News Items

  • Paper on One-Way-Functions Wins NSA Paper Competition

    "On One-way Functions and Kolmogorov Complexity" wins the 9th Annual Best Scientific Cybersecurity Paper Competition. This paper was written by Yanyi Liu from Cornell University and Rafael Pass from Cornell Tech.

    An honorable mention award was given to "Retrofitting Fine Grain Isolation in the Firefox Renderer" written by Shravan Narayan, Craig Disselkoen, Tal Garfinkel, Nathan Froyd, Sorin Lerner, Hovav Shacham and Deian Stefan.

  • HoTSoS 2022 Call for Papers! Deadline December 17th!

    The Hot Topics in the Science of Security (HoTSoS) Symposium is now soliciting submissions for the 2022 program. Following the success of the virtual HoTSoS Symposium in 2021, HoTSoS '22 will be a virtual event held the week of April 4th, 2022. In addition to research paper discussions and presentations, the symposium program will also include invited talks and panels.

    We are accepting submissions in the following three categories:

  • Follow @SoS_VO_org on Twitter!

    The SoS-VO team is excited to announce that we recently updated the homepage of the website to link to the official Science of Security & Privacy twitter account where we will be making daily announcements about noteworthy news items, upcoming opportunities, and impending deadlines in the SoS community.

  • HoTSoS 2021: Works-in-Progress Co-Chairs

    Meet the HoTSoS 2021 Team:
    Works-in-Progress Co-Chairs

    Kurt Kelville (MIT) and Aron Laszka (University of Houston) are our Works-in-Progress Co-Chairs for the 2021 Symposium. Happy to have these two on the Program Committee Team!

    About the Chairs

  • Take my word for it: Privacy and COVID alert apps can coexist

    Since the COVID-19 pandemic began, technologists across the country have rushed to develop digital apps for contact tracing and exposure notifications. New York, New Jersey, Pennsylvania, and Delaware have all recently announced the launch of such apps, announcements which generated excitement. But the advent of these tools has also created questions. Chief among them: Do these apps protect privacy?

  • NIST Releases Draft Security Feature Recommendations for IoT Devices

    "Core Baseline" guide offers practical advice for using everyday items that link to computer networks.

    August 01, 2019

  • Game-theoretic Paper Wins Annual Paper Competition

    The winner of the 6th Annual Best Scientific Cybersecurity Paper Competition is "How Shall We Play a Game? A Game-theoretical Model for Cyber-warfare Games" by Tiffany Bao, Yan Shoshitaishvili, Ruoyu Wang, Christopher Kruegel, Giovanni Vigna, and David Brumley. These researchers are from Carnegie Mellon University and the University of California, Santa Barbara. This paper was originally accepted at the 30th IEEE Computer Security Foundations Symposium (CSF '17).

    To learn more visit the competition homepage:

  • NSA SoS Lablet Call for Proposals is Open

    The National Security Agency has distributed its BAA (really a request for proposals) for its next generation of SoS Lablets. The lablets cover the 5 Hard Problem areas in Science of Security, the Science of Privacy, and Cyber Physical Systems. Proposals are due August 21. While the SoS team is not the point of contact for the contracting process, we can aid in directing:

  • "Spyware Blitzes Compromise, Cannibalize ICS Networks"

    Researchers have discovered attackers targeting industrial enterprises with spyware campaigns that aim to steal corporate credentials for financial gain and to cannibalize compromised networks to launch additional attacks. Although the campaigns use off-the-shelf spyware, they are unique because they limit each malicious sample's scope and lifetime. The researchers consider the attacks anomalous because they are not typical spyware attacks. One researcher explained that the attackers use spearphishing emails sent from compromised corporate mailboxes. These emails contain malicious attachments that deliver the spyware. The attackers use industrial enterprises' SMTP services both to send spearphishing emails and to collect data stolen by the spyware, acting as command-and-control (C2) infrastructure that allows them to launch future attacks. The initially stolen data is believed to be used by the threat operators to spread the attack inside the local network of the compromised organization and to attack additional organizations. The researchers noted that the malware used in the attacks was typically found to belong to AgentTesla/Origin Logger, Snake Keylogger, Azorult, Noon/Formbook, and other well-known commodity spyware families. Nearly 45 percent of the computers targeted in the campaigns are Industrial Control System (ICS)-related and have access to their respective company's corporate email service. Over 2,000 corporate email accounts belonging to industrial companies have been stolen and leveraged as next-attack C2 in the malicious campaigns. However, the researchers estimate that more than 7,000 corporate email accounts have been stolen, sold, or used in other ways. This article continues to discuss findings regarding the spyware campaigns aimed at collecting corporate credentials.

    Threatpost reports "Spyware Blitzes Compromise, Cannibalize ICS Networks"

  • "FBI Officially Linked the Diavol Ransomware Operation to the Infamous TrickBot Gang"

    The Federal Bureau of Investigation (FBI) has linked the Diavol ransomware operation to the TrickBot group, who are behind the TrickBot banking Trojan. The developers of the TrickBot banking Trojan, which has been active since October 2016, have continuously updated it with new capabilities. The botnet continues to be offered through a multi-purpose malware-as-a-service (MaaS) model. Over a million computers have been infected by the TrickBot botnet. Findings from an analysis conducted by IBM X-Force researchers further suggested a link between Diavol ransomware and the TrickBot malware. The Bot ID generated by Diavol is almost the same as the format used by TrickBot and the Anchor DNS malware, also linked to the TrickBot gang. This article continues to discuss the Diavol ransomware operation and its link to the notorious TrickBot gang.

    Security Affairs reports "FBI Officially Linked the Diavol Ransomware Operation to the Infamous TrickBot Gang"

  • "#COVID19 Phishing Emails Surge 500% on Omicron Concerns"

    Researchers at Barracuda Networks observed a 667% month-on-month surge in COVID-19 phishing emails from February to March 2020. The security vendor also observed another significant increase when new vaccines were released at the start of 2021. Now public concern over the highly transmissible Omicron variant is catching the eye of phishers. The researchers discovered that the latest COVID-19 variant has led to a 521% increase in phishing attacks using the virus as a lure to trick users into clicking. The researchers stated that among the tactics used to trick users into clicking on malicious links and/or entering personal details are offers of counterfeit or unauthorized COVID-19 tests and protective equipment such as masks or gloves. The researchers noted that some adversaries are impersonating testing labs and providers or even employees sharing their results. In other phishing emails, the user may receive a fake notification for an unpaid order of tests and is urged to provide their PayPal details to complete the delivery of the kit.

    Infosecurity reports: "#COVID19 Phishing Emails Surge 500% on Omicron Concerns"

  • "Two-Fifths of Ransomware Victims Still Paying Up"

    Security researchers at Anomali Research have discovered that two-fifths (39%) of ransomware victims paid their extorters over the past three years, with the majority of the victims spending at least $100,000. The security researchers interviewed 800 security decision-makers in the US, Canada, the UK, Australia, Singapore, Hong Kong, India, New Zealand, the UAE, Mexico, and Brazil. Most respondents (87%) said their organization had been the victim of a successful attack resulting in damage, disruption, or a breach since 2019. However, 83% said they'd experienced more attacks since the start of the pandemic. Over half of the participants (52%) were ransomware victims, and 39% paid the ransom. Of the participants that paid the ransom, 58% gave their attackers between $100,000 and $1m, while 7% handed over more than $1m.

    Infosecurity reports: "Two-Fifths of Ransomware Victims Still Paying Up"

  • "Red Cross Implores Hackers Not To Leak Data for 515k 'Highly Vulnerable People'"

    The International Committee for the Red Cross (ICRC) has revealed that hackers stole personal data on nearly 515,000 "highly vulnerable people" who received aid from a program aimed at reuniting family members separated because of conflict, disaster, or migration. Robert Mardini, the ICRC's director-general, released a statement directly pleading with the hackers to not leak, sell, or use the data. According to the ICRC, the data was stolen through the hack of a Switzerland-based subcontractor that stores data for the Red Cross. The data comes from at least 60 different Red Cross and Red Crescent National Societies globally. The perpetrators behind the cyberattack remain unknown, and the ICRC is still unaware as to whether any of the compromised information has already been leaked or shared publicly. This article continues to discuss the cyberattack on the Red Cross that left sensitive data of millions of people exposed.

    Ars Technica reports "Red Cross Implores Hackers Not To Leak Data for 515k 'Highly Vulnerable People'"

  • "More Than Half of Medical Devices Found To Have Critical Vulnerabilities"

    Cynerio's 2022 State of Healthcare IoT Device Security Report highlights the results from the analysis of 10 million medical devices at over 300 global hospitals and medical facilities, revealing that over 50 percent of the examined Internet-connected devices contain a known vulnerability. Infusion pumps were found to be the most common healthcare IoT device, with 73 percent of them containing a vulnerability that poses a threat to patient safety, data confidentiality, or service availability if exploited by a malicious actor. Some of these vulnerabilities stem from outdated programs and weak default credentials. This article continues to discuss discoveries made from the analysis of 10 million medical devices and recommended solutions for mitigating the discovered vulnerabilities.

    ZDNet reports "More Than Half of Medical Devices Found To Have Critical Vulnerabilities"

  • "Top Public Sector Cybersecurity Threat No Longer is Employees"

    According to the Public Sector Cybersecurity Survey Report released by SolarWinds, the public sector is more concerned about external threats than internal ones. The report gives insight into how state and local government professionals perceive IT challenges and the sources of IT security threats. One of the key findings in the report is that hackers are the primary source of security threats faced by public sector organizations, followed by negligent or untrained employees and foreign governments. Careless insiders were not cited as the top security threat for the first time in five years. Another finding is that state and local governments are more likely to be concerned about hackers than other public sector groups. Concerns surrounding ransomware, malware, and phishing have increased the most over the last year. Government respondents have suggested improving investigation and remediation capabilities as well as increasing threat information sharing between public and private sectors. This article continues to discuss key findings from SolarWinds' seventh Public Sector Cybersecurity Survey Report.

    GCN reports "Top Public Sector Cybersecurity Threat No Longer is Employees"

  • "Third Firmware Bootkit Discovered"

    Cybersecurity researchers at Kaspersky have discovered a third known case of a firmware bootkit in the wild. The kit, which made its first appearance in the wild in the spring of 2021, has been named MoonBounce. The security researchers stated that the campaign is the work of well-known Chinese-speaking advanced persistent threat (APT) actor APT41. The researchers noted that MoonBounce demonstrates a more complicated attack flow and greater technical sophistication than previously discovered bootkits LoJax and MosaicRegressor. The researchers found the malicious implant hiding inside the CORE_DXE component of the Unified Extensible Firmware Interface (UEFI) firmware. UEFI firmware is critical because its code is responsible for booting up a device and passing control to the software that loads the operating system (OS). Once MoonBounce's components have made their way into the operating system, they reach out to a command & control server to retrieve further malicious payloads, which Kaspersky researchers could not retrieve. The code to boot the device is stored in a non-volatile component external to the hard drive called the Serial Peripheral Interface (SPI) flash. The researchers noted that bootkits of this kind are extremely hard to detect because the code they target is located outside of the device's hard drive in an area that most security solutions do not scan as standard. The researchers also stated that firmware bootkits are also tricky to delete. They can't be removed simply by reformatting a hard drive or reinstalling an OS because the code is launched before the operating system.

    Infosecurity reports: "Third Firmware Bootkit Discovered"

  • "Research: Why Employees Violate Cybersecurity Policies"

    Security researchers asked more than 330 remote employees from a wide range of industries to self-report on both their daily stress levels and their adherence to cybersecurity policies over the course of two weeks. The security researchers also conducted a series of in-depth interviews with 36 professionals who were forced to work remotely due to the Covid-19 pandemic to better understand how the transition to work-from-home has impacted cybersecurity. The researchers found that adherence to security conventions was intermittent. During the 10 workdays they studied, 67% of the participants reported failing to fully adhere to cybersecurity policies at least once, with an average failure-to-comply rate of once out of every 20 job tasks. When asked why they failed to follow security policies, the participants' top three responses were, "to better accomplish tasks for my job," "to get something I needed," and "to help others get their work done." These three responses accounted for 85% of the cases in which employees knowingly broke the rules. In contrast, employees reported a malicious desire to cause harm in only 3% of policy breaches, making non-malicious breaches 28 times more common than retaliatory ones. The researchers also found that people were substantially more likely to knowingly break security protocols on days when they reported experiencing more stress, suggesting that being more stressed out reduced their tolerance for following rules that got in the way of doing their jobs.

    Harvard Business Review reports: "Research: Why Employees Violate Cybersecurity Policies"

  • "Researchers Explore Hacking VirusTotal to Find Stolen Credentials"

    The SafeBreach research team discovered a way to collect vast amounts of stolen user credentials through the execution of searches on VirusTotal, the online service used to analyze suspicious files and URLs. The team was able to collect over a million credentials with a VirusTotal license and a few tools. They wanted to identify data that could be gathered by a criminal using a VirusTotal license. A licensed VirusTotal user can query the service's dataset with a combination of queries for file type, file name, submitted data, country, file content, and more. The team introduced the idea of VirusTotal hacking, which is based on the method of Google hacking where criminals look for vulnerable websites, Internet of Things (IoT) devices, web shells, and sensitive data leaks. Many who steal information collect credentials from various forums, mail accounts, browsers, and other sources, and then write them to a fixed hard-coded file name such as "all_credentials.txt." The information stealers will then exfiltrate this file from the victim's device and send it to a command-and-control (C2) server. With this method, the team took VirusTotal tools and Application Programming Interfaces (APIs) such as search, VirusTotal Graph, and Retrohunt, and used them to find files containing stolen data. They conducted their research using known malware, including RedLine Stealer, Azorult, Raccoon Stealer, and Hawkeye, along with known forums such as DrDark and Snatch_Cloud used to steal sensitive data, finding that their method works at scale. The researchers emphasized that criminals could apply this method to collect a nearly unlimited number of credentials and other user-sensitive data with significantly low effort in a short time using an infection-free approach. They disclosed their findings to Google, which owns VirusTotal, and advised the company to periodically search for and remove files containing sensitive user data. The team also suggested that Google ban API keys that upload those files and implement an algorithm for disallowing uploading files with sensitive data. This article continues to discuss the VirusTotal hacking method and how Google can prevent this technique from being successful.

    Dark Reading reports "Researchers Explore Hacking VirusTotal to Find Stolen Credentials"

  • "Researchers Find Way to Bypass SMS Codes on Box Accounts"

    Researchers with Varonis Threat Labs have discovered a way to circumvent the multi-factor authentication for Box accounts in which an SMS text code is used for log-in verification. With this method, an attacker could use stolen credentials to compromise an organization's Box account and exfiltrate sensitive data without having to access the victim's phone. The team found that if the user does not navigate to the SMS verification form from Box, an SMS message does not get sent, but a session cookie still gets generated. They said an attacker would only need to enter the user's email address and password, stolen from a password leak or phishing attack, in order to get a valid session cookie. Therefore, an SMS message code is not required. Following the disclosure of the issue to Box via HackerOne on November 2, 2021, Box issued a cloud-based update. The Varonis research is considered significant because 97,000 companies and 68 percent of Fortune 500 companies rely on Box for collaboration and access to information from anywhere. Although multi-factor authentication is known to prevent account takeover, it is not a silver bullet solution because there are ways to bypass it, and not everyone can use it. Varonis has highlighted that malicious actors could make additional authentication tools less effective through compromised user credentials. Organizations are encouraged to implement coverage for mobile phishing attacks to protect against compromised credentials. Doing this will protect users from socially engineered phishing campaigns that give threat actors access to corporate infrastructure, apps, and data. This article continues to discuss the Box multi-factor authentication bypass that leaves accounts open to attack and why this type of authentication is not the ultimate solution.

    SC Magazine reports "Researchers Find Way to Bypass SMS Codes on Box Accounts"

  • "QR Codes Can Eat Your Lunch, FBI Warns"

    Since the pandemic, QR codes have been used much more in restaurants and other businesses. Many users like to use them, but the FBI is warning that scammers love them as well. The FBI noted that cybercriminals are taking advantage of this technology by directing QR code scans to malicious sites to steal victim data, embedding malware to gain access to the victim's device, and redirecting payment for cybercriminal use. The bureau urges consumers to double-check any URL generated by a QR code and be cautious about using them in general, especially for making payments. The FBI's warning is the latest in a long string of advisories from cybersecurity researchers or government agencies about the threat posed by QR codes. Last week, Ars Technica reported on fake QR codes that were stuck on parking meters in Texas cities, with the goal of intercepting payments.

    Cyberscoop reports: "QR Codes Can Eat Your Lunch, FBI Warns"

  • "International Effort Takes Down VPN Service, VPNLab, Used for Criminal Activity"

    Law enforcement officials from almost a dozen countries teamed up to take down a virtual private network (VPN) service used by threat actors to distribute malware, carry out ransomware operations, and commit other cybercriminal activities. According to the European law enforcement agency Europol, investigations into malware distribution and other criminal activities led authorities to the VPNLab website. As a result, they seized and disrupted 15 servers that hosted the website's infrastructure. A screenshot of the VPNLab website's front page following its takedown shows a message saying the service provided a platform for the anonymous commission of high-value cybercrime cases and was used in multiple major international cyberattacks. The takedown operation was led by German police and included the Netherlands, Canada, the Czech Republic, France, Hungary, Latvia, Ukraine, the US, and the UK. This article continues to discuss the shutdown of the VPNLab website and why this service was a popular choice for cybercriminals.

    CyberScoop reports "International Effort Takes Down VPN Service, VPNLab, Used for Criminal Activity"

  • "Doxbin Leak Includes Criminals' Data, Could Boost Hacking"

    According to security experts, threat actors using the data-sharing website Doxbin have had highly sensitive information leaked online. Doxbin is often used by hackers to dump their victims' Personally Identifiable Information (PII). According to the threat intelligence firm Cyble and the independent researcher and threat hunter Troy Hunt, the leaked data includes PII belonging to an undisclosed number of Doxbin users, including hackers and their victims. This data contains plaintext passwords, multi-factor authentication codes, stealer logs, and chat history. On January 8, Hunt revealed that Doxbin had 380,000 email addresses across user accounts and doxes shared online. Cyble estimates that over 700,000 email addresses were leaked, based on a recent count. A report released by Cyble also reveals that the leaked information includes the identities of the threat actors' family members, IP addresses, and geolocation. Cyble says the doxed information contains work-related information that could be used to perform phishing attacks. The firm warns of an increase in identity theft and other malicious activities because of the Doxbin leak. Based on discussions on the dark web observed by Cyble, the leaked doxed information can augment or verify law enforcement agencies' investigative work. Dhanalakshmi PK, senior director of malware and intelligence research at Cyble, says that the leaked information could be aliases used by threat actors, and therefore, may not be real. However, she adds that it could help authorities verify information about the threat actors. This article continues to discuss the source and potential impact of the Doxbin leak.

    BankInfoSecurity reports "Doxbin Leak Includes Criminals' Data, Could Boost Hacking"

  • "'White Rabbit' Ransomware May Be FIN8 Tool"

    A new ransomware family dubbed "White Rabbit," which hit a US bank last month, is suspected to be connected to FIN8, the financially-motivated Advanced Persistent Threat (APT) group. According to Trend Micro researchers, the operators behind the White Rabbit ransomware appear to be using the same tactics as the more established ransomware family, Egregor, in regard to hiding malicious activity. The White Rabbit ransomware was first detected on December 14, 2021, by the Lodestone Forensic Investigations team, but the earliest strings go as far back as July 10, 2021. The ransom note displayed by the ransomware includes bunny ASCII art and a message warning victims of the compromise of their network infrastructure, leakage of their critical data, and encryption of their files. The operators are using the same double-extortion tactic applied by the increasing number of Ransomware-as-a-Service (RaaS) players, threatening to leak or sell encrypted data to the public. This article continues to discuss the discovery, tactics, techniques, and procedures of the White Rabbit ransomware group, as well as the group's possible affiliation with FIN8.

    Threatpost reports "'White Rabbit' Ransomware May Be FIN8 Tool"

  • "Rise in School Cybercrime Attacks Sparks NCA Education Drive"

    A new initiative has been launched in the UK to divert young people from cybercrime after cyberattacks designed to block access to school networks and websites more than doubled during the COVID-19 pandemic. Data from the National Crime Agency's National Cyber Crime Unit (NCCU) revealed a 107 percent increase in reports from the police cyber prevent network on young students executing distributed denial-of-service (DDoS) attacks from 2019 to 2020. Students as young as nine have been performing such attacks. The National Crime Agency (NCA), in collaboration with Schools Broadband, part of the Talk Straight Group, launched a new initiative aimed at educating students who search for terms related to cybercrime on school computers. When a student searches for specific terms associated with cybercrime, they will see a warning message and suggestion to visit the Cyber Choices website, where they can learn about the Computer Misuse Act, cybercrime, and the consequences of committing such crime. This article continues to discuss the increase in the deployment of cyberattacks by young students and the new initiative designed to prevent young people from getting involved in cybercrime.

    NCA reports "Rise in School Cybercrime Attacks Sparks NCA Education Drive"

  • "NATO, Ukraine Sign Deal to 'Deepen' Cyber Cooperation"

    NATO on Monday agreed to bolster its cyber support for Ukraine after a cyberattack against Kyiv heightened tensions amid fears that Russia could be plotting an invasion of Ukraine. NATO Secretary General Jens Stoltenberg stated that experts from NATO and its members were already on the ground, working with Ukraine to tackle the latest cyberattack. He also said the new agreement would involve "enhanced cyber cooperation, including Ukrainian access to NATO's malware information sharing platform." Stoltenberg also stated that under this renewed agreement, NATO will deepen their collaboration with Ukraine to support them in modernizing their information technology and communications services while identifying areas where training may be required for their personnel. Ukraine's ambassador to NATO, Natalia Galibarenko, stated that with NATO's support Ukraine plans to further introduce modern information technologies and services into the command and control system of the Armed Forces of Ukraine.

    SecurityWeek reports: "NATO, Ukraine Sign Deal to 'Deepen' Cyber Cooperation"

  • "Zoho Patches Critical Vulnerability in Endpoint Management Solutions"

    Zoho Corp has released patches for a critical vulnerability affecting Desktop Central and Desktop Central MSP, the endpoint management solutions from ManageEngine. Tracked as CVE-2021-44757 and rated critical severity, the newly addressed security flaw is an authentication bypass issue that could allow a remote attacker to perform various actions on the server. Zoho stated that, when exploited, the authentication bypass vulnerability can allow an attacker to read unauthorized data or write an arbitrary zip file. Zoho also noted that anyone with access to the internal network can exploit the vulnerability, even if a security gateway is in use for access to the central server. The vulnerability can be exploited from the Internet as well, provided that UI Access is enabled via Secure Gateway. Users of Desktop Central and Desktop Central MSP should upgrade to build 10.1.2137.9 to address the issue. Customers are advised to log into their Desktop Central console and check the current build number in the top right corner. Those in the build range 10.1.2140.X to 10.1.2149.X should contact the ManageEngine team.

    SecurityWeek reports: "Zoho Patches Critical Vulnerability in Endpoint Management Solutions"

  • "Safari 15 Bug Can Leak Your Recent Browsing Activity and Personal Identifiers"

    Researchers at the browser fingerprinting and fraud detection service, FingerprintJS, discovered a vulnerability in Apple's implementation of IndexedDB in Safari 15 that can leak a user's browsing activity and reveal some of the user's personal information attached to their Google account. IndexedDB is a low-level browser Application Programming Interface (API) that stores client data. According to FingerprintJS, IndexedDB follows the same-origin policy for restricting one origin from interacting with data collected on other origins, meaning only the website that generates data can access it. For example, if a user opens their email account in one tab and then opens a malicious webpage in another tab, the same-origin policy stops the webpage from viewing and tampering with the user's email. However, FingerprintJS found that Apple's implementation of the IndexedDB API in Safari 15 violates the same-origin policy. The researchers discovered that a new empty database with the same name is created in all other active frames, tabs, and windows within the same browser session when a website interacts with a database in Safari. Therefore, other websites can see the name of other databases created on different websites, which could reveal specific details about a user's identity. FingerprintJS developed a proof-of-concept (POC) demo that uses the browser's IndexedDB vulnerability to identify the sites currently open or opened recently. The demo also shows how sites that exploit the bug can scrape information from a Google User ID. It currently detects 30 popular sites affected by the bug, including Instagram, Netflix, Twitter, and Xbox. This article continues to discuss findings surrounding the Safari 15 bug.

    The Verge reports "Safari 15 Bug Can Leak Your Recent Browsing Activity and Personal Identifiers"

  • "UTSA Researcher Part of Team Protecting EV Charging Stations From Cyberattacks"

    The need for electric vehicle (EV) charging stations and Internet-based managing systems grows as the number of electric cars on the road increases. However, these managing systems are vulnerable to cyberattacks. A team of researchers from the UTSA Cyber Center for Security and Analytics, the University of Dubai, and Concordia University is bringing further attention to the vulnerabilities of these cyber systems and recommending measures for protecting them. The systems implemented into electric cars as well as the Internet-enabled EV charging stations perform critical duties over the Internet such as remote monitoring, customer billing, and more. The team delved into the real-life implications of cyberattacks on EV charging stations and how to mitigate them with cybersecurity measures. They also assessed how compromised systems could be used to attack critical infrastructure such as the power grid. The researchers categorized 16 EV charging managing systems into groups, including firmware, mobile, and web apps, then conducted an in-depth security analysis of each one. The team discovered a range of vulnerabilities contained by the systems but highlighted only 13 flaws as the most severe, which include missing authentication and cross-site scripting. Attackers can manipulate the firmware, disguise themselves as actual users, and access user data by exploiting these vulnerabilities. Although it is possible to execute different attacks on various entities in the EV ecosystem, the team's study focuses on exploring large-scale attacks that could severely impact the compromised charging station, its user, and the connected power grid. This article continues to discuss the study on protecting EV charging stations from cyberattacks.

    UTSA reports "UTSA Researcher Part of Team Protecting EV Charging Stations From Cyberattacks"

  • news

    Visible to the public "Many Users Don't Know How to Protect Their Broadband Wi-Fi Routers"

    Broadband Genie surveyed 1,320 broadband users, finding that many of them do not take basic security precautions to protect themselves from online threats. Findings of the survey revealed that 88 percent have never updated their router firmware, and 84 percent have never updated the admin password for their router. A home network will typically have ten connected devices. However, 72 percent said they had never verified what devices are linked to their router. Overall, 48 percent said they had never taken any of the security precautions listed in the survey. When asked why they had not carried out any of the security actions, 73 percent said that they did not know why they would need to change their router's settings, while 20 percent said they did not know how to make these modifications. This article continues to discuss the key findings from the survey of broadband users that further highlight the vulnerability of broadband Wi-Fi routers to attacks.

    Help Net Security reports "Many Users Don't Know How to Protect Their Broadband Wi-Fi Routers"

  • news

    Visible to the public "Personal Information Compromised in Goodwill Website Hack"

    Nonprofit organization Goodwill has started notifying users of its e-commerce platform that their personal information was compromised due to a cybersecurity breach. The company has informed users that an "unauthorized third party" accessed buyer contact information, including name, email address, phone number, and mailing address. Goodwill noted that no payment card information was exposed. The organization said the website vulnerability exploited in the incident has been addressed. The ShopGoodwill website is currently offline "for maintenance," but it's unclear if it's related to the breach. This appears to be the second data breach disclosed by the nonprofit in the past decade. In 2014, Goodwill informed customers that more than 800,000 payment cards had been compromised due to a breach at a third-party vendor. The affected payment processor confirmed at the time that hackers had access to its systems for more than a year.

    SecurityWeek reports: "Personal Information Compromised in Goodwill Website Hack"

  • news

    Visible to the public "Flaw Found in Biometric ID Devices"

    Security researchers at Positive Technologies have discovered a critical vulnerability in more than ten devices that use biometric identification to control access to protected areas. The flaw can be exploited to unlock doors and open turnstiles, giving attackers a way to bypass biometric ID checks and physically enter controlled spaces. Acting remotely, threat actors could use the vulnerability to run commands without authentication to unlock a door or turnstile or trigger a terminal reboot to cause a denial of service. The critical vulnerability impacts 11 biometric identification devices made by IDEMIA. The researchers stated that the impacted devices are used in the "world's largest financial institutions, universities, healthcare organizations, and critical infrastructure facilities." The critical vulnerability (VU-2021-004) has received a score of 9.1 out of 10 on the CVSS v3 scale, with ten being the most severe. The IDEMIA devices affected by the vulnerability are MorphoWave Compact MD, MorphoWave Compact MDPI, MorphoWave Compact MDPI-M, VisionPass MD, VisionPass MDPI, VisionPass MDPI-M, SIGMA Lite (all versions), SIGMA Lite+ (all versions), SIGMA Wide (all versions), SIGMA Extreme and MA VP MD. The researchers stated that enabling and correctly configuring the TLS protocol according to Section 7 of the IDEMIA Secure Installation Guidelines will eliminate the vulnerability. IDEMIA, after learning about the vulnerability, has said it will make TLS activation mandatory by default in future firmware versions.

    Infosecurity reports: "Flaw Found in Biometric ID Devices"

  • news

    Visible to the public "New Vulnerabilities Highlight Risks of Trust in Public Cloud"

    Amazon Web Services (AWS) has fixed two vulnerabilities in its core services. According to Orca Security, the exploitation of one of the flaws could have allowed any user to access and take over any company's infrastructure. Although the vulnerabilities have now been fixed, the attack chain involving compromising a core service, escalating privileges, and using those privileges to attack other users, also affects users on different cloud services. Yoav Alon, chief technology officer at Orca Security, says the method impacts many other cloud vendors. The root of the problem is that there is a lack of isolation between services and little granularity in the permissions of different services and users. The more critical of the two vulnerabilities was discovered in AWS Glue, a serverless integration service that lets AWS users manage, clean, and transform data. Attackers could have used this flaw to compromise the service and gain administrative privileges. Since the AWS Glue service is trusted, the attackers could have used their role to access other users' environments. Orca's researchers were able to escalate privileges to the point where they had unrestricted access to all the service's resources in the region, including complete administrative privileges. The second vulnerability was found in AWS CloudFormation (CF), a service that enables users to provision resources and cloud assets. This flaw allowed the researchers to compromise a CF server and run as an AWS infrastructure service. It is an XML External Entity (XXE) issue that could have allowed attackers to penetrate protections implemented to isolate different AWS users. These vulnerabilities highlight the advantages and weaknesses of the cloud model. Cloud providers are encouraged to improve isolation between their services to prevent malicious actors from abusing flaws in a core service to compromise the security model of the overall cloud. This article continues to discuss the two major AWS security flaws and how these vulnerabilities highlight the risk of trust in the public cloud.

    Dark Reading reports "New Vulnerabilities Highlight Risks of Trust in Public Cloud"

  • news

    Visible to the public "Modelling the Spread of Viruses"

    A new study published in the International Journal of Mathematics in Operational Research explores a new path for the propagation of viruses in a computer network. Anis Rezgui of Ecole Polytechnique de Tunisie and Carthage University in Tunisia introduces a novel approach that offers a rigorous way of modelling viral propagation mathematically. Researchers could use it to understand a network's global behavior when exposed to malware infection. The proposed approach focuses on the dynamics of each node in the network. This type of modelling aims to help researchers understand how a virus spreads so that they can develop more effective strategies for stopping it through network analysis. Implementing such a model into an antivirus system could halt zero-day infection. This article continues to discuss the study and introduction of a novel approach to modelling the spread of a virus in a computer network.

    Science Spot reports "Modelling the Spread of Viruses"

  • news

    Visible to the public "DoD Launches University Consortium for Cybersecurity"

    The Department of Defense (DoD) has launched the DoD University Consortium for Cybersecurity (UC2), which aims to foster better communication between the Secretary of Defense and academia, and meet a requirement set by the 2020 National Authorization Act. The National Defense University's College of Information and Cyberspace (CIC) will operate as the UC2 Coordination Center, with Jim Chen, a CIC faculty member, being the center's director. The University of Idaho's Center for Secure and Dependable Systems (CSDS) will serve as a support center for UC2. This article continues to discuss the purpose and support behind UC2.

    MeriTalk reports "DoD Launches University Consortium for Cybersecurity"

  • news

    Visible to the public "Phishers Take Over FIFA 22 Accounts"

    Cybercriminals are using social engineering attacks to take over accounts belonging to players of the Electronic Arts video game FIFA 22. While the gaming giant's investigation into the attacks remains ongoing, Electronic Arts estimates that fewer than 50 accounts have been taken over through a combination of phishing techniques and mistakes made by its customer experience team. The Electronic Arts Sports FIFA team stated that adversaries were able to exploit human error within its customer experience team and bypass two-factor authentication to gain access to player accounts. Since discovering the cybercriminal activity, Electronic Arts has put all its advisors and individuals who assist with the service of EA accounts through individualized re-training and additional team training, with a specific emphasis on account security practices and the phishing techniques used by the adversaries. The company said it is also implementing additional steps to the account ownership verification process, such as mandatory managerial approval for all email change requests. In addition, Electronic Arts said it would be updating the software used by its customer experience team to better identify suspicious activity, flag at-risk accounts, and slash the risk of human error in the account update process.

    Infosecurity reports: "Phishers Take Over FIFA 22 Accounts"

  • news

    Visible to the public "Ukraine's Official Websites Hit by Massive Cyberattack Amid High Tensions With Russia"

    Unknown hackers launched a cyberattack on Ukrainian government websites early Friday, blocking access and warning internet users to "expect the worst." Officials say it is too early to tell who was behind the attacks. Viktor Zhora, deputy head of Ukraine's state agency of special communication and information protection, said that "close to 70" federal and local government websites were attacked, and a "substantial portion" is up and working again. Viktor Zhora also stated that Ukraine is seeing increased cyber intrusions that appear to be intelligence collection for potential execution of a kinetic operation by the Russians. Earlier this month, Ukraine's state security services said that they had blocked in December close to 60 cyberattacks "against information systems of state institutions." These included malware and "web app attacks." Officials stated that the hackers did not obtain the personal information of Ukrainians during the cyberattack. The cyberattack came immediately after a flurry of diplomatic efforts in Europe failed to resolve the mounting crisis over Russian demands for sweeping new security arrangements by the United States and NATO.

    The Washington Post reports: "Ukraine's Official Websites Hit by Massive Cyberattack Amid High Tensions With Russia"

  • news

    Visible to the public "NIST Updates Cybersecurity Engineering Guidelines"

    The National Institute of Standards and Technology (NIST) has updated its cybersecurity guidance for system engineers. The document titled "Engineering Trustworthy Secure Systems" resulted from President Joe Biden's 2021 executive order aimed at strengthening the federal government's defenses against large-scale attacks on critical infrastructure. Computer engineers and other professionals on the programming side of cybersecurity are encouraged to use NIST's publication as a resource. It covers actions needed to develop more defensible and resilient systems. The publication addresses machine, physical, and human components that make up systems, as well as the capabilities and services provided by those systems. In the publication, NIST researchers highlight the objectives and concepts of modern security systems, especially the protection of a system's digital assets. One of the key updates made in the document is the emphasis on security assurances. In the realm of software systems engineering, assurance refers to proof that a system's security procedures can adequately mitigate asset loss and thwart cyberattacks. Ron Ross, a NIST fellow and one of the document's authors, emphasized the importance of gathering evidence during the system life cycle to build assurance cases for systems that are used in critical infrastructure. This article continues to discuss NIST's newest draft of "Engineering Trustworthy Secure Systems" and other similar guidelines published by the agency in recent years.

    GCN reports "NIST Updates Cybersecurity Engineering Guidelines"

  • news

    Visible to the public "Dozens of El Salvador Journalists, Activists Hacked"

    According to the University of Toronto's Citizen Lab, cellphones belonging to dozens of journalists and human rights defenders in El Salvador were repeatedly hacked with the Israeli firm NSO Group's sophisticated Pegasus spyware over the past year and a half. The Internet watchdog had identified the operator working almost exclusively in El Salvador in early 2020. El Salvador's government is currently investigating the use of Pegasus to hack phones in the country. NSO has claimed that it only sells its spyware to legitimate government law enforcement and intelligence agencies screened by Israel's Defense Ministry for use against terrorists and criminals. The US government blacklisted NSO last year. NSO said it does not operate the technology when it is given to a client, and therefore, cannot know its customers' targets. However, it said the use of its technology for monitoring activists, dissidents, or journalists goes against the intended use of such tools. Citizen Lab has been identifying Pegasus victims since 2015, finding the use of the spyware against journalists and human rights activists in Mexico and autocratic Middle Eastern countries, including Saudi Arabia. Many other cases have since been found, including some involving US State Department employees in Uganda, British lawyers, and a Polish senator. This article continues to discuss the hacking of El Salvador journalists and activists with Pegasus spyware and other victims of the spyware that have been identified since 2015.

    AP reports "Dozens of El Salvador Journalists, Activists Hacked"

  • news

    Visible to the public "Sabbath Ransomware Gang Targets Critical Infrastructure, Backups"

    The ransomware gang known as Sabbath is targeting critical infrastructure groups in North America. Sabbath has targeted US and Canadian critical infrastructure, including the education, natural resources, and health sectors. For example, the threat group extorted a US school district on social media in October 2021, demanding the payment of a multi-million dollar ransom. The Sabbath ransomware group also steals data in bulk and destroys backups in targeted attacks. Organizations are encouraged to limit access to legacy systems, improve visibility over network assets, and use threat intelligence to defend against Sabbath ransomware attacks. This article continues to discuss notable Sabbath ransomware incidents, the increased targeting of data backups by ransomware groups, and how organizations could defend themselves against Sabbath ransomware attacks.

    SecurityIntelligence reports "Sabbath Ransomware Gang Targets Critical Infrastructure, Backups"

  • news

    Visible to the public "Phishers Are Targeting Office 365 Users by Exploiting Adobe Cloud"

    Jeremy Fuchs, a security researcher with Avanan, warns of the creation and use of Adobe Creative Cloud accounts by malicious actors to send phishing emails that can evade traditional checks and some advanced threat protection solutions. These attacks emerged in December 2021, exploiting the design of Adobe's apps to support collaboration by sharing documents. The attack involves creating, importing, and hosting a legitimate-looking PDF on Adobe Cloud that points to a fake Office 365-themed login page hosted on Weebly. This article continues to discuss phishers' exploitation of Adobe Cloud to target Office 365 users.

    Help Net Security reports "Phishers Are Targeting Office 365 Users by Exploiting Adobe Cloud"

  • news

    Visible to the public "Bad News for Hackers! Patchwork Group Expose Themselves in Malware Campaign"

    However sophisticated and resourceful cybercriminals can be, they still make mistakes. The India-based threat actor group called Patchwork, which has targeted users and government organizations in Pakistan, accidentally left its hacking strategies exposed online. Since 2015, Patchwork has affected various entities in Pakistan through the performance of spearphishing attacks. According to Malwarebytes, the attackers inadvertently exposed their malware details, captured keystrokes, and screenshots. Patchwork was found to have used malicious RTF files to drop a new variant of the BADNEWS Trojan dubbed Ragnatela in a campaign that lasted from late November to early December 2021. This article continues to discuss the Patchwork group's accidental exposure of its own hacking strategies, the group's use of Ragnatela in its recent campaign, the capabilities of this Trojan, and those that have fallen victim to it.

    CISO MAG reports "Bad News for Hackers! Patchwork Group Expose Themselves in Malware Campaign"

  • news

    Visible to the public "Teenage Hacker Gains Remote Control of 25 Teslas in 13 Countries"

    A young hacker named David Colombo claimed to have found a way to gain remote control over 25 Tesla electric vehicles in 13 countries. According to Colombo, the flaw used to trigger different actions remotely was not a vulnerability in Tesla's infrastructure but an error made on the owners' end. He claimed to have been able to disable a car's remote camera system, unlock doors, determine the vehicle's exact location, and more. However, Colombo clarified that he could not control steering, acceleration, or braking. He is currently talking to the not-for-profit organization MITRE about how to properly report the hack as a CVE. The hack is also under investigation by Tesla's security team.

    PCMag reports "Teenage Hacker Gains Remote Control of 25 Teslas in 13 Countries"

  • news

    Visible to the public "Clinical Review Vendor Reports Data Breach"

    A cyberattack on the Medical Review Institute of America (MRIoA) may have exposed the personal data of 134,571 individuals. MRIoA provides clinical reviews and virtual medical opinions. MRIoA is based in Salt Lake City, Utah. MRIoA stated that it was "the victim of a sophisticated cyber incident" discovered on November 9, 2021, that resulted in an adversary gaining unauthorized access to its network and exfiltrating data. MRIoA stated that the attackers broke into its computer system by exploiting an alleged vulnerability in a product made by SonicWall. The firewall maker confirmed that an intruder had accessed MRIoA's environment through a SonicWall vulnerability on November 2, 2021. Information affected by the incident may have included first and last name, gender, home address, phone number, email address, date of birth, and social security number. Additionally, information affected may have included clinical information, such as medical history/diagnosis/treatment, dates of service, lab test results, prescription information, provider name, and medical account number. Other information that may have been breached includes financial information, including health insurance policy and group plan number, group plan provider, and claim information. In the wake of the attack, MRIoA said it had new servers "built from the ground up to ensure all threat remnants were removed."

    Infosecurity reports: "Clinical Review Vendor Reports Data Breach"

  • news

    Visible to the public "Cisco Patches Critical Vulnerability in Contact Center Products"

    Cisco on Wednesday announced patches for a critical vulnerability in Unified Contact Center Management Portal (Unified CCMP) and Unified Contact Center Domain Manager (Unified CCDM). Tracked as CVE-2022-20658 (CVSS score of 9.6), the issue exists because there was no server-side validation of user permissions, which allowed an attacker to submit a crafted HTTP request to exploit the bug on a vulnerable system. Cisco stated that a successful exploit could allow the attacker to create Administrator accounts. With these accounts, the attacker could access and modify telephony and user resources across all the Unified platforms that are associated with the vulnerable Cisco Unified CCMP. Cisco also noted that an attacker would need to have valid Advanced User credentials to successfully exploit the vulnerability. The security flaw was addressed with the release of Unified CCMP/Unified CCDM versions 11.6.1 ES17, 12.0.1 ES5, and 12.5.1 ES5. Version 12.6.1 of the software is not affected. Cisco says it is unaware of the vulnerability being exploited in malicious attacks.

    SecurityWeek reports: "Cisco Patches Critical Vulnerability in Contact Center Products"

  • news

    Visible to the public "Cyber-Thieves Raid Grass Valley"

    A cyberattack on a city in California has resulted in the exfiltration of personal and financial data belonging to vendors, city employees, and their spouses. A notice published by Grass Valley states that an unknown attacker was able to access some of the city's IT systems for four months last year. The city said that the attacker exploited the unauthorized access they enjoyed between April 13 and July 1, 2021, to steal data belonging to an unspecified number of individuals. Victims affected by the data breach include Grass Valley employees, former employees, spouses, dependents, and individual vendors hired by the city. Other victims include individuals whose information may have been provided to the Grass Valley Police Department and individuals whose information was provided to the Grass Valley Community Development Department in loan application documents. The information exposed during the attack was found to include social security numbers, driver's license numbers, vendor names, and limited medical or health insurance information. For individuals whose information may have been provided to the Grass Valley Police Department, the impacted data included the name and one or more of the following: social security number, driver's license number, financial account information, payment card information, limited medical or health insurance information, passport number and username and password credentials to an online account. Individuals who had applied for a community development loan may have had names and social security numbers, driver's license numbers, financial account numbers, and payment card numbers compromised. Grass Valley started notifying victims of the data breach on January 7, 2022.

    Infosecurity reports: "Cyber-Thieves Raid Grass Valley"

  • news

    Visible to the public "Hackers Hit Healthcare Data Management Company"

    The protected health information (PHI) of thousands of individuals may have been exposed in a hacking incident at a healthcare information management company based in Georgia. Ciox Health, headquartered in Alpharetta, provides various services, including information release, medical record retrieval, and health information management to more than 30 healthcare providers. According to a notice recently issued by Ciox Health, an unauthorized person accessed the email account of a Ciox employee between June 24, 2021 and July 2, 2021. The company warned that the threat actor may have used that access to download emails and attachments associated with the compromised account. Information that the adversary may have accessed included patient names, provider names, dates of birth and/or dates of service. Social security numbers or driver's license numbers, health insurance information and/or clinical or treatment information were also exposed in what Ciox described as "very limited instances." The data breach was reported to the US Department of Health and Human Services' Office for Civil Rights on December 30 as a hacking/IT incident impacting 12,493 individuals.

    Infosecurity reports: "Hackers Hit Healthcare Data Management Company"

  • news

    Visible to the public "KCodes NetUSB Kernel Remote Code Execution Flaw Impacts Millions of Devices"

    Researchers at the cybersecurity firm SentinelOne have shared findings from their analysis of a flaw in the KCodes NetUSB kernel module that puts millions of end-user router devices from Netgear, TP-Link, Tenda, EDIMAX, D-Link, Western Digital, and more, at risk of Remote Code Execution (RCE). KCodes NetUSB is proprietary software that allows devices such as routers, printers, and flash storage devices to provide USB-based services over IP. The bug was discovered during the examination of a Netgear device by the SentinelOne vulnerability researcher, Max Van Amerongen. The kernel module, NetUSB, was found improperly validating the size of packets fetched through remote connections, potentially resulting in a heap buffer overflow. This article continues to discuss the discovery, potential exploitation, severity, and disclosure of the KCodes NetUSB flaw.

    ZDNet reports "KCodes NetUSB Kernel Remote Code Execution Flaw Impacts Millions of Devices"

  • news

    Visible to the public "Industrial Firms Advised Not to Ignore Security Risks Posed by URL Parsing Confusion"

    A team of researchers from the industrial cybersecurity firm Claroty and the developer security company Snyk analyzed 16 URL parsing libraries. Findings from the analysis further highlighted how inconsistencies could lead to different types of vulnerabilities. The analysis revealed five types of inconsistencies, including backslash confusion (URLs containing backslashes), scheme confusion (URLs with a malformed or missing scheme), slash confusion (URL with an irregular number of slashes), URL encoded data confusion (URLs containing URL encoded data), and scheme mixup (a URL belonging to a particular scheme without a scheme-specific parser). These inconsistencies could lead to Server-Side Request Forgery (SSRF), open redirect, Cross-Site Scripting (XSS), Denial-of-Service (DoS), and filter bypass issues. Eight CVE identifiers have been assigned to the vulnerabilities discovered by the researchers. They were privately disclosed to developers and patched before research findings were shared with the public. One vulnerability related to URL parsing confusion is the Log4Shell flaw in Log4j, an open-source Apache Java-based logging framework used by developers to record activity within software applications and online services. This article continues to discuss key findings from the analysis of 16 URL parsing libraries and the implications of URL parsing confusion for industrial systems.
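    As an added illustration of the parsing inconsistencies described above (example code, not Claroty's or Snyk's, and not a full WHATWG parser): a Python check that compares urllib.parse's reading of a URL with a small browser-style canonicaliser and refuses any URL on which the two disagree before an allowlist decision, the kind of disagreement that becomes SSRF or filter bypass when a validator and a fetcher see different hosts. The sample URLs, the SPECIAL_SCHEMES set and the function names are constructed for this example.

```python
"""Flag URL parsing confusion before an allowlist decision (added example)."""
import re
from urllib.parse import urlsplit

# Schemes for which browser-style (WHATWG) parsers treat "\" like "/" and
# tolerate an irregular number of slashes after "scheme:" (constructed set).
SPECIAL_SCHEMES = {"http", "https", "ftp", "ws", "wss"}
SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):(.*)$", re.S)


def canonicalise(url: str) -> str:
    """Approximate how a browser would read `url` (special schemes only).

    This is a deliberately small approximation of WHATWG behaviour, not a
    complete implementation: it only fixes up backslashes and slash counts.
    """
    m = SCHEME_RE.match(url)
    if not m or m.group(1).lower() not in SPECIAL_SCHEMES:
        return url                      # not a special scheme: leave untouched
    scheme, rest = m.group(1).lower(), m.group(2)
    rest = rest.replace("\\", "/")      # backslash confusion: "\" acts as "/"
    rest = re.sub(r"^/+", "", rest)     # slash confusion: 1 or 3+ slashes -> "//"
    return f"{scheme}://{rest}"


def analyse(url: str) -> dict:
    """Return the host each parser sees plus the confusion types detected."""
    issues = []
    m = SCHEME_RE.match(url)
    scheme = m.group(1).lower() if m else ""
    if not scheme:
        issues.append("scheme confusion")        # "good.com/x" is just a path
    if scheme in SPECIAL_SCHEMES:
        if "\\" in url:
            issues.append("backslash confusion")
        if not re.match(r"^//[^/\\]", m.group(2)):
            issues.append("slash confusion")     # not exactly "//" + host
    raw = urlsplit(url)
    canon = urlsplit(canonicalise(url))
    # Only the authority is inspected for percent-encoding here (a limitation
    # of this example); encoded bytes in the host are where parsers diverge
    # on which machine is being named.
    if "%" in raw.netloc or "%" in canon.netloc:
        issues.append("URL encoded data confusion")
    if raw.hostname != canon.hostname:
        issues.append("host disagreement")
    return {"raw_host": raw.hostname,
            "canonical_host": canon.hostname,
            "issues": issues}


def is_allowed(url: str, allowed_hosts) -> bool:
    """SSRF-style allowlist: accept only unambiguous URLs naming a listed host."""
    verdict = analyse(url)
    host = verdict["canonical_host"]
    return not verdict["issues"] and host is not None and host in allowed_hosts


if __name__ == "__main__":
    # Constructed samples; good.com / evil.com are placeholders, not real targets.
    samples = [
        "https://good.com/api?x=1",          # clean: both parsers agree
        "http://good.com\\@evil.com",        # backslash: urllib says evil.com
        "http:///good.com",                  # slash: urllib sees no host at all
        "good.com/login",                    # scheme missing: parsed as a path
        "http://good.com%40evil.com/",       # encoded data inside the authority
    ]
    for s in samples:
        v = analyse(s)
        print(f"{s!r:36} raw={v['raw_host']!s:22} canon={v['canonical_host']!s:10}"
              f" allowed={is_allowed(s, {'good.com'})} issues={v['issues']}")
```

Run stand-alone it prints, for each sample, the host urllib.parse reports, the host the canonicaliser reports, and the confusion types found; only the clean URL is allowed.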

    Security Week reports "Industrial Firms Advised Not to Ignore Security Risks Posed by URL Parsing Confusion"

  • news

    Visible to the public "Fully Undetected SysJoker Backdoor Malware Targets Windows, Linux & macOS"

    Security researchers at Intezer have discovered a new malware dubbed SysJoker. The brand-new multiplatform malware, likely distributed via malicious npm packages, is spreading under the radar, with Linux and Mac versions going fully undetected in VirusTotal. The Windows version, according to the researchers, has only six detections. These were uploaded to VirusTotal with the suffix ".ts," which is used for TypeScript files. SysJoker is used to establish initial access on a target machine. Once installed, it can execute follow-on code as well as additional commands, through which malicious actors can carry out follow-on attacks or pivot to move further into a corporate network. This kind of initial access is also a hot commodity on underground cyberforums, where ransomware groups and others can purchase it. The researchers stated that SysJoker was first seen in December during a cyberattack on a Linux-based web server of a "leading educational institution." Its command-and-control (C2) domain registration and other sample data show that this malware appears to have been created in the second half of 2021.

    Threatpost reports: "Fully Undetected SysJoker Backdoor Malware Targets Windows, Linux & macOS"