News Items

  • news

    "US, European Police Say They've Disrupted The Notorious Emotet Botnet"

    U.S. and European law enforcement agencies stated Wednesday that they had seized control of the computing infrastructure used by Emotet, a botnet of infected machines that has been one of the most pervasive cybercrime threats over the last six years. The botnet has wreaked havoc on state and local institutions in the U.S. and abroad. The Department of Homeland Security has estimated that Emotet infections have cost U.S. state and local governments $1 million per incident to clean up. The investigators gained control of the infrastructure and took it down from the inside, Europol stated. Taking down the infrastructure is a big blow to the botnet that has haunted the internet for years. It is unclear whether the criminals behind Emotet will be able to rebuild their operations. Botnets can be resilient; TrickBot, another big botnet, has survived big efforts to disrupt its operations from Microsoft and U.S. Cyber Command.

    Cyberscoop reports: "US, European Police Say They've Disrupted The Notorious Emotet Botnet"

  • news

    Cybersecurity Snapshots #14 - The Rise of Ryuk

  • news

    "DDoS Attacks Surge in 2020 Due to #COVID19"

    Researchers at NETSCOUT discovered that distributed denial-of-service (DDoS) attacks rose substantially last year following the digital shift brought about by COVID-19. The researchers stated that over 10 million attacks of this nature occurred in 2020, which is around 1.6 million higher than in 2019. It is normal for the number of DDoS attacks to increase, but the growth rate that the researchers observed suggests that cyber-criminals have sought to exploit the growth of internet use and home working during the pandemic. The researchers also found that attack frequency was up 20% across the whole of 2020, excluding the pre-pandemic months of January, February, and most of March. The researchers recorded the largest single number of monthly DDoS attacks they had ever seen in May 2020, at 929,000, with monthly rates regularly exceeding 800,000 from March.

    Infosecurity reports: "DDoS Attacks Surge in 2020 Due to #COVID19"

  • news

    "Ransomware Hackers Launder Bitcoin Through Just a Handful of Locations, Researchers Find"

    Cybercrime investigators suggest that the growing trend of increasingly large ransomware cash demands and rising attack frequency is the result of a specialized black market economy, not the work of a large number of criminals. This specialized black market economy is said to consist of hackers with various skill sets who collaborate with each other to commit cybercrimes. Any profits gained from these crimes are split among the collaborating hackers. It seems that most of the black market economy is made up of a relatively small number of attack groups. These groups operate under a malware-as-a-service business model, taking a significant piece of the profits and relying on money laundering schemes to conceal the paths the money has taken. Researchers have looked at this activity via the blockchain, a decentralized distributed ledger where cryptocurrency transactions are processed and finalized. Ransomware victims typically use bitcoin to pay attackers to unlock their systems and decrypt their data, and these transactions are recorded on the blockchain. Chainalysis analyzed bitcoin deposit addresses tied to attack groups to learn more about hackers' financial relationships and how they move illicit money. The company found that over $340 million in bitcoin has traveled through known ransomware wallets. Ransomware attackers have been observed moving most of their funds to cryptocurrency exchanges and mixers, in which cryptocurrency from different sources is blended to hide its origin. This article continues to discuss findings surrounding the ransomware industry regarding how attack groups operate, collaborate, and move stolen funds, in addition to the financial impact that ransomware attacks have had on US organizations.

    CyberScoop reports "Ransomware Hackers Launder Bitcoin Through Just a Handful of Locations, Researchers Find"

  • news

    DevSecOps - Baking in Cybersecurity

  • news

    Spotlight on Lablet Research #14 - Project: A Human Agent-Focused Approach to Security Modeling

  • news

    Cyber Scene #52 - Cyber: Capitol Offense and Counter

  • news

    Pub Crawl #46

    Pub Crawl summarizes, by hard problems, sets of publications that have been peer reviewed and presented at SoS conferences or referenced in current work. The topics are chosen for their usefulness for current researchers.

  • news

    "TikTok Flaw Lay Bare Phone Numbers, User IDs For Phishing Attacks"

    Researchers at Check Point Research discovered a vulnerability in the popular TikTok short-form video-sharing platform that could have allowed adversaries to easily compile users' phone numbers, unique user IDs, and other data usable for phishing attacks. The vulnerability was in the "Find Friends" feature of the TikTok mobile app. This feature allows users to find their friends, either via their contacts, via Facebook, or by inviting friends. To launch an attack, a bad actor would first need to bypass TikTok's HTTP message signing mechanism, which is meant to prevent threat actors from tampering with HTTP messages or modifying the HTTP request body. The researchers were able to achieve this using TikTok's own signing service, executed in the background. Using a dynamic analysis framework like Frida, an adversary could hook the function, change the data of the function's arguments (in this case, the contacts the attacker wants to sync), and re-sign the modified request sent to the TikTok application server. From there, the adversary could automate the process of uploading and syncing contacts at a large scale. This would have allowed the adversary to build a database of users and their connected phone numbers. The researchers reported the vulnerability, and a patch has been released that fixes the issue.

    Threatpost reports: "TikTok Flaw Lay Bare Phone Numbers, User IDs For Phishing Attacks"

  • news

    "The Role AI Plays in Safeguarding Government Data"

    As the use of web-based applications continues to grow due to the increase in remote work during the COVID-19 pandemic, it is now more important than ever for the government to adopt better strategies for protecting classified data and reducing threats. Teams responsible for protecting data need new capabilities to bolster cybersecurity, especially as many government agencies continue to face challenges such as lack of resources, growing data sets, and more. The pandemic has forced governments to accelerate digital transformation efforts, including the implementation of Artificial Intelligence (AI) to support cybersecurity operations. The increase in AI investment will help combat challenges experienced by security and data governance teams, such as high rates of false positives resulting from manual processes, strains in human surveillance, and the security industry skills gap. AI technology can automate and significantly simplify tasks performed across business processes. Using AI, government agencies can strengthen data protection, improve compliance efforts, and free up time for other activities while providing an extra layer of risk management. AI can lighten manual human tasks using algorithms and training models capable of classifying documents and providing classification recommendations to security teams. AI can also help teams identify abnormal security behavior that may require attention and decrease false positives in order to improve the prioritization of alerts and threats. This article continues to discuss the acceleration of digital transformation by governments during the pandemic, current cybersecurity challenges faced by security teams, and how AI can help improve cybersecurity operations.

    NextGov reports "The Role AI Plays in Safeguarding Government Data"

  • news

    "Illinois Court Exposes More Than 323,000 Sensitive Records"

    WebsitePlanet researchers and a security researcher named Jeremiah Fowler discovered an unsecured Elasticsearch server containing more than 323,000 Cook County, Illinois, court-related records. Cook County is the second-most-populous county in the US. According to the researchers, the records contained personally identifiable information (PII), including full names, home addresses, email addresses, and court case numbers, in addition to notes on case statuses. The data was stored in plaintext without password protection. The researchers warn that the information exposed by the inadequately secured database could allow threat actors to launch various types of attacks, such as identity theft and blackmail. This article continues to discuss the discovery and potential impact of this exposure of over 323,000 sensitive court records.

    Security Week reports "Illinois Court Exposes More Than 323,000 Sensitive Records"

  • news

    "Amazon Kindle RCE Attack Starts with an Email"

    A researcher at Realmode Labs found three vulnerabilities in the Amazon Kindle e-reader. The first vulnerability could allow an adversary to send an e-book to the victim's Kindle device. The second vulnerability would allow an adversary to run arbitrary code while the e-book is parsed, under the context of a weak user. The third vulnerability would allow the attacker to escalate privileges and run code as root. The discovery of these vulnerabilities earned the researcher $18,000 from the Amazon bug-bounty program. The researcher also found that it was possible to email malicious e-books to the devices via the "Send to Kindle" feature to start an attack chain. He is calling this attack "KindleDrip". The first step in a KindleDrip attack is to send a malicious e-book to a target. The file is sent as an attachment and automatically shows up in the user's library. The victim does not receive an alert that something new has been installed on the bookshelf. When the victim opens the innocent-looking book and touches one of the links in the table of contents, the link opens the built-in browser with an HTML page that contains a malicious JPEG XR image. The image is parsed, and malicious code now runs as root. The payload changes the boot background and restarts the device. Then, the attacker receives private credentials from the device and can log into the victim's account. To make the attack work, an attacker would first need to know the email address assigned to the victim's device.

    Threatpost reports: "Amazon Kindle RCE Attack Starts with an Email"

  • news

    "SonicWall Network Attacked via Zero Day in Its Secure Access Solution"

    The cybersecurity company SonicWall has announced that highly sophisticated threat actors targeted its secure remote access products. SonicWall's product line includes security solutions for networks, remote access, email, cloud technology, and endpoints. SonicWall revealed that attackers might have exploited zero-day flaws in its Secure Mobile Access (SMA) 100 Series, specifically SMA client version 10.x running on SMA 200, SMA 210, SMA 400, and SMA 410 physical appliances, and on the SMA 500v virtual appliance. Affected SonicWall customers are advised to use only SSL-VPN connections to the SMA appliance from whitelisted IPs, enable multi-factor authentication (MFA) on all SonicWall SMA accounts, and more. This article continues to discuss the coordinated attack on SonicWall's internal systems involving the exploitation of zero-day vulnerabilities in some of its remote access products, as well as mitigation guidelines provided to customers by the company.

    SC Media reports "SonicWall Network Attacked via Zero Day in Its Secure Access Solution"

  • news

    FreakOut Bot exploits Linux systems

    A new Internet Relay Chat (IRC) bot called FreakOut exploits vulnerabilities to launch denial-of-service and cryptomining attacks on Linux systems. The bot was activated in November 2020 and already has 300 users and five channels. Once compromised, the systems are used to spread the attacks across the victim's enterprise networks and beyond.

    #cybersecurity #ScienceofSecurity

  • news

    "New Website Launched to Document Vulnerabilities in Malware Strains"

    A security researcher named John Page has launched a new website called MalVuln that lists vulnerabilities in malware code. The site aims to help other security professionals break, disable, and uninstall malware on infected hosts. The site is described as a vulnerability disclosure portal. It lists the malware's name and a technical description of its vulnerabilities. The site also provides proof-of-concept (PoC) exploit code so security researchers can reproduce the issue. MalVuln currently lists 45 security flaws, some of which were discovered in current threats such as Phorpiex (Trik) and older malware strains like Bayrob. As outside submissions are not being accepted yet, all of the vulnerabilities listed on MalVuln were found by Page. Although MalVuln offers benefits, it has ignited concerns about how it could indirectly help malware authors by pointing out the vulnerabilities in their code, potentially impacting the effectiveness of tools used by security firms and incident responders to combat malware. Other security researchers who support the practice of hacking back against malware operators have shown their support for the site. This article continues to discuss the contents and purpose of the MalVuln portal, as well as the controversy surrounding the practice of "hacking back."

    ZDNet reports "New Website Launched to Document Vulnerabilities in Malware Strains"

  • news

    "The Largest Darknet Forum 'Joker's Stash' is Shutting Down"

    An infamous dark web marketplace called Joker's Stash, where cybercriminals trade stolen card data, will shut down on February 15, 2021. Its operators announced the site's closure through messages and advertisements on various hacking forums. It is suspected that the operators of Joker's Stash are closing the platform because they fear intrusions by federal authorities. Officials from the US FBI and Interpol recently seized some servers used by Joker's Stash, which temporarily disrupted the site's activity. This article continues to discuss the shutdown of the largest darknet forum Joker's Stash, a recent coordinated police operation that disrupted the site's operations, and notable data breaches involving this carding platform.

    CISO MAG reports "The Largest Darknet Forum 'Joker's Stash' is Shutting Down"

  • news

    "Einstein Healthcare Network Announces August Breach"

    Einstein Healthcare Network, a Pennsylvania-based company operating medical rehab, outpatient, and primary care centers, recently announced that it was affected by a breach of its employee email system, which exposed patient personal and medical information. The organization waited more than five months to notify the public of the breach, which violates the HHS 60-day breach notification rule, but it will most likely not be penalized. According to Einstein, an unauthorized person accessed employee emails on August 5th, and the suspicious activity continued until August 17th. Einstein had known about the suspicious activity in employee email accounts since August 10th. Emails accessed by the attacker contained patient information, which may have included patients' names, dates of birth, medical records, patient account numbers, and treatment or clinical information such as diagnoses, medications, providers, types of treatment, and treatment locations. Some of the emails also contained health insurance information and Social Security numbers.

    Threatpost reports: "Einstein Healthcare Network Announces August Breach"

  • news

    "Human Error to Blame as Exposed Records Top 37 Billion in 2020"

    Researchers at Risk Based Security found that reported global breach volumes dropped 48% last year compared to 2019, but the number of exposed records soared 141% to top 37 billion. The researchers also found that there were 3,923 breaches in total last year. Of the breached records, 30.4 billion (82%) came from just five incidents, all of which were down to misconfigured databases or services. External actors accounted for 77% of the breaches, and 69% were caused by human error or oversight. The researchers also stated that stolen credentials were the number one method of entry for attackers. Double extortion attacks are also growing in popularity: 676 of the breaches this year (17%) included ransomware as an element, an increase of 100% compared to 2019.

    Infosecurity reports: "Human Error to Blame as Exposed Records Top 37 Billion in 2020"

  • news

    "Exploit Allows Root Access to SAP"

    A team of researchers with Onapsis Research Labs discovered a publicly available exploit on the code-hosting platform GitHub that affects SAP. The exploit was published on January 14 by a Russian researcher named Dmitry Chastuhin. According to the researchers, the exploit can be used against the SAP Solution Manager (SolMan), an administrative system similar to Active Directory in Windows that is employed in every SAP environment. The fully functional exploit abuses a vulnerability tracked as CVE-2020-6207 in which the SAP SolMan does not perform any authentication checks for a service. The exploitation of this vulnerability could lead to a takeover of all SMDAgents connected to the Solution Manager. An attack through the abuse of this flaw puts an organization's mission-critical data, SAP applications, and business processes at risk. This article continues to discuss the publicly available exploit that enables root access to SAP and the impact that this exploit could have on organizations' cybersecurity and regulatory compliance.

    Infosecurity Magazine reports "Exploit Allows Root Access to SAP"

  • news

    "QNAP Warns Users of a New Crypto-Miner Named Dovecat Infecting Their Devices"

    The Taiwanese hardware vendor QNAP is warning its customers about Dovecat, a new malware strain that targets its network-attached storage (NAS) devices, infecting them to mine cryptocurrency without the owners' knowledge. The company revealed that QNAP NAS devices could become infected by Dovecat when connected to the Internet with weak user passwords. As the infection vector has been linked to weak passwords, users are advised to use stronger admin passwords, install a firewall, disable unused services, enable Network Access Protection to protect accounts from brute-force attacks, avoid using default port numbers, and more, in order to prevent Dovecat infections. This article continues to discuss the discovery and capabilities of Dovecat malware and what steps users should take to protect themselves.

    ZDNet reports "QNAP Warns Users of a New Crypto-Miner Named Dovecat Infecting Their Devices"

  • news

    "Windows Remote Desktop Servers Now Used to Amplify DDoS Attacks"

    Windows Remote Desktop Protocol (RDP) servers are being used by DDoS-for-hire services as an amplification vector in the execution of Distributed Denial-of-Service (DDoS) attacks. The Microsoft RDP service allows authenticated remote virtual desktop infrastructure (VDI) access to Windows servers and workstations. Attacks in which Windows RDP servers are used as amplifiers can result in the shutdown of an organization's remote-access services as well as additional service disruption due to state-table exhaustion of stateful firewalls, load balancers, and more. In order to mitigate the impact of these attacks, organizations should disable the vulnerable UDP-based service on Windows RDP servers or make the servers available only via a Virtual Private Network (VPN). This article continues to discuss DDoS-for-hire services' use of Windows RDP servers to amplify attacks and recommended mitigation measures.

    BleepingComputer reports "Windows Remote Desktop Servers Now Used to Amplify DDoS Attacks"

  • news

    "Google Searches Expose Stolen Corporate Credentials"

    Researchers at Check Point and security firm Otorio uncovered a phishing campaign that managed to bypass Microsoft Office 365 Advanced Threat Protection filtering to steal more than 1,000 corporate credentials. The campaign began in August 2020 and used emails that spoof notifications from Xerox scans to lure victims into clicking on malicious HTML attachments. Organizations targeted in the campaign included retail, manufacturing, healthcare, and IT. The adversaries also had a special interest in targeting energy and construction companies. The adversaries behind the recently discovered phishing campaign unintentionally left more than 1,000 stolen credentials online, retrievable via simple Google searches.

    Threatpost reports: "Google Searches Expose Stolen Corporate Credentials"

  • news

    "SolarWinds Attack Underscores 'New Dimension' in Cyber-Espionage Tactics"

    The cybersecurity firm Malwarebytes has revealed that it was also targeted by the same nation-state hackers who infected SolarWinds' Orion network management software, which impacted US government agencies and corporations, including Microsoft and FireEye. The SolarWinds cyberattack further highlights how attackers are shifting their focus towards targeting cloud-based services to compromise credentials and access organizations' most sensitive information. Symantec released details about a fourth malware tool called Raindrop used in the SolarWinds attack campaign to move laterally within a network and deploy a malicious Cobalt Strike payload on other computers. FireEye Mandiant's incident response experts published a white paper explaining the methods that SolarWinds attackers and other threat groups use to hack organizations from their on-premise networks to cloud services such as Microsoft 365. Mandiant also released a free script-based tool on GitHub to help detect signs indicating the use of these attack techniques. According to Mandiant, attackers have moved laterally from the victim's network to 365 cloud-based accounts using a mix of four different approaches. This article continues to discuss the targeting of Malwarebytes by SolarWinds hackers, the Raindrop malware tool used in the attack campaign, and the tool released by FireEye Mandiant to help detect signs of the SolarWinds attack.

    Dark Reading reports "SolarWinds Attack Underscores 'New Dimension' in Cyber-Espionage Tactics"

  • news

    "Research Team Develops Fast and Affordable Quantum Random Number Generator"

    A team of scientists has developed a quantum random number generator said to be fast and affordable. The device produces randomness at a rate of 8.05 gigabits per second, making it the fastest secure quantum random number generator ever. The study is a step forward in developing commercial random generators for cryptography and complex systems modeling. Random number generation is an essential component of the encryption processes that protect data. The researchers used photons' intrinsically and fundamentally unpredictable behavior to generate true randomness. This article continues to discuss the new quantum random number generator, the importance of generating random numbers for encryption, the use of photons' unpredictable behavior to produce randomness, and how the researchers confirmed the randomness generated by the device.

    Help Net Security reports "Research Team Develops Fast and Affordable Quantum Random Number Generator"

  • news

    "Hundreds of Networks Still Host Devices Infected With VPNFilter Malware"

    According to researchers at Trend Micro, hundreds of networks still contain VPNFilter malware, leaving infected devices open to being controlled by malicious actors. VPNFilter was identified in 2018 and is believed to be operated by the Russian state-sponsored hacker group Sofacy. This malware has infected routers and network-attached storage (NAS) devices from ASUS, D-Link, MikroTik, Ubiquiti, Linksys, UPVEL, and more. VPNFilter has various modules that allow it to map networks, exploit endpoints connected to infected devices, exfiltrate data, encrypt command-and-control (C&C) server communications, create a network of proxies for future abuse, and find more victims. To determine whether the botnet remains a real threat, Trend Micro reached out to the Shadowserver Foundation, which worked with Cisco Talos, the FBI, and the US Department of Justice. They sinkholed the domain from which VPNFilter attempts to obtain the address of its C&C server. The analysis of data collected from the sinkhole reveals that more than 5,000 unique devices are still connecting to the domain, suggesting that the devices are still infected by VPNFilter. Trend Micro emphasizes that the number of infections not only represents individual machines but also thousands of infected networks. This article continues to discuss the history of VPNFilter malware, recent discoveries surrounding its continued impact, and how to address this problem.

    Security Week reports "Hundreds of Networks Still Host Devices Infected With VPNFilter Malware"

  • news

    "Linux Devices Under Attack by New FreakOut Malware"

    Researchers at Check Point Research have discovered a novel malware variant that is targeting Linux devices. The malware is called FreakOut. FreakOut has various capabilities, including port scanning, information gathering, and data packet and network sniffing. The malware is actively adding infected Linux devices to a botnet and can launch DDoS and network flooding attacks as well as cryptomining activities. The malware first targets Linux devices running specific products that have not been patched against various flaws. These include a critical remote command execution flaw (CVE-2020-28188) in TerraMaster TOS (TerraMaster Operating System); versions before 4.2.06 are affected by the flaw. The malware also targets a critical deserialization glitch (CVE-2021-3007) in Zend Framework, a popular collection of library packages used for building web applications; this flaw exists in versions higher than Zend Framework 3.0.0. A critical deserialization of untrusted data issue (CVE-2020-7961) in Liferay Portal is also targeted; affected versions include 7.2.1 CE GA2. Researchers are advising organizations to check any of these devices urgently and update and patch them to fix these vulnerabilities as soon as possible.

    Threatpost reports: "Linux Devices Under Attack by New FreakOut Malware"

  • news

    "560 Healthcare Providers Fell Victim to Ransomware Attacks in 2020"

    The cybersecurity firm Emsisoft released a report on the state of ransomware in the US, which reveals that at least 2,354 US government entities, healthcare facilities, and schools were impacted by ransomware attacks in 2020. Emsisoft data shows that 560 healthcare provider facilities fell victim to ransomware attacks last year. The education sector faced the highest number of successful attacks, with 1,681 schools, colleges, and universities impacted by ransomware attacks. Federal, state, and municipal governments and agencies disclosed 113 successful ransomware attacks. According to Emsisoft's report, the second half of 2020 saw the greatest impact from ransomware attacks. Ransomware attacks on healthcare providers resulted in Electronic Health Record (EHR) downtime, the diversion of ambulances, the inaccessibility of lab tests, and other life-threatening disruptions. Emsisoft predicts twice as many cases of data theft in 2021 as there were in 2020 due to the continued advancement of attack methods used by cybercriminals. Healthcare providers, in particular, are urged to adopt a proactive approach to strengthening cybersecurity. Microsoft, the Office for Civil Rights, the FBI, and CISA have provided insights that can help security leaders combat the ransomware threat. This article continues to discuss findings shared by Emsisoft's report regarding ransomware attacks faced by the US healthcare sector and other sectors in 2020, as well as predictions about cyberattacks in 2021.

    HealthITSecurity reports "560 Healthcare Providers Fell Victim to Ransomware Attacks in 2020"

  • news

    "Hackers 'Manipulated' Stolen COVID Vaccine Papers, Says EU Agency"

    The European Medicines Agency (EMA) recently revealed that hackers leaked and manipulated documents about the BioNTech-Pfizer and Moderna COVID-19 vaccines. According to the EU agency, these documents were manipulated in a way that could damage public trust in the COVID-19 vaccines. The hack is currently under investigation by Dutch police and the EMA. This article continues to discuss the leak of COVID-19 vaccine documents stolen in a cyberattack on the EMA in December 2020.

    Homeland Security News Wire reports "Hackers 'Manipulated' Stolen COVID Vaccine Papers, Says EU Agency"

  • news

    "Most Financial Services Have Suffered COVID-Linked Cyber-Attacks"

    Researchers at password security firm Keeper Security commissioned the Ponemon Institute to poll over 370 UK IT security leaders who work at financial services firms as part of a larger global study, and found that this past year 70% of financial services firms experienced a successful cyberattack. Most of the study's participants blamed COVID-related conditions for the successful cyberattacks. More than half of the respondents to the survey argued that cyberattacks are increasing in severity due to employees working from home, and 41% argued that remote workers are putting organizations at risk of a major data breach. The respondents were most concerned about a lack of physical security wherever their employees are working remotely from (48%) and their devices becoming infected with malware (34%). Respondents flagged insufficient budget and a lack of knowledge about combating cyberattacks as the biggest IT security challenges of remote working.

    Infosecurity reports: "Most Financial Services Have Suffered COVID-Linked Cyber-Attacks"

  • news

    "FBI Warns of Increase in Vishing Attacks"

    The FBI is warning that hackers are increasingly using voice phishing, also known as vishing, to target remote workers as a way to harvest VPN and other credentials to gain initial access to corporate networks. After gaining access to the network, many adversaries found that they had the ability to escalate privileges of the compromised employees' accounts, which allowed them to gain further access into the network, often causing significant financial damage. Security experts suggest that organizations should train employees on how to spot these phishing attempts. The FBI is also advising organizations to deploy multifactor authentication and review whether the level of access employees have to certain internal systems and networks is appropriate.

    Gov Info Security reports: "FBI Warns of Increase in Vishing Attacks"

  • news

    Visible to the public "Flaws in Widely Used Dnsmasq Software Leave Millions of Linux-Based Devices Exposed"

Security experts from the Internet of Things (IoT) security firm JSOF have released details about a set of seven vulnerabilities collectively called DNSpooq that impact Dnsmasq, a DNS forwarder used in many Linux-based systems such as routers and other IoT devices. Dnsmasq is usually included in the firmware of various networking devices, including home and business routers and different types of embedded and IoT systems such as firewalls, Voice over Internet Protocol (VoIP) phones, and vehicle Wi-Fi systems. The exploitation of these flaws enables the launch of DNS cache poisoning attacks, in which attackers send queries to a vulnerable Dnsmasq-based forwarder to force the server to cache rogue or poisoned DNS entries. These attacks result in the redirection of users to malicious sites. The seven DNSpooq vulnerabilities also include buffer overflows that can lead to remote code execution. JSOF identified more than 40 affected vendors, including Google, Cisco Systems, Dell, Netgear, OpenStack, Linksys, and General Electric. This article continues to discuss the attacks that could be performed by exploiting the Dnsmasq vulnerabilities and the mitigation of these flaws.

    CSO Online reports "Flaws in Widely Used Dnsmasq Software Leave Millions of Linux-Based Devices Exposed"

  • news

    Visible to the public "Highway Safety Agency Wants Car Makers to Know What's in Their Software"

The National Highway Traffic Safety Administration (NHTSA) released a new draft of voluntary cybersecurity best practices with a focus on secure software use in vehicles. The updated draft incorporates comments gathered on a 2016 best practices document that the highway safety agency issued in response to the growing connectivity of modern vehicles as well as the continued addition of new electronics to these vehicles. These advancements introduce new opportunities for malicious hackers to launch attacks against modern vehicles, posing a significant threat to drivers' safety. For example, a hacker could remotely turn a car's automatic emergency braking system against its driver. In addition to the comments on the 2016 document, the updated draft reflects industry standards and research conducted by the agency on over-the-air updates, encryption techniques, cybersecurity penetration testing, and diagnostics. The revised best practices also bring further attention to the importance of considering cybersecurity throughout the software supply chain and the lifecycle management processes of developing, implementing, and updating software-enabled systems. This article continues to discuss NHTSA's revised draft cybersecurity best practices document for the safety of modern vehicles and the importance of a secure software development process in the automotive sector.

    NextGov reports "Highway Safety Agency Wants Car Makers to Know What's in Their Software"

  • news

    Visible to the public "'Chimera' Threat Group Abuses Microsoft & Google Cloud Services"

    Researchers with NCC Group and Fox-IT have detailed a new threat group called Chimera. According to the researchers, this group targets Microsoft and Google cloud services to achieve goals aligned with the Chinese government's interests. Chimera tries to exfiltrate data belonging to various target organizations, including those in the semiconductor and airline industries, via cloud services. Chimera was involved in multiple incident response engagements between October 2019 and April 2020. The researchers revealed that Chimera has remained undetected in a network for up to three years. Chimera performs credential stuffing or password spraying attacks against a victim's remote service using usernames and passwords from previous breaches. This article continues to discuss the Chimera threat group's interests, targets, and attack methods.

    Dark Reading reports "'Chimera' Threat Group Abuses Microsoft & Google Cloud Services"

  • news

    Visible to the public "'Scam-as-a-Service' Scheme Spreads"

Researchers at the global threat hunting and adversary-centric cyber intelligence company Group-IB discovered a Russian-speaking scam-as-a-service operation called Classiscam. This operation, which started two years ago, now involves 40 interconnected gangs. These gangs operate in Russia, France, Poland, Romania, the US, and other countries. Group-IB reports that the groups are using fake online advertisements for products such as cameras, game consoles, laptops, smartphones, and more to lure buyers into visiting phishing pages where the gangs harvest personal information and payment data. These groups made a total of at least $6.5 million in 2020. The brands spoofed by the Classiscam operation include the French marketplace Leboncoin, the Polish online brand Allegro, the Czech website Sbazar, and Romania's FAN Courier site. According to Group-IB, the criminal group expanded its operation in response to the significant increase in online shopping during the COVID-19 pandemic. The hackers behind Classiscam set up Telegram chatbots to automate the management and expansion of the scheme. These bots generate ready-to-use pages that mimic classified advertising, marketplace, and phishing URLs. This article continues to discuss the advancement of the Classiscam scheme regarding its operators, techniques, and tools.

    BankInfoSecurity reports "'Scam-as-a-Service' Scheme Spreads"

  • news

    Visible to the public "Researchers Estimate Ryuk Ransomware Operations to Be Worth $150 Million"

Researchers from HYAS and Advanced Intelligence LLC looked at transactions for known Bitcoin addresses associated with Ryuk ransomware and have concluded that the Ryuk ransomware criminal enterprise is worth more than $150,000,000. Ryuk ransomware was first seen in the wild in 2018 and is operated by Russian cybercriminals. Ryuk has become one of the most prevalent malware families, being used in various high-profile attacks, such as those targeting the Pennsylvania-based UHS and the Alabama hospital chain DCH Health System. The researchers believe that Ryuk is operated by the same cybercriminals behind the TrickBot Trojan. The researchers traced 61 deposit addresses associated with the ransomware and found that most of the funds were sent to exchanges through intermediaries for cash out. The cybercriminals appear to be primarily using the Asian crypto-exchanges Huobi and Binance. Additionally, the researchers found that Ryuk operators are sending "significant flows of cryptocurrency" to several small addresses that the researchers believe belong to a crime service that exchanges the cryptocurrency for local currency or another digital currency.

    SecurityWeek reports: "Researchers Estimate Ryuk Ransomware Operations to Be Worth $150 Million"

  • news

    Visible to the public $10 Billion in new funding proposed for CISA and GSA for cybersecurity

The Biden administration proposes new legislation to include more than $10 billion to improve the Federal Government's cybersecurity and IT after the massive Russian cyber attack. Funds are planned for CISA and GSA to launch new cybersecurity and IT shared services and for the rapid hiring of technology experts.

  • news

    Visible to the public "NSA: DNS-over-HTTPS Provides 'False Sense of Security'"

    DNS-over-HTTPS (DoH) continues to grow in popularity among enterprises to improve privacy and integrity. The privacy protocol is supposed to help prevent eavesdropping and the manipulation of DNS traffic. However, the US National Security Agency (NSA) is warning enterprises of the false sense of security that the adoption of encrypted DNS services can give them. Encrypted DNS services are useful for home and mobile users and networks that do not use DNS controls, but the US security agency does not recommend the use of such services for most enterprises. The agency has pointed out that DoH can disrupt tools used to monitor DNS traffic for malicious or suspicious activity. The NSA also warns that DoH can be used to hide malware command-and-control (C&C) communications traffic. This article continues to discuss the concept and growing popularity of DoH and why the NSA urges most enterprises to avoid using DoH inside their networks.

    Infosecurity Magazine reports "NSA: DNS-over-HTTPS Provides 'False Sense of Security'"

  • news

    Visible to the public "Google Boots 164 Apps from Play Marketplace for Shady Ad Practices"

Researchers at White Ops discovered 164 apps that mimic legitimate apps in order to garner downloads and then bombard the user with unexpected ads. The bad apps that were discovered didn't cover their tracks once they were downloaded onto a user's device. The researchers reported the bad apps to Google, and Google has removed the 164 apps, which were downloaded a total of 10 million times from the Google Play marketplace. The researchers recommend that users block any apps that call ads from activities inside the package com.tdc.adservice.

    Threatpost reports: "Google Boots 164 Apps from Play Marketplace for Shady Ad Practices"

  • news

    Visible to the public "What the Automotive Industry Needs to Learn from Nissan's Cybersecurity Error"

    Nissan North America source code was leaked online because of the misconfiguration of a company Git server left exposed with default credentials. The Git repository contained the source code of Nissan NA Mobile apps, Dealer Business Systems, client acquisition and retention tools, market research tools, the Nissan ASIST diagnostics tool, internal core mobile library, vehicle logistics portal, and more. According to Tillie Kottmann, the Swiss IT consultant and developer who discovered the code, this data has been offered on torrent links and Telegram groups. Nissan's data breach is one of many cybersecurity incidents faced by automakers. Carmakers have to find a balance between security and convenience. A study released by Upstream Security found that cyber hacks might cost the auto industry $24 billion within five years. Another study by Ponemon revealed that almost 30% of companies in the automotive segment do not have a cybersecurity team in place. Many automotive companies do not even work with third-party vendors to help bolster the security of software in connected cars. This article continues to discuss Nissan's data breach, cybersecurity incidents experienced by other car manufacturers, the lack of consideration for cybersecurity among automakers, and the need for enterprises to consider connected cars as an insider threat.

    CISO MAG reports "What the Automotive Industry Needs to Learn from Nissan's Cybersecurity Error"

  • news

    Visible to the public "Researchers Explore How to Share Data and Keep Privacy"

Researchers from the Australian National University (ANU) and the University of Duisburg-Essen in Germany published a new book titled Linking Sensitive Data, which discusses how data sharing and the preservation of people's privacy can be improved. Improving how we share sensitive data could help solve problems faced in healthcare and national security. The authors call for privacy to be a top priority as linking sensitive data from different sources grows more common. One example that highlights the importance of improving data privacy is the linking of personal medical records with travel and immigration data to help countries manage the spread of COVID-19. The researchers at ANU have been developing new techniques to prevent the exposure of personally identifiable information (PII). Their techniques involve the use of encoding and encryption methods. This article continues to discuss the new book and the importance of improving the way we share sensitive data.

    The Australian National University reports "Researchers Explore How to Share Data and Keep Privacy"

  • news

    Visible to the public "Hackers Compromise Mimecast Certificate For Microsoft Authentication"

The email security vendor Mimecast has announced that hackers compromised a Mimecast-issued certificate used to authenticate several of the company's products to Microsoft 365 Exchange Web Services. The compromised certificate is used to authenticate Mimecast's Sync and Recover, Continuity Monitor, and Internal Email Protect (IEP) products to Microsoft 365. Mimecast was made aware of the incident by Microsoft. According to Mimecast, about 10% of its customers use the compromised connection. Those using this certificate-based connection to Microsoft 365 are urged to immediately delete the existing connection within their Microsoft 365 tenant. Once they delete this connection, they should re-establish a new certificate-based connection using the new certificate that has been issued by Mimecast. The company declined to comment on whether this attack was carried out by the same sophisticated attackers behind the SolarWinds supply-chain attack. This article continues to discuss the compromise of a Mimecast certificate used for Microsoft authentication, the impact of this incident on the company's stock, and the SolarWinds hacking campaign.

    CRN reports "Hackers Compromise Mimecast Certificate For Microsoft Authentication"

  • news

    Visible to the public "Ring Adds End-to-End Encryption to Quell Security Uproar"

Ring smart doorbells have faced years of criticism from cybersecurity experts for flaws in their system that left video and data collected by the system open to theft by adversaries. After many cybersecurity experts stated that Ring lacked attention to basic digital security, the smart doorbell maker is now providing an end-to-end encryption feature free to users. According to Ring, the new feature can be added to less than 50 percent of its in-use products. Older model smart-doorbell products, such as its first and second-generation video doorbells, cannot be upgraded with the added protection.

    Threatpost reports: "Ring Adds End-to-End Encryption to Quell Security Uproar"

  • news

    Visible to the public "What if Opting Out of Data Collection Were Easy?"

Many sites allow users to opt out of some of their data collection and use practices. However, this choice is hard to find as it is often hidden in long, difficult-to-read privacy policies. A new study by researchers from Carnegie Mellon University's CyLab shows that it is possible to automatically extract and classify some of these opt-out options through Machine Learning (ML) techniques. This study introduces a novel browser extension called Opt-Out Easy that can automatically extract opt-out choices from privacy policies. The plug-in is said to be user-friendly and easy to use. CyLab's Norman Sadeh, the principal investigator on the study, highlighted the existence of different privacy regulations that grant users the right to control how companies use their data, in addition to the difficulty of accessing these choices on most websites. Sadeh's team trained an ML algorithm to scan policies for language and links regarding the option to opt out of a website's data collection practices. The Opt-Out Easy plug-in, developed in collaboration with researchers at the University of Michigan School of Information, is now available to Google Chrome users. This article continues to discuss the study, development, capabilities, and goal of the Opt-Out Easy browser extension.

    CyLab reports "What if Opting Out of Data Collection Were Easy?"

  • news

    Visible to the public "DarkSide Decryptor Unlocks Systems Without Ransom Payment – for Now"

    The antivirus company Bitdefender released a free decryptor for DarkSide ransomware to allow victims to unlock their systems and recover their files without having to pay a ransom. According to Bitdefender, their tool can automatically scan and search for file extensions related to the files encrypted by DarkSide ransomware and then decrypt them. The DarkSide ransomware group is relatively new in that it first emerged in August 2020. DarkSide operates under a ransomware-as-a-service business model as it sells or leases customized versions of their malware to other partners to use in their own ransomware operations. The group uses a highly targeted approach in its selection of victims. Digital Shadows revealed that the group carefully crafts custom code for each of its targets and applies corporate-like communications methods. This article continues to discuss the DarkSide decryptor released by Bitdefender, observations surrounding this ransomware gang, DarkSide's response to the decryptor, and the growing sophistication of ransomware groups.

    SC Media reports "DarkSide Decryptor Unlocks Systems Without Ransom Payment - for Now"

  • news

    Visible to the public "Healthcare Hit by 187 Million Monthly Web App Attacks in 2020"

    Researchers at Imperva, a security vendor, have discovered that web application attacks in the healthcare sector surged in December. Attacks jumped 51% last month from detected volumes in November. Four specific attack types saw the largest increases: cross-site scripting (XSS) detections jumped 43%; SQL injection attacks surged 44%; protocol manipulation attacks soared 76%; and remote code execution/remote file inclusion detections increased 68% in December. The researchers also found that global healthcare organizations (HCO) experienced 187 million attacks per month on average, which amounts to nearly 500 attacks per HCO each month, a 10% increase year-on-year. The UK, Canada, Brazil, and the US were the top countries targeted in 2020. In just the first three days of 2021, Imperva saw a 43% increase in data leakage.

    Infosecurity reports: "Healthcare Hit by 187 Million Monthly Web App Attacks in 2020"

  • news

    Visible to the public "Critical WordPress-Plugin Bug Found in ‘Orbit Fox’ Allows Site Takeover"

Researchers at Wordfence have discovered two vulnerabilities (one critical) in a WordPress plugin called Orbit Fox. Orbit Fox is a multi-featured WordPress plugin that works with the Elementor, Beaver Builder, and Gutenberg site-building utilities. It allows site administrators to add features such as registration forms and widgets. The plugin, from a developer called ThemeIsle, has been installed on 400,000+ sites. The first flaw found is an authenticated privilege-escalation flaw that carries a CVSS bug-severity score of 9.9, making it critical. Authenticated attackers with contributor level access or above can elevate themselves to administrator status and potentially take over a WordPress site. The second bug found by the researchers is an authenticated stored cross-site scripting (XSS) issue that allows attackers with contributor or author level access to inject JavaScript into posts. This injection could be used to redirect visitors to malvertising sites or create new administrative users, among other actions. The second bug is rated 6.4 on the CVSS scale, making it medium severity.

    Threatpost reports: "Critical WordPress-Plugin Bug Found in 'Orbit Fox' Allows Site Takeover"

  • news

    Visible to the public "'Rogue' Android RAT Can Take Control of Devices, Steal Data"

    Security researchers at Check Point recently discovered a Mobile Remote Access Trojan (MRAT). According to the researchers, the MRAT dubbed Rogue was developed by known Android malware authors Triangulum and HeXaGoN Dev, who have been selling their malicious products on cybercriminal underground markets for a number of years. The Rogue RAT can hide its icon from the user once it successfully compromises their device and gains all of the required permissions. The user is repeatedly asked for permissions by the malware until they grant them. In addition, the malware registers as a device administrator and threatens to erase all data on the device if the user tries to revoke the malware's administrator permissions. Rogue uses the Firebase platform, a Google service for apps, to hide its malicious intentions and masquerade as a legitimate Google service. This article continues to discuss the development, distribution, and capabilities of the Rogue Android RAT.

    Security Week reports "'Rogue' Android RAT Can Take Control of Devices, Steal Data"

  • news

    Visible to the public "Updated macOS Cryptominer Uses Fresh Evasion Techniques"

Researchers at SentinelLabs have identified an updated version of OSAMiner, the cryptominer that targets the Mac operating system to mine Monero. According to SentinelLabs, OSAMiner has been active since 2015, spreading through compromised video games like League of Legends and hacked versions of software packages such as Microsoft Office for macOS. The latest version of OSAMiner uses new techniques to evade detection. This malware now uses multiple versions of AppleScript, a scripting language used to automate macOS actions, to improve obfuscation. OSAMiner uses run-only AppleScripts to make it more difficult for its code to be reverse-engineered. In order to decompile the malware scripts, the researchers used a lesser-known AppleScript disassembler project and a custom tool developed by SentinelLabs. The researchers discovered that the malware uses multiple methods to execute the run-only AppleScript. These methods include a script to ensure the parent script's persistence, a parent script to kill running processes on a device, an anti-analysis AppleScript to perform tasks in support of evasion, a script that downloads the XMR-STAK-RX RandomX miner, and more. This article continues to discuss new techniques used by the updated version of OSAMiner to prevent detection and other reports of attacks targeting macOS devices to plant cryptominers.

    GovInfoSecurity reports "Updated macOS Cryptominer Uses Fresh Evasion Techniques"

  • news

    Visible to the public "Google Reveals Sophisticated Windows and Android Hacking Operation"

Google has released a six-part report providing details about a complex hacking operation discovered in early 2020. The hacking operation targeted Android and Windows devices. According to Google, the attacks were launched via two exploit servers. Each server delivered a different exploit chain through watering hole attacks, which are performed by gathering information about a targeted group regarding what websites they frequently visit and installing malware on those sites to infect that group's systems. One server targeted Windows users, while the other targeted Android users. Both exploit servers abused vulnerabilities in Google Chrome to gain initial access to victims' devices. The attackers used an OS-level exploit to gain more control over a victim's device once they had successfully established an initial entry point in the victim's browser. The exploit chains included zero-day and n-day vulnerabilities. These servers contained four renderer bugs in Google Chrome, two sandbox escape exploits that abuse zero-day flaws in the Windows OS, and a privilege escalation kit consisting of n-day exploits for older versions of the Android OS. This article continues to discuss the findings shared by Google surrounding the sophisticated Windows and Android hacking operation.

    ZDNet reports "Google Reveals Sophisticated Windows and Android Hacking Operation"

  • news


    held JANUARY 25-27, 2021