News Items

  • news

    Visible to the public "Security Flaw Detected for the Second Time in Credit Cards"

    Researchers working with the Information Security Group at ETH Zurich discovered a way to circumvent the PIN codes for different contactless credit cards. In summer 2020, the researchers demonstrated how to bypass a PIN code for Visa cards. They have now found another bypass that can work with other types of payment cards, specifically Mastercard and Maestro. The researchers' methods are based on the man-in-the-middle (MITM) principle in which attackers position themselves between two communicating parties to exploit data exchanged between them. In the context of this research, the two communication partners are the card and the card terminal. The team replicated this attack, using an Android app they had developed, and two mobile phones enabled by Near-Field Communication (NFC). The Android app was used to falsely signal to the card terminal that a PIN was not required for the authorization of the payment and that the identity of the card owner had been verified. The attack was demonstrated on two Mastercard credit cards and two Maestro debit cards issued by four different banks. According to the researchers, the main root of the security flaws discovered in contactless payment cards is the Europay, Mastercard, and Visa (EMV) international protocol standard. The set of rules contains logical errors that are difficult to detect, mainly because the standard has more than 2,000 pages. This article continues to discuss how the researchers successfully bypassed the PIN code verification step for contactless payment cards and the source of security vulnerabilities found in these cards.

    ETH Zurich reports "Security Flaw Detected for the Second Time in Credit Cards"

  • news

    Visible to the public Pub Crawl #47

    Pub_Crawl_web.jpgPub Crawl summarizes, by hard problems, sets of publications that have been peer reviewed and presented at SoS conferences or referenced in current work. The topics are chosen for their usefulness for current researchers.

  • news

    Visible to the public "Most Firms Now Fear Nation State Attack"

    A new study conducted by the Economist Intelligence Unit has found that most businesses now regard state-sponsored or led attacks as a significant threat. The study was done by conducting interviews with over 500 director-level or above executives from companies in Asia-Pacific, Europe, and the United States. The research was conducted before the SolarWinds campaign came to light. The study nevertheless revealed that 80% of participants are concerned about falling victim to a nation-state attack, with a majority claiming these worries have increased over the past five years. The researchers also found that participants wanted their respective governments to play a more significant role in meeting these challenges: 60% said their country only offers a medium or low-level of protection. The researchers stated that the survey is an important call to action for democratic governments to step up and think more inclusively about the kind of cyber-assistance they provide to protect companies in critical sectors and ultimately civilians. During the study, researchers also found a false sense of security among the senior executives interviewed, potentially because they have little direct experience of being attacked. Over two-thirds (68%) of executives said they feel their organization is "very" or "completely" prepared to deal with a cyber-attack.

    Infosecurity reports: "Most Firms Now Fear Nation State Attack"

  • news

    Visible to the public "FBI: Telephony Denial-of-Service Attacks Can Lead to Loss of Lives"

    The FBI recently issued a warning about Telephony Denial-of-Service (TDoS) attacks against critical first-responder facilities and the impact that such attacks can have on public safety. A TDoS attack aims to render a telephone system unavailable by flooding it with junk calls. TDoS attacks can prevent emergency services' telephone lines from receiving and responding to legitimate emergency calls. This article continues to discuss the FBI's warning about TDoS attacks targeting emergency call center operations, the potential consequences of these attacks, the difficulty in detecting TDoS attacks, and what citizens should do in the event of a 911 outage.

    Bleeping Computer reports "FBI: Telephony Denial-of-Service Attacks Can Lead to Loss of Lives"

  • news

    Visible to the public "DARPA Hacks Its Secure Hardware, Fends Off Most Attacks"

    The Defense Advanced Research Agency (DARPA) recently announced the results of its first bug bounty program called Findings Exploits to Thwart Tampering (FETT). The FETT bug bounty was run in partnership with the Department of Defense's Defense Digital Service (DDS) and trusted crowdsourced security company, Synack. FETT aimed to prove the value of hardware security architectures developed under DARPA's "System Security Integration Through Hardware and Firmware" (SSITH) program and point out critical areas of improvement. After 13,000 hours of hacking exploits performed by more than 580 cybersecurity researchers, only ten vulnerabilities were disclosed. Keith Rebello, the DARPA program manager leading SSITH and FETT, described the common types of vulnerabilities as buffer errors, privilege escalations, information leakage attacks, resource management attacks, numeric errors, cryptographic attacks, and code injection attacks. Out of the ten vulnerabilities, seven were rated "critical," based on the Common Vulnerability Scoring System 3.0 standards. Most of the critical vulnerabilities come from weaknesses introduced by interactions between hardware, firmware, and the operating system software, which calls for more exploration of hardware/software co-design and verification methods. The SSITH program is now in the third and final phase of developing security architectures and tools that protect systems from common means of exploitation. During this phase, researchers will improve the performance of their technologies and create a silicon system-on-chip that executes the security improvements. This article continues to discuss findings from DARPA's FETT bug bounty program and the current phase of the SSITH program.

    IEEE Spectrum reports "DARPA Hacks Its Secure Hardware, Fends Off Most Attacks"

  • news

    Visible to the public "NIST Finalizes Cybersecurity Guidance for Positioning, Navigation and Timing Systems"

    The National Institute of Standards and Technology (NIST) released finalized guidance based on its Cybersecurity Framework (CSF). The release of this guidance satisfies Executive Order 13905 on securely using position, navigation, and timing (PNT) services such as the Global Positioning System (GPS). PNT services like the GPS are used by smartphone-based navigation apps and split-second timing technologies that enable stock trading and power grid control. The cybersecurity risks faced by PNT services must be mitigated as these services are essential for national and economic security. This article continues to discuss NIST's finalization of cybersecurity guidance for PNT systems, the importance of bolstering security for PNT services, and how the complete profile will help users apply NIST's CSF to such systems.

    Homeland Security Today reports "NIST Finalizes Cybersecurity Guidance for Positioning, Navigation and Timing Systems"

  • news

    Visible to the public "FireEye IDs Hacking Group Suspected in Accellion, Kroger Breach"

    Mandiant, a division of the security vendor FireEye, has identified UNC2546 as the hacking group behind the recent data breach suffered by the software firm Accellion, which impacted many corporations, law firms, and other organizations. Accellion recently announced that UNC2546 had exploited multiple vulnerabilities contained by its software to install malware. The hacking group infiltrated an Accellion tool to collect information from the company's clients. From there, the group contacted victims and threatened to publish their data. The breach faced by Accellion involved the exploitation of a zero-day vulnerability to infiltrate the Palo Alto-based cloud company's secure file transfer application (FTA). According to FireEye, UNC2546 appears to be financially motivated, as it has sent extortion emails to several organizations since late January 2021. Kroger recently admitted that some of its customers might have had their data compromised because of the Accellion incident. The supermarket chain revealed that the thieves might have stolen names, phone numbers, Social Security numbers, and medical history information. In response, Kroger has discontinued the use of services from Accellion. This article continues to discuss the Accellion data breach, the impact of the breach on other organizations, and how this incident compares to the hack against the US federal contractor SolarWinds.

    CyberScoop reports "FireEye IDs Hacking Group Suspected in Accellion, Kroger Breach"

  • news

    Visible to the public "Malformed URL Prefix Phishing Attacks Spike 6,000%"

    Researchers at GreatHorn have found that sneaky adversaries are flipping backslashes in phishing email URLs to evade protections. The researchers first noticed this new tactic last October and have found that it has been quickly gaining momentum ever since. The researchers observed a nearly 6,000% jump (5,933%) in attacks using "malformed URL prefixes" to bypass protections and deliver phishing emails that look legit between January and February of this year. The URLs do not utilize the standard URL protocols, such as http:// or https://, but instead, use http:/\ in their URL prefix. Many browsers, scanners, and email protections will not detect phishing emails that use malformed URL prefixes because the URLs don't fit the 'known bad' profiles. The researchers suggest that security teams search their organizational email for messages containing URLs that match the threat pattern (http:/\) and remove any matches to keep their systems protected. The researchers also stated that these malformed URL attacks could be mitigated through third-party solutions able to perform more nuanced analysis.

    Threatpost reports: "Malformed URL Prefix Phishing Attacks Spike 6,000%"

  • news

    Visible to the public "30,000 Macs Infected With New Silver Sparrow Malware"

    Recently security researchers have spotted a new malware operation targeting Mac devices that have silently infected almost 30,000 systems. The new malware is named Silver Sparrow. The researchers found that Silver Sparrow had infected 29,139 macOS endpoints across 153 countries as of February 17, including high volumes of detection in the United States, the United Kingdom, Canada, France, and Germany. Despite the high number of infections, details about how the malware was distributed and infected users are still scarce. It's unclear if Silver Sparrow was hidden inside malicious ads, pirated apps, or fake Flash updaters. The purpose of this malware is also unclear, and researchers don't know what its final goal is. The researchers found that once Silver Sparrow infects a system, the malware waits for new commands from its operators. Commands never arrived during the time researchers analyzed it. The researchers warn that this malware shouldn't be interpreted as a failed malware strain. The researchers state that it might be possible that the malware can detect researchers analyzing its behavior and that it is simply avoiding delivering its second-stage payloads to these systems. The malware also comes with support for infecting macOS systems running on Apple's latest M1 chip architecture. The researchers stated that Silver Sparrow is a serious threat, uniquely positioned to deliver a potentially impactful payload at a moment's notice.

    ZDNet reports: "30,000 Macs Infected With New Silver Sparrow Malware"

  • news

    Visible to the public "Ransomware Actors Leak Data From 3 More Healthcare-Related Entities" 

    The operators of Avaddon, Conti, and REvil ransomware have leaked data from a medical center, health system, IT vendor, and some clients. The REvil ransomware gang posted data allegedly stolen from several clients of the document scanning and management solutions vendor Standley Systems. The REvil hackers claim that the vendor did not respond to their extortion attempts. Impacted clients include Enerquest, WW Steel, the Oklahoma Medical Board, Crawley Petroleum, Ellis Clinic, and Chaparral Energy. The data stolen by the REvil group is said to contain employee passports, licenses, Social Security numbers, medical documents, and other sensitive information. The Conti ransomware group posted some data on the dark web that it claims to have stolen from Rehoboth McKinley Christian Health Care Services in New Mexico, including prescriptions, provider names, scanned patient identifications, diagnoses, and more. Avaddon hackers posted highly sensitive information from the Capital Medical Center in Olympia, Washington, consisting of driver's licenses, lab results, patient procedural documents, patient assessments, and much more. These leaks pose a significant threat to patient privacy. Federal agencies and researchers have observed an increase in these hacking groups' targeted attacks on healthcare-related entities since September 2020. According to research from Coveware, data exfiltration occurs in 70 percent of all ransomware attacks. Hackers are also remaining on victims' networks for longer periods of time to gather as much sensitive data as they can before deploying the final ransomware payload. The National Institute of Standards and Technology (NIST), Office for Civil Rights (OCR), Department of Homeland Security (DHS), FBI, and Microsoft, have provided free ransomware guidance that can help healthcare organizations better detect, mitigate, and respond to ransomware attacks. This article continues to discuss recent leaks of data from healthcare-related entities by Avaddon, Conti, and REvil ransomware actors.

    HealthITSecurity reports "Ransomware Actors Leak Data From 3 More Healthcare-Related Entities"

  • news

    Visible to the public "France to Boost Cyberdefense After Hospital Malware Attacks"

    Emmanuel Macron, the French President, recently announced a plan to improve the protection of public facilities and private companies against cyberattacks after cybercriminals launched ransomware attacks against two hospitals in France. These attacks forced the hospitals to transfer some patients to other facilities, posing a significant threat to patient safety. One of the targeted hospital's phone system went down when it was hit by a ransomware attack. Its internet service and other networks had to be shut off in order to prevent the ransomware from spreading. The hospital also had to postpone surgeries due to the ransomware attack. Healthcare workers at the other targeted hospital had to use pen and paper for record-keeping as the ransomware attack that it had faced disrupted phones and computers. According to the French leader, the ransomware attacks, along with other similar cyber assaults in France, have come from nation-states and mafias. Macron emphasized the need for increased international cooperation between police and criminal justice agencies to help combat such attacks. The National Cybersecurity Agency of France (ANSSI) reported a 255 percent increase in ransomware attacks in 2020 against all sectors and geographical areas of France. However, the increase largely affects the healthcare sector, education system, local authorities, and digital service providers. This article continues to discuss the recent ransomware attacks on two French hospitals, the suspected military hacking group behind these attacks, and the plan to strengthen cyber defenses in France.

    Security Week reports "France to Boost Cyberdefense After Hospital Malware Attacks"

  • news

    Visible to the public 50% of apps in many industry have major vulnerabilty issues

    A recent WhiteHat Security study reports that at least 50% of apps used in manufacturing healthcare, retail, government services, education, and utilities contain one or more exploitable vulnerabilities. Manufacturing was even higher with a 70% having issues. The problems ranged from information leakage, insufficient session expiration, ross site scripting, lack of transport layer protection and content spooling. And one of the big p

  • news

    Visible to the public "Kia Motors Hit With $20M Ransomware Attack – Report"

    Kia Motors America has publicly acknowledged an extended system outage but had denied that it was affected by a ransomware attack. Kia stated that "At this time, we can confirm that we have no evidence that Kia or any Kia data is subject to a 'ransomware' attack." Ransomware gang DoppelPymer claimed it was responsible for the outage and that they locked down the company's files in a cyberattack that includes a $20 million ransom demand. That $20 million will gain Kia a decryptor and guarantee not to publish sensitive data bits on the gang's leak site. The ransom note from DoppelPaymer stated that the attack was on Hyundai Motor America, the parent company of Kia Motors America, based in Irvine, Calif. It went on to say that the company has two to three weeks to pay up 404 Bitcoins. The threat actors warn that a delay in payment could result in the ransom being raised to $30 million to add a sense of urgency. The outage affected Kia's mobile apps like Kia Access with UVO Link, UVO eServices, Kia Connect, self-help portals, and customer support. Beyond disrupting critical operations, ransomware threat actors have learned how to add pressure to companies, threatening that their most sensitive stolen data could be exposed on well-known leak sites if they don't pay up fast. This tactic is known as double-extortion. DoppelPaymer ransomware cripples the organization's ability to conduct business and extracts sensitive data that is used for leverage against the victim to get them to pay the ransom. DoppelPaymer, like most other ransomware strains, is generally spread through phishing emails, so researchers suggest that organizations should ensure employees are trained to spot and report any suspicious emails.

    Threatpost reports: "Kia Motors Hit With $20M Ransomware Attack - Report"

  • news

    Visible to the public "Malware Is Now Targeting Apple's New M1 Processor"

    Hackers are increasingly targeting Apple computers, with adware and ransomware being tailored to Macs, and attackers stepping up their efforts to evade Apple's latest defenses. Malware authors are already targeting Apple's new ARM-based M1 processors released in November 2020 for the MacBook Pro, MacBook Air, and Mac Mini. Mac security researcher Patrick Wardle has published a report detailing findings of a Safari adware extension, originally made for Intel x86 chips, that has now been updated to run on the new M1 processor. The malicious extension called GoSearch22 is a member of Pirrit, one of the most active, oldest, and continually evolving Mac adware families. The adware sample poses as a legitimate Safari browser extension while it collects user data and serves illicit ads such as banners and popups that redirect users to other malicious sites. The malicious Safari extension has anti-analysis features, including logic to circumvent debugging tools. The ARM-M1 version of the adware is also harder for certain defensive tools like antivirus engines to detect than the Intel x86 version despite the code being logically identical. According to Wardle, the adware was signed with an Apple developer ID in November, but it has since been revoked by Apple. Researchers from the security firm Red Canary have also reported their discovery and investigation of native M1 malware that appears to be different from Wardle's findings. These discoveries show that malware authors will continue to evolve and adapt as advancements in Apple's hardware and software occur. The native M1 malware that researchers have discovered does not seem to be a highly dangerous threat in itself, but its emergence does indicate that there is more to come, calling on the advancement of detection tools. This article continues to discuss researchers' discoveries of new malware strains targeting Apple's new M1 processor.

    Wired reports "Malware Is Now Targeting Apple's New M1 Processor"

  • news

    Visible to the public "Windows and Linux Servers Targeted by New WatchDog Botnet for Almost Two Years"

    Cybersecurity researchers at Unit42, a security division at Palo Alto Networks, have discovered a cryptomining botnet called WatchDog. According to the researchers, the WatchDog botnet has been active since January 2019, targeting both Windows and Linux systems. The botnet is written in the Go programming language and relies on outdated enterprise apps as a point of entry for attacks. Further analysis of the WatchDog botnet operations found that the botnet operators have used 33 different exploits to target 32 vulnerabilities in Drupal, Elasticsearch, Apache Hadoop, Spring Data Commons, SQL Server, ThinkPHP, Oracle WebLogic, and other software. Based on the analysis of the WatchDog malware binaries, it has been estimated that the botnet infected 500 to 1,000 systems. Since it launched in 2019, the WatchDog mining operation has gained an estimated profit of 2019 Monero cryptocurrency coins (XMR), currently valued at around $32,000. The actual amount of monetary gain from these botnet operations is believed to be significantly higher as the researchers only analyzed a few binaries. WatchDog has not extracted credentials from infected servers, but researchers warn that the operators could easily update the cryptomining botnet to perform credential scans. This article continues to discuss the Unit42 researchers' findings surrounding the WatchDog botnet.

    ZDNet reports "Windows and Linux Servers Targeted by New WatchDog Botnet for Almost Two Years"

  • news

    Visible to the public "SDK Bug Lets Attackers Spy on User’s Video Calls Across Dating, Healthcare Apps"

    Researchers from McAfee Advanced Threat Research (ATR) discovered a flaw (CVE-2020-25605) in a video-calling SDK from a Santa Clara, Calif.-based company called Agora while doing a security audit last year of a personal robot called "temi," which uses the Agora toolkit. Agora provides developer tools and building blocks for providing real-time engagement in apps. Healthcare apps such as Talkspace, Practo, and Dr. First's Backline, among various other types of apps, use the SDK for their call technology. Due to its shared use in many popular apps, the flaw has the potential to affect "millions-potentially billions-of users," the researchers stated. The researchers did not find evidence of the bug being exploited in the wild. The flaw makes it easy for third parties to access details about setting up video calls from within the SDK across various apps due to their unencrypted, cleartext transmission. This paves the way for remote adversaries to access audio and video of any ongoing Agora video call by observing cleartext network traffic. The Researchers reported this research to on April 20, 2020. The flaw remained unpatched for about eight months until December 17, 2020, when the company released a new SDK, version 3.2.1, which mitigated the vulnerability and eliminated the corresponding threat to users.

    Threatpost reports: "SDK Bug Lets Attackers Spy on User's Video Calls Across Dating, Healthcare Apps"

  • news

    Visible to the public "Phishers Tricking Users Via Fake LinkedIn Private Shared Document"

    Security researchers have discovered that phishers are trying to trick LinkedIn users into opening a "LinkedIn Private Shared Document" and entering their login credentials into a fake LinkedIn login page. The phishing message is delivered via LinkedIn's internal messaging system and is made to look like it has been sent by one of the victim's contacts. The message urges the recipient to follow a third-party link to view a document. The researchers stated that there is no such thing as a 'LinkedIn Private Shared Document' and that if one sees this, it should ring the targets' alarm bell. If the victim clicks on the third-party link, they will be redirected to a convincingly spoofed LinkedIn login page. If they enter their login credentials, their account will probably soon be sending out phishing messages to their contacts. The researchers believe that perhaps the adversaries are indiscriminate in whom they target, but compromising high-value targets might allow them to more successfully target a more significant number of LinkedIn contacts or pivot into stealing even more critical credentials (e.g., for Microsoft/Office 365 accounts). The phishing pages are hosted on sites that may also have legitimate work purposes, e.g., Appspot, Firebase, and, making it unlikely that enterprises would block access to them. The researchers stated that the phishing sites use major ASNs, including Fastly, Google, and Microsoft, making basic network traffic analysis for the end-user also not so useful. Researchers suggest that to prevent this type of attack from affecting organizations, then organizations should train their employees to spot this attack and similar attacks. Another option is that an organization should consider blocking the use of social media/networks from work computers.

    Help Net Security reports: "Phishers Tricking Users Via Fake LinkedIn Private Shared Document"

  • news

    Visible to the public "Helping Industry Develop Secure Grid Technologies"

    The power grid has become an increasingly attractive target for cybercriminals. Cybersecurity researchers at Pacific Northwest National Laboratory (PNNL) are developing next-generation tools to bolster the power grid and other critical infrastructure against cyberattacks. PNNL received funding from the U.S. Department of Energy's Office of Cybersecurity, Energy Security, and Emergency Response (CESER) to develop a cybersecurity maturity model and companion assessment method that can help manufacturers implement cybersecurity best practices throughout the development of hardware, software, and firmware. The Secure Design and Development Maturity Model (SD2M2) is being used to assess the cybersecurity practices of those who develop and build products such as sensors, control systems, and more for the power grid. The SD2M2 is based on the Cybersecurity Capability Maturity Model (C2M2) framework and consists of three components. These components include management priorities, core assessment, and a comparative evaluation. In the priority management phase, leadership establishes goals that encompass a system's background, foundation, design, building, testing, integration, deployment, and end-of-life. Product designers, developers, and testers are prompted to take a self-assessment in the core assessment phase, consisting of 800 practice statements to evaluate their product against a set of cybersecurity practices recognized by the industry. The assessments delivered by the SD2M2 web-based tool are customized based on product or organization type. The comparative evaluation phase provides a report that compares self-assessment results to management priorities, giving better insight into opportunities for improving a product's cybersecurity posture. This article continues to discuss the development, key goals, components, and structure of SD2M2.

    Homeland Security News Wire reports "Helping Industry Develop Secure Grid Technologies"

  • news

    Visible to the public "Analysts Need Advanced Automation Tools to Reduce Fear of Missing Incidents"

    The cybersecurity firm FireEye has announced the release of the IDC InfoBrief titled "The Voice of the Analysts: Improving Security Operations Center Processes Through Adapted Technologies." The report shares findings from a survey of 350 internal and managed security service provider (MSSP) security analysts and managers. According to the report, security analysts are becoming less productive because of widespread alert fatigue, which has led to alerts being overlooked, increased stress, and fear of missing incidents (FOMI). Security analysts are becoming increasingly overwhelmed by floods of false positive alerts generated by different solutions while growing more concerned about missing actual threats. To address this problem, analysts are asking for advanced automation tools to reduce FOMI and to strengthen their Security Operations Centers' (SOC) cybersecurity posture. The report reveals that less than half of enterprise security teams currently have automated tools in place to help perform SOC activities. This article continues to discuss findings from the new report regarding security analysts' alert fatigue stemming from false positive alerts, the increased FOMI, and the need for automated SOC solutions to help alleviate alert fatigue and FOMI.

    Business Wire reports "Analysts Need Advanced Automation Tools to Reduce Fear of Missing Incidents"

  • news

    Visible to the public "Malware Increased by 358% in 2020"

    Researchers from Deep Instinct discovered that malware increased by 358% overall and ransomware increased by 435% compared with 2019. The distribution of Emotet malware increased significantly in 2020 by 4,000%. Malware targeting Android phones increased by 263%. The researchers also found that the month of July had the largest increase in malicious activity by 653% compared with the previous year. Microsoft Office documents were the most manipulated document attack vector and went up by 112%. The study also showed that the sophistication of attacks grew in 2020, with more attacks using advanced evasive tactics that make detection much more difficult.

    Help Net Security reports: "Malware Increased by 358% in 2020"

  • news

    Visible to the public "INL Researchers Publish Book to Prevent Cybersecurity Disruptions, Train Workforce"

    Andy Bochman and Sarah Freeman, two cybersecurity researchers at Idaho National Laboratory (INL), published a new book titled "Countering Cyber Sabotage: Introducing Consequence-Driven, Cyber-Informed Engineering." The researchers wrote the book to help train employees at public utilities to identify cybersecurity vulnerabilities and develop methods for defending their networks against cyberattacks. Their book provides details about INL's think-like-the-adversary cybersecurity approach called Consequence-driven Cyber-informed Engineering (CCE), developed to improve the security of water treatment facilities, oil and natural gas refineries, the electric grid, and other critical infrastructure systems. The researchers emphasize that much of the technology implemented to control operations at many public utilities were developed in the pre-internet era. Therefore, this technology lacks modern defense capabilities, leaving the utilities vulnerable to cyberattacks that could result in significant disruptions to services. INL's CCE method addresses this challenge through the use of engineering design principles instead of traditional protection strategies, such as intrusion detection software or firewalls, to prevent increasingly sophisticated attacks from impacting utilities' most crucial operations. This article continues to discuss the INL researchers' new book on the CCE method and the development of this method.

    INL reports "INL Researchers Publish Book to Prevent Cybersecurity Disruptions, Train Workforce"

  • news

    Visible to the public "Misconfigured Baby Monitors Allow Unauthorized Viewing"

    Security researchers have discovered a vulnerability affecting multiple baby monitors that could allow an adversary to drop in and view a camera's video stream. Potentially hundreds of thousands of live devices are impacted, the researchers stated. The issue exists in the manufacturers' implementation of the Real-Time Streaming Protocol (RTSP), a set of procedures used by various cameras to control their streaming media. According to the researchers, it's possible to misconfigure its implementation so that no authentication is needed for unknown parties to connect. The specific models that the team tested that proved to be vulnerable include the Hipcam RealServer/V1.0; the webcamXP 5; and the Boa/0.94. 14rc21. The researchers stated that if one owns a baby monitor or any RTSP camera that does not require parties to enter a password each time they connect to the video stream, the images shown on that stream are potentially unsecured and therefore accessible to anyone. The researchers were able to identify unsecured devices either through their 'server header' or their onscreen overlay that details the particular brand.

    Threatpost reports: "Misconfigured Baby Monitors Allow Unauthorized Viewing"

  • news

    Visible to the public "100+ Financial Services Firms Targeted in Ransom DDoS Attacks in 2020"

    The Financial Services Information Sharing and Analysis Center (FS-ISAC) has revealed that more than 100 financial services firms across Europe, North America, Latin America, and Asia were targeted in a flood of Ransom Distributed Denial-of-Service (RDDoS) attacks launched by the same actor in 2020. Those targeted by these attacks include banks, exchanges, payment processing companies, card issuers, payroll companies, money transfer services, and insurance firms. In each attack, the malicious actor delivered extortion notes to the target, threatening to disrupt their website and services by launching a DDoS attack if they do not pay the demanded ransom. According to a statement recently released by the FS-ISAC, the impact of this threat was mitigated mainly through information-sharing by its members via the FS-ISAC Threat Intelligence Exchange. None of the FS-ISAC members that received the extortion note reported paying the ransom. Further analysis of the RDDoS attacks' victims showed that the attackers primarily focused on retail banking or consumer banking as these organizations were hit by more than 40 percent of the attacks. The FS-ISAC said that some companies increased their cybersecurity spending in response to the attacks. There was more than an increase in the number of RDDoS attacks last year. Security vendors have reported an increase in the overall number, size, and duration of DDoS attacks, as well as the combination of multiple attack vectors by such attacks. This article continues to discuss the targeting of over 100 financial companies in RDDoS attacks in 2020 and the overall advancement of DDoS attacks.

    Dark Reading reports "100+ Financial Services Firms Targeted in Ransom DDoS Attacks in 2020"

  • news

    Visible to the public "IRS Alerts U.S. Taxpayers About e-File Identity Theft via Phishing Attacks"

    The Internal Revenue Service (IRS) has had to issue several warnings about the use of the IRS name or logo by scammers seeking to trick consumers into giving access to their financial data to steal their assets. Using the IRS name is a popular tactic among fraudsters because most consumers recognize the name. The latest alert issued by the IRS and Summit Partners warns U.S. taxpayers, tax preparers, and tax professionals of an emerging phishing campaign aimed at stealing Electronic Filing Identification Numbers (EFINs). The phishing emails appear to be sent from "IRS Tax E-Filing" and use the subject line, "Verifying your EFIN before e-filing." The IRS urges users not to take any of the steps outlined in the phishing email, which include emailing documents containing information that would disclose their identities and EFINs. This information can be used to impersonate a tax professional and file fraudulent returns. The emails also threaten to disable the recipient's e-Services account on the IRS website if the user does not take immediate action by clicking the link or attachment. The IRS warns that the links or attachments may install steal information or download malware onto the user's computer. Tax professionals should beware of scammers masquerading as potential clients. Compromising tax professionals can give scammers access to a trove of data consisting of EFINs, Preparer Tax Identification Numbers (PTINs), e-Services usernames, passwords, and more, from multiple clients. This article continues to discuss the latest tax-related phishing campaign and the importance of raising awareness about phishing scams and developing secure solutions that give consumers more control of their data.

    CISO MAG reports "IRS Alerts U.S. Taxpayers About e-File Identity Theft via Phishing Attacks"

  • news

    Visible to the public "Malvertisers Exploited Browser Zero-Day to Redirect Users to Scams"

    The ScamClub malvertising group exploited a zero-day vulnerability in the WebKit web browser engine to deliver malicious payloads that redirect users to scams offering gift cards. WebKit is used in Chrome on iOS and Safari. Over the past three months, ScamClub campaigns have served as high as 16 million malicious ad impressions in a day. The volume of ads pushed by ScamClub malvertisers is so large that the number of malicious ad impressions during a single campaign is still significantly high even if most of the ads are blocked. According to the ad security and quality controls company Confiant, a 1 percent improvement in ScamClub's redirection rate can lead to tens of thousands of impacted impressions during a single campaign. A Confiant security engineer and researcher recently shared their discovery of ScamClub's reliance on a vulnerability in the WebKit that enables the circumvention of the iframe sandboxing policy. This article continues to discuss ScamClub's broad targeting and the large volume of malicious ads that the group pushes, as well as the ScamClub malvertisers' exploitation of a zero-day vulnerability in WebKit to redirect users to scams.

    BleepingComputer reports "Malvertisers Exploited Browser Zero-Day to Redirect Users to Scams"

  • news

    Visible to the public "Cybercrooks Rake in $304M in Romance Scams"

    Researchers at the Federal Trade Commission (FTC) stated that romance scams remain the most successful fraud strategy for cybercrooks and represent a growing sector. According to new data, the researchers found that romance schemes accounted for a record $304 million raked into illicit coffers, which is up about 50 percent from 2019. The gambits typically start with an online connection that turns into daily communications; the scammer hones a relationship with the target from afar before eventually asking for money. A target then sends funds in the form of a gift card (this payment type was up 80 percent in 2020, the FTC found) or a wire transfer. In 2020, the median dollar loss for individual victims of romance scams was around $2,500, which is more than ten times the median loss across all other fraud types, the FTC stated. From 2016 to 2020, total dollar losses increased more than fourfold, and the number of reports of romance scams to the FTC nearly tripled. The losses vary by age group. According to the FTC, people ages 20 to 29 saw the largest increase in targeting, with the number of reports more than doubling since 2019. People ages 40 to 69 were the most likely to report losing money, and people 70 and older reported the highest individual median losses at $9,475.

    Threatpost reports: "Cybercrooks Rake in $304M in Romance Scams"

  • news

    Visible to the public "North Korean Hackers Tried to Steal Pfizer Vaccine Know-How, Lawmaker Says"

    South Korea's intelligence agency has discovered that North Korea attempted to steal information on coronavirus vaccines and treatments by hacking Pfizer Inc. The agency did not elaborate on the timing or success of the attempt. Tuesday's news comes after attempts last year by suspected North Korean hackers to break into the systems of at least nine healthcare firms, such as Johnson & Johnson, Novavax Inc, and AstraZeneca. North Korea is often accused of turning to an army of hackers to fill its cash-strapped coffers amid international sanctions that ban most international trade. Health experts have said the North's hackers may be more interested in selling the stolen data than using it to develop a homegrown vaccine.

    Reuters reports: "North Korean Hackers Tried to Steal Pfizer Vaccine Know-How, Lawmaker Says"

  • news

    Visible to the public "How Apple and Google Let Your Phone Warn You if You've Been Exposed to the Coronavirus While Protecting Your Privacy"

    Virginia has joined the ranks of states that have enabled app-less COVID-19 exposure notification services for iPhone users. The implementation of such services allows iPhone users in those states to get exposure alerts without having to install exposure notification apps. The services use the coronavirus exposure notification system developed by Apple and Google for iOS and Android, which have been updated to work without apps. This system uses the universal Bluetooth short-range wireless communication technology. Coronavirus contact-tracing apps are being used around the world to alert people if they have encountered a person who has tested positive for the virus. However, these apps have raised concerns about privacy as many of them report the identities of exposed people to public health authorities. Several exposure notification projects, including PACT, BlueTrace, and COVID Watch, have been established, taking a similar approach to Apple's and Google's initiative to protect privacy. Researchers from Boston University, whose focus areas are security and privacy in wireless communications, have examined the Apple-Google exposure notification system's specifications, effectiveness, and privacy implications. Although the Apple-Google exposure notification system has a high level of security, it still does not guarantee privacy. According to the researchers, hackers could still track or identify people using different methods, involving the advertising address used by Bluetooth LE devices when broadcasting on an advertising channel, rolling proximity identifiers, and more. This article continues to discuss the use of COVID-19 exposure notification apps and app-less services, as well as findings from the study of the Apple-Google exposure notification system's specifications, effectiveness, and privacy.

    The Conversation reports "How Apple and Google Let Your Phone Warn You if You've Been Exposed to the Coronavirus While Protecting Your Privacy"

  • news

    Visible to the public "France Ties Russia's Sandworm to a Multiyear Hacking Spree"

    The French information security agency ANSSI recently published an advisory warning about Sandworm, a group of hackers within Russia's GRU military intelligence agency. This group has been linked to blackouts in Ukraine as well as NotPetya, which is considered the most destructive malware in history. According to the advisory, Sandworm's hackers have breached several French organizations, most of which are IT providers, particularly web hosting providers. ANSSI says the intrusion campaign began in late 2017 and ran until 2020. The hackers appear to have breached servers running the IT monitoring tool called Centreon. The way in which these servers were hacked remains unknown. However, ANSSI found two different pieces of malware on the servers, one of which is the publicly available backdoor called PAS. The other backdoor is known as Exaramel. Joe Slowik, a researcher with the security firm DomainTools, says that the Sandworm group is linked with destructive operations. Although the endgame linked to the campaign documented by the French authorities is not known, the fact that it is occurring should raise serious concern as the end goal of most of Sandworm's operations, has been to cause significant disruptions. ANSSI did not identify those organizations that have fallen victim to the hacking campaign. However, Centreon's website does list customers, including the defense and aerospace firm Thales, the steel and mining firm ArcelorMittal, the nuclear power firm EDF, Airbus, and the French Department of Justice. Any of these customers could have had servers running Centreon exposed to the internet. Some cybersecurity experts interpreted the ANSSI report as suggesting another software supply chain attack similar to the one launched against SolarWinds, though the report does not mention supply chain compromise. DomainTools' Slowik pointed out that the intrusions were carried out by exploiting internet-facing servers running Centreon's IT monitoring application within victims' networks. This article continues to discuss ANSSI's warning about the Sandworm hacker group's targeting of French organizations and the history of Sandworm.

    Wired reports "France Ties Russia's Sandworm to a Multiyear Hacking Spree"

  • news

    Visible to the public "270 Addresses Are Responsible For 55% of All Cryptocurrency Money Laundering"

    Researchers at a blockchain investigations firm called Chainalysis discovered that criminals who keep their funds in cryptocurrency tend to launder funds through a small cluster of online services. The online services include high-risk (low-reputation) crypto-exchange portals, online gambling platforms, cryptocurrency mixing services, and financial services that support cryptocurrency operations headquartered in high-risk jurisdictions. Criminal activity studied in this report included cryptocurrency addresses linked to online scams, ransomware attacks, terrorist funding, hacks, transactions linked to child abuse materials, and funds linked to payments made to dark web marketplaces offering illegal services like drugs, weapons, and stolen data. The researchers expected that the money laundering resulting from such a broad spectrum of unlawful activity to have taken place across a large number of services, but the researchers found that just a small group of 270 blockchain addresses have laundered around 55% of cryptocurrency associated with criminal activity. The researchers also found that 1,867 addresses received 75% of all criminally-linked cryptocurrency funds in 2020, a sum estimated at around $1.7 billion. The researchers saw a much greater share of illicit cryptocurrency going to addresses taking in between $1 million and $100 million worth of cryptocurrency per year. The researchers believe the growing concentration of deposit addresses receiving illicit cryptocurrency reflects cybercriminals' increasing reliance on a small group of OTC (over-the-counter) brokers and other nested services specializing in money laundering.

    ZDNet reports: "270 Addresses Are Responsible For 55% of All Cryptocurrency Money Laundering"

  • news

    Visible to the public "CISA, FBI Share Recommendations After Water Treatment Hack" 

    The U.S. Homeland Security Department's Cybersecurity & Infrastructure Security Agency (CISA) has issued an alert about the recent compromise of a U.S. drinking water treatment facility, with observations of the incident from CISA, along with the Federal Bureau of Investigation (FBI), Environmental Protection Agency (EPA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC). On February 5, 2021, unidentified cyber actors were able to gain unauthorized access to the facility's Supervisory Control and Data Acquisition (SCADA) system to increase the amount of sodium hydroxide (lye) in a small Florida city's water treatment process. However, water treatment plant personnel immediately noticed the unauthorized change and corrected the issue. CISA, the FBI, EPA, and MS-ISAC have observed cybercriminals targeting and exploiting desktop sharing software to gain unauthorized access to systems. It has been confirmed that the hackers used the desktop sharing software TeamViewer to gain access to the city's water system. All of the computers with this remote access tool were discovered using the same password for accessing the water system. A firewall was also not implemented. The CISA alert provides recommendations from the federal agencies for organizations on how to securely implement TeamViewer software, such as setting random passwords to generate 10-character alphanumeric passwords. There are recommendations for bolstering water and waste treatment systems security, which include installing independent cyber-physical safety systems. Organizations are also advised to enable multi-factor authentication, use strong passwords to protect remote desktop protocol credentials, implement firewalls, use the most up-to-date operating system, and more. This article continues to discuss the findings and recommendations provided by CISA's advisory regarding the recent attack on a Florida water treatment facility.

    NextGov reports "CISA, FBI Share Recommendations After Water Treatment Hack"

  • news

    Visible to the public "Illinois Is State Hit Hardest by Cybercrime"

    Researchers at Clario produced a new study looking at the number of cybersecurity-related crime victims and used a combination of government, ONS, and census data mixed with open crime data from local constabularies and police forces. The researchers discovered that the highest concentration of cybercrime victims in the United States are from Illinois. In the US, Illinois topped the table with 14.6 victims per 1,000 people, followed closely by Virginia, which had 13.2 victims per 1,000 people, and New York, which had 11. Total losses due to cybercrime were $107,152,415 in Illinois, $92,467,791 in Virginia, but just $19,876,576 in New York. California was where the most money had been stolen collectively, with $573,624,151 lost to digital thieves. Cybercrime victims in Ohio lost more per person on average ($28,734) than anywhere else in the United States. Some Americans (37%) told the researchers that they reported issues to their local government but had seen no response, while more than half felt that their law enforcement was letting them down online.

    Infosecurity reports: "Illinois Is State Hit Hardest by Cybercrime"

  • news

    Visible to the public vValentine's Day Phishing attack

    This Valentine's Day, lovers beware. What looks like confirmation orders from high end lingerie and flowers shops are really part of a spear-phishing attack that executes the BazaLoader downloader malware.

  • news

    Visible to the public "Tests Reveal Cybersecurity Vulnerabilities of Common Seismological Equipment"

    A new study by Michael Samios of the National Observatory of Athens and his colleagues highlights the cybersecurity vulnerabilities of internet-connected seismic equipment, used to detect and record earthquakes. Common security issues associated with such equipment include non-encrypted data, insecure protocols, and inadequate user authentication mechanisms. These issues leave seismological networks vulnerable to security breaches. Modern seismic stations are being implemented as Internet-of-Things (IoT) stations, consisting of physical devices that connect with other devices and transfer data via the Internet. The researchers tested attacks on various brands of seismographs, accelerographs, and (Global Navigation Satellite System) receivers. Samios and his colleagues demonstrated the launch of Denial-of-Service (DoS) attacks against the devices. The DoS attacks led to the unavailability of devices and enabled the recovery of usernames and passwords. Through these attacks, they identified threats to the equipment that are commonly found in IoT devices. The exploitation of vulnerabilities in seismic monitoring devices could allow malicious actors to alter geographical data, slow down the transmission of data, produce false alarms in earthquake early warning systems, and more. These attacks have the potential to damage public trust and to impact emergency and economic responses to a seismic event. This article continues to discuss the new study and its findings on the vulnerability of seismological equipment to cyberattacks, and what could be done to improve the security of this equipment.

    The Seismological Society of America reports "Tests Reveal Cybersecurity Vulnerabilities of Common Seismological Equipment"

  • news

    Visible to the public "Nearly Two-Thirds of CVEs Are Low Complexity"

    Researchers at Redscan have analyzed 18,000+ Common Vulnerabilities and Exposures (CVEs) recorded in NIST's National Vulnerability Database (NVD). The researchers found that there were more CVEs reported in 2020 than any year previously. Over half (57%) of vulnerabilities in 2020 were classified as "critical' or "high" severity, amounting to over 10,300 CVEs. The researchers also found that 63% of the total number disclosed in 2020 were classed as "low complexity," which means an attacker with low technical skills could exploit them. The number of vulnerabilities classed as "low complexity" has been on the rise since 2017, after mainly falling between 2001 and 2014, according to the researchers. The vulnerabilities that require no user interaction to exploit are also on the rise, representing 68% of all CVEs recorded in 2020.

    Infosecurity reports: "Nearly Two-Thirds of CVEs Are Low Complexity"

  • news

    Visible to the public "Ransomware in the Remote Era: Attackers Impersonate Parents to Target Teachers"

    Cybercriminals have impersonated parents to trick teachers into falling victim to ransomware attacks. In October of last year, Proofpoint researchers discovered a malicious email campaign that used subject lines in relation to class assignments. The emails appeared to come from parents who wanted to submit their child's assignment because the usual submission process had failed. Attackers may have pulled teachers' emails from public listings on school websites. The emails contained a malicious document that downloads a custom ransomware payload. According to researchers, the ransomware strain delivered in this campaign was written in the Go programming language. Victims were instructed to pay $80 in bitcoin. Ransomware attacks in the education sector increased significantly between the second and third quarters of 2020. In another incident last year, a public school district in Hartford, Connecticut, suffered a ransomware attack on its city servers, which delayed the first day of school for students. Such campaigns emphasize the need for the educational sector to strengthen its defenses against ransomware threats. Educational institutions are encouraged to increase network monitoring to better detect signs of attackers that have compromised work accounts. Behavioral analytics could be leveraged to increase the speed at which organizations respond to situations where an account appears to be exhibiting suspicious behavior involving data and systems. This article continues to discuss findings surrounding the October 2020 email campaign in which parents were impersonated to deliver ransomware to teachers, as well as other notable ransomware attacks faced by the education sector, and how educational institutions can defend against such attacks.

    Security Intelligence reports "Ransomware in the Remote Era: Attackers Impersonate Parents to Target Teachers"

  • news

    Visible to the public "Mobile Health Apps Found to Expose Records of Millions of Users"

    The mobile Application Programming Interface (API) security company Approov released a report, revealing discoveries from the analysis of 30 popular mobile health (mHealth) applications conducted by Alissa Knight, a partner at the marketing agency Knight Ink. The analysis found that these applications are vulnerable to API attacks. These attacks could allow unauthorized parties to access Protected Health Information (PHI) and Personally Identifiable Information (PII). There has been an increase in the reliance on mHealth apps during the COVID-19 pandemic, resulting in the generation of more user activities by health apps than other types of mobile apps. According to the research study, certificate pinning was not implemented for any of the analyzed applications, leaving them open to man-in-the-middle (MITM) attacks. More than 70 percent of the analyzed apps contained hardcoded API keys, tokens, and credentials. Half of the APIs did not use token authentication for requests, while one-quarter of the apps were not protected against reverse engineering. Knight found 114 hardcoded API keys and tokens for Google, Microsoft App Center, Cisco Umbrella, Facebook, AWS, Stripe, and more. Half of the records exposed by these applications contained sensitive information, including names, addresses, dates of birth, Social Security numbers, allergies, and medication data, belonging to millions of users. Approov's report provides recommendations for mobile app developers on how to protect customer data and sensitive resources, such as performing penetration testing. This article continues to discuss the discovery of vulnerabilities in mHealth applications and the exposure of patient information by these apps.

    Security Week reports "Mobile Health Apps Found to Expose Records of Millions of Users"

  • news

    Visible to the public "Celeb SIM-Swap Crime Ring Stole $100M from U.S. Victims"

    Recently many alleged SIM-swapping cybercriminals have been arrested across Europe by law-enforcement after the crooks finagled more than $100 million from U.S. victims. The attacks orchestrated by this criminal gang targeted thousands of victims throughout 2020, including famous internet influencers, sports stars, musicians, and their families. In a typical SIM-swapping attack, attackers use stolen, sleuthed, or phished personal information including, a person's mobile phone number, to impersonate a target. The adversaries then contact the victim's mobile carrier and ask to port the line to a different SIM card/device controlled by the attackers. This makes all incoming calls and texts re-routed to the fraudsters. SIM-swapping attacks allow crooks to bypass SMS-based two-factor authentication (2FA). From there, it's easy to use the previously phished information to gain access to and take over online/mobile banking or other high-value accounts. In this latest case, a network of criminals worked together to access the victims' phone numbers and control apps or accounts by changing the passwords. The adversaries stole money, cryptocurrencies, and personal information, including contacts synced with online accounts. The adversaries also hijacked social-media accounts to post content and send messages masquerading as the victim.

    Threatpost reports: "Celeb SIM-Swap Crime Ring Stole $100M from U.S. Victims"

  • news

    Visible to the public "Researchers Identify 223 Vulnerabilities Used in Recent Ransomware Attacks"

    Researchers from RiskSense have identified 223 different IT security vulnerabilities in the Common Vulnerabilities and Exposures (CVE) database that were exploited in the performance of ransomware attacks in 2020. The number of vulnerabilities used in ransomware attacks in 2020 is four times the number of ransomware-related vulnerabilities discovered by RiskSense in 2019. The researchers have also brought further attention to the significant growth and increasing complexity of ransomware families, comparing the discovery of 19 separate ransomware families in 2019 with the identification of at least 125 ransomware groups in 2020. According to researchers, these groups are continuing to expand their operations, develop new malware strains, sell their tools to other malicious parties, and targeting flaws contained by software and web applications. Nearly 40 percent of the 223 CVEs, tied to attacks involving ransomware in 2020, fall under five commonly identified security vulnerabilities, which include permissions, privileges and access controls, code injection, incorrect input validation, improper limitation of operations within the bounds of a memory buffer, and the exposure of sensitive information to unauthorized users. The driving factors behind this expanded attack surface appear to be the transition of businesses into an online model due to the COVID-19 pandemic, as well as developments in digital transformation and the increase in cloud adoption. These factors have pushed many organizations to adopt technologies such as cloud applications, Virtual Private Networks (VPNs), and home networks, with security flaws and misconfigurations that could be abused in ransomware attacks. This article continues to discuss RiskSense researchers' identification of 223 distinct vulnerabilities used in recent ransomware attacks, the factors behind this increase in ransomware-related vulnerabilities, the growing sophistication of ransomware families, and how organizations can improve their ransomware defense.

    SC Media reports "Researchers Identify 223 Vulnerabilities Used in Recent Ransomware Attacks"

  • news

    Visible to the public "Political Bias and Impulsive Behavior Open Door to Misinformation"

    A new peer-reviewed study from researchers at MIT and the UK's Exeter University has been recently conducted and began by identifying 842 random Twitter users who displayed partisan bias towards the Republican or Democratic Party. The researchers then created Eight bot accounts with varying degrees of partisanship to follow the group. The researchers concluded that, no matter the strength of partisanship displayed by the bots and no matter whether Democrat or Republican, Twitter users were almost three times more likely to follow back someone with the same political affiliation as their own. The researchers claimed that previous research had shown conservatives to be more likely to create social ties with those of their political persuasion than liberals, a finding seemingly contradicted by this study. The researchers suggest for more critical thinking and media literacy classes be taught in schools to help individuals determine what is real information and misinformation.

    Infosecurity reports: "Political Bias and Impulsive Behavior Open Door to Misinformation"

  • news

    Visible to the public "Various Malware Lurks in Discord App to Target Gamers"

    Security researchers from Zscaler ThreatLabZ have found multiple active malware campaigns targeting the Discord group-chatting platform. The app is used by gamers and for creating communities on the web, called "servers," either as standalone forums or as part of another website. Discord supports voice, video, or text, allowing all to interact within created communities. Malware found being planted recently in Discord includes Epsilon ransomware, XMRig miner, Redline Stealer, TroubleGrabber, and a broad category of unidentified Discord token grabbers, according to the researchers. The new Discord attacks observed by researchers usually start with spam emails in which users are tricked with legitimate-looking templates into downloading next-stage payloads. The attack vector uses Discord services to form a URL to host a malicious payload. According to the researchers, the campaigns rename malicious files as pirated software or gaming software and use file icons related to gaming to trick victims.

    Threatpost reports: "Various Malware Lurks in Discord App to Target Gamers"

  • news

    Visible to the public "Deepfake Detectors Can Be Defeated, Researchers Show for the First Time"

    Deepfakes refer to synthetic media, including images, audio, and videos, that are manipulated or created using Artificial Intelligence (AI). Deepfakes have received a lot of attention as they can be used to spread misleading or false information. In addition to spreading disinformation, deepfakes can decrease the effectiveness of security systems such as those that apply facial recognition technologies for authentication. Although there have been developments in security measures to detect deepfakes, this synthetic media remains a problem. A team of computer scientists recently demonstrated that it is possible to deceive systems designed to detect deepfake videos. They were able to defeat the detectors with adversarial examples, which are inputs designed to cause AI systems like Machine Learning (ML) models to make mistakes. The researchers inserted adversarial examples into every video frame. They also showed that their attacks can still work after a video has been compressed. The demonstration proves that it is possible for adversaries to create robust adversarial deepfakes even if they do not know the inner workings of the ML model used by the detector. Researchers used two scenarios to test their attacks. One scenario involves attackers having complete access to the detector model, while the other involves attackers only querying the ML model to determine the probabilities of a frame being classified as real or fake. The first scenario resulted in a success rate of over 99 percent for uncompressed videos and 84.96 percent for compressed videos. The success rate in the second scenario was 86.43 percent for uncompressed videos and 78.33 percent for compressed videos. The researchers recommend the performance of adversarial training to improve deepfake detectors. This article continues to discuss the spread of deepfake videos, the attacks demonstrated by researchers that can defeat deepfake detectors, and how these detectors can be improved through adversarial training.

    Homeland Security News Wire reports "Deepfake Detectors Can Be Defeated, Researchers Show for the First Time"

  • news

    Visible to the public "High Demand for Hacker Services on Dark Web Forums"

    According to new research by Positive Technologies, 90 percent of users of dark web forums are seeking hackers who can give them a specific resource or provide a user database. The study involved exploring the ten most prominent forums on the dark web that provide services for those who want to hack websites as well as a place for hackers to buy and sell databases. The study's findings highlight the growing demand for hackers' services and stolen data, ignited by the increase in internet use by organizations and individuals during the COVID-19 pandemic. Researchers found that the most common goal of dark web forum users was to gain access to a web resource, as suggested by 69 percent of ad inquiries. The next most common goal was to gain access to a user or client database from a targeted resource, with this making up 21 percent of all ad inquires. The researchers pointed out that the dark web forum users, most interested in getting this type of information, were competitors and spammers who seek to obtain lists of addresses that can be used to carry out phishing attacks targeting a particular audience. Only 7 percent of forum messages involved individuals offering website hacking services, while 3 percent focused on advertising hacking tools, programs, and sharing hacking experiences. The researchers also observed a high demand for access to e-commerce websites. Prices for purchasing and selling hacking services and website access were seen ranging from $50 to $2000. This article continues to discuss key findings from Positive Technologies' analysis of dark web forums regarding users' most common goals and the most demanded services on these forums, as well as the need to strengthen web application security.

    Infosecurity Magazine reports "High Demand for Hacker Services on Dark Web Forums"

  • news

    Visible to the public "Google Says It's Too Easy for Hackers to Find New Security Flaws"

    New research from Maddie Stone, a researcher who is part of the Google security team called Project Zero, brings further attention to the ease at which hackers keep exploiting zero-day security flaws. It is easy for hackers to exploit zero-day vulnerabilities because of companies' inadequate actions to address weaknesses and loopholes. The research by Stone highlights multiple examples of this problem, some of which cover the issues that Google has faced with its Chrome browser. The problem is common across the industry, with the deployment of incomplete patches that allow hackers to make slight changes to their code to make an exploit work again. Google's Project Zero team is dedicated to tracking, analyzing, and learning from zero-day flaws. So far, Google's team has publicly tracked more than 150 major zero-day bugs. In 2020, Stone's team detected 24 zero-day vulnerabilities that were being exploited in the wild, some of which were extremely similar to ones that have been disclosed before. Three of the vulnerabilities were not properly fixed after they were reported to the vendor, meaning that only a few changes would need to be made to the hacker's code for the attack to continue working. Stone points out that most security teams at software companies lack the time and resources needed to properly fix bugs. She also says that flawed priorities and incentives often prevent security teams from addressing deeper issues at the root of many security flaws. Tech companies must increase investment in correct and comprehensive patches. They are encouraged to give engineers more time to fully investigate the root cause of vulnerabilities to eliminate entire classes of security bugs and exploits. This article continues to discuss attackers' repeated exploitation of the same types of software vulnerabilities and what companies need to do to fix these bugs at a deeper level.

    MIT Technology Review reports "Google Says It's Too Easy for Hackers to Find New Security Flaws"

  • news

    Visible to the public "Credential Theft Attacks Doubled Between 2016 and 2020"

    According to security researchers, the number of attacks resulting in large-scale credential theft has almost doubled over the past four years, although the volume of breached login pairs declined. The average breach volumes declined from 63 million records in 2016 to 17 million in 2020, but poor security practices is driving downstream risk exposure. The researchers found that plaintext storage of passwords was responsible for the most significant number of spilled credentials (43%), followed by unsalted SHA-1 hashed passwords (20%). At the same time, discredited hashing algorithm MD5 remains surprisingly common. Organizations are also poor at detecting breach attempts. The researchers found that the median time to discovering a credential spill between 2018 and 2020 was 120 days, while the average time to discovery was 327 days. Over 60% of the 100 billion credential stuffing attacks detected over the previous two years were targeted at retail, travel, and hospitality businesses, with retail accounting for over 90% of these.

    Infosecurity reports: "Credential Theft Attacks Doubled Between 2016 and 2020"

  • news

    Visible to the public "Supply-Chain Hack Breaches 35 Companies, Including PayPal, Microsoft, Apple"

    An ethical hacker named Alex Birsan has demonstrated a novel supply-chain attack that breached the systems of more than 35 technology players, including Microsoft, Apple, PayPal, Shopify, Netflix, Tesla, and Uber, by exploiting public, open-source developer tools. The attack injects malicious code into common tools for installing dependencies in developer projects that typically use public depositories from GitHub sites. The malicious code then uses these dependencies to propagate malware through a targeted company's internal applications and systems. Once he began to target companies with his attack, he stated that "the success rate was simply astonishing." The vulnerability he exploited, which he called dependency confusion, was detected inside more than 35 organizations to date and across three tested programming languages Python, Ruby, and Java. The researcher received more than $130,000 in both bug bounties and pre-approved financial arrangements with targeted organizations.

    Threatpost reports: "Supply-Chain Hack Breaches 35 Companies, Including PayPal, Microsoft, Apple"

  • news

    Visible to the public "Microsoft Says It's Time to Attack Your Machine-Learning Models"

    Hyrum Anderson, the principal architect of the Azure Trustworthy Machine Learning (ML) group at Microsoft, gave a presentation at the recent USENIX ENIGMA Conference in which they called on mature companies to conduct red team attacks against their ML systems to find vulnerabilities and strengthen their defenses. In order to better understand the impact of attacks on ML, Microsoft's internal red team recreated an ML automated system that can assign hardware resources in response to cloud requests. The team's testing of the offline version of the system revealed adversarial examples that can lead to Denial-of-Service (DoS). Data-science teams should defensively protect their data and model, as well as perform sanity checks to make sure that the ML model is not over-provisioning resources, thus increasing robustness. Anderson says that just because a model is not accessible externally does not mean it is safe against attacks. Internal models are not secure by default as there are paths that attackers can take to cause downstream effects in an overall system. Anderson emphasized that organizations face the risk of exposure if they use ML due to the gap between this technology and security. The USENIX presentation is a part of Microsoft's efforts to bring further attention to the possibility of adversarial attacks on ML models. These types of attacks are often highly technical, making it difficult for most companies to know how to assess their security. Anderson suggests that the security community increases its exploration of adversarial ML attacks and considers this issue as a part of the broader threat landscape. According to a survey conducted by Microsoft last year, nearly 90 percent of organizations do not know how to protect their ML systems against attacks. This article continues to discuss why mature companies should perform red team attacks against their ML systems, the lack of awareness among organizations about how to protect ML systems from attacks, and Microsoft's research on adversarial ML attacks.

    Dark Reading reports "Microsoft Says It's Time to Attack Your Machine-Learning Models"

  • news

    Visible to the public "Researchers Discover Exposed Comcast Database Containing 1.5 Billion Records"

    The WebsitePlanet research team, in collaboration with Jeremiah Fowler, a security researcher, discovered a database containing more than 1.5 billion records without password protection. The database consists of references that suggest that it belongs to the cable and internet giant Comcast. The records exposed by the database included dashboard permissions, logs, client IPs, email addresses, and hashed passwords. Attackers can gain insight into the internal functionality, logging, and network structure using the remote and internal IP addresses, node names, and other details revealed by the unprotected database. The email addresses and passwords exposed by the database belonged to Comcast's Development team. According to the research team, the server also exposed alerts, job scheduling records, and error logs that showed cluster names, device names, as well as privileged internal rules and tasks. This article continues to discuss the discovery of a non-password protected Comcast database containing 1.5 billion records, the type of information exposed by the database, the malicious activities that could be performed by cybercriminals through the abuse of this information, and how Comcast responded to the research team's findings.

    Security Magazine reports "Researchers Discover Exposed Comcast Database Containing 1.5 Billion Records"

  • news

    Visible to the public "Cyberpunk 2077 Maker Was Hit With a Ransomware Attack—and Won't Pay Up"

    The Polish video game company CD Projekt Red, which developed Cyberpunk 2077, one of the top-selling titles of 2020, has been hit by a ransomware attack. CD Projekt Red recently revealed that it had been the victim of a ransomware attack in which unidentified actors gained access to the company's internal network, encrypted some computers, and stole data. The attackers claim to have stolen source code for Cyberpunk 2077 and other games such as Witcher 3. They also say they stole information about the company's investor relations and human resources, as well as financial accounting information. According to CD Projekt Red, there is no evidence that suggests the compromise of customer data in the breach. CD Projekt Red says it will not give in to the attackers' demand for a ransom payment. The company is currently restoring its systems from backups. Researchers from the antivirus firm Emsisoft believe the ransomware used in the attack is HelloKitty, based on the familiarity of the ransom note's style and naming convention. Tony Robinson, an independent researcher, suggests that the motive behind the attack may also be to seek revenge in addition to financial gain. The incident occurred as CD Projekt Red faces significant criticism due to the release of its highly anticipated Cyberpunk 2077 game with numerous bugs and performance issues on different platforms. This article continues to discuss the ransomware group, potential motives, and impact of the ransomware attack on CD Projekt Red, and the company's decision not to pay the attackers' demanded ransom.

    Wired reports "Cyberpunk 2077 Maker Was Hit With a Ransomware Attack--and Won't Pay Up"

  • news

    Visible to the public "Hacker Tries to Poison Water Supply of Florida Town"

    A threat actor remotely accessed the IT system of the water treatment facility of Oldsmar, Florida, and tried to poison the town's water supply by raising the levels of sodium hydroxide, or lye, in the water supply. According to local authorities, the attack happened just two days before the NFL's Super Bowl LV was held nearby in Tampa Bay. An operator at the plant first noticed a brief intrusion Friday, Feb. 5, around 8:00 a.m. Someone remotely accessed the computer system the operator was monitoring that controls chemical levels in the water and other operations. The operator "didn't think much of it" because it's normal for his supervisors to use the remote access feature to monitor his computer screen at times. However, around 1:30 p.m., an adversary again remotely accessed the computer system. The operator observed the mouse moving around on the screen to access various systems that control the water being treated. During the second intrusion, which lasted three to five minutes, the intruder changed the level of sodium hydroxide in the water from 100 parts per million to 11,100 parts per million, which is a significant and potentially dangerous increase. Sodium hydroxide, also known as lye, is the main ingredient in liquid drain cleaners and is used to control water acidity and remove metals from drinking water in water-treatment plants. Fortunately, the operator quickly changed the level back to normal after the intrusion and alerted supervisors, who then contacted the Pinellas County Sheriff's Office. The FBI and U.S. Secret Service were also notified and worked over the weekend to investigate and discover who was behind the attack. At this time, authorities have leads but have not identified a suspect, nor do they know if the attack came from inside the United States or outside the country.

    Threatpost reports: "Hacker Tries to Poison Water Supply of Florida Town"