News Items

  • news

    "Virginia Reeling from Ransomware"

    Virginia is fighting cyber-fires on two fronts after ransomware attacks affected its state legislature and an agency within its executive branch. In a cyberattack that struck on the evening of December 12, critical IT systems under the Division of Legislative Automated Systems (DLAS) were rendered inaccessible. The attack was focused on certain internal servers, impacting the General Assembly voicemail server and the General Assembly's Legislative Information System (LIS) portal, which allows lawmakers to draft bills and track legislation. Most of the websites for Virginia's legislative agencies and commissions, including the Division of Legislative Services and the Division of Capitol Police, were later forced offline by the attack. A spokesperson confirmed on Monday that ransomware was to blame. DLAS director Dave Burhop said on Monday that while a ransom note had not yet been sent, Virginia was considering alternatives to paying a ransom, including restoring its systems from backups. However, Burhop noted that the backups might also have been compromised in the attack. By Tuesday, the ransomware attack had spread to other agencies, the Joint Legislative Audit and Review Commission's website, and the Virginia Law Portal, an online database containing Virginia's constitution and state code.

    Infosecurity reports: "Virginia Reeling from Ransomware"

  • news

    "Microsoft Fixes Spoofing Flaw Used in Emotet Attacks"

    Microsoft has fixed a spoofing vulnerability in its Windows AppX Installer that attackers were actively exploiting. According to Microsoft, attackers were exploiting the vulnerability (CVE-2021-43890) with specially crafted packages that downloaded the Emotet, Trickbot, and Bazaloader malware families. The flaw allows malicious actors to craft malicious attachments for use in phishing campaigns, luring an email recipient into opening the attachment. The flaw exists in AppX Installer, which is used to install AppX apps on Windows 10 systems. It is one of more than 60 flaws patched on Tuesday by Microsoft as part of the company's regularly scheduled security release. Seven of these vulnerabilities have been ranked as critical-severity remote code execution bugs. One of the more severe vulnerabilities exists in the iSNS Server, ranking 9.8 out of 10 on the CVSS scale. The Internet Storage Name Service (iSNS) protocol maintains data about active Internet Small Computer System Interface (iSCSI) devices connected to the network. Microsoft said that exploitation of this flaw (CVE-2021-43215) is more likely because an attacker could send a specially crafted request to the iSNS server, resulting in remote code execution. Another critical-severity flaw addressed by Microsoft exists in the Microsoft 4K Wireless Display Adapter, which could enable an unauthenticated attacker to send specially crafted packets to a vulnerable device. Although this flaw (CVE-2021-43899) also has a 9.8 CVSS score, its exploitation is said to be less likely since an attacker would have to be on the same network as the Microsoft 4K Display Adapter. This article continues to discuss the spoofing flaw in Microsoft's AppX Installer and other vulnerabilities that the company has now addressed.

    Decipher reports "Microsoft Fixes Spoofing Flaw Used in Emotet Attacks"

  • news

    "NIST Gears up for Software Security and IoT Labeling Pilot Programs"

    In September 2021, the National Institute of Standards and Technology (NIST) held the "Workshop on Cybersecurity Labeling Programs for Consumers: Internet of Things (IoT) Devices and Software" and solicited comments from stakeholders and experts. NIST was mandated by the Biden administration's Executive Order on Improving the Nation's Cybersecurity to create pilot labeling programs that educate the public about the security of the Internet of Things (IoT) devices and software products they purchase. The goal is to enhance product security by providing security information that consumers and small businesses need to consider when making purchasing decisions. The effort aims to create a label that effectively communicates a product's level of security regarding its design, development, and maintenance. The label will be voluntary, with companies attesting to their security rankings. NIST issued draft "Baseline Criteria for Consumer Software Cybersecurity Labeling" on November 1 and a discussion draft on "Consumer Cybersecurity Labeling for IoT Products" on December 3. The tentative general guidelines NIST has developed for IoT label criteria include product identification, product configuration, data protection, interface access controls, software updates, documentation, cybersecurity state awareness, information reception, and more. This article continues to discuss the effort to develop a consumer-focused security labeling program and the challenges associated with such a program.

    CSO Online reports "NIST Gears up for Software Security and IoT Labeling Pilot Programs"

  • news

    "Security Researchers Discover Flaws in Wi-Fi Bluetooth SoCs"

    Researchers from the University of Darmstadt have published a paper discussing several security vulnerabilities that could impact billions of devices globally. The highlighted vulnerabilities are said to affect wireless Systems-on-Chip (SoCs) that combine a Wi-Fi and Bluetooth module into a single package and leverage resources shared between the two processors. Various security measures are generally incorporated by devices that use Bluetooth in order to protect against remote attacks. These measures include encryption, random number generation, and real-time process monitoring. However, the researchers outlined new attacks that take advantage of the lack of hardware security in many popular SoCs, can be executed to steal private data (e.g., Wi-Fi keys), and can enable remote code execution. Affected devices include those produced by Broadcom, Cypress, and Silicon Labs. This article continues to discuss the vulnerabilities found in Wi-Fi Bluetooth SoCs that could leave billions of devices open to attack, whether these flaws are fixable, and why it is difficult to defend against hardware bugs.

    Electropages Media reports "Security Researchers Discover Flaws in Wi-Fi Bluetooth SoCs"

  • news

    "Facebook Will Reward Researchers for Reporting Scraping Bugs"

    Facebook today announced that it is expanding its bug bounty and data bounty programs to reward security researchers for reporting scraping vulnerabilities and scraped databases. As part of its bug bounty program, the company will pay monetary rewards to security researchers who discover flaws that allow attackers to bypass existing scraping limitations and gain access to data at scale. Facebook says it is seeking ways to make scraping more costly for attackers and is now starting a private bounty track with Gold+ HackerPlus researchers to reward reports on scraping methods. Facebook stated that it is looking to reward researchers who identify and report "unprotected or openly public databases containing at least 100,000 unique Facebook user records with PII or sensitive data," such as email and physical addresses, phone numbers, and affiliation. The reported databases should be unique and previously unknown, and Facebook says it will work with relevant parties to remove the datasets, including contacting law enforcement where necessary, contacting web services providers, or working with developers to address potential vulnerabilities. Facebook promises monetary rewards for valid reports on scraping issues and says it will match valid reports of scraped datasets with charity donations. The minimum bounty payout will be $500. So far, in 2021, the social media platform has paid over $2.3 million in bug bounty rewards for more than 800 valid reports (out of 25,000 received) from researchers in more than 46 countries.

    SecurityWeek reports: "Facebook Will Reward Researchers for Reporting Scraping Bugs"

  • news

    "Web App Attacks Surge 251% in Two Years"

    Security researchers at Imperva have found that web application attacks on UK businesses have soared by over 250% since October 2019. The security vendor analyzed nearly 4.7 million web application-related cybersecurity incidents over the period to find that attacks are increasing, on average, by 22% each quarter. The researchers stated that this is likely to be fuelling a vast increase in data breaches. Remote code execution (RCE) and remote file inclusion (RFI) attacks, often used to steal information and hijack websites, surged by 271% over the two years. The researchers also found that half (50%) of all data breaches begin with web applications. During their analysis, the researchers noted that web app attacks increased by 68% from Q2 to Q3 2021, as threat actors sought to flood underground sites with stolen data ahead of the Christmas shopping period. The researchers estimated that around 20 billion compromised records would stem from web app attacks in 2021.

    Infosecurity reports: "Web App Attacks Surge 251% in Two Years"

  • news

    "Ransomware Hits HR Solutions Provider Kronos, Locking Customers Out of Vital Services"

    Ultimate Kronos Group (UKG), a major human resources and workforce management solutions provider, was recently hit by a ransomware attack. A notice sent to affected customers revealed that the ransomware incident impacted the Kronos Private Cloud, the part of the business where UKG Workforce Central, UKG TeleStaff, Healthcare Extensions, and Banking Scheduling Solutions are deployed. As a result of the ransomware attack, these solutions have been made unavailable, and it may take several weeks to restore system availability. It remains unknown whether the attackers were able to steal customer data before encrypting it. The company released a notice on its website stating that it is aware of the vulnerability in the open-source Apache logging library Log4j, which is exposing some of the world's most popular applications and services to attack. According to the company, measures have been put in place to detect and prevent exploitation attempts in its environments. The ransomware attack further highlights the challenges routinely faced by third parties. The Kronos/UKG ransomware event will create problems for time-tracking, scheduling, payroll processing, and more. This article continues to discuss the ransomware attack against the HR solutions provider Kronos and the problems this incident will create for many of its clients.

    Help Net Security reports "Ransomware Hits HR Solutions Provider Kronos, Locking Customers Out of Vital Services"

  • news

    "Anubis Android Malware Returns to Target 394 Financial Apps"

    In a new malware campaign, the Anubis banking Trojan is targeting customers of almost 400 financial institutions. The malicious actors behind the campaign impersonate an Orange S.A. Android app to steal login credentials. According to researchers at Lookout, the campaign is still in the testing and optimization phase. The new version of Anubis has many capabilities, such as recording screen activity, implementing a SOCKS5 proxy for covert communication, retrieving contacts stored on the targeted device, collecting GPS data, implementing a keylogger, deleting notifications for SMS messages received by the device, submitting USSD code requests to query bank balances, and more. Additionally, like previous versions, the newest Anubis malware can detect whether the compromised device has Google Play Protect enabled and then display a fake system alert to trick the unsuspecting user into deactivating it. This gives the malware complete access to the device and allows data to be sent to and received from the command-and-control (C2) server without interference. The identity of the actors distributing Anubis remains unclear, as they have been careful to hide the registration trail of their C2 infrastructure. Cloudflare is used to route all network traffic over SSL, while the C2 masquerades as a cryptocurrency trading website. This article continues to discuss recent findings surrounding the new version of the Anubis Android banking Trojan regarding its capabilities, distribution mechanisms, and targets.

    Bleeping Computer reports "Anubis Android Malware Returns to Target 394 Financial Apps"

  • news

    "Researchers Unveil New Cyber Protections against 'Logic Bombs'"

    A team of cybersecurity researchers from Rutgers University-New Brunswick and the Georgia Institute of Technology proposed new methods for protecting drones, prostheses, medical devices, and other 3D-printed objects from logic bombs. Rapid prototyping refers to the quick fabrication of a part, model, or assembly using 3D computer-aided design, typically involving 3D printing or additive manufacturing. The use of additive manufacturing is growing in various industries to produce safety-critical products. However, there is currently a lack of trustworthy methods for verifying the integrity of such products against adversarial pre-print design modifications. While next-generation cyber-physical additive manufacturing allows for advanced product designs and capabilities, it is vulnerable to cyberattacks as it increasingly relies on highly networked industrial control systems. The main approach to protecting against such threats relies on host-based intrusion detectors placed within the same target controllers, which typically makes them the first target of controller attacks. The researchers explored a new class of attacks on printed objects, called Mystique, that uses emerging 4D printing technology to introduce embedded computer code, known as logic bombs, through manipulation of the manufacturing process. Mystique causes visually harmless objects to behave maliciously when a logic bomb is triggered by changes to the materials originally used, temperature, moisture, or other stimuli. The evaluation of Mystique on several 3D printing case studies revealed that it could circumvent prior protections. The researchers proposed two strategies to address this issue. This article continues to discuss the increased vulnerability of additive manufacturing to cyberattacks and the solutions proposed by the researchers to protect 3D-printed objects from stealthy logic bombs.

    Rutgers University reports "Researchers Unveil New Cyber Protections against 'Logic Bombs'"

  • news

    "DHS Establishes Its Own Bug Bounty Program, Offering Outsiders $500 to $5K For Discovering Flaws"

    The Homeland Security Department is launching a bug bounty program to invite researchers to probe its systems for flaws. Under the "Hack DHS" initiative, DHS Secretary Alejandro Mayorkas stated that ethical hackers would receive between $500 and $5,000 for identifying vulnerabilities, depending on their severity. The department would verify flaws within 48 hours and fix them within 15 days, or, for complex bugs, develop a plan to do so during that period. DHS is a latecomer to the bug bounty trend compared with some other federal agencies: the Defense Department initiated its "Hack the Pentagon" pilot back in 2016, and that same year the IRS began the first civilian federal agency bug bounty program. According to DHS, the program will run throughout fiscal year 2022, which began in October.

    CyberScoop reports: "DHS Establishes Its Own Bug Bounty Program, Offering Outsiders $500 to $5K For Discovering Flaws"

  • news

    "Police Arrest Suspected Ransomware Actor in Romania"

    European and US law enforcers have joined forces to arrest a suspected ransomware affiliate member who targeted firms in an IT supply chain attack. Europol's European Cybercrime Centre (EC3) supported the FBI and Romanian National Police in making the arrest at the suspect's home in Craiova, Romania, in the early hours of yesterday morning. The individual arrested is suspected of targeting a large Romanian IT company that provides services to corporate customers in the retail, energy, and other sectors. According to Europol, the suspect used this access to deploy crypto-ransomware and steal files from many of those customers located both in Romania and abroad. The data stolen by the suspect includes financial information, personal information on employees and customers, and other important documents. Using classic double extortion techniques, the suspect then threatened to publish the information on a data leak site unless a ransom was paid. However, it's unclear whether each individual company was blackmailed or just the original IT provider.

    Infosecurity reports: "Police Arrest Suspected Ransomware Actor in Romania"

  • news

    "Quantum Communication Research Network Launched"

    It is essential to continue efforts to improve the security of information exchange as digitalization grows. A communication network based on the laws of physics is one of the main methods proposed to make undetected eavesdropping impossible. The joint project QuantumRepeater.Link (QR.X) aims to develop such a system. Quantum computers are expected to render current encryption algorithms obsolete. Therefore, today's encrypted data could be exposed by attackers using quantum computers, posing a major threat to the security and privacy of sensitive data. If a quantum computer is specifically programmed for code-breaking, it could easily eavesdrop on traditional computers using standard protocols, but if encryption keys are exchanged in the form of photons (i.e., particles of light), the laws of physics guarantee that any hacking attempt would be discovered. Christoph Becher, Professor of Experimental Physics and head of the Quantum Optics Group at Saarland University, stressed the importance of ensuring that quantum communication operates reliably over long-distance fiber-optic networks covering large areas if it is to become a viable technology in the future. Becher is coordinating an association of over 40 partners from science and industry working on the development of quantum repeaters and their integration into existing fiber-optic networks, which is considered one of the biggest technological challenges. Quantum communication is currently restricted to distances of a few hundred kilometers due to unavoidable link limitations. These limitations cannot be overcome with signal amplification, as they are in conventional optical fiber communication. Instead, quantum repeaters will break information down into smaller linked pieces using quantum processes in order to enable communication over longer distances. The QuantumRepeater.Link network is based on the Q.Link.X project, in which researchers successfully produced essential basic components of quantum repeaters. In the new project, these components will be optimized and integrated into fiber-optic test networks outside protected lab environments. The goal is to demonstrate that an elementary quantum repeater system can function successfully over distances of up to 100 kilometers. This article continues to discuss the goals of the new quantum communication research network.

    SCIENMAG reports "Quantum Communication Research Network Launched"

  • news

    "Log4j Flaw: Attackers Are Making Thousands of Attempts To Exploit This Severe Vulnerability"

    Malicious cyber actors are making more than 100 attempts every minute to exploit a critical security vulnerability in the Java logging library Apache Log4j, according to security researchers at Check Point. The Log4j vulnerability, now also known as "Log4Shell," is a zero-day vulnerability that first emerged on December 9. Researchers warned that exploitation of the flaw can enable unauthenticated remote code execution and access to servers. Various forms of enterprise and open-source software use Log4j, including cloud platforms, web applications, and email services. Therefore, a wide range of software is at risk from the many exploitation attempts. Sophos researchers detected hundreds of thousands of attempts to remotely execute code using the Log4j vulnerability in the days following its public disclosure, as well as scans looking for the flaw. This article continues to discuss the severity of the Log4j security issue.

    ZDNet reports "Log4j Flaw: Attackers Are Making Thousands of Attempts To Exploit This Severe Vulnerability"

  • news

    "Sprawling Active Attack Aims to Take Over 1.6M WordPress Sites"

    An active attack against more than 1.6 million WordPress sites is underway, with researchers spotting tens of millions of attempts to exploit four different plugins and several Epsilon Framework themes. The researchers stated that the adversaries' goal is complete site takeover using administrative privileges. According to a Wordfence analysis, the activity is coming from more than 16,000 different IP addresses, with 13.7 million attacks in the first 36 hours. The researchers said that the attackers are aiming to exploit critical "unauthenticated arbitrary options update vulnerabilities" in the following plugins: Kiwi Social Share (patched in 2018), and WordPress Automatic, Pinterest Automatic, and PublishPress Capabilities (all patched this year). In most cases, the attackers update the 'users_can_register' option to enabled and then set the 'default_role' option to 'administrator.' Doing this makes it possible for attackers to register on any site as an administrator, effectively taking over the site. The activity started on December 8, according to Wordfence. The attackers are also targeting a function-injection vulnerability present in various Epsilon Framework themes, allowing remote code execution (RCE). Epsilon themes enable site builders to choose different flexible design elements to craft the way a website looks and is organized. The researchers stated that due to the severity of these vulnerabilities and the massive campaign targeting them, it is incredibly important to ensure that one's site is protected from compromise. The researchers strongly recommend ensuring that any site running one of these plugins or themes has been updated to the patched version. To determine if a website has been compromised, admins can review the user accounts on the site for any that are unauthorized.

    Threatpost reports: "Sprawling Active Attack Aims to Take Over 1.6M WordPress Sites"
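    A defensive counterpart to the option abuse described in this item, written here as an added example (it is not code from the article, from Threatpost or from Wordfence): a WordPress must-use plugin that pins the two options the campaign rewrites, logs any write of a dangerous value to them, and lists administrator accounts registered since the campaign's reported start. The plugin and function names prefixed hro_ are my own; the WordPress hooks and WP-CLI calls used are the standard ones.

```php
<?php
/*
 * Plugin Name: Registration option hardening (hro)
 * Description: Added example, not from the article. Place this file in
 *              wp-content/mu-plugins/ so it loads before regular plugins.
 */

// 1. Pin the two options the campaign rewrites. The pre_option_{$option}
//    filter short-circuits get_option(), so even if a vulnerable plugin writes
//    users_can_register=1 or default_role=administrator into wp_options,
//    WordPress never acts on those stored values.
add_filter( 'pre_option_users_can_register', '__return_zero' );
add_filter( 'pre_option_default_role', function () {
    return 'subscriber';
} );

// 2. Make the tampering attempt itself visible. update_option_{$option} fires
//    after a value is written; a write of a dangerous value is logged together
//    with the acting user ID (0 means unauthenticated) and the source address.
function hro_watch_option( $old_value, $value, $option ) {
    $dangerous = ( 'users_can_register' === $option && '0' !== (string) $value )
              || ( 'default_role' === $option && 'subscriber' !== $value );
    if ( $dangerous ) {
        error_log( sprintf(
            '[hro] option %s changed %s -> %s by user %d from %s',
            $option,
            wp_json_encode( $old_value ),
            wp_json_encode( $value ),
            get_current_user_id(),
            isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown'
        ) );
    }
}
add_action( 'update_option_users_can_register', 'hro_watch_option', 10, 3 );
add_action( 'update_option_default_role', 'hro_watch_option', 10, 3 );

// 3. The review step the article recommends: administrator accounts registered
//    on or after a cut-off date. The default is the campaign start reported by
//    Wordfence (December 8, 2021); pass a site-specific date if needed.
function hro_admins_registered_since( $since = '2021-12-08 00:00:00' ) {
    $admins = get_users( array(
        'role'    => 'administrator',
        'orderby' => 'registered',
        'order'   => 'DESC',
    ) );
    $found = array();
    foreach ( $admins as $user ) {
        // user_registered is 'YYYY-MM-DD HH:MM:SS', so string comparison orders correctly.
        if ( $user->user_registered >= $since ) {
            $found[] = sprintf( '%s <%s> registered %s',
                $user->user_login, $user->user_email, $user->user_registered );
        }
    }
    return $found;
}

// Expose the review as "wp hro-admins" when WP-CLI is available.
if ( defined( 'WP_CLI' ) && WP_CLI ) {
    WP_CLI::add_command( 'hro-admins', function () {
        $found = hro_admins_registered_since();
        if ( empty( $found ) ) {
            WP_CLI::success( 'No administrator accounts registered since the cut-off.' );
            return;
        }
        foreach ( $found as $line ) {
            WP_CLI::warning( $line );
        }
    } );
}
```

    On a site that legitimately allows visitor registration, drop the first filter and keep the logging and the review; note that while the filters are active the Settings screen shows the pinned values rather than what is stored in wp_options.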

  • news

    "Most Phishing Pages Are Short-Lived"

    New research conducted by Kaspersky has revealed that the lifespan of most phishing pages is as brief as that of an adult mayfly. Between July 19 and August 2, 2021, researchers analyzed 5,307 examples of phishing pages. They found that within 13 hours of monitoring commencing, a quarter of all pages had become inactive. A sizable chunk of links (1,784) ceased functioning after the first day of monitoring, and half of the phishing pages included in the study survived no more than 94 hours. The security researchers emphasized the importance of repelling spam attacks with fraudulent links within the first few hours, when the potency of a phishing page is at its highest. The researchers stated that users should remember that when they receive a link and have doubts about the site's legitimacy, they should wait a few hours. During that time, not only does the likelihood of the link appearing in anti-phishing databases increase, but the phishing page itself may cease activity. Explaining why the lifecycle of phishing pages is so fleeting, the researchers stated that with every hour of life, a new site appears in more anti-phishing databases, which means that fewer potential victims will visit it. What determines the lifespan of a page is how long it takes for site administrators to detect the threat and remove it. The researchers stated that even if phishers have deployed their own server on a purchased domain, registrars may deprive them of the right to host the data on it if they are suspected of fraudulent activity. When a phishing page is identified by site administrators, the adversary typically prefers to create a new page instead of modifying the existing one. The researchers noted that, very rarely, phishers may change the page in order to avoid being blocked; for example, if phishers use a brand as bait, they might switch to another one. However, most pages are simply blocked by the time phishers decide to change their form of activity.

    Infosecurity reports: "Most Phishing Pages Are Short-Lived"

  • news

    "First Real-World Study Shows the Potential of Gait Authentication to Enhance Smartphone Security"

    Real-world tests conducted by researchers at the University of Plymouth have shown that gait authentication could be a feasible way to protect smartphones and other mobile devices from cybercrime. The study involved asking smartphone users to go through their daily activities while motion sensors in their mobile devices collected data about their stride patterns. The system had an 85 percent accuracy rate in recognizing an individual's gait, increasing to almost 90 percent when they were walking normally and walking fast. There are currently over 6.3 billion smartphone users globally who use their devices for services and for storing confidential information. Although passwords, PINs, and biometrics exist, studies have shown that the security and usability of such authentication measures vary considerably. According to the researchers, the study demonstrates that gait recognition, within an appropriate framework, could be a viable method for protecting individuals' data from potential cybercrime. This article continues to discuss the potential use of gait authentication to strengthen smartphone security.

    The University of Plymouth reports "First Real-World Study Shows the Potential of Gait Authentication to Enhance Smartphone Security"

  • news

    "DARPA Announces SMOKE Program"

    US military network-security researchers have launched a new program to discover more about the tactics of malicious hackers. The Signature Management Using Operational Knowledge and Environments (SMOKE) program was announced on Tuesday. SMOKE is asking the computer industry to develop methods to identify, model, and mitigate the typical behaviors of threat actors. The program aims to develop technologies to generate evasive cyberinfrastructure that accelerates red team cyber operations (CO). DARPA stated that SMOKE will develop data-driven tools to automate the discovery of distinguishable patterns of sophisticated cyber threat infrastructure (i.e., signatures). The agency outlined two key technical objectives of the project. The first is informing operators of adversary signatures in real time as they prepare cyberinfrastructure, and the second is providing attribution risk assessments for the planning and surveillance of the cyberinfrastructure in use. The program's key research challenges include finding a way to automatically build and traverse associations in large-scale cyber datasets, expanding the use of attribution techniques to non-experts, and discovering latent associations between infrastructure elements. Researchers will also be tasked with generating useful statistics for planners to predict how well infrastructure configurations will break from, or conform to, desired infrastructure signatures. DARPA noted that possible approaches the industry could apply to these challenges include using machine learning to model infrastructure associations through automated pattern recognition and graph-based inference. The start date of the program is anticipated to be August of next year. The deadline to submit proposals to the program is January 31, 2022.

    Infosecurity reports: "DARPA Announces SMOKE Program"

  • news

    "Three-Quarters of Firms Admit Sub-Optimal IoT Security"

    Researchers at Inmarsat have found that global businesses have become more risk aware as they deploy IoT projects, but over three-quarters (77%) admitted that these systems could be more secure. The researchers polled 450 individuals responsible for delivering IoT in their respective organizations worldwide. The most commonly cited security challenges were an external cyberattack on IoT systems (50%), poor network security (49%), insecure or unencrypted edge networks (44%), and employees mishandling data (44%). The researchers also found that nearly half (48%) of respondents claimed to have an IoT security policy in place, versus 32% in 2018. More businesses are also plugging in new security solutions (46% versus 33% in 2018) and creating an external IoT security policy for suppliers and partners (41% compared to 29% in 2018). The researchers noted that unsurprisingly, those with a formal IoT strategy in place are more likely to deploy security measures, and if projects are driven from the top-down, purchasing decisions are more likely to include upgrades to security technology. The researchers stated that with nearly four in five respondents reporting their organization's IoT security could be more robust, many businesses clearly continue to face serious security challenges in their IoT deployments. The researchers also stated that when comparing their latest results with their 2018 IoT survey, they determined that security risks are growing, but businesses are becoming more aware of cybersecurity threats and doing more to respond.

    Infosecurity reports: "Three-Quarters of Firms Admit Sub-Optimal IoT Security"

  • news

    "Researchers Discover GraphQL Authorization Flaws in FinTech SaaS Platform"

    New Application Programming Interface (API) threat research from Salt Labs highlights GraphQL API authorization vulnerabilities in a B2B financial technology (FinTech) platform. Findings from the analysis of this FinTech provider's mobile applications and Software-as-a-Service (SaaS) platform bring further attention to authorization-level flaws that emerge with nested queries in GraphQL, an open-source query language used in building APIs. According to Salt Labs, failure to properly implement authorization checks meant that unauthorized transactions could be submitted against any customer account and that malicious actors could harvest any customer's sensitive data. GraphQL provides some advantages in query options compared to REST APIs, but this flexibility poses a risk, as a single API call can include multiple separate queries. The Salt Security State of API Security Report, Q3 2021, revealed that over 60 percent of organizations have no API security strategy or only a basic one. This lack of protection is significant because cyberattacks targeting APIs are increasing together with the adoption of relatively new technologies such as GraphQL. Exploitation of the GraphQL authorization flaws could allow attackers to manipulate API calls into exfiltrating sensitive user data and initiating unauthorized transactions. Salt Labs researchers were able to enter any transaction identifier and gather the records of previous financial transactions. Through the discovered vulnerabilities, any user could extract a customer's sensitive Personally Identifiable Information (PII) and secretly transfer funds out of customers' accounts. These findings emphasize the importance of implementing dedicated API security tooling for organizations with API-based applications and platforms. This article continues to discuss the GraphQL API authorization flaws and the importance of improving API security.

    Security Magazine reports "Researchers Discover GraphQL Authorization Flaws in FinTech SaaS Platform"

  • news

    Visible to the public "Malicious Notepad++ Installers Push StrongPity Malware"

    The hacking group known as StrongPity is spreading malware-laced Notepad++ installers. The group, also known as APT-C-41 and Promethium, was previously observed distributing trojanized WinRAR installers between 2016 and 2018 through highly targeted campaigns. Notepad++ is a text and source code editor for Windows used by many different organizations. When the tampered Notepad++ installer is executed, it creates a Windows Data folder and then drops three files, one of which is a keylogger component of the StrongPity malware that records all user keystrokes and saves them to hidden system files in the Windows Data folder. This article continues to discuss observations made from the analysis of the delivery and capabilities of the StrongPity malware and how to avoid installing tampered software.

    Bleeping Computer reports "Malicious Notepad++ Installers Push StrongPity Malware"

  • news

    Visible to the public "300,000 MikroTik Routers Are Ticking Security Time Bombs"

    About 300,000 MikroTik routers are vulnerable to remote attacks that can secretly add the devices to a botnet to steal sensitive user data and engage in Distributed Denial-of-Service (DDoS) attacks. Researchers at the security firm Eclypsium estimated the number of affected routers by performing Internet-wide scans that searched for MikroTik devices using firmware versions known to have vulnerabilities discovered within the past three years. Although the manufacturer has released patches addressing the vulnerabilities, Eclypsium found that many users have not installed them. The vulnerabilities collectively provide many opportunities for threat actors to gain full control over powerful devices, which can then be positioned to target devices behind the Local Area Network (LAN) port and other devices connected to the Internet. This article continues to discuss the vulnerabilities impacting 300,000 MikroTik routers and other notable security incidents involving MikroTik routers.

    Ars Technica reports "300,000 MikroTik Routers Are Ticking Security Time Bombs"

  • news

    Visible to the public "Half of Websites Still Using Legacy Crypto Keys"

    According to new research, the internet is becoming more secure overall, but slightly more than half of websites' digital keys are still generated with legacy algorithms. Security firm Venafi analyzed the world's top one million sites over the past 18 months and published its findings in a report titled "TLS Crawler Report." The researchers found that nearly three-quarters (72%) of sites now actively redirect traffic to HTTPS, an increase of 15% since March 2020. Even better, more than half of the sites studied that use HTTPS are on the latest version of TLS, TLSv1.3, which has now overtaken TLSv1.2 to become the most popular protocol version. The researchers also found that almost one in five of the top one million sites currently use the more secure HSTS (HTTP Strict Transport Security), a 44% increase since March 2020. The number of top one million sites using EV certificates is at its lowest point in the last six years of analysis. The researchers also found that the much more user-friendly Let's Encrypt is now the leading Certificate Authority for TLS certificates, with 28% of sites using it. Finally, nearly 51% of sites still use the legacy RSA algorithm to generate authentication keys. The researchers stated that RSA is significantly less secure than the modern alternative ECDSA, a public key cryptography algorithm which boasts greater computational complexity and smaller authentication keys.

    Infosecurity reports: "Half of Websites Still Using Legacy Crypto Keys"

  • news

    Visible to the public "Passports Now Most Attacked Form of ID"

    Onfido has recently released its annual report titled "Identity Fraud Report." Document fraud specialists at Onfido process millions of identity documents every year, helping clients detect fraud across 2,500 document types issued by 195 countries. The company's findings in the report are based on analysis of data collected from October 1, 2020, to October 1, 2021. Researchers at Onfido have found that passports are now the most frequently attacked form of identity document. The researchers also found that fraudsters typically prefer to create a fake document from scratch rather than doctor a genuine ID. The researchers stated that over 90% of ID fraud in the past year involved counterfeit documents, meaning a complete reproduction of an original document rather than an adaptation of an existing ID. Over the past year, 47% of all identity document fraud was classed as "medium" sophistication fraud, a 57% increase compared with the previous year. Losses from identity theft also grew significantly, increasing by 42% to reach $712bn in 2020.

    Infosecurity reports: "Passports Now Most Attacked Form of ID"

  • news

    Visible to the public "The Dark Web Has Its Own People's Court"

    Researchers at the threat intelligence firm Analyst1 analyzed several major cybercrime forums and found that at least two of them have an informal type of court system. These courts allow cybercriminals to file grievances and settle disputes with their peers. Dozens of cases throughout the Dark Web were shown to escalate to these courts daily, waiting for forum administrators to resolve the disputes. The researchers counted more than 600 threads related to cases filed in these courts. In such cases, the amounts of money at dispute typically ranged from a few hundred dollars to a few thousand dollars, with a handful having involved disputes over higher sums. Analyst1 discovered that criminal hackers could file cases against each other for various reasons. For example, a threat actor could file a case if they purchased access to a compromised network from an access broker and then found out that it was already sold to someone else. The threat actor would initiate action against the broker by providing details about the incident in a sub-forum dedicated to settling such cases. If a decision is in favor of the plaintiff, the defendant has a certain amount of time to make amends or face the possibility of being banned from the forum. Well-established cybercrime operators typically make a bitcoin deposit into an escrow account to prove their ability to pay for services. When a dispute is settled in a threat actor's favor, they are paid from this account. A seller/service operator could face reputational damage if they went through arbitration and did not pay out when the arbitrator made their decision. Threat actors operating in large underground forums usually comply with underground court decisions to protect their reputations. This article continues to discuss key findings from the analysis of court systems in cybercrime forums.

    Dark Reading reports "The Dark Web Has Its Own People's Court"

  • news

    Visible to the public "Software Vulnerabilities Up by 20% in 2021"

    Researchers at HackerOne discovered that software vulnerabilities increased by 20% in 2021 compared with 2020. The bug bounty platform said its hackers had uncovered over 66,000 valid vulnerabilities this year, while hacker-powered pentests detected a 264% rise in reported vulnerabilities in 2021 compared to 2020. Additionally, there was a 47% increase in vulnerabilities detected by Vulnerability Disclosure Programs. The researchers stated that the surge in vulnerabilities has partly been driven by the increase in organizations adopting hacker-powered security testing programs. The most commonly discovered bug was cross-site scripting, as it was in 2020. However, there were significant increases in reports of information disclosure (58%) and business logic errors (67%). Of all the vulnerabilities reported, 26% were considered critical, 36% medium severity, and 34% low severity. Encouragingly, the researchers found that the median resolution time fell by 19%, from 33 days in 2020 to 26.7 days in 2021 across all industries. Retail and e-commerce even saw time-to-remediation drop by more than 50% in this period. The researchers also found that the median price of a critical bug rose by 20%, from $2500 in 2020 to $3000 in 2021. Additionally, the average bounty price for a critical bug rose by 13% and by 30% for a high severity rated bug this year.

    Infosecurity reports: "Software Vulnerabilities Up by 20% in 2021"

  • news

    Visible to the public "New Guidance Pushes Federal Agencies Toward Automated Incident Reporting"

    The White House is changing how federal agencies report security incidents to make the incident reporting process easier and more efficient. New guidance issued by the Office of Management and Budget (OMB) will require the US Homeland Security Department's Cybersecurity and Infrastructure Security Agency (CISA) to develop a strategy to increase the use of automated reporting mechanisms that use machine-readable data. Almost half of the security incidents faced by federal civilian agencies are reported manually through the US-CERT website, requiring significant work on the analysts' end. Automated reporting systems will allow for faster response and notification to other agencies potentially impacted by the same cyber incident. This article continues to discuss the new guidance aimed at moving federal agencies towards automated incident reporting.

    Duo reports "New Guidance Pushes Federal Agencies Toward Automated Incident Reporting"

  • news

    Visible to the public "APT Actors Exploiting CVE-2021-44077 in Zoho ManageEngine ServiceDesk Plus"

    The US Homeland Security Department's Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) are warning about the active exploitation of a newly identified vulnerability in Zoho's ManageEngine ServiceDesk Plus product. The critical flaw, tracked as CVE-2021-44077, is an unauthenticated Remote Code Execution (RCE) vulnerability that affects all ServiceDesk Plus versions up to and including version 11305. Malicious actors could exploit the vulnerability to upload executable files and drop webshells, enabling post-exploitation activities such as lateral movement, exfiltration of Active Directory (AD) files, and more. According to the FBI and CISA, Advanced Persistent Threat (APT) cyber actors are exploiting the vulnerability. This article continues to discuss the active exploitation of the critical Zoho ManageEngine ServiceDesk Plus vulnerability and the patch released by Zoho to address it.

    Homeland Security Today reports "APT Actors Exploiting CVE-2021-44077 in Zoho ManageEngine ServiceDesk Plus"

  • news

    Visible to the public "Hotel Guests Locked Out of Rooms After Ransomware Attack"

    A popular Scandinavian hotel chain has warned that a recent ransomware attack may have led to the theft of personal information related to bookings, while current guests are struggling with longer waiting times at check-in. Nordic Choice runs around 200 locations across the region, with brands such as Comfort, Clarion, and Quality. Nordic Choice said it was hit last Thursday by a ransomware attack that impacted "the hotel systems that handle reservations, check-in, check-out and creation of new room keys." One guest took to social media to explain that hotel staff were forced to personally escort guests upstairs to their rooms because key cards were out of action. Nordic Choice stated that the Conti variant was to blame. Conti has been responsible for large-scale attacks on Ireland's Health Service Executive (HSE) and an outrageous $40m ransom demand aimed at Broward County Public Schools in the US. Nordic Choice stated that its investigations do not currently give any indication that data has been leaked, but that it cannot guarantee this is the case. The information that the adversary may have accessed consists of names, email addresses, telephone numbers, dates of the visits, and any information that guests may have provided in connection with their visit. The hotel chain said it had not sought to engage with its attackers.

    Infosecurity reports: "Hotel Guests Locked Out of Rooms After Ransomware Attack"

  • news

    Visible to the public "Vulnerability in User Interface for Apache Kafka Puts Data of 'Major Global Players' at Risk"

    Kafdrop, an open-source web user interface and management tool for the distributed event-streaming platform Apache Kafka, has been found to contain a flaw that puts many companies' data at risk. According to a research paper released by the cybersecurity company Spectral, anyone using Kafdrop with Apache Kafka can be a victim. The undisclosed number of affected companies ranges from major global players to small organizations in healthcare, insurance, media, and more. Kafdrop has reportedly been downloaded over 20 million times and deployed by more than 80 percent of Fortune 100 companies. The Kafdrop flaw enables anyone to view live Kafka clusters, including financial transactions and mission-critical data, without having to authenticate. The security flaw exposes secrets in real-time traffic as well as authentication tokens and other details that hackers could use to reach a company's cloud provider (e.g., IBM, AWS, and Oracle), where Kafka clusters are often deployed. Those who exploit the vulnerability could access a company's nervous system, exposing customer data, transactions, medical records, internal system traffic, and other sensitive information. The flaw resulted in the exposure of a medical organization's handling requests, processing, and inventory of medication, along with customer prescription transactions. Another cluster exposed insurance claims, transactions, and interactions between customers and agents, which hackers could use for impersonation, extortion, or the redirection of funds. Although these findings are significant, the severity will vary by organization based on the data exposed. Organizations handling sensitive data are encouraged to review their access policies, firewall rules, and other details pertaining to their digital security posture, regardless of the technology or cloud vendor used. This article continues to discuss the severity, mitigation, and prevention of the Kafdrop flaw.

    GovInfoSecurity reports "Vulnerability in User Interface for Apache Kafka Puts Data of 'Major Global Players' at Risk"

  • news

    Visible to the public "Microsoft Seizes Domains Used by China-Linked APT 'Nickel'"

    Microsoft says it has seized control of domains that China-linked threat actor Nickel has been employing in malicious attacks targeting organizations in the United States and worldwide. Microsoft took over the websites after filing pleadings with the U.S. District Court for the Eastern District of Virginia. While the move will prevent the group's access to some of its victims, it is unlikely to put an end to Nickel's activities. However, Microsoft does believe that the infrastructure it just seized was used as part of the group's most recent wave of attacks. Microsoft noted that obtaining control of the malicious websites and redirecting traffic from those sites to Microsoft's secure servers will help them protect existing and future victims while learning more about Nickel's activities. Microsoft stated that Nickel has been using the now seized websites to execute attacks on victims in a total of 29 countries in Europe, Central and South America, the Caribbean, and North America, primarily for harvesting intelligence from government agencies, human rights organizations, and think tanks since 2019. Nickel has been active since at least 2013 and is also tracked as APT15, KE3CHANG, Royal APT, Playful Dragon, and Vixen Panda. The Chinese government likely sponsors the hacking group, as its activities often align with China's geopolitical interests. Microsoft noted that Nickel uses vulnerable virtual private network (VPN) appliances (Pulse Secure VPN) and stolen credentials to compromise targets, as well as custom, hard-to-detect malware that helps it with intrusions, surveillance, and data exfiltration. Nickel targeted internet-facing web applications on vulnerable, unpatched on-premises Exchange Server and SharePoint systems, but not new vulnerabilities in Microsoft products.

    SecurityWeek reports: "Microsoft Seizes Domains Used by China-Linked APT 'Nickel'"

  • news

    Visible to the public "This Framework Will Improve the Security of All Firefox Users"

    A team of researchers from the University of California San Diego, the University of Texas at Austin, and Mozilla developed a new approach to improving browser security. They designed a new framework called RLBox to increase the security of the Firefox browser. Mozilla has started using RLBox on all Firefox platforms. The framework practices sandboxing by separating third-party libraries vulnerable to attacks from the rest of the browser to contain possible damage. Browsers such as Firefox depend on third-party libraries to support XML parsing, spell checking, font rendering, and other functionalities. However, these libraries are often written in low-level programming languages such as C, thus increasing susceptibility to attacks as it is easy to introduce vulnerabilities in C code. Through the application of RLBox, users can be protected from the vulnerabilities contained by such libraries as well as supply-chain attacks in which these libraries are exploited. In order to deal with the exploitation of zero-day vulnerabilities and supply chains by sophisticated attackers, multiple defense layers and new methods are needed to minimize how much code we need to trust for security. This article continues to discuss the purpose, use, and components of the RLBox framework.

    Jacobs School of Engineering reports "This Framework Will Improve the Security of All Firefox Users"

  • news

    Visible to the public "IT Pros See Zero Trust as a Key Element of Security Strategy"

    Dimensional Research surveyed over 1,000 IT security professionals for One Identity and found that 75 percent of organizations consider implementing a Zero Trust security model essential to strengthening their overall cybersecurity posture. However, the survey showed that only 14 percent have fully implemented a Zero Trust solution. Zero Trust is based on the principle that strict access controls are maintained, and nobody is trusted by default, including those already within the network perimeter. In addition, the Zero Trust approach acknowledges that threats exist both inside and outside network boundaries. This article continues to discuss key findings from the survey regarding IT security professionals' understanding and implementation of the Zero Trust approach.

    BetaNews reports "IT Pros See Zero Trust as a Key Element of Security Strategy"

  • news

    Visible to the public "Ransomware Victims Pay $700K in Extra Extortion Fees"

    Researchers at CrowdStrike have discovered that a staggering 96% of ransomware victims that agree to their extorters' demands are subsequently forced to pay additional fees amounting to hundreds of thousands of dollars. The security vendor's 2021 CrowdStrike Global Security Attitude Survey was compiled from interviews with 2200 senior IT and cybersecurity decision-makers in the US, EMEA, and APAC. The researchers found that two-thirds (66%) of respondents had suffered at least one ransomware attack over the past year, with average payments increasing 63% over the year. They were lowest on average in EMEA ($1.3m), followed by the US ($1.6m), and highest in APAC ($2.4m). The average demand from ransomware groups was $6m. One of the security researchers claimed organizations would be better off spending money on improving protective measures than actually paying the ransom. On average, respondents estimated it would take 146 hours to detect a cybersecurity incident, up from 117 hours in 2020. Once detected, it takes organizations a further 11 hours to triage, investigate and understand a security incident and 16 hours to contain and remediate one. Some 69% of respondents said they suffered an incident because of staff working remotely.

    Infosecurity reports: "Ransomware Victims Pay $700K in Extra Extortion Fees"

  • news

    Visible to the public "Meta Expands Facebook Protect Program to Activists, Journalists, Government Officials"

    Meta, the new name for Facebook, has expanded its Facebook Protect security program to journalists, government officials, human rights defenders, and activists who are often targeted online. The program offers enhanced security features such as two-factor authentication and alerts for potential hacking threats. Almost 1 million accounts have turned on this protection since it came online in September 2021. It also gives members tips for improving security.

    THN reports "Meta Expands Facebook Protect Program to Activists, Journalists, Government Officials"

  • news

    Visible to the public "Research Finds Models Used to Detect Malicious Users on Popular Social Sites are Vulnerable to Attack"

    Research led by Georgia Tech (Georgia Institute of Technology) has resulted in the discovery of a new threat against deep learning models used to detect malicious users on popular e-commerce, social media, and web platforms such as Facebook. These platforms try to bolster their security by creating Machine Learning (ML) and Artificial Intelligence (AI) models that identify and separate malicious and at-risk users from benign users. However, the research team was able to reduce the efficacy of the classification models used to differentiate between malicious and benign users through the application of a newly developed adversarial attack model called PETGEN (Personalized Text Generation). The PETGEN attack model generates text posts that mimic a personalized writing style and have knowledge about a given target site's context. The posts generated by the attack model are also aware of the historical use of a target site and recent topical interests. PETGEN represents the first time researchers successfully performed adversarial attacks on deep user sequence classification models. Srijan Kumar, School of Computational Science and Engineering assistant professor and co-investigator, pointed out that it is important to act as attackers to identify model vulnerabilities and the possible ways in which malicious accounts can circumvent detection systems. The team carried out experiments on two real-world datasets from Yelp and Wikipedia to show that PETGEN significantly reduces the performance of popular deep user sequence embedding-based classification models. Findings from this research pave the path towards the next generation of adversary-aware sequence classification models. This article continues to discuss the new adversarial attack model PETGEN.

    Georgia Tech reports "Research Finds Models Used to Detect Malicious Users on Popular Social Sites are Vulnerable to Attack"

  • news

    Visible to the public "Hackers Steal $150 Million Worth of Cryptocurrency From BitMart"

    Cryptocurrency trading platform BitMart on Sunday announced that it has suspended withdrawals after discovering a cybersecurity incident that resulted in theft. The platform claims that only the Ethereum (ETH) and Binance Smart Chain (BSC) hot wallets were impacted, and notes that the two wallets were compromised using stolen private keys. According to BitMart, the attackers were able to steal $150 million in cryptocurrency from the two wallets. Blockchain security company PeckShield, on the other hand, estimates that the exchange, in fact, lost roughly $196 million. PeckShield also says that the hackers swapped the stolen tokens using the 1inch decentralized exchange aggregator and then used the privacy mixer Tornado Cash to deposit the funds, which allowed them to keep their identities hidden. The exchange platform says the compromised ETH and BSC hot wallets contained only a small percentage of its assets and that all of its remaining wallets are secure and unharmed. BitMart stated that they would use their own funding to cover the incident and compensate affected users.

    SecurityWeek reports: "Hackers Steal $150 Million Worth of Cryptocurrency From BitMart"

  • news

    Visible to the public "17 Malware Frameworks Target Air-Gapped Systems for Espionage"

    ESET analyzed 17 espionage frameworks designed to target air-gapped networks, finding that they all leverage USB drives and are meant to target Windows systems. The list of these frameworks has been developed over the course of 15 years, but the last four of the frameworks appeared in 2020, suggesting that the interest in targeting isolated systems has increased among threat actors. An air-gapped network is isolated and not connected to any other network. Air-gapping is a security measure often used in high-security environments such as those in the realms of military, government, industrial control, and more. Air-gapped networks are meant to protect highly sensitive information, making them attractive to nation-states and other motivated adversaries. Such adversaries have the resources required to execute attacks against air-gapped systems. Some of the frameworks have been attributed to nation-state threat actors such as DarkHotel, Sednit, Tropic Trooper, Equation Group, Goblin Panda, and Mustang Panda. Possible strategies for protecting air-gapped networks from cyberattacks include disabling direct access to emails on connected systems, disabling USB ports on air-gapped systems, sanitizing USB drives inserted in air-gapped systems, preventing execution on removable drives, and ensuring that air-gapped systems are always updated. This article continues to discuss findings from the analysis of 17 malware frameworks designed to target air-gapped networks and how to protect such networks from cyberattacks.

    Security Week reports "17 Malware Frameworks Target Air-Gapped Systems for Espionage"

  • news

    Visible to the public "Finland Warns About 'FluBot' Malware Spread Via SMS"

    Finland's National Cyber Security Center (NCSC-FI) issued an alert about a FluBot malware campaign that has been targeting Android users in the country since July 2021. The infamous banking malware, now active in Finland, has affected thousands of users across Australia and the UK. FluBot targets Android users through malicious messages or pop-ups. The messages, used to distribute FluBot, alert victims about a new voicemail or a missed call from an unknown number. They contain a link that redirects the user to a malicious website, where the malware is then deployed on the targeted device. FluBot malware is capable of stealing sensitive information from the compromised device and infecting other installed banking apps. This article continues to discuss the FluBot malware that is now targeting Android users in Finland and mitigation measures for affected users recommended by NCSC-FI.

    CISO MAG reports "Finland Warns About 'FluBot' Malware Spread Via SMS"

  • news

    Visible to the public "Cuba Ransomware Nets Nearly $50m"

    According to the FBI, threat actors behind the Cuba ransomware variant have already amassed $44m by targeting at least 49 victims. The FBI noted that the group had demanded at least $74m from its victims. These victims frequently come from critical infrastructure sectors such as financial, government, healthcare, manufacturing, and IT. The FBI stated that the Cuba ransomware is distributed through Hancitor malware, a loader known for dropping or executing stealers, such as Remote Access Trojans (RATs) and other types of ransomware, onto victims' networks. The FBI noted that Hancitor malware actors use phishing emails, Microsoft Exchange vulnerabilities, compromised credentials, or legitimate Remote Desktop Protocol (RDP) tools to gain initial access to a victim's network. Cuba ransomware actors use legitimate Windows services such as PowerShell, PsExec, and other unspecified services and then leverage Windows admin privileges to execute their ransomware and other processes remotely. Following a compromise, the ransomware will install and execute a CobaltStrike beacon as a service on the victim's network via PowerShell. The FBI stated that the group also uses Mimikatz to steal RDP credentials and hijack user accounts. It is believed that Cuba ransomware has been active since January 2020.

    Infosecurity reports: "Cuba Ransomware Nets Nearly $50m"

  • news

    Visible to the public "Keeping the Unseen Safe: Improving Digital Privacy for Blind People"

    Like sighted people, blind people post on Instagram, text photos to group chats, and more. They also learn about their visual surroundings through photos. Blind users often share their images with Microsoft's Seeing AI, Be My Eyes, and other identification software to learn about their visual surroundings. The demand for such software is high, as indicated by the 20 million times Seeing AI has been used. However, when blind users share images, there is an increased risk of them unknowingly capturing private information such as a return address. A cross-institutional team has been awarded over $1 million through a Safe and Trustworthy Cyberspace (SaTC) grant from the National Science Foundation (NSF) to explore the issue. The team's goal is to develop a novel system capable of alerting blind users when an image contains information considered private. In a general use case, the tool will alert the user about what private information is detected and then present a choice to either discard the image, share the image as-is, or share an edited version where the private content is made obscure. This article continues to discuss the team's four-year interdisciplinary project aimed at strengthening digital privacy for blind people.

    The University of Colorado Boulder reports "Keeping the Unseen Safe: Improving Digital Privacy for Blind People"

  • news

    Visible to the public "Colorado Energy Firm Lost 25 Years of Data After Hack"

    The Delta-Montrose Electric Association (DMEA) in Colorado faced a severe hack that resulted in the takedown of 90 percent of its internal systems and the loss of 25 years of historical data. The incident affected the company's customer service systems, payment processing tools, billing systems, and more. According to the firm, the hackers targeted specific parts of its internal network, damaging stored documents, spreadsheets, and forms. The incident also impacted the company's phone and email systems. DMEA claims that sensitive data belonging to customers or staff was not compromised, but they now need to restore their systems using a phased restoration methodology. This article continues to discuss the hack experienced by DMEA and other similar incidents.

    Cyber Intel Mag reports "Colorado Energy Firm Lost 25 Years of Data After Hack"

  • news

    Visible to the public "Phishing Scam Targets Military Families"

    Threat researchers at Lookout are helping to take down a phishing campaign targeting members of the United States military and their families. The scammers behind the long-running campaign impersonate military support organizations and personnel to commit advance fee fraud, stealing sensitive personal and financial information for monetary gain. The researchers stated that it is clear that the adversaries are looking to steal sensitive data from victims, such as their photo identification, bank account information, name, address, and phone number. If given the data, the adversaries could easily steal the victim's identity, empty their bank account and impersonate the individual online. The campaign's backbone is a series of websites that have been designed to appear as though they are affiliated with the military. To bring an added touch of authenticity to the sites, the operators add advertisements for Department of Defense services to their malicious content. The sites offer expensive services that are never delivered or trick users into thinking that they are in a romantic relationship with a member of the military. Fake services offered include care packages, leave applications, and communication permits. Infrastructure indicators coupled with open-sourced intelligence point to Nigeria as the scammers' operational base. So far, researchers have identified 50 military scam sites tied to this threat campaign, which further investigation showed was linked to other cybercriminal activity.

    Infosecurity reports: "Phishing Scam Targets Military Families"

  • news

    Visible to the public "Omicron Phishing Campaign Hits User Inboxes"

    According to researchers, online fraudsters have reacted quickly to news of a potentially new severe COVID-19 variant and have carefully crafted a phishing email campaign. Consumer rights group Which? spotted the email, which is designed to appear as if sent from the NHS, and urges recipients to get a new PCR test for the Omicron variant. Two separate versions of the same email feature a link and a legitimate-looking "get it now" button. The email falsely claims that the new COVID variant requires new test kits, and the email invites readers to visit a site. But clicking the link takes the victims to, which is a copycat of the NHS website set up just days ago. The phishing site then asks users to enter their full name, date of birth, address, mobile number, and email address, as well as their mother's maiden name, which scammers could use to craft follow-on identity fraud attacks. It also asks for a small payment of 1.24 pounds for 'delivery.' The researchers presume that if users proceed with this, then they will also have their bank card details stolen. The researchers reported the scam to the National Cyber Security Centre's Suspicious Email Reporting Service.

    Infosecurity reports: "Omicron Phishing Campaign Hits User Inboxes"

  • news

    Visible to the public "14 New Attacks on Web Browsers Detected"

    Researchers from the Ruhr University Bochum (RUB) and Niederrhein University of Applied Sciences have discovered 14 new types of attacks on web browsers. These attacks are known as cross-site leaks (XS-Leaks). Through the use of XS-Leaks, a malicious website can collect visitors' personal data by interacting with other websites in the background. The researchers looked at the protection of 56 combinations of web browsers and operating systems against 34 different XS-Leaks. They developed a tool to automatically scan browsers for these leaks. Chrome, Firefox, and other popular browsers were found to be vulnerable to a considerable number of XS-Leaks. The group systematically analyzed XS-Leaks by first identifying three characteristics of such attacks. Based on these characteristics, they derived a formal model that helps gain further understanding of XS-Leaks and detect new attacks. The identification of the 14 new attack categories resulted from this systematic search for new attacks. This article continues to discuss how XS-Leaks work and the website developed by the researchers to analyze many different combinations of browsers and operating systems for their vulnerability to these attacks.

    RUB reports "14 New Attacks on Web Browsers Detected"

  • news

    Visible to the public Pub Crawl #56

    Pub Crawl summarizes, by hard problems, sets of publications that have been peer reviewed and presented at SoS conferences or referenced in current work. The topics are chosen for their usefulness for current researchers.

  • news

    Visible to the public "Data Hacked for 400,000 Planned Parenthood Patients in Los Angeles"

    The Los Angeles branch of Planned Parenthood was hit by a data breach involving about 400,000 patients. However, there is no indication that the information accessed by the adversary was used for fraudulent purposes, the group said. The organization stated that a hacker installed computer malware between Oct. 9 and Oct. 17 and "exfiltrated" files containing patient names and possibly addresses, insurance and medical information, including procedures they may have undergone. The organization noted that "patients are encouraged to review statements from their healthcare providers or health insurers and contact them immediately if they see charges for services they did not receive." The attack involved ransomware, and the group didn't immediately say whether any ransom was paid. The breach is currently under investigation.

    Bloomberg reports: "Data Hacked for 400,000 Planned Parenthood Patients in Los Angeles"

  • news

    Visible to the public "Double Extortion Ransomware Victims Soar 935%"

    Security researchers at Group-IB have recorded a 935% year-on-year increase in double extortion attacks, with data from over 2300 companies posted onto ransomware extortion sites. The Group-IB findings are from the second half of 2020 to the first half of 2021. The researchers claimed that during that time, an "unholy alliance" of initial access brokers and ransomware-as-a-service (RaaS) affiliate programs has led to a surge in breaches. In total, the number of breach victims on ransomware data leak sites surged from 229 in the previous reporting period to 2371, Group-IB noted. During the same period, the number of leak sites more than doubled to 28, and the number of RaaS affiliates increased 19%, with 21 new groups discovered. The researchers warned that, even if victim organizations pay the ransom, their data often end up on these sites. The researchers stated that Conti was the most aggressive ransomware group, leaking data on 361 victims (16.5%), followed by Lockbit (251), Avaddon (164), REvil (155) and Pysa (118). The initial access broker landscape has also matured significantly over the past year. Group-IB claimed to have discovered 229 new players in the market, with the total now standing at 262. The number of offers on underground sites to sell access to companies almost tripled, from 362 to 1,099.

    Infosecurity reports: "Double Extortion Ransomware Victims Soar 935%"

  • news

    Visible to the public "Microsoft Exchange Servers Hacked to Deploy BlackByte Ransomware"

    The BlackByte ransomware gang is breaching corporate networks through the exploitation of Microsoft Exchange ProxyShell vulnerabilities. The ProxyShell vulnerabilities can be chained together to enable unauthenticated, remote code execution, thus allowing an attacker to take over an Exchange server. Security updates were released in April and May 2021 to fix the vulnerabilities. However, malicious actors have still been exploiting them to breach servers, install web shells, deliver ransomware, and more. Researchers at the security firm Red Canary analyzed a BlackByte ransomware attack, finding that the group exploited ProxyShell vulnerabilities to install web shells on a compromised Microsoft Exchange server. Web shells are small scripts uploaded to web servers that allow attackers to gain persistent access to a device, remotely execute commands, or upload more files to the server. The BlackByte ransomware executable handles both privilege escalation and the ability to perform lateral movement in the compromised environment. The malware sets three registry values: one for local privilege elevation, one for enabling network connection sharing between privilege levels, and one to allow long path values for file paths, names, and namespaces. It deletes the "Raccine Rules Updater" scheduled task before encryption to prevent last-minute interceptions. The malware also wipes shadow copies through WMI objects using an obfuscated PowerShell command. WinRAR and anonymous file-sharing platforms are used to exfiltrate stolen files. Trustwave released a decryptor for BlackByte ransomware in October, but it is unlikely that the group is still using the same tactics that enabled victims to recover their files for free. This article continues to discuss the exploitation of ProxyShell flaws in BlackByte ransomware attacks.
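    The pre-encryption steps described above (three registry values set, the "Raccine Rules Updater" scheduled task deleted, shadow copies wiped via WMI from an obfuscated PowerShell command) are each individually observable in host telemetry, and their combination on one host in a short window is a usable detection. The following is an added example written for this summary, not code from Red Canary, BleepingComputer or any vendor. The event records are constructed and only loosely follow Sysmon and Windows Security log field names; the three registry value names (LocalAccountTokenFilterPolicy, EnableLinkedConnections, LongPathsEnabled) are an assumption, chosen as the standard Windows values that produce the three behaviours the article describes, not names taken from the article.

```python
"""Correlate the three BlackByte pre-encryption behaviours over constructed host events.

Added example; not the article's or any vendor's code. Field names are assumed.
"""
import base64
import re

# ASSUMPTION: standard Windows values matching the three behaviours described
# (not named in the article): elevation, cross-privilege share access, long paths.
SUSPECT_REGISTRY_VALUES = {
    "LocalAccountTokenFilterPolicy": "local privilege elevation",
    "EnableLinkedConnections": "network share access across privilege levels",
    "LongPathsEnabled": "long path support enabled",
}
SUSPECT_TASK_NAMES = {"raccine rules updater"}          # named in the article
SHADOW_COPY_MARKERS = ("win32_shadowcopy", "shadowcopy", "vssadmin")


def decode_encoded_command(cmdline: str) -> str:
    """Return the decoded payload of a PowerShell -e/-enc/-EncodedCommand, or '' if none."""
    m = re.search(r"-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]+)", cmdline, re.IGNORECASE)
    if not m:
        return ""
    try:
        # PowerShell encodes the command as UTF-16LE before base64.
        return base64.b64decode(m.group(1)).decode("utf-16-le", errors="ignore")
    except ValueError:
        return ""


def check_event(event: dict) -> list[str]:
    """Return findings for one event; an empty list means nothing suspicious."""
    findings = []
    kind = event.get("event")
    if kind == "registry_set":
        name = event.get("value_name", "")
        if name in SUSPECT_REGISTRY_VALUES and str(event.get("data")) == "1":
            findings.append(f"registry {name}=1: {SUSPECT_REGISTRY_VALUES[name]}")
    elif kind == "task_deleted":
        if event.get("task_name", "").strip().lower() in SUSPECT_TASK_NAMES:
            findings.append(f"scheduled task deleted: {event['task_name']}")
    elif kind == "process_create":
        cmdline = event.get("command_line", "")
        if event.get("image", "").lower().endswith("powershell.exe"):
            decoded = decode_encoded_command(cmdline)
            hay = (cmdline + " " + decoded).lower()   # inspect raw and decoded text
            if any(mk in hay for mk in SHADOW_COPY_MARKERS) and "delete" in hay:
                findings.append("powershell shadow copy deletion"
                                + (" (encoded command)" if decoded else ""))
    return findings


def correlate(events: list[dict]) -> dict:
    """Run check_event over one host's events and grade the result.

    Any single finding merits a look; all three behaviour classes together
    (registry prep, Raccine task removal, shadow copy wipe) is the pattern the
    article describes immediately before encryption, so it is graded 'high'.
    """
    findings, classes = [], set()
    for ev in events:
        for f in check_event(ev):
            findings.append((ev.get("time"), f))
            classes.add(f.split(" ", 1)[0])   # 'registry', 'scheduled' or 'powershell'
    severity = "high" if len(classes) == 3 else ("medium" if classes else "none")
    return {"severity": severity, "classes": sorted(classes), "findings": findings}


# Constructed sample telemetry for one host; not taken from any real incident.
SAMPLE_PAYLOAD = "Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_.Delete() }"
SAMPLE_ENCODED = base64.b64encode(SAMPLE_PAYLOAD.encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {"time": "12:00:01", "event": "registry_set", "value_name": "LocalAccountTokenFilterPolicy", "data": "1"},
    {"time": "12:00:01", "event": "registry_set", "value_name": "EnableLinkedConnections", "data": "1"},
    {"time": "12:00:02", "event": "registry_set", "value_name": "LongPathsEnabled", "data": "1"},
    {"time": "12:00:05", "event": "task_deleted", "task_name": "Raccine Rules Updater"},
    {"time": "12:00:09", "event": "process_create",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": f"powershell.exe -w hidden -enc {SAMPLE_ENCODED}"},
    {"time": "12:01:00", "event": "process_create",
     "image": r"C:\Windows\System32\notepad.exe", "command_line": "notepad.exe"},
]

if __name__ == "__main__":
    print(correlate(SAMPLE_EVENTS))
```

The registry and task checks are exact matches and cheap; the PowerShell check decodes `-EncodedCommand` arguments because the article notes the shadow copy wipe was obfuscated, so matching only the raw command line would miss it. Grading on the number of distinct behaviour classes rather than the raw finding count keeps a single benign `LongPathsEnabled` change from paging anyone.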

    Bleeping Computer reports "Microsoft Exchange Servers Hacked to Deploy BlackByte Ransomware"

  • news

    Visible to the public "Sabbath Hackers Are Targeting US Schools and Hospitals"

    Security researchers are warning of the rebranding of a hacking group now known as Sabbath. The group's rebranding is an attempt to avoid examination while executing ransomware attacks against hospitals, schools, and other critical infrastructure organizations in the US and Canada. The gang became known in October 2021 when it publicly shamed and extorted a US school district on Reddit and from a now-suspended Twitter account. According to security researchers at Mandiant, the group demanded multi-million-dollar ransom payments after launching ransomware. The group was also reported to have emailed staff, parents, and students to further pressure the school district to give in to their demands for payment. The researchers said the group used public data leaks to extort and shame victims. They added that Sabbath's public shaming web portal and blog published in October 2021 are identical to Arcane's from June 2021. The new web portal and blog include the same content with minor changes to the name, color scheme, and logo. Between the rebranding from Arcane to Sabbath, there also seem to be few technical changes made to the affiliate model used to execute attacks. The infrastructure from both ransomware affiliate services is still the same. This article continues to discuss the tactics and targets of the rebranded hacking group.

    ITPro reports "Sabbath Hackers Are Targeting US Schools and Hospitals"