News Items

  • news

    "Azov Ransomware Is a Wiper, Destroying Data 666 Bytes at a Time"

    The Azov Ransomware is still widely distributed worldwide, and it has now been proven to be a data wiper that destroys victims' data and infects other programs. A threat actor began distributing 'Azov Ransomware,' which pretended to encrypt victims' files, via cracks and pirated software. Instead of providing contact information to negotiate a ransom, the ransom note instructed victims to contact security researchers and journalists in order to frame them as the ransomware's developers. Jiří Vinopal, a Check Point security researcher, examined the Azov Ransomware and confirmed that the malware was specifically designed to corrupt data. The malware included a timer that would cause it to remain dormant on the victim's devices until October 27th, 2022, at 10:14:30 AM UTC, after which it would corrupt all data on the device. Vinopal stated that it would overwrite a file's contents and corrupt data in 666-byte chunks. Vinopal explained that in every cycle, exactly 666 bytes are overwritten with random (uninitialized) data, and the next 666 bytes are left unchanged. Other 64-bit executables on the Windows device with a file path that does not contain certain strings will be infected, or 'backdoored,' by the data wiper. When malware backdoors an executable, it injects code, causing the data wiper to launch when a seemingly harmless executable is launched. This article continues to discuss recent findings surrounding the Azov Ransomware.

    Bleeping Computer reports "Azov Ransomware Is a Wiper, Destroying Data 666 Bytes at a Time"
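
A triage helper, written here as an added example (not code from Check Point, Bleeping Computer, or the Azov sample itself): it checks whether a file shows the alternating 666-byte damage pattern described above, by comparing 666-byte windows against a known-good copy when one exists and by per-window entropy when none does, and it collects the untouched runs for partial recovery. The entropy thresholds, the acceptance of either window phase, and the constructed sample "document" are this example's own assumptions.

```python
"""Triage helpers for files suspected of Azov-style wiping.

Azov damages a file in alternating runs: 666 bytes replaced with random data,
the next 666 bytes left untouched, repeated to the end of the file.  Two checks:

  1. damaged_windows() + matches_azov_stride(): with a known-good copy (backup,
     package mirror, VCS checkout), compare 666-byte windows and test whether
     exactly every other window was altered.
  2. entropy_profile() + looks_striped(): without a reference copy, score each
     666-byte window's Shannon entropy and look for a high/low alternation.
     Only meaningful for files whose original content is not itself random
     (text, office documents, uncompressed binaries); a hint, not proof.

Thresholds and the sample data are this example's own assumptions.
"""
import math
import random
from typing import List

STRIDE = 666  # run length the article reports: 666 bytes wiped, 666 kept


def damaged_windows(good: bytes, suspect: bytes, stride: int = STRIDE) -> List[bool]:
    """One flag per stride-sized window of the common length: True if altered.

    Comparing whole windows instead of single bytes avoids fragmenting a wiped
    run wherever a random byte happens to equal the original one.
    """
    n = min(len(good), len(suspect))
    return [good[i:i + stride] != suspect[i:i + stride] for i in range(0, n, stride)]


def matches_azov_stride(flags: List[bool], min_windows: int = 4) -> bool:
    """True when damage strictly alternates window by window.

    The article describes the wiped run coming first; either phase is accepted
    here (an assumption) so a file that starts with an intact run is not missed.
    """
    if len(flags) < min_windows or flags[0] == flags[1]:
        return False
    return all(f == flags[i % 2] for i, f in enumerate(flags))


def shannon_entropy(buf: bytes) -> float:
    """Bits per byte: 8.0 is the maximum (uniform random), English text is ~4.5."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def entropy_profile(data: bytes, stride: int = STRIDE) -> List[float]:
    """Entropy of each full stride-sized window; a trailing partial window is ignored."""
    full = len(data) - len(data) % stride
    return [shannon_entropy(data[i:i + stride]) for i in range(0, full, stride)]


def looks_striped(profile: List[float], high: float = 7.0, low: float = 5.5,
                  min_windows: int = 4) -> bool:
    """Heuristic: windows alternate between >= high (random fill) and <= low (original).

    666 uniformly random bytes score roughly 7.7 bits, so 7.0 leaves margin;
    5.5 separates them from text-like content but would not from compressed data.
    """
    if len(profile) < min_windows:
        return False

    def phase_ok(first_high: bool) -> bool:
        return all((e >= high) if ((i % 2 == 0) == first_high) else (e <= low)
                   for i, e in enumerate(profile))

    return phase_ok(True) or phase_ok(False)


def intact_windows(data: bytes, wiped_first: bool = True, stride: int = STRIDE) -> List[bytes]:
    """The runs the wiper left alone: every other window survives, so partial
    recovery (strings, fragments of records) is possible even without a backup."""
    start = stride if wiped_first else 0
    return [data[i:i + stride] for i in range(start, len(data), 2 * stride)]


def build_sample(cycles: int = 6, seed: int = 1337):
    """Constructed test data only (not real Azov output): a text 'document'
    and a copy damaged in the alternating pattern described in the article."""
    rng = random.Random(seed)
    text = b"Quarterly report: revenue up, costs flat, headcount stable. " * 200
    text = text[:2 * STRIDE * cycles]
    damaged = bytearray(text)
    for off in range(0, len(damaged), 2 * STRIDE):  # wipe the first 666 of each 1332
        damaged[off:off + STRIDE] = bytes(rng.getrandbits(8) for _ in range(STRIDE))
    return bytes(text), bytes(damaged)


if __name__ == "__main__":
    good, bad = build_sample()
    flags = damaged_windows(good, bad)
    print("windows altered:", flags)
    print("Azov stride (vs. backup):", matches_azov_stride(flags))
    print("Azov stride (entropy only):", looks_striped(entropy_profile(bad)))
    print("intact bytes recoverable:", sum(len(w) for w in intact_windows(bad)))
```

On a real system the entropy check is only a prioritisation aid; confirm against backups or known-good hashes before concluding a file was wiped rather than legitimately compressed or encrypted.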

  • news

    "Cybersecurity May Fail Without Nudge in the Right Direction"

    New research conducted in collaboration with Duke University psychologists has linked employee security behavior to attitudes and emotions. Cybersecurity research has revealed that most employees would try to avoid security controls put in place to prevent access to unapproved applications at work, but a more positive experience could help. According to new Nudge Security research, undesirable security behaviors may be due to basic human emotions rather than a lack of awareness. The company's new report, titled "Debunking The 'Stupid User' Myth in Security," provides insight into how employees' attitudes and emotions impact security behaviors. Nudge says the report confirms that employees are more likely to comply with security controls if they find the experience positive and reasonable, based on research conducted in consultation with leading psychologists at Duke University. According to Russell Spitler, CEO and co-founder of Nudge Security, the study found evidence that improving employee security experiences can lead to better security outcomes. The study put 900 people through a scenario in which they had to use a Software-as-a-Service (SaaS) application for work. Participants were assigned at random to one of three "security interventions," which either blocked access to the application, revoked access punitively, or nudged participants to justify why they needed access. They were then asked to rate how reasonable they thought the intervention was, how they felt about it, and how likely they were to comply with it. Participants' attitudes and emotions were found to be highly correlated with their likelihood of compliance. Sixty-seven percent of the participants said they would not comply with the blocking intervention and would instead seek a workaround. According to Nudge, participants perceived "nudging" as the most positive and reasonable intervention and were three times more likely to feel negative about the blocking and punitive interventions. Seventy-eight percent of the participants said they would comply with a nudge, which was more than double the compliance rate of the blocking intervention. This article continues to discuss the study exploring the influence of employees' perceptions and emotions on security behaviors.

    AI Magazine reports "Cybersecurity May Fail Without Nudge in the Right Direction"

  • news

    "Cybersecurity Breaches Call for Rental Data Collection Overhaul"

    Recent data breaches have further raised concerns about the security of personal information handled by corporations. One industry where a large-scale cybersecurity breach would be disastrous is real estate. Renters are increasingly concerned about data breaches in the rental sector, as they provide large amounts of personal information when applying for rental housing. Transparency regarding how this information is used, shared, and secured is often found to be lacking and unclear. According to Dr. Chris Martin, Senior Research Fellow at the University of New South Wales (UNSW) City Futures Research Centre, the ability of real estate agents and landlords to collect vast amounts of sensitive information is a major concern. The tenancy law expert calls on governments to regulate data collection in the rental sector. Real estate agents and landlords are gathering a lot more personal information, with arguably not much of a purpose, according to Dr. Martin. As a result, there is a significant risk that all of that information will fall into the wrong hands. Multiple identification documents, bank statements, utility bills, employment information, and rental history are common requests, and together they are more than enough to falsify an identity. In addition, requests for social media accounts, pet profiles, and self-funded background checks are becoming more prevalent. The types of questions asked in tenancy applications are becoming more intrusive, and applicants may not want to provide that level of information due to privacy concerns, but they have little choice. According to Dr. Martin, the problem stems from a lack of regulation regarding the amount and type of information that property managers can request from tenants. Most states and territories have few restrictions on what agents can collect. Only recent amendments to the Victorian Residential Tenancies Act prohibit landlords and agents from asking tenants about previous disputes with rental providers, bond history, bank statements with daily transactions, or information about protected characteristics under discrimination law. This article continues to discuss the limitations of existing tenancy and privacy laws and the need for governments to regulate data collection in the rental sector.

    UNSW reports "Cybersecurity Breaches Call for Rental Data Collection Overhaul"

  • news

    "Global Supply Chains Threatened by the Rise of Ransomware"

    Mark Atwood, Gartner's Global Research and Advisory leader, points out that cyberattacks continue to pose an ongoing, evolving threat to businesses across all industries, citing NCC Group's Annual Threat Monitor report, which found that ransomware attacks nearly doubled in 2021, rising 92.7 percent from the previous year. According to the Gartner report titled "Combating Enterprise and Ecosystem Cybersecurity Threats," published in September, 63 percent of respondents expected a 5 percent increase in spending on supply chain cybersecurity. In addition, the most popular technique for combating supply chain cyberattacks is an audit of suppliers, manufacturers, and logistics partners. However, this is insufficient. Research has shown that businesses overestimate the cybersecurity of their supply chain. On a scale of one to seven, with one being not at all secure and seven being completely protected, respondents were asked how secure they thought their supply chains were, and 83 percent rated themselves a four or higher. According to Geert van der Linden, Cybersecurity Business Lead at Capgemini, this false sense of security is dangerous given the state of global industry, as manufacturing surpassed financial services last year as the sector most targeted by cybercriminals. Legacy technology from a time when cybersecurity was not even a thought has created opportunities for attackers to exploit. The industry's transition to smart factories has also raised complex cybersecurity issues that organizations must address. Forty percent of organizations have been victims of a cyberattack on their smart factories in the last year, and this will only become more common if organizations do not respond. Improved visibility of networked devices is critical for detecting when they have been compromised, and regular system-risk assessments help prevent attacks, but much more needs to be done if global businesses are to combat the threats of rampant ransomware and other cyberattacks. This article continues to discuss experts' key points on the rise in cyberattacks and the threat that such attacks pose to global supply chains.

    Technology Magazine reports "Global Supply Chains Threatened by the Rise of Ransomware"

  • news

    "Microsoft: China Flaw Disclosure Law Part of Zero-Day Exploit Surge"

    Microsoft is warning that China-based nation-state threat actors are taking advantage of a one-year-old law to "stockpile" zero-days for use in sustained malware attacks. According to Microsoft, China's government hacking groups have become "particularly proficient at discovering and developing zero-day exploits" after strict mandates around early vulnerability disclosure went into effect. Microsoft was able to make a direct connection between China's vulnerability reporting regulation, which went into effect in September 2021, and a surge in zero-day attacks documented over the last two years. Microsoft stated that the increased use of zero-days over the last year by China-based actors likely reflects the first full year of China's vulnerability disclosure requirements for the Chinese security community and a significant step in using zero-day exploits as a state priority. Microsoft noted that the Chinese regulation requires the reporting of vulnerabilities to a government authority for review prior to the vulnerability being shared with the product or service owner, providing a zero-day window for malicious exploitation. Microsoft stated that this new regulation might enable elements in the Chinese government to stockpile reported vulnerabilities and weaponize them. Microsoft was able to document multiple in-the-wild zero-day attacks linked to China's state-backed hackers and noted that the time between the availability of security patches and exploitation continues to shrink rapidly. Microsoft is urging defenders to prioritize patching zero-day vulnerabilities as soon as fixes are available and to invest in tools that document and inventory all enterprise hardware and software assets, so that risk can be determined and patches acted on quickly.

    SecurityWeek reports: "Microsoft: China Flaw Disclosure Law Part of Zero-Day Exploit Surge"

  • news

    "Partners Team Up to Fight Cybercrime"

    The Calgary Police Service, the University of Calgary, and the cybersecurity firm ENFOCOM Corporation have formed a new public-private partnership to develop the infrastructure and processes required to pursue cybercriminals. The collaboration, which began in early October to coincide with Cyber Awareness Month, builds on the University of Calgary's growing expertise and capability in information security. This includes the on-campus Canadian Cyber Assessment Training and Experimentation Center (CATE). CATE is a comprehensive resource for law enforcement, academia, innovators, and cybersecurity professionals that allows for safe experimentation and research. The center is led by a consortium comprised of the University of Calgary, Calgary-based Raytheon Canada, and ENFOCOM. CATE has a cutting-edge, highly automated "cyber range," which is an interactive technology environment, as well as cyber assessment, experimentation, and integration labs. The modular and scalable architecture of the center can simulate complex real-world digital enterprises. CATE can be structured as a virtual environment to simulate cyberattacks that appear convincingly real. Being able to carry out such simulated cyberattacks builds credibility among cybercriminals on the dark web. Developing that credibility allows police to move up the criminal food chain, enabling them to identify and collect evidence on those behind cyberattacks. Sgt. Kevin Paul, head of the Calgary Police Service's cybercrime team, says cybercrimes frequently result in complex investigations requiring the participation of multiple external agencies, which is why partnerships are critical to the advancement of investigations. ENFOCOM CEO Herbert Fensury says his company has collaborated with public, academic, and corporate entities to address the skills gap among cyber professionals and provide a safe super-lab to test current and future incident responses. This article continues to discuss the new partnership formed to combat cybercrime.

    University of Calgary reports "Partners Team Up to Fight Cybercrime"

  • news

    "Zurich and Mondelez Reach NotPetya Settlement, but Cyber-Risk May Increase"

    Zurich American Insurance and Mondelez International have recently settled their dispute over the confectionery giant's $100m claim related to the 2017 NotPetya cyberattack. The lawsuit has been widely considered a test case for property war exclusions concerning cyberattacks. Julia O'Toole, CEO of MyCena Security Solutions, stated that this widely publicized case between Zurich and Mondelez International has paved the way for how future insurance claims relating to nation-state breaches will be handled. According to court documents seen by Law360, the parties have mutually resolved the matter, but details of the settlement were not provided. Mondelez initially tried to claim roughly $100m in losses related to the 2017 NotPetya events under its "all-risk" property insurance. The malware reportedly damaged 1,700 of its servers and 24,000 laptops, disrupting distribution and customers. Zurich, in turn, invoked the policy's war exclusion, which excluded loss or damage caused by or resulting from hostile or warlike action by any government or sovereign power or their agents (since the NotPetya threat actors were associated with Russia). The insurance claim made by Mondelez triggered action by insurers to eliminate silent cyber coverage within traditional insurance policies. According to O'Toole, insurers can no longer afford to cover cyber negligence, and a big focus for them in the coming months will be network access and network segmentation. O'Toole noted that insurers will want to see organizations getting better control over their user access credentials, so they are not so easy for attackers to steal. O'Toole stated that organizations that do not follow good cybersecurity practices in the future may struggle to get insurance or find their current policies are no longer valid. According to a new report by Marsh, many organizations will miss out on cyber insurance in 2023.

    Infosecurity reports: "Zurich and Mondelez Reach NotPetya Settlement, but Cyber-Risk May Increase"

  • news

    "SolarWinds Agrees to Pay $26 Million to Settle Shareholder Lawsuit Over Data Breach"

    Texas-based IT management solutions provider SolarWinds has recently agreed to pay $26 million to settle a shareholder lawsuit over the data breach disclosed by the company in 2020. The cyberattack involved Russia-linked threat actors breaching SolarWinds systems in 2019 or possibly even earlier. The adversaries compromised the automated build environment for the company's Orion monitoring software, and in the spring of 2020, they pushed out malicious Orion updates to SolarWinds customers. The malicious updates were sent out to thousands of SolarWinds customers, but only approximately 100 organizations were of interest to the attackers and received additional malware. These included private and government organizations. The breach came to light in December 2020. In January 2021, SolarWinds investors filed a class action lawsuit against the company, unhappy with the impact the breach and its disclosure had on the value of their shares. The settlement, which has been authorized and approved by insurers, still needs to be approved by a court. According to an SEC filing, the SEC might be taking action against the company over its "cybersecurity disclosures and public statements, as well as its internal controls and disclosure controls and procedures." SolarWinds' latest financial report shows that the cybersecurity incident has cost it tens of millions of dollars to date, and the company expects to continue to incur significant expenses associated with the breach.

    SecurityWeek reports: "SolarWinds Agrees to Pay $26 Million to Settle Shareholder Lawsuit Over Data Breach"

  • news

    "6 Election Security Threats to Watch for on Election Day"

    The midterm elections face digital threats, ranging from stolen Twitter accounts to hacked election websites, which could cause confusion and unrest long after the polls close. There is a risk that hackers could infiltrate voting machines and other election infrastructure in order to undermine votes. Because the US has many safeguards in place to protect voting equipment, any actual hack would most likely be localized, quickly detected, and unlikely to affect final results. Regardless, even the attempt to change votes or the mere allegation of tampering could erode trust in the outcome. The US officials responsible for election security say they are on the lookout for threats from various groups and countries. In addition, social media companies and cybersecurity researchers have identified Chinese influence operations aimed at the elections in recent months. According to Matthew Weil, executive director of the Bipartisan Policy Center's Democracy Program, increased attention to voting system security has not eliminated critical technical and human threats to elections. Since 2016, the federal government has worked to improve coordination with state and local officials on addressing digital vulnerabilities, promoting trusted information sources, and more. Officials in the Biden administration say this is one reason they have seen less foreign interference than in 2016. However, as Cybersecurity and Infrastructure Security Agency (CISA) Director Jen Easterly, whose agency oversees federal election security efforts, recently told reporters, the current election threat environment is more complex than it has ever been. She cited how cyberattacks, disinformation, the harassment of election officials, and other threats are overlapping. This article continues to discuss the threats to keep an eye out for as midterm votes are cast, including mis- and disinformation, election office and campaign website crashes, campaign social media account hijacking, cyberattacks on voter registration databases, targeted voter harassment, and wireless modems enabling hacks of voting machines or vote tallies.

    Politico reports "6 Election Security Threats to Watch for on Election Day"

  • news

    "FCC Proposes to Strengthen Cybersecurity of Emergency Alert Systems"

    The Federal Communications Commission (FCC) recently voted to approve a notice of proposed rulemaking aimed at improving the cybersecurity of the nation's public warning system, in part by requiring Emergency Alert System (EAS) operators to report any breaches of their equipment to the agency within 72 hours. The proposal would require system participants to report any incident of unauthorized access to their EAS equipment to the commission within three days of learning, or of when they should have known, that an incident had occurred. Participants would be required to notify the agency within that timeframe and provide information about the breach, regardless of whether or not the compromise resulted in the transmission of a false alert. The EAS and Wireless Emergency Alert (WEA) systems are used to communicate emergency information to the public, most often about severe weather, disasters, or missing children. Local, state, and federal authorities issue the alerts, which are delivered via radio broadcasts, television, and mobile text messages. According to the FCC's notice of proposed rulemaking, the proposed rule is justified by recent instances of false EAS alerts caused by compromised EAS equipment transmitting a false message. The vote follows the Federal Emergency Management Agency's advisory on August 1 warning of certain vulnerabilities in EAS encoder/decoder devices that, if not updated to the most recent software versions, could enable a threat actor to issue EAS alerts over the host infrastructure (i.e., TV, radio, cable network). Previous incidents, both deliberate and unintentional, have highlighted the panic that false emergency alerts can cause. For example, in January 2018, a Hawaii emergency management employee sent out an alert incorrectly warning residents to seek shelter from an incoming ballistic missile. In 2020, a hacker breached a local cable TV emergency alert system in Washington state, sending out false warnings about a radiological emergency. This article continues to discuss the FCC's efforts to strengthen the security of the nation's alerting systems.

    NextGov reports "FCC Proposes to Strengthen Cybersecurity of Emergency Alert Systems"

  • news

    "Apple Rolls Out Xcode Update Patching Git Vulnerabilities"

    Apple recently announced a security update for the Xcode macOS development environment to resolve three Git vulnerabilities, including one leading to arbitrary code execution. The first of the issues, CVE-2022-29187, is a variant of CVE-2022-24765, a bug impacting users on multi-user machines, where "a malicious actor could create a .git directory in a shared location above a victim's current working directory." Apple noted that an attacker could exploit the flaw to create configuration files in the malicious .git directory and, by using specific variables, could achieve arbitrary command execution on the shared machine. Apple stated that the bug impacted all Git versions prior to 2.37.1, 2.36.2, 2.35.4, 2.34.4, 2.33.4, 2.32.3, 2.31.4, and 2.30.5. With the latest version of Xcode, Apple updated Git to version 2.32.3, which resolves "multiple issues." The latest Xcode iteration, version 14.1, now rolling out to macOS Monterey 12.5 and later, also resolves CVE-2022-39253, a security defect that could lead to information leaks. Tracked as CVE-2022-39260, the third Git vulnerability resolved in Xcode this week could lead to arbitrary code execution. A fourth vulnerability addressed in Xcode 14.1 impacts the IDE's Xcode Server. Tracked as CVE-2022-42797, the issue could allow malicious applications to gain root privileges.

    SecurityWeek reports: "Apple Rolls Out Xcode Update Patching Git Vulnerabilities"

  • news

    "Japan Joins Key NATO Cyber Agency"

    Japan has recently become the latest US ally to join NATO's Cooperative Cyber Defence Centre of Excellence (CCDCOE), in a move likely to anger Moscow. Defense Minister Seiichi Hamada stated that Japan's Ministry of Defense (JMOD) will formally join the NATO Cooperative Cyber Defence Centre of Excellence's activities following the completion of participation procedures. JMOD will continue collaborating with international partners to respond to threats in the cyber domain. Japan will join other non-NATO members, such as Australia and South Korea, as a contributing participant. The CCDCOE is based in Estonia and is involved in a range of activities in cyber-defense research, training, and exercises that span four focus areas: technology, strategy, operations, and law. As such, it plays a key role in shaping NATO responses in the cyber domain, now officially recognized as a legitimate military domain and part of Article 5. The CCDCOE was founded in 2008 after a series of massive cyberattacks in Estonia the year before crippled the country for weeks. The attacks were blamed on Russian hackers.

    Infosecurity reports: "Japan Joins Key NATO Cyber Agency"

  • news

    "Crimson Kingsnake Threat Actors Impersonate Global Law Firms in BEC Attacks"

    Researchers have discovered a new Business Email Compromise (BEC) group that has impersonated legitimate attorneys, law firms, and debt collection services to con accounting employees into paying fake invoices. The group, dubbed Crimson Kingsnake by Abnormal Security researchers, targets businesses in the US, Europe, the Middle East, and Australia. Since March, researchers have identified 92 domains linked to Crimson Kingsnake that have mimicked the domains of 19 law firms and debt collection agencies in the US, the UK, and Australia, including major global practices such as Deloitte. According to Crane Hassold, director of threat intelligence at Abnormal Security, researchers were able to associate multiple non-proxy IP addresses with members of the group, indicating that at least some of the actors are based in the UK. Although Nigeria remains the main epicenter for BEC actors, other countries such as South Africa, the United Arab Emirates, Turkey, and the UK are slowly emerging. BEC continues to cost businesses millions of dollars, with the Internet Crime Complaint Center (IC3) reporting that BEC and email account compromise victims lost nearly $2.4 billion in 2021, and a recent Abnormal Security report highlighting that BEC attacks increased by 84 percent. The profitability of these types of attacks stems from various tactics relying on social engineering and emotional manipulation to instill fear in victims. Crimson Kingsnake attackers first send an email impersonating real-life attorneys from legitimate law firms, referencing an allegedly overdue payment owed by the target to the firm they represent. Then, to add legitimacy to the scam, the BEC group employs email spoofing. When a victim responds, the threat actor replies with payment account information in the form of a PDF invoice, which includes a bill number, bank account information, and the impersonated company's actual VAT ID. According to the researchers, the BEC group may even be using altered versions of legitimate invoices used by the impersonated firms. This article continues to discuss findings surrounding the new Crimson Kingsnake BEC group.

    Decipher reports "Crimson Kingsnake Threat Actors Impersonate Global Law Firms in BEC Attacks"

  • news

    "Medibank Admits Ransomware Attack Is Far Worse Than Previously Thought"

    Medibank revealed that a cyberattack on the company's systems in October impacted 9.7 million current and former customers, a number significantly higher than previously thought. The company, one of Australia's largest health insurance providers, disclosed on October 19 that it had been the victim of a cyberattack and was negotiating with the perpetrators. A week later, Medibank said the attacker had access to its 3.9 million customer records and hinted that the number of customers affected by the attack could grow significantly. Following an investigation, the company has revealed that the attacker obtained access to 9.7 million current and former customers' data, stating that it is required by law to keep certain customer information, including that of former customers, for specific periods of time, typically seven years from the date a customer leaves the company, but sometimes longer. The 9.7 million figure includes approximately 5.1 million Medibank customers, 2.8 million Ahm customers, and about 1.8 million international customers. The attacker also gained access to Ahm customers' Medicare numbers, as well as passport numbers and visa information for international student customers. Health claims data for roughly 160,000 Medibank customers, 300,000 Ahm customers, and 20,000 international customers were also accessed. This included the name and location of the service provider where customers received medical services, and codes associated with the diagnoses and procedures administered. The company has also decided not to pay a ransom to the attacker responsible for the data theft. It stated that this decision is consistent with the Australian government's position. This article continues to discuss the Medibank cyberattack having a greater impact than previously thought.

    ITPro reports "Medibank Admits Ransomware Attack Is Far Worse Than Previously Thought"

  • news

    "False Sense of Safety Undermines Good Password Hygiene"

    LastPass published the findings of its fifth annual Psychology of Password report, which revealed that, despite increased cybersecurity education, password hygiene has not improved. Regardless of generational differences between Boomers, Millennials, and Generation Z, the research reveals a false sense of password security based on current behaviors. Furthermore, LastPass discovered that while 65 percent of all respondents have received some form of cybersecurity education through school, work, social media, books, or courses via Coursera or edX, 62 percent almost always or mostly use the same password or a variation of it. The survey, which examined the password security behaviors of 3,750 professionals from seven countries, gathered information about respondents' mindsets and behaviors related to online security. The findings revealed a clear disconnect between their high confidence in password management and their risky behavior. While most professionals polled expressed confidence in their current password management, this does not translate to safer online behavior and can create a harmful false sense of security. Regarding password management, Generation Z is confident, but they are also the worst offenders of poor password hygiene. As the generation that has spent most of their lives online, Generation Z (1997-2012) believes their password methods are "very safe." When compared to other generations, they are the most likely to create stronger passwords for social media and entertainment accounts. However, while Generation Z is more likely to recognize that using the same or similar password for multiple logins is risky, they use a variation of a single password 69 percent of the time, compared to 66 percent of Millennials (1981-1996). Generation Z is the generation most likely to use memorization to keep track of their passwords (51 percent), with Boomers (1946-1964) the least likely to do so (38 percent). This article continues to discuss key findings from LastPass' fifth annual Psychology of Password report.

    Help Net Security reports "False Sense of Safety Undermines Good Password Hygiene"

  • news

    "RomCom Malware Woos Victims With 'Wrapped' SolarWinds, KeePass Software"

    The RomCom threat group is actively targeting various English-speaking countries, especially the UK, with a Remote Access Trojan (RAT) delivered through trojanized versions of popular software products such as SolarWinds Network Performance Monitor, the KeePass open-source password manager, and PDF Reader Pro. The threat research and intelligence team at BlackBerry discovered additional, more widespread campaigns being waged in other geolocations while analyzing a previous RomCom RAT campaign against the Ukrainian military that used fake Advanced IP Scanner software to deliver malware. Based on an analysis of the terms of service and Secure Sockets Layer (SSL) certificates of a new command-and-control (C2) server registered in the UK, the researchers determined that the UK and other English-speaking countries were new RomCom targets. According to Dmitry Bestuzhev, threat researcher at BlackBerry, the UK is now one of the most important RomCom targets, based on BlackBerry's analysis. The RomCom RAT is designed to exfiltrate any sensitive data or passwords once it is dropped. Bestuzhev adds that information is valuable, and when it is strategic, it helps the attacker build better offensive strategies and gain an advantage in any domain. Geopolitics will set new objectives. Since RomCom has been widely publicized, the group behind it was expected to change its tactics, techniques, and procedures (TTPs). This is not the group's first strategy shift, as RomCom was publicly associated with ransomware when it was discovered. The most recent campaigns demonstrate that this threat actor's motivation is not monetary. The new targets are defined by a geopolitical agenda. This article continues to discuss the RomCom Advanced Persistent Threat (APT) group expanding its efforts beyond the Ukrainian military into the UK and other English-speaking countries.

    Dark Reading reports "RomCom Malware Woos Victims With 'Wrapped' SolarWinds, KeePass Software"

  • news

    Visible to the public "FBI: Hacktivist DDoS Attacks Had Minor Impact on Critical Orgs"

    According to the FBI, Distributed Denial-of-Service (DDoS) attacks orchestrated by hacktivist groups have a minor impact on the services they target. As explained by the law enforcement agency in a private industry notification recently issued, this occurs because they target public-facing infrastructure such as websites rather than actual services, resulting in limited disruption. The FBI is aware of pro-Russian hacktivist groups using DDoS attacks to target critical infrastructure companies, which coincides with Russia's invasion of Ukraine, the agency said. These attacks are typically opportunistic and have little operational impact on victims. However, hacktivists frequently publicize and exaggerate the severity of the attacks on social media. As a result, the psychological impact of DDoS attacks is often greater than the service disruption. These groups commonly target high-profile or critical infrastructure organizations, such as financial institutions, emergency services, airports, government, health, and medical facilities. The hacktivists hope to increase their credibility by claiming greater impact or disruption than what actually occurred. In one recent example, the pro-Russian hacktivist group KillNet claimed responsibility for an attack on the websites of several major airports across the US. The DDoS attacks overwhelmed the servers that hosted these sites, making it impossible for travelers to book airport services or get flight updates. Although these DDoS attacks had no effect on flights, they did have a negative impact on a critical economic sector, causing delays in associated services. This article continues to discuss the FBI's private industry notification on the impact of hacktivist DDoS attacks.

    Bleeping Computer reports "FBI: Hacktivist DDoS Attacks Had Minor Impact on Critical Orgs"

  • news

    Visible to the public "Experts Find Urlscan Security Scanner Inadvertently Leaks Sensitive URLs and Data"

    The website urlscan[.]io, which scans websites for suspicious and malicious URLs, is leaking "a trove of sensitive information," according to security researchers. Positive Security co-founder Fabian Bräunlein stated that sensitive URLs to shared documents, password reset pages, team invites, payment invoices, and more are publicly listed and searchable. The cybersecurity firm noted that it began its investigation after GitHub notified an unknown number of users in February 2022 that their usernames and private repository names (i.e., GitHub Pages URLs) had been shared with the website for metadata analysis as part of an automated process. Urlscan[.]io, which is considered a web sandbox, is integrated into several security solutions via its Application Programming Interface (API). Given how this API is integrated and the volume of data in the database, an anonymous user can search for and retrieve a wide range of sensitive data. This included password reset links, email unsubscribe links, account creation URLs, API keys, Telegram bot information, DocuSign signing requests, shared Google Drive links, Dropbox file transfers, invite links to services like SharePoint, Discord, and Zoom, PayPal invoices, Cisco Webex meeting recordings, and even package tracking URLs. This article continues to discuss the Urlscan security scanner leaking sensitive URLs and data.
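    The practical check a defender wants after reading this is whether any URL on their own domains has been submitted to urlscan as a public scan with a token in it. The Python script below is an added example, not code from the article, Positive Security or urlscan.io: it builds the `domain:` search query the public search endpoint accepts (https://urlscan.io/api/v1/search/?q=...) and then triages the returned results, keeping only public scans of the organization's own hosts whose URL carries secret-like query parameters, a one-time-link path, or a long opaque token. The results array here is constructed sample data in the shape of a search response, so the script runs offline; the hostnames and the set of "secret-like" parameter names are assumptions to adapt.

```python
"""Triage urlscan.io search results for URLs on your own domains that look like
they carry secrets (reset tokens, invite codes, signed links).

Added example, not code from the original article or from urlscan.io. The
search endpoint and result fields follow urlscan's public search API
(GET https://urlscan.io/api/v1/search/?q=...), but SAMPLE_RESULTS below is
constructed data so the script runs offline.
"""
import json
import re
from typing import Dict, Iterable, List
from urllib.parse import parse_qsl, urlsplit

URLSCAN_SEARCH = "https://urlscan.io/api/v1/search/"

# Query-string keys that commonly carry bearer-style secrets (assumed list).
SECRET_PARAMS = {"token", "reset_token", "code", "invite", "key", "signature",
                 "sig", "access_token", "api_key", "apikey", "x-amz-signature"}

# Path fragments that usually indicate a one-time or capability URL.
SENSITIVE_PATH = re.compile(
    r"/(reset[-_]?password|password[-_]?reset|verify|invite|unsubscribe|"
    r"share|signing|download)\b", re.IGNORECASE)

# Long opaque strings (hex/base64url) in the path or query.
OPAQUE_TOKEN = re.compile(r"[A-Za-z0-9_-]{32,}")


def build_query(domain: str) -> Dict[str, object]:
    """Parameters a defender would send to the search endpoint for one domain."""
    return {"q": f"domain:{domain}", "size": 100}


def classify_url(url: str) -> List[str]:
    """Return the reasons a URL looks sensitive (empty list = looks benign)."""
    parts = urlsplit(url)
    reasons = []
    keys = {k for k, _ in parse_qsl(parts.query, keep_blank_values=True)}
    hits = sorted(k for k in keys if k.lower() in SECRET_PARAMS)
    if hits:
        reasons.append("secret-like query params: " + ",".join(hits))
    if SENSITIVE_PATH.search(parts.path):
        reasons.append("sensitive path segment")
    if OPAQUE_TOKEN.search(parts.path) or OPAQUE_TOKEN.search(parts.query):
        reasons.append("opaque token-length string")
    return reasons


def triage(results: Iterable[dict], own_domains: set) -> List[dict]:
    """Keep public scans of our own hosts and flag the sensitive-looking ones."""
    findings = []
    for r in results:
        url = r.get("page", {}).get("url") or r.get("task", {}).get("url", "")
        host = urlsplit(url).hostname or ""
        if not any(host == d or host.endswith("." + d) for d in own_domains):
            continue
        # Unlisted/private scans are not searchable by strangers; only public
        # submissions are the exposure described in the article.
        if r.get("task", {}).get("visibility", "public") != "public":
            continue
        reasons = classify_url(url)
        if reasons:
            findings.append({"url": url, "reasons": reasons,
                             "submitted": r.get("task", {}).get("time")})
    return findings


# Constructed sample results (shape follows urlscan's search response).
SAMPLE_RESULTS = json.loads("""[
 {"task": {"visibility": "public", "time": "2022-11-01T09:12:00Z",
           "url": "https://app.example.com/reset-password?token=3f9a8c1d2e4b5a6f7081920a1b2c3d4e"},
  "page": {"url": "https://app.example.com/reset-password?token=3f9a8c1d2e4b5a6f7081920a1b2c3d4e"}},
 {"task": {"visibility": "public", "time": "2022-11-01T10:00:00Z",
           "url": "https://www.example.com/pricing"},
  "page": {"url": "https://www.example.com/pricing"}},
 {"task": {"visibility": "unlisted", "time": "2022-11-02T08:30:00Z",
           "url": "https://app.example.com/invite/ab12cd34"},
  "page": {"url": "https://app.example.com/invite/ab12cd34"}},
 {"task": {"visibility": "public", "time": "2022-11-02T11:45:00Z",
           "url": "https://docs.other.example/share?sig=abc"},
  "page": {"url": "https://docs.other.example/share?sig=abc"}}
]""")

if __name__ == "__main__":
    for f in triage(SAMPLE_RESULTS, {"example.com"}):
        print(f["submitted"], f["url"], "->", "; ".join(f["reasons"]))
```

    Against the live service, replace SAMPLE_RESULTS with the `results` list returned by a GET to URLSCAN_SEARCH using build_query(...) as the parameters. Anything the script flags should be treated as burned (rotate the token, expire the invite), and the integration that submitted it should be switched to unlisted or private scan visibility so future submissions are not searchable.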

    THN reports "Experts Find Urlscan Security Scanner Inadvertently Leaks Sensitive URLs and Data"

  • news

    Visible to the public "CyLab Members Present Research at Annual FTC PrivacyCon"

    Carnegie Mellon University's (CMU) CyLab Security and Privacy Institute faculty, postdocs, and students presented their research at the Federal Trade Commission's (FTC) seventh annual PrivacyCon on November 1. The event gathered various stakeholders, including industry representatives, consumer advocates, government regulators, and academics, to discuss the latest consumer privacy and data security trends and research. Consumer surveillance, automated decision-making systems, children's privacy, Internet of Things (IoT) device privacy, augmented and virtual reality, dark patterns, and advertising technology were among the topics covered by presentations and panel discussions. One of the studies presented at the event, titled "Does Privacy Regulation Harm Content Providers? A Longitudinal Analysis of the Impact of the GDPR," presents evidence of websites' reactions to the European General Data Protection Regulation (GDPR) in both the US and the EU, such as an initial decrease in the number of third-party cookies and in the intensity of visitor tracking. According to the study, reactions differ between EU and US websites, as tracking among EU websites bounced back several months after the regulation took effect. The findings show a slight decrease in average page views per visitor on EU websites relative to US websites near the end of the study's observation period in November 2019, but no significant impact of the regulation on EU websites' delivery of new content, social media engagement with new content, or ranking in either the short or the long term. The researchers also found no evidence of differences in survival between EU and US content providers. Although the industry predicted serious consequences for content providers as a result of the GDPR, the authors of the paper found that websites that responded more strongly to the GDPR were less likely to be impacted by such a response. 
In comparison, websites that rely heavily on EU visitors found ways to avoid being negatively impacted by the regulation over time. This article continues to discuss the studies presented by CyLab members during FTC's seventh annual PrivacyCon.

    CyLab reports "CyLab Members Present Research at Annual FTC PrivacyCon"

  • news

    Visible to the public "Memory-Based Cyberattacks Become More Complex, Difficult To Detect"

    Malicious actors increasingly use memories as entry points for cyberattacks, raising concerns about system-level security, since memories are found nearly everywhere in electronics and breaches are hard to detect. Hackers continue targeting almost every consumer, industrial, and commercial segment. In addition, the number of devices connected to the Internet has increased, providing more opportunities for attackers to strike. According to a Splunk survey, 54 percent of enterprises experienced at least monthly system/network outages caused by cyberattacks. Reports have also revealed that memory safety issues account for about 70 percent of the vulnerabilities in Microsoft products. In a remote attack, malware enters the network or systems, including their memories. Generally, hackers look for design flaws and system/memory flaws. In almost any system, bad actors may attempt to attack the memory. The consequences can be as minor as installing a new operating system on an attacker-owned device, or as serious as compromising computers that handle financial, infrastructure, military, or transportation functions. Attackers are interested in all types of memory. Memory attacks are broadly classified into two types. The first involves attacks on the storage devices used to boot or load a machine's operating system or software. Physical access to the machine is often, but not always, required to mount an effective attack on the storage. However, an already compromised machine may further corrupt the storage, so the machine remains permanently compromised until it is completely erased and restarted. Encryption can help secure these storage devices. The second type of memory attack involves Random Access Memory (RAM) devices, which store temporary data. These devices are more likely to be attacked directly through the machine, including via Internet-connected attacks. Physical RAM attacks are also possible. 
This article continues to discuss the growing complexity of memory-based cyberattacks and the difficulty in detecting them.

    SemiEng reports "Memory-Based Cyberattacks Become More Complex, Difficult To Detect"

  • news

    Visible to the public  "In the Wake of Recent Data Breaches, Here's Why You Need to Check Your Credit Score. It Could Even Help Track Down Criminals"

    Millions of Australians' privacy has been violated by recent cyberattacks on Optus, Medibank, and other companies. Cybercriminals stole sensitive health and financial information that could be used to demand a ransom from victims, commit fraud, and more. Although law enforcement agencies are still investigating the source of these attacks, two things are already clear to cyber and national security experts. According to researchers Sascha-Dominik (Dov) Bachmann and Mohiuddin Ahmed, those who have been impacted by such attacks should check their credit records. They also say that Australia's international cyber engagement strategy, which outlines collaboration with other countries to maintain national cybersecurity, desperately needs an update. Making money is said to be the most common motivation for cybercrime, as the return on investment can be significant. A recent estimate found that a low-end attack costing about $34 could bring in $25,000, while a few thousand dollars spent on a more sophisticated attack could bring in $1 million for cybercriminals. Hackers can demand a ransom in return for the stolen information, and if that fails, they can make money from it in other ways. For example, names, birth dates, email addresses, driver's license numbers, and Medicare and passport information were stolen in the September Optus attack. Applying for credit cards is a quick way to turn this data into money. Many credit card companies have simple and streamlined identity verification processes. Along with stolen information such as a name, address, and driver's license number, cybercriminals need an email address, a phone number, and payslips. Phone numbers and email addresses are simple to provide, and fake payslips can be generated using free websites. In some cases, cybercriminals can use the credit cards immediately once they are approved. 
Unless the victim's credit report is checked as part of a subsequent mortgage or credit application, the victim will be unaware of the existence of this credit card. Although cybercriminals take steps to stay anonymous, applying for a credit card leaves traces that can be used to track them down. This article continues to discuss how cybercriminals can turn data into credit, how to track cybercriminals, and the need for stronger data protection rules.

    The Conversation reports "In the Wake of Recent Data Breaches, Here's Why You Need to Check Your Credit Score. It Could Even Help Track Down Criminals"

  • news

    Visible to the public "Cybersecurity Workforce Is Growing, But Worldwide Workforce Gap of 3.4 Million Continues to Present Problems"

    According to the annual (ISC)2 Cybersecurity Workforce Study, more cybersecurity professionals are working than ever, but the field is still far from being fully staffed. Despite a record 4.7 million cybersecurity professionals working worldwide, there is still a 3.4 million cybersecurity workforce gap that growth will not close in the next few years. Over 11,700 industry employees and hiring decision-makers worldwide participated in the Cybersecurity Workforce Study. Since last year, the cybersecurity workforce has grown by slightly more than 11 percent, with 464,000 more positions filled. Most regions experienced 12 percent to 15 percent hiring growth, with Asia-Pacific leading the way at 15.6 percent. North America followed with only 6.2 percent growth. Australia and South Korea struggled to keep up. Individual countries have outperformed, with the Netherlands (64.3 percent) and Japan (40.4 percent) experiencing significant growth. Only Germany and Singapore saw an increase in the number of vacant positions. At first glance, this appears to be good news for employers, but demand is still outpacing growth, causing the international workforce gap to grow at a little more than double the rate at which positions have been filled (a 26.2 percent year-over-year increase). Asia-Pacific was again a leader among regions, offsetting the hiring rush with a 52 percent increase in demand. Latin America was the only region where demand fell. In just one year, demand in India has increased by 630 percent, while demand in France has increased by 120.6 percent, and in numerous other countries, there have been increases from 55 percent to 75 percent. Individual industries are experiencing unique challenges in attracting enough cybersecurity workers, with government agencies, aerospace, education, insurance, and transportation reporting the greatest shortages. 
In addition, 70 percent of respondents across all industries believe that their organization's cybersecurity program is understaffed. Due to a lack of personnel, 50 percent of those polled believed their organization was at "moderate" or "extreme" risk of a cyberattack. This article continues to discuss key findings from the 2022 (ISC)2 Cybersecurity Workforce Study.

    CPO Magazine reports "Cybersecurity Workforce Is Growing, But Worldwide Workforce Gap of 3.4 Million Continues to Present Problems"

  • news

    Visible to the public  "Australia Sees Rise in Cybercrimes on Back of 'Destructive' Ransomware, State Actors"

    In the past year, Australia saw one cybercrime report every 7 minutes, with ransomware being the most destructive threat faced by the country. State actors continue to pose a persistent threat to the Australian Bureau of Statistics and other agencies whose personal data on the local population makes them appealing targets. According to the Australian Cyber Security Centre's (ACSC) 2021-2022 Annual Cyber Threat Report, the country saw a nearly 13 percent increase in reported cybercrime cases, to more than 76,000 last year, equating to one reported case every 7 minutes, up from every 8 minutes in the previous fiscal year. The Australian Federal Police, the Australian Criminal Intelligence Commission, the Australian Security Intelligence Organisation, the Defence Intelligence Organisation, and the Department of Home Affairs all contributed to the annual report. The ACSC identified ransomware as the most dangerous threat, with all sectors of the local economy directly impacted by such attacks last year, when 447 ransomware cases were reported. This was a 10 percent decrease from the previous year, but the report concluded that ransomware was still significantly underreported, particularly among victims who chose to pay a ransom. The education and training sector recorded the most ransomware incidents, moving up from fourth place the previous year; together, the top five sectors accounted for 47 percent of all reported ransomware attacks. Top-tier ransomware groups are still targeting major Australian organizations, but global trends show a decline in "big game" targeting and a shift toward small and medium-sized businesses (SMBs). However, this shift has yet to be observed in Australia. This article continues to discuss key findings from ACSC's 2021-2022 Annual Cyber Threat Report.

    ZDNet reports "Australia Sees Rise in Cybercrimes on Back of 'Destructive' Ransomware, State Actors"

  • news

    Visible to the public "Analysts Track Gift Cards to See How Scammers Use Them in BEC Attacks"

    Cofense analysts recently conducted a five-week experiment to gain insight into how scammers use gift cards in Business Email Compromise (BEC) attacks. The email security firm bought $500 worth of trackable gift cards to see what scammers did with them. The analysts used the gift cards to participate in 54 live BEC attacks over the five-week evaluation period to see what they could learn. According to Cofense, gift card scams operate similarly to other types of BEC scams, in which a company executive is impersonated to persuade an employee to make wire transfers or help commit other financial fraud. The scam has since expanded to include payroll diversion, invoice fraud, check fraud, and gift cards. If the unsuspecting victim takes the bait and responds to the scammer, they are directed to a nearby store to purchase gift cards, usually in $100 or $500 denominations. According to an FBI alert issued in May, global losses in BEC scams increased by 65 percent between July 2019 and December 2021, totaling $43 billion. The speed with which scammers moved funds surprised the analysts: each gift card was stolen, resold, and used for a purchase within 24 hours. The analysts also discovered that scammers preferred brand-specific cards such as Apple, Steam, or Google Play and were reluctant to accept Cofense's trackable cards, although many did. In one notable case, a scammer impersonated Cofense's CEO in an attempt to steal money from a senior researcher who has been working to raise BEC awareness. This article continues to discuss the study on how scammers use gift cards in BEC attacks.

    SC Media reports "Analysts Track Gift Cards to See How Scammers Use Them in BEC Attacks"

  • news

    Visible to the public "W4SP Stealer Stings Python Developers in Supply Chain Attack"

    Attackers are still attempting to infect developers' systems with the W4SP Stealer, a Trojan designed to steal cryptocurrency information, exfiltrate sensitive data, and collect credentials from developers' systems. According to a Phylum advisory, a threat actor has created 29 clones of popular software packages on the Python Package Index (PyPI), giving them benign-sounding names or deliberately naming them after legitimate packages with small misspellings, a practice known as typosquatting. When a developer installs one of the malicious packages, its setup script also installs the W4SP Stealer Trojan through a series of obfuscated steps. According to the researchers, the packages have received 5,700 downloads. Although W4SP Stealer targets cryptocurrency wallets and financial accounts, the current campaigns appear to be focused on developer secrets, according to Louis Lang, co-founder and CTO at Phylum. The attacks on PyPI by an unknown actor or group are only the most recent threats to the software supply chain. As the number of dependencies imported into software has grown dramatically, open-source components distributed through repository services such as PyPI and the Node Package Manager (npm) have become a popular attack vector. As in a 2020 attack on the RubyGems ecosystem and attacks on the Docker Hub image ecosystem, attackers attempt to use these ecosystems to distribute malware to unsuspecting developers' systems. In addition, security researchers at Check Point Software Technologies discovered ten PyPI packages containing information-stealing malware in August. According to Phylum researchers, this latest campaign's packages are a more sophisticated attempt to deliver the W4SP Stealer onto Python developers' machines. They went on to say that this is an ongoing attack with constantly changing tactics from a determined attacker, and that more malware like this is expected to appear in the near future. 
This article continues to discuss attackers creating fake Python packages and using rudimentary obfuscation techniques to infect developers' systems with the W4SP Stealer.

    Dark Reading reports "W4SP Stealer Stings Python Developers in Supply Chain Attack"

  • news

    Visible to the public "Google Proposes List of Five Principles for IoT Security Labeling"

    Google has proposed a set of five principles for Internet of Things (IoT) device security labeling, with the goal of increasing security and transparency for Internet-connected electronic devices. While acknowledging increased focus among policymakers, partners, developers, and public interest advocates in the last year, Google points out that IoT product labeling has been lacking, starting with the definition of labeling itself. Other areas of concern and debate include what a label should convey to consumers regarding security and privacy, where the label should be located, and how to achieve consumer acceptance. Under Google's proposal, a label is a printed or digital representation of a product's security or privacy status that informs consumers. A labeling scheme should define, manage, and monitor label use, whereas an evaluation scheme should publish, manage, and monitor digital product security claims against security requirements and related standards. Google's first principle is that a printed label must not imply trust. Digital security labels must be "live" labels conveying security and privacy status on a centrally maintained website, ideally the same site that hosts the evaluation scheme. Google says a physical label should only be used if it directs users to a website to get real-time status. The second principle is that labels must reference strong international evaluation schemes, so that the stated level reflects a security and privacy posture maintained by a trustworthy evaluation scheme. Third, a minimum security baseline must be combined with security transparency in order to establish an important minimum bar for digital security. Google's fourth principle is that broad-based transparency is as important as a minimum bar. The final principle is that without adoption incentives, labeling schemes are useless. 
Google proposes national labeling schemes, with mandates capable of driving improved behavior at scale when they reference broadly acceptable, high-quality standards and schemes developed by nongovernmental organizations. This article continues to discuss Google's proposed list of five principles for IoT security labeling.

    SiliconANGLE reports "Google Proposes List of Five Principles for IoT Security Labeling"

  • news

    Visible to the public "CISA, FBI, MS-ISAC Provide Guidelines For DDoS Incident Response"

    The US Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) released a joint guide containing recommended procedures to reduce the likelihood and impact of Distributed Denial-of-Service (DDoS) incidents. A standard Denial-of-Service (DoS) attack occurs when threat actors exhaust a system's network or server resources, rendering the system unavailable to its intended users. DDoS attacks are becoming more common as the number of Internet of Things (IoT) devices in use continues to grow. IoT devices often have weak security postures, making them easy for attackers to compromise. Threat actors commonly use botnets to carry out large-scale attacks that appear to originate from many networks. A DDoS attack may prevent access to critical healthcare services such as bed capacity, data sharing, and appointment scheduling services. Although a DDoS attack is unlikely to compromise the confidentiality or integrity of a system or its data, malicious actors can use it as cover for more damaging attacks, such as malware deployment. Maintaining the availability of business-critical external-facing resources in an interconnected world with additional post-pandemic remote connectivity requirements can be challenging for even the most mature IT and incident response teams, according to CISA, the FBI, and MS-ISAC. The agencies acknowledge that it is impossible to avoid becoming a victim of a DDoS attack entirely. However, organizations can take proactive steps to reduce the impact of an attack on the availability of their resources. The "Understanding and Responding to Distributed Denial-of-Service Attacks" guide can help network defenders and leaders understand, prevent, and resolve DDoS attacks, which can cost organizations time, money, and reputation. 
This article continues to discuss guidance provided by CISA, the FBI, and MS-ISAC to federal and private agencies to prevent and remediate DDoS attacks.

    HealthITSecurity reports "CISA, FBI, MS-ISAC Provide Guidelines For DDoS Incident Response"

  • news

    Visible to the public "Disturbing Rise in Nation State Activity, Microsoft Reports"

    According to new research by Microsoft, there has been a "disturbing" increase in aggressive nation state cyber activity in the past year. The findings were published in the 2022 Microsoft Digital Defense Report (MDDR), which covers trends Microsoft observed in the cyber-threat landscape between July 2021 and June 2022. The researchers found that the proportion of nation state cyberattacks targeting critical infrastructure jumped from 20% to 40%. They attributed this largely to Russia's heavy attacks on Ukraine's critical infrastructure, as well as aggressive espionage targeting Ukraine's allies, including the US. The researchers also found that nation state actors have become increasingly aggressive in cyberspace, even beyond the Russia-Ukraine conflict. These actions were primarily for espionage and surveillance purposes, but the researchers also saw an "increasing willingness of nation state actors to use cyber weapons for destructive purposes." Attacks by cybercriminals seeking financial gain also grew in volume and sophistication over the same period, with ransomware and business email compromise the two most impactful vectors. The main evolution in ransomware attacks was in the techniques used to evade detection, a trend the researchers believe will continue in 2023. Another concerning trend is a surge in cybercrime-as-a-service across all threat vectors, especially ransomware.

    Infosecurity reports: "Disturbing Rise in Nation State Activity, Microsoft Reports"

  • news

    Visible to the public "Cyber Incident at Boeing Subsidiary Causes Flight Planning Disruptions"

    Jeppesen, a subsidiary of Boeing that provides navigation and flight planning tools, has confirmed that it is dealing with a cybersecurity incident, which has resulted in some flight disruptions. A red banner was added to the company's website, alerting visitors that the Colorado-based company was having technical difficulties with some of its products, services, and communication channels. According to a Boeing spokesperson, the problem was a cybersecurity incident, and the company is still working to restore services. Although the scope of the disruptions is unknown, the incident is affecting the receipt and processing of current and new Notice to Air Missions (NOTAMs), which are notices filed with aviation authorities to alert pilots of potential hazards along a flight route. Cyberattacks, such as ransomware, are common in the aviation industry. In May, India's SpiceJet airline reported being infected with ransomware, stranding hundreds of passengers at airports due to flight cancellations. Accelya, a technology provider for many large airlines, reported a ransomware attack linked to the BlackCat group in August. Bangkok Airways announced in August that hackers stole passenger information during a security breach caused by a ransomware incident. This article continues to discuss the cyber incident faced by the Boeing subsidiary Jeppesen and the targeting of the aviation industry by cyberattacks.

    The Record reports "Cyber Incident at Boeing Subsidiary Causes Flight Planning Disruptions"

  • news

    Visible to the public "Cyberattack Causes Trains to Stop in Denmark"

    Trains stopped in Denmark recently as a result of a cyberattack. The incident shows how an attack on a third-party IT service provider can cause significant disruption in the physical world. According to a Danish broadcaster, all trains operated by DSB, the largest train operating company in the country, came to a standstill on Saturday morning and could not resume their journeys for several hours. While this may sound like the work of a sophisticated threat actor targeting operational technology (OT) systems in an effort to cause disruption, it was actually the result of a security incident at Supeo, a Danish company that provides enterprise asset management solutions to railway companies, transportation infrastructure operators, and public passenger authorities. A DSB representative stated that Supeo might have been targeted in a ransomware attack. The company noted that the disruption to trains came after Supeo decided to shut down its servers in response to the cyberattack. As a result, a piece of software used by train drivers stopped working. Threat actors attacking railways are not uncommon, with recent targets including Belarus, Italy, the UK, Israel, and Iran.

    SecurityWeek reports: "Cyberattack Causes Trains to Stop in Denmark"

  • news

    Visible to the public "Hackers Just Took Down One of the World's Most Advanced Telescopes"

    Chile's Atacama Large Millimeter Array (ALMA) Observatory has suffered a cyberattack that has taken its website offline and forced it to suspend all observations. In the aftermath, email services were also restricted, demonstrating the hack's broad impact. ALMA, located at over 16,000 feet above sea level on a plateau in the Chilean Andes, is one of the world's most powerful and advanced radio telescopes. ALMA contributed to the first image of a black hole in 2019, as part of a collaborative effort that linked radio observatories around the world to form the Event Horizon Telescope. According to the observatory, ALMA's arsenal of 66 high-precision antennas, each nearly 40 feet in diameter, was not compromised by the hackers, nor was any of the scientific data collected by those instruments. The temporary loss of ALMA is a concerning development, especially for the thousands of astronomers worldwide who rely on its observations and the 300 experts who work onsite. Getting it up and running is a top priority, but the observatory announced that it is not yet possible to predict when it will resume regular operations. This article continues to discuss the hackers' takedown of the ALMA Observatory.

    Futurism reports "Hackers Just Took Down One of the World's Most Advanced Telescopes"

  • news

    Visible to the public "Cisco Addressed Several High-Severity Flaws in Its Products"

    Cisco has patched several vulnerabilities in its products, including high-severity flaws in its identity, email, and web security products. The most severe flaw addressed by Cisco is a Cross-Site Request Forgery (CSRF) vulnerability, tracked as CVE-2022-20961 (CVSS score: 8.8), which affects the Identity Services Engine (ISE). Exploitation of this flaw enables an unauthenticated, remote attacker to perform arbitrary actions on a vulnerable device. The root cause is insufficient CSRF protection in the affected device's web-based management interface. Cisco also addressed an insufficient access control vulnerability in ISE, tracked as CVE-2022-20956 (CVSS score: 7.1), which stems from improper access control in the web-based management interface and can be exploited by sending specially crafted HTTP requests to affected devices. In addition, the company patched a SQL injection vulnerability (CVE-2022-20867) and a privilege escalation vulnerability (CVE-2022-20868) in the Cisco Email Security Appliance (ESA) and Cisco Secure Email and Web Manager Next Generation Management. The IT giant is also investigating the potential impact of the OpenSSL vulnerabilities CVE-2022-3602 and CVE-2022-3786 on its products. This article continues to discuss the high-severity issues in Cisco's products that have now been addressed.
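    The root cause named for CVE-2022-20961, missing CSRF protection on a management interface, is worth seeing in code, since the fix is small and the failure mode (a logged-in administrator's browser silently submitting an attacker's form with the session cookie attached) is easy to reason about. The Python below is an added example, not Cisco's code and not derived from the advisory: it implements a synchronizer token bound to the session with an HMAC, verifies it in constant time, and additionally checks the Origin/Referer header before applying a state change. The handler, header shapes, and the management origin are assumptions for illustration.

```python
"""Minimal CSRF protection for a web-based management interface: a synchronizer
token bound to the session plus an Origin/Referer check.

Added example (stdlib only), not Cisco's code and not taken from the advisory.
Request shapes, helper names and SITE_ORIGIN are assumptions for illustration.
"""
import hashlib
import hmac
import secrets
from typing import Optional, Tuple
from urllib.parse import urlsplit

SERVER_SECRET = secrets.token_bytes(32)        # rotate with deployments
SITE_ORIGIN = "https://mgmt.example.internal"   # assumed origin of the management UI


def csrf_token(session_id: str) -> str:
    """Derive the token from the session id so it cannot be replayed across
    sessions. Derivation keeps the server stateless; a random per-session
    token stored server-side works equally well."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def token_valid(session_id: str, presented: Optional[str]) -> bool:
    if not presented:
        return False
    # Constant-time comparison: a plain == leaks timing information.
    return hmac.compare_digest(csrf_token(session_id), presented)


def origin_allowed(headers: dict) -> bool:
    """Reject cross-origin state changes even if a token somehow leaked.
    Browsers send Origin on POST; fall back to Referer; deny if neither."""
    src = headers.get("Origin") or headers.get("Referer")
    if not src:
        return False
    u = urlsplit(src)
    return f"{u.scheme}://{u.netloc}" == SITE_ORIGIN


def handle_state_change(method: str, headers: dict, cookies: dict,
                        form: dict) -> Tuple[int, str]:
    """Simulated handler for a state-changing management action."""
    session_id = cookies.get("session")
    if not session_id:
        return 401, "no session"
    if method != "POST":
        return 405, "state changes must be POST"   # GET must never mutate state
    if not origin_allowed(headers):
        return 403, "cross-origin request rejected"
    if not token_valid(session_id, form.get("csrf_token")):
        return 403, "missing or invalid CSRF token"
    return 200, "action applied"


if __name__ == "__main__":
    sid = "s-" + secrets.token_hex(8)
    good = {"csrf_token": csrf_token(sid), "action": "add_admin"}
    # Legitimate same-origin request from the management UI.
    print(handle_state_change("POST", {"Origin": SITE_ORIGIN}, {"session": sid}, good))
    # Forged request from an attacker's page: the browser attaches the session
    # cookie automatically, but the attacker has neither the token nor our Origin.
    print(handle_state_change("POST", {"Origin": "https://evil.example"},
                              {"session": sid}, {"action": "add_admin"}))
```

    The forged request in the `__main__` block carries the victim's session cookie but neither the token nor an allowed Origin, so it is rejected with 403. A handler that authorizes the action by session cookie alone, which is what a CSRF flaw amounts to, would have applied it. Note the two checks are independent: the Origin check catches a leaked token, and the token catches a browser that sends no Origin header.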

    Security Affairs reports "Cisco Addressed Several High-Severity Flaws in Its Products"

  • news

    Visible to the public "Attackers Leverage Microsoft Dynamics 365 to Phish Users"

    According to Avanan researchers, attackers are using Microsoft Dynamics 365 Customer Voice to circumvent email filters and deliver phishing emails into Microsoft users' inboxes. Microsoft Dynamics 365 is an Enterprise Resource Planning (ERP) and Customer Relationship Management (CRM) application suite. Customer Voice is one of the applications, and it collects data and feedback from customers through surveys, phone calls, and other means. The attackers have set up Microsoft Dynamics 365 Customer Voice accounts and are using them to send phishing emails claiming that recipients have received a voicemail. To the end user, this appears to be a voicemail from a customer that should be given attention. According to Avanan cybersecurity researcher Jeremy Fuchs, clicking on it is the natural next step. The link in the email is a legitimate Microsoft Customer Voice link leading to a standard Microsoft page, which is enough to convince email filters and security scanners that the email is legitimate and allow it to reach users' inboxes. Users who click the "Play Voicemail" button on this page are redirected to a spoofed Microsoft login page. However, in this case, careful users will notice that the URL of the phishing page is not related to Microsoft. This article continues to discuss attackers' abuse of Microsoft Dynamics 365 Customer Voice to carry out phishing attacks, as well as the continued exploitation of trusted services by hackers.

    Help Net Security reports "Attackers Leverage Microsoft Dynamics 365 to Phish Users"

  • news

    Visible to the public "LockBit Ransomware Claims Attack on Continental Automotive Giant"

    The LockBit ransomware gang has claimed responsibility for a cyberattack on Continental, a German multinational automobile group. LockBit also claims to have stolen data from Continental's systems and threatens to publish it on their data leak website if the company does not comply with their demands within the next 22 hours. However, the gang has not yet provided any information about what data it stole from Continental's network or when the breach occurred. Ransomware gangs often publish data on their leak sites in order to scare their victims into agreeing to a deal or returning to the negotiating table. LockBit says it will publish "all available" data, suggesting that Continental is either still negotiating with the ransomware operation or has already refused to comply with the demands. When Bleeping Computer contacted Continental's VP of Communications & Marketing, Kathryn Blackwell, she did not confirm LockBit's claims or share any details about the attack, instead linking to an August 24 press release about a cyberattack that resulted in a breach of Continental's systems. The company discovered a security breach in early August after attackers infiltrated parts of its IT systems, according to the press release. This article continues to discuss the LockBit ransomware gang claiming responsibility for a cyberattack against Continental and the history of LockBit.

    Bleeping Computer reports "LockBit Ransomware Claims Attack on Continental Automotive Giant"

  • news

    Visible to the public "CISA Warns of Critical Vulnerabilities in 3 Industrial Control System Software"

    The US Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) has issued three Industrial Control Systems (ICS) advisories regarding multiple vulnerabilities in software from ETIC Telecom, Nokia, and Delta Industrial Automation. CISA highlighted three flaws in ETIC Telecom's Remote Access Server (RAS) that could allow attackers to obtain sensitive information and compromise the vulnerable device and other connected machines. These include CVE-2022-3703 (CVSS score: 9.0), a critical flaw caused by the RAS web portal's failure to verify the authenticity of firmware, allowing an adversary to slip in a rogue package that grants backdoor access. The two other flaws are a directory traversal bug in the RAS Application Programming Interface (API) (CVE-2022-41607, CVSS score: 8.6) and a file upload flaw (CVE-2022-40981, CVSS score: 8.3), both of which can be exploited to read arbitrary files and upload malicious files that can compromise the device. All versions of ETIC Telecom RAS 4.5.0 and earlier are vulnerable, with the French company addressing the issues in version 4.7.3. This article continues to discuss CISA's warning of critical vulnerabilities in software from ETIC Telecom, Nokia, and Delta Industrial Automation.

    THN reports "CISA Warns of Critical Vulnerabilities in 3 Industrial Control System Software"

  • news

    Visible to the public "GitHub Flaw Underscores Risks of Open Source, RepoJacking"

    A GitHub vulnerability was discovered that enabled attackers to take control of a GitHub repository and infect all applications and code that rely on it with malicious code. This vulnerability serves as a warning to those who rely on open-source packages, which are exposed to this class of attack. It is now a common attack vector, so companies using open-source software repositories must take extra precautions to ensure they understand what they are deploying and are inventorying it in a Software Bill of Materials (SBOM) that will allow them to more easily identify and remediate when malicious or suspicious payloads are identified, according to Jim Kelly, RVP of endpoint security at Tanium. All renamed usernames on GitHub were vulnerable to the flaw if not explicitly tended to, including more than 10,000 packages on the Go, Swift, and Packagist package managers. According to researchers from the Checkmarx Supply Chain Security (SCS) team, thousands of packages could have been hijacked immediately to serve malicious code to millions of users. Since GitHub repositories are associated with usernames, when users rename their accounts, GitHub accepts the rename, issues a warning, and redirects traffic from the previous repository's URL to the new one. According to Checkmarx, redirect rules are automatically set up from the old repository URLs to the new URLs to keep things running for users who are unaware of the username change. A GitHub repository is vulnerable to RepoJacking when its creator renames their username while the old username remains available for registration. The researchers discovered that repository URLs are tied to the combination of creator username and repository name, which means attackers can create a new GitHub account with the same combination to match the old repository URL used by existing users. When an attacker does this, the default redirect is disabled, and all existing traffic is routed to the attacker's malicious GitHub repository. This latest vulnerability, which GitHub has now fixed, should remind businesses that they should take extensive security precautions when using open-source solutions. The prevalence of open-source solutions in enterprise tooling, such as shared libraries, dependencies, and integrations, as well as custom-built projects, can lead to RepoJacking attacks, which can scale quickly if successful. This article continues to discuss the latest findings regarding the recently discovered GitHub vulnerability.

    Security Boulevard reports "GitHub Flaw Underscores Risks of Open Source, RepoJacking"
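    The RepoJacking precondition described above (a repository reached only through GitHub's rename redirect while the old username is free to register) can be audited from the defender's side. The following is an added example, not code from the article or from Checkmarx; the GitHub lookups are injected as callables and the sample GitHub state and dependency list are constructed for illustration.

```python
"""Added example (not from the article or Checkmarx): audit a dependency list
for the RepoJacking precondition, i.e. a GitHub repository that is reached only
through GitHub's rename redirect while the old username is free to register.
GitHub lookups are injected as callables so the audit runs offline here."""
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional, Tuple

Resolver = Callable[[str, str], Optional[Tuple[str, str]]]


@dataclass(frozen=True)
class Finding:
    dependency: str
    original_owner: str
    current_owner: str
    old_name_available: bool

    @property
    def severity(self) -> str:
        # Redirect in place AND old login open for registration: anyone could
        # recreate owner/repo and capture every client still using the old URL.
        return "high" if self.old_name_available else "info"


def parse_github_owner_repo(import_path: str) -> Optional[Tuple[str, str]]:
    """Extract (owner, repo) from a github.com/<owner>/<repo>[/...] path."""
    parts = import_path.strip().strip("/").split("/")
    if len(parts) < 3 or parts[0].lower() != "github.com":
        return None
    owner, repo = parts[1], parts[2]
    if not owner or not repo:
        return None
    return owner, repo


def audit_dependencies(deps: Iterable[str], resolve_repo: Resolver,
                       user_exists: Callable[[str], bool]) -> List[Finding]:
    """resolve_repo(owner, repo) -> (final_owner, final_repo) after following
    GitHub's redirect, or None if nothing is served at that URL.
    user_exists(login) -> True when a GitHub account with that login exists.
    A live implementation would issue the HTTP requests; here the caller
    supplies both functions (hypothetical interface chosen for this example)."""
    findings: List[Finding] = []
    for dep in deps:
        parsed = parse_github_owner_repo(dep)
        if parsed is None:
            continue  # not hosted on github.com
        owner, repo = parsed
        resolved = resolve_repo(owner, repo)
        if resolved is None:
            continue  # dead dependency: a separate problem, not RepoJacking
        final_owner, _ = resolved
        if final_owner.lower() == owner.lower():
            continue  # served directly by the account named in the URL
        findings.append(Finding(dep, owner, final_owner, not user_exists(owner)))
    return findings


# --- Constructed sample GitHub state (fictional logins, not real accounts) ---
_REDIRECTS = {
    ("oldname", "toolkit"): ("newname", "toolkit"),  # renamed, old login free
    ("heldold", "proj"): ("heldnew", "proj"),        # renamed, old login taken
}
_REPOS = {("newname", "toolkit"), ("heldnew", "proj"), ("stable-org", "lib")}
_USERS = {"newname", "heldnew", "heldold", "stable-org"}


def fake_resolve(owner: str, repo: str) -> Optional[Tuple[str, str]]:
    target = _REDIRECTS.get((owner, repo), (owner, repo))
    return target if target in _REPOS else None


def fake_user_exists(login: str) -> bool:
    return login in _USERS


SAMPLE_DEPS = [
    "github.com/oldname/toolkit/v2",  # hijackable: redirect + free old login
    "github.com/heldold/proj",        # redirected, but old login re-registered
    "github.com/stable-org/lib",      # served directly, nothing to report
    "github.com/ghost/none",          # no longer exists
    "example.org/vendor/pkg",         # not GitHub
]

if __name__ == "__main__":
    for f in audit_dependencies(SAMPLE_DEPS, fake_resolve, fake_user_exists):
        print(f"{f.severity:5} {f.dependency}: "
              f"{f.original_owner} -> {f.current_owner}")
```

    Note the limit of this check: once the old name has been re-registered with the same repository name, the URL resolves directly and looks identical to the original, so the audit finds the precondition, not a completed hijack. Pinning dependencies to commit hashes and recording them in the SBOM the article recommends is what makes a swapped repository detectable.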

  • news

    Visible to the public "Waterloo Researchers Discover Security Loophole Allowing Attackers to Use Wi-Fi to See Through Walls"

    A team of researchers from the University of Waterloo has created a drone-powered device that can see through walls using Wi-Fi networks. The Wi-Peep device can fly close to a building and then use the Wi-Fi network to identify and locate all Wi-Fi-enabled devices within seconds. The device takes advantage of what the researchers call polite Wi-Fi: even if a network is password protected, smart devices automatically respond to contact attempts from any device within range. The Wi-Peep device sends several messages to a device while flying, then measures the response time of each, allowing it to pinpoint the device's location. According to Dr. Ali Abedi, an adjunct professor of computer science at Waterloo, the Wi-Peep devices are like visible spectrum lights, and the walls are like glass. Using similar technology, one could track security guards' movements inside a bank by tracking the location of their phones or smartwatches. A thief could also identify the location and type of smart devices in a home, such as security cameras, laptops, and smart TVs, to find a suitable candidate for a break-in. Furthermore, because the device is operated by a drone, it can be used quickly and remotely without the operator being detected. Although scientists have previously investigated Wi-Fi security vulnerabilities using bulky, expensive devices, the Wi-Peep stands out due to its accessibility and ease of transportation. Abedi's team assembled it with a store-bought drone and $20 in readily available hardware. This article continues to discuss the University of Waterloo team's drone-powered device exposing vulnerabilities in Wi-Fi security.

    UWaterloo reports "Waterloo Researchers Discover Security Loophole Allowing Attackers to Use Wi-Fi to See Through Walls"

  • news

    Visible to the public "Post-Quantum And Pre-Quantum Security Issues Grow"

    General-purpose quantum computers will be capable of cracking the codes that protect much of the world's information. Although these machines do not fully exist yet, governments and businesses are already planning for post-quantum encryption. The task is made more difficult because it is unknown how future quantum machines will work or even which materials will be used. In contrast to traditional computers, the unit of information in a quantum computer is a quantum bit, or qubit. Qubits can have a value of 0 or 1, or a superposition of both values. A useful computer will require qubits that are more reliable, error-corrected, long-lasting, and numerous than what is currently available. The power of these machines could be used to accelerate research in fields such as Artificial Intelligence (AI), pharmaceuticals, security, and more. As experts investigate Quantum Key Distribution (QKD) and other methods of cryptography based on quantum mechanics, the mainstreaming of quantum cryptography is expected to bring in a new era of data security. However, certain encryption methods based on classical computing principles will be rendered obsolete in a post-quantum world. As a result, countless systems will be vulnerable to attacks. There are also more immediate concerns, as security experts prepare for "Harvest Now, Decrypt Later" (HNDL) attacks. HNDL threats involve hackers collecting encrypted data now with the expectation that future advances in quantum computing will allow them to decrypt that data. According to a recent Deloitte survey, half of professionals at organizations considering quantum computing benefits believe their organizations are vulnerable to such attacks. This article continues to discuss pre-quantum and post-quantum challenges.

    Semiconductor Engineering reports "Post-Quantum And Pre-Quantum Security Issues Grow"

  • news

    Visible to the public "Ransomware: Not Enough Victims Are Reporting Attacks, and That's a Problem for Everyone"

    Ransomware remains a significant cyber threat to businesses and the general public, but it is difficult to determine the true scope of attacks because many victims are not reporting them. The warning came from the National Cyber Security Centre's (NCSC) Annual Review for 2022, which examines key developments and cybercrime incidents over the last year, with ransomware described as an ever-present threat and a significant challenge for businesses and public services. The review details 18 ransomware incidents that required a "nationally coordinated" response during the 12-month period between September 1, 2021, and August 31, 2022. These included attacks on a National Health Service (NHS) supplier and a ransomware attack on South Staffordshire Water. However, the true impact of ransomware remains unknown because, according to the NCSC, many organizations that are victims of ransomware attacks do not report them. This is despite the significant and disruptive consequences ransomware attacks can have, not only for organizations but for society as a whole, which is why cybersecurity must be taken seriously and incidents must be reported. These attacks have genuine real-world consequences and serve as a reminder to all organizations of the critical mitigation measures outlined in the NCSC's guidance. Organizations must treat cybersecurity as a genuine, board-level risk that must be managed. This article continues to discuss the lack of disclosures by ransomware victims, the potential impact of ransomware attacks, and the remaining threat of phishing attacks.

    ZDNet reports "Ransomware: Not Enough Victims Are Reporting Attacks, and That's a Problem for Everyone"

  • news

    Visible to the public "UK Health System Email Accounts Hijacked to Steal Microsoft Logins"

    According to the email security firm INKY, 139 employees of the National Health Service (NHS) in the UK were victims of account takeover in the previous year. The attack began with the threat actors gaining access to legitimate NHS email accounts. They then used the accounts to launch phishing campaigns in order to steal Microsoft login credentials. The takeovers likely occurred in October 2021, and the phishing schemes continued at least until April 2022. The attackers sent 1,157 phishing emails from NHS accounts. The attackers included the NHS email footer disclaimer at the bottom of the emails to make them appear more legitimate. They also pretended to be from Microsoft and Adobe by using their logos on emails. According to INKY, the attackers sent phishing emails through two NHS IP addresses, which serve as relays for processing large volumes of email. Furthermore, all of the phishing emails sent from the compromised accounts passed the NHS outbound email authentication. For account takeovers, many cyber criminals use brute force attacks. The attackers used an automated system to cast a wide net of commonly used passwords. They could then gain access to accounts, mostly email accounts. This article continues to discuss the takeover of NHS accounts to steal Microsoft logins.

    Security Intelligence reports "UK Health System Email Accounts Hijacked to Steal Microsoft Logins"

  • news

    Visible to the public "International Counter Ransomware Initiative 2022 Joint Statement"

    The International Counter Ransomware Initiative (CRI), which includes the UK, US, Ukraine, Australia, Austria, Belgium, Brazil, Bulgaria, Canada, and others, met in Washington, DC, from October 31 to November 1, 2022. At the Second CRI Summit, members reaffirmed their commitment to building their collective resilience to ransomware, cooperating to disrupt ransomware and pursue the actors responsible, combating illicit finance supporting the ransomware ecosystem, collaborating with the private sector to defend against ransomware attacks, and continuing to work together internationally across all elements of the ransomware threat. The CRI's work contributes to implementing the UN-endorsed framework for responsible state behavior in cyberspace, which includes the voluntary norm that states should cooperate in exchanging information, assisting one another, and prosecuting terrorist and criminal use of Information and Communication Technologies (ICTs). Members should also implement other cooperative measures to address such threats. The CRI partners' collaborative efforts are also directly contributing to the implementation of the consensus conclusions and recommendations of the UN Expert Group to complete a comprehensive study on cybercrime. The CRI intends to hold ransomware actors accountable for their crimes, disrupt and bring to justice ransomware actors and their enablers to the fullest extent permitted by each partner's applicable laws and relevant authorities, collaborate in disrupting ransomware through sharing information, and much more. Resilience to ransomware attacks calls for effective policies and collaboration with trusted partners. In order to increase collective resilience to ransomware attacks, CRI members are establishing a network of trusted partners to share ransomware-related threat information. The CRI intends to form a voluntary International Counter Ransomware Task Force (ICRTF) to create cross-sectoral tools and exchange cyber threat intelligence to improve early warning capabilities, prevent attacks, and consolidate policy and best practice frameworks. This article continues to discuss the CRI's commitments.

    HSToday reports "International Counter Ransomware Initiative 2022 Joint Statement"

  • news

    Visible to the public "The Surprising Relationship Between Bitcoin and Ransomware Is Investigated in White House Summit"

    Bitcoin has brought many advantages, including accessibility, liquidity, anonymity, independence from central authority, and high-return potential. However, these are benefits to cybercriminals as well, particularly those operating across national borders. According to a senior administration official at a press briefing prior to the International Cybersecurity Summit in Washington, as Bitcoin became more widely used, there was a significant increase in ransomware because it was the way to move money across borders. The official stressed that it is a borderless threat, and that defenders have yet to address it in a borderless manner. The threat has clearly evolved, particularly in terms of illicit cryptocurrency use. The Biden administration recently brought together leaders from 36 countries and the European Union to coordinate and strengthen partnerships, and more effectively counter ransomware threats on critical infrastructure. According to a senior White House official, ransomware is a global problem that affects Counter Ransomware Initiative (CRI) countries, businesses, critical infrastructure, and citizens. With ransomware gangs targeting sectors such as hospitals, which could result in fatalities, the need to find a solution to the problem is only increasing. Until a solution is found, organizations must focus on educating employees to spot and report phishing attacks quickly and accurately, as well as securing remote access portals with multifactor authentication (MFA). They must also ensure that software vulnerabilities are patched, networks are segmented, and strong data-loss prevention (DLP) controls are in place. In addition, the growing number of zero-day attacks and Common Vulnerabilities and Exposures (CVEs) should be kept in mind, according to Jeff Williams, cofounder and CTO at Contrast Security. This article continues to discuss the key findings and suggestions shared by leaders at the International Cybersecurity Summit.

    VB reports "The Surprising Relationship Between Bitcoin and Ransomware Is Investigated in White House Summit"

  • news

    Visible to the public "$28 Million Stolen From Cryptocurrency Platform Deribit"

    Deribit, a cryptocurrency derivatives platform, has confirmed that a hacker stole $28 million from the company, forcing it to suspend withdrawals while investigating the incident. Deribit is a Panama City-based cryptocurrency futures and options exchange that allows customers to trade perpetual, futures, and options contracts. The company stated that its reserves will cover the losses and that 99 percent of user funds are kept in "cold storage" to protect against this type of attack. Hot wallets for cryptocurrency are connected to the Internet via a phone or computer, whereas cold wallets are assets stored in hardware devices that are not connected to the Internet. The company did not respond to inquiries about how the hack occurred or whether it is in contact with the hacker. However, Deribit posted a link to the location of the stolen funds on Twitter. According to the blockchain security firm PeckShield, the hack involved the theft of about 9,080 ETH worth nearly $14.2 million, as well as around 691 BTC worth another $14.1 million. A Deribit spokesperson stated that withdrawals will be reopened eventually but that all Deribit deposit addresses for BTC, ETH, and USDC will need to be regenerated. According to PeckShield, October was a particularly difficult month for cryptocurrency platforms, with 53 protocols suffering losses totaling $760.2 million. So far, in 2022, an estimated $3 billion has been siphoned from cryptocurrency firms, with losses doubling from the previous year. As the ecosystem grows in value and complexity, technical and operational solutions are needed to scale with it. Alex Zinder, global head of blockchain security company Ledger Enterprise, also emphasized that October was one of the busiest months for cryptocurrency hacking, with around $718 million lost in the first week alone. It is critical to educate the market on security best practices at scale, but collective support from the ecosystem is also required to help raise the bar as hackers become increasingly sophisticated. This article continues to discuss the hacking incident faced by Deribit that resulted in the theft of $28 million.

    The Record reports "$28 Million Stolen From Cryptocurrency Platform Deribit"

  • news

    Visible to the public "Label Giant Multi-Color Corporation Discloses Data Breach"

    Label printing giant Multi-Color Corporation (MCC) has recently started informing employees that their personal information might have been compromised in a recent cyberattack. MCC, a global supplier of premium label solutions, operates roughly 100 label-producing operations and has approximately 10,000 employees. MCC provides label solutions to organizations in the automotive, beverage, chemicals, food, healthcare, technical, and other industries. In a data breach notice, the company announced that on September 29, 2022, it discovered unauthorized access to its network. An investigation launched into the incident revealed that sensitive HR data might have been compromised, "including personnel files and information on enrollment in their benefits programs." The company noted that it is collecting and retaining "personal information to administer their health and wellness program, facilitate payroll, and complete other routine business functions." Both current and former MCC employees are impacted. In addition to employees' personal information, the data breach might have also impacted the information of a limited number of employee spouses, partners, and/or dependents who are enrolled in the benefits programs. The company stated that the incident does not impact its customers and suppliers, as it does not collect or retain their personal information. MCC has not provided details on the type of cyberattack it fell victim to, but it appears that the company might have been in contact with the attackers, likely paying a ransom to ensure that any stolen data has been destroyed.

    SecurityWeek reports: "Label Giant Multi-Color Corporation Discloses Data Breach"

  • news

    Visible to the public "UK Security Agency to Scan the Country for Bugs"

    The National Cyber Security Centre (NCSC) has recently launched a new scheme designed to help it better understand how vulnerable UK systems are to cyberattacks, in order to enhance resilience. The agency's new internet scanning capability is designed to build a data-driven view of "the vulnerability of the UK." The NCSC stated that it will do this by probing any internet-accessible systems hosted in the country for known vulnerabilities, allowing it to understand how exposed these assets are and track remediation over time. The NCSC noted that it designs its requests to collect the smallest amount of technical information required to validate the presence/version and/or vulnerability of a piece of software. The requests are also designed to limit the amount of personal data within the response. The agency hopes that the data collected will help it to better understand the vulnerability and security of the UK as a whole, advise system owners about their security posture on a day-to-day basis, and respond faster to incidents such as a widely exploited zero-day vulnerability.

    Infosecurity reports: "UK Security Agency to Scan the Country for Bugs"

  • news

    Visible to the public "Splunk Patches 9 High-Severity Vulnerabilities in Enterprise Product"

    Splunk recently released patches for Splunk Enterprise, which include fixes for nine high-severity vulnerabilities. The most severe of these security defects have a CVSS score of 8.8 and are described as remote code execution (RCE), XML external entity (XXE) injection, and reflected cross-site scripting (XSS) bugs. The company stated that the RCE vulnerabilities, tracked as CVE-2022-43571 and CVE-2022-43567, can be exploited by authenticated attackers to execute code via the dashboard PDF generation component or via crafted requests sent to the mobile alerts feature of the Splunk Secure Gateway app. The company noted that the XXE injection vulnerability, CVE-2022-43570, can be exploited to cause Splunk Web to embed incorrect documents into an error. The company also noted that Splunk Enterprise versions with Splunk Web enabled are vulnerable to a reflected XSS (CVE-2022-43568); disabling Splunk Web mitigates this vulnerability. With a CVSS score of 8.1, the next two high-severity vulnerabilities are described as risky command protection bypasses that can be exploited if the attacker phishes the victim by tricking them into initiating a request in the browser. The first flaw is CVE-2022-43563, and the second issue is CVE-2022-43565. The company also resolved a persistent XSS in the object name of a Data Model (CVE-2022-43569), a risky command safeguards bypass in the Analytics Workspace (CVE-2022-43566), and an indexing blockage or denial-of-service (DoS) condition in the Splunk-to-Splunk (S2S) and HTTP Event Collector (HEC) protocols (CVE-2022-43572). Additionally, Splunk resolved two medium-severity issues. The company noted that all vulnerabilities have been resolved with the release of Splunk Enterprise versions 8.1.12, 8.2.9, and 9.0.2.

    SecurityWeek reports: "Splunk Patches 9 High-Severity Vulnerabilities in Enterprise Product"

  • news

    Visible to the public "Bot Warning for Retailers Ahead of Busy Shopping Season"

    Security researchers at Imperva stated that retailers can expect a surge in bot-driven account takeovers (ATOs), DDoS attacks, card fraud, and more as they prepare for the busiest shopping period of the year. The researchers found that 40% of traffic on retailers' websites over the past 12 months came from bots, automated software that's often malicious in intent. The researchers noted that automated threats caused 62% of security incidents in the period. Bot-related attacks on retail sites surged 10% in October and another 34% in November 2021, suggesting that bot operators will again increase their activity around the peak shopping period this year. This includes ATO attacks, 64% of which were linked to bad bots last year, using techniques such as credential stuffing, where previously breached passwords and usernames are tried against different accounts across the web. Another popular tactic is using bots to buy up in-demand inventory and then selling it at a profit. The researchers noted that DDoS attacks are a perennial threat for retailers, who could lose millions during busy shopping periods if their websites and apps are taken offline. The researchers revealed that the number of attacks greater than 100 Gbps doubled year-on-year in 2021, and attacks larger than 500 Gbps increased by 287%. The researchers noted that organizations targeted by an attack are often hit again within 24 hours. The researchers stated that 55% of sites targeted by an application-layer DDoS and 80% by a network-layer DDoS were attacked multiple times.

    Infosecurity reports: "Bot Warning for Retailers Ahead of Busy Shopping Season"

  • news

    Visible to the public "Smooth 'Opera1er': French-Speaking Gang Steals $11 Million"

    A French-speaking gang has been linked with stealing at least $11 million from African banks. According to a new report from the cybersecurity firm Group-IB and the CERT Coordination Center at the French multinational telecommunications giant Orange, the criminal syndicate codenamed "Opera1er" is still "active and dangerous." Group-IB researchers codenamed the gang Opera1er after an email account frequently used by the gang to register domains, while the Society for Worldwide Interbank Financial Telecommunication, also known as SWIFT, dubbed it Common Raven in 2020. According to Group-IB, the gang stole at least $11 million between 2018 and 2022, and the actual amount of damage could be as high as $30 million. Financial services and telecommunications firms in Argentina, Bangladesh, Burkina Faso, Cameroon, Gabon, Ivory Coast, Mali, Niger, Nigeria, Paraguay, Senegal, Sierra Leone, Togo, and Uganda have been victims. The group prefers to target victims on weekends or during public holidays. Group-IB and Orange CERT-CC are releasing their findings, including tactics, techniques, and procedures (TTPs) and indicators of compromise, to assist organizations, particularly banks, in detecting attacks associated with this group. In addition, they say that a number of other security researchers, including the Polish cyber threat intelligence expert Przemysław Skowron, as well as researchers in Belgium, France, and Switzerland, and the Russian hosting provider Internet Hosting Center, have assisted in tracking the group. Their plans to detail the group's activities were paused after the attackers appeared to notice that they were being tracked, deleted a number of accounts, and changed their TTPs. This article continues to discuss findings surrounding the Opera1er French-speaking gang.

    GovInfoSecurity reports "Smooth 'Opera1er': French-Speaking Gang Steals $11 Million"

  • news

    Visible to the public "More Than 250 Newspaper Sites Across the US Access Malicious JavaScript in Malware Supply Chain Attack"

    Due to the compromised infrastructure of an unnamed media firm, a large number of US news sites have been infected with the SocGholish JavaScript malware framework, also known as FakeUpdates. According to security experts at enterprise security firm Proofpoint, the malware has infected more than 250 regional and national newspaper sites in the US. The threat actor behind the supply chain attacks, tracked as TA569 by Proofpoint, injected malicious code into a benign JavaScript file, which was then loaded by the news outlets' websites. According to Proofpoint's Threat Insight team, the media company that hosted this malicious code served content to its partners via JavaScript. The affected media organizations served Boston, New York, Chicago, Miami, Washington DC, Cincinnati, and Palm Beach. Sherrod DeGrippo, VP of threat research and detection at Proofpoint, says the affected media company is a firm that provides video and advertising content to major news outlets. TA569 has historically rotated between removing and reinstating these malicious JavaScript injects. As a result, the presence of the payload and malicious content varies from hour to hour and should not be regarded as a false positive. SocGholish, according to Red Canary, is an initial access threat that uses drive-by downloads disguised as software updates. It gains execution through social engineering, tricking unsuspecting users into running a malicious JavaScript payload stored within a downloaded ZIP file. Visitors to compromised websites may become infected with malware payloads disguised as fake browser updates delivered as ZIP archives. This article continues to discuss the installation of malware on sites belonging to more than 250 US news outlets.

    Tech News reports "More Than 250 Newspaper Sites Across the US Access Malicious JavaScript in Malware Supply Chain Attack"
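
The SocGholish delivery chain described above ends on the endpoint: a visitor downloads a "browser update" ZIP, opens it in Explorer, and double-clicks a .js file that the Windows Script Host then executes. The following detection logic is an added example, not code from Proofpoint, Red Canary, or the article; it triages constructed process-creation events for that pattern. It assumes a simplified pipe-separated `Key=Value` log format (real Sysmon or EDR event formats differ), assumes the lure file name contains a browser name plus "update", and relies on Explorer extracting a double-clicked ZIP member to a `%TEMP%\Temp<n>_<archive>.zip\` folder before running it. Sample events are constructed, not real telemetry.

```python
"""Flag process-creation events that match the SocGholish / FakeUpdates delivery chain:
a browser-downloaded ZIP whose .js member is executed by wscript.exe or cscript.exe.

Assumed log format: one event per line, pipe-separated Key=Value fields
(ParentImage, Image, CommandLine). Adapt parse_event() for real Sysmon/EDR data.
"""
import re
from dataclasses import dataclass

# Windows Script Host binaries that execute the .js payload.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# A script file passed as an argument (quoted or not) anywhere in the command line.
SCRIPT_ARG = re.compile(r'\.(?:js|jse|wsf|vbs)"?(?:\s|$)', re.IGNORECASE)
# Explorer extracts a double-clicked ZIP member to %TEMP%\Temp<n>_<archive>.zip\ (assumed path shape).
ZIP_PREVIEW_DIR = re.compile(r'\\Temp\d*_[^\\]+\.zip\\', re.IGNORECASE)
# Typical landing spots for a browser-delivered archive.
DOWNLOAD_DIR = re.compile(r'\\(?:Downloads|Temp)\\', re.IGNORECASE)
# Fake browser-update lure (assumed naming pattern, e.g. "Chrome.Update.js").
UPDATE_LURE = re.compile(r'(?:chrome|firefox|edge|browser)[\w. -]*update', re.IGNORECASE)
# Parents consistent with a user opening a download, rather than a scheduled or admin job.
USER_PARENTS = {"explorer.exe", "chrome.exe", "msedge.exe", "firefox.exe"}


@dataclass
class ProcessEvent:
    parent_image: str
    image: str
    command_line: str


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def parse_event(line: str) -> ProcessEvent:
    fields = dict(part.split("=", 1) for part in line.rstrip("\n").split("|"))
    return ProcessEvent(fields["ParentImage"], fields["Image"], fields["CommandLine"])


def score_event(ev: ProcessEvent) -> list:
    """Return the SocGholish indicators present; an empty list means nothing to report."""
    if basename(ev.image) not in SCRIPT_HOSTS or not SCRIPT_ARG.search(ev.command_line):
        return []
    reasons = []
    if ZIP_PREVIEW_DIR.search(ev.command_line):
        reasons.append("script run straight out of a ZIP opened in Explorer")
    if DOWNLOAD_DIR.search(ev.command_line):
        reasons.append("script lives in a download or temp directory")
    if UPDATE_LURE.search(ev.command_line):
        reasons.append("file name mimics a browser update")
    if basename(ev.parent_image) in USER_PARENTS:
        reasons.append("launched interactively from Explorer or a browser")
    return reasons


def is_alert(reasons: list) -> bool:
    # A single weak indicator (e.g. an admin .vbs sitting in Temp) is noisy; require two.
    return len(reasons) >= 2


def triage(lines) -> list:
    """Return (line_index, reasons) for every event that should be alerted on."""
    alerts = []
    for i, line in enumerate(lines):
        reasons = score_event(parse_event(line))
        if is_alert(reasons):
            alerts.append((i, reasons))
    return alerts


# Constructed sample events (not real telemetry). Event 0 is the FakeUpdates chain;
# event 1 is a benign admin script; event 2 is not a script host; event 3 is a
# suspicious .js from Downloads without the update lure.
SAMPLE_EVENTS = [
    r'ParentImage=C:\Windows\explorer.exe|Image=C:\Windows\System32\wscript.exe|'
    r'CommandLine="C:\Windows\System32\wscript.exe" '
    r'"C:\Users\alice\AppData\Local\Temp\Temp1_Chrome.Update.zip\Chrome.Update.js"',
    r'ParentImage=C:\Windows\System32\cmd.exe|Image=C:\Windows\System32\cscript.exe|'
    r'CommandLine=cscript.exe //nologo C:\Scripts\inventory.vbs',
    r'ParentImage=C:\Windows\explorer.exe|Image=C:\Program Files\Google\Chrome\Application\chrome.exe|'
    r'CommandLine="C:\Program Files\Google\Chrome\Application\chrome.exe"',
    r'ParentImage=C:\Windows\explorer.exe|Image=C:\Windows\System32\wscript.exe|'
    r'CommandLine="C:\Windows\System32\wscript.exe" "C:\Users\alice\Downloads\invoice.js"',
]

if __name__ == "__main__":
    for idx, reasons in triage(SAMPLE_EVENTS):
        print(f"ALERT event {idx}: " + "; ".join(reasons))
```

The two-indicator threshold is the practitioner's trade-off: a lone script in Temp is common on managed fleets, but a script host launched from Explorer on a file inside a ZIP preview folder is close to the textbook FakeUpdates execution and warrants isolating the host even if the injected code on the originating news site has since been rotated out.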

  • news

    Visible to the public "Businesses Want Technologies That Allow for Passwordless Workflows"

    The results of Bitwarden's 2023 Password Decisions Survey, which polled 800 IT decision-makers from various industries, show that passwordless technology is gaining a foothold, with businesses expressing enthusiasm about its perceived security benefits and improved user experience. According to the survey, about half of those surveyed use or plan to use passwordless technology. Of the respondents, 66 percent have one or two user groups or multiple teams using passwordless technology, while 13 percent have deployed it across their entire organization. Businesses are facing many post-pandemic security challenges, including increased employee turnover, a hybrid workforce that relies on multiple devices in multiple locations, and a seemingly endless threat from cybercriminals. Given these challenges, 79 percent of IT decision-makers prefer that employees use the same enterprise-wide password manager. Security is cited as the most important feature of a good password manager by 60 percent, followed by Two-Factor Authentication (2FA) integration (56 percent) and ease of use (40 percent). If their company offered it, 71 percent of employees would use a password manager with a complimentary family account to give their family added security at home. Sixty percent of respondents say their company has been the victim of a cyberattack, up from 54 percent last year. As a result, 80 percent of organizations now have a ransomware mitigation strategy in place, up from 75 percent last year. Cyber insurance is also becoming more common, with 75 percent of organizations having it; of those, 65 percent must demonstrate that they provide employee cyber awareness training. When asked why their organization has not made the switch to passwordless technology, 39 percent say end users are hesitant, and 49 percent say the applications they use are not designed to be passwordless. This article continues to discuss key findings from Bitwarden's 2023 Password Decisions Survey.

    Help Net Security reports "Businesses Want Technologies That Allow for Passwordless Workflows"