect critical infrastructure from geomagnetic and electromagnetic interference. The new programs will also focus on establishing a research and talent pipeline for the next generation of cybersecurity professionals. These programs will gather experts from industry, academia, and government to help enhance the energy sector's resilience. CESER pointed out the major threats facing America's critical energy infrastructure, which include digital hazards such as cyberattacks and environmental dangers like climate change, wildfires, and extreme weather. This article continues to discuss the goals and importance of the three new cybersecurity research programs.

    Infosecurity Magazine reports "New Cybersecurity Programs to Protect US Energy"

  • news

    Visible to the public Deepfakes - AI-Generated Media

    Deepfakes - AI-Generated Media

  • news

    Visible to the public Spotlight on Lablet Research #16 - Securing Safety-Critical Machine Learning Algorithms

    Spotlight on Lablet Research #16 -

    Project: Securing Safety-Critical Machine Learning Algorithms

  • news

    Visible to the public Cybersecurity Snapshots #16 - REvil/Shodinokibi Was the Most Widespread Ransomware in 2020

    Cybersecurity Snapshots #16 -

    REvil/Shodinokibi Was the Most Widespread Ransomware in 2020

  • news

    Visible to the public "CISA Warns of Security Flaws in GE Power Management Devices"

    The U.S. Cybersecurity & Infrastructure Security Agency (CISA) is warning of critical-severity security flaws in GE's Universal Relay (UR) family of power management devices. GE's UR devices are computing devices that allow users to control the amount of electrical power consumed by various devices. GE has issued patches for the following affected UR device families: B30, B90, C30, C60, C70, C95, D30, D60, F35, F60, G30, G60, L30, L60, L90, M60, N60, T35, and T60. CISA warned that if not updated, the affected products could be exploited to allow an attacker to access sensitive information, reboot the UR, gain privileged access, or cause a denial-of-service condition. GE strongly recommends users with impacted firmware versions update their UR devices to UR firmware Version 8.10 or greater to resolve these vulnerabilities. Overall, nine vulnerabilities were patched across the affected devices. The most serious of these (CVE-2021-27426) has a CVSS score of 9.8 out of 10, making it critical. The flaw stems from insecure default variable initialization.

    Threatpost reports: "CISA Warns of Security Flaws in GE Power Management Devices"

  • news

    Visible to the public "Shell Latest to Fall to Accellion FTA Exploits"

    The oil giant Shell is a customer of Accellion's File Transfer Appliance (FTA) product and is the latest company to announce that they were affected by a data breach due to adversaries targeting vulnerabilities in the legacy file transfer software. Shell has stated that they have addressed the exploited vulnerabilities and begun an investigation into the incident. Their core IT system was unaffected as FTA is isolated from the rest of its digital infrastructure. They found that an unauthorized party gained access to various files during a limited window of time through the ongoing investigation. Some of the files contained personal data, and others included data from Shell companies and some of their stakeholders. Shell did not state when they discovered the breach and which vulnerabilities were targeted. Accellion patched two zero-day bugs in late December. Other organizations known to have been breached due to adversaries targeting vulnerabilities in the legacy file transfer software include the New Zealand central bank, aircraft maker Bombardier, retail giant Kroger, and legal firm Jones Day.

    Infosecurity reports: "Shell Latest to Fall to Accellion FTA Exploits"

  • news

    Visible to the public "COVID-19 Related Cyber-Attacks Leveraged Government Announcements"

    Researchers from the University of Oxford, WMG, University of Warwick, Abertay University, University of Kent, and the University of Strathclyde worked together in a study titled, "Cyber Security in the Age of COVID-19: A Timeline and Analysis of Cyber-Crime and Cyber-Attacks during the Pandemic," which has been published in the Computers and Security journal. The study reveals a clear connection between cybercrime campaigns and governmental policy announcements. This pattern has been suspected for a while, but this is the first study on it that involves hundreds of cases globally to make this direct connection. There have been many reports of scams involving the impersonation of public authorities like the World Health Organization, as well as organizations such as supermarkets and airlines, since the outbreak of the COVID-19 pandemic in 2019. These scams have also targeted members of the public, who are now spending more time online. Many of the COVID-19 cyberattacks analyzed in this study begin with a phishing campaign that fools victims into downloading a file or accessing a URL. The file or the URL act as the carrier of malware, which then acts as the vehicle for fraud when installed. The analysis showed that the likelihood of the attack's success increased when the phishing campaign leverages media and governmental announcements. The researchers observed a surge in cyberattacks targeting critical infrastructures, governments, organizations, and end-users, influenced by governmental announcements. The researchers observed targeted attacks, the selling of counterfeited medical equipment to hospitals, the denial of essential services via ransomware attacks, the sale of fake online COVID-19 testing equipment, and more. This article continues to discuss the performance and key findings from the collaborative study.

    The University of Oxford reports "COVID-19 Related Cyber-Attacks Leveraged Government Announcements"

  • news

    Visible to the public "CopperStealer Malware Infected up to 5,000 Hosts per Day Over First Three Months of 2021"

    CopperStealer is a newly documented China-based malware that has stolen user credentials on major platforms, including Facebook, Instagram, Apple, Amazon, Bing, PayPal, Tumblr, Twitter, and Google. Proofpoint researchers were first alerted about the malware sample in late January. According to Chris Morgan, the senior cyber threat intelligence analyst at Digital Shadows, CopperStealer offers its users various options for exfiltrating sensitive data and dropping additional malware. The targeting of several different social media platforms indicates that the CopperStealer malware operator likely wants to takeover targeted accounts to perform additional malicious activities. It has been confirmed that threat actors from the People's Republic of China (PRC) are linked to the creation of CopperStealer. These threat actors are known to have previously used compromised social media accounts to spread misinformation as well as influence operations in regard to PRC events. The delivery of CopperStealer relies on users' interaction with torrent sites that offer free versions of legitimate software. This article continues to discuss the discovery, creation, capabilities, delivery, impact, and mitigation of the CopperStealer malware.

    SC Media reports "CopperStealer Malware Infected up to 5,000 Hosts per Day Over First Three Months of 2021"

  • news

    Visible to the public "Critical Security Bugs Fixed in Virtual Learning Software"

    Researchers at McAfee Labs Advanced Threat Research discovered critical vulnerabilities in the Netop Vision Pro system that could allow attackers to hijack school networks, deliver malware, determine students' IP addresses, eavesdrop, and more. Netop, the company behind the popular software tool designed to let teachers remotely access student computers, has fixed four security bugs in its platform. The flaws were disclosed to Netop on Dec. 11. By late February, the company had issued an update addressing several of the concerns (in Netop Vision Pro version 9.7.2). The researchers disclosed that the new update fixed the local privilege escalations, encrypted formerly plaintext Windows credentials, and mitigated the arbitrary read/writes on the remote filesystem within the MChat client. The researchers stated that the network traffic is still unencrypted, including the screenshots of the student computers. Netop has assured the researchers that it is working on implementing encryption on all network traffic for a future update.

    Threatpost reports: "Critical Security Bugs Fixed in Virtual Learning Software"

  • news

    Visible to the public "Tool Created to Aid Cleanup From Microsoft Hack in Broad Use"

    Microsoft released a new one-click tool called the Microsoft Exchange On-Premises Mitigation Tool to help businesses protect themselves from threats associated with the recent Microsoft email server software hack. According to the White House's National Security Council (NSC), the tool has been downloaded more than 25,000 times since its release. An NSC spokesperson revealed that the number of vulnerable systems has decreased by 45 percent because of the tool. The one-click Microsoft tool scans systems for compromises and then fixes them. This article continues to discuss the capabilities, development, and impact of the one-click Microsoft tool, as well as the recent Exchange Server on-premises attacks.

    POLITICO reports "Tool Created to Aid Cleanup From Microsoft Hack in Broad Use"

  • news

    Visible to the public Pub Crawl #48

    Pub_Crawl_web.jpgPub Crawl summarizes, by hard problems, sets of publications that have been peer reviewed and presented at SoS conferences or referenced in current work. The topics are chosen for their usefulness for current researchers.

  • news

    Visible to the public Ransomware gangs are on the rise

    Ransomware gangs are on the rise and making off with bigger payoffs. The average ransom paid tripled over the last year to #312,493 finds a Palo Alto Networks Unit 42 report. There is also a quicker spread of successful ransom techniques among the gangs. The government and industry are trying to strike back by taking down the criminals and their servers. Ransom ware victims should alert law enforcement as soon as possible after

  • news

    Visible to the public "Twitter Images Can Be Abused to Hide ZIP, MP3 Files" 

    Security researcher and programmer David Buchanan has discovered a new steganography method that involves hiding up to three MB of data inside a Portable Networks Graphics (PNG) image file posted on Twitter. Cybercriminals can use steganography to hide malware and communicate secretly with other criminals. Hackers practice steganography by hiding malicious data in image files, video clips, audio files, and other unsuspected formats. Steganography is an attractive method to hackers because most users would not suspect that such files would be used to execute attacks. Buchanan demonstrated how malicious actors could use this technique on a popular website like Twitter by hiding MP3 audio files and ZIP archives within PNG images hosted on the social media platform. The PNG files on Twitter represent valid images when previewed. However, by downloading the images and changing their file extension, different content can be obtained from the same files. Buchanan posted an example 6 KB image file on Twitter that contains an entire ZIP archive, which includes his source code. Anyone can use this source code to pack miscellaneous contents into a PNG image. In another example, Buchanan tweeted an image that plays a song when downloaded, renamed to .mp3, and opened in the VLC media player. Twitter attempts to strip unnecessary metadata from PNG uploads but does not remove the data appended to the end of the DEFLATE stream, which is the part of the file that stores the compressed pixel data. This article continues to discuss the new steganography method that cybercriminals could use to hide malicious commands, payload, and other content inside photos posted on Twitter, as well as other steganographic techniques recently discovered by researchers.

    Bleeping Computer reports "Twitter Images Can Be Abused to Hide ZIP, MP3 Files"

  • news

    Visible to the public "DHS CISA Shares Incident Response Tool for On-Prem Threat Activity"

    The CISA Hunt and Incident Response Program (CHIRP) is a new forensics collection tool developed by the U.S. Homeland Security Department's Cybersecurity and Infrastructure Security Agency (CISA) to help network defenders detect signs of advanced persistent threat (APT) compromise within an on-premises environment. CHIRP is a forensics collection tool that will help detect indicators of compromise (IOCs) associated with SolarWinds and Active Directory/M365 threat activities. According to CISA, CHIRP is a command-line executable with a dynamic plugin to search for IOCs. The tool's plugins search through event logs and registry keys, as well as run YARA rules to look for signs of APT tactics, techniques, and procedures. It also has a YAML file containing a list of IOCs associated with malware and APT activity. The current version of CHIRP looks for the presence of TEARDROP and RAINDROP, which are two malware strains identified by security researchers. CHIRP also looks for credential dumping certificate pulls and persistence mechanisms. The tool is available for free on the CISA GitHub repository. Officials will continue monitoring for new threats and will release IOC packages and plugins for the threats. This article continues to discuss the purpose and features of the CHIRP tool.

    HealthITSecurity reports "DHS CISA Shares Incident Response Tool for On-Prem Threat Activity"

  • news

    Visible to the public "The Benefits And Challenges of Passwordless Authentication"

    More and more organizations are adopting passwordless authentication. Researchers at Gartner predict that, by 2022, 60% of large and global enterprises and 90% of midsize enterprises will implement passwordless methods in more than half of use cases. Passwordless authentication can be used both for personal and business purposes. When it comes to personal use almost, every user has multiple online accounts, making it hard to create and even harder to remember all passwords. Therefore, a device with fingerprint or face recognition is handy. For enterprises, the need for passwordless authentication is even more crucial, as it provides the ability to implement more granular access control with a stricter zero-trust policy. Passwordless authentication also allows enterprises to eliminate the burden of remembering new passwords every three months for users and reduces the cost of supporting IT departments' whole system. The researchers argue that although passwordless represents a more secure authentication method, there are still challenges in deploying this model. The most significant issues are associated with the total budget and migration complexity. The budget should include costs for buying hardware and expenses for setup and configuration. There is also the challenge of overcoming the old-school mentality when employees and IT leadership are resistant to a move away from familiar and conventional security methods.

    Help Net Security reports: "The Benefits And Challenges of Passwordless Authentication"

  • news

    Visible to the public "Delphi Study of Risk to Individuals Who Disclose Personal Information Online"

    A Delphi study was done on the risk posed to individuals who disclose personal information online. The study highlighted priorities for protecting personal privacy online. The study is based on the views of a panel of experts in privacy and information security. A literature review provided a corpus of 69 peer-reviewed articles regarding recent research surrounding information privacy risk published between 2014 and 2019. The articles were categorized through the performance of a cluster analysis based on Pearson's correlation coefficient. The analysis resulted in the identification of future research priorities, including personalization, social networks, risk assessment, and regulation. This article continues to discuss the performance and findings from the Delphi study and how it revealed priorities for addressing online risk to individuals.

    The University of London reports "Delphi Study of Risk to Individuals Who Disclose Personal Information Online"

  • news

    Visible to the public "Zoom Screen-Sharing Glitch ‘Briefly’ Leaks Sensitive Data"

    Security researchers found a security blip in the current version of Zoom, which could inadvertently leak users' data to other meeting participants on a call. The data is only leaked briefly, making a potential attack difficult to carry out. The flaw (CVE-2021-28133) stems from a glitch in the video conferencing platform Zoom's screen sharing function. When a user shares one split application window (such as presentation slides in a web browser) while opening other applications (such as a mail client) in the background, in what is supposed to be in non-shared mode, researchers found that the contents of the explicitly non-shared application window can be perceived for a "brief moment" by meeting participants. While this would only occur briefly, researchers warn that other meeting participants who are recording the Zoom meeting (either through Zoom's built-in recording capabilities or via screen recording software like SimpleScreenRecorder) can go back to the recording and fully view any potentially sensitive data leaked through that transmission. Because this bug would be difficult to exploit intentionally (an attacker would need to be a participant in a meeting where the bug inadvertently leaks data), the flaw is only medium-severity (5.7 out of 10) on the CVSS scale.

    Threatpost reports: "Zoom Screen-Sharing Glitch 'Briefly' Leaks Sensitive Data"

  • news

    Visible to the public "Internet Crime Complaints Surge in 2020, Fueled By Pandemic"

    According to the FBI, suspected internet crime complaints increased by 69% in 2020 compared to 2019 in the US. Total complaints reached 791,790 last year, representing a rise of more than 300,000 compared to 2019. This resulted in total recorded losses of more than $4.1bn to victims, as cyber-criminals took advantage of the shift to online services due to COVID-19 lockdown restrictions. Researchers from the Internet Crime Complaint Center (IC3) found that business email compromise was the costliest scam technique employed. The first most prominent form of internet crime reported was phishing, which surged from 114,702 complaints in 2019 to 241,342 in 2020. Phishing resulted in adjusted losses for victims of over $54m. The second most prominent form of internet crime was non-payment/non-delivery scams, growing from 61,832 in 2019 to 108,869, resulting in losses of more than $265m. Extortion was the third most complained about internet crime last year, rising from 43,101 victims in 2019 to 76,741 in 2020. Total losses from extortion were recorded around $70m.

    Infosecurity reports: "Internet Crime Complaints Surge in 2020, Fueled By Pandemic"

  • news

    Visible to the public "Ransom Payments Have Nearly Tripled"

    In 2020 researchers from Palo Alto Networks found that manufacturing, healthcare, and construction companies suffered 39% of ransomware attacks in 2020. The average ransom paid by companies jumped 171% to more than $312,000. The highest ransom demand was $30 million, and the highest-known paid ransom was $10 million. The researchers stated that as organizations shifted to remote workforces due to the COVID-19 pandemic, ransomware operators adapted their tactics accordingly. Adversaries started to increase the use of malicious emails containing pandemic-based subjects and even malicious mobile apps claiming to offer information about the virus. Researchers at Chainalysis found that ransoms paid using cryptocurrency surged 311% in 2020 and approached a grand total of $350 million.

    Dark Reading reports: "Ransom Payments Have Nearly Tripled"

  • news

    Visible to the public "New Malware Uses Malicious Xcode Project to Install Backdoors on Developer Macs"

    Security researchers at SentinelLabs have discovered a new malware called XcodeSpy that targets Xcode developers. XcodeSpy impacts the Xcode integrated development environment (IDE) on macOS. Xcode is a coding platform that allows developers to create Apple Store applications for iPhone, Mac, and other Apple devices. According to the researchers, malicious actors are abusing the IDE's Run Script feature to infect those using shared Xcode projects. They discovered a trojanized version of the legitimate iOS TabBarInjection Xcode project. When the project is downloaded and launched, it installs a custom variant of the EggShell backdoor that allows attackers to upload files, download files, record a victim's microphone, and more. This article continues to discuss the capabilities, distribution, targets, and potential impact of the new XcodeSpy malware.

    AppleInsider reports "New Malware Uses Malicious Xcode Project to Install Backdoors on Developer Macs"

  • news

    Visible to the public  "Facebook Adds Hardware Security Key Support for Android and iOS"

    Facebook has supported hardware security keys on desktops since 2017. The social media giant has now expanded its support for hardware security keys to iOS and Android devices. Hardware security keys add an extra layer of security to online accounts. The use of these keys is considered a top authentication method that bolsters the protection of users' online data. Those who are frequently targeted by hackers, such as politicians, activists, and other high-profile entities, are encouraged to use them. This article continues to discuss Facebook's expanded support for hardware security keys to mobile devices, the concept of security keys, and who should use them.

    Engadget "Facebook Adds Hardware Security Key Support for Android and iOS"

  • news

    Visible to the public "FBI Warns of PYSA Ransomware Attacks on Education Institutions in US, UK"

    The FBI issued a warning about an increase in PYSA ransomware attacks against education institutions in the United States and the United Kingdom. According to the FBI, PYSA ransomware attacks have targeted higher education, K-12 schools, and seminaries. The cyber actors behind the PYSA attacks remain unidentified. They are known to encrypt data on compromised systems, steal sensitive information, and threaten to leak the information to increase pressure on victims to pay the demanded ransom. The threat actors use phishing attacks and Remote Desktop Protocol (RDP) attacks to gain initial access to targeted networks. The tools used by the attackers include PowerShell Empire, Mimikatz, Koadic, and Advanced Port/IP Scanners. This article continues to discuss the information shared by the FBI's alert about the PYSA ransomware attacks on educational institutions.

    Security Week reports "FBI Warns of PYSA Ransomware Attacks on Education Institutions in US, UK"

  • news

    Visible to the public  "New BYU Algorithm Making ID Verification More Secure by Tracking Facial Movements"

    Studies have revealed significant security flaws in some of the most advanced human biometric identification systems, including those based on fingerprints and retina scans. Researchers at Brigham Young University (BYU) developed an improved and more secure method for using facial recognition for access control. They created a technique called Concurrent Two-Factor Identity Verification (C2FIV) that requires both facial identity and a unique facial motion to gain access. A user must record a short 1-2 second video of a special facial motion or a lip movement while facing the camera and reading a secret phrase. The video is then used as input for the device. The facial features and the features of the facial movement are extracted and stored for later ID verification. This method ensures that the identity verification process is intentional since the verification cannot occur if the user is unconscious. With other biometric identification systems like fingerprint recognition technologies, a user's finger can still be used to unlock their device even if they are unconscious. C2FIV learns facial features and actions like blinking, smiling, eyebrow-raising, and more, simultaneously using an integrated neural network framework that models dynamic, sequential data such as facial motions. This framework considers all frames in a recording. In the preliminary study, the trained neural network verified identities with a 90 percent accuracy rate. D.J. Lee, an electrical and computer engineering professor at BYU and leader in the development of the new facial recognition technology, says the C2FIV system's application could go beyond smartphone access into ATM use, online banking, hotel room entry, safe deposit box access, keyless vehicle access, and more. This article continues to discuss the study, goal, capabilities, potential applications, and future of the C2FIV system.

    BYU reports "New BYU Algorithm Making ID Verification More Secure by Tracking Facial Movements"

  • news

    Visible to the public "Hackers Are Targeting Telecom Companies to Steal 5G Secrets"

    The McAfee Advanced Threat Research Strategic Intelligence team has uncovered a cyber-espionage campaign targeting telecommunications companies in Southeast Asia, Europe, and the United States. The campaign, dubbed Operation Dianxun, aims to steal sensitive data, including secrets regarding 5G technology. According to the researchers, the attacks are linked to a China-based hacking group known as Mustang Panda or RedDelta, which has a history of launching hacking and espionage campaigns. The campaign is suspected to have targeted at least 23 telecommunications companies. The number of targets that were successfully compromised remains unknown. The attacks involve directing victims to a malicious phishing domain controlled by the group that delivers malware. The phishing website masquerades as the Huawei career site and delivers a malicious Flash application that drops the Cobalt Strike backdoor onto the victim's machine. This backdoor gives the attackers visibility into the victim's machine and the ability to steal sensitive information. This article continues to discuss findings surrounding the Operation Dianxun cyber-espionage campaign regarding its perpetrators, targets, tactics, techniques, and procedures.

    ZDNet reports "Hackers Are Targeting Telecom Companies to Steal 5G Secrets"

  • news

    Visible to the public "$4,000 COVID-19 ‘Relief Checks’ Cloak Dridex Malware"

    Researchers at Cofense have discovered that cybercriminals have wasted no time in hopping on the COVID-19 relief legislation just signed into law (American Rescue Plan) as a lure for email-based scams. A campaign began circulating in March that capitalized on Americans' interest in the forthcoming $1,400 relief payments and other aid. The emails impersonate the IRS, using the agency's official logo and a spoofed sender domain of IRS[.]gov. The email claims to offer an application for financial assistance. In reality, the emails provide the Dridex banking trojan. The email says, "It is possible to get aid from the federal government of your choice," and then offers "quotes" such as a $4,000 check, the ability to skip the queue for vaccination, and free food. There is a button in the email that says, "Get apply form," and if the user clicks the button, then users are taken to a Dropbox account where they see an Excel document that says, "Fill this form below to accept Federal State Aid." However, to see this supposed IRS form in its entirety, victims are prompted to enable content. If they do, they trigger macros that set off the infection chain indirectly. The researchers stated that the macros used by the .XLSM files drop an .XSL file to disk, and then use a Windows Management Instrumentation (WMI) query to gather system information. The WMI query employed in this case demands that the dropped .XSL file is used to format the response to the query. This formatting directive allows JavaScript contained in the .XSL file to be executed via WMI and download malware, avoiding the more commonly seen methods via PowerShell.

    Threatpost reports: "$4,000 COVID-19 'Relief Checks' Cloak Dridex Malware"

  • news

    Visible to the public "Not Just Hands, Your PDFs Also Need to be Sanitized"

    A new study conducted by researchers at the University of Grenoble Alpes found that most organizations and security agencies are not sanitizing Portable Document Format (PDF) files before publishing or sharing them with others. The study involved the analysis of more than 39,000 PDF files published by 75 security agencies from 47 countries. The researchers were able to measure the quality and quantity of information exposed in these PDF files. According to the researchers, these files can be used by malicious actors to find weak links in an organization. For example, cybercriminals could use the PDF files to find out which employees use outdated software. It was discovered that only seven security agencies sanitize their PDF files before publishing. However, the researchers still found sensitive information within 65 percent of the sanitized PDF files. Some agencies are using inadequate sanitization methods. Proper sanitization requires removing hidden sensitive data from the PDF file, not just information considered important. The National Security Agency (NSA) has provided a list of the different types of hidden data and embedded content that may be contained by PDF files such as scripts, metadata, attached files, stored interactive form data, obscured images, and more. This article continues to discuss findings from the study on the sanitization of PDF files by security agencies, the concept of PDF sanitization, the low adoption of this practice, the types of hidden data found in such files, and the levels of sanitization listed by the NSA.

    CISOMAG reports "Not Just Hands, Your PDFs Also Need to be Sanitized"

  • news

    Visible to the public "FBI Alert Warns of Russian, Chinese Use of Deepfake Content"

    The FBI sent out an alert on Wednesday that malicious actors "almost certainly" will be using deepfakes to advance their influence or cyber-operations in the coming weeks. The FBI anticipates that foreign and criminal cyber actors will increasingly use deepfakes for spearphishing and social engineering attacks. The main fear is that if manipulated media is allowed to proliferate unabated, conspiracy theories and maligned influence will become mainstream. A pro-Chinese government influence operation used profile images generated with artificial intelligence (AI) to lend authenticity to their campaign in one recent disinformation case. In another recent case, researchers found that the Russian Internet Research Agency used Generative Adversarial Networks-generated images for fake profile accounts used to push divisions ahead of the U.S. elections in 2020. To catch synthetic media or deepfakes, the FBI suggests users be alert for warping, distortions, syncing issues, or other inconsistencies in images or videos.

    Cyberscoop reports: "FBI Alert Warns of Russian, Chinese Use of Deepfake Content"

  • news

    Visible to the public "New Threat Report Finds Email Prime Vehicle for Malware"

    The Threat Insights Report recently released by HP and Bronium found that 88 percent of malware was delivered via email in the fourth quarter of 2020. In the delivery of malware by email, threat actors have been successful at circumventing measures implemented for email gateways to filter out malicious emails. Email will remain a major attack vector for cybercriminals due to the continued success at exploiting the human factor. The report also highlighted a 12 percent rise in the delivery of malware that exploits a Microsoft Word remote code execution vulnerability and a 12 percent increase in the use of malicious executable files. Of the malware threats captured in Q4 2020, 29 percent were unknown by hash to antivirus scanning engines when they were isolated, primarily due to the widespread use of packers and obfuscation techniques used by threat actors to avoid detection. On average, it took 8.8 days for malware samples to become known by hash to antivirus engines. Experts call on organizations to invest more in resilience than prevention to minimize the impact of attacks as prevention strategies are expected to continue having a high failure rate due to the constant emergence of zero-day vulnerabilities. This article continues to discuss the use of email as the main vehicle for delivering malware, the circumvention of traditional detection-based tools, what obfuscation techniques are being used by attackers, and the need for organizations to increase their investment in resilience to bolster their security.

    TechNewsWorld reports "New Threat Report Finds Email Prime Vehicle for Malware"

  • news

    Visible to the public "URL Phishing Campaign Hides Attack Behind Morse Code"

    A new URL phishing campaign that uses Morse code was discovered in February 2021. Morse code was invented by Samuel Morse and Alfred Vail in the 19th century. It is a communication method that uses dots and dashes to transmit messages. Phishers are now using this method to hide malicious URLs in email attachments and circumvent detection. According to Bleeping Computer, the URL phishing attack begins with a user receiving an email appearing to be an invoice. Once the recipient opens the attachment, it activates in HTML. The attached URL phishing file includes JavaScript code that maps letters and numbers to the dots and dashes of Morse code. When the JavaScript code runs, it uses a decodeMorse() function to translate the Morse code into a hexadecimal string. This hexadecimal string is then decoded into JavaScript tags that are injected into the HTML page. The tags create an image of a fake Excel spreadsheet that prompts the recipient to sign into their Office 365 account. When the user enters their credentials, the login form will send them to a remote site where the attackers can collect them. The attack falls under the umbrella of spear phishing as it involves sending an email to a specific company. This article continues to discuss the use of Morse code in a new URL phishing campaign, other evasion methods used by phishers, and how organizations can defend themselves against URL phishing attacks.

    Security Intelligence reports "URL Phishing Campaign Hides Attack Behind Morse Code"

  • news

    Visible to the public "Latest Mirai Variant Targets SonicWall, D-Link and IoT Devices"

    Security researchers at Palo Alto Networks' Unit 42 discovered that a new variant of the Mirai botnet is targeting known flaws in D-Link, Netgear, and SonicWall devices, as well as newly discovered flaws in unknown IoT devices. Since February 16, the new variant has been targeting six known vulnerabilities and three previously unknown ones in order to infect systems and add them to a botnet. The researchers stated that upon successful exploitation, the attackers try to download a malicious shell script, which contains further infection behaviors such as downloading and executing Mirai variants and brute-forcers.

    Threatpost reports: "Latest Mirai Variant Targets SonicWall, D-Link and IoT Devices"

  • news

    Visible to the public "Ransomware and IoT Malware Detections Surge by Over 60%"

    Researchers at SonicWall discovered that ransomware threats in 2020 spiked 62% globally and 158% in North America as more sophisticated variants like Ryuk targeted larger organizations with multi-staged attacks. The retail sector saw a 365% increase in ransomware threats in 2020, followed by the healthcare sector (123%) and the government sector (21%). There were nearly 82 million cryptojacking detections, a 28% increase from 2019 figures. The researchers also found that IoT malware detections surged 66% as attackers targeted home networks and remote workers, and overall there was a 74% increase in previously undetected malware variants.

    Infosecurity reports: "Ransomware and IoT Malware Detections Surge by Over 60%"

  • news

    Visible to the public "Cyberstalkers Can Hack Into HDMI Ports – FIU Researchers Are Studying a Way to Detect These Attacks"

    Researchers at Florida International University's (FIU) Cyber-Physical Systems Security Lab (CSL) are studying how to protect individuals and businesses from High-Definition Multimedia Interface (HDMI) attacks. There is a list of commands that HDMI-enabled devices can perform commands with any HDMI connection. For example, an older TV may have a short list of commands such as turning on and off. However, a newer or Wi-Fi-connected smart TV could have a long list of potential commands such as connecting to the internet, sharing information with other devices, and more, which could leave them vulnerable to hacks. With access to an unsecured HDMI-enabled device, a hacker could inject malicious commands to cause the device to carry out unintended actions, like shutting down, potentially posing dangers to individuals and businesses. The CSL team designed a patented solution called HDMI-Watch to track such hacks in real-time. The HDMI-Watch system uses advanced Machine Learning (ML) algorithms to learn about the HDMI commands typically received and transmitted by a device so that the abnormal ones can be detected. Once an abnormal command is detected, the system alerts the user. This article further discusses HDMI applications, how unsecured HDMI-enabled devices can be abused by hackers, and the HDMI-Watch solution designed by FIU researchers to detect HDMI hacks.

    FIU reports "Cyberstalkers Can Hack Into HDMI Ports - FIU Researchers Are Studying a Way to Detect These Attacks"

  • news

    Visible to the public "Skoltech Team Shows How Turing-Like Patterns Fool Neural Networks"

    Researchers at the Skolkovo Institute of Science and Technology have demonstrated the use of Turing-like patterns to cause neural networks to make errors in the recognition of images. Turing patterns refer to patterns found in nature, such as stripes and spots on animals. The results of this research can be used to develop solutions for defending pattern recognition systems against attacks. Although deep neural networks are considered smart and highly capable at recognizing and classifying images, they are still vulnerable to adversarial perturbations, which are small unique details in images that can lead to incorrect neural network output. Studies have brought attention to the threat that adversarial perturbations pose to safety. For example, another team of researchers described how self-driving vehicles could be tricked into seeing innocuous advertisements and logos as traffic signs. The problem is worsened as most known defenses implemented for networks against such attacks can easily be evaded by malicious actors. Researchers still find the nature and roots of adversarial perturbations mysterious. The lack of theory is one of the reasons why adversarial attacks are difficult to combat. This work is a step towards explaining the properties of universal adversarial perturbations (UAPs) by Turing patterns, which will help build a theory of adversarial examples in the future. This study has allowed the team to show ways in which new attacks can be generated against neural networks. This article continues to discuss the performance and purpose of this study on the use of Turing-like patterns to fool neural networks.

    Skoltech reports "Skoltech Team Shows How Turing-Like Patterns Fool Neural Networks"

  • news

    Visible to the public "Utah Company Stored Passport Scans on Unsecured Server"

    A Utah company called Premier Diagnostics has exposed the sensitive information of around 52,000 customers by storing data on an unsecured server. Security researchers at Compartiech found sensitive customer data stored in a publicly accessible database including scans of passports, health insurance ID cards, and driver's licenses. Based on researchers' data, individuals affected by the breach are primarily from Utah, Nevada, and Colorado. In total, more than 200k images of ID scans were exposed in the data breach. However, no payment information was stored in the unsecured database. Premier Diagnostics operates 11 COVID-19 testing sites scattered across the northern section of the Beehive State. Before testing can occur, an individual who suspects that they have been infected with the novel coronavirus must provide a form of ID, which is then photographed and stored. Premier Diagnostics takes a photo of the front and back of their customer's ID and the front and back of their customer's medical insurance card. The organization had stored all that data on a server that was publicly accessible online without a password. After being alerted to the security breach, Premier Diagnostics took steps to secure the data, which has been unavailable to the public since March 1. At the moment, it is unknown if any malicious parties have obtained the information, but it would have been easy for cybercriminals to access and exfiltrate the data.

    Infosecurity reports: "Utah Company Stored Passport Scans on Unsecured Server"

  • news

    Visible to the public "15-Year-Old Linux Kernel Bugs Let Attackers Gain Root Privileges"

    Researchers at the security company GRIMM discovered three vulnerabilities in the Linux kernel's Internet Small Computer Systems Interface (iSCSI). The exploitation of the vulnerabilities could allow local attackers with basic user privileges to become root users on unpatched Linux systems. Since the security bugs can only be exploited locally, potential attackers need to exploit another flaw or use an alternative attack vector to gain access to vulnerable devices. The bugs are 15 years old, as they were introduced in 2006 when the iSCSI kernel subsystem was in its initial development stages. According to Adam Nichols, the Principal of Software Security at GRIMM, the vulnerabilities impact all Linux distributions. Attackers can abuse the bugs to circumvent exploit-blocking security features, including Supervisor Mode Execution Protection (SMEP), Supervisor Mode Access Prevention (SMAP), Kernel Page-Table Isolation (KPTI), and Kernel Address Space Layout Randomization (KASLR). In addition to local elevation of privileges, the three vulnerabilities can result in information leaks and Denial-of-Service (DoS) attacks. This article continues to discuss the discovery, potential exploitation, and impact of the 15-year-old Linux kernel bugs.

    Bleeping Computer reports "15-Year-Old Linux Kernel Bugs Let Attackers Gain Root Privileges"

  • news

    Visible to the public "REvil Group Claims Slew of Ransomware Attacks"

    The REvil ransomware threat group, also known as the Sodinokibi ransomware gang, claims to have infected nine organizations across Africa, Europe, Mexico, and the United States over the past two weeks. The organizations supposedly affected include two law firms, an insurance company, an architectural firm, a construction company, and an agricultural co-op, all located in the United States. The other organizations affected include two large international banks (one in Mexico and one in Africa) and a European manufacturer. Researchers at eSentire stated that REvil cybercriminals posted documents on underground forums that purported to be from the victims' systems, including company computer file directories, partial customer lists, customer quotes, and copies of contracts. The Researchers also stated that the threat group also posted what appears to be several official IDs, either belonging to an employee or a customer of the victim companies. The researchers are not 100 percent sure the claims are accurate. However, after reviewing several of the documents that the Sodinokibi ransomware gang claims are from their new victims, the researchers found that many appear authentic.

    Threatpost reports: "REvil Group Claims Slew of Ransomware Attacks"

  • news

    Visible to the public "IBM Announces Cloud Marketplace For Secure Chip Design"

    IBM has announced the establishment of a cloud marketplace that was built as part of an initiative for securely developing dual-use microelectronics for the commercial industry and the Department of Defense (DoD). The Marketplace for Advanced, Rapid, Quantifiably-assured, Trusted Semiconductors (MARQTS), supports the DoD initiative geared towards advancing design methods with measurable security. The MARQTS has been announced amid growing concerns surrounding the microelectronics supply chain. Last week, the House Armed Services Committee announced the development of a new bipartisan task force that will explore and identify vulnerabilities and threats facing the defense supply chain. The co-chairs of the task force highlighted chips as a significant supply chain vulnerability. This article continues to discuss the goal, creation, and future of the MARQTS, as well as other efforts to bolster supply chain security.

    NextGov reports "IBM Announces Cloud Marketplace For Secure Chip Design"

  • news

    Visible to the public Sending out sensitive information via unapproved channels and apps

    A recent global survey found that 30% of workers have been called out by their managers for sending out sensitive business information via unofficial channels like IM and collaboration apps like Zoom.

  • news

    Visible to the public "Two R&D Projects to Enhance Mobile Network Traffic Security"

    The Department of Homeland Security (DHS) Science and Technology Directorate (S&T) and the Cybersecurity and Infrastructure Security Agency (CISA) jointly announced the final two research and development (R&D) awards for the Secure and Resilient Mobile Network Infrastructure (SRMNI) project. The project, managed by S&T's Mobile Security and Emergency Communications R&D program, aims to address CISA's top mobile-focused priorities, which are to secure the information and communications technology (ICT) supply chain and critical mobile network infrastructure, including 5G, the fifth generation of wireless technology. William N. Bryan, the S&T Acting Under Secretary, stresses that the security of mobile devices and enterprise networks is critical to the federal workforce's capability to perform government business functions securely. The S&T-led R&D projects will support the development of innovative solutions for analyzing mobile network traffic, improving the protection of government-provided mobile devices, and strengthening the security of enterprise networks. The new SRMNI projects awards focus on the development of solutions to improving the government's ability to identify malware, attacks, and more, in mobile device network traffic. GuidePoint Security will receive $915,000 for its Mobile Network Traffic Visibility for the Enterprise project. AppCensus, Inc. will receive $1.2 million for its Mobile Traffic Intelligence at Scale project. This article continues to discuss the SRMNI project, the two R&D awards announced for the project, and the earlier round of seven SRMNI R&D projects.

    Homeland Security News Wire reports "Two R&D Projects to Enhance Mobile Network Traffic Security"

  • news

    Visible to the public "Serious Vulnerabilities Found in Schneider Electric Power Meters"

    The industrial cybersecurity firm Claroty recently shared details about two potentially critical vulnerabilities discovered in Schneider Electric's PowerLogic smart meters. The vulnerabilities affect some of Schneider Electric's PowerLogic ION and PM series smart meters, which are sold to utilities, industrial companies, data centers, and healthcare organizations. According to Claroty researchers, an unauthenticated attacker can remotely exploit the vulnerabilities found in the meters by sending specially crafted TCP packets to the device. One of the vulnerabilities has been assessed as critical because it can allow an attacker to cause the targeted meter to reboot and possibly execute arbitrary code. The other vulnerability has been assigned a high severity rating as its exploitation only forces the targeted device to reboot. This article continues to discuss the vulnerabilities impacting some of Schneider Electric's PowerLogic ION/PM smart meters.

    Security Week reports "Serious Vulnerabilities Found in Schneider Electric Power Meters"

  • news

    Visible to the public "Two New Ways Backup Can Protect Enterprise SaaS Data"

    Software-as-a-Service (SaaS) apps are attractive targets for bad actors as they contain a lot of information and support business processes and decision-making. Many enterprises assume that SaaS vendors protect their customer's data in those apps, when in reality, most of the vendors do not. The responsibility of protecting SaaS app data should be that of the organizations. Critical SaaS app data can be protected and preserved by having the right backup plan implemented. Organizations should make sure that their SaaS app backup system can limit external access points to their data and preserve all SaaS data, as well as ensure traceability and accountability. This article continues to discuss the importance of protecting SaaS app data and how this data can be backed up.

    Help Net Security reports "Two New Ways Backup Can Protect Enterprise SaaS Data"

  • news

    Visible to the public "'Hacker Games' Launched to Encourage Development of Secure Coding Skills"

    App security testing firm Veracode has launched its inaugural Veracode Hacker Games, an event that aims to encourage the growth of secure coding skills. The Hacker Games is taking place over two weeks, from March 15-25, 2021. Computer science and cybersecurity teams from eight leading universities in the UK and US will be tested on their secure coding skills in a collegiate contest. Veracode will donate $10,000 and $5000 for the first and second-best performing universities. Additionally, all participating institutions will be given complimentary Veracode software for a year. The participants will use Veracode Security Labs to gamify the experience and will be tasked with discovering and fixing dangerous security flaws in real-world applications during a series of hands-on challenges. The initiative, which the UK government supports, comes as cyberattacks against organizations are increasing and becoming more sophisticated. The Veracode Hacker Games was created to help universities make secure coding a core part of their computer science and cybersecurity curriculum while giving students an edge when it comes to putting their skills to the test in a real-world environment.

    Infosecurity reports: "'Hacker Games' Launched to Encourage Development of Secure Coding Skills"

  • news

    Visible to the public "Darkside 2.0 Ransomware Promises Fastest Ever Encryption Speeds"

    Threat intelligence experts warn of a new version of the Darkside ransomware variant that its creators claim will feature faster encryption speeds, VoIP calling, and virtual machine targeting. The Russian-speaking hacking group claims that the Windows version of Darkside 2.0 encrypts files faster than any other ransomware-as-a-service (RaaS) and is twice as speedy as the previous iteration. Darkside 2.0 now also features multithreading in both Windows and Linux versions. The Linux version of the ransomware can now target VMware ESXi vulnerabilities, meaning it can hijack virtual machines and encrypt their virtual hard drives. The new version of the ransomware is also redesigned to target network-attached storages (NAS), including Synology and OMV, for even more pervasive encryption of victim systems. Darkside 2.0 also features a "call on us" function enabling affiliates to make VoIP calls for free to victims. This allows adversaries to exert extra pressure on victims to pay up.

    Infosecurity reports: "Darkside 2.0 Ransomware Promises Fastest Ever Encryption Speeds"

  • news

    Visible to the public "'Thousands' of Verkada Cameras Affected by Hacking Breach"

    The Silicon Valley startup Verkada, which provides cloud-based security camera services, has experienced a significant security breach. A group of hackers gained access to live feeds of surveillance cameras in schools, police departments, prisons, hospitals, and health clinics. The hackers also gained access to surveillance footage from the electric car manufacturer Tesla and the software provider Cloudflare. An official statement from a Verkada spokesperson says that the company notified law enforcement and disabled all internal administrator accounts to prevent unauthorized access. They also revealed that the company's internal security system is currently investigating the scale and scope of the problem. The hackers behind the breach claim to have accessed archived video and audio in addition to live feeds. The breach is considered unsophisticated in that the hacking group used a super administrator account to obtain access to the cameras. According to the spokesperson, the group found the administrator account's username and password publicly exposed on the internet. This incident brings further attention to the need to improve cyber protection for physical security devices. Experts have called for more awareness of potential vulnerabilities in such devices and the increased implementation of security solutions that address both cyber and physical attacks. IFSEC Global's Video Surveillance 2020 Report shows that over 70 percent of security end-users and consultants have expressed significant concerns about the vulnerability of their surveillance systems to cyberattacks. This article continues to discuss the Verkada security camera breach and the inadequate protection of surveillance systems.

    Dark Reading reports "'Thousands' of Verkada Cameras Affected by Hacking Breach"

  • news

    Visible to the public "This Malware Was Written in an Unusual Programming Language to Stop It From Being Detected"

    A cybercriminal hacking group is distributing new malware called NimzaLoader that is written in the programming language Nim. According to researchers, this programming language is rarely used to compile malicious code. Cybersecurity researchers at Proofpoint believe the malware was written in this programming language to make it more difficult to detect and analyze. NimzaLoader allows attackers to gain access to Windows computers and execute commands that give them the ability to take control of the machine, steal sensitive information, and more. The malware is suspected to be the work of the TA800 threat group that has targeted a wide range of industries in North America. This article continues to discuss the use of the Nim programming language to develop NimzaLoader malware and the group believed to be behind the malware, as well as the capabilities and distribution of NimzaLoader.

    ZDNet reports "This Malware Was Written in an Unusual Programming Language to Stop It From Being Detected"

  • news

    Visible to the public "Record Number of Cyber-Incidents Hit US Schools in 2020"

    Security researchers discovered that publicly disclosed cybersecurity incidents at US schools surged 18% over the past year. There were 408 cyberattacks that affected schools in 2020, which equates to more than two schools affected by cyberattacks each day. Of the publicly disclosed cybersecurity incidents, the largest number (45%) were recorded as unattributed malware, class and meeting invasions, email invasion, website, and social media defacement. Over a third (36%) were data breach incidents, 12% were ransomware-related, and the rest were recorded as DDoS (5%) or phishing (2%). The researchers blamed the rise of cyberattacks due to the rapid shift to remote learning. Many of the cyberattacks were significant: resulting in school closures, millions of dollars of stolen taxpayer dollars, and student data breaches directly linked to identity theft and credit fraud.

    Infosecurity reports: "Record Number of Cyber-Incidents Hit US Schools in 2020"

  • news

    Visible to the public "FIN8 Cybercrime Group Resurges With Improved Hacking Tool"

    FIN8, the financially-motivated criminal hacking group, has returned after a year-and-a-half hiatus with updated backdoor malware, known as BADHATCH. The gang typically attacks point-of-sale (PoS) systems to steal payment card data. According to researchers, the new and improved backdoor has capabilities such as screen capturing, proxy tunneling, and fileless execution. The backdoor is also now likely capable of stealing credentials. The gang has been using the new version of the BADHATCH backdoor in attacks primarily against companies in the retail, technology, chemical, and insurance industries. Research conducted by Bitdefender reveals that these attacks have hit organizations in the US, Canada, South Africa, Puerto Rico, Panama, and Italy. An earlier version of BADHATCH, observed by researchers at Gigamon and Trend Micro in 2019, enabled the delivery of other malware payloads such as ShellTea and PoSlurp to scrape for credit card data, delete files, and more. This article continues to discuss the return of the FIN8 cybercrime group with an updated version of the BADHATCH backdoor, the new capabilities of this backdoor, the earlier version of BADHATCH, and the history of the FIN8 group.

    CyberScoop reports "FIN8 Cybercrime Group Resurges With Improved Hacking Tool"