News Items

  • news

    "CISA Launches Insider Threat Self-Assessment Tool"

    The U.S. Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) released the Insider Threat Risk Mitigation Self-Assessment Tool, which aims to help public and private sector organizations assess their vulnerability to insider threats. According to the agency, the tool prompts users to answer a set of questions and then provides feedback based on the given answers. The tool is intended to help users increase their understanding of insider threats so that they can take the proper steps to create their own programs for prevention and mitigation. David Mussington, CISA's executive assistant director for infrastructure security, emphasizes that although many security efforts are focused on external threats, the biggest threat can come from inside the organization. CISA urges all its partners, including small and medium businesses that may have limited resources, to utilize the new tool to develop a plan for preventing insider threats. In a recent announcement, the agency noted that insider threats could pose significant risks to organizations because of the internal perpetrators' institutional knowledge and the trust put in them. CISA officials say these threats can derive from current or former employees, contractors, and others with inside knowledge. Insider threats can lead to the compromise of sensitive information, reputational damage for an organization, loss of revenue, intellectual property theft, and more. This article continues to discuss CISA's Insider Threat Risk Mitigation Self-Assessment Tool and how insider threats pose risks to organizations.

    GovInfoSecurity reports "CISA Launches Insider Threat Self-Assessment Tool"

  • news

    "Combating Vulnerability Fatigue With Automated Security Validation"

    Log monitoring, firewall, and antivirus technologies have been valuable tools for alerting IT teams to suspicious network behavior, but the underlying technologies that support security teams in their day-to-day operations have remained the same as digital transformation continues. It has become more difficult to differentiate between benign and malicious behavior as attacks grow in sophistication. Threat actors behind such attacks often now use legitimate operating systems and are harder to detect within regular network behavior. Not all suspicious behavior is malicious, so what was intended to provide useful insight into network activity has become a challenge for many security professionals. Using the wrong toolset to deal with a problem leads to reverse evolution, as seen in the vulnerability management market, where tools increasingly become a distraction to security professionals. Security teams are flooded with long lists of community-prioritized vulnerabilities because of legacy vulnerability management tools. Over 15,000 vulnerabilities were discovered in 2020 alone, 8 percent of which were exploited by attackers. This problem is described as a cat and mouse game, with security teams chasing a continuously growing list of vulnerabilities without knowing whether they fixed the ones that attackers actually want to abuse, exposed the most critical vulnerabilities, checked whether an active exploit exists for a specific flaw, or analyzed the potential impact of the vulnerability. Security and IT teams need all that context to effectively reduce risk, maintain business continuity, and stay ahead of adversaries. Automated security validation can allow security teams to get ahead of the vulnerability curve by pinpointing the most critical vulnerabilities, which would help combat vulnerability fatigue and more. This article continues to discuss vulnerability management challenges faced by security teams and how automated security validation differs from legacy vulnerability management.

    Help Net Security reports "Combating Vulnerability Fatigue With Automated Security Validation"

  • news

    "A Simple Bug Is Leaving AirTag Users Vulnerable to an Attack"

    Bobby Rauch, a security consultant and penetration tester, has discovered that Apple's AirTags do not sanitize user input. These AirTags are attached to laptops, phones, and other frequently lost items. The lack of user input sanitization leaves AirTags susceptible to being used in attacks in which a malicious actor drops a maliciously prepared AirTag. This would be an alternative to dropping USB drives infected with malware in a target's parking lot. A drop attack using AirTags only requires the threat actor to type valid XSS into the AirTag's phone number field, put the AirTag in Lost Mode, and drop it where the potential victim is likely to find it. In theory, scanning a lost AirTag is a safe activity, as it is only supposed to bring up a webpage, but the problem is that the webpage embeds the contents of the phone number field, unsanitized, as displayed in the victim's browser. According to Rauch, the vulnerability is exploited by using simple XSS to pop up a fake iCloud login dialog on the victim's phone. This article continues to discuss the AirTag vulnerability that could be exploited by attackers to redirect users to malicious websites.

    Wired reports "A Simple Bug Is Leaving AirTag Users Vulnerable to an Attack"

  • news

    "Cybercrime Awareness Heightened, Yet People Still Engage in Risky Online Behaviors"

    Researchers at Aura recently conducted a new survey of 2,000 U.S. adults. They found that 76% of Americans recognize that data breaches are serious, showing a high awareness that may be driven by news of significant consumer, enterprise, and infrastructure breaches over the past year alone. The researchers also found that Americans are torn on whether things will improve by 2030. Almost half of the respondents (45%) expect to feel more secure online in 2030 compared to today, either due to fewer cybercriminals (11%) or more products/solutions to combat them (34%). However, many people believe they will feel about the same (26%) or even less secure (22%) in 2030 than they feel online today. The researchers stated that although awareness of cybercrime has clearly heightened, there's a correlation between adults who are engaging in risky online behaviors and those who have experienced digital crime. The survey found that about 1 in 2 Americans who have experienced digital crime have opened emails from unknown senders (51%) and have downloaded software/files from unknown origins (50%). Of those who experienced digital crime, 74% of them used the same passwords across multiple accounts. During the survey, 80% of the respondents believed that the U.S. government has an obligation to protect consumers' personal information. Even more of the participants believe the protection of personal data and information should be a right that everyone is given for free (84%), and 83% believe that data protection should be provided, for free, by schools and employers.

    Help Net Security reports: "Cybercrime Awareness Heightened, Yet People Still Engage in Risky Online Behaviors"

  • news

    "Major Data Breach Hits Neiman Marcus"

    The owner of two chains of American luxury department stores has warned 4.6 million Neiman Marcus customers that their personal data may have been exposed in a security incident that happened 17 months ago. Neiman Marcus Group, which owns the Neiman Marcus and Bergdorf Goodman department stores and the high-end home goods line Horchow, said the incident may have exposed information, including names, contact details, and payment card information. While the investigation into the incident is ongoing, the Group said that the breach occurred in May 2020. The ongoing investigation has revealed that an unauthorized attacker may have accessed usernames, passwords, and security questions and answers linked to Neiman Marcus online accounts. Also, approximately 3.1 million payment cards and virtual gift cards were affected by the security incident. The company stated that only 15% of the impacted cards were valid or unexpired. The Group noted that the breach impacted no active Neiman Marcus-branded credit cards. No evidence has been found so far to suggest that Bergdorf Goodman or Horchow online customer accounts were affected by the breach. Since learning of the incident, the Group has required an online account password reset for affected customers who had not changed their password since May 2020.

    Infosecurity reports: "Major Data Breach Hits Neiman Marcus"

  • news

    "Hackers Rob Thousands of Coinbase Customers Using MFA Flaw"

    Hackers stole from 6,000 customers of Coinbase, which is the world's second-largest cryptocurrency exchange with nearly 68 million users worldwide. The hackers exploited a vulnerability to circumvent the company's SMS multi-factor authentication security feature. According to Coinbase, the hacking campaign aimed at breaching its customers' accounts and stealing cryptocurrency was conducted between March and May 20, 2021. The company says the attack required the actors to know the customer's email address, password, and phone number associated with their account and to have access to the victim's email account. The way in which the threat actors gained access to this information remains unknown. However, Coinbase believes the attackers accessed the information through phishing attacks against Coinbase customers. Banking trojans are also known to have been used to steal funds from Coinbase accounts. Coinbase disclosed that the attackers took advantage of a vulnerability in its SMS Account Recovery process to obtain the SMS two-factor authentication token needed to access a customer's account. Once the company became aware of the attack, actions were taken to fix the SMS Account Recovery protocols to prevent malicious actors from circumventing SMS multi-factor authentication. Since the hackers had full access to a Coinbase account, customers' personal information, including their full name, email address, home address, date of birth, transaction history, and more, was exposed. Coinbase customers are urged to change their passwords immediately. They are also encouraged to watch out for future targeted phishing emails or SMS texts attempting to steal credentials using the information exposed in the Coinbase breach. This article continues to discuss the theft of cryptocurrency from Coinbase customers, the flaw exploited by the hackers behind this incident, the company's response to the breach, and other security incidents faced by Coinbase.

    Bleeping Computer reports "Hackers Rob Thousands of Coinbase Customers Using MFA Flaw"

  • news

    "Widely Used Bitcoin ATMs Have Major Security Flaws, Researchers Warn"

    According to a new report from security researchers with the crypto exchange Kraken, many of the Bitcoin ATMs placed at gas stations, bars, malls, and other locations across the U.S. contain security vulnerabilities, leaving them open to hacking. The number of active Bitcoin ATMs in the U.S. is estimated to be more than 42,000, which is a significant increase from January 2021, when it was reported that there were 28,000. These ATMs allow users to purchase cryptocurrency with cash or credit, and they process sensitive financial data. The researchers found several software and hardware flaws in the General Bytes BATMtwo (GBBATM2) model of Bitcoin ATMs. It is estimated that the manufacturer has provided almost 23 percent of all Bitcoin ATMs globally. Many GBBATM2 units were installed without the owners changing the default admin QR code that serves as a password. Therefore, anyone who obtains the code could take control of the ATM. Kraken's researchers have stressed the seriousness of the QR code issue since they discovered that the default code is shared across units. They purchased multiple ATMs from different sources and found that each had the same default key configuration. No fleet management was found for admin QR codes, emphasizing the need to manually update those critical passwords on each unit. The Android OS running on the GBBATM2 was also found to lack basic security features, such as locking down the full Android UI. They discovered that it is possible to gain access to the full Android UI by attaching a USB keyboard to the BATM, thus potentially allowing malicious actors to install applications, copy files, and more. Other serious flaws reported by the researchers include a failure to enable secure-boot functionality or lock the bootloader. This article continues to discuss the security flaws found in the GBBATM2 model of Bitcoin ATMs.

    Gizmodo reports "Widely Used Bitcoin ATMs Have Major Security Flaws, Researchers Warn"

  • news

    "CISA Kicks Off Cybersecurity Awareness Month"

    The U.S. Homeland Security Department's Cybersecurity and Infrastructure Security Agency (CISA) has kicked off Cybersecurity Awareness Month. President Biden proclaimed October as Cybersecurity Awareness Month, calling on public and private sectors to work together to raise awareness about the importance of cybersecurity and ensure that the public has the resources they need to be more secure online. During the month of October, CISA, in partnership with the National Cyber Security Alliance (NCSA), will participate in several events, social media engagements, and other efforts to encourage people to take more control over their cybersecurity and take steps to be safe online. This month, CISA will focus on making sure the public is following good cyber hygiene behavior. The agency urges everyone to implement multi-factor authentication on accounts, update software, think before clicking, and use strong passwords. This article continues to discuss the kick-off, purpose, and themes of Cybersecurity Awareness Month 2021.

    HSToday reports "CISA Kicks Off Cybersecurity Awareness Month"

  • news

    "New APT ChamelGang Targets Russian Energy, Aviation Orgs"

    A new APT group has emerged that is specifically targeting the fuel and energy complex and aviation industry in Russia, exploiting known vulnerabilities like Microsoft Exchange Server's ProxyShell and leveraging both new and existing malware to compromise networks. Since March, researchers at security firm Positive Technologies have been tracking the group, dubbed ChamelGang for its chameleon-like capabilities. Though the attackers mainly have been seen targeting Russian organizations, they have attacked targets in 10 countries so far. To avoid detection, ChamelGang hides its malware and network infrastructure under legitimate services of established companies like Microsoft, TrendMicro, McAfee, IBM, and Google in a couple of unique ways, researchers observed. One is to acquire domains that imitate their legitimate counterparts, such as,,,, and The other is to place SSL certificates that also mimic legitimate ones, such as,,,, on its servers. ChamelGang, like Nobelium and REvil before it, has hopped on the bandwagon of attacking the supply chain first to gain access to its ultimate target. In one of the cases analyzed by Positive Technologies, the group compromised a subsidiary and penetrated the target company's network through it. The researchers stated that the attackers also appear malware-agnostic when it comes to tactics, using both known malicious programs such as FRP, Cobalt Strike Beacon, and Tiny Shell, as well as the previously unknown malware ProxyT, BeaconLoader, and the DoorMe backdoor.

    Threatpost reports: "New APT ChamelGang Targets Russian Energy, Aviation Orgs"

  • news

    "Scammers Capitalize on Release of New Bond Movie"

    Researchers from Kaspersky have found that cybercriminals are exploiting the long-awaited release of the new James Bond movie No Time to Die. Adversaries are taking advantage of the bigger than usual buzz around this particular Bond title by operating malicious pop-ups, digital adverts, and phishing websites dedicated to the new release. To lure victims, scammers and criminals have been dressing up malicious movie files so that they appear to be a leaked copy of No Time to Die. In reality, the files contain unwanted software or malware. Kaspersky researchers found and analyzed malicious files disguised as the new movie and movie-related phishing websites in the lead-up to the film's premiere. They found Trojans, malicious programs that can give cybercriminals backdoor access to a victim's sensitive data. The researchers also encountered adware, ransomware, and Trojan-PSW, which are stealers capable of gathering login credentials. Also, the researchers discovered phishing websites set up to steal victims' bank details. The sites play only part of the movie before asking the viewer to register and enter their credit card information. However, after registration is complete, the user can't continue watching. Money is debited from their card, and the payment data ends up in the fraudster's hands. The researchers stated that users should be alert to the pages they visit, should not download files from unverified sites, and should be careful with whom they share personal information.

    Infosecurity reports: "Scammers Capitalize on Release of New Bond Movie"

  • news

    NSA Cybersecurity Speaker Series - Embracing a Zero Trust Mindset

    Dr. Josiah Dykstra, host of NSA's Cybersecurity Speaker Series, speaks with Randy Resnick, the NSA Zero Trust Strategic Lead, about the principles of the Zero Trust cybersecurity model for securing enterprise networks.

    For more on cybersecurity at NSA, and to find out when the next episode in our speaker series will be posted, follow us on Twitter @NSACyber.

  • news

    "Researchers Discover Vulnerability in Widely-Used Method for Securing Phone Data"

    Researchers at the Georgia Institute of Technology demonstrated an attack on two different types of low-end Android phones, a ZTE Zfive and an Alcatel Ideal. These attacks showed that one of the measures put in place to secure data on a low-end phone could be misused by attackers to steal it. The attack involves placing a radio sensor close enough to a device to detect weak radio waves inadvertently emitted by a phone's processor. An attacker can figure out a user's secret key by looking at a single secure web transaction transmitted in the signals. Milos Prvulovic, professor of Computer Science at Georgia Tech and co-author of the study, said it proves that a significantly powerful attack, capable of stealing secret keys, can be performed under realistic conditions. The attack targets a standard encryption process used in various online activities, during which two endpoints on a network exchange a series of messages to verify each other's identity. If they are unable to verify their identities, then they will know not to send private data. Verifying one's identity amounts to executing a specific type of encryption algorithm involving a series of operations on a secret key called a nonce, which can be represented as a binary number. A phone's processor emits a weak radio signal for each operation that it carries out. That signal is thousands of times weaker than the signal of a Wi-Fi transmitter. These signals are considered side-channel emissions because they do not come from the phone's primary channels of communication. The constant-time algorithm meant as a countermeasure against side-channel attacks is what allows the researchers' attack to work. If the researchers can make the attack work on high-end phones, the same vulnerability could impact billions of widely-used modern devices. This article continues to discuss the flaw found in the widely-used method for securing phone data.

    Georgia Tech reports "Researchers Discover Vulnerability in Widely-Used Method for Securing Phone Data"

  • news

    "Facebook Open-Sources 'Mariana Trench' Code Analysis Tool"

    Facebook has open-sourced Mariana Trench, a tool that has been used to find potentially dangerous security and privacy flaws in the company's Android and Java applications. The tool has already been trained by Facebook's security and software engineers. It can scan large mobile codebases to spot flaws on pull requests. According to Facebook, users can customize the tool to look for specific vulnerabilities, even in large codebases. Users can do this by defining rules telling the tool where data comes from and where it should not go. For example, a user could set a rule specifying that they want to find intent redirections, which allow the interception of sensitive data by attackers if exploited. In this case, the user would define the rule to show traces from user-controlled sources to an intent redirection sink. This article continues to discuss the purpose, capabilities, and potential use of the Mariana Trench tool.

    Security Week reports "Facebook Open-Sources 'Mariana Trench' Code Analysis Tool"

  • news

    "The Simple, Yet Complex Nature of Social Engineering"

    According to the 2021 Cybersecurity Statistics report from Purplesec, nearly 100 percent of cyberattacks have relied on the performance of social engineering to manipulate employees within an organization to hand over passwords and other sensitive information to threat actors. Cybercriminals now conduct thorough analyses of targets using social media or other online sources. Phishing remains the most common social engineering scam as Proofpoint reported that 75 percent of organizations globally experienced a phishing attack in 2020. In addition, Verizon discovered that 96 percent of social engineering attacks are delivered via email. In comparison, only 3 percent are performed through a website, and just 1 percent are associated with phone or SMS communications. This article continues to discuss why social engineering attacks are effective, phishing as the most common social engineering scam, and other types of social engineering attacks that are growing in popularity among fraudsters.

    SC Magazine reports "The Simple, Yet Complex Nature of Social Engineering"

  • news

    "Canadian Vaccine Passport App Exposes Data"

    Canadian vaccine passport app PORTpass may have exposed personal information belonging to hundreds of thousands of users. According to a report by CBC News, the app's operators left data, including names, identification documents, and email addresses, on an unsecured website. The personal information was allegedly stored in plain text and could be accessed by the public. Following a tipoff, the news source investigated the security of the PORTpass website. CBC News stated that it was able to verify that app users' information, among other things, was exposed: "Email addresses, names, blood types, phone numbers, birthdays, as well as photos of identification like driver's licenses and passports can easily be viewed by reviewing dozens of users' profiles." The team behind the app is based in Calgary and is led by Chief Executive Officer Zakir Hussein. In response to concerns over the app's security, Hussein reportedly denied that PORTpass was experiencing any verification or security issues. However, the app's website has been taken offline, and visitors to the site are currently met with the message, "We are updating. Stay tuned." PORTpass is described on Google Play as "a secure and contactless way for a member of the public to gain access to a building, site, or ticketed event using their secure MapleCode." Hussein reportedly said the app has more than 650,000 registered users across Canada.

    Infosecurity reports: "Canadian Vaccine Passport App Exposes Data"

  • news

    "Vulnerability Exposes iPhone Users to Payment Fraud"

    New research from the University of Birmingham and the University of Surrey has found that many iPhone users are vulnerable to payment fraud due to Apple Pay and Visa vulnerabilities. The researchers stated that they could bypass an iPhone's Apple Pay lock screen to perform contactless payments when the Visa card is set up in 'Express Transit mode' in an iPhone's wallet. Transit mode allows users to make a quick contactless mobile payment without fingerprint or facial recognition authentication. The team used simple radio equipment to uncover a unique code broadcast by the transit gates, or turnstiles, which unlocks Apple Pay. This code, dubbed 'magic bytes,' was used to interfere with the signals going between the iPhone and a shop card reader. The researchers could then trick the iPhone into believing it was interacting with a transit gate rather than a shop card reader by broadcasting the magic bytes and changing other fields in the protocol. Therefore, this weakness could potentially be exploited by hackers to make transactions from an iPhone inside someone's bag without their knowledge. The technique even enabled the experts to bypass the contactless limit, enabling any amount to be taken without the iPhone user's knowledge. This is because the shop reader believed the iPhone had successfully completed its user authorization. The researchers stated that the vulnerability only applies to Apple Pay and Visa systems working together and does not affect other combinations, such as Mastercard in iPhones.

    Infosecurity reports: "Vulnerability Exposes iPhone Users to Payment Fraud"

  • news

    Pub Crawl #54

    Pub Crawl summarizes, by hard problems, sets of publications that have been peer reviewed and presented at SoS conferences or referenced in current work. The topics are chosen for their usefulness for current researchers.

  • news

    "The GriftHorse Mobile Trojan Has Stolen a Fortune From Over 10 Million Victims"

    Evidence suggests that the new "GriftHorse" Android Trojan has stolen millions of dollars from more than 10 million victims globally. According to Zimperium zLabs, the new malware has been embedded in nearly 200 malicious applications, which have been distributed through the Google Play Store and third-party application platforms. GriftHorse has generated millions in revenue for its operators each month as it has infected so many devices. The GriftHorse campaign, believed to have been in operation since November 2020, tricks victims into handing over their phone number, which is then used to subscribe them to premium SMS messaging services without their knowledge and consent. The categories of Android apps through which the malware has been distributed include communication, dating, lifestyle, music, health, education, personalization, productivity, simulation, finance, and more. This article continues to discuss the distribution, capabilities, and impact of the GriftHorse Trojan.

    "The GriftHorse Mobile Trojan Has Stolen a Fortune From Over 10 Million Victims"

  • news

    "Most Third-Party Cloud Containers Have Vulnerabilities"

    Researchers at Palo Alto Networks have discovered that the vast majority of third-party code used in cloud infrastructure contains vulnerabilities and misconfigurations, which could leave organizations exposed to attack. The researchers found that 63% of third-party code templates used to build cloud infrastructure contain insecure configurations, while 96% of third-party container applications deployed in cloud infrastructure contain known vulnerabilities. The researchers stated that unvetted third-party code can introduce vulnerabilities as well as malware inserted on purpose by threat actors. The researchers analyzed public Terraform modules and found that over 2,500 were misconfigured in encryption, logging, networking, backup and recovery, and identity and access management. The researchers stated that teams continue to neglect DevOps security partly because of the lack of attention given to supply chain threats.

    Infosecurity reports: "Most Third-Party Cloud Containers Have Vulnerabilities"

  • news

    SoS Musings #53 - True Randomness Boosts Security

  • news

    Cyber Scene #60 - From All Foreign and Domestic Cyber Enemies and Their Minions

  • news

    Cybersecurity Snapshots #22 - BlackMatter: The DarkSide Ransomware Group Rebranded?

  • news

    Spotlight on Lablet Research #22 - Obsidian: A Language for Secure-by-Construction Blockchain Programs

  • news

    "SolarWinds Attackers Hit Active Directory Servers with FoggyWeb Backdoor"

    Researchers have found that the threat actors behind the notorious SolarWinds supply-chain attacks have dispatched new malware to steal data and maintain persistence on victims' networks. Researchers from the Microsoft Threat Intelligence Center (MSTIC) have observed the APT that Microsoft calls Nobelium using a post-exploitation backdoor dubbed FoggyWeb to attack Active Directory Federation Services (AD FS) servers. AD FS enables single sign-on (SSO) across cloud-based apps in a Microsoft environment by sharing digital identity and entitlement rights. The researchers stated that the attacks started as far back as April. The researchers noted that Nobelium is employing "multiple tactics to pursue credential theft" to gain admin privileges to AD FS servers. Once a server is compromised, the threat group deploys FoggyWeb to remotely exfiltrate the configuration database of compromised AD FS servers, decrypted token-signing certificates, and token-decryption certificates, which can be used to penetrate users' cloud accounts. The researchers also noted that in addition to remotely exfiltrating sensitive data, FoggyWeb achieves persistence and communicates with a command-and-control (C2) server to receive additional malicious components and execute them.

    Threatpost reports: "SolarWinds Attackers Hit Active Directory Servers with FoggyWeb Backdoor"

  • news

    "Half of Regulated Firms See Pandemic Spike in Financial Crime"

    During a new survey conducted by SmartSearch, researchers found that around half of firms in the financial services, property, and legal sectors have reported rising levels of financial crime over the past 12 months. During the study, researchers polled 500 regulated businesses in the UK to better understand the levels of risk facing players in each vertical. Overall, 48% of respondents said they'd seen a rise in financial crime, and a quarter (26%) admitted they'd been victims of attacks. Legal firms, including conveyancers, experienced the most significant number of compromises, with a third (33%) saying they had been a victim of financial crime. The researchers stated that the legal sector is an increasingly attractive target for state-backed and financially motivated cyber-criminals, given the wealth of sensitive client information that legal practices typically hold. The SmartSearch study also revealed variations across different regions of the UK. For example, almost two-thirds (64%) of regulated businesses in the East Midlands reported a rise in fraud attempts versus 55% in London.

    Infosecurity reports: "Half of Regulated Firms See Pandemic Spike in Financial Crime"

  • news

    "New Azure Active Directory Password Brute-Forcing Flaw Has No Fix"

    A bug recently discovered in the implementation of Azure Active Directory (AD) enables single-factor brute-forcing of a user's AD credentials. An attacker can have unlimited attempts at guessing a user's username and password because these attempts are not logged on the server. The Secureworks Counter Threat Unit (CTU) research team discovered the flaw in the protocol used by the Azure AD Seamless Single Sign-On (SSO) service. According to the team, threat actors can use this flaw to perform single-factor brute-force attacks against Azure AD without generating sign-in events in the targeted organization's tenant. The lack of visibility into failed sign-in attempts is a problem because most security tools and countermeasures implemented to detect brute-force or password spraying attacks rely on sign-in event logs and look for specific error codes. This article continues to discuss findings surrounding the Azure AD password brute-forcing flaw.

    Ars Technica reports "New Azure Active Directory Password Brute-Forcing Flaw Has No Fix"

  • news

    Visible to the public "picoCTF Impresses at the Women in Cybersecurity Conference"

    Security and privacy experts at Carnegie Mellon University (CMU) created an educational program called picoCTF, which is aimed at bringing more people into the cybersecurity field. The picoCTF team hosted a workshop at this year's conference for Women in Cybersecurity (WiCyS), a global community dedicated to bringing talented women together to cultivate their passion and drive for cybersecurity. The goal is to increase female participation in Capture-the-Flag (CTF) events as these events help strengthen cybersecurity skills. Those who attended the workshop hosted by the picoCTF team learned about participating in CTFs and creating challenges for such security competitions. The team also ran a mini-competition using the picoCTF platform in which more than 200 women at the conference participated. This article continues to discuss the lack of representation of women in the cybersecurity field, the WiCyS community dedicated to the advancement of women in cybersecurity, and the picoCTF team's work at this year's WiCyS conference.

    CyLab reports "picoCTF Impresses at the Women in Cybersecurity Conference"

  • news

    Visible to the public "TangleBot Malware Reaches Deep into Android Device Functions"

    Researchers at Cloudmark have discovered a new Android malware called TangleBot. According to the researchers, the newly discovered mobile malware is spreading via SMS messaging in the U.S. and Canada, using lures about COVID-19 boosters and regulations. The goal is to social-engineer targets into clicking on an embedded link, which takes them to a website. The site tells users they need an "Adobe Flash update." If they click through the subsequent dialog boxes, the TangleBot malware installs. The malware has been given the moniker TangleBot because of its many levels of obfuscation and its control over a myriad of entangled device functions, including contacts, SMS and phone capabilities, call logs, internet access, GPS, and the camera and microphone. TangleBot grants itself privileges to access and control all of the above. The researchers stated that attackers can manipulate the incoming voice call function to block calls and can also silently make calls in the background, with users none the wiser. The researchers also noted that TangleBot can send, obtain, and process text messages for SMS fraud, two-factor authentication interception, self-propagation to contacts, and more. The malware also has deep spyware capabilities, with the ability to record or directly stream the camera, screen, or microphone audio to the attacker, along with "other device observation capabilities," according to Cloudmark. Gaining access to the GPS functionality, for example, creates the potential for location tracking. The researchers also noted that the malware can take stock of installed applications, interact with them, and place overlay screens on top of them to harvest credentials in the style of a banking trojan.

    Threatpost reports: "TangleBot Malware Reaches Deep into Android Device Functions"

  • news

    Visible to the public "Attackers Target Critical VMware Bug"

    The remote code execution vulnerability in VMware's vCenter Server, tracked as CVE-2021-22005, is being targeted by malicious actors. Security researchers have seen different actors running mass scans for vulnerable instances. According to the security firm Censys, over 3,200 potentially vulnerable vCenter Server instances exposed to the Internet have been identified. Exploitation of the vulnerability could allow a remote attacker to upload an arbitrary file without authentication. It impacts versions 6.7 and 7.0 of vCenter Server, and versions 3.x and 4.x of Cloud Foundation. VMware released information on a workaround to mitigate the vulnerability. Attacks involving this vulnerability have also prompted the U.S. Homeland Security Department's Cybersecurity and Infrastructure Security Agency (CISA) to issue an advisory urging organizations to update immediately. As exploit code is publicly available, CISA expects this vulnerability to be widely exploited. This article continues to discuss the exploitation of the VMware bug and other key findings from the analysis of the flaw.

    Decipher reports "Attackers Target Critical VMware Bug"

  • news

    Visible to the public "A Multi-Party Data Breach Creates 26x the Financial Damage of Single-Party Breach"

    New research by Cyentia Institute and RiskRecon explores how a multi-party data breach affects many organizations. The study delved into 897 multi-party breaches that involved three or more interrelated companies. According to the study, 897 multi-party breach incidents, also called ripple events, have been observed since 2008. The data set showed that 108 ripple events occurred in the last three years. A median ripple event is said to cause 10 times the financial damage of a single-party breach. The worst multi-party breaches cause 26 times the financial damage of the worst single-party breach. The increasingly interconnected digital world has led to an increasing number of security exposures that cause a ripple effect across multiple organizations. For example, the breach of a technology service provider could expose the records of hundreds of businesses. This article continues to discuss the study on the impact of multi-party data breaches.

    Help Net Security reports "A Multi-Party Data Breach Creates 26x the Financial Damage of Single-Party Breach"

  • news

    Visible to the public "Apps for Popular Smart Home Devices Contain Security Flaws, New Research Finds"

    A new study conducted by cybersecurity researchers at Florida Tech found that the smartphone companion applications of 16 popular smart home devices have critical cryptographic flaws. The exploitation of these flaws allows attackers to intercept and modify traffic. The growing use of Internet of Things (IoT) devices such as connected locks, motion sensors, security cameras, and smart speakers has put more people at risk of cyber intrusions. Through the demonstration of man-in-the-middle (MITM) attacks against 20 devices, the researchers discovered that 16 device vendors failed to implement security measures. According to the researchers, the distributed communications architecture of IoT devices introduces vulnerabilities that attackers could use to intercept and manipulate the communications channel and affect the user-level perception of an IoT device. They disclosed the vulnerabilities to affected vendors before they released the results of their study. IoT devices found to be vulnerable to MITM attacks include Amazon Echo, Google Home camera, Roku TV, and more. Many of the vendors have started implementing the researchers' recommendations for preventing such attacks. This article continues to discuss the discovery, disclosure, and potential impact of security flaws in popular smart home devices.

    Florida Institute of Technology reports "Apps for Popular Smart Home Devices Contain Security Flaws, New Research Finds"

  • news

    Visible to the public "Google Says Threat Actors Using New Code Signing Tricks to Evade Detection"

    Google's Threat Analysis Group found that threat actors have recently used a new code-signing trick to avoid detection on Windows systems, and has notified Microsoft of its findings. The OpenSUpdater operation used legitimate code-signing certificates but produced invalid signatures, edited so that an End of Content marker replaced a NULL tag. While some security products detect such signatures as invalid, Windows operating systems treated them as valid.

    Security Week reports "Google Says Threat Actors Using New Code Signing Tricks to Evade Detection"

  • news

    Visible to the public "You Can Now Sign-in to Your Microsoft Accounts Without a Password"

    In an effort to strengthen security for Microsoft users, the company is now rolling out a way to access Microsoft accounts such as Microsoft 365, Teams, Outlook, OneDrive, and Family Safety without passwords. The feature is available after linking users' accounts to an authenticator app and turning on the Passwordless Account setting under Advanced Security Options-Additional Security Options. They can use Microsoft Authenticator, Windows Hello, a security key, or a verification code sent via SMS or Email.

    The Hacker News reports "You Can Now Sign-in to Your Microsoft Accounts Without a Password"

  • news

    Visible to the public "Inside Genesis: The Market Created by Cybercriminals To Make Millions Selling Your Digital Identity"

    Cybercriminals are flocking to the Genesis marketplace, a one-stop shop for login credentials, cookies, device fingerprints, website vulnerabilities, and other sensitive data on hackers' wish lists. The invite-only market has become an important tool for hackers carrying out their attacks. The site offers personal data stolen in breaches of companies and organizations worldwide. Genesis is easy to use, hosted on the regular internet, and has a modern interface, unlike the dark web markets that require special software and payment in obscure cryptocurrencies. Genesis's professional operators are anonymous and highly skilled and have so far been able to evade law enforcement. More and more criminals are expected to join the platform.

    CBS News reports "Inside Genesis: The Market Created by Cybercriminals To Make Millions Selling Your Digital Identity"

  • news

    Visible to the public "FBI and CISA Issue Conti Warning"

    An alert has been issued by the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) over Conti ransomware. In the warning, posted on September 22, the agencies observed the increased use of Conti in more than 400 attacks against organizations in the United States and internationally. Conti actors often get network access via spearphishing campaigns, stolen or weak remote desktop protocol (RDP) credentials, phone calls, fake software promoted via search engine optimization, common vulnerabilities in external assets, and other malware distribution networks. In the execution phase, the actors run a getuid payload, then use a more aggressive payload to lower the risk of triggering antivirus engines. Cobalt CISO Andrew Obadiaru recommends that business leaders deploy the following security safeguards: invest in email filtering and phishing detection capabilities, protect and properly secure your remote desktop platform connectivity, perform regular backup testing, and ensure your backups are offline.

    Infosecurity reports: "FBI and CISA Issue Conti Warning"

  • news

    Visible to the public "Exchange/Outlook Autodiscover Bug Spills 100K+ Email Passwords"

    Guardicore security researchers have discovered a severe design bug in Microsoft Exchange's Autodiscover protocol, which lets users easily configure applications such as Microsoft Outlook with just an email address and password. The researchers stated that the flaw has caused the Autodiscover service to leak nearly 100,000 unique login names and passwords for Windows domains worldwide. The design flaw causes the protocol to leak web requests to Autodiscover domains outside of the user's own domain if they share the same TLD. Guardicore registered a slew of those domains and found that it could set them up to intercept clear-text account credentials from hapless users experiencing network difficulties or whose admins misconfigured DNS. The researchers noted that this flaw is a severe security issue: if an attacker can control such domains or sniff traffic on the same network, they can capture domain credentials transferred over the wire in plain text (HTTP basic authentication). The researchers also stated that if the attacker has large-scale DNS-poisoning capabilities (such as a nation-state attacker), they could systematically siphon out leaked passwords through a large-scale DNS poisoning campaign based on these Autodiscover TLDs (top-level domains). The flaw has not been patched, and Microsoft Senior Director Jeff Jones stated that Guardicore disclosed the flaw publicly before reporting it to the company. This is not the first time that the flaw has been publicly reported.

    Threatpost reports: "Exchange/Outlook Autodiscover Bug Spills 100K+ Email Passwords"

  • news

    Visible to the public "Preventing Abuse in Encrypted Communication"

    It remains a significant challenge to mitigate the abuse of encrypted social media communication on WhatsApp, Signal, and other platforms while ensuring user privacy. This challenge spans technological, legal, and social realms. A multidisciplinary team of Cornell researchers received a five-year, $3 million National Science Foundation (NSF) grant to make significant steps toward safe and secure online communication. The project, "Privacy-Preserving Abuse Prevention for Encrypted Communications Platforms," aims to prevent abuse in encrypted communication by going beyond just technical aspects. The project's multidisciplinary approach is expected to help delve deeper into the design of systems, their use by different communities, legal frameworks, and questions regarding social norms and expectations. The team has been working on this challenge for some time, having just released a new paper on arXiv titled "Increasing Adversarial Uncertainty to Scale Private Similarity Testing," which addresses the difficulty of enabling privacy-preserving client-side warnings of potential abuse in encrypted communication. The NSF-funded research is organized around two overlapping approaches: algorithm-driven and community-driven. The algorithm-driven approach focuses on developing better cryptographic tools for privacy-aware abuse detection in encrypted settings; for example, it is important to detect viral, fast-spreading content. A human-centered approach to understanding people's privacy expectations will inform the design of these tools. Legal analyses will also support the tools to ensure that they comply with applicable privacy and content-moderation laws. The community-driven approach will focus on providing tools to online communities that address abuse challenges in encrypted settings. The researchers will explore the development of distributed moderation capabilities to support communities on these platforms. This article continues to discuss the project aimed at mitigating the abuse of encrypted social media communication while also preserving user privacy.

    Homeland Security News Wire reports "Preventing Abuse in Encrypted Communication"

  • news

    Visible to the public "US Eye-Care Providers Report Data Breaches"

    The protected health information of hundreds of thousands of Americans has been exposed in two separate security incidents at eye-care providers in the United States. Simon Eye Management reported a data breach to the Department of Health and Human Services' Office for Civil Rights on September 14. An email hacking incident at the Delaware-based eye-care group exposed the data of 144,000 individuals. Suspicious activity was observed on June 8th. An investigation carried out with the help of third-party computer forensic specialists found that unauthorized access to some employee email accounts had occurred from May 12, 2021, to May 18, 2021. Information impacted by the incident may have included names, medical histories, treatment or diagnosis information, and health insurance information. In addition, Simon Eye said that "a smaller number of individuals" may also have had their Social Security numbers, birth dates, and/or financial account information exposed. The eye-care provider said that it had not discovered any evidence of data misuse linked to the incident. On May 12, USV Optical, Inc., a subsidiary of U.S. Vision, Inc., noticed suspicious activity on its network. A forensic investigation confirmed that hackers could access specific USV Optical servers and systems for nearly a month. It was determined that data belonging to 180,000 individuals (employees and patients) might have been accessed and possibly exfiltrated by an unauthorized individual from April 20, 2021, to May 17, 2021. Information that could have been compromised included names, eye-care insurance information, and insurance claims information. In a security notice, USV Optical said that addresses, dates of birth, and/or "other individual identifiers" may also have been exposed for some individuals. USV Optical stated that they have no evidence of any identity theft or fraud occurring due to this incident.

    Infosecurity reports: "US Eye-Care Providers Report Data Breaches"

  • news

    Visible to the public "Cybersecurity Vulnerability Could Affect Millions of Hikvision Cameras"

    On Sunday, video surveillance giant Hikvision posted a security advisory on its website warning customers of a cyber vulnerability that could impact millions of cameras and NVRs deployed globally. Security researchers at Watchful IP discovered the vulnerability back in June. The researchers stated that the "command injection vulnerability" could allow threat actors to control compromised devices completely. The vulnerability received a base score of 9.8 out of 10 per the Common Vulnerability Scoring System (CVSS), which Watchful IP called "the highest level of critical vulnerability." Although the video surveillance giant has not disclosed how many products are likely impacted, posting only product names and firmware versions, it is estimated that more than 100 million devices could be affected. Hikvision worked with Watchful IP to patch the vulnerability, and the company has patched all vulnerabilities reported to the company in its latest firmware version.

    Infosecurity reports: "Cybersecurity Vulnerability Could Affect Millions of Hikvision Cameras"

  • news

    Visible to the public "FamousSparrow Hacking Group Targets Governments, Engineers Worldwide"

    A new hacking group, dubbed FamousSparrow by ESET researchers, has targeted entities worldwide to spy on them. The group is believed to have been active since at least 2019, with links to attacks against governments, international organizations, engineering firms, legal companies, and the hospitality sector. Its victims are in the U.K., Israel, Saudi Arabia, Taiwan, Burkina Faso in West Africa, Brazil, Canada, and Guatemala. According to ESET, current threat data suggests that FamousSparrow is a separate group from other active Advanced Persistent Threats (APTs), but there seem to be some overlaps. For example, exploit tools used by FamousSparrow threat actors were set up using a command-and-control (C2) server associated with the DRBControl APT. In another case, the FamousSparrow group appeared to have been using a variant of a loader employed by SparklingGoblin. This new APT joined at least ten other APT groups that have exploited the ProxyLogon vulnerabilities, which were disclosed in March and used to compromise Microsoft Exchange servers. This article continues to discuss findings surrounding the new APT group FamousSparrow regarding its targets, tools, and tactics.

    ZDNet reports "FamousSparrow Hacking Group Targets Governments, Engineers Worldwide"

  • news

    Visible to the public "100M IoT Devices Exposed By Zero-Day Bug"

    Researchers at Guardara have discovered a flaw in widely used internet-of-things (IoT) infrastructure code that left more than 100 million devices across 10,000 enterprises vulnerable to attacks. Researchers at Guardara used their technology to find a zero-day vulnerability in NanoMQ, an open-source platform from EMQ that monitors IoT devices in real time and acts as a "message broker" to deliver alerts when atypical activity has been detected. EMQ's products are used to monitor the health of patients leaving a hospital, detect fires, monitor car systems, in smartwatches, in smart-city applications, and more. The researchers stated that their technology discovered multiple issues that caused EMQ's NanoMQ product to crash during testing. The researchers also noted that the existence of these vulnerabilities means that any NanoMQ-reliant system could be brought down completely. The vulnerability (no CVE) was assigned a CVSS score of 7.1, making it high-severity. How dangerous it is depends on the setting in which NanoMQ is used, the researchers stated.

    Threatpost reports: "100M IoT Devices Exposed By Zero-Day Bug"

  • news

    Visible to the public "Cybercriminals Use Pandemic to Attack Schools and Colleges"

    Schools and colleges have been hit significantly hard by cyberattacks during the COVID-19 pandemic. In 2020, the average ransomware attack cost educational institutions $2.73 million, including costs of downtime, repairs, and lost opportunities. From August 14 to September 12, 2021, educational organizations were targeted in more than 5.8 million malware attacks, or 63 percent of all malware attacks. Globally, 44 percent of educational institutions were targeted by ransomware attacks. Nir Kshetri, a professor of management at the University of North Carolina-Greensboro who studies cybercrime and cybersecurity, looked at how the shift to remote learning during the pandemic has introduced new cybersecurity challenges. He pointed out six ways in which the pandemic has created more opportunities for cybercriminals to attack schools and colleges: unsafe devices, distracted cybersecurity staff, the increased willingness of victims to comply with criminals' demands, vulnerable platforms, social engineering attacks, and the creation of new targets by COVID-19 resources. During the pandemic, devices loaned to students often lack security updates, a serious issue given that 1,268 vulnerabilities were discovered in Microsoft products in 2020 alone. Such vulnerabilities can allow hackers to gain higher-level privileges on a system or network, leading to data theft and malware installation. Persons responsible for cybersecurity at schools and universities have been distracted from more important security issues due to the shift to remote learning; for example, cybersecurity professionals have increasingly been assigned to investigate bad online behavior. The political and social pressure on schools to ensure students have access to learning opportunities during the pandemic has increased educational institutes' willingness to pay ransomware attackers to quickly restore networks. The increased use of online platforms such as Zoom and Microsoft Teams to conduct classes has also created new entry points for cybercriminals. This article continues to discuss how the pandemic has provided more opportunities for cybercriminals to attack schools and colleges.

    NextGov reports "Cybercriminals Use Pandemic to Attack Schools and Colleges"

  • news

    Visible to the public "An Email 'Autodiscover' Bug Is Helping to Leak Thousands of Windows Passwords"

    New research shows that shipping companies, power plants, and investment banks are inadvertently leaking thousands of their employees' email passwords due to a design flaw in the Microsoft Autodiscover protocol. Autodiscover is a protocol used to authenticate to Microsoft Exchange servers and to configure client access. This protocol allows the setup of apps on a phone or computer using just an employee's email address and password. It makes it easier to set up an email or calendar app by offloading the work to the server, thus doing away with configuring the app manually. Guardicore researchers acquired Autodiscover domains for some of the most common top-level domains and then set them to listen to leaky requests as they arrive. They were able to identify 340,000 exposed Exchange mailbox credentials hitting those domains. Some companies allow those same credentials to be used for logging onto that domain, posing a risk if abused by a threat actor. According to Guardicore, the credentials were sent over the Internet in plaintext. Another 96,000 Exchange credentials were sent using protocols that are significantly stronger and cannot be decrypted but could still be tricked into sending the same credentials in cleartext. Amit Serper, Guardicore Labs' AVP of security research, developed an attack in which encrypted credentials are bounced back with a request to the app to use weaker security to send the email address and password again, making the app resend the credentials in cleartext. This article continues to discuss the Microsoft Autodiscover vulnerability.

    TechCrunch reports "An Email 'Autodiscover' Bug Is Helping to Leak Thousands of Windows Passwords"

  • news

    Visible to the public "Who Is BlackMatter?"

    Researchers have been piecing together information surrounding BlackMatter, the group behind the recent ransomware attack that targeted the Iowa-based farm services provider New Cooperative. The group claims to use the best tools and methods of DarkSide, REvil, and LockBit 2.0 groups. Researchers have been analyzing BlackMatter since it emerged in July 2021. Several reports have found connections between these groups. For example, McAfee researchers found BlackMatter's coding style to be similar to DarkSide, suggesting that the people behind it are the same or have a close relationship. Their analysis focused on version 1.2 of BlackMatter, but they noted that version 1.9 has a compile date of August 12, 2021, and the latest version, 2.0, has a compile date of August 16, 2021, showing that the malware developers are actively improving the code and making detection and analysis more difficult. According to a researcher at Sophos, when BlackMatter ransomware hits a victim's machine and encrypts files on the drives, it sets a wallpaper similar to the one DarkSide sets. BlackMatter is also similar to DarkSide and REvil in that it uses a runtime Application Programming Interface (API) that can prevent static analysis. The Sophos researcher pointed out that these techniques are common across recent malware, but BlackMatter's runtime API and string decryption functionality is similar to that of DarkSide and REvil. BlackMatter has published stolen data from 10 organizations on its leak site. The group appears to primarily target large and well-resourced organizations in the U.S., U.K., Canada, Australia, India, Brazil, Chile, and Thailand. This article continues to discuss key findings regarding the BlackMatter ransomware group.

    Dark Reading reports "Who Is BlackMatter?"

  • news

    Visible to the public "85% of UK's Top Universities at Risk of Email Fraud"

    During a new study, security researchers at Proofpoint found that more than four-fifths (85%) of the UK's top 20 universities are putting their students, staff, and suppliers at risk of email fraud. The researchers found that just 15% of the universities have implemented the recommended and strictest level of domain-based message authentication, reporting, and conformance (DMARC). DMARC is an email validation protocol that verifies that the domain of the sender has not been impersonated. Encouragingly, 70% of the universities included in the analysis have published a DMARC record, representing a 100% increase since 2019. Therefore, more than two-thirds of these institutions have recognized the need to implement DMARC protocols. Six universities out of the 20 had no DMARC record. The researchers stated that organizations in all sectors should deploy authentication protocols, such as DMARC, to shore up their email fraud defenses.

    Infosecurity reports: "85% of UK's Top Universities at Risk of Email Fraud"
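    The survey above grades universities by whether they publish a DMARC record and whether it is at the strictest enforcement level. The following added example (not from the article or from Proofpoint) classifies a domain's `_dmarc` TXT record the same way: no record, monitoring only (p=none), partial enforcement, or strict (reject applied to all mail and to subdomains). The sample records are constructed for illustration.

```python
"""Classify DMARC TXT records by enforcement level (added example)."""
from typing import Dict, Iterable, Optional


def parse_dmarc(txt: Optional[str]) -> Dict[str, str]:
    """Split 'v=DMARC1; p=reject; pct=100' into a lowercase-keyed tag map.

    Tag names are case-insensitive per RFC 7489; values are kept as-is.
    """
    tags: Dict[str, str] = {}
    if not txt:
        return tags
    for part in txt.split(";"):
        part = part.strip()
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_level(txt: Optional[str]) -> str:
    """Return one of: none-published, monitor, partial, strict.

    - none-published: no record, or not a valid DMARC1 record with a policy
    - monitor:        p=none (reports only, nothing is blocked)
    - partial:        quarantine/reject, but sampled (pct<100) or weaker on
                      subdomains (sp) than on the organizational domain
    - strict:         p=reject on 100% of mail and on subdomains
    """
    tags = parse_dmarc(txt)
    # RFC 7489: 'v' must be exactly DMARC1 and 'p' is required.
    if tags.get("v") != "DMARC1" or "p" not in tags:
        return "none-published"
    policy = tags["p"].lower()
    subdomain_policy = tags.get("sp", policy).lower()  # sp defaults to p
    try:
        pct = int(tags.get("pct", "100"))  # pct defaults to 100
    except ValueError:
        pct = 100
    if policy == "reject" and subdomain_policy == "reject" and pct >= 100:
        return "strict"
    if policy in ("reject", "quarantine") or subdomain_policy in (
        "reject",
        "quarantine",
    ):
        return "partial"
    return "monitor"


def summarize(records: Iterable[Optional[str]]) -> Dict[str, int]:
    """Tally the enforcement levels across a set of records (one per domain)."""
    counts = {"none-published": 0, "monitor": 0, "partial": 0, "strict": 0}
    for txt in records:
        counts[dmarc_level(txt)] += 1
    return counts


# Constructed sample records standing in for the TXT lookups of several domains.
SAMPLE_RECORDS = [
    "v=DMARC1; p=reject; rua=mailto:dmarc@example-uni.ac.uk",   # strict
    "v=DMARC1; p=reject; sp=none; rua=mailto:rep@example.org",  # partial
    "v=DMARC1; p=quarantine; pct=50",                           # partial
    "v=DMARC1; p=none; rua=mailto:rep@example.org",             # monitor
    None,                                                       # no record
    "v=spf1 include:_spf.example.org -all",                     # not DMARC
]

if __name__ == "__main__":
    for txt in SAMPLE_RECORDS:
        print(f"{dmarc_level(txt):15s} {txt!r}")
    print(summarize(SAMPLE_RECORDS))
```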

  • news

    Visible to the public "Healthcare Ransomware Attacks Lead to Increased Patient Mortality"

    A study commissioned by Censinet and conducted by the Ponemon Institute surveyed 597 healthcare organizations, including regional health systems, community hospitals, and integrated delivery networks. One in four of the respondents reported an increase in patient mortality rates after ransomware attacks. Ransomware attacks against healthcare organizations often result in financial strain, the disruption of patient care, and time-consuming recovery operations, but this new study brings attention to increased patient mortality as the aftermath of a cyberattack. There has been a drop in confidence regarding risk mitigation due to COVID-19. More than 60 percent of the respondents reported that they have little to no confidence that their organization could mitigate the risks of ransomware, compared to 55 percent prior to the pandemic. Previous research highlighted the significant increases in healthcare data breach costs since the start of the pandemic, with the average cost per incident being $9.23 million. However, little was known about how data security incidents can impact patient safety. Over 70 percent of the respondents revealed that healthcare ransomware attacks led to longer stays for patients as well as delays in medical procedures and tests. Nearly 65 percent of the respondents reported an increase in the number of patients being redirected to other facilities, while 36 percent revealed an increase in complications from medical procedures. This article continues to discuss the reported increase in patient mortality rates resulting from ransomware attacks and other key findings from the Ponemon Institute's new study, such as healthcare organizations' increased reliance on third-party business associates to digitize health information and supply medical devices.

    HealthITSecurity reports "Healthcare Ransomware Attacks Lead to Increased Patient Mortality"

  • news

    Visible to the public "Data of 106 Million Visitors to Thailand Breached"

    Security researchers at Comparitech found an unprotected Elasticsearch database on August 22, 2021. Inside the 200GB digital index were records dating back ten years containing the personal details of more than 106 million international travelers who visited Thailand. The information exposed in the publicly accessible database consisted of full names, arrival dates, gender, residency status, passport numbers, visa information, and Thai arrival card numbers. The researchers could not determine how long the data had been exposed before it was indexed by the search engine Censys on August 20, 2021. Thai authorities informed Comparitech that the exposed data was not accessed by any unauthorized parties. While the IP address of the database is still public, the index has been replaced with a digital booby trap. Visitors to the IP address who attempt to access the now secured database are presented with the message: "This is honeypot, all access were logged [sic]." Before the Covid-19 pandemic affected travel, Thailand was a popular tourist destination, drawing nearly 40 million visitors in 2019 alone.

    Infosecurity reports: "Data of 106 Million Visitors to Thailand Breached"

  • news

    Visible to the public "Flaws in Nagios Network Management Products Can Pose Risk to Many Companies"

    Researchers at the industrial cybersecurity firm Claroty found 11 vulnerabilities in widely-used network management products from Nagios during a research project on the use of network management systems in Information Technology (IT), Operational Technology (OT), and Internet of Things (IoT) networks. The discovered vulnerabilities pose a significant risk to many organizations as such products are attractive targets for malicious actors. These vulnerabilities can be exploited for Server-Side Request Forgery (SSRF), Remote Code Execution (RCE), spoofing, local privilege escalation, and more. Claroty developed a proof-of-concept (PoC) exploit demonstrating how an authenticated attacker could tie some of the vulnerabilities together to execute shell commands with root privileges. The security flaws were found to impact Nagios XI, XI Switch Wizard, XI Docker Wizard, and XI WatchGuard. In August, Nagios released patches for each of the affected products. According to the vendor, thousands of organizations globally use its software, including Verizon, IBM, and other major brands. This article continues to discuss the potential exploitation and impact of the vulnerabilities discovered in Nagios network management products.

    Security Week reports "Flaws in Nagios Network Management Products Can Pose Risk to Many Companies"

  • news

    Visible to the public "Half of Web Owners Don't Know if Their Site Has Been Attacked"

    Researchers at PerimeterX discovered that nearly half of US website owners have so little insight into third-party code that they can't say definitively whether their site has suffered a cyber breach. The web app security vendor polled 501 organizations across multiple verticals to compile its latest report, called Shadow Code: The Hidden Risk to Your Website. According to the researchers, the challenge for these firms is the extensive use of third-party sources for code, many of which obtain their code in turn from other third parties. The researchers claimed that 99% of firms use this extensive software supply chain for web functionality, including ad tracking, payments, customer reviews, chatbots, tag management, social media integration, and helper libraries that simplify common functions. Almost 80% of respondents said that these third-party scripts and open source libraries account for 50-70% of the capability in their website. Nearly half of the respondents (48%) could not say whether their site had been attacked, up from 40% in 2020. PerimeterX argued that shadow code, meaning scripts and libraries added without IT oversight or security vetting, is a challenge that could introduce hidden risks to the organization. Although respondents claimed to understand shadow code, only a quarter (25%) said they perform a security review for every script modification, and only a third (33%) automatically detect potential problems.

    Infosecurity reports: "Half of Web Owners Don't Know if Their Site Has Been Attacked"