News Items

  • news

    "Supply-Chain Hack Breaches 35 Companies, Including PayPal, Microsoft, Apple"

    An ethical hacker named Alex Birsan has demonstrated a novel supply-chain attack that breached the systems of more than 35 technology companies, including Microsoft, Apple, PayPal, Shopify, Netflix, Tesla, and Uber, by exploiting public, open-source developer tools. The attack injects malicious code into common tools for installing dependencies in developer projects, which typically pull from public repositories such as GitHub. The malicious code then uses these dependencies to propagate malware through a targeted company's internal applications and systems. Once he began to target companies with his attack, he stated that "the success rate was simply astonishing." The vulnerability he exploited, which he called dependency confusion, was detected inside more than 35 organizations to date and across three tested programming languages: Python, Ruby, and Java. The researcher received more than $130,000 in bug bounties and pre-approved financial arrangements with the targeted organizations.

    Threatpost reports: "Supply-Chain Hack Breaches 35 Companies, Including PayPal, Microsoft, Apple"

  • news

    "Microsoft Says It's Time to Attack Your Machine-Learning Models"

    Hyrum Anderson, the principal architect of the Azure Trustworthy Machine Learning (ML) group at Microsoft, gave a presentation at the recent USENIX ENIGMA Conference in which he called on mature companies to conduct red team attacks against their ML systems to find vulnerabilities and strengthen their defenses. To better understand the impact of attacks on ML, Microsoft's internal red team recreated an automated ML system that assigns hardware resources in response to cloud requests. The team's testing of the offline version of the system revealed adversarial examples that could lead to Denial-of-Service (DoS). Data-science teams should defensively protect their data and model, and perform sanity checks to make sure the ML model is not over-provisioning resources, thus increasing robustness. Anderson says that just because a model is not accessible externally does not mean it is safe against attacks. Internal models are not secure by default, as there are paths attackers can take to cause downstream effects in the overall system. Anderson emphasized that organizations using ML face a risk of exposure because of the gap between this technology and security. The USENIX presentation is part of Microsoft's efforts to bring further attention to the possibility of adversarial attacks on ML models. These attacks are often highly technical, making it difficult for most companies to know how to assess their security. Anderson suggests that the security community increase its exploration of adversarial ML attacks and consider the issue as part of the broader threat landscape. According to a survey conducted by Microsoft last year, nearly 90 percent of organizations do not know how to protect their ML systems against attacks. This article continues to discuss why mature companies should perform red team attacks against their ML systems, the lack of awareness among organizations about how to protect ML systems from attacks, and Microsoft's research on adversarial ML attacks.

    Dark Reading reports "Microsoft Says It's Time to Attack Your Machine-Learning Models"

  • news

    "Researchers Discover Exposed Comcast Database Containing 1.5 Billion Records"

    The WebsitePlanet research team, in collaboration with security researcher Jeremiah Fowler, discovered a database containing more than 1.5 billion records without password protection. The database contains references suggesting that it belongs to the cable and internet giant Comcast. The exposed records included dashboard permissions, logs, client IPs, email addresses, and hashed passwords. Attackers could gain insight into internal functionality, logging, and network structure from the remote and internal IP addresses, node names, and other details revealed by the unprotected database. The email addresses and passwords exposed by the database belonged to Comcast's development team. According to the research team, the server also exposed alerts, job scheduling records, and error logs that showed cluster names, device names, and privileged internal rules and tasks. This article continues to discuss the discovery of a non-password-protected Comcast database containing 1.5 billion records, the type of information exposed by the database, the malicious activities that cybercriminals could perform by abusing this information, and how Comcast responded to the research team's findings.

    Security Magazine reports "Researchers Discover Exposed Comcast Database Containing 1.5 Billion Records"

  • news

    "Cyberpunk 2077 Maker Was Hit With a Ransomware Attack—and Won't Pay Up"

    The Polish video game company CD Projekt Red, which developed Cyberpunk 2077, one of the top-selling titles of 2020, has been hit by a ransomware attack. CD Projekt Red recently revealed that unidentified actors gained access to the company's internal network, encrypted some computers, and stole data. The attackers claim to have stolen source code for Cyberpunk 2077 and other games such as Witcher 3. They also say they stole information about the company's investor relations and human resources, as well as financial accounting information. According to CD Projekt Red, there is no evidence that customer data was compromised in the breach. CD Projekt Red says it will not give in to the attackers' ransom demand and is currently restoring its systems from backups. Researchers from the antivirus firm Emsisoft believe the ransomware used in the attack is HelloKitty, based on the familiar style and naming convention of the ransom note. Tony Robinson, an independent researcher, suggests that the motive behind the attack may be revenge in addition to financial gain. The incident occurred as CD Projekt Red faces significant criticism over the release of its highly anticipated Cyberpunk 2077 game with numerous bugs and performance issues on different platforms. This article continues to discuss the ransomware group, potential motives, the impact of the ransomware attack on CD Projekt Red, and the company's decision not to pay the demanded ransom.

    Wired reports "Cyberpunk 2077 Maker Was Hit With a Ransomware Attack—and Won't Pay Up"

  • news

    "Hacker Tries to Poison Water Supply of Florida Town"

    A threat actor remotely accessed the IT system of the water treatment facility in Oldsmar, Florida, and tried to poison the town's water supply by raising the level of sodium hydroxide, or lye, in the water. According to local authorities, the attack happened just two days before the NFL's Super Bowl LV was held nearby in Tampa Bay. An operator at the plant first noticed a brief intrusion on Friday, Feb. 5, around 8:00 a.m., when someone remotely accessed the computer system the operator was monitoring, which controls chemical levels in the water and other operations. The operator "didn't think much of it" because it is normal for his supervisors to use the remote access feature to monitor his computer screen at times. However, around 1:30 p.m., an adversary again remotely accessed the computer system. The operator observed the mouse moving around the screen to access various systems that control the water being treated. During the second intrusion, which lasted three to five minutes, the intruder changed the level of sodium hydroxide in the water from 100 parts per million to 11,100 parts per million, a significant and potentially dangerous increase. Sodium hydroxide is the main ingredient in liquid drain cleaners and is used in water-treatment plants to control water acidity and remove metals from drinking water. Fortunately, the operator quickly changed the level back to normal after the intrusion and alerted supervisors, who then contacted the Pinellas County Sheriff's Office. The FBI and U.S. Secret Service were also notified and worked over the weekend to investigate and discover who was behind the attack. At this time, authorities have leads but have not identified a suspect, nor do they know whether the attack came from inside or outside the United States.

    Threatpost reports: "Hacker Tries to Poison Water Supply of Florida Town"

  • news

    "Microsoft to Alert Enterprise Security Teams When Nation-State Attackers Target Their Employees"

    This month, Microsoft will introduce a new security alert that notifies enterprise security teams when an employee is being targeted by suspected nation-state attackers. The Microsoft Threat Intelligence Center tracks these threats, builds comprehensive profiles of the activity, and works closely with all Microsoft security teams to implement detections and mitigations that protect customers. The notification will appear in the Microsoft Defender for Office 365 dashboard, a cloud-based email filtering service that protects enterprise Office 365 users against advanced and targeted threats (e.g., business email compromise, credential theft, and phishing). This allows security teams to begin remediation immediately, independently of the targeted user, who will also receive an email alert but might not see it or react to it with the required haste. The new feature may be a direct consequence of the recent SolarWinds hack, in which the attackers, believed to be government-backed, also compromised some of the company's Office 365 email accounts (though that was not the initial attack vector).

    Help Net Security reports: "Microsoft to Alert Enterprise Security Teams When Nation-State Attackers Target Their Employees"

  • news

    "Personal Data, Fodder for Cyberwarfare? New Models for Stepping up Cybersecurity"

    Regner Sabillon, a doctoral student at the Open University of Catalonia (UOC), has published a book titled "Cyber Security Auditing, Assurance, and Awareness Through CSAM and CATRAM," which the US website BookAuthority has praised as the best new cybersecurity book to read in 2021. Sabillon's book explores multiple case studies and emphasizes the importance of taking appropriate measures to protect data against cyberattacks. The book is based on his research on models that can efficiently address the growing frequency and sophistication of cyberattacks. In it, Sabillon highlights the need to update security models to prevent increasingly complex cyberattacks targeting top-tier institutions, ordinary citizens, businesses, and government agencies. Victor Cavaller, a professor in the Department of Information and Communication Sciences at UOC who co-supervised Sabillon's research, explained that the study involved a comprehensive review of the cybersecurity systems that organizations around the world are implementing. Cavaller also explained that the book proposes audit and awareness training models that have proven useful and effective in several institutions, where they have significantly improved computer protection capabilities. The research offers greater insight into the maturity of cybersecurity at different companies and institutions, providing a starting point for raising those maturity levels. Sabillon hopes to shed further light on current issues in the cybersecurity domain, including the theft of individuals' personal or sensitive data, tampering with private businesses' intellectual property, and the continuous advancement of cyberattacks. This article continues to discuss the topics covered by Sabillon's book, including cyberwarfare and security models.

    UOC reports "Personal Data, Fodder for Cyberwarfare? New Models for Stepping up Cybersecurity"

  • news

    "Hacking Group Also Used an IE Zero-Day Against Security Researchers"

    Last month, Google's Threat Analysis Group revealed an ongoing campaign targeting security researchers and attributed it to the North Korean state-sponsored hacking group known as the Lazarus Group. According to Google, the Lazarus Group employed a novel social engineering method in which the attackers contact target security researchers and ask them to collaborate on vulnerability and exploit development. Once a researcher agrees to collaborate, the attackers send them malicious Visual Studio projects and links to websites hosting exploit kits that install backdoors on their computers. Microsoft revealed that it had observed the Lazarus Group sending MHTML files containing malicious JavaScript to researchers. Researchers at the South Korean cybersecurity firm ENKI recently reported that Lazarus had targeted members of their research team with MHTML files, and found that an Internet Explorer zero-day vulnerability was exploited in the attacks they faced. Exploitation of the Internet Explorer bug allows attackers to upload a list of running processes, screen captures, and network information to their command-and-control (C2) server. This article continues to discuss the Lazarus Group's malicious campaign targeting security researchers and the abuse of an Internet Explorer zero-day in attacks against ENKI's security researchers.

    BleepingComputer reports "Hacking Group Also Used an IE Zero-Day Against Security Researchers"

  • news

    "Three Ways MITRE ATT&CK Can Improve Your Organizational Security"

    Ganesh Pai, the CEO of the security analytics company Uptycs, has outlined the ways in which MITRE ATT&CK can help organizations improve their security. MITRE ATT&CK is an objective, third-party standard that security leaders and practitioners can use to evaluate their detection coverage and Endpoint Detection and Response (EDR) solutions. The framework was built from real-world observations, providing greater insight into attacker techniques, and it allows red teams to reproduce the behavior of different threat groups. ATT&CK also covers the post-compromise lateral movement overlooked by the Cyber Kill Chain, which helps in designing capabilities to detect attackers who have penetrated perimeter defenses as well as insiders who are abusing legitimate credentials. This article continues to discuss how organizations can effectively apply MITRE ATT&CK.

    Help Net Security reports "Three Ways MITRE ATT&CK Can Improve Your Organizational Security"

  • news

    "With One Update, This Malicious Android App Hijacked Millions of Devices"

    Researchers at Malwarebytes have discovered that a popular barcode scanner app on Google Play was turned into malware by adversaries. Lavabird Ltd.'s Barcode Scanner was an Android app available on Google's official app repository for years. It had over 10 million installs and offered a QR code reader and a barcode generator. The app appeared to be legitimate, trustworthy software; many users had installed it years ago without any problems. Recently, however, many users of the app started to complain of adverts appearing unexpectedly on their Android devices. A software update issued on roughly December 4, 2020, changed the app's functions to push advertising without warning, and the change was heavily concealed to avoid detection. Malwarebytes reported its findings to Google, which has since pulled the app from Google Play. Users need to uninstall the now-malicious app from their mobile devices manually.

    ZDNet reports: "With One Update, This Malicious Android App Hijacked Millions of Devices"

  • news

    "Machine Learning Algorithm May Be the Key to Timely, Inexpensive Cyber-Defense"

    Zero-day attacks on vulnerable computer networks and cyber-infrastructure can overwhelm traditional defenses, leading to billions of dollars in damage and weeks of manual work to recover systems after they have been infiltrated. A team of researchers led by the Pennsylvania State University has now developed a machine learning approach based on a technique called reinforcement learning, which organizations can adopt to defend against attacks on their systems. The approach is an adaptive, machine learning-driven method that addresses the current limitations of Moving Target Defense (MTD), a technique in which changes across multiple system dimensions are controlled to increase uncertainty and complexity for attackers, reducing their window of opportunity and raising the cost of their attack efforts. However, MTD techniques face two limitations: manual selection of configurations is time-consuming, and manually selected configurations may not be the most cost-effective. According to the researchers, the typical amount of time it takes to respond to an attack is at most 15 days, which requires significant funds and resources. The team tested their reinforcement learning algorithm in a network consisting of 10 machines. The setup included web and mail servers, along with a gateway server, SQL server, DNS server, and an admin server. The researchers also added specific vulnerabilities to produce multiple attack scenarios. This article continues to discuss the costs of zero-day attacks on organizations and the machine learning approach developed by the Penn State-led team to help organizations defend against such attacks in a powerful and cost-effective way.

    The Pennsylvania State University reports "Machine Learning Algorithm May Be the Key to Timely, Inexpensive Cyber-Defense"

  • news

    "Web Application Attacks Grow Reliant on Automated Tools"

    A new report released by Barracuda Networks researchers shares findings from two months of attack data analysis. The findings reveal that cybercriminals have grown more reliant on automated tools to perform their attacks. According to the report, the top five threat types dominated by automated attacks were fuzzing attacks, injection attacks, fake bots, application Distributed Denial-of-Service (DDoS), and blocked bots. Two types of attackers use bots to exploit vulnerabilities. Most activity comes from attackers who deploy automated attacks at scale rather than targeting a specific website. The group with a smaller amount of traffic uses automated tools for attacks against e-commerce websites and other sites that can generate profit for them. The researchers pointed out that these threats can manifest as fake bots posing as Google bots to circumvent detection mechanisms, or as application DDoS attacks attempting to disrupt a website by covertly overloading a web app. Researchers say that most attack traffic stems from fuzzing or reconnaissance tools used to examine apps for security flaws. When performing injection attacks, most attackers used tools such as sqlmap to break into apps. Many of these injection attacks were script kiddie-level noise, meaning they were launched against an application without reconnaissance to customize the attack. This article continues to discuss cybercriminals' growing dependence on automated tools as well as the researchers' observations on the most common types of automated attacks.

    Dark Reading reports "Web Application Attacks Grow Reliant on Automated Tools"

  • news

    IBM offers Education Security Grants to 6 school systems

    To help public school districts better prepare for ransomware attacks, IBM is awarding 6 Education Security Preparedness grants valued at $500,000 to school systems who apply via

  • news

    "Plex Media Servers Are Being Abused For DDoS Attacks"

    Researchers at the security firm Netscout have discovered that DDoS-for-hire services are abusing Plex Media servers to bounce junk traffic and amplify distributed denial of service (DDoS) attacks. The researchers scanned the internet and found 27,000 Plex Media servers exposed online that could be abused for DDoS attacks. Plex Media Server is a web application for Windows, Mac, and Linux that is usually used for video or audio streaming and multimedia asset management. The app can be installed on regular web servers or comes bundled with network-attached storage (NAS) systems, digital media players, and other types of multimedia-streaming IoT devices. The researchers stated that when a server or device running the Plex Media Server app is booted and connected to a network, it starts a local scan for other compatible devices via the Simple Service Discovery Protocol (SSDP). The problem arises when a Plex Media server discovers a local router that has SSDP support enabled: the Plex Media server then adds a NAT forwarding rule to the router, exposing its Plex Media SSDP (PMSSDP) service directly on the internet on UDP port 32414. The SSDP protocol has been known for years to be a perfect vector for amplifying the size of a DDoS attack, making Plex Media servers a juicy and untapped source of DDoS bots for DDoS-for-hire operations. The researchers also stated that adversaries only have to scan the internet for devices with this port enabled and then abuse them to amplify the web traffic they send to a DDoS attack victim. The amplification factor is around 4.68, with a Plex Media server amplifying incoming PMSSDP packets from 52 bytes to about 281 bytes before sending the packet to the victim.

    ZDNet reports: "Plex Media Servers Are Being Abused For DDoS Attacks"

  • news

    "Spotify Suffers Second Credential-Stuffing Cyberattack in 3 Months"

    Spotify has been hit by another credential-stuffing cyberattack, just three months after the last one. On Thursday, researcher Bob Diachenko uncovered a malicious Spotify logger database holding more than 100,000 account details (leaked elsewhere online) that were being misused in a credential-stuffing attack. As many as 100,000 of the music streaming service's customers could face account takeover. Spotify stated that the attacks were carried out using an ill-gotten set of data and that the company worked with the hosting ISP to have the fraudulent database taken down. Spotify has notified the affected users and required them to change their passwords. Cybercriminals carrying out credential stuffing take advantage of people who reuse the same passwords across multiple online accounts; attackers build automated scripts that systematically try stolen IDs and passwords against various types of accounts.

    Threatpost reports: "Spotify Suffers Second Credential-Stuffing Cyberattack in 3 Months"

  • news

    "A Coordinated Takedown Targets 'OGUser' Account Thieves"

    Instagram, TikTok, and Twitter have taken action against the hacker community known as OGUsers, whose members buy and sell stolen social media accounts. Hackers affiliated with OGUsers were allegedly behind last year's attack on Twitter that resulted in the temporary takeover of several accounts belonging to well-known figures and companies, including Jeff Bezos, Uber, and Apple. In a coordinated effort to crack down on OGUsers account takeovers, TikTok, Twitter, and Instagram are seizing stolen accounts. The coordinated action also involves sending cease-and-desist letters to the most active members of the OGUsers account theft operation. In addition to compromising accounts to steal credentials, skilled OGUsers hackers have performed sophisticated phishing attacks and have attempted to extort customer service employees and IT technicians at high-value companies into providing bulk access to more accounts. With bulk access, OGUsers members have performed SIM-swapping attacks to take control of a target's phone number, giving them the ability to request password resets for some websites or to intercept a victim's two-factor authentication code. Twitter announced that it recently banned a number of accounts tied to OGUsers activity, and TikTok reclaimed usernames that were being used for account squatting. This article continues to discuss the OGUsers hacker community and the coordinated action to take down OGUser account thieves.

    Wired reports "A Coordinated Takedown Targets 'OGUser' Account Thieves"

  • news

    "Agent Tesla Trojan Can Evade Endpoint Protection, Sophos Reports"

    Sophos researchers have reported the continued refinement of the Trojan known as Agent Tesla. New evidence suggests that Agent Tesla is now capable of disabling endpoint protection. Agent Tesla emerged in 2014, spreading through spam emails with attachments, and is widely distributed in online underground marketplaces. According to the researchers, two versions of Agent Tesla are currently in use in the wild, both of which can steal credentials from email clients, virtual private network clients, other software, and web browsers, as well as record screens and keystrokes. The two versions differ in their use of the Tor anonymizing network client and the Telegram messaging API for command and control. Agent Tesla is said to be one of the most common Windows-based threats, as it was among the top malware families delivered via email in 2020. In December 2020, Agent Tesla payloads made up 20% of the malicious email attachment attacks detected and stopped by Sophos scanners. Criminals continue to update Agent Tesla to improve its ability to circumvent endpoint and email protection tools. This article continues to discuss the capabilities and continued evolution of Agent Tesla, and Sophos' recommendations for IT administrators on how to mitigate the threat of this Trojan.

    SecurityBrief reports "Agent Tesla Trojan Can Evade Endpoint Protection, Sophos Reports"

  • news

    "Recent Sudo Vulnerability Affects Apple, Cisco Products"

    Researchers at the cybersecurity firm Qualys discovered a bug in the Sudo utility that affects Apple's macOS Big Sur operating system and multiple Cisco products. Administrators use Sudo to delegate root-level authority to specific users or groups while logging all of their commands and activities; it lets them enable or restrict a user's execution of commands on a host and centrally manage user privileges per host. The flaw, tracked as CVE-2021-3156 and dubbed Baron Samedit by the Qualys researchers, is a heap-based buffer overflow. Unprivileged users can exploit it to gain root privileges on a vulnerable host. The researchers have so far demonstrated exploitation only on several Linux distributions, such as Debian, Fedora, and Ubuntu, but warn that most Unix- and Linux-based systems could be affected. This article continues to discuss the recently discovered Sudo vulnerability, its potential exploitation and impact, and the responses to it.

    Security Week reports "Recent Sudo Vulnerability Affects Apple, Cisco Products"

  • news

    "Microsoft Office 365 Attacks Sparked from Google Firebase"

    Researchers at Armorblox have discovered a savvy phishing campaign that evades native Microsoft security defenses and aims to steal Microsoft login credentials. The campaign uses Google Firebase to bypass email security measures in Microsoft Office 365. It consists of invoice-themed emails sent to at least 20,000 mailboxes. The emails carry the subject line "TRANSFER OF PAYMENT NOTICE FOR INVOICE" and contain a link to download an "invoice" from the cloud. If a victim clicks the link, a series of redirects eventually takes them to a Microsoft Office-branded page hosted on Google Firebase. That page is a phishing page the adversaries use to harvest Microsoft login information, secondary email addresses, and phone numbers. The researchers stated that "since all workplace accounts are so closely interlinked, sharing credentials to one of your accounts can prove to be very dangerous as cybercriminals send emails in your name to trick your customers, partners, acquaintances and family members."

    Threatpost reports: "Microsoft Office 365 Attacks Sparked from Google Firebase"

  • news

    "Disclosed ICS Vulnerabilities Surged During Second Half of 2020"

    Researchers at Claroty found a substantial rise in the number of industrial control system (ICS) vulnerabilities disclosed in the second half of 2020. The research revealed a 33% increase in disclosed ICS vulnerabilities compared with the first half of 2020. Over the six-month period, a total of 449 vulnerabilities affecting ICS products from 59 vendors were disclosed, 70% of which were assigned high or critical Common Vulnerability Scoring System (CVSS) scores. Many of the vulnerabilities do not require authentication for exploitation, and more than two-thirds were remotely exploitable through network attack vectors. The sectors with the largest rises in ICS vulnerabilities compared to the second half of 2019 were critical manufacturing (15%), energy (8%), water and wastewater (54%), and commercial facilities (14%). An encouraging finding was that third-party researchers were responsible for 61% of the discoveries, indicating a growing focus on ICS alongside IT security research. This increased focus on identifying ICS vulnerabilities partly explains the surge in disclosures.

    Infosecurity reports: "Disclosed ICS Vulnerabilities Surged During Second Half of 2020"

  • news

    "'Zoombombing' Research Shows Legitimate Meeting Attendees Cause Most Attacks"

    The rapid transition to remote working, learning, and more, due to the spread of COVID-19, has sparked an increase in the use of the videoconferencing app Zoom. However, the migration has led to multiple incidents of "Zoombombing," in which uninvited attendees break into active online meetings to share inappropriate content and cause disorder. Google Meet, Skype, and other similar apps have faced similar issues. Such incidents have raised concern among cybersecurity experts over these apps' ability to protect against hackers. According to a new study by researchers at Binghamton University and Boston University, most Zoombombing incidents are inside jobs. Assistant Professor Jeremy Blackburn and Ph.D. student Utkucan Balci from the Department of Computer Science at Binghamton's Thomas J. Watson College of Engineering and Applied Science collaborated with Boston University Assistant Professor Gianluca Stringhini and Ph.D. student Chen Ling to analyze over 200 Zoom calls made in the first seven months of 2020. They found that the majority of Zoombombings are not the result of attackers stumbling across meeting invitations or performing brute-force attacks, but rather the work of insiders who have legitimate access to the meetings, such as high school and college students. The researchers found that authorized users shared links, passwords, and other information on sites like Twitter and 4chan, along with requests to disrupt the meetings. This article continues to discuss the growing occurrence of Zoombombing incidents during the COVID-19 pandemic, insiders being the primary perpetrators, and how insider threats make common protections against Zoombombing ineffective.

    Binghamton University reports "'Zoombombing' Research Shows Legitimate Meeting Attendees Cause Most Attacks"

  • news

    Visible to the public "Kobalos – A Complex Linux Threat to High Performance Computing Infrastructure"

    Cybersecurity researchers at ESET have discovered a new form of malware that predominantly targets high-performance computing (HPC) clusters. The malware, dubbed Kobalos, is portable to Linux, BSD, Solaris, and possibly AIX and Windows operating systems. Kobalos is described as a generic backdoor, as it contains broad commands that do not reveal its operators' intent. The malware grants remote access to the file system, provides the ability to spawn terminal sessions, and allows proxying connections to other servers infected by Kobalos. One way the operators have reached a Kobalos-infected machine is by embedding the malware in the OpenSSH server executable and triggering the backdoor code if the connection comes from a specific TCP source port. Kobalos is unique because the code for running a C&C server is contained in the malware itself; the operators can turn any compromised server into a C&C server through a single command. The researchers have found that on most systems infected with Kobalos, the SSH client is also compromised in order to steal credentials. ESET researchers recommend enabling two-factor authentication on SSH to mitigate the Kobalos threat, since one of the ways this malware propagates to other systems is by using stolen credentials. This article continues to discuss the capabilities, targets, propagation, and remediation of the unique multiplatform malware Kobalos.

    WeLiveSecurity reports "Kobalos - A Complex Linux Threat to High Performance Computing Infrastructure"

  • news

    Visible to the public "USC and Amazon Establish Center for Secure and Trusted Machine Learning"

    The University of Southern California (USC) and Amazon recently announced their partnership aimed at creating a joint research center. This center will focus on the development of new methods to bolster the privacy, security, and trustworthiness of Machine Learning (ML). The USC Viterbi School of Engineering will house the Center for Secure and Trusted Machine Learning. USC and Amazon researchers will be supported by the center in developing novel approaches to ML solutions that preserve privacy and strengthen security. Each year, the Center for Secure and Trusted Machine Learning will support research projects focused on developing new privacy-preserving ML solutions that are secure and highly scalable. The center will provide annual fellowships to doctoral students working in this area of research, offering them greater insight into solution-driven research and how the industry works. In addition, Amazon and USC will host annual workshops, training events, and recruiting events for students, as well as public research symposiums to share knowledge with the ML and Artificial Intelligence (AI) communities. This article continues to discuss the USC-Amazon Center for Secure and Trusted Machine Learning and the joint mission to drive innovative advancements in privacy and security-preserving ML solutions.

    USC Viterbi reports "USC and Amazon Establish Center for Secure and Trusted Machine Learning"

  • news

    Visible to the public "Exclusive: Suspected Chinese Hackers Used SolarWinds Bug to Spy on U.S. Payroll Agency – Sources"

    Security researchers have found that suspected Chinese hackers exploited a flaw in SolarWinds Corp's software to help break into U.S. government computers last year. The attackers used computer infrastructure and hacking tools previously deployed by state-backed Chinese cyberspies. The software flaw exploited by the suspected Chinese group is separate from the one the United States has accused Russian government operatives of using to compromise up to 18,000 SolarWinds customers, including sensitive federal agencies, by hijacking the company's Orion network monitoring software. The researchers found that the National Finance Center (NFC), a federal payroll agency inside the U.S. Department of Agriculture, was among the affected organizations, raising fears that data on thousands of government employees may have been compromised. It is unknown what information the attackers were able to steal from the NFC or how deep they burrowed into its systems. However, former U.S. government officials say the potential impact could be massive. The NFC is responsible for handling multiple government agencies' payroll, including several involved in national security, such as the FBI, State Department, and Homeland Security Department. Records held by the NFC include federal employee social security numbers, phone numbers, personal email addresses, and banking information. The NFC services more than 160 diverse agencies, providing payroll services to more than 600,000 federal employees. Tom Warrick, a former senior official at the U.S. Department of Homeland Security, stated that this could be a severe security breach depending on what data was compromised. The information that the hackers might have obtained could allow adversaries to learn more about U.S. officials, improving their ability to collect intelligence.

    Reuters reports: "Exclusive: Suspected Chinese Hackers Used SolarWinds Bug to Spy on U.S. Payroll Agency - Sources"

  • news

    Visible to the public "Spies Target Gamers With Malware Inserted Into Software Updates, ESET Says"

    Hackers have targeted gamers for a number of reasons, including stealing data, installing adware, or disrupting gameplay. According to cybersecurity researchers at ESET, a highly targeted malware operation is taking place in Asia. The actors behind the malicious operation compromised the update mechanism of the emulator program called NoxPlayer, which enables Android games to be played on PCs and Macs. NoxPlayer is developed by BigNox, a Hong Kong-based company. Evidence has shown that BigNox infrastructure was compromised by the attackers to deliver malware to customers' computers through BigNox updates. Nearly 150 million people use NoxPlayer globally. However, out of the 100,000 ESET users who have NoxPlayer installed, only five of them received the malware. Those victims are located in Taiwan, Hong Kong, and Sri Lanka. Researchers believe that the malware campaign's primary goal is espionage, as the three different malware families observed being distributed via the updates showed signs of surveillance-related capabilities instead of signs of trying to make financial gains. This article continues to discuss the new supply chain attack that uses software updates to infect gamers' computers with malware and the other security incidents in which gamers have been targeted by attackers.

    CyberScoop reports "Spies Target Gamers With Malware Inserted Into Software Updates, ESET Says"

  • news

    Visible to the public "Increase in Physical Security Incidents Adds to IT Security Pressures"

    The results of a survey conducted by the remote video-monitoring service provider Pro-Vigil indicate that many organizations have changed their physical security strategies in response to concerns stemming from the COVID-19 pandemic. There has been an increase in physical security incidents since the pandemic started, adding to IT security teams' workloads. Almost 20 percent of the 124 business operations leaders who participated in Pro-Vigil's recent survey revealed that their organizations had faced more physical security incidents in 2020 than in 2019. One-third of those surveyed expect to see an increase in physical security incidents in 2021. Concerns ignited by the rise in such incidents have caused 40 percent of the organizations in the survey to change their security strategy. These changes include the installation of more video cameras and the placement of more security guards. Although these changes are necessary, they directly affect IT security teams: the more physical security is deployed, the more cybersecurity must be strengthened. Organizations have become increasingly aware of the cyber risks posed by the digital technologies used for physical security. Therefore, these technologies must meet stricter IT security requirements when they are deployed. IT security teams must protect digital camera systems, IP-based access control, and other related products from cyberattacks. This article continues to discuss the growth in physical security incidents and the impact of this increase on organizations' IT security teams and security strategies.

    Dark Reading reports "Increase in Physical Security Incidents Adds to IT Security Pressures"

  • news

    Visible to the public "Social Media Oversharing Exposes 80% of Office Workers"

    Researchers at Tessian polled 4,000 UK and US professionals and interviewed 10 hackers specializing in social engineering to compile their latest research report, How to Hack a Human. The researchers concluded that over 80 percent of British and American employees overshare on social media, potentially exposing themselves and their organization to online fraud, phishing, and other cyber-threats. Half of the survey respondents share the names and photos of their children, 72% mention birthdays, and 81% mention their job status on social media. The researchers stated that this information might seem harmless, but hackers stitch it together to build a complete picture of their targets and make scams as believable as possible. More than half of the participants admitted to having public profiles on Facebook, and only a third had a private Instagram account. Most of the participants post on social media every week, and 42% post every day. The researchers also found that social engineering attacks and wire fraud attacks increased by 15% during the last six months of 2020 compared with the previous six. Some 88% of respondents said they had received a suspicious email in 2020. The researchers believe that, to stop hackers from hacking humans, organizations need to help their employees understand how their information can be used against them in phishing attacks.

    Infosecurity reports: "Social Media Oversharing Exposes 80% of Office Workers"

  • news

    Visible to the public "Proposed Public Health Emergency Bill Targets COVID-19 Tech Privacy"

    The Public Health Emergency Privacy Act was recently introduced by a group of Democratic Senators and Congressional members to address issues regarding the privacy and security of technologies used for the COVID-19 response. These technologies include contact tracing apps, vaccine monitoring tools, and digital monitoring tools. The bill aims to tackle a common issue with many of these third-party technologies: most of them do not fall under the Health Insurance Portability and Accountability Act (HIPAA). The 51 percent increase in cyberattacks on healthcare web apps since the beginning of vaccine distribution, as well as the presence of third-party tracking on the majority of COVID-19 sites, have further heightened concerns about security and privacy. The proposed legislation would enforce privacy and data security rights for health information. The bill would protect the civil liberties of those using COVID-19-related technologies in order to bolster public trust, which would, in turn, increase the use of such technologies and help prevent the spread of COVID-19. It would also help healthcare leaders use these technologies and the relevant health data to improve the national response to the pandemic. If the bill is passed, it would ensure that data collected for public health purposes is used appropriately. This article continues to discuss the Public Health Emergency Privacy Act and other efforts to strengthen privacy protections for COVID-19 health data.

    HealthITSecurity reports "Proposed Public Health Emergency Bill Targets COVID-19 Tech Privacy"

  • news

    Visible to the public "Identity Theft Spikes Due to COVID-19 Relief"

    According to the Federal Trade Commission (FTC), cases of identity theft in the United States doubled in 2020, mainly due to cybercriminals taking advantage of people affected economically by COVID-19 who filed to receive government benefits. According to researchers, the FTC received about 1.4 million reports of identity theft last year. In 2020, there were 394,280 reports about government benefits fraud compared with 12,900 reports in 2019. There were also 99,650 cases of fraud involving business or personal loans, compared with 43,920 reports in 2019. In 2020, the FTC got 89,390 reports of tax-identity theft, compared with 27,450 reports in 2019.

    Threatpost reports: "Identity Theft Spikes Due to COVID-19 Relief"

  • news

    Visible to the public "DARPA Announces Results of First Hardware Bug Bounty"

    The Defense Advanced Research Projects Agency (DARPA) has announced the results of its Finding Exploits to Thwart Tampering (FETT) Bug Bounty program. The purpose of the FETT Bug Bounty was to prove the value of the secure hardware architectures developed under DARPA's System Security Integration Through Hardware and Firmware (SSITH) program and to highlight critical areas that need more attention to strengthen defenses. DARPA collaborated with the Department of Defense's Defense Digital Service (DDS) and the crowdsourced security platform Synack on this effort. Synack's penetration testing process was used to conduct the bug bounty and to support communications about discovered vulnerabilities. DARPA is sharing the results of the FETT Bug Bounty program after three months of reviewing over 13,000 hours of hacking performed by more than 580 cybersecurity researchers. The Synack Red Team (SRT) disclosed ten vulnerabilities, seven of which were rated "critical" and three "high" under the Common Vulnerability Scoring System 3.0 standard. Most of the critical vulnerabilities identified during FETT stemmed from interactions between the SSITH hardware, SSITH firmware, and the operating system software, indicating the need to further investigate hardware/software co-design approaches and verification methods. This article continues to discuss the purpose, structure, and outcomes of DARPA's FETT Bug Bounty program, as well as the objective and current status of the SSITH program.

    Homeland Security Today reports "DARPA Announces Results of First Hardware Bug Bounty"

  • news

    Visible to the public "Sprite Spider Emerging as One of the Most Destructive Ransomware Threat Actors"

    CrowdStrike cybersecurity leaders Sergei Frankoff and Eric Loui presented details about the ransomware actor called Sprite Spider at the recent SANS Cyber Threat Intelligence Summit. Sprite Spider is expected to be one of the most destructive ransomware threat actors in 2021. The group behind Sprite Spider's attacks has grown significantly in sophistication and severity since 2015. According to researchers, Sprite Spider emerged in 2015, using a banking Trojan dubbed Shifu. In 2017, Sprite Spider added a malware loader called Vatet. The group then deployed a Remote Access Trojan (RAT) called PyXie in 2018 and ransomware named DEFRAY777 in 2019. The gang often escapes detection by hiding its code in open-source projects like Notepad++. The gang only writes Vatet to disk, making it difficult for analysts to track them. This article continues to discuss the evolution of Sprite Spider and how this threat actor's kill chain is similar to that of Advanced Persistent Threat (APT) groups ten years ago, as well as the use of commodity malware infections as precursors to major ransomware attacks and the need for robust defenses to combat the growing sophistication of ransomware attackers.

    CSO Online reports "Sprite Spider Emerging as One of the Most Destructive Ransomware Threat Actors"

  • news

    Visible to the public "Ransomware: Average Ransom Payment Declines to $154,108"

    Researchers at the ransomware incident response firm Coveware found that although ransomware attacks continue to pummel organizations, fewer victims are paying a ransom, and when they do, they are paying less on average than before. The firm based its findings on thousands of ransomware cases that it helped investigate from October to December of last year. From Q3 to Q4 last year, the average ransom payment declined by 34% to $154,108, while the median ransom payment dropped by 55% to $49,450. The most common type of ransomware tied to the successful attacks Coveware investigated in Q4 2020 was Sodinokibi, aka REvil, which accounted for nearly one-fifth of all cases. The other top strains were Egregor, followed by Ryuk, NetWalker, Maze, Conti, and DopplePaymer.

    HealthcareInfoSecurity reports: "Ransomware: Average Ransom Payment Declines to $154,108"

  • news

    Visible to the public "Is the Trickbot Botnet Back Again?"

    An analysis conducted by Menlo Security revealed that Trickbot malware has returned. According to Menlo Security, Trickbot is back with a new phishing campaign targeting users in North American insurance and legal organizations. Trickbot operators have been observed applying various phishing methods to trick users into downloading the Trojan onto their devices. The new campaign encourages users to click on a phishing link in the email, which redirects them to a compromised server. The victim is presented with a web page containing a "Download Photo Proof" button that downloads the malicious JavaScript if clicked. Previous Trickbot campaigns weaponized email attachments. Trickbot was behind many malware and ransomware attacks in 2020, exploiting the fear and confusion surrounding the COVID-19 pandemic. This Trojan can move laterally through a network, exfiltrate credentials from web browsers, steal OpenSSH keys, install additional payloads such as ransomware, and more. This article continues to discuss the recent return of Trickbot in a new malicious spam campaign, previous Trickbot campaigns, the capabilities of this malware, and Microsoft's disruption of Trickbot operations in October 2020.

    CISO MAG reports "Is the Trickbot Botnet Back Again?"

  • news

    Visible to the public "Critical Libgcrypt Crypto Bug Opens Machines to Arbitrary Code"

    The Libgcrypt project has rushed out a fix for a critical bug in version 1.9.0 of the free, open-source cryptographic library. Libgcrypt is a general-purpose cryptographic library for developers to use when building applications. It can be used in Linux, Unix, and macOS applications, and can be built for Microsoft Windows using a cross-compiler. Google Project Zero researcher Tavis Ormandy discovered the bug. The researcher stated that the bug is simple to exploit and can be triggered merely by decrypting a block of data. An exploit would allow an attacker to write arbitrary data to a target machine and execute code. The security flaw is a heap-buffer overflow bug in Libgcrypt 1.9.0 (released on January 19); previous versions are not affected. The issue is patched (CVE pending) in Libgcrypt version 1.9.1. The flawed version is no longer available for download, but it is unclear how many developers downloaded it to build their applications before it was taken down. The researcher urged developers to replace the buggy library with the newest version.

    Threatpost reports: "Critical Libgcrypt Crypto Bug Opens Machines to Arbitrary Code"

  • news

    Visible to the public Cybersecurity researchers are the target of North Korean hackers

    Cybersecurity researchers are being targeted on social media by North Korean hackers. The hackers are pretending to be cybersecurity bloggers as they try to engage researchers working on vulnerability research at various companies on Twitter and LinkedIn.

  • news

    Visible to the public "Neustar Highlights Rise in Ransom-Related DDoS Attacks and Greater Use of Existing Attack Vectors"

    Neustar, the global information services and technology company, released a report titled "Cyber Threats and Trends: Pandemic Style," which provides insight into the security risks companies face from the acceleration of the digital revolution prompted by the COVID-19 pandemic. According to the report, which is based on data from Neustar's Security Operations Center (SOC), there was a 154 percent increase in the number of cyberattacks between 2019 and 2020. This increase encompasses the growth in ransom-related Distributed Denial-of-Service (RDDoS) attacks and the increased use of existing attack vectors such as web applications. The report also highlights key findings on the number, volume, duration, and severity of the DDoS attacks launched in 2020. While RDDoS attacks are not new to many online industries, the malicious actors behind them have recently shifted their focus to organizations in other sectors, including financial services, government, and telecommunications. Researchers suggest that attackers adopt DDoS as a ransom vector because DDoS attacks require less time and planning than attacks involving malware. Neustar also saw an increase in Domain Name System (DNS) attacks as more consumers visited websites during peak online shopping periods. More than 70 percent of organizations admitted to lacking confidence in their ability to respond to DNS attacks. This article continues to discuss the key findings shared in Neustar's latest report on cyber threats and trends in 2020.

    AiThority reports "Neustar Highlights Rise in Ransom-Related DDoS Attacks and Greater Use of Existing Attack Vectors"

  • news

    Visible to the public "Advancing Applied Research in Cybersecurity"

    A partnership has been formed between the Forge Institute, the University of Arkansas Fayetteville (UA-Fayetteville), and the University of Arkansas Little Rock (UA-Little Rock) to improve applied research in cybersecurity and thereby strengthen US national security. The partnership pools the resources, research, capabilities, and relationships of the three organizations. The Forge Institute says the partnership will promote research, create more collaboration opportunities, and increase economic growth and job creation in the state of Arkansas. Professor Philip Huff (UA-Little Rock) and Dr. Chris Farnell (UA-Fayetteville) will be the initial university collaborators, focusing on the next generation of cybersecurity defensive capabilities for industrial control systems (ICS/SCADA) to strengthen the security of US critical infrastructure. The joint team will draw on the capabilities of the National Center for Reliable Electric Power Transmission (NCREPT) testbed at UA-Fayetteville, the UA Little Rock Cyber Gym, and the Forge Institute. The National Security Agency (NSA) and the US Department of Homeland Security (DHS) have designated UA-Fayetteville and UA-Little Rock as Academic Centers of Excellence. This collaboration will help advance the development of solutions for addressing the growing complexity and number of cyber and national security challenges. This article continues to discuss the new partnership aimed at advancing applied research in cybersecurity to support national defense.

    Homeland Security News Wire reports "Advancing Applied Research in Cybersecurity"

  • news

    Visible to the public "Pirated Themes And Plugins Are The Most Widespread Threat to WordPress Sites"

    Researchers at Wordfence found that pirated themes and plugins were the most common source of malware infections on WordPress sites in 2020. The security firm said its malware scanner detected more than 70 million malicious files on more than 1.2 million WordPress sites in 2020. The scanner also found malware originating from a nulled plugin or theme on 206,000 sites, accounting for over 17% of all infected sites. Of these 206,000 sites, 154,928 were infected with a version of the WP-VCD malware, a WordPress malware strain known for its use of pirated/nulled themes for distribution. This particular malware operation was so successful last year that it accounted for 13% of all infected sites in 2020. The researchers also found that 2020 was a massive year in terms of brute-force attacks. The researchers reported seeing more than 90 billion malicious and automated login attempts. These attacks came from 57 million different IP addresses, most likely part of attack botnets and proxy networks, and amounted to 2,800 malicious login attempts per second against Wordfence customers.

    ZDNet reports: "Pirated Themes And Plugins Are The Most Widespread Threat to WordPress Sites"

  • news

    Visible to the public "Google Researcher Discovers New iOS Security System"

    Apple has added a new security system to iPhones and iPads, discovered by Samuel Groß, a security researcher with Google's Project Zero team. The new iOS security feature, named BlastDoor, protects users from attacks launched through the iMessage instant messaging client, a service that has been the target of multiple attacks in the past. Several researchers have pointed out the iMessage service's inadequate sanitization of incoming user data. In the past three years, there have been multiple cases in which security researchers or real-world attackers discovered and exploited iMessage remote code execution (RCE) bugs to gain control over an iPhone through the delivery of texts, photos, or videos. BlastDoor changes how iMessage handles incoming content: it is a sandboxed service that unpacks and processes the content of incoming messages in an isolated environment, where hidden malicious code cannot interact with the rest of the operating system or access a user's data. Although iOS has multiple sandbox mechanisms, the BlastDoor sandbox is specific to iMessage. This article continues to discuss the new BlastDoor service and its impact on the security of iMessage, as well as some notable attacks that prompted the development of this iOS security feature.

    ZDNet reports "Google Researcher Discovers New iOS Security System"

  • news

    Visible to the public "66% of Workers Risk Breaching GDPR by Printing Work-Related Docs at Home"

    Researchers from Go Shred conducted a survey and discovered that two-thirds of remote workers risk breaching GDPR guidelines by printing work-related documents at home, averaging five documents every week. Such documents include meeting notes/agendas (42%), internal documents including procedure manuals (32%), contracts and commercial documents (30%), and receipts/expense forms (27%). A quarter of home workers admitted to printing confidential employee information, including payroll, addresses, and medical information, and 13% have printed CVs or application forms. When participants were asked whether they have disposed of any documents printed since working from home, 24% of respondents said they have not disposed of them yet because they plan to take them back to the office, and 24% said they used a home shredding machine but disposed of the shredded documents in their own household waste. Most concerning, 8% of those polled said they have no plans to dispose of the work-related documents they have printed at home, and 7% said they have not done so because they do not know how. The researchers stated that it is vital for organization leaders to review their current processes and educate their staff on the current guidelines. Working from home demands a different security standard than working in the office, especially with respect to data security and the disposal of confidential information.

    Infosecurity reports: "66% of Workers Risk Breaching GDPR by Printing Work-Related Docs at Home"

  • news

    Visible to the public "Researchers Identify Enterprise Attack Using New Ransomware"

    A new ransomware variant dubbed Babuk Locker has hit five different companies. The actors behind Babuk Locker target corporations by encrypting files across network-connected devices and demanding up to $85,000 in ransom. An investigation of the new attack revealed that Babuk Locker comes with a list of services to shut down before it begins its encryption process. The first service it closes is the Volume Shadow Copy Service (VSS), a Microsoft Windows technology that creates backup copies of files or volumes while they are in use; shutting this service down makes it more difficult for victims to recover their data. Babuk Locker also blocks the Windows Restart Manager from closing services that are using files, to circumvent obstacles to opening and encrypting a victim's files. This article continues to discuss Babuk Locker's methods, other similar ransomware threats, and how organizations can defend against threats like Babuk Locker.

    Security Intelligence reports "Researchers Identify Enterprise Attack Using New Ransomware"

  • news

    Visible to the public "Dead System Admin's Credentials Used for Ransomware Attack"

    The security firm Sophos released a report discussing the use of a deceased system administrator's credentials by the operators of the Nefilim ransomware to plant crypto-locking malware. Using these credentials, the Nefilim ransomware operators infected about 100 vulnerable systems. Nefilim, also known as Nemty, is a relatively new ransomware strain that has been used in attacks targeting organizations with unpatched or inadequately secured Citrix remote access technology. Nefilim ransomware was used in attacks against the appliance maker Whirlpool and the Australian shipping giant Toll Group. In a recent case study of this ransomware variant, the operators had compromised the account of a system administrator who had died three months earlier. The admin account, with its high-level access, allowed the gang to steal credentials for other accounts and a large amount of data before launching the Nefilim ransomware and locking files. This article further discusses the history of Nefilim ransomware and the operators' use of a dead system administrator's credentials to launch an attack against an organization.

    BankInfoSecurity reports "Dead System Admin's Credentials Used for Ransomware Attack"

  • news

    Visible to the public Winter 2021 SoS Quarterly Lablet Meeting 

    Winter 2021 SoS Quarterly Lablet Meeting

  • news

    Visible to the public "Pirated Software Sites Deliver Fresh DanaBot Malware"

    Researchers at Proofpoint have discovered that websites advertising pirated and cracked software are being used to deliver an updated version of the DanaBot banking Trojan, which can steal individuals' online banking credentials. Cybercriminal groups have used the most recent version of the banking Trojan, which became available in October 2020, to target customers of financial institutions in the U.S., Canada, Germany, the U.K., Australia, Italy, Poland, Mexico, and Ukraine. When victims download and execute a software key, two stealer components are loaded onto the compromised device. The first stealer is capable of collecting browser details, system information, and cryptocurrency wallets. The second stealer is used to install a cryptocurrency miner and the main DanaBot payload. The researchers stated that users should avoid downloading pirated software.

    HealthcareInfoSecurity reports: "Pirated Software Sites Deliver Fresh DanaBot Malware"

  • news

    Visible to the public "#DataPrivacyDay: Leaks and Breaches Soared 93% in 2020"

    Researchers at Imperva and Entrust have found that breaches and leaks of sensitive information from organizations doubled last year, even as consumer concerns over data privacy surged. Unauthorized transmissions of data from organizations' networks to external destinations soared 93% in 2020. The researchers stated that it is silly to believe that only human access to data leads to compromise. Over 50% of access requests to databases are coming not from users but from application to application. During the study, participants in a survey told the researchers that they are concerned about data privacy, and 64% said their awareness about the issue has increased over the past 12 months. However, many (63%) were willing to hand over more information to applications in return for greater personalization. Nearly half of the participants said they don't review the T&Cs of an app before downloading, most claiming it was because they take too long to read.

    Infosecurity reports: "#DataPrivacyDay: Leaks and Breaches Soared 93% in 2020"

  • news

    Visible to the public "Department of Justice Launches Global Action Against NetWalker Ransomware"

    The U.S. Department of Justice (DoJ) has launched a coordinated international law enforcement action against NetWalker ransomware, which has impacted many companies, municipalities, hospitals, emergency services, school districts, colleges, and universities. During the COVID-19 pandemic, attackers using NetWalker have increasingly targeted the healthcare sector. Actions taken against the growing threat of NetWalker ransomware include charges against responsible actors, disrupting online criminal infrastructure, and, where possible, recovering ransom payments made by victims. Criminal charges have been filed against Sebastien Vachon-Desjardins, a Canadian national, alleged to have obtained more than $27.6 million from NetWalker ransomware attacks. The DoJ has seized nearly $500,000 in cryptocurrency from ransom payments. In addition, the DoJ disabled a dark web hidden resource used to communicate with NetWalker ransomware victims. This article continues to discuss the global action taken to disrupt the NetWalker ransomware operation.

    The Department of Justice reports: "Department of Justice Launches Global Action Against NetWalker Ransomware"

  • news

    Visible to the public "Google Warns of 'Novel Social Engineering Method' Used to Hack Security Researchers"

    Google's Threat Analysis Group has revealed an ongoing campaign targeting security researchers. The actors behind this campaign are believed to be backed by the North Korean government. According to Google, the government-backed hackers have been observed employing a novel social engineering method in which targeted security researchers are contacted and asked whether they want to collaborate on vulnerability research with the actors. Once the security researcher agrees to collaborate, the hackers send a Visual Studio project containing malware that infects the target's computer and communicates with the attackers' command-and-control (C2) servers. The attackers use various platforms, including Telegram, LinkedIn, and Discord, to communicate with potential targets. Google provided a list of specific hacker accounts in its blog post about the new campaign, urging those who have interacted with the accounts to scan their systems for malware. It also recommended that security researchers separate their research activities from day-to-day activities such as general web browsing by using different computers. This article continues to discuss the new malicious campaign targeting security researchers and its use of a novel social engineering method, along with other recent incidents of researchers being targeted by hackers.

    The Verge reports: "Google Warns of 'Novel Social Engineering Method' Used to Hack Security Researchers"

  • news

    Visible to the public "Critical Vulns Discovered in Vendor Implementations of Key OT Protocol"

    The Claroty Research Team's analysis of the Open Platform Communications (OPC) network protocol uncovered several security vulnerabilities and vendor implementation issues. This protocol is widely implemented in Operational Technology (OT) networks. The flaws discovered by Claroty impact products from three vendors whose products are integrated into other vendors' white-label products as third-party components. The three vendors have patched the vulnerabilities. According to Claroty, the security issues expose organizations to Distributed Denial-of-Service attacks, remote code execution, the theft of sensitive data, and more. The vulnerabilities were found in Softing's Industrial Automation OPC library, Kepware PTC's ThingWorx Kepware Edge and KEPServerEX OPC servers, and the MatrikonOPC Tunneller. This article continues to discuss what the OPC protocol is designed to do, the flaws found in vendor implementations of this protocol, and the growing interest in OT security.

    Dark Reading reports: "Critical Vulns Discovered in Vendor Implementations of Key OT Protocol"

  • news

    Visible to the public "New and Hardened Quantum Crypto System Notches 'Milestone' Open-Air Test"

    The race continues to develop post-quantum cryptographic methods. Chinese researchers achieved success when they conducted an open-air test of a new-generation quantum crypto system. Unlike the previous iteration of quantum cryptography, the new system allows for untrustworthy relay stations. However, the new and more secure quantum crypto system is said to be difficult to implement. It uses the quantum interference of single photons (light particles) to create secret cryptographic keys, which remain indistinguishable even though they are generated by independent lasers. A sender and receiver can securely communicate with each other using trusted lasers, even if the detectors performing the photons' quantum interference measurements are not trustworthy. Therefore, the cryptographic key can still be transmitted securely even if the detectors at the relay station are untrusted or have been hacked. This article continues to discuss the successful testing of the measurement-device-independent quantum key distribution (MDI-QKD) quantum crypto system.

    IEEE Spectrum reports: "New and Hardened Quantum Crypto System Notches 'Milestone' Open-Air Test"

  • news

    Visible to the public SoS Musings #45 - Privacy in Data Sharing and Analytics

    SoS Musings #45 - Privacy in Data Sharing and Analytics