News Items

  • news

    Summer 2021 SoS Quarterly Lablet Meeting


  • news

    Follow @SoS_VO_org on Twitter!

    The SoS-VO team is excited to announce that we recently updated the homepage of the website to link to the official Science of Security & Privacy Twitter account, where we will be making daily announcements about noteworthy news items, upcoming opportunities, and impending deadlines in the SoS community.

  • news

    HoTSoS 2021: Works-in-Progress Co-Chairs

    Meet the HoTSoS 2021 Team:
    Works-in-Progress Co-Chairs

    Kurt Keville (MIT) and Aron Laszka (University of Houston) are our Works-in-Progress Co-Chairs for the 2021 Symposium. We are happy to have these two on the Program Committee team!

    About the Chairs

  • news

    Take my word for it: Privacy and COVID alert apps can coexist

    By Lorrie Cranor, Opinion Contributor -- 11/10/20 09:30 AM EST

    Since the COVID-19 pandemic began, technologists across the country have rushed to develop digital apps for contact tracing and exposure notifications. New York, New Jersey, Pennsylvania, and Delaware have all recently announced the launch of such apps, announcements which generated excitement. But the advent of these tools has also created questions. Chief among them: Do these apps protect privacy?

  • news

    NIST Releases Draft Security Feature Recommendations for IoT Devices

    "Core Baseline" guide offers practical advice for using everyday items that link to computer networks.

    August 01, 2019

  • news

    Game-theoretic Paper Wins Annual Paper Competition

    The winner of the 6th Annual Best Scientific Cybersecurity Paper Competition is How Shall We Play a Game? A Game-theoretical Model for Cyber-warfare Games by Tiffany Bao, Yan Shoshitaishvili, Ruoyu Wang, Christopher Kruegel, Giovanni Vigna, and David Brumley. These researchers are from Carnegie Mellon University and the University of California, Santa Barbara. The paper was originally accepted at the 30th IEEE Computer Security Foundations Symposium (CSF '17).

    To learn more, visit the competition homepage: https://cps-vo.org/group/sos/papercompetition/pastcompetitions

  • news

    NSA SoS Lablet Call for Proposals is Open

    The National Security Agency has distributed its Broad Agency Announcement (BAA), in effect a request for proposals, for its next generation of SoS Lablets. The solicitation covers lablets on the five Hard Problem areas in Science of Security, on the Science of Privacy, and on Cyber-Physical Systems. Proposals are due August 21. The SoS team is not the point of contact for the contracting process, but we can help direct inquiries: https://cps-vo.org/group/SoS/contact

  • news

    "Sinclair Confirms Ransomware Attack That Disrupted TV Stations"

    Sinclair Broadcast Group, which owns hundreds of local television stations across the U.S., confirmed on Monday that it had suffered a ransomware attack. The incident disrupted its advertising operations, among other things, and spread to many of its owned TV affiliates over the weekend, knocking local broadcast feeds off the air. In a statement, the company said the attack disrupted its general and office operations and resulted in data exfiltration. On October 16, 2021, the company identified a potential security incident and began investigating and taking steps to contain it. On October 17, 2021, it determined that certain servers and workstations in its environment had been encrypted with ransomware and that certain office and operational networks had been disrupted. According to reports, many stations had resumed operations as of Monday, but some are still dealing with lingering issues such as trouble using weather graphics. Sinclair confirmed that data was taken but does not yet know which information the attackers have.

    Threatpost reports: "Sinclair Confirms Ransomware Attack That Disrupted TV Stations"

  • news

    "Damages Escalate Rapidly in Multi-Party Data Breaches"

    New research from the Cyentia Institute examined the top 50 multi-party breaches and found that the average large breach involved 31 organizations and cost an average of $90 million, compared with an average loss of $200,000 for a typical cybersecurity incident. Although system intrusions affected the most organizations, ransomware and wiper incidents caused the greatest losses. Cyentia also found that attacks involving valid accounts, and those carried out by nation-state actors, caused significantly greater damage per incident. These findings further emphasize the importance of companies ensuring that their vendors and contractors are not opening their networks to attack. The lesson of the largest multi-party breaches is that cybersecurity and risk mitigation efforts must account both for attackers targeting the business directly and for those targeting third parties, whose compromise ripples down to the vendors' clients. Wade Baker, co-founder of Cyentia, calls on organizations to approach risk management with more supply-chain- or third-party-centric thinking to help deal with nation-state actors and cybercriminal gangs. This article continues to discuss key findings from Cyentia's Information Risk Insights Study (IRIS).

    Dark Reading reports "Damages Escalate Rapidly in Multi-Party Data Breaches"

  • news

    "83% of Ransomware Victims Pay the Demand"

    Security researchers at ThycoticCentrify found that more than four in five (83%) ransomware victims in the last 12 months felt they had no option but to pay the extortion demand to restore their data. The study, based on a survey of 300 US IT business decision-makers, also found that close to two-thirds (64%) of companies had been victims of ransomware attacks in the last 12 months. The research further highlighted the substantial damage ransomware does to organizations: half (50%) of respondents said their company had suffered lost revenue and reputational damage from an attack, 42% said they had lost customers, and around one-third cited a ransomware attack as the cause of employee layoffs. The vectors respondents considered most vulnerable to ransomware were email (53%), applications (41%), and the cloud (38%). Encouragingly, the researchers said, there appears to be growing recognition of the need to improve cyber-defenses amid surging ransomware incidents: nearly three-quarters of respondents have seen their cybersecurity budgets increase because of ransomware threats, and 93% of businesses are allocating a special budget to fight them.

    Infosecurity reports: "83% of Ransomware Victims Pay the Demand"

  • news

    "Confidential Computing: A Game-Changing Way To Protect Data in Use"

    Advances continue to be made in encrypting data at rest and data in motion, but data also needs protection while it is being processed in memory. Confidential computing is an emerging industry initiative aimed at protecting data in use, at scale and in the cloud. It relies on CPU hardware that sets aside an isolated region of memory, a secure enclave, whose contents are encrypted with a key unique to that CPU and bound to the identity of the application running inside it. An organization can place highly sensitive data and the code that operates on it inside the enclave; the data is decrypted only inside that enclave on that CPU, so it stays protected while in use. For example, if attackers gained root access to a system while users were running analytics on a database inside an enclave, the attackers still could not read the data from memory. (The enclave's own code and the processor remain part of the trusted computing base, so an enclave does not by itself protect against bugs in that code or against microarchitectural side channels.) In addition, the technology's attestation feature lets an organization prove to a third party that a specific, measured piece of code is running inside a genuine enclave before that party hands it any secrets. Enclave size was limited in earlier generations of this technology, but with the latest generation of processors allowing a server to have up to 1 TB of enclave memory, agencies can put an entire application, database, or transaction server inside the enclave. This article continues to discuss the technology that enables confidential computing, efforts to bring confidential computing to the government, and how the high-tech industry and public sector could benefit from adopting it.

    GCN reports "Confidential Computing: A Game-Changing Way To Protect Data in Use"
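    To make the two guarantees in the summary above concrete (a sealing key bound to both the CPU and the enclave's code identity, and an attestation report that a relying party checks before releasing secrets), here is an added Python example; it is not code from the article or from any enclave vendor SDK. Every key in it is a constructed stand-in: real platforms hold the root key in hardware fuses and sign attestation reports with an asymmetric key backed by a vendor certificate chain, whereas this sketch MACs the report under a shared secret, and the seal/unseal routine is a toy HMAC-keystream construction used only to show that the wrong key fails authentication, not something to deploy in place of a real AEAD.

```python
import hashlib
import hmac
import secrets

# Constructed stand-ins for keys a real platform keeps in hardware.
CPU_ROOT_KEY = hashlib.sha256(b"constructed: per-CPU fused root key").digest()
ATTESTATION_KEY = hashlib.sha256(b"constructed: platform attestation key").digest()
TAG_LEN = 32
NONCE_LEN = 16


def measure(enclave_code: bytes) -> bytes:
    """Measurement of the code loaded into the enclave (stands in for an MRENCLAVE-style hash)."""
    return hashlib.sha256(enclave_code).digest()


def sealing_key(cpu_root_key: bytes, measurement: bytes) -> bytes:
    """Derive a key bound to both the CPU secret and the enclave identity (HMAC-based KDF)."""
    return hmac.new(cpu_root_key, b"sealing-key|" + measurement, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Toy authenticated encryption: HMAC keystream XOR plus an HMAC tag. Illustrative only."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, b"tag|" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes):
    """Return the plaintext, or None when the key differs from the sealing key (tag mismatch)."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, b"tag|" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def make_report(enclave_code: bytes, nonce: bytes, report_data: bytes) -> bytes:
    """Enclave/platform side: report = measurement || nonce || report_data || platform MAC."""
    body = measure(enclave_code) + nonce + report_data
    return body + hmac.new(ATTESTATION_KEY, body, hashlib.sha256).digest()


def verify_report(report: bytes, nonce: bytes, expected_measurement: bytes) -> bool:
    """Relying party: check the platform MAC, the freshness nonce, then the expected code identity."""
    body, tag = report[:-TAG_LEN], report[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(ATTESTATION_KEY, body, hashlib.sha256).digest()):
        return False
    measurement, report_nonce = body[:32], body[32:32 + NONCE_LEN]
    return hmac.compare_digest(report_nonce, nonce) and hmac.compare_digest(measurement, expected_measurement)


def release_secret_if_attested(report: bytes, nonce: bytes, expected_measurement: bytes, secret: bytes):
    """Release a secret only to an enclave whose attestation report verifies."""
    return secret if verify_report(report, nonce, expected_measurement) else None


def demo() -> dict:
    good_code = b"analytics-enclave v1.0"                 # constructed enclave binary
    tampered_code = b"analytics-enclave v1.0 + backdoor"  # same binary with one byte sequence changed
    other_cpu_key = hashlib.sha256(b"constructed: a different CPU").digest()
    key = sealing_key(CPU_ROOT_KEY, measure(good_code))
    blob = seal(key, b"patient-record:1234")
    nonce = secrets.token_bytes(NONCE_LEN)                # relying party's freshness challenge
    report = make_report(good_code, nonce, b"enclave-pubkey-hash")
    return {
        "unseal_same_enclave": unseal(key, blob),
        "unseal_tampered_code": unseal(sealing_key(CPU_ROOT_KEY, measure(tampered_code)), blob),
        "unseal_other_cpu": unseal(sealing_key(other_cpu_key, measure(good_code)), blob),
        "attest_good": verify_report(report, nonce, measure(good_code)),
        "attest_tampered": verify_report(make_report(tampered_code, nonce, b""), nonce, measure(good_code)),
        "attest_replayed": verify_report(report, secrets.token_bytes(NONCE_LEN), measure(good_code)),
        "secret_released": release_secret_if_attested(report, nonce, measure(good_code), b"db-key"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

    The three unseal results show the binding: the same blob opens only under the key derived for that code on that CPU, and a key derived for modified code or for another CPU fails the tag check rather than yielding garbage. The verifier checks three things in order: that the report carries the platform's MAC, that it echoes the nonce the verifier just issued (a replayed report fails), and that the measurement equals the hash of the code the verifier expects; only then is the secret released. Side channels and bugs inside the enclave code are outside what this model protects.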

  • news

    "BEC Attacks: Scammers' Latest Tricks"

    A survey by GreatHorn found that 71 percent of organizations experienced at least one Business Email Compromise (BEC) attack within the past year, and new research from Trend Micro suggests that scammers are stepping up their BEC efforts. Trend Micro's threat researchers and analysts observed that BEC attacks target not only high-profile users such as executives but any employee who can be found on LinkedIn or other social networks with potentially valuable personal information published. Such information can be used to impersonate employees and partners and can lead to significant financial damage for the targeted business. BEC has been among the most lucrative cybercriminal schemes for years because it is hard to detect: the emails target specific recipients, carry no malicious attachments or links, and usually open with a harmless request, so email security tools have little to key on. One trick BEC scammers use is to register domain names containing keywords associated with the telecommunications industry and with service provider names. Another is to register domains with long names, common keywords, and new generic top-level domain (gTLD) words. This article continues to discuss the difficulty of detecting BEC attacks and the latest tricks BEC scammers use.

    Help Net Security reports "BEC Attacks: Scammers' Latest Tricks"
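    The domain tricks just described can be turned into a first-pass triage rule for inbound mail. The Python below is an added example, not code from Trend Micro, GreatHorn, or the article; the keyword, provider-style-word, and new-gTLD lists are assumptions chosen for illustration, the weights and thresholds are arbitrary starting points, and the From headers it scores are constructed. The scorer extracts the sender domain, looks for telecom-industry keywords, service-provider-style words, unusually long or multi-word names, and new gTLDs, and exempts domains on a trusted-partner list.

```python
import re

# Assumed starting lists for the heuristics (not from the article); tune them to your own mail flow.
TELECOM_KEYWORDS = ("telecom", "telco", "mobile", "wireless", "broadband", "carrier", "voip", "5g")
PROVIDER_STYLE_WORDS = ("support", "billing", "services", "portal", "account", "secure", "update", "invoice")
NEW_GTLDS = ("xyz", "top", "club", "site", "online", "icu", "buzz", "live", "shop", "work")


def sender_domain(from_header: str) -> str:
    """Pull the domain out of a From header such as 'Name <user@domain>' or a bare address."""
    m = re.search(r"<([^>]+)>", from_header)
    addr = (m.group(1) if m else from_header).strip()
    return addr.rsplit("@", 1)[-1].lower().rstrip(".")


def domain_features(domain: str) -> dict:
    """The observable traits the scammers' registration tricks leave behind."""
    labels = domain.split(".")
    tld = labels[-1]
    name = ".".join(labels[:-1])                       # everything left of the TLD
    words = [w for w in re.split(r"[-.]", name) if w]  # hyphen/dot-separated words
    return {
        "telecom_keyword": any(k in name for k in TELECOM_KEYWORDS),
        "provider_style_words": sum(w in PROVIDER_STYLE_WORDS for w in words),
        "long_name": len(name) >= 20 or len(words) >= 3,
        "new_gtld": tld in NEW_GTLDS,
    }


def risk_score(domain: str, trusted_domains=()) -> int:
    """Additive score; weights are arbitrary starting points, not calibrated values."""
    if domain in trusted_domains:
        return 0
    f = domain_features(domain)
    score = 0
    score += 2 if f["telecom_keyword"] else 0
    score += min(f["provider_style_words"], 2)   # cap so one trick cannot dominate
    score += 1 if f["long_name"] else 0
    score += 2 if f["new_gtld"] else 0
    return score


def triage(from_header: str, trusted_domains=()):
    """Return (domain, score, verdict) where verdict is 'review', 'watch' or 'pass'."""
    domain = sender_domain(from_header)
    score = risk_score(domain, trusted_domains)
    verdict = "review" if score >= 4 else "watch" if score >= 2 else "pass"
    return domain, score, verdict


if __name__ == "__main__":
    # Constructed From headers, not real senders.
    for header in (
        "Acme Telecom Billing <invoices@acme-telecom-billing-services.xyz>",
        "Pat Lee <pat.lee@example.com>",
        "NOC <ops@carrier-ops.net>",
    ):
        print(triage(header))
```

    A score is a prompt for review, not a verdict: because BEC mail carries no malicious payload, this kind of sender-domain heuristic is best paired with checks on the request itself (new payee details, urgency, a Reply-To that differs from the sender) and with an out-of-band confirmation step for any change to payment instructions.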

  • news

    "BlackByte Ransomware Decryptor Released"

    BlackByte, a Windows-based ransomware family analyzed by researchers at the cybersecurity firm Trustwave, appears to have been inspired by other strains known to bring in significant rewards for their operators, but Trustwave describes it as odd because of the design and functionality choices its creators made. According to a set of technical advisories recently published by Trustwave, the ransomware skips systems whose language settings are Russian or those of other ex-USSR (Union of Soviet Socialist Republics) states. BlackByte also adopts the double-extortion tactic: it encrypts and locks systems and threatens to steal or sell the data in an effort to force victims to pay. Like other modern ransomware operators, including Maze, REvil, Conti, and Babuk, BlackByte has launched a leak website. The researchers say, however, that BlackByte's threat of data exfiltration and leaks is baseless, since the ransomware does not appear to have any exfiltration capability; even so, the threat alone is likely to push more victims to pay once their systems are encrypted. The encryption process also suggests less-skilled operators: the malware downloads and uses the same Advanced Encryption Standard (AES) key to encrypt files on every infected system instead of generating a unique key for each session, which is what made a decryptor feasible. Trustwave has published a free decryptor for BlackByte on GitHub. This article continues to discuss BlackByte's targets, double-extortion tactic, encryption process, and other capabilities, as well as the decryptor released for the ransomware.

    ZDNet reports "BlackByte Ransomware Decryptor Released"

  • news

    "Cyberattack Response Takes More than Two Working Days"

    Researchers at Deep Instinct have found that organizations worldwide take on average more than two business days to respond to cyberattacks. The finding was published in the company's second bi-annual Voice of SecOps Report, which was based on a survey of 1,500 senior cybersecurity professionals in 11 countries who work for businesses with more than 1,000 employees and annual revenue of more than $500m. The survey revealed the average global response time to a cyberattack to be 20.09 hours. Companies within the financial sector were faster to respond, taking on average 16 hours to react. The researchers also found that larger companies answered threats more quickly, clocking up an average response time of 15 hours. Smaller companies were slower at responding, taking an average of 25 hours to make their move. The researchers also discovered that only 1% of those surveyed believed that every single one of their endpoints was installed with at least one security agent. Just over a quarter (26%) cited "complexity" as the main thing impeding their ability to install more endpoint security agents. Other key concerns include the time it takes to investigate threats (39%) and a shortage of qualified SecOps staff (35%). Nearly one-third of survey respondents believe that the biggest challenge regarding deploying endpoint agents is the cloud. Files stored in the cloud were an unchecked vulnerability for 80% of respondents, while 68% were worried that their colleagues would accidentally upload malicious files.

    Infosecurity reports: "Cyberattack Response Takes More than Two Working Days"

  • news

    "Mitigating Cloud Risks Starts With Full Visibility of Shadow IT"

    Netskope and GovLoop conducted a survey of 230 public sector agency managers and employees to gauge their understanding of cloud security risks. About 42 percent of respondents reported good awareness of cloud security risks, 26 percent reported low or no awareness, and about 32 percent placed themselves somewhere in the middle. Several factors intensify cloud security risks in the public sector. One is the ever-changing threat landscape, with state-sponsored and other malicious actors continuing to strengthen or develop new attack capabilities. Human error is another, with misconfigurations remaining one of the main elements involved in cyber incidents. A third is overreliance on various technology vendors, whose specific tools are often limited in their ability to prevent sensitive data from leaking, control risky behavior, and more. Visibility and control are the common denominators among these factors. One of the biggest visibility gaps is in shadow IT usage, meaning the use of devices, applications, or services without explicit approval from the agency's IT department. Shadow IT has been found to make up as much as 97 percent of all cloud applications used by organizations, and over 50 percent of survey respondents reported that their organization lacked visibility into its use. A lack of visibility and control leaves agencies open to data loss and other security vulnerabilities. A data-centric approach to cybersecurity is recommended to improve visibility and control of the IT environment; it involves verifying that a user's device is authorized to access the organization's network resources, limiting the resources users can access, and other practices. This article continues to discuss key findings from the survey regarding cloud security risk awareness and organizations' lack of visibility into the use of shadow IT, as well as the need for a data-centric approach to cybersecurity.

    NextGov reports "Mitigating Cloud Risks Starts With Full Visibility of Shadow IT"

  • news

    "Researchers Disclose New Side-Channel Attacks Affecting All AMD CPUs"

    Researchers from Graz University of Technology and the CISPA Helmholtz Center for Information Security, several of whom were among the discoverers of the original Meltdown and Spectre vulnerabilities, have disclosed new timing- and power-based side-channel attacks affecting all CPUs made by AMD. Side-channel attacks of this kind let a malicious application installed on a targeted machine exploit CPU behavior to gather sensitive information, such as passwords and encryption keys, from memory belonging to other applications. Many previously disclosed side-channel attacks targeted Intel processors, but the new research shows that systems powered by AMD processors are also affected. The new attacks exploit timing and power measurements of prefetch instructions, and, according to the researchers, prefetch attacks on AMD processors leak more information than prefetch attacks on Intel processors. They demonstrated multiple attack scenarios, including a Spectre attack that leaks sensitive data from the operating system, and found a new technique for establishing a covert channel to exfiltrate data. They also claim the first full microarchitectural KASLR (Kernel Address Space Layout Randomization) break on AMD that works on all major operating systems; KASLR, an exploit mitigation that randomizes where the kernel sits in memory, was shown to be breakable on laptops, desktop PCs, and virtual machines in the cloud. This article continues to discuss key findings surrounding the new side-channel attacks affecting all AMD CPUs and the chipmaker's response to these discoveries.

    Security Week reports "Researchers Disclose New Side-Channel Attacks Affecting All AMD CPUs"

  • news

    "US Treasury Tracks $5.2bn of Ransomware Transactions in Six Months"

    The US Treasury has tracked $5.2bn worth of Bitcoin transactions likely to have been ransomware payments in the first half of 2021, and its Financial Crimes Enforcement Network (FinCEN) bureau hinted in a new report that even this amount might be only the tip of the iceberg. FinCEN said it identified 68 ransomware families in total; the most frequently reported variants were REvil/Sodinokibi, Conti, DarkSide, Avaddon, and Phobos. The $5.2bn figure is associated with 177 wallet addresses mentioned in the suspicious activity reports (SARs) that financial institutions file with the authorities to combat financial crime and money laundering. The number of ransomware-related SARs soared over the first half of 2021: 635 were filed during the reporting period of January 1 to June 30, 2021, up 30% from the 487 filed for the entire 2020 calendar year. Those SARs reported 458 transactions with a total value of suspicious activity of $590m, more than the $416m reported for all of 2020, and FinCEN put the average value of reported ransomware transactions at around $100m per month in the first half of 2021. FinCEN could not say with complete certainty that all of the $5bn+ in transactions it identified through blockchain analysis were ransomware related, but the figures re-emphasize the enormous financial impact of ransomware. FinCEN also revealed that threat actors are increasingly demanding payment in currencies that are harder to track, such as Monero.

    Infosecurity reports: "US Treasury Tracks $5.2bn of Ransomware Transactions in Six Months"

  • news

    "Olympus Investigates Potential Cyber-Attack"

    Olympus has launched an investigation after detecting a potential cybersecurity incident in part of its IT systems. The Japanese manufacturer of optics and reprography products said that suspicious activity was spotted on October 10 and that the possible threat affects its systems in the United States, Canada, and Latin America. The company is working with digital forensics experts and, while it has not confirmed the specific nature of the incident, says it is working to contain the threat; part of the response has been to shut down the affected systems. Olympus noted that the current results of its investigation indicate the incident was contained to the Americas, with no known impact on other regions. Security researchers said that once containment and eradication are complete, the company should focus on understanding the root cause and bolstering its data recovery capabilities.

    Infosecurity reports: "Olympus Investigates Potential Cyber-Attack"

  • news

    "US Government Warns of Insider and Ransomware Threat to Water Plants"

    The FBI, the Cybersecurity and Infrastructure Security Agency (CISA), the Environmental Protection Agency (EPA), and the National Security Agency (NSA) have issued an alert warning of ongoing malicious cyber-activity targeting the country's water and wastewater systems (WWS) sector. The U.S. authorities highlighted multiple tactics, techniques, and procedures (TTPs) being used by a range of actors in an attempt to compromise IT and OT systems. These include spear-phishing, exploitation of insecure RDP, targeting of unsupported or outdated operating systems and software, and exploitation of control system devices with vulnerable firmware. The alert refers to multiple incidents over the past two years, mainly ransomware attacks, including a September 2020 attack on a New Jersey-based WWS facility, a March 2021 compromise at a Nevadan plant, and an August 2021 attack on a Californian WWS site. The alert stated that attacks threaten the ability of WWS facilities to provide clean, potable water and effectively manage the wastewater of their communities. The agencies pointed out that the alert does not mean the WWS sector is being targeted more than other industries, merely that plant owners should be aware of ongoing cyber risks to their operations.

    Infosecurity reports: "US Government Warns of Insider and Ransomware Threat to Water Plants"

  • news

    "Crypto Romance Scam Drains $1.4M"

    Researchers at SophosLabs have uncovered a fraudulent scheme, dubbed CryptoRom, that targets iPhone users looking for love on dating apps. Victims are first contacted through their dating app account, and the scammer builds trust by exchanging direct messages. Once the victim is comfortable, the scammer asks them to install a fake trading application backed by legitimate-looking domains and customer support. The conversation then turns to investment: the victim is asked to invest a small amount and is even allowed to withdraw that money with a profit as bait, after which they are steered toward various financial products or special "profitable" trading events. To lure the victim into a larger investment, the scammer may offer an in-app loan. When the victim tries to withdraw their money or becomes suspicious, they are locked out of the account. The scheme targets iPhone users in the United States and Europe, using dating apps including Bumble, Grindr, Tinder, and Facebook Dating to dangle the bait. Victims have been defrauded of at least $1.4m by CryptoRom.

    Infosecurity reports: "Crypto Romance Scam Drains $1.4M"

  • news

    "New "Yanluowang" Ransomware Variant Discovered"

    Security researchers at Symantec are warning of a newly discovered ransomware variant currently being used in targeted attacks. The new ransomware is dubbed "Yanluowang" after the .yanluowang extension it adds to encrypted files. The researchers said the group using the variant first deployed AdFind, a legitimate command-line Active Directory query tool, for reconnaissance and to help with lateral movement. Before Yanluowang itself is downloaded, an additional tool creates a .txt file listing the remote machines to check (their number is given on the command line) and uses WMI to get a list of the processes running on those machines, logging all of the processes and remote machine names. Once deployed, the malware stops all hypervisor virtual machines running on the targeted machine, ends the processes listed in the .txt file, encrypts the files, and drops a ransom note named README.txt. The note states that if the attackers' rules are broken, the operators will conduct distributed denial-of-service (DDoS) attacks against the victim and make calls to employees and business partners; they also threaten to repeat the attack in a few weeks and delete the victim's data. The researchers said this ransomware appears to be still under development but should not be underestimated.

    Infosecurity reports: "New "Yanluowang" Ransomware Variant Discovered"
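    The pre-deployment steps described above (AdFind reconnaissance, remote WMI process enumeration against a list of hosts, then killing hypervisor processes) are the observable part of this intrusion, and they can be correlated per host in process-creation telemetry. The Python below is an added example, not Symantec's detection logic or code from the article; the log lines are constructed in a Sysmon-like key=value layout, the hypervisor process names in the third rule are an assumed list, and the two-stage correlation threshold is a starting point rather than a tuned value.

```python
import re
from collections import defaultdict

# Constructed Sysmon-style process-creation records (not real telemetry).
SAMPLE_LOGS = r"""
2021-10-14T02:11:05Z host=FS01 user=CORP\svc_backup image=C:\Temp\AdFind.exe cmd="AdFind.exe -f objectcategory=computer -csv name operatingSystem" parent=cmd.exe
2021-10-14T02:14:30Z host=FS01 user=CORP\svc_backup image=C:\Windows\System32\wbem\WMIC.exe cmd="wmic /node:@hosts.txt process list brief" parent=cmd.exe
2021-10-14T02:20:41Z host=FS01 user=CORP\svc_backup image=C:\Windows\System32\taskkill.exe cmd="taskkill /F /IM vmwp.exe" parent=yanluowang.exe
2021-10-14T09:01:00Z host=WS22 user=CORP\jdoe image=C:\Windows\System32\wbem\WMIC.exe cmd="wmic process list brief" parent=explorer.exe
2021-10-14T09:05:12Z host=WS22 user=CORP\jdoe image=C:\Program Files\App\app.exe cmd="app.exe --update" parent=explorer.exe
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) image=(?P<image>.+?) '
    r'cmd="(?P<cmd>.*)" parent=(?P<parent>\S+)$'
)

# (stage name, event field to inspect, pattern). Each stage maps to one step Symantec described.
RULES = [
    # AdFind run from anywhere: AD reconnaissance ahead of lateral movement.
    ("ad_recon_adfind", "image", re.compile(r"(?:^|\\)adfind(?:\.exe)?$", re.I)),
    # WMI process listing against remote nodes only; a local 'wmic process list' is not flagged.
    ("remote_wmi_process_enum", "cmd", re.compile(r"\bwmic\b.*\s/node:\S+.*\bprocess\b", re.I)),
    # Forced termination of hypervisor processes (assumed process-name list, extend for your estate).
    ("hypervisor_process_kill", "cmd",
     re.compile(r"\btaskkill\b.*\b(?:vmwp|vmcompute|vmms|vmware-vmx|vmware)\b", re.I)),
]


def parse_events(logs: str) -> list:
    """Parse the key=value lines into dicts; lines that do not match the layout are skipped."""
    events = []
    for line in logs.strip().splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def match_stages(event: dict) -> set:
    """Return the set of intrusion stages a single event matches."""
    return {stage for stage, field, pattern in RULES if pattern.search(event[field])}


def detect(logs: str, min_stages: int = 2) -> dict:
    """Correlate per host: alert when a host shows at least min_stages distinct stages."""
    stages_by_host = defaultdict(set)
    for event in parse_events(logs):
        stages_by_host[event["host"]] |= match_stages(event)
    return {host: sorted(stages) for host, stages in stages_by_host.items() if len(stages) >= min_stages}


if __name__ == "__main__":
    for host, stages in detect(SAMPLE_LOGS).items():
        print(f"ALERT {host}: {', '.join(stages)}")
```

    The local `wmic process list` on WS22 is deliberately not flagged; only enumeration against remote nodes (`/node:`) matches the second rule, which keeps administrator noise down. In production the same stages would be correlated within a time window and enriched with the parent process, which in the constructed data already points at the ransomware binary for the taskkill step.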

  • news

    "AI Fake-Face Generators Can Be Rewound To Reveal the Real Faces They Trained On"

    Several studies call into doubt the notion that neural networks are black boxes that reveal nothing about what is happening inside them. Researchers at the University of Caen Normandy in France performed a membership inference attack to expose hidden training data: such an attack determines whether a given data point was used to train a model by exploiting the subtle differences in how the model treats the data it was trained on versus data it has never seen. Membership inference can cause serious leaks; for example, learning that an individual's medical data was used to train a model associated with a specific disease might reveal that the person has that disease. A Generative Adversarial Network (GAN) is a type of Artificial Intelligence (AI) that learns to generate realistic but fake examples of the kind of data it was trained on. Rather than trying to identify the exact photos used to train a GAN, the researchers looked for photos in its training set that are not identical to the GAN's output but appear to depict the same person (faces with the same identity). They did this by generating faces with the GAN and then using a separate facial-recognition AI to test whether the identity of each generated face matched an identity present in the training data. In many instances they found multiple photos of real people in the training data that matched the fake faces the GAN produced, thereby exposing the identities of individuals used to train the AI. These results raise serious privacy concerns, and in principle the same kind of attack could be applied to biometric data, medical data, and other data tied to an individual. The team also devised a different way to expose private data that does not require access to the training data: an algorithm that re-creates the data a trained model was exposed to by reversing the steps the model takes to process that data. This article continues to discuss the study in which AI-based fake-face generators were rewound to reveal the real faces on which they were trained, and other ways private data in deep-learning models could be exposed.

    MIT Technology Review reports "AI Fake-Face Generators Can Be Rewound To Reveal the Real Faces They Trained On"
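    To show in code what "the model treats its training data differently" means, here is an added Python example that is not from the Caen study or the article. It replaces the GAN and the face recognizer with a deliberately tiny generative model (a Gaussian kernel density over two-dimensional "feature vectors" that stand in for face embeddings), runs a shadow-model membership inference attack against it, and then samples from it to show that a memorizing model's outputs land on top of real training points. The data, the bandwidths (0.02 for a memorizing model, 1.0 for a smoothing one), and the random seed are all constructed.

```python
import math
import random


def sample_population(rng: random.Random, n: int) -> list:
    """Constructed 2-D feature vectors (stand-in for face embeddings): two Gaussian clusters."""
    return [(rng.gauss(rng.choice((-2.0, 2.0)), 1.0), rng.gauss(0.0, 1.0)) for _ in range(n)]


class KDEGenerator:
    """Toy generative model: a Gaussian kernel density over its training set.
    The bandwidth plays the role of generalization: small = memorizes, large = smooths."""

    def __init__(self, training: list, bandwidth: float):
        self.training = list(training)
        self.h = bandwidth

    def log_density(self, x) -> float:
        h2 = self.h ** 2
        total = sum(math.exp(-((x[0] - tx) ** 2 + (x[1] - ty) ** 2) / (2 * h2)) for tx, ty in self.training)
        return math.log(total / (len(self.training) * 2 * math.pi * h2) + 1e-300)

    def sample(self, rng: random.Random):
        tx, ty = rng.choice(self.training)            # pick a training point, jitter it by h
        return (rng.gauss(tx, self.h), rng.gauss(ty, self.h))


def fit_threshold(scores_in: list, scores_out: list) -> float:
    """Shadow-model step: pick the score cut that best separates known members from non-members."""
    best_t, best_acc = None, -1.0
    for t in sorted(scores_in + scores_out):
        acc = (sum(s >= t for s in scores_in) + sum(s < t for s in scores_out)) / (len(scores_in) + len(scores_out))
        if acc > best_acc:
            best_t, best_acc = t, acc
    return best_t


def membership_attack_accuracy(bandwidth: float, seed: int = 7, n: int = 200) -> float:
    """Attacker trains a shadow model on its own data to learn what 'member' scores look like,
    then applies that threshold to a target model trained on private data it never sees."""
    rng = random.Random(seed)
    shadow_in, shadow_out = sample_population(rng, n), sample_population(rng, n)
    shadow = KDEGenerator(shadow_in, bandwidth)
    t = fit_threshold([shadow.log_density(x) for x in shadow_in],
                      [shadow.log_density(x) for x in shadow_out])
    target_in, target_out = sample_population(rng, n), sample_population(rng, n)
    target = KDEGenerator(target_in, bandwidth)
    correct = sum(target.log_density(x) >= t for x in target_in) + sum(target.log_density(x) < t for x in target_out)
    return correct / (2 * n)


def mean_distance_to_training(bandwidth: float, seed: int = 7, n: int = 200, n_samples: int = 50):
    """'Rewind' check: average distance from generated points to the nearest real training point,
    compared with the distance to the nearest point the model never saw."""
    rng = random.Random(seed)
    training, unseen = sample_population(rng, n), sample_population(rng, n)
    model = KDEGenerator(training, bandwidth)
    samples = [model.sample(rng) for _ in range(n_samples)]

    def nearest(p, pool):
        return min(math.dist(p, q) for q in pool)

    return (sum(nearest(s, training) for s in samples) / n_samples,
            sum(nearest(s, unseen) for s in samples) / n_samples)


if __name__ == "__main__":
    for h in (0.02, 1.0):
        print(f"bandwidth={h}: attack accuracy={membership_attack_accuracy(h):.2f}, "
              f"sample distance (train, unseen)={mean_distance_to_training(h)}")
```

    With bandwidth 0.02 the attacker separates members from non-members almost perfectly and generated points sit a few hundredths from a real training point, which is the two-dimensional analogue of a generated face matching a training identity; at bandwidth 1.0 both effects vanish and the attack is near chance. The lever that closes the gap is generalization, which is why differentially private training is the standard defense against this class of leak.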

  • news

    "Hackers Can Fake Signed Documents Because of a Flaw in LibreOffice and OpenOffice"

    OpenOffice and LibreOffice have pushed updates to address a vulnerability that could allow an attacker to spoof signed documents. The vulnerability is classified as mild in severity, but its exploitation could have serious consequences. Digital signatures on document macros are supposed to let the user verify that the macro has not been altered and can be trusted; a method that lets anyone sign macro-laden documents and make them appear trustworthy is an effective way to trick unsuspecting users into running malicious code. The flaw, tracked as CVE-2021-41832 for OpenOffice, was discovered by four researchers at Ruhr University Bochum. The same flaw is tracked as CVE-2021-25635 for LibreOffice, a fork of OpenOffice created more than a decade ago from the main project. This article continues to discuss the security flaw discovered in OpenOffice and LibreOffice that attackers can exploit to fake signed documents, as well as the updates released to address it.

    Cyber Intel Mag reports "Hackers Can Fake Signed Documents Because Of a Flaw in LibreOffice and OpenOffice"

  • news

    "Applying Behavioral Psychology to Strengthen Your Incident Response Team"

    A team of researchers from George Mason University (GMU), Dartmouth College, and HP studied the inner workings of cybersecurity incident response teams (CSIRTs) and developed a framework that applies behavioral psychology principles to strengthen such teams. From 2012 to 2017, the team interviewed over 200 people and led 80 focus groups across 17 international organizations, identifying the drivers of teamwork within and between teams, and spent more than 56,000 hours on interviewing, data gathering, and analysis to understand what an individual does on a team, the team they represent, and the multiteam system they are part of. Collaboration problems emerge because security professionals are trained individually, learning how to hack, investigate, and test; when they are put into situations involving complex problems that require collaboration, they usually lack the background and habits that come from working in a multiteam system. The prominent focus on technical tools and skills adds to the problem: incident response teams are often overwhelmed by tools when addressing technical problems in security and incident response, while few tools exist to address the social and collaboration challenges CSIRTs face when operating in a multigroup, multiteam system. This article continues to discuss the challenges faced by CSIRTs operating within a multiteam system and the framework developed to address them by applying behavioral psychology principles.

    Dark Reading reports "Applying Behavioral Psychology to Strengthen Your Incident Response Team"

  • news

    "Microsoft Says It Mitigated Largest-Ever DDoS Attack"

    Microsoft has disclosed that it mitigated a 2.4 terabit-per-second (Tbps) DDoS attack that targeted an undisclosed European customer of its Azure cloud computing service. According to Microsoft, the attack, observed in the last week of August, was 140% larger than any previously recorded network volumetric event on Azure. The attack traffic originated from roughly 70,000 sources in countries including Malaysia, Vietnam, Taiwan, Japan, China, and the U.S. The attack vector was UDP (User Datagram Protocol) reflection, lasting over 10 minutes with "very short-lived bursts, each ramping up in seconds to terabit volumes." The 2.4 Tbps peak occurred on an undisclosed date in August and was followed by a smaller spike of 0.55 Tbps and a third spike of 1.7 Tbps. Before this attack, a 1.6 Tbps DDoS attack in March-April 2020 was the highest bandwidth volume Microsoft had ever recorded. Microsoft noted that the magnitude of the latest attack demonstrates the ability of bad actors to "wreak havoc" by flooding targets with traffic volumes that saturate network capacity.

    Healthcare Info Security reports: "Microsoft Says It Mitigated Largest-Ever DDoS Attack"

  • news

    Visible to the public "Brewer's Token Gaffe Causes Massive PII Breach"

    An authentication error left the personal data of hundreds of thousands of BrewDog customers and Equity for Punks shareholders exposed for a year and a half. Researchers at the security consulting and testing company Pen Test Partners discovered the gaffe, which involved an API bearer token. The researchers stated that every mobile app user was given the same hard-coded API bearer token, rendering request authorization useless: because the token identified the app rather than the user, any user could access the personally identifiable information (PII) belonging to another user. Other information exposed in the incident included users' shareholding details and bar discounts. Researchers said that the details of over 200,000 shareholders "plus many more customers" were exposed for over 18 months. The researchers criticized BrewDog's handling of the cybersecurity issue, claiming that "disclosure was rather fraught." BrewDog declined to inform their shareholders, asked not to be named, and went through four failed fixes before resolving the problem correctly.

    Infosecurity reports: "Brewer's Token Gaffe Causes Massive PII Breach"
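
    The shared-token mistake in this story combines two failures: the token proves only that the caller is a copy of the app, and the server then trusts whatever user id the request names. The following is an added example, not BrewDog's code or Pen Test Partners' proof of concept, showing the vulnerable handler next to a hardened one that issues per-user tokens and refuses to serve another user's record. The user records, token format, and server key are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed sample records for the example; not BrewDog's data.
USERS = {
    "u1001": {"name": "Ada", "shares": 120, "bar_discount": "10%"},
    "u1002": {"name": "Grace", "shares": 45, "bar_discount": "5%"},
}

# --- Vulnerable pattern: one static token compiled into every copy of the app ---
HARDCODED_APP_TOKEN = "app-token-baked-into-the-apk"  # identical on every phone


def vulnerable_get_profile(auth_header, requested_user_id):
    """Checks only that the caller *is the app*, then returns whichever user was asked for."""
    if auth_header != f"Bearer {HARDCODED_APP_TOKEN}":
        return 401, None
    # Nothing ties the token to a user, so any caller can read any user's PII.
    return 200, USERS.get(requested_user_id)


# --- Hardened pattern: per-user tokens bound to a subject with a server-side key ---
SERVER_KEY = secrets.token_bytes(32)  # lives only on the server, never in the client


def issue_token(user_id):
    """Mint a token after login: <subject>.<nonce>.<HMAC over subject and nonce>."""
    nonce = secrets.token_hex(16)
    payload = f"{user_id}.{nonce}"
    tag = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{tag}"


def subject_of(token):
    """Return the user id the token was issued to, or None if it is forged or malformed."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    user_id, nonce, tag = parts
    expected = hmac.new(SERVER_KEY, f"{user_id}.{nonce}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    return user_id


def hardened_get_profile(auth_header, requested_user_id):
    """Authenticate the subject, then authorize: a user may only read their own record."""
    if not auth_header.startswith("Bearer "):
        return 401, None
    subject = subject_of(auth_header[len("Bearer "):])
    if subject is None:
        return 401, None
    if subject != requested_user_id:
        return 403, None  # valid token, wrong object: the IDOR the shared token allowed
    return 200, USERS.get(requested_user_id)
```

    The hardened version is deliberately minimal: the tokens carry no expiry and there is no revocation list, both of which a production API would add (an opaque session id looked up server-side, or a signed token with a short lifetime). The point it demonstrates is that authorization must compare the authenticated subject against the object being requested; a token that is the same for every client cannot support that comparison at all.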

  • news

    Visible to the public "Mobile Malware Campaign Uses Lures Tied to COVID-19, HHS Warns"

    A recent alert from the Health Sector Cybersecurity Coordination Center (HC3) of the Department of Health and Human Services (HHS) brings attention to Medusa, also known as TangleBot, which is a malware variant spreading via SMS and targeting Android devices in the U.S. and Canada by taking advantage of the COVID-19 pandemic. Medusa has a wide range of access to mobile devices, allowing it to collect data and install additional malware. An analysis of the malware showed that it compromises the security of the victim's Android device and configures the system to move sensitive data to attacker-controlled systems. The malware has several levels of obfuscation and control over functions such as contacts, call logs, Internet access, the camera, microphone, and more. This article continues to discuss the Medusa malware variant and how the threat actors are using the pandemic to spread it.

    SC Magazine reports "Mobile Malware Campaign Uses Lures Tied to COVID-19, HHS Warns"

  • news

    Visible to the public "Over 90% of Firms Suffered Supply Chain Breaches Last Year"

    Researchers at BlueVoyant discovered that 93% of global organizations have suffered a direct breach due to weaknesses in their supply chains over the past year. The cybersecurity services company polled 1,200 IT and procurement leaders responsible for supply chain and cyber-risk management at global companies with 1,000+ employees to compile its report, Managing Cyber Risk Across the Extended Vendor Ecosystem. The researchers also found that the average number of breaches experienced in the past 12 months grew from 2.7 in 2020 to 3.7 in 2021, a 37% year-on-year increase. The researchers stated that although the percentage of companies that do not consider third-party risk a priority has fallen from 31% last year to 13% in 2021, the number who admit they have no way of knowing whether an incident has occurred in their supply chain rose from 31% to 38%. In addition, while 91% of respondents said budgets were increasing this year to help tackle the risk, the investments do not yet seem to be making an impact.

    Infosecurity reports: "Over 90% of Firms Suffered Supply Chain Breaches Last Year"

  • news

    Visible to the public "FDA Recalls Medtronic Insulin Pump Controller, Cites Cybersecurity Risks"

    The U.S. Food and Drug Administration (FDA) issued a notice regarding the recall of all Medtronic MiniMed remote controllers used with the Medtronic MiniMed 508 insulin pump or the MiniMed Paradigm family of insulin pumps because of potential cybersecurity risks. Medtronic urges users to stop using and disconnect the remote controller, disable the remote feature, and return it. The remote controller uses wireless radio frequency (RF) to communicate with the insulin pump and allows a specific amount of insulin to be programmed into the pump without requiring the user to press any insulin pump buttons. According to the FDA, an unauthorized person could record and replay the wireless communication between the remote and the MiniMed insulin pump. Using specialized equipment, an attacker could then instruct the pump to deliver extra insulin to a patient or to stop insulin delivery, potentially leading to death. The recall brings further attention to the need to improve medical device security. This article continues to discuss the recall of remote controllers used with Medtronic's MiniMed Paradigm and MiniMed 508 insulin pumps for potential cybersecurity risks and previous discoveries surrounding the potential weaponization of medical devices by hackers.

    HealthITSecurity reports "FDA Recalls Medtronic Insulin Pump Controller, Cites Cybersecurity Risks"
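
    The FDA notice describes a record-and-replay attack, which works whenever a command frame carries nothing that distinguishes a fresh message from a recorded one. The following is an added example, not Medtronic's protocol and not a description of the MiniMed radio format, that models a remote and a pump sharing a pairing key: each frame carries a monotonically increasing counter and an HMAC, so a replayed or altered frame is rejected, while a naive pump that trusts any well-formed frame delivers insulin every time the recording is played back. The frame layout, command codes, and key are assumptions of the example.

```python
import hashlib
import hmac
import struct

# Key shared between remote and pump at pairing time (constructed value for the example).
PAIRING_KEY = b"key-provisioned-at-pairing-time!"

CMD_BOLUS = 0x01     # deliver `arg` tenths of a unit
CMD_SUSPEND = 0x02   # stop delivery
FRAME_BODY = ">BHI"  # command, argument, monotonically increasing counter (7 bytes)
TAG_LEN = 8          # truncated HMAC-SHA256 tag appended to the body


class LegacyPump:
    """Models a pump that trusts any well-formed frame: a recorded frame replays forever."""
    def __init__(self):
        self.delivered_tenths = 0

    def receive(self, frame):
        cmd, arg, _counter = struct.unpack(FRAME_BODY, frame[:7])
        if cmd == CMD_BOLUS:
            self.delivered_tenths += arg
        return "ok"


class Remote:
    def __init__(self, key):
        self.key = key
        self.counter = 0

    def build(self, cmd, arg=0):
        self.counter += 1  # never reused for the life of the pairing
        body = struct.pack(FRAME_BODY, cmd, arg, self.counter)
        tag = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        return body + tag


class Pump:
    """Accepts a frame only if its MAC verifies and its counter is strictly newer."""
    def __init__(self, key):
        self.key = key
        self.last_counter = 0
        self.delivered_tenths = 0
        self.suspended = False

    def receive(self, frame):
        if len(frame) != 7 + TAG_LEN:
            return "reject: length"
        body, tag = frame[:7], frame[7:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return "reject: bad mac"      # tampered field or unpaired remote
        cmd, arg, counter = struct.unpack(FRAME_BODY, body)
        if counter <= self.last_counter:
            return "reject: replay"       # recorded frame played back
        self.last_counter = counter       # advance once authenticity and freshness hold
        if cmd == CMD_BOLUS:
            self.delivered_tenths += arg
        elif cmd == CMD_SUSPEND:
            self.suspended = True
        else:
            return "reject: unknown command"
        return "ok"
```

    A strictly increasing counter is the simplest freshness mechanism and is enough to defeat the recorded-frame attack in the notice, at the cost of having to keep the remote's and pump's counters in sync across resets and lost frames; a challenge-response handshake avoids that state but costs an extra round trip on a constrained radio link. Either way, the MAC is what stops an attacker from editing the dose field in a captured frame.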

  • news

    Visible to the public "NSA Warns of Risks Posed by Wildcard Certificates, ALPACA Attacks"

    The National Security Agency (NSA) recently issued guidance regarding the risks associated with wildcard TLS certificates and with Application Layer Protocols Allowing Cross-Protocol Attack (ALPACA) techniques. The guidance calls on network administrators to make sure that the use of wildcard certificates does not create unacceptable risk and that enterprise environments are not open to ALPACA attacks, which it describes as application layer protocol content confusion attacks. Wildcard certificates help simplify the management of an organization's credentials: one certificate covers any hostname directly under a given domain, so it can authenticate multiple servers. Using the same certificate and private key to validate unrelated servers across an organization poses a risk, however, because a compromise of any one of those servers exposes the key that all of them rely on. Through the use of ALPACA techniques, threat actors could perform arbitrary actions and access sensitive data. This article continues to discuss the guidance issued by the NSA on avoiding the dangers of wildcard TLS certificates and ALPACA techniques.

    Security Week reports "NSA Warns of Risks Posed by Wildcard Certificates, ALPACA Attacks"
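
    The wildcard concern and the ALPACA concern meet at one inventory question: which hostnames does each certificate actually cover, and do those hosts speak different application protocols over TLS? The following added example, which is neither the NSA guidance's tooling nor the ALPACA researchers' code, implements single-label wildcard matching and flags certificates whose coverage spans more than one protocol. The certificate and service inventory are constructed.

```python
def name_matches(cert_name, hostname):
    """RFC 6125-style check: a '*' may only be the entire leftmost label and
    matches exactly one label, so '*.example.test' covers 'www.example.test'
    but neither 'example.test' nor 'api.internal.example.test'."""
    cert_name = cert_name.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not cert_name.startswith("*."):
        return cert_name == hostname
    cert_labels = cert_name.split(".")
    host_labels = hostname.split(".")
    if len(cert_labels) < 3:          # refuse '*.tld' style names
        return False
    if len(host_labels) != len(cert_labels):
        return False
    return host_labels[1:] == cert_labels[1:]


def cert_covers(san_names, hostname):
    return any(name_matches(n, hostname) for n in san_names)


def alpaca_exposure(certs, services):
    """certs: {cert_id: [SAN dNSNames]}; services: [(hostname, application protocol)].
    Returns certs whose names cover endpoints speaking more than one protocol: the
    precondition for a cross-protocol (ALPACA-style) content confusion attack."""
    findings = {}
    for cert_id, sans in certs.items():
        by_proto = {}
        for host, proto in services:
            if cert_covers(sans, host):
                by_proto.setdefault(proto, []).append(host)
        if len(by_proto) > 1:
            findings[cert_id] = by_proto
    return findings


# Constructed inventory for the example (hostnames under the reserved .test TLD).
CERTS = {
    "wildcard": ["*.example.test"],
    "web-only": ["www.example.test", "example.test"],
}
SERVICES = [
    ("www.example.test", "https"),
    ("mail.example.test", "imaps"),
    ("ftp.example.test", "ftps"),
    ("api.internal.example.test", "https"),  # two labels deep: not covered by the wildcard
]
```

    A flagged certificate is a precondition, not proof of exploitability: the attacker still has to redirect a victim's TLS connection to the other service, and that service has to tolerate the foreign protocol's bytes. The practical fixes are to narrow each certificate to the service that needs it and to have servers enforce ALPN and SNI so that a connection negotiated for one protocol cannot be answered by another.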

  • news

    Visible to the public "AWS Ransomware Attacks: Not A Question Of If, But When"

    Researchers at Ermetic announced the results of a study on the security posture of AWS environments and their exposure to ransomware attacks. For the study, the researchers mapped out scenarios in which the right combination of permissions would allow an identity to carry out a ransomware attack on an S3 bucket. In virtually all of the participating organizations, identities were found that, if compromised, would place at least 90% of the S3 buckets in an AWS account at risk. Over 70% of the environments studied had machines that were publicly exposed to the Internet and whose identities held permissions that would allow the exposed machines to perform ransomware. The researchers also found that over 45% of the environments had third-party identities able to perform ransomware by elevating their privileges to admin level, a finding with implications well beyond the ransomware focus of this research. Almost 80% of the environments contained IAM users with enabled access keys that had not been used for 180 days or more and that had the ability to perform ransomware. The researchers stated that three things should be monitored in the cloud. First, organizations should monitor the runtime activity of identities: what they are doing and from where. Second, organizations should monitor cloud storage (S3), covering not just permissions and configuration but the actual read/write pattern and what is being stored. Lastly, organizations should monitor network activity.

    Help Net Security reports: "AWS Ransomware Attacks: Not A Question Of If, But When"
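
    Ermetic's scenarios come down to a permissions question: can an identity read, overwrite, and delete the objects in a bucket? The following added example (Ermetic's own methodology and tooling are not reproduced here) evaluates identity policies for that combination and flags enabled access keys that have been idle for 180 days or more. The policies and credential-report rows are constructed, and the evaluator ignores Condition blocks, resource policies, permission boundaries, and SCPs, so it is a triage filter rather than a replacement for the IAM policy simulator or Access Analyzer.

```python
import fnmatch
from datetime import datetime, timedelta, timezone

# Object-level permissions that together let an identity read, overwrite with an
# encrypted copy, and delete the original: the S3 ransomware primitive.
RANSOM_ACTIONS = {"s3:GetObject", "s3:PutObject", "s3:DeleteObject"}


def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])


def _matches(pattern, value):
    # IAM action and resource wildcards ('*', '?') map onto fnmatch; actions are case-insensitive.
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def allowed_actions(policy, candidates, resource_arn):
    """Simplified identity-policy evaluation for a set of candidate actions on one ARN.
    Explicit Deny beats Allow; Condition blocks, resource policies, permission
    boundaries and SCPs are deliberately ignored (assumption of this example)."""
    allowed, denied = set(), set()
    for stmt in policy.get("Statement", []):
        if not any(_matches(r, resource_arn) for r in _as_list(stmt.get("Resource"))):
            continue
        patterns = _as_list(stmt.get("Action"))
        hit = {a for a in candidates if any(_matches(p, a) for p in patterns)}
        if stmt.get("Effect") == "Allow":
            allowed |= hit
        elif stmt.get("Effect") == "Deny":
            denied |= hit
    return allowed - denied


def can_ransom_bucket(policy, bucket):
    """True if the policy grants every action in RANSOM_ACTIONS on the bucket's objects."""
    return RANSOM_ACTIONS <= allowed_actions(policy, RANSOM_ACTIONS, f"arn:aws:s3:::{bucket}/*")


def stale_active_keys(credential_rows, now, max_idle_days=180):
    """Flag users with an enabled access key not used within max_idle_days (or never used)."""
    cutoff = now - timedelta(days=max_idle_days)
    return sorted(r["user"] for r in credential_rows
                  if r["key_active"] and (r["last_used"] is None or r["last_used"] <= cutoff))


# Constructed policies and credential-report rows for the example.
POLICIES = {
    "etl-role": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]},
    "analyst": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::finance-data", "arn:aws:s3:::finance-data/*"]}]},
    "etl-role-guarded": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Effect": "Deny", "Action": ["s3:DeleteObject*", "s3:PutBucketVersioning"],
         "Resource": "arn:aws:s3:::finance-data/*"}]},
}
NOW = datetime(2021, 10, 15, tzinfo=timezone.utc)
CREDENTIAL_ROWS = [
    {"user": "svc-backup", "key_active": True, "last_used": NOW - timedelta(days=400)},
    {"user": "alice", "key_active": True, "last_used": NOW - timedelta(days=3)},
    {"user": "old-contractor", "key_active": True, "last_used": None},
    {"user": "bob", "key_active": False, "last_used": NOW - timedelta(days=500)},
]
```

    The guarded role shows the shape of the fix: broad read/write for the pipeline, with an explicit Deny on deletion (and on disabling versioning) scoped to the buckets that matter. On a versioned bucket the attacker's delete turns into a delete marker and the original remains recoverable, which is why `s3:DeleteObjectVersion` and `s3:PutBucketVersioning` belong in the denied set alongside `s3:DeleteObject`.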

  • news

    Visible to the public "Study Reveals Scale of Data-Sharing from Android Mobile Phones"

    Researchers from Trinity College Dublin and the University of Edinburgh analyzed six variants of the Android OS developed by Samsung, Xiaomi, Huawei, /e/OS, Realme, and LineageOS to gain further insight into data collection and sharing by Android mobile phones. With the exception of /e/OS, these vendor-customized Android OS variants share significant amounts of information with the OS developer and with third parties, including Google, Microsoft, LinkedIn, and Facebook, via pre-installed system apps. The study highlighted the lack of an opt-out option for this data collection. Although some communication with OS servers is expected, the study points out that the observed data transmission goes beyond this, raising many privacy concerns. The study found that all of the examined handset manufacturers, except /e/OS, collect a list of all the apps installed on a handset, which can be sensitive information as it can reveal a lot about a user, such as their religion, political affiliation, and sexual orientation. Samsung, Xiaomi, Realme, and Google collect long-lived device identifiers alongside user-resettable advertising identifiers, meaning that when a user resets an advertising identifier, the new identifier value can be re-linked to the same device, thus weakening the purpose of user-resettable advertising identifiers. Most of the handsets come with pre-installed third-party system apps from Google, Microsoft, LinkedIn, and Facebook that silently collect data with no opt-out option. This article continues to discuss key findings from the study on the scale of data collection and sharing by Android mobile phones.

    Trinity College Dublin reports "Study Reveals Scale of Data-Sharing from Android Mobile Phones"

  • news

    Visible to the public "A Cryptography Game-Changer for Biomedical Research at Scale"

    The P4 approach, which encompasses predictive, personalized, participatory, precision, and preventive medicine, is the future of healthcare. In order to increase its adoption and effectiveness, it is essential for clinical data on large numbers of individuals to be shared efficiently among all stakeholders. However, gathering data is a challenge as it is isolated between individual hospitals, medical practices, and clinics globally. There are also privacy risks that come from the disclosure of medical data. Without effective privacy-preserving technologies, these risks present a barrier to advancing P4 medicine. Existing methods either provide only limited protection for patients' privacy by requiring institutions to share intermediate results, or sacrifice the accuracy of results by adding noise to the data to prevent possible data leakage. In response, researchers at EPFL's (Ecole Polytechnique Federale de Lausanne) Laboratory for Data Security, in collaboration with colleagues at Lausanne University Hospital, MIT's Computer Science and Artificial Intelligence Laboratory (CSAIL), and the Broad Institute of MIT and Harvard, developed a novel federated analytics system called FAMHE. This system allows different healthcare providers to collaboratively conduct statistical analyses and develop Machine Learning (ML) models without having to exchange the underlying datasets. FAMHE balances data protection, the accuracy of research results, and practical computational time. According to the team, FAMHE differs from other approaches in that it works at scale and has been mathematically proven to be secure. This article continues to discuss the importance of patient data privacy and the proposed FAMHE system, based on Multiparty Homomorphic Encryption (MHE), which enables privacy-preserving analyses of distributed datasets by producing accurate results without revealing intermediate data.

    Science Daily reports "A Cryptography Game-Changer for Biomedical Research at Scale"
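
    The article's key contrast is that FAMHE neither shares plaintext intermediate results nor adds noise: each site contributes ciphertexts, the aggregation happens on ciphertexts, and only the final result is decrypted, exactly. The following is an added example that illustrates that additive-homomorphic principle with a toy single-key Paillier scheme. It is not FAMHE's scheme (FAMHE uses multiparty homomorphic encryption, where the key is shared among the participating institutions rather than held by one party), the primes are far too small for real use, and the per-site counts are constructed.

```python
import math
import secrets


def _lcm(a, b):
    return a * b // math.gcd(a, b)


class ToyPaillier:
    """Additively homomorphic Paillier scheme with fixed small primes.
    Constructed for illustration only: real deployments need primes of
    ~1024 bits each, and FAMHE itself uses a multiparty lattice-based scheme."""

    def __init__(self, p=1_000_003, q=1_000_033):
        self.n = p * q
        self.n2 = self.n * self.n
        self.g = self.n + 1
        self.lam = _lcm(p - 1, q - 1)
        self.mu = pow(self._L(pow(self.g, self.lam, self.n2)), -1, self.n)

    def _L(self, u):
        return (u - 1) // self.n

    def encrypt(self, m):
        assert 0 <= m < self.n
        while True:  # random r coprime to n makes every ciphertext of m different
            r = secrets.randbelow(self.n)
            if r > 0 and math.gcd(r, self.n) == 1:
                break
        return (pow(self.g, m, self.n2) * pow(r, self.n, self.n2)) % self.n2

    def decrypt(self, c):
        return (self._L(pow(c, self.lam, self.n2)) * self.mu) % self.n

    def add(self, c1, c2):
        return (c1 * c2) % self.n2        # Enc(a) * Enc(b) = Enc(a + b)

    def mul_const(self, c, k):
        return pow(c, k, self.n2)         # Enc(a) ^ k = Enc(k * a)


def aggregate_counts(scheme, site_ciphertexts):
    """Run by the aggregator: combines ciphertexts without the secret key, so no
    per-site count (the intermediate result) is ever visible to it."""
    total = scheme.encrypt(0)
    for c in site_ciphertexts:
        total = scheme.add(total, c)
    return total


def federated_prevalence(scheme, site_counts):
    """Each site holds (cases, patients). Sites encrypt locally, the aggregator
    sums ciphertexts, and only the totals are decrypted: exact, not noisy."""
    enc_cases = [scheme.encrypt(cases) for cases, _ in site_counts]
    enc_patients = [scheme.encrypt(n) for _, n in site_counts]
    cases = scheme.decrypt(aggregate_counts(scheme, enc_cases))
    patients = scheme.decrypt(aggregate_counts(scheme, enc_patients))
    return cases, patients


# Constructed site data for the example: (cases, patients) at three hospitals.
SITES = [(37, 1200), (52, 980), (19, 1510)]
```

    Two properties carry over to the real system. Encryption is randomized, so an aggregator seeing the same count from two sites cannot tell; and because the sum is computed under encryption, the decrypted result is the exact total, which is the accuracy advantage the article draws against noise-based approaches. What Paillier cannot do, and FAMHE's multiparty scheme can, is keep any single party from holding the full decryption key.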

  • news

    Visible to the public "BlackTech Espionage Gang Adds to Malware Toolset"

    BlackTech is an espionage group linked to China that is said to be more than a decade old, and it has updated its malware arsenal with new tools. According to researchers with PwC's threat intelligence team, BlackTech has been using a downloader called Flagpro and a backdoor called BTSDoor in recent spearphishing email attacks, suggesting the continued development of the threat group's toolset. The group previously relied on malware such as the TSCookie and PLEAD Remote Access Trojans (RATs) to carry out espionage. It has been around since 2010, but researchers have observed that since 2018 it has been developing new tools, including the Consock malware, the Waterbear loader, and different ELF variants of the TSCookie malware. BlackTech's main targets have been companies in Taiwan, but its targeting has expanded to organizations in Japan, Hong Kong, China, and the U.S. This article continues to discuss findings surrounding BlackTech's history, targets, attack chain, infrastructure, and exploits.

    Duo Security reports "BlackTech Espionage Gang Adds to Malware Toolset"

  • news

    Visible to the public "Why Facebook and Instagram Went Down for Hours"

    This week's massive Facebook outage, which was felt across all of its platforms including Instagram and WhatsApp and lasted over six hours, was likely caused by a faulty configuration change on the backbone routers that coordinate network traffic between data centers. It took so long to revive the service because the outage also disabled Facebook's internal tools and systems used for daily operations. Many businesses found that they lost almost a day of work and revenue with the downtime, showing how dependent they have become on social media for commerce.

    NPR reports "Why Facebook and Instagram Went Down for Hours"

  • news

    Visible to the public "REvil/Sodinokibi Accounting For 73% of Ransomware Detections in Q2 2021"

    Researchers at McAfee released a report examining cybercriminal activity related to ransomware and cloud threats in the second quarter of 2021. According to the researchers, Financial Services was the sector targeted most among reported cloud incidents in Q2 2021, followed by Healthcare, Manufacturing, Retail, and Professional Services. The countries with the most reported cloud incidents were the United States, followed by India, Australia, Canada, and Brazil; cloud incidents targeting the United States accounted for 52% of the incidents recorded by the researchers. The researchers also found that the sector most targeted by ransomware in Q2 2021 was Government, followed by Telecom, Energy, and Media & Communications. In Q2 2021, malware was the technique used most often in reported incidents. Spam showed the highest increase in reported incidents from Q1 to Q2 2021, at 250%, followed by Malicious Script with 125% and Malware with 47%. REvil/Sodinokibi topped ransomware detections in Q2 2021, accounting for 73% of McAfee's top-10 ransomware detections. The researchers also found a 64% increase in publicly reported cyber incidents targeting the Public sector during the second quarter of 2021.

    Help Net Security reports: "REvil/Sodinokibi Accounting For 73% of Ransomware Detections in Q2 2021"

  • news

    Visible to the public "Ransomware Intrusion Group FIN12 Ramps-Up in Europe"

    Researchers at Mandiant have found that a long-running threat group with a track record of rapid ransomware deployment and healthcare sector victims is ramping up its operations in Europe and APAC. The researchers claimed that the prolific threat group FIN12 had focused mainly on North American targets since its activities were first recorded in 2018. Around 85% were from this region, and 20% thus far have been healthcare sector organizations, which many ransomware groups promised to steer clear of during the pandemic. The bad news for organizations elsewhere in the world is that FIN12 appears to be changing its geographical focus. The researchers stated that they observed twice as many victim organizations based outside of North America in the first half of 2021 than they observed in 2019 and 2020 combined. These organizations were based in Australia, Colombia, France, Indonesia, Ireland, the Philippines, South Korea, Spain, the United Arab Emirates, and the UK. The researchers noted that this shift could be due to various factors such as FIN12 working with more diverse partners to obtain initial access and increasingly elevated and unwanted attention from the US government.

    Infosecurity reports: "Ransomware Intrusion Group FIN12 Ramps-Up in Europe"

  • news

    Visible to the public "Purdue Researchers Create 'Self-Aware' Algorithm to Ward off Hacking Attempts"

    The computer models and data analytics that use Artificial Intelligence (AI) to ensure the proper operation of today's electric grids, manufacturing facilities, and power plants could be turned against themselves through false data injection attacks. Researchers at Purdue University developed a new self-cognizant and self-healing technology for Industrial Control Systems (ICS) to protect them against both internal and external threats. The team uses the background noise within cyber-physical systems' data streams to embed invisible, continuously changing, one-time-use signals that turn passive components into active watchers. Any attempt by a hacker to introduce falsified data is therefore immediately detected and rejected by the system itself, even if the attacker has an exact duplicate of the system's model, and the detection and rejection require no human response. This article continues to discuss the research and development behind the novel technology that equips computer models with covert cognizance to protect electric grids, manufacturing facilities, nuclear plants, and more from hackers.

    Purdue University reports "Purdue Researchers Create 'Self-Aware' Algorithm to Ward off Hacking Attempts"

  • news

    Visible to the public "Google Announces New Efforts to Protect Journalists and High-Risk Users From Cyberattacks"

    Google has announced new efforts to protect elected officials, human rights activists, journalists, and other high-risk users from cyberattacks. The announcement comes one day after Google's Threat Analysis Group alerted more than 14,000 users that they were targeted in a state-sponsored phishing campaign launched by APT28, which is said to be composed of operatives of Russia's GRU intelligence agency. Google pointed out that the growing number of cyberattacks targeting high-profile individuals and groups prompted them to take extra measures and establish a team that would be dedicated to detecting and stopping the most sophisticated cybercriminals. In addition to highlighting the Advanced Protection Program (APP) that users can enable to strengthen their protection against certain attacks, Google said it partnered with organizations across the globe to provide free security keys to more than 10,000 high-risk users this year. This article continues to discuss Google's recent announcement about new efforts to protect high-risk users and organizations against cyberattacks following the warning sent by Google's Threat Analysis Group about attempts by Russian government-backed groups to attack thousands of high-profile users.

    ZDNet reports "Google Announces New Efforts to Protect Journalists and High-Risk Users From Cyberattacks"

  • news

    Visible to the public "FIN12 Hits Healthcare With Quick and Focused Ransomware Attacks"

    The FIN12 group has been executing ransomware attacks since October 2018 and is said to be a close partner of the TrickBot gang. FIN12 targets high-revenue victims in various sectors and regions globally. It is notable for skipping the data exfiltration step that most ransomware gangs have adopted to increase their chances of financial gain. By skipping this step, the group can carry out attacks significantly faster than other ransomware operations: it takes the group less than two days from initial compromise to file encryption. Data collected from investigations reveal that most ransomware gangs that steal data have a median dwell time of five days, with an average of 12.4 days. FIN12's average time spent on a victim network has decreased each year, reaching less than three days in the first half of this year. The cybersecurity company Mandiant published a profile of the FIN12 group revealing that many of its victims are in the healthcare sector. In 2019 and 2020, 71 percent of the group's victims were in the U.S., while 12 percent were located in Canada. In 2021, the group appears to have shifted its focus to organizations in Australia, Colombia, France, Indonesia, Ireland, the Philippines, South Korea, Spain, the United Arab Emirates, and the U.K. Nearly 20 percent of the attacks launched by this group have been against organizations in the healthcare sector, even during the COVID-19 pandemic. This article continues to discuss key findings surrounding FIN12 regarding its targets, operations, and partners.

    Bleeping Computer reports "FIN12 Hits Healthcare With Quick and Focused Ransomware Attacks"

  • news

    Visible to the public "US Creates National Cryptocurrency Enforcement Team"

    The United States Department of Justice (DOJ) has formed a new task force to oversee complex investigations and prosecutions of criminal misuses of cryptocurrency. The creation of the National Cryptocurrency Enforcement Team (NCET) was announced yesterday by Deputy Attorney General Lisa Monaco. She stated that the DOJ was "poised to root out abuse on these platforms and ensure user confidence in these systems." The DOJ's Office of Public Affairs said that the team's focus would be on criminal acts committed by virtual currency exchanges, money laundering infrastructure actors, and mixing and tumbling services. NCET will also assist in tracing and recovering assets lost to fraud and extortion, including cryptocurrency payments to ransomware gangs. In addition, NCET will train and advise federal prosecutors and law enforcement agencies in developing investigative and prosecutorial strategies, and will provide guidance on matters including search and seizure warrants, restraining orders, criminal and civil forfeiture allegations, and indictments.

    Infosecurity reports: "US Creates National Cryptocurrency Enforcement Team"

  • news

    Visible to the public "Smishing on the Rise"

    A new financial crime report by researchers at Feedzai has found an increase in phishing scams perpetrated via text message, a practice known as smishing. The researchers analyzed over 1.5 billion global transactions completed in the second quarter of 2021 to paint a picture of the state of financial crime, consumer spending habits, and the top fraud trends. Purchase scams, where consumers pay for products or services that never arrive, topped the list of fraud scams, followed by scams involving social engineering, impersonation, and account takeover (ATO). Smishing, where scammers send text messages to trick consumers into clicking on dangerous links and sharing personal information, made it onto Feedzai's top five list for the very first time as the fifth most common fraud scam. Analysis of the data also revealed a continuous move to cashless transactions, with a 146% increase in peer-to-peer (P2P) payments and a 44% decrease in cash transactions. Online transactions grew by 109% to nearly double the number of in-person or card-present transactions. The researchers stated that financial criminals have exploited the shift and that the number of online card fraud attempts increased by 23% between April and July 2021. The researchers warned that the convenience of cashless transactions comes with a cost. The researchers noted that financial institutions and retailers need to address the financial risk and higher complexity attacks that arise with the digital evolution. In their report, the researchers also revealed the cities with the highest increase in fraud over the past year. Las Vegas, Nevada, which has seen a fraud increase of 411%, topped the list, with New York (up 396%) and Charleston, South Carolina (up 251%) in second and third place, respectively.

    Infosecurity reports: "Smishing on the Rise"

  • news

    Visible to the public "New Proposal Requires Ransomware Victims To Report Payments Within 48 Hours"

    The recently proposed Ransom Disclosure Act would require ransomware victims to report ransom payments within 48 hours of making them. In compliance with the Ransom Disclosure Act, victims would have to provide the Department of Homeland Security (DHS) with information on the ransom demanded and paid, the currency used to pay the ransom, and the entity that demanded it. The bill would require DHS to publish the information disclosed in the previous year without identifying the organizations that paid ransoms. DHS would also be required to set up a website where individuals can voluntarily report ransomware payments. Under the proposed bill, the DHS secretary would be directed to conduct a study on ransomware attacks and provide recommendations on how to protect organizations from them. This article continues to discuss the goals and requirements of the proposed Ransom Disclosure Act, as well as some concerns surrounding the suggested legislation.

    SC Media reports "New Proposal Requires Ransomware Victims To Report Payments Within 48 Hours"

  • news

    Visible to the public "U. Missouri To Develop Cyber Brain for 'Smart' Devices"

    A team of researchers at the University of Missouri will develop an add-on cybersecurity solution for smart devices through the use of Machine Learning (ML) to adapt to cyber threats. The National Security Agency (NSA) awarded a $500,000 grant to Missouri's College of Engineering for the project. The team will work on developing a solution that addresses threats at a smart device's gateway where it connects to the cloud. Prasad Calyam, the director of the university's Center for Cyber Education, Research and Infrastructure, pointed out the failure by many vendors to build in regular updates for such devices to adapt to new threats. The researchers plan to add a blockchain-based system to log threats as well as apply ML to customize how devices respond to future threats. They will also design a sharing platform for smart device-producing companies to increase feedback and assess risk. This article continues to discuss the project aimed at improving security for smart devices.

    EdScoop reports "U. Missouri To Develop Cyber Brain for 'Smart' Devices"

  • news

    Visible to the public "Russia Launched 58% of State-Backed Hacks Observed by Microsoft, Company Says"

    Microsoft has stated that Russia's relentless hacking efforts accounted for 58% of all state-sponsored cyberattacks observed by Microsoft over the past year. Microsoft said that the top three foreign targets of Russian state actors were the U.S., Ukraine, and Britain and that the hackers saw their success rate on hacks increase from 21% to 32% year-over-year. The company also observed a newly intense Russian focus on government agencies, particularly those entwined with foreign policy. The researchers stated that the percentage of government organizations among Russian targets exploded from roughly 3% last period to 53% since July 2020. Microsoft's report covered a period spanning from July 2020 to June 2021. The researchers said that outside of Russia, the largest share of state-backed hacks was observed from North Korea, Iran, and China. China's attacks were effective 44% of the time, according to the report.

    MSN News reports: "Russia Launched 58% of State-Backed Hacks Observed by Microsoft, Company Says"

  • news

    Visible to the public "Hackers Could Disrupt Industrial Processes via Flaws in Widely Used Honeywell DCS"

    Researchers at the industrial cybersecurity firm Claroty have discovered that Honeywell's Experion Process Knowledge System (PKS) product is affected by vulnerabilities that could result in the disruption of industrial processes if exploited by malicious actors. Three vulnerabilities impact the product, two of which have been rated critical because they can allow an attacker to remotely execute arbitrary code on the system or cause a denial-of-service (DoS) condition. The third flaw, which has been given a high severity rating, is a path traversal issue that can allow a malicious actor to access folders and files. These vulnerabilities could be exploited by an attacker to cause significant disruptions or to abuse the system for further attacks against a targeted organization's network. However, the researchers emphasized that the attacker would first need to gain access to the organization's Operational Technology (OT) network, because the ports that must be reached in order to exploit the vulnerabilities are typically not exposed to the Internet. According to Honeywell, the vulnerabilities impact its C200, C200E, C300, and ACE controllers. This article continues to discuss the potential exploitation and impact of the three vulnerabilities discovered in the widely used Honeywell distributed control system (DCS).

    Security Week reports "Hackers Could Disrupt Industrial Processes via Flaws in Widely Used Honeywell DCS"

  • news

    Visible to the public "TSA to Issue Cybersecurity Requirements For US Rail, Aviation Sectors"

    After issuing cybersecurity requirements for pipeline companies via two directives earlier this year, the Transportation Security Administration (TSA) will also issue cybersecurity requirements for rail systems and airport operators. First, TSA will issue a new directive covering high-risk railroads and rail transit entities. Reports suggest that, at a minimum, Amtrak and major subway systems such as those in Washington, DC, and New York would fall under the regulations. The new directive would require covered entities to identify a cybersecurity point person, report cyber incidents to DHS's Cybersecurity and Infrastructure Security Agency (CISA), and create a contingency and recovery plan to follow if they become victims of malicious cyber activity. For "lower-risk surface entities," TSA will issue separate guidance that encourages, rather than requires, these entities to follow the same measures. In terms of aviation security, TSA will require that critical US airport operators, passenger aircraft operators, and all-cargo aircraft operators designate a cybersecurity coordinator and report cyber incidents to CISA. In addition, TSA will gradually expand the directive's reach to cover other relevant entities and consider additional measures over time. TSA is also initiating a rulemaking process to develop a longer-term regime to strengthen cybersecurity and resilience in the transportation sector. To help transportation organizations better prepare for that process, the agency will issue an information circular recommending the completion of a cybersecurity self-assessment.

    CSO reports: "TSA to Issue Cybersecurity Requirements For US Rail, Aviation Sectors"

  • news

    Visible to the public "Misconfigured Apache Airflow Platforms Threaten Organizations"

    The security vendor Intezer has discovered that many organizations using the open-source Apache Airflow platform may be exposing credentials and other sensitive data to the Internet due to the way in which they use the technology. Many organizations use the Apache Airflow platform for workflow scheduling and management. Intezer's security researchers found several misconfigured Airflow instances exposing sensitive information belonging to organizations in manufacturing, media, financial services, information technology, health, and other industries. This information includes user credentials for cloud hosting services, payment processors, and social media platforms, such as Slack, AWS, and PayPal. According to Intezer, some of the data exposed via misconfigured Airflow instances could be used by threat actors to gain access to enterprise networks or launch malware in production environments and on the Apache Airflow platform itself. One of the Intezer researchers pointed out how easy it is to find exposed instances, saying that all a threat actor has to do is scan IP addresses and check them for the expected HTML file. However, the act of exploitation to run code is difficult and requires the threat actor to have a more in-depth understanding of each platform. Although Airflow provides multiple options for using it securely, organizations can put data at risk by how they use the platform. For example, the researchers found that the most common cause for credential leaks in Airflow is insecure coding. They discovered multiple Airflow instances where passwords had been hardcoded in the Python code for organizing tasks or in a feature that lets a user define a variable value. This article continues to discuss the discovery of misconfigured Airflow instances, the use of Apache Airflow by organizations, and other ways in which users can put enterprise data at risk via the insecure use of this platform.

    Dark Reading reports "Misconfigured Apache Airflow Platforms Threaten Organizations"
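
    Intezer's most common finding was credentials typed directly into DAG code or persisted as literal Variable values. The following added scanner, which is not Intezer's tooling, walks a DAG file's syntax tree and reports credential-looking string literals in assignments, in keyword arguments, and in Variable.set calls. The DAG excerpt is constructed, and the placeholder values are not real credentials.

```python
import ast
import re

# Identifier fragments that usually denote a credential.
SECRET_NAME = re.compile(r"pass(word|wd)?|secret|token|api[_-]?key|private_key", re.IGNORECASE)


def _is_str_literal(node):
    return isinstance(node, ast.Constant) and isinstance(node.value, str)


def find_hardcoded_secrets(source, filename="<dag>"):
    """Return sorted (line, kind, name) for credential-looking string literals in a DAG file:
    assignments such as db_password = "...", keyword arguments such as password="...",
    and Variable.set("name", "...") calls that persist a literal into the metadata DB."""
    findings = []
    for node in ast.walk(ast.parse(source, filename)):
        if isinstance(node, ast.Assign) and _is_str_literal(node.value):
            for target in node.targets:
                if isinstance(target, ast.Name) and SECRET_NAME.search(target.id):
                    findings.append((node.lineno, "assignment", target.id))
        elif isinstance(node, ast.Call):
            for kw in node.keywords:
                if kw.arg and SECRET_NAME.search(kw.arg) and _is_str_literal(kw.value):
                    findings.append((node.lineno, "keyword", kw.arg))
            func = node.func
            if (isinstance(func, ast.Attribute) and func.attr == "set"
                    and isinstance(func.value, ast.Name) and func.value.id == "Variable"
                    and len(node.args) >= 2 and _is_str_literal(node.args[0])
                    and _is_str_literal(node.args[1])):
                findings.append((node.lineno, "Variable.set literal", node.args[0].value))
    return sorted(findings)


# Constructed DAG excerpt for the example; the values are placeholders, not real credentials.
DAG_SOURCE = '''\
from airflow import DAG
from airflow.models import Variable
from airflow.providers.amazon.aws.hooks.s3 import S3Hook

AWS_SECRET_ACCESS_KEY = "constructed-secret-value"      # line 5: literal in code
db_password = "constructed-password"                   # line 6
Variable.set("slack_token", "xoxb-constructed")         # line 7: literal persisted via Variable
hook = S3Hook(aws_conn_id="aws_default")                # fine: credential lives in a Connection
conn_pw = Variable.get("db_password")                   # fine: read, not a literal
op = SomeOperator(task_id="t", password="constructed")  # line 10: literal keyword argument
'''
```

    Run it over every file in the DAGs folder as a pre-commit or CI step. The two lines the scanner leaves alone show the intended pattern: operators and hooks receive a connection id and look the credential up in an Airflow Connection or a configured secrets backend at run time, so nothing secret is in the repository, in the Variable table, or in a webserver that an Internet-wide scan can find.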

  • news

    Visible to the public "New ESPecter UEFI Bootkit Discovered"

    Researchers at ESET have discovered a new Unified Extensible Firmware Interface (UEFI) bootkit that can infect machines running Windows 7 through Windows 10 and maintain persistence on the EFI System Partition (ESP) through the installation of a malicious Windows Boot Manager. The new malware, dubbed ESPecter, is similar to the recently disclosed FinSpy UEFI bootkit. ESPecter's initial infection vector is still unclear, but it is believed to be used mainly to steal information and carry out espionage. Most UEFI bootkits discovered in the wild have been SPI flash implants rather than ESP implants; both aim to gain control of the lowest level of the machine's boot process and to remain hidden and persistent without any apparent signs of compromise. ESPecter achieves this by patching the Windows Boot Manager, which controls the boot process from the moment the machine starts up. By patching the Windows Boot Manager, the attackers gain execution early in the boot process, before the operating system is fully loaded, which allows ESPecter to circumvent Windows Driver Signature Enforcement (DSE) and launch its unsigned driver at system startup. The unsigned driver then injects other user-mode components into specific processes to begin communication with the malware's command-and-control (C&C) server and enable the threat actor to take over the compromised machine by downloading additional malware or executing C&C commands. This article continues to discuss the history and key findings surrounding ESPecter.

    Decipher reports "New ESPecter UEFI Bootkit Discovered"