News Items

  • news

    Visible to the public "42% of UK Gamers Have Experienced a Cyber-Attack on Their Account or Device"

    Security researchers at NortonLifeLock conducted a new survey of 700 UK adults who currently play online games and uncovered some alarming trends around gamer-to-gamer cyber risks. More than two in five (42%) UK gamers have experienced a cyberattack targeting their gaming account or device. The most common types of cyberattacks affecting gamers included detecting malicious software on a gaming device (20%), having in-game digital currency, characters, or other items stolen (12%), and detecting unauthorized access to an online gaming account (12%). Of the 42% who experienced an attack, over three-quarters (78%) reported being financially affected as a result, losing an average of PS145. Nearly one in five (19%) hardcore gamers revealed they had been doxxed, a process in which their personal information was stolen and shared publicly online. The researchers also found that over a quarter (28%) of respondents admitted they are at least somewhat likely to hack the gaming account of a friend, family member, or romantic partner if they knew it would give them a competitive advantage in an online game. Among hardcore gamers, this sentiment rose to 48%. Around half of the participants use the same username (54%) and password (46%) for more than one gaming account. Additionally, 38% admitted using public Wi-Fi to play games online, 37% have shared personal information, such as names and birthdays while playing a game online, 29% have downloaded a cheaper or free version of a game, and 29% have downloaded add-ons from a website not associated with the game distributor.

    Infosecurity reports: "42% of UK Gamers Have Experienced a Cyber-Attack on Their Account or Device"

  • news

    Visible to the public  "New Mac Malware Delivered in Watering-Hole Attacks"

    According to researchers with Google's Threat Analysis Group (TAG), a watering-hole attack on Hong Kong websites infected site visitors with new Mac malware. Watering-hole attacks target a specific group of users by infecting the websites that they often visit and tricking them into visiting the malicious sites. This specific watering-hole attack abused an XNU privilege-escalation vulnerability to install a previously unreported backdoor on victims' systems. Erye Hernandez, a Google TAG researcher, said the watering-hole attack affected websites belonging to an unnamed media outlet and a pro-democracy labor and political group. It remains unclear how the websites were initially compromised. When the researchers obtained the exploitation chain, they found a parameter recording the number of exploitation attempts, which was revealed to be 200. The compromised websites had two iframes that delivered exploits from an attacker-controlled server. One was for iOS and the other one was for macOS. The researchers could not uncover the full exploit chain for iOS, but they did find that it used a type confusion issue to perform code execution in Safari. They also discovered the use of Ironsquirrel in the exploit chain, which is an open-source framework that delivers encrypted browser exploits to the victim's browser. Mac malware called OSX.CDDS was delivered. The capabilities of this malware include device fingerprinting, screen capturing, file downloading, terminal command execution, audio recording, and keylogging. This article continues to discuss the watering-hole attack in which a now-patched Apple vulnerability was used to infect website visitors with OSX.CDDS Mac malware.

    Decipher reports "New Mac Malware Delivered in Watering-Hole Attacks"

  • news

    Visible to the public "Costco Store Payment Terminal Breached by Data Skimmer"

    The big-box retail store company Costco has faced a breach at one of its store terminals. A card skimming device was used at a payment counter to steal customers' payment card data. Following the discovery of the payment card skimming device, Costco issued notification letters to customers about the possibility of their card data being stolen if they recently made a purchase at that specific store. Costco warned that unauthorized parties may have acquired the magnetic stripe of payment cards, thus gathering names, card numbers, card expiration dates, and CVVs. The data skimmer was discovered during a routine inspection of pin pads by Costco personnel, after which law enforcement was notified. The device was a physical device that was placed on the payment card scanner to intercept details from the cards' magnetic stripes. The skim game also involves the use of digital skimming or e-skimming techniques to steal customer data, which have been used by Magecart attackers. These attackers have been discovered distributing PHP web shells, known as Smilodon or Megalodon, disguised as favicon to gain remote access to targeted servers. The Magecart Group 12 is a cybercriminal gang known for its attacks against Magento online stores. This article continues to discuss the physical payment card skimming device recently discovered at a Costco warehouse and the use of digital skimmers by Magecart attackers.

    CISO MAG reports "Costco Store Payment Terminal Breached by Data Skimmer"

  • news

    Visible to the public New Adobe open source project is using machine learning to detect software attacks.

    The project called LotL, (Living off the Land), extracts features of specific commands and then classifies them as either good or bad commands and sets up a set of tags for follow-on detection by a decision tree. Lotl uses supervised learning and an open source dataset of real-world attacks to extract features of specific commands in a way inspired by the process that human experts and analyst might use.
  • news

    Visible to the public "Lazarus Hackers Target Researchers With Trojanized IDA Pro"

    Lazarus, the North Korean state-sponsored hacking group, is targeting security researchers with a trojanized pirated version of the popular IDA Pro reverse engineering application. IDA Pro converts an executable into assembly language, which allows security researchers and programmers to analyze a program's functioning and discover potential vulnerabilities. Security researchers commonly use IDA to analyze legitimate software for bugs and malware to determine what malicious behavior it performs. As IDA Pro is an expensive application, some researchers download a pirated cracked version of it. Any pirated software could contain malicious executables, which is what ESET researcher Anton Cherepanov discovered in a pirated version of IDA Pro distributed by the Lazarus hacking group. The malicious version of IDA Pro 7.5, discovered by Cherepanov, is being distributed online to target security researchers. The modified IDA installer includes two malicious DLLs that will be executed when the program is installed. The first DLL called win_fw.dll creates a new task in the Windows Task Scheduler that executes the second malicious DLL called idahelper.dll. The idahelper.dll program will then connect to a malicious site to download payloads suspected to be the NukeSped Remote Access Trojan (RAT). Using the installed RAT, threat actors can gain access to a security researcher's device to take screenshots, steal files, log keystrokes, and more. This article continues to discuss the Lazarus group's targeting of security researchers with a trojanized version of the IDA Pro reverse engineering application.

    Bleeping Computer reports "Lazarus Hackers Target Researchers With Trojanized IDA Pro"

  • news

    Visible to the public "Critical Flaw in WordPress Plugin Leads to Database Wipe"

    According to a warning from researchers at Packstack, a critical security flaw has been discovered in the WP Reset PRO WordPress plugin, which could allow an authenticated user to wipe a website's entire database. Any authenticated user, regardless of their authorization, can exploit the issue to wipe all tables in a WordPress installation's database. This would result in the restart of the WordPress installation process, thus an attacker could abuse this to create an administrator account onto the WordPress website. An attacker could further exploit the newly created account to upload malicious plugins to the website or install Trojan backdoors. WP Reset PRO helps site administrators easily reset a website's database to the default installation while leaving files intact in order to restore damaged sites and remove customizations. The plugin registers a few actions in the admin_action_* scope, including table deletion operations. A check is not performed to determine whether the user is authorized to perform such an action. As this vulnerability exists, someone could just visit the site's homepage to start the WordPress installation process, warned the researchers. WebFactory Ltd, which develops both the WP Reset and its PRO version, addressed the issue in version 5.99 of the plugin. This article continues to discuss the potential exploitation and impact of the flaw found in the WordPress plugin.

    Security Week reports "Critical Flaw in WordPress Plugin Leads to Database Wipe"

  • news

    Visible to the public "AMD Reveals EPYC Flaws"

    AMD has revealed 50 new CVE-listed bugs, 23 of which are rated high, meaning they are rated between 7.0 and 8.9 on the Common Vulnerability Scoring System. The AMD Graphics Driver for Windows 10 contains 27 flaws, with 18 of them being rated high. The exploitation of these flaws could result in the escalation of privilege, denial of service (DoS), unauthorized execution of code, memory corruption, information disclosure, and the ability for an unprivileged user to drop malicious DLL files onto a system. All three generations of AMD's EPYC processors have 22 flaws, with four of them being rated high. One of these flaws allows a side effect of an integrated chipset option to be used by an attacker to bypass SPI ROM protections. Another one of the flaws exists in the AMD System Management Unit (SMU), which could allow a malicious user to manipulate mailbox entries, leading to arbitrary code execution. This article continues to discuss product vulnerabilities recently revealed by AMD and Intel.

    The Register reports "AMD Reveals EPYC Flaws"

  • news

    Visible to the public "New BazarBackdoor Attack Discovered"

    Security researchers at SophosLabs discovered a new cyberattack involving a malware family known as both BazarBackdoor and BazarLoader. In the attack, adversaries use socially engineered emails to scare their targets into opening an attachment and clicking on a malicious link. Malware is then delivered to the victim through a fairly novel mechanism: the abuse of the appxbundle format used by the Windows 10 app installer. In the email, the adversaries impersonate a company manager and address the victim by name. Using an abrupt and threatening style, the attackers tell the victim that a complaint has been filed against them and demand to know why this information wasn't sent to the manager. The researchers stated that the messages themselves were very short, but they were crafted with an understanding of the human psychology behind the adrenaline-rush of fear and had been personalized with both the name of the recipient and the targeted organization in both the subject line and the body. The recipient is urged to click through to a website where the complaint has seemingly been posted for them to review. This link, if clicked, will eventually lead the user to the malware. The researchers stated that the malware used in this attack steals profiling data, such as the amount of RAM and CPU power that each infected device has. The malware used in the attack also includes a function to download and install more malware.

    Infosecurity reports: "New BazarBackdoor Attack Discovered"

  • news

    Visible to the public "Lyceum APT Group Adds ISPs to Its Target List"

    A new report from Accenture reveals that the Iranian-backed hacking group known as Lyceum has been infiltrating Internet Service Providers (ISPs) and telecommunications companies since July. The group, also known as Hexane, Spirlin, and Siamesekitten has been in operation since 2018, targeting oil and gas companies in the Middle East, Africa, and Central Asia. According to researchers from Accenture's Cyber Threat Intelligence (ACTI) group and Prevailion's Adversarial Counterintelligence Team (PACT), Lyceum has executed attacks against ISPs and telecommunications organizations in Israel, Morocco, Tunisia, and Saudi Arabia between July and October this year. The group also targeted an unnamed African country's foreign affairs department. Telecommunications companies and ISPs are considered highly attractive targets for cyberespionage activities because they provide access to various organizations and subscribers as well as to their own internal systems, which can be abused to carry out additional malicious activities. The researchers pointed out that the threat actors and their sponsors can use companies within these industries to spy on individuals of interest. A ministry of foreign affairs in Africa is seen as a highly valuable target because they have intelligence on the current state of bilateral relationships between countries and insight into prospective dealings. Secureworks found that the group's initial attack vector involves accessing a company's systems using credentials stolen through the performance of password spraying or brute-force attacks. It also includes delivering malicious documents via spear-phishing from the compromised accounts to executives, human resources staff, and IT personnel. Researchers identified the use of two malware families called Shark and Milan by Lyceum operators. This article continues to discuss the history and recent findings surrounding the Lyceum group's activities.

    GovInfoSecurity reports "Lyceum APT Group Adds ISPs to Its Target List"

  • news

    Visible to the public "Microsoft Announces Plan to Cut Cybersecurity Workforce Shortage in Half by 2025"

    Microsoft is working with community colleges to provide free training and resources to help ease the cybersecurity professional shortage. This includes training for faculty at 150 community colleges and scholarships to 25,000 students. By targeting community colleges, Microsoft believes they will also be diversifying the industry which is currently overwhelmingly male and white. The students at community colleges are 57% women and 40% minorities. This initiative supports commitments Microsoft made at a recent White House Cybersecurity summit.

    CNBC reports "Microsoft Announces Plan to Cut Cybersecurity Workforce Shortage in Half by 2025"

  • news

    Visible to the public "DDoS Attacks Were a More Serious Threat in Q3 2021 Than Ever Before"

    Researchers at Link11's Security Operation Centre (LSOC) have found that DDoS attacks are on the rise and are becoming more complex. The researchers registered an increasing number of high-volume attacks. The researchers found that there was a 17% increase in DDoS attacks compared to Q3 2020. The most significant DDoS attack that the researchers stopped was measured at 633 Gbps. In addition, the researchers saw over 100 DDoS attacks with more than 50 Gbps peak bandwidth in Q3 2021. The researchers stated that adversaries are using more complex attack patterns to launch DDoS attacks and found that 78% of DDoS attacks were multi-vector attacks that combined several techniques. The researchers also found that 33% of adversaries relied on cloud instances to launch their DDoS attacks.

    Help Net Security reports: "DDoS Attacks Were a More Serious Threat in Q3 2021 Than Ever Before"

  • news

    Visible to the public "Proposed Illegal Image Detectors on Devices Are 'Easily Fooled'"

    The use of built-in scanners on devices such as phones, tablets, and laptops to detect illegal images has been proposed by companies and governments. However, researchers from Imperial College London found that the proposed algorithms to detect such images on devices can easily be fooled with imperceptible changes to the images. Their findings were published as part of the USENIX Security Conference. The researchers tested the robustness of five similar algorithms and discovered that altering an illegal image's unique signature on a device can allow it to evade the detection algorithms almost 100 percent of the time. Their testing proved that perceptual hashing-based client-side scanning (PH-CSS) algorithms are not a magic bullet solution for detecting illegal content on personal devices. This finding raises questions about the effectiveness and proportionality of current plans to combat illegal material through on-device scanning. According to senior author Dr. Yves-Alexandre de Montjoye, of Imperial's Department of Computing and Data Science Institute, applying a specifically designed filter imperceptible to the human eye allowed the team to mislead the algorithm into perceiving two nearly identical images as different. The researchers' algorithm was able to generate various filters, which can make it difficult to develop countermeasures. Apple recently postponed plans to introduce PH-CSS on all its personal devices due to privacy concerns. Certain governments have also been reported to be considering using PH-CSS as a law enforcement technique. This article continues to discuss the study that found it possible to easily fool algorithms proposed to detect illegal images on devices and the concept of PH-CSS algorithms.

    Imperial College London reports "Proposed Illegal Image Detectors on Devices Are 'Easily Fooled'"

  • news

    Visible to the public "US Firms Hit with Largest Ransoms Globally"

    Researchers at Mimecast have found that over 80% of global organizations have been hit by ransomware in the past two years, but executives still have a false sense of security about being able to prevent future attacks. Victim organizations in the U.S. are paying a much higher price for security breaches. The average ransom in the U.S. was $6.3m, versus just $848,000 in the U.K. and $59,000 in Australia. On average, 39% of victims said they paid. The ransom itself comprises only one element of the financial and reputational risk stemming from a successful attack. Respondents of the survey also noted that successful attacks also lead to operational disruption (42%), significant downtime (36%), lost revenue (28%), and lost current customers (21%). Two-fifths (39%) of executives also claimed they could lose their jobs over an attack, while a quarter (24%) saw changes to the C-suite following a breach. The researchers stated that executives appear over-confident in their organization's ability to repel attacks. Most executives (83%) believe they can get all their data back without paying a ransom, while over three-quarters (77%) think they can get operations back to normal within just five days. The most common threat vector that respondents listed was malicious attachments in phishing emails (54%). Many respondents argued that their organization needs more advanced security (45%) and more frequent end-user training (46%) to tackle the threat.

    Infosecurity reports: "US Firms Hit with Largest Ransoms Globally"

  • news

    Visible to the public "Hacker-for-Hire Group Spied on More Than 3,500 Targets in 18 Months"

    The Russian-speaking hacker-for-hire group dubbed Void Balaur has been spying on over 3,500 individuals, such as politicians, human rights activists, doctors, journalists, and more, stealing their private information and selling it to various financially and politically driven customers. Politicians in Uzbekistan, Belarus, Ukraine, Russia, Norway, France, Italy, and Armenia have fallen victim to the group's attacks. Some victims felt so threatened by Void Balaur's activities that they decided to leave their country and go into exile in other countries. Void Balaur has also targeted mobile companies, cellular equipment vendors, satellite communication companies, ATM manufacturers, point-of-sale system vendors, financial companies, and biotechnology firms. According to researchers from Trend Micro, the group has likely been active since September 2015. Void Balaur has acquired and sold highly private information, including passport details, SMS messages, phone call records, caller locations, information about purchased plane and train tickets, traffic camera shorts, Interpol records, and credit reports. The threat group's customers have not yet been identified, but some of them appear to be members of underground forums, such as Probiv, Darkmoney, and Tenec, in which all types of stolen data are traded. This article continues to discuss findings regarding Void Balaur's targets, tactics, techniques, and procedures.

    Dark Reading reports "Hacker-for-Hire Group Spied on More Than 3,500 Targets in 18 Months"

  • news

    Visible to the public "U.S. Offers $10 Million Reward for Information on DarkSide Ransomware Group"

    In an effort to put pressure on the DarkSide Ransomeware Group, the government announced on Thursday a $10 million reward for information about the key leadership individuals in the DarkSide ransomware group--or any of it's rebranded groups. The State Department's $5 million dollar bounties are for intel and information that could help authorities arrest and convict others conspiring with the transnational organized crime syndicate. These efforts are in response to the DarkSide's attack on Colonial Pipeline that disrupted fuel distribution to the East Cost for a week. The extra security after that attack led the Darkside to close its open operations--but they have been attempting to come back in the form of BlackMatter.

    The Hacker News reports "U.S. Offers $10 Million Reward for Information on DarkSide Ransomware Group"

  • news

    Visible to the public "12 New Flaws Used in Ransomware Attacks in Q3"

    Researchers at Cyber Security Works and Cyware conducted a new study and found that there was a 4.5% increase in CVEs associated with ransomware and a 3.4% increase in ransomware families compared with Q2 2021. A dozen new vulnerabilities were used in ransomware attacks this quarter, bringing the total number of bugs associated with ransomware to 278. Five of the newly found vulnerabilities can be used to achieve remote code execution (RCE), while two can be used to exploit web apps and launch denial-of-service (DoS) attacks. The researchers also found that ransomware groups are still finding and exploiting zero-day weaknesses before CVEs are hatched and patched. During their research, the researchers identified five new ransomware families, bringing the total to 151.

    Threatpost reports: "12 New Flaws Used in Ransomware Attacks in Q3"

  • news

    Visible to the public "BusyBox Flaws Highlight Need for Consistent IoT Updates"

    Researchers from the DevOps specialist company JFrog and the industrial cybersecurity company Claroty detailed 14 vulnerabilities found in the BusyBox userspace tool used in millions of embedded devices that run Linux-based firmware. BusyBox is a software utilities suite that is considered a Swiss army knife of embedded Linux. It contains implementations of the most common Linux command-line tools along with a shell and a DHCP client and server, all of which are packaged as a single binary. In a report, researchers from JFrog emphasized that many OT and IoT devices are likely to be found running BusyBox, including popular Programmable Logic Controllers (PLCs), Human-Machine Interfaces (HMIs), and Remote Terminal Units (RTUs). Through the use of static and dynamic analysis techniques, the researchers found vulnerabilities in several BusyBox applets, such as man (manual pages), ash (shell), hush (shell), awk (text manipulation/scripting), and more. The exploitation of these vulnerabilities could result in Denial-of-Service (DoS) conditions on PLCs and other devices found in OT environments, potentially disrupting critical industrial processes. In addition to DoS attacks, the vulnerabilities could result in Remote Code Execution (RCE) and information leaks. Firmware developers are urged to upgrade to BusyBox 1.34.0 as it fixes the flaws. However, if that is not possible because of compatibility issues, earlier versions can be compiled without the vulnerable applets as a workaround. This article continues to discuss findings surrounding the BusyBox flaws as well as the importance of regular updates for IoT and OT devices.

    CSO Online reports "BusyBox Flaws Highlight Need for Consistent IoT Updates"

  • news

    Visible to the public "Divide Between IT and OT Teams Stops Businesses Having a Unified Security Strategy"

    According to a report released by Dragos and the Ponemon Institute, over 63 percent of organizations have faced an ICS/OT cybersecurity incident in the past two years, but only 21 percent of organizations have a mature ICS/OT cybersecurity program in which emerging threats prompt priority actions, and C-level executives are regularly informed about the security of their OT. In addition, only 43 percent of organizations have cybersecurity policies and procedures aligned with their ICS and OT security objectives. Just 39 percent have IT and OT teams working together to achieve a mature security posture across both environments, while only 35 percent have a unified security strategy in place to secure those environments despite the need for different controls and priorities. Steve Applegate, the chief information security officer at Dragos, pointed out that most organizations lack the IT/OT governance framework needed to push the development of a unified security strategy due to the shortage of OT-specific cybersecurity expertise. This article continues to discuss key findings from the report and the cultural divide between IT and OT teams preventing organizations from having a unified strategy to protect both environments.

    BetaNews reports "Divide Between IT and OT Teams Stops Businesses Having a Unified Security Strategy"

  • news

    Visible to the public "CDSL Data Breach Exposes Sensitive Details of 44 Million Indian Investors"

    The Central Depository Services Limited (CDSL), India's popular securities depository services provider, experienced a data breach at its subsidiary CDSL Ventures Limited (CVL). According to CyberX9's research team, the data breach exposed personal and financial information belonging to more than 43.9 million investors in India. The team identified a critical authorization vulnerability in a public CDSL KYC API, which led to the exposure of a significant amount of sensitive data to the Internet. Although the vulnerability was fixed following its disclosure to the CDSL, the CyberX9 was able to bypass the patch, thus exposing the same data of the impacted investors again. The vulnerability was fixed again after the team reported it to the Indian Computer Emergency Response Team (CERT-IN ) and National Critical Information Infrastructure Protection Centre (NCIIPC). This article continues to discuss the CDSL data breach.

    CISO MAG reports "CDSL Data Breach Exposes Sensitive Details of 44 Million Indian Investors"

  • news

    Visible to the public "Over 80% of CNI Firms Have Been Breached in Past 36 Months"

    Security researchers at Skybox Security stated that most IT and security leaders in critical infrastructure (CNI) organizations are underestimating the scale of the cyberthreat, despite having suffered breaches over the past three years. The researchers polled 179 operational technology (OT) security decision-makers in the US, UK, Germany, and Australia, with most hailing from companies with $1bn or more in revenue from the manufacturing, energy, and utility industries. The researchers found that 73% of CIOs and CISOs are "highly confident" their organizations will not suffer an OT breach next year, despite 83% having suffered such an incident over the past 36 months. Only 37% of hands-on plant managers were similarly confident, highlighting the disconnect between perception and reality at a senior decision-making level. The researchers also found that a third (34%) of respondents appeared to be over-relying on insurance as a security strategy, claiming it is a sufficient solution. The security researchers stated that new OT vulnerabilities were up 46% compared to the first half of 2020. The researchers noted that despite the rise in vulnerabilities and recent attacks, many security teams do not make OT security a corporate priority because some security team personnel deny they are vulnerable yet admit to being breached. The researchers also stated that the belief that their infrastructure is safe despite evidence to the contrary has led to inadequate OT security measures.

    Infosecurity reports: "Over 80% of CNI Firms Have Been Breached in Past 36 Months"

  • news

    Visible to the public A Proclamation on Critical Infrastructure Security and Resilience Month, 2021


    For generations, American infrastructure — from the Erie Canal and the Transcontinental Railroad to the Hoover Dam — has been a cornerstone of our economic power, providing jobs, facilitating transportation, bolstering security, and overcoming barriers posed by distance and geography.  During Critical Infrastructure Security and Resilience Month, we renew our commitment to securing and enhancing the resilience of our Nation’s critical infrastructure.

  • news

    Visible to the public "Gravitational Force of Ransomware Black Hole Pulls in Other Cyberthreats to Create One Massive, Interconnected Ransomware Delivery System"

    The Sophos 2022 Threat Report covers the gravitational force of the ransomware black hole that is pulling in other cyber threats to form one interconnected ransomware delivery system. The report analyzes the growing modularity of the ransomware landscape, the continued adaption of cyber threats to distribute ransomware, the use of multiple forms of extortion by ransomware attackers, and cryptocurrency as the fuel behind cybercrimes. Sophos expects to see continued attempts to abuse IT administration tools and exploitable Internet-facing services by both sophisticated attackers and less-skilled cybercriminals. Malicious actors are expected to increase their abuse of Cobalt Strike Beacons, mimikatz, PowerSploit, and other adversary simulation tools. Sophos also expects to see a growing interest in Linux-based systems among attackers during 2022, both in the cloud and on web and virtual servers. In addition, Sophos researchers say the application of Artificial Intelligence (AI) in cybersecurity operations will accelerate as Machine Learning (ML) models continue to be proven useful in threat detection and alert prioritization. However, adversaries are also expected to increasingly apply AI in their attacks. This article continues to discuss the key trends analyzed in the Sophos 2022 Threat Report.

    GlobeNewswire reports "Gravitational Force of Ransomware Black Hole Pulls in Other Cyberthreats to Create One Massive, Interconnected Ransomware Delivery System"

  • news

    Visible to the public  "Kudos, Not Consequences, Are an Ideal Tactic for Security Training Engagement"

    It is essential to continue finding strategies that could help companies ensure employee engagement in security awareness training programs. According to panelists who spoke at CyberRisk Alliance's 2021 InfoSec World conference, giving out punishments for bad security practices may be effective for reducing undesirable behavior in the short term, but it is not effective in the long run. They suggested instilling good cyber habits through positive reinforcement, rewards, gamification, and interactivity instead. However, some companies believe in giving employees a wake-up call in the form of negative consequences if they perform an unsafe action or fail a simulated phishing test. The panel moderator Cindy Liebes pointed out that many researchers and cybersecurity awareness experts will say fear tactics and cybersecurity training do not really change behavior. In some cases, punishments could stop employees from reporting incidents out of fear. Companies are encouraged to move away from consequence models to models in which employees are empowered and made to feel like they are part of the fight against cybercrime. This article continues to discuss the negative consequence models put in place by some companies to deter reckless security behavior and why they should adopt positive reinforcement models to improve security training engagement.

    SC Magazine reports "Kudos, Not Consequences, Are an Ideal Tactic for Security Training Engagement"

  • news

    Visible to the public "These Vulnerabilities Could Leave Millions of Connected Medical Devices Open to Attack"

    Cybersecurity researchers at Forescout and Medigate released details pertaining to critical vulnerabilities contained by millions of connected devices in hospital networks that could allow malicious actors to interfere with medical equipment and patient monitors in addition to Internet of Things (IoT) devices used for controlling lighting, ventilation, and more. They disclosed a set of 13 vulnerabilities dubbed Nucleus:13 that exist in Nucleus Net TCP/IP stacks, potentially impacting millions of devices. Attackers could use these vulnerabilities for Remote Code Execution (RCE), Denial-of-Service (DoS) attacks, and data leakage. However, the researchers say it is still uncertain whether cybercriminals have exploited the vulnerabilities in the wild. Nucleus Net TCP/IP stacks are widely used in critical safety devices in hospitals, such as anesthesia machines, patient monitors, and other devices. As these stacks are common, they are easy for attackers to identify and target. Some of the connected devices can be found on the IoT search engine Shodan, and if they are publicly facing the Internet, it is possible to launch remote attacks against them. According to a Siemens spokesperson, all the vulnerabilities have been addressed in the latest fix releases of active Nucleus version lines. The researchers still recommend segmenting networks to limit the exposure of any devices or software that could contain vulnerabilities but cannot be patched. This article continues to discuss the discovery and potential impact of Nucleus:13.

    ZDNet reports "These Vulnerabilities Could Leave Millions of Connected Medical Devices Open to Attack"

  • news

    Visible to the public "Passport Scammers Spoof Texas HSI"

    Officials at the United States Immigration and Customs Enforcement's (ICE) Homeland Security Investigations (HSI) department in Texas have issued a warning about a new phone scam. Threat actors carrying out the malicious campaign have been impersonating special agents at the San Antonio HSI to call up members of the public. Victims are told that a problem has been detected with their passport, and they are then threatened with arrest by the imposter agent unless they make a payment to the HSI. HSI stated that the scammers claim the passport is involved in some type of crime and threaten the caller by indicating police will be dispatched to their home to arrest them. The fraudsters have found a way to make it appear to the victim that the call they are receiving is coming from the HSI San Antonio main phone number, 210-979-4500. HSI officials stated that HSI special agents and local police do not call people on the phone to warn them they are about to be arrested, and agents neither request financial information, such as bank account and credit card account information, nor demand money from someone to dismiss an investigation or remove an arrest warrant. HSI noted that individuals who are targeted by the scammers can help law enforcement to catch the criminals by trying to collect contact information from the caller and reporting it to the anonymous ICE tip line, 1 (866) 347-2423 or completing an online tip form.

    Infosecurity reports: "Passport Scammers Spoof Texas HSI"

  • news

    Visible to the public "Robinhood Says Millions of Customer Names and Email Addresses Taken in Data Breach"

    Online stock trading platform Robinhood has confirmed it was hacked last week. More than five million customer email addresses and two million customer names were taken during the breach. The company said that a malicious hacker had socially engineered a customer service representative over the phone on November 3rd to obtain access to customer support systems. That allowed the hacker to get customer names and email addresses and the additional full names, dates of birth, and ZIP code of 310 customers. Robinhood said that ten customers had "more extensive account details revealed." Robinhood did not say what information specifically, though they stated that no Social Security numbers, bank account numbers, or debit card numbers were exposed. The information accessed by the adversary can be used to facilitate further attacks against victims, like targeted phishing emails, since names and dates of birth can often be used to verify a person's identity. The company said once it secured its systems, the hacker then "demanded an extortion payment." Robinhood instead notified law enforcement and security firm Mandiant to investigate the breach.

    TechCrunch reports: "Robinhood Says Millions of Customer Names and Email Addresses Taken in Data Breach"

  • news

    Visible to the public "CISA Urges Vendors To Patch BrakTooth Bugs After Exploits Release"

    Researchers from the Singapore University of Technology and Design (SUTD) released public exploit code and a proof of concept (POC) tool to test Bluetooth devices for a set of 16 System-on-a-Chip (SoC) flaws known as BrakTooth. The researchers discovered these security vulnerabilities to be impacting commercial Bluetooth stacks on more than 1,400 chipsets used in billions of devices, including devices such as smartphones, computers, audio devices, Internet of Things (IoT) devices, and industrial equipment. Devices including Dell desktops, MacBooks, iPhones, Volo infotainment systems, and more, are on the list of devices with vulnerable SoCs. The exploitation of these security flaws could result in a Denial-of-Service (DoS) condition through firmware crashes or the complete takeover of a targeted device via Arbitrary Code Execution (ACE). The US Homeland Security Department's Cybersecurity and Infrastructure Security Agency (CISA) is urging vendors to patch the BrakTooth vulnerabilities after the security researchers made the POC tool available for testing BlueTooth devices against BrakTooth exploits. The federal agency is also asking manufacturers and developers to review details about the vulnerabilities published by the researchers in August, as well as update vulnerable Bluetooth SoC applications or employ workarounds. This article continues to discuss the potential exploitation and impact of the BrakTooth vulnerabilities, along with efforts to address them.

    Bleeping Computer reports "CISA Urges Vendors To Patch BrakTooth Bugs After Exploits Release"

  • news

    Visible to the public "Phishing: Attackers Use DocuSign to Send Malicious Links"

    Attackers are using the electronic agreement management company DocuSign to distribute malicious phishing links. The phishing attack involves a malicious actor registering an account with DocuSign or compromising another user's account. From there, the actor uploads a file to the account. Then the attacker sends a DocuSign envelope to their target, who, in turn, receives an email invitation from the platform, prompting them to review and sign an electronic document by clicking a hyperlinked button. The email bypasses detection since it is technically clean as DocuSign's servers host the phishing link, thus allowing it to successfully reach a recipient's inbox. The document-signing process is the same for a legitimate file, but the difference is that clicking on the link redirects the recipient to a phishing site designed to steal their login credentials for Dropbox, Microsoft, and other services. This article continues to discuss the phishing attack process involving the abuse of DocuSign, other recent DocuSign-themed phishing campaigns, and how users can protect themselves from phishing attacks spoofing DocuSign.

    Security Intelligence reports "Phishing: Attackers Use DocuSign to Send Malicious Links"

  • news

    Visible to the public "Cisco Talos Reports New Variant of Babuk Ransomware Targeting Exchange Servers"

    Cisco Talos is warning US companies about a new variant of the Babuk ransomware. The malicious campaign deploying the new variant was discovered in mid-October but is suspected to have been active since July 2021. According to researchers, the initial infection vector is an exploitation of ProxyShell vulnerabilities contained by Microsoft Exchange Servers through the use of the China Chopper web shell. Babuk can impact various hardware and software platforms, but its new version targets Windows, encrypting the machine, interrupting the system backup process, and deleting volume shadow copies. This article continues to discuss the recently discovered malicious campaign deploying a new variant of the Babuk ransomware via an unusual infection chain method.

    TechRepublic reports "Cisco Talos Reports New Variant of Babuk Ransomware Targeting Exchange Servers"

  • news

    Visible to the public Pub Crawl #55

    Pub_Crawl_web.jpgPub Crawl summarizes, by hard problems, sets of publications that have been peer reviewed and presented at SoS conferences or referenced in current work. The topics are chosen for their usefulness for current researchers.

  • news

    Visible to the public "US House Passes Acts to Help SMBs with Cybersecurity"

    The United States House of Representatives has passed two bills to strengthen the cybersecurity of small businesses. The Small Business Development Center Cyber Training Act of 2021 attracted strong support among House members of all political persuasions and was passed last Tuesday with a vote of 409 in favor to 14 against. The Small Business Development Center Cyber Training Act would establish a cyber counseling certification program at Small Business Development Centers (SBDCs) to better assist small businesses with their cybersecurity and cyber-strategy needs. If enacted into law, the legislation would authorize the Small Business Administration (SBA) to reimburse SBDCs for employee certification costs up to $350,000 per fiscal year. On Tuesday, the House also approved the Small Business Administration (SBA) Cyber Awareness Act, which would require the SBA to generate a report about its cybersecurity capabilities and inform Congress if a cybersecurity breach occurred that could potentially compromise sensitive information. Representative Jason Crow, who co-sponsored the legislation, said: "This bill would ensure we are doing everything we can to protect the millions of small businesses that the SBA serves and prepare them for 21st-century threats."

    Infosecurity reports: "US House Passes Acts to Help SMBs with Cybersecurity"

  • news

    Visible to the public The White House Office of Science and Technology Policy Launches “The Time is Now: Advancing Equity in Science and Technology Ideation Challenge”

    The Time is Now: Advancing Equity in Science and Technology Ideation Challenge, is open for submissions until November 19, 2021.

    Science and technology must include and benefit all of America. Help make that a reality!

    We need your insight to transform this Nation for the better.

  • news

    Visible to the public "Amazon Spoofed in New Attack"

    Researchers at Avanan have discovered a new cyberattack that spoofs Amazon to steal victims' financial credentials. The digital deception combines brand impersonation with social engineering. The researchers first saw this scam in October 2021, and it is a two-part scam that begins with an email. The researchers stated that victims receive what looks like a typical Amazon order confirmation email containing links that all direct the user to the legitimate Amazon site. When trying to call the number listed, which is not an Amazon number, the scam begins, with the end goal of obtaining credit card information. Victims who dial the phone number will not receive an answer. However, a few hours later, they will get a call back from attackers based in India. To get the victims to call "Amazon," the attackers include high-price items on the fictitious emailed invoice. The researchers noted that this method of stealing financial details results not only in monetary gain for the hackers but serves as a form of phone number harvesting, enabling them to carry out further attacks by voicemail or text message.

    Infosecurity reports: "Amazon Spoofed in New Attack"

  • news

    Visible to the public

    In an effort to put pressure on the DarkSide Ransomeware Group, the government announced on Thursday a $10 million reward for information about the key leadership individuals in the DarkSide ransomware group—or any of it’s rebranded groups. The State Department’s $5 million dollar bounties are for intel and information that could help authorities arrest and convict others conspiring with the transnational organized crime syndicate. These efforts are in response to the DarkSide’s attack on Colonial Pipeline that disrupted fuel distribution to the East Cost for a week.
  • news

    Visible to the public "DoD Suspends Cybersecurity Certification Program Pending Major Changes"

    The US Department of Defense (DoD) has scaled back the Cybersecurity Maturity Model Certification Model (CMMC) program it rolled out in 2020 to verify the cybersecurity of DoD suppliers. The implementation of the program has been stopped until the changes are made official. The program was supposed to be rolled out over a five-year period with the goal of requiring every defense contractor in possession of certain Controlled Unclassified Information (CUI) to be certified by a third party to show that they are compliant with the CMMC standard. The department will suspend CMMC piloting efforts until CMMC 2.0 changes become effective through title 32 CFR and title 48 CFR rulemaking processes. When the title 32 CFR rulemaking is complete, and the CMMC program requirements have been implemented, as needed, into acquisition regulation through title 48 rulemaking, the CMMC 2.0 program requirements will become mandatory. The previous iteration of the CMMC framework mapped cybersecurity processes and practices across five maturity levels. CMMC 2.0 will reduce the model to three levels, removing levels two and four. This article continues to discuss the purpose of CMMC and the enhanced CMMC 2.0 program.

    NextGov reports "DoD Suspends Cybersecurity Certification Program Pending Major Changes"

  • news

    Visible to the public  "CISA Lists 300 Exploited Vulnerabilities That Organizations Need to Patch"

    The US Homeland Security Department's Cybersecurity and Infrastructure Security Agency (CISA) issued a Binding Operational Directive (BOD), giving federal civilian agencies six months to patch nearly 300 vulnerabilities known to have been exploited in the wild. The list of known exploited vulnerabilities includes those discovered in products from SonicWall, Sophos, Sumavision, Symantec, TeamViewer, Telerik, Tenda, ThinkPHP, Trend Micro, TVT, Unraid, vBulletin, VMware, WordPress, Yealink, Zoho (ManageEngine), ZyXEL, Accellion, Adobe, Apple, Apache, Android, Arcadyan, Arm, Atlassian, BQE, Cisco, Citrix, D-Link, DNN, Docker, and more. CISA's list specifies that security bugs identified this year must be fixed by November 17, 2021, while the patching deadline for other vulnerabilities is May 3, 2022. While the BOD only requires federal civilian agencies to address the security flaws, CISA urges private companies and other government organizations to remediate the vulnerabilities. This article continues to discuss the catalog of 300 known exploited vulnerabilities provided by CISA and the BOD issued that instructs government agencies to patch those security flaws.

    Security Week reports "CISA Lists 300 Exploited Vulnerabilities That Organizations Need to Patch"

  • news

    Visible to the public "Ransomware Attack on Lab in Florida"

    A ransomware attack on a laboratory based in Florida has exposed the personal health information (PHI) of more than 30,000 patients. Nationwide Laboratory Services, which is based in Boca Raton, identified suspicious activity on its network on May 19, 2021. An examination of the activity revealed that attackers had used ransomware to encrypt files across the healthcare provider's network, making their contents inaccessible. Digital forensics revealed that cyberattackers had broken into areas of Nationwide Laboratory Services' network that contained patients' PHI. The adversaries behind the ransomware assault encrypted files in which patient data was stored, including names, dates of birth, lab test results, medical record numbers, Medicare numbers, and health insurance information. Nationwide Laboratory Services also found that a limited number of individuals had Social Security numbers also impacted. The lab said that the cyberattack did not affect all patients and that the amount of data exposed in the incident differed from patient to patient.

    Infosecurity reports: "Ransomware Attack on Lab in Florida"

  • news

    Visible to the public "Thousands Of Students' Personal Information Exposed by A Medical School"

    A recent report from vpnMentor revealed the exposure of personally identifiable information (PII) belonging to thousands of medical school students in the US due to an unprotected Amazon S3 bucket. The server was found to lack security restrictions, thus leaving it open to the public. It contained 157 GB of data, with nearly 200,000 files. The server's owner was identified as the LA-based firm Phlebotomy Training Specialists, which provides phlebotomy certification and training to locations including Arizona, Michigan, Texas, Utah, California, and more. According to vpnMentor, the stored documents were backed up from September 2020, although some of them were produced before then. The insecure bucket contained copies of ID cards, dates of birth, student photographs, home addresses, and other forms of PII. In addition, the researchers found more than 27,000 tracking forms, some of which had student transcripts, images of training certificates, and the last four digits of Social Security numbers. This article continues to discuss the discovery of exposed personal data of thousands of medical students and the response to the researchers' findings.

    Cyber Intel Mag reports "Thousands Of Students' Personal Information Exposed by A Medical School"

  • news

    Visible to the public "Squid Game Crypto Scammers Rip Off Investors for Millions"

    Investors in the new cryptocurrency SQUID tokens have fallen for what cryptocurrency watchers call a classic "rug-pull" scam. When SQUID tokens were first released last week, they were valued at $0.01. On November 1st, the price started escalating dramatically, but investors were blocked from selling SQUID by a so-called "anti-dumping mechanism." Meanwhile, scammers cashed out, according to complaints received by CoinMarketCap. SQUID's value peaked at $2,861.80 and dropped to zero within hours. The victims lost around $3.38 million because of the scam. All it took to keep investors from selling was a simple piece of code, researchers at PhishLabs HelpSyst4ems explained.

    Threatpost reports: "Squid Game Crypto Scammers Rip Off Investors for Millions"

  • news

    Visible to the public "NIST Seeks Public Input on Consumer Software Labeling for Cybersecurity"

    The National Institute of Standards and Technology (NIST) has drafted cybersecurity criteria for consumer software in an effort towards helping consumers make better decisions when purchasing software. The criteria aims to assist in the development and voluntary use of labels that would show whether software incorporates a baseline level of security measures. The document titled "Draft Baseline Criteria for Consumer Software Cybersecurity Labeling" is a part of NIST's response to the May 12, 2021, Executive Order (EO) 140128 on improving the nation's cybersecurity, which calls on NIST to identify secure software development practices or criteria for a consumer software labeling program. The criteria should reflect a baseline level of cybersecurity and be easy for consumers to use. It is based on suggestions from the public through position papers, a workshop, and discussions with stakeholders. The agency is seeking the public's feedback about the baseline of technical requirements for the software and the related label. NIST proposes that the software provider would have to meet all of the technical requirements to qualify for a label. These requirements are referred to as attestations or claims about the software's security, which are categorized as descriptive attestations, secure software development attestations, critical cybersecurity attributes and capability attestations, and data inventory and protection attestations. The labeling effort should educate consumers about what the labels mean and show where they can get additional information about those cybersecurity attributes. This article continues to discuss the consumer software cybersecurity labeling effort.

    HSToday reports "NIST Seeks Public Input on Consumer Software Labeling for Cybersecurity"

  • news

    Visible to the public "Magecart Credit Card Skimmer Avoids VMs to Fly Under the Radar"

    Security researchers at Malwarebytes have discovered that a new Magecart threat actor is stealing people's payment card info from their browsers using a digital skimmer that uses a unique form of evasion to bypass virtual machines (VM) so it targets only actual victims and not security researchers. The researchers discovered the new campaign, which adds an extra browser process that uses the WebGL JavaScript API to check a user's machine to ensure it's not running on a VM. The researchers stated that by performing this in-browser check, the threat actor can exclude researchers and sandboxes and only allow real victims to be targeted by the skimmer.

    Threatpost reports: "Magecart Credit Card Skimmer Avoids VMs to Fly Under the Radar"

  • news

    Visible to the public "Top 10 Ways Attackers Are Increasing Pressure on Their Ransomware Victims to Pay"

    Researchers at Sophos conducted a new study on ransomware and based their findings on evidence and insight from a team of 24/7 incident responders who help organizations under active cyberattacks. The researchers found a shift in ransomware pressure techniques from solely encrypting data to including other pain points, such as harassing employees. The researchers found that the top 10 ways attackers are increasing pressure on their ransomware victims to get them to pay the ransom include:

    • Stealing data and threatening to publish or auction it online
    • Emailing and calling employees, including senior executives, threatening to reveal their personal information
    • Notifying or threatening to notify business partners, customers, the media, and more of the data breach and exfiltration
    • Silencing victims by warning them not to contact the authorities
    • Recruiting insiders to help them breach networks
    • Resetting passwords
    • Phishing attacks targeting victim email accounts
    • Deleting online backups and shadow volume copies
    • Printing physical copies of the ransom note on all connected devices, including point of sale terminals
    • Launching distributed denial-of-service attacks against the target's websit

    Help Net Security reports: "Top 10 Ways Attackers Are Increasing Pressure on Their Ransomware Victims to Pay"

  • news

    Visible to the public "Securing Data Transfers With Relativity: Information Cannot Travel Faster Than the Speed of Light"

    A team of researchers from the University of Geneva (UNIGE), Switzerland, has developed a new system to secure data transfers based on the physical principle of relativity. As the volume of data transferred continues to grow, it is essential to bolster the security of these exchanges. When an individual confirms their identity when they want to withdraw money from an ATM, they must disclose their personal data to the bank, which processes this information, such as the identification number and the pin code. If the prover and the verifier are the only ones who know this data, confidentiality is guaranteed, but if others access this information by hacking into the bank's server, security is compromised. The system developed by the team to counter hacking against data transfers applies the concept of zero-knowledge proof, the security of which is based on the physical principle of relativity. The idea is that information cannot travel faster than the speed of light. Their system enables users to identify themselves in complete confidentiality without having to provide any personal information. The principle of zero-knowledge proof was invented in the mid-1980s and has been applied in recent years, particularly for cryptocurrencies. However, these implementations are weak because they are based on a mathematical assumption that a specific encoding function is hard to decode. If this assumption is invalidated, which cannot be ruled out today, security is jeopardized because the data would become accessible. The team is demonstrating a relativistic zero-knowledge proof, described as a completely different system in practice. The security provided is based on the principle of relativity instead of a mathematical hypothesis. As the principle of relativity is a mainstay of modern physics, it will probably never be challenged. Therefore, the Geneva researchers' protocol is said to guarantee security. This article continues to discuss the new system developed by the Geneva researchers that secures data transfers based on the physical principle of relativity.

    SciTechDaily reports "Securing Data Transfers With Relativity: Information Cannot Travel Faster Than the Speed of Light"

  • news

    Visible to the public "Government Action Needed to Ensure Insurance Against Major Hacking of Driverless Vehicles, Experts Warn"

    Matthew Channon from the University of Exeter and James Marson from Sheffield Hallam University conducted a study, suggesting that government action is needed for driverless cars to be insured against malicious hacks. Driverless vehicles use software that makes it possible for them to communicate with each other. This type of software is being used and tested on public transport and is expected to be implemented into private vehicles in the future. Although the technology can improve transport safety, if it were to be hacked by malicious actors, it could lead to major accidents and damages to fleets of vehicles, potentially resulting in financial loss, injury, and death. Traditional vehicle insurance would not cover the mass hacking of driverless cars, and such an incident could result in great financial loss for the industry. Existing liability systems are said to be inadequate or inapplicable to driverless vehicles. Channon said it is impossible to measure the risk of driverless vehicles being hacked, but it is essential to prepare. The researchers recommend the introduction of an insurance-backed "Maliciously Compromised Connected Vehicle Agreement" to compensate low-cost hacks and a guarantee fund backed by the government to compensate high-cost hacks. This article continues to discuss the study calling on the government to help ensure insurance against the mass hacking of driverless vehicles and why this type of insurance is important.

    University of Exeter reports "Government Action Needed to Ensure Insurance Against Major Hacking of Driverless Vehicles, Experts Warn"

  • news

    Visible to the public "Cybercriminals Target Transport and Logistics Industry"

    A team of researchers with Intel 471 shared their new observations of cybercriminals hitting organizations in the supply chain sector with cyberattacks and claiming to have accessed networks for companies that operate maritime, air, and ground cargo transport. The threat of potential cyberattacks adds to the widespread challenges being faced by the global supply chain, including the COVID-19 pandemic, the shortage of workers available to transport cargo, and more. The researchers warn that a cybersecurity crisis at one of these logistics and shipping companies could significantly impact the global consumer economy, considering how volatile things are right now. Over the past few months, the team detected several network access brokers selling credentials on underground forums, claiming that they belonged to logistics companies. They claimed to have obtained the credentials by exploiting vulnerabilities contained by remote access solutions, including Remote Desktop Protocol (RDP), Citrix, and SonicWall. For example, in August, the researchers saw a threat actor claiming that they had access to the corporate networks of a US-based transportation management and software supplier, and a US-based commodity transportations services company. According to the researchers, the threat actor, known to work with groups that launch the Conti ransomware, gave a Conti affiliate group access to a botnet with a Virtual Network Computing (VNC) function. The botnet was used to download and execute a Cobalt Strike beacon on infected machines. The Intel 471 threat researchers call on logistics companies' security teams to continuously monitor and track adversaries, their tools, and behavior to prevent attacks. However, many companies in this sector lack strong security protections, as suggested by an April report revealing that 90 percent of organizations studied had open remote desktop ports and inadequate email security. This article continues to discuss findings surrounding the targeting of the transport and logistics industry by cybercriminals.

    Decipher reports "Cybercriminals Target Transport and Logistics Industry"

  • news

    Visible to the public "Annual Cost of Child Identity Fraud Almost $1Bn"

    Researchers at Javelin Strategy & Research discovered that the annual cost of child identity theft and fraud in the United States is nearly $1bn. The researchers put out a report titled "2021 Child Identity Fraud." The researchers analyzed factors that put children at the highest risk of identity theft and fraud. Risk factors examined for the research included behaviors, characteristics, and social media platforms. The researchers found that children who use Twitch (31%), Twitter (30%), and Facebook (25%) were most likely to have their personal information exposed in a data breach. Another key finding was that more than 1.25 million children in the United States became victims of identity theft and fraud in the past year. Resolving the situation cost the average family more than $1,100 and was a slow process. The researchers also found that over half of all child identity theft and fraud cases involve children ages nine and younger and that most (70%) victims know their perpetrators. The researchers advised families to limit and monitor the use of social media and messaging platforms by minors and to be on the lookout for cyber-bullying.

    Infosecurity reports: "Annual Cost of Child Identity Fraud Almost $1Bn"

  • news

    Visible to the public "Holiday Shopping Disruption Beckons as Retail Bot Attacks Surge 13%"

    Security experts at Imperva are warning of potential disruption to the upcoming holiday shopping season after recording a double-digit year-on-year increase in bot-driven cyberattacks so far in 2021. The researchers found that half (57%) of attacks targeting retail websites this year were carried out by bots, versus just 33% across other industries. Account takeover attempts, looking to hijack customers' accounts to steal personal and financial info, reached 33% so far in 2021, versus 26% across other verticals. The researchers stated that these attacks are usually carried out by "sophisticated" bots, capable of mimicking human mouse movements and clicks to defeat retailers' cyber defenses. The bots are responsible for account takeover and denial of inventory, where items are added to account baskets to take them out of circulation, making them unavailable for legitimate customers. The researchers stated that this could exacerbate existing supply chain issues that threaten stock availability this holiday season. The researchers also recorded a surge in DDoS attacks, including a 200% month-on-month increase in September 2021. The researchers warned that as retailers build out their website functionality with chatbots and web analytics and connect customers via API to features such as product search and order fulfillment tracking, their cyberattack surface will continue to expand.

    Infosecurity reports: "Holiday Shopping Disruption Beckons as Retail Bot Attacks Surge 13%"

  • news

    Visible to the public "Free Tool Scans Web Servers for Vulnerability to HTTP Header-Smuggling Attacks"

    Daniel Thatcher, a researcher and penetration tester at Intruder, has developed a technique for testing and identifying how HTTP/HTTPS headers could be used by malicious threat actors to sneak code into back-end servers. Thatcher will share his findings on HTTP header-smuggling at Black Hat Europe in London, as well as release a free tool for testing web servers for bugs that attackers could use to carry out HTTP header-smuggling attacks. HTTP/HTTPS headers contain cookies, the IP address, and more. Header-smuggling is a method involving the sneaking of malicious or phony information to the back-end server within the HTTP header by the front-end server. According to Thatcher, attackers can use header-smuggling to exploit other weaknesses in web applications too. He will demonstrate how header-smuggling was used to evade IP-address restrictions in the AWS API Gateway, which resulted in a cache-poisoning exploit. Although he has not yet shared any details on his AWS research, he says a "specific issue" in the AWS gateway was used. In his research, HTTP header-smuggling was found to make cache-poisoning easier to do, thus potentially allowing an attacker to overwrite any cached pages with their own content. Thatcher's methodology leverages the errors returned by HTTP servers when an invalid value is provided in the Content-Length header. This article continues to discuss the concept of HTTP header-smuggling, the tool developed to scan web servers for vulnerabilities to such attacks, and who should be responsible for fixing or preventing this type of HTTP/HTTPS abuse.

    Dark Reading reports "Free Tool Scans Web Servers for Vulnerability to HTTP Header-Smuggling Attacks"

  • news

    Visible to the public "Hackers-for-Hire Drive Evolution of Threat Landscape"

    The European Union Agency for Cybersecurity (ENISA) has released its annual report on the state of the cybersecurity threat landscape. The 9th annual ENISA Threat Landscape (ETL) report covers April 20 to July 2021. The report provides recommendations alongside identified threats, attack techniques, notable incidents, and trends. The constantly growing online presence, the transitioning of traditional infrastructures to online solutions, advanced interconnectivity, and the abuse of new capabilities provided by emerging technologies have all contributed to the increased sophistication, complexity, and impact of cybersecurity threats. Ransomware attacks are cited as the main threat for that period of reporting, followed by malware, cryptojacking, email-related threats, data threats, threats against availability and integrity, disinformation/misinformation, non-malicious threats, and supply chain attacks. The COVID-19 crisis opened doors for adversaries to use the panic and uncertainty surrounding the pandemic as lures in their attack campaigns. Financial gain appears to be the main driver behind these activities. Threat actors have been observed using various techniques, including, but limited to, Ransomware-as-a-Service (RaaS)-type business models, multiple extortion ransomware schemes, Business Email Compromise (BEC), Phishing-as-a-Service (PhaaS), and Disinformation-as-a-Service (DaaS) business models. In the discussion of cybersecurity threat actors, the report focused on state-sponsored attackers, cybercriminals, hacker-for-hire actors, and hacktivists who are integral components of the threat landscape. This article continues to discuss the key findings and development of the ETL report.

    Homeland Security News Wire reports "Hackers-for-Hire Drive Evolution of Threat Landscape"