Cybersecurity and Infosec News Headlines Update on June 30, 2022

Mitel VoIP appliances used in ransomware attack

Mitel have not been very lucky lately with the security news. The latest involves abuse of a zero-day exploit – CVE-2022-29499 – in a ransomware attack as detailed by Crowdstrike. Essentially, the vulnerable VoIP applications are MiVoice Connect appliances (SA 100, SA 400 and Virtual SA). The blog post by Crowdstrike does a very good job detailing the results of their forensics investigation and indicates that the vulnerable MiVoice Connect appliance in question was used as the entry-point into an organisation’s network.

The vulnerabilities exploited in the Mitel appliance were related to the web interface and problematic PHP application code.

Syniverse (Vodafone supplier) compromised since May 2016

This one seems like a big deal considering the sort of access that is required to provide services provided by the allegedly compromised company, Syniverse. They are essentially a CPaaS, providing connectivity to mobile operators globally.

Call forwarding “trick” allows for Whatsapp account hijack

This article is about a trick posted by Rahul Sasi (of CloudSEK) which can be used to hijack Whatsapp accounts. Summarized, it goes like this:

Adversary social engineers victim into calling the MMI codes to forward all calls to a phone number controlled by adversary
Adversary starts Whatsapp registration process to register as victim’s phone number
Adversary chooses voice as verification method (instead of SMS)
Adversary hijacks victim’s Whatsapp account

This is one of those few times where security people are highlighting the problems of voice calls for authentication, instead of SMS OTP (see the Syniverse coverage). Also, this seems to be a very old-school attack that is being applied to Whatsapp authentication. But really, being able to cause all calls to be forwarded to a different number introduces many other problems for the victims. MMI codes are relatively obscure to most people these days, yet still there.

It got me thinking, would anyone miss them if they were gone?

Discord as a financial messenger – what could go wrong?

Vice published an interesting article which talks about privacy issues within Discord and how its threat model focuses on gamers and certainly not crypto-trading and crypto related projects. However, it seems that the crypto people have a soft spot for Discord and are making the wrong assumptions as to its security and privacy features.

One of the main claims that the Discord API appears to leak the name, description, members list and activity data of every private channel on every server. The article mentions a number of other issues and caveats and is worth a read if you’re interested in large platforms of the sort.

Metasploit 6.2 released which adds a SIP capture module

In the Metasploit 6.2 announcement, there was mention of a new capture plugin that has support to capture SIP authentication. The same plugin captures many other protocols too, most typically NTLM, and SMTP, Telnet, FTP, and so on.

Here’s the description of the module:

This module provides a fake SIP service that is designed to capture authentication credentials. It captures challenge and response pairs that can be supplied to Cain or JtR for cracking.

Nessus adds a Cisco IOS-XE destination pattern bypass module

The vulnerability scanner, Nessus has a new module that detects a Cisco IOS vulnerability that leads to toll fraud when abused. Description of the module:

A vulnerability in the Voice Telephony Service Provider (VTSP) service of Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to bypass configured destination patterns and dial arbitrary numbers.

This vulnerability is due to insufficient validation of dial strings at Foreign Exchange Office (FXO) interfaces. An attacker could exploit this vulnerability by sending a malformed dial string to an affected device via either the ISDN protocol or SIP. A successful exploit could allow the attacker to conduct toll fraud, resulting in unexpected financial impact to affected customers.

The check from Nessus relies on detecting the version of the Cisco IOS-XE so it does not seem to be actually demonstrating the vulnerability. The patch has been available since September 2021.

Mitel phones had a backdoor when booted into special mode

Researchers from the security firm Syss have reported vulnerabilities in Mitel phones (6900 Series) that allow attackers with physical access to gain root access to the phone. This is related to the phone starting a telnet backdoor when booting up while pressing the * and # keys on the phone. It is tracked as two CVEs:

CVE-2022-29854
CVE-2022-29855

VitalPBX missing access control vulnerability

This one is tracked as CVE-2022-29330 with the following description:

Missing access control in the backup system of Telesoft VitalPBX before 3.2.1 allows attackers to access the PJSIP and SIP extension credentials, cryptographic keys and voicemails files via unspecified vectors.

Blog post by Corinne Henin & Thibaut Henin of Arsouyes about the vulnerability: CVE-2022-29330 – vulnerability in VitalPBX < 3.2.1

Gallium APT uses new PingPull malware for espionage campaigns

A China-based APT called “Gallium” is using a new trojan to target companies operating in Southeast Asia, Europe and Africa. Called “PingPull,” the backdoor uses ICMP for C2 communications and has never been seen before in the wild. PingPull is a Visual C++-based malware that provides actors with the ability to access a reverse shell and run arbitrary commands on a compromised host. The actor could then move files, enumerate storage devices and timestomp files. Gallium traditionally targets telecommunications, finance and government organizations.

Oracle Took Six Months to Fix Critical Flaw in Fusion Middleware

Researchers say that six months elapsed between the time they notified Oracle of a critical vulnerability in Fusion Middleware and the day Oracle released a fix for the issue. The deserialization of untrusted data vulnerability can be exploited remotely without authentication to allow arbitrary code execution. The researchers notified Oracle of the flaw in October 2021; Oracle fixed the issue in its April 2021 Critical Patch Update.

Note

Deserialization issues are all too common in middleware, and can be difficult to patch right. The usual fix employed by Oracle in the past is to establish blocklists to not allow the instantiation of very specific, deemed to be dangerous, objects. But these blocklists have been bypassed in the past if they were not defined well. A huge ecosystem of applications relies on this middleware and Oracle does need to pay attention to minimize the possibilities of breaking these applications.
As we’ve seen with Microsoft and many other vendors of large complex software, some software flaws can take several months to fix and test. But, Oracle has been silent on why this one took so long or in providing any guidance to customers in shielding or workaround actions to take while awaiting a real fix.
One exploit involves chaining two vulnerabilities, CVE-2022-21445 (deserialization of untrusted data) and CVE-2022-21497 (SSRF), to achieve pre-authentication RCE. The time to release a patch was likely due to interdependency and regression testing and resolution. You should have already deployed the April CPU. If not, the publishing of the exploit details should be seen as a call to act.
Having been on the inside of some of these decisions, one can testify that the vendors are often between a rock and a hard place, in a dilemma that cannot be recognized or appreciated from the outside. Moreover, the vendor may be aware of many vulnerabilities more severe than those reported from the outside and is fixing them in the most efficient order. One is inclined to cut the vendor some slack. That said, six months with no explanation or guidance to customers is a little much. One starts to question the vendors priorities.

CafePress Fined Over Data Breach and Cover-up

The US Federal Trade Commission (FTC) has finalized an order against CafePress over a 2019 breach that compromised data for nearly 23 million accounts. CafePress kept data longer that it needed to; stored sensitive information, like Social Security numbers (SSNs), in plaintext; did not secure its systems sufficiently; and covered up the breach, electing not to inform impacted customers. The complaint was filed against former CafePress parent company Residual Pumpkin, LLC, and current CafePress owner PlanetArt, LLC. The final order requires both companies to implement comprehensive cybersecurity programs, employ multi-factor authentication, store data for only the minimum amount of time necessary, and encrypt SSNs.

Note

This is a good report to use to convince management of the importance of cybersecurity review being part of Merger and Acquisition decisions. Planet Art acquired Café Press after the 2019 and may have adjusted the amount they paid downward. However, 3 years later Planet Art will be subject to the FTC action on their security program, even if the original parent company (Residual Pumpkin) has to pay the fine.
It’s not a bad idea to review where you’re storing PII and make sure you’re aligned with the relevant privacy laws, (CCPA, GDPR, etc.) to include retention and appropriate use restrictions. Be sure to check online services used, such as event registration services, for data collected and stored to ensure they also meet protection requirements. Leverage your legal team to understand how these laws apply to your business. Build awareness training for both developers and users as well as creating any needed supporting KB articles and/or policies.n

$100M Stolen from Blockchain Firm Harmony

Thieves have stolen more than $100M in cryptocurrency from blockchain company Harmony. Harmony provides bridge services for users who want to transfer cryptocurrency across different blockchains. The company’s Horizon Ethereum Bridge was compromised last week. Harmony is offering a $1M bounty for the return of the stolen funds.

Note

Of course, that $100M was only worth $30M a few days later… Hard to get real data on “cryptocurrency” use but it seems clear more of it is stolen each year than is used for actual business transactions.
Harmony transfers cryptocurrencies, stablecoins and non-fungible tokens between their blockchain and other networks. The Ethereum tokens were what was stolen. The attackers used 11 transactions which extracted the ETH tokens on the bridge. Moreover, these were doubly encrypted via passphrase and key management service. The pilfered keys were able to satisfy the multi-signature contract allowing the funds to be transferred. The point is you need to understand how your crypto is protected, how exchanges are authorized and what recourse you have if compromised.

Ransomware as a Distraction from IP Theft

Researchers from Secureworks say that Chinese state-sponsored threat actors may be using ransomware as a distraction while they plumb organizations’ networks for intellectual property and other sensitive data. Secureworks has provided a list of threat indicators to help detect malicious activity related to the threat actors.

Note

Same is often true of denial of service attacks that are often used as distractions from the main tactics, or are used simply to flood SIEM consoles with alerts that will slow the security team from handling the critical alerts.
View this as a twist to current ransomware + extortion techniques. The ransomware is used to obfuscate evidence, distract investigators and otherwise cover the indications relating to exfiltration of data. The attackers are using the HUI loader, which is a custom DLL loaded by legitimate programs subject to DLL search order hijacking. The loader then installs a RAT such as Cobalt Strike, PlugX, SodaMaster and QuasarRAT. The attack leverages weaknesses in your boundary control devices, taking us back to making sure they are patched, the configuration is verified as secure, and you’re using MFA for remote access. Leverage the IOCs in the Secureworks article.

GAO: Private Cyber Insurance, TRIP May Not be Enough to Cover Catastrophic Losses

The US Government Accountability Office (GAO) is concerned that currently available private cyber event insurance and the government’s Terrorism Risk Insurance Program (TRIP) may not be sufficient to cover catastrophic financial losses due to cyberattacks. GAO recommends that “CISA and the Department of the Treasury’s Federal Insurance Office (FIO) should jointly assess the extent to which risks to critical infrastructure from catastrophic cyber incidents and potential financial exposures warrant a federal insurance response, and inform Congress of the results of their assessment.”

Note

The key line in this 53 page report is “One option that has been proposed is to tie federal assistance for cyber-related losses to cybersecurity requirements.” Insurance can’t cover catastrophic losses that are due to lack of basic security hygiene. Like any form of insurance, to be useful to businesses, or for the government to step in when state-sponsored or terrorist-initiated attacks cause broad damage, cyberinsurance policies have to be based on proof of maintaining baseline standards. In this case, the government will likely point to the NIST framework.
Insurance companies have been revising language and criteria in response to trends in ransomware claims. Review your cyber insurance to understand what it covers and what are the triggers. For example, the GAO believes that incidents may not meet the criteria needed to be categorized as terrorism, resulting in a non-payment. Determine if there are new criteria, such as vulnerability assessments or MFA you are also now required to meet for your insurance to be valid, don’t delay closing any gaps here.

CISA: Assume VMware Products Not Patched Against Log4Shell are Compromised

In a joint cybersecurity advisory, the US Cybersecurity and Infrastructure Security Agency (CISA) and the United States Coast Guard Cyber Command (CGCYBER) warn that threat actors are continuing to exploit Log4Shell in VMware Horizon® and Unified Access Gateway (UAG) servers. CISA and CGCYBER urge organizations with vulnerable systems to assume compromise and begin threat hunting action using the indicators of compromise included with the advisory.

Note

VMware released fixes for Log4J back in December. If you have any systems which are still not updated, you’re going to want to forensicate them fully before trusting them. Make sure that you’re minimizing the services exposed to the Internet, that accounts are audited, removing which are unused or no-longer-needed. Lastly, strong authentication is pretty important, don’t overlook it, keep an eye on excepted users, find a way to not have any exceptions.
Post SolarWinds, assuming persistent but covert compromise, might well be the appropriate default. In the face of such compromise, the efficient defensive strategy is strong process-to-process isolation. The goal should be so-called “zero trust.”

CISA Asks for Feedback on Trusted Internet Connections 3.0 Cloud Use Case

The US Cybersecurity and Infrastructure Security Agency (CISA) is seeking feedback and comments on its Trusted Internet Connections (TIC) 3.0 Cloud Use Case. This rounds out the series of TIC use cases: CISA released the Traditional TIC Use Case, Branch Office Use Case, and Remote User Use Case last year. “The goal of TIC 3.0 is to secure federal data, networks, and boundaries while providing visibility into agency traffic, including cloud communications.” CISA is accepting public comment on the TIC 3.0 Cloud Use Case through July 22, 2022.

Note

TIC is a mixed bag. In some scenarios such as HPC, a non-starter for effective connectivity across the internet. The goal is to achieve a version of TIC which is aligned with Zero-Trust and a cloud based service architecture. Take a hard look at the draft and provide feedback to ensure the end model is usable.

Google: Hermit Spyware is Being Used in Italy and Kazakhstan

Google says that spyware from Italian company RCS Labs is being used to target people in Italy and Kazakhstan. The spyware, known as Hermit, targets both iOS and Android devices, and uses drive-by downloads to gain initial footholds on targeted devices. Hermit can steal data from infected phones and can also make and record calls.

Note

The malicious applications masquerade as account recovery applications. Consider carefully requests to install applications to support actions like this, verify, out-of-band that they are indeed part of the process. Make sure that your users understand the recovery processes for accounts associated with applications they use. Make sure that users only install applications from trusted app stores, including what to do when they are requested to install one from another source.

ToddyCat APT

Researchers at Kaspersky have discovered an advanced persistent threat (APT) actor that is exploiting the ProxyLogon vulnerability in targeted attacks against government and military organizations in Europe and Asia. Dubbed ToddyCat, the threat actor does not appear to have ties to other known threat actors. ToddyCat uses two tools, also not seen before, that Kaspersky is calling ”Samurai backdoor” and “Ninjas Trojan.” The tools are being used to exploit two backdoors in the Exchange Server environment. Targeting Exchange Servers.

Note

The China Chopper web shell is installed, which allows for svchost to load the malicious “iiswmi.dll” which then uses a .Net loader to execute the Samurai backdoor; which is hard to detect. The SecureList blog post includes IOCs for you to incorporate into your processes to discover this activity. Make sure your Exchange infrastructure is up to date. Given the low-profile of this attack group, proactively scanning for the IOCs is a good idea.

US critical infrastructure needs better cyber insurance coverage

A report published last week by the US Government Accountability Office (GAO) has found that critical infrastructure organizations may not receive full cyber insurance coverage, especially if incidents result in “catastrophic financial losses.”

GAO looked at cyber insurance provided by both the US private sector and the US government itself—through its Terrorism Risk Insurance Program (TRIP).

Officials said that while, in general, the cyber insurance sector provides good coverage for incidents like data breaches and ransomware attacks against most companies, critical infrastructure entities are in a sensitive spot.

First, the US government’s TRIP coverage may not kick in unless a cybersecurity incident is formally linked to an act of “terrorism,” which most likely is not going to happen since cyber-related outages must be violent or coercive in nature, to be certified as “acts of terrorism.”

Second, GAO notes that private cyber insurance providers may be able to weasel their way out of covering a particularly damaging (and expensive) attack if the incident is formally linked to an act of war, such as the acts of a state-backed threat actor.

The findings of the GAO report aren’t particularly “new” and, at this point, are common knowledge for most cybersecurity experts today. However, the report is an important step in the sometimes overly complex procedure of the US government.

In the report’s conclusion, GAO officials recommended that both Treasury and DHS officials update the US government’s response to incidents impacting critical infrastructure. This revamped response should provide better support for cybersecurity-related events and their typical fallout, such as expanding the government’s insurance coverage beyond just acts of “classic” terrorism.

Harmony mega-hack

Cryptocurrency bridge project Harmony said it was hacked for more than $100 million worth of cryptocurrency. The hack took place on Thursday and targeted the Harmony Protocol, a system used to interchange cryptocurrencies between different blockchains. The company is currently keeping an incident response blog post on Medium.

The @wormholecrypto, @Ronin_Network, and #Horizon bridge exploits lost $1.1B funds in user funds.

That's more than what @Meta paid for @Instagram's acquisition.

Unless #DeFi manages to create safer bridges, it may be impossible to achieve a truly #crosschain ecosystem. https://t.co/oNaFRmNDKs

— Uno Re (@unoreinsure) June 24, 2022

CafePress fine

The US FTC fined last week the CafePress t-shirt merchandise site $500,000 for trying to cover up the severity of its 2020 data breach. The FTC said CafePress had weak security measures in place, which eventually allowed a threat actor to break in and steal the personal data of 23 million customers.

Ransomware attacks in Japan

Two large Japanese companies—automotive component manufacturer TB Kawashima and automotive hose giant Nichirin—were hit by ransomware attacks last week.

XCarnival hack

XCarnival, a company that claims to be the first NFT assets management platform for the Metaverse, was hacked on Saturday by an unidentified threat actor who exploited its smart contracts to steal 3,087 ETH, estimated at roughly $3.8 million at the time of the heist. The company confirmed the incident in a statement on Twitter when it also paused its smart contracts. Additional details are available in this Twitter thread from blockchain security firm PeckShield, which was the one to stop the suspicious transactions:

1/ @XCarnival_Lab was exploited in a flurry of txs (one hack tx: https://t.co/LUcxSU9UQn),
leading to the gain of 3,087 ETH (~$3.8M) for the hacker (The protocol loss may be larger). pic.twitter.com/mmGw5PQfbt

— PeckShield Inc. (@peckshield) June 26, 2022

Hi @XCarnival_Lab: You may want to take a look: https://t.co/LUcxSU9UQn

— PeckShield Inc. (@peckshield) June 26, 2022

Currently our smart contract has been suspended, all deposit and borrowing actions are temporarily not supported, please stay tuned, we will confirm the situation as soon as possible.

— XCarnival | AMM Public Beta (@XCarnival_Lab) June 26, 2022

Abortion hacktivism

In the aftermath of the US Supreme Court’s overturning of the Roe v Wade abortion protections, a hacktivist group known as SiegedSec has leaked data claiming to be from government employees from states that support or have already enacted abortion bans. According to early reports of users who sifted through the data, the leaked files appear to contain info from Arkansas and Kentucky, although it’s unclear if it’s newly obtained information or just recycled old leaks.

https://twitter.com/PogoWasRight/status/1541067019382046726

Google Analytics banned in Italy

The Italian data protection agency has banned the use of Google Analytics on Italian websites. Italy has now become the third country to ban the use of Google Analytics after Austria and France.

Opera launches no-log VPN

Following in Mozilla’s footsteps, Opera Software has launched a VPN service for its users. Opera says the new VPN Pro service is complementary to its Free VPN offering, which the company has been providing to its browser users for half a decade. However, unlike its Free VPN service, which works more like a proxy, Opera says this new service is actually a “no-log” VPN with “3000+ private network servers in over 30 locations around the world.” Furthermore, VPN Pro will also be provided as a separate app and provide device-wide VPN connections and not only for the Opera browser’s traffic.

Supreme Court ruling bot activity

The US Supreme Court’s controversial ruling that rolled back Woe-vs-Wade abortion rights protections for US women has spurred a spike in bot and inauthentic activity on Twitter. According to Christopher Bouzy of BotSentinel, inauthentic accounts are trying to convince people angry about the decision not to vote in the upcoming US midterm elections.

⚠️We are observing inauthentic accounts replying to people angry about Roe v. Wade and trying to dissuade them from voting in November. These accounts use messaging like:

"Why bother voting now?"
"All is already lost."
"Voting won't change anything."

Stay alert. pic.twitter.com/MyddXLWmCP

— Christopher Bouzy (@cbouzy) June 24, 2022

Foreign influence actors are very likely to use todays abortion decision to amplify the emotions we all feel on both sides of this issue. Russia is more likely to covertly further the divide between Americans on this issue. China is more likely to amplify how F’d the US govt is.

— Charity Wright 雷倩 (@CharityW4CTI) June 24, 2022

More cash for CISA

US officials voted on Friday in favor of a $2.9 billion budget for the Cybersecurity and Infrastructure Security Agency (CISA). The amount allocated for CISA is $417 million more than the Biden administration requested for the DHS cyber wing, The Record reported.

New Air Force cyber chief

The Senate on Thursday confirmed Air Force Maj. Gen. Kevin Kennedy, the current US Cyber Command director of operations, as the new head of the US Air Force’s information warfare branch, the 16th Air Force (Air Forces Cyber).

Russia’s IT balkanization continues

Russian government agencies are ditching foreign video conferencing software, such as Zoom, Webex, and WhatsApp, in favor of Russian-made video conferencing tools from VK and TrueConf, Kommersant reported last week. The move comes after Russian government agencies also abandoned foreign IM apps earlier this month as well, also in favor of local alternatives.

Mitel zero-day

Crowdstrike said in a report on Friday that it observed threat actors using a zero-day in Mitel MiVoice VOIP appliances as a way to gain initial access inside corporate networks for supposed ransomware attacks. The company said it reported the vulnerability (CVE-2022-29499) to Mitel, which released patches here.

https://twitter.com/GossiTheDog/status/1540354721931841537

Malicious Python packages

Sonatype said it discovered five malicious Python packages that contained functionality to steal AWS credentials and environment variables.

Cobalt Strike update

The Cobalt Strike adversary emulation framework received an update last week with the addition of “thread stack spoofing capabilities.” This new feature allows CS tools to bypass some AVs and EDRs that rely on thread stack inspection to determine the legitimacy of a process that is calling a function or an API.

Social engineering report

Proofpoint has an interesting report out on the most common techniques that threat actors used in social engineering attacks throughout 2021. This includes holding extended conversations with victims to build trust, using existing conversation threads between colleagues, and the use of telephone calls, since victims generally tend to believe that cyber scams usually take place via web-based communication channels only.

LockBit 3.0

The operators of the LockBit ransomware have apparently launched the 3.0 version of their malware over the weekend. In addition, the group also launched a “bug bounty program” where they plan to pay for information on bugs in their encryption code, vulnerabilities in their public infrastructure, or PII data on the members of other ransomware groups.

Lockbit ransomware group announced today Lockbit 3.0 is officially released with the message: "Make Ransomware Great Again!"

Additionally, Lockbit has launched their own Bug Bounty program paying for PII on high-profile individuals, web security exploits, and more… pic.twitter.com/ByNFdWe4Ys

— vx-underground (@vxunderground) June 26, 2022

Snake Keylogger

Malware researcher Mohamed Ashraf has published a deep analysis of the Snake Keylogger, a malware strain developed in .NET. The malware includes functions to steal sensitive information from an infected device, including browser credentials, keystrokes, screenshots of a victim’s screen, and clipboard data.

API hammering

Palo Alto Networks detailed on Friday the use of “API hammering” as a sandbox evasion technique. API hammering is currently used by malware strains such as Zloader and BazarLoader.

Ransomware TTPs

Kaspersky has published a report on the TTPs of the most common eight ransomware families, including Conti/Ryuk, Pysa, Clop (TA505), Hive, Lockbit2.0, RagnarLocker, BlackByte, and BlackCat.

aspersky has published a report on the TTPs of the most common eight ransomware families

Agent Saitama

Malware researcher Mohamed Ashraf has published an analysis of APT34’s Saitama Agent, a backdoor trojan that uses DNS tunneling and a finite state machine.

Vulnerabilities get patched slower and slower

DevSecOps firm Snyk has published its yearly State of Open Source Security report, and one of the company’s main findings this year was that the time it took companies to fix vulnerabilities in FOSS projects has more than doubled from 49 days in 2018 to 110 days in 2021.

Miracle exploit

Two security researchers have published a technical write-up on a vulnerability in the Oracle Fusion middleware tracked as CVE-2022–21445 but also known as the Miracle exploit. The vulnerability allows pre-auth RCE, and the researchers said that it took Oracle roughly six months to patch the issue.

Codesys bugs

A security researcher from NSFocus has published details about 11 vulnerabilities in CODESYS v2 runtime, used in many industrial products.

Zena RCE

Phoenix Security has published a technical write-up about an XSS-to-RCE vulnerability in the Zena IT orchestration toolkit. A PoC has also been published on GitHub.

The NYTimes Analyzes China’s Surveillance State Plans

The NYTimes spent a year going through over 100,000 government bidding documents, and they’ve constructed a clear vision of what the government is trying to build. The plans include the combined use of cameras, DNA databases, mobile phone access, and microphones to match people’s race, ethnicities, voiceprints, clothing, vehicles, friends, social contacts, etc.—to make most public places into capture zones where they can identify and track people in multiple dimensions. Now add that to the various social credit system plans and you have tremendous leverage over the population. The only upside I see here is that these plans are so draconian, and so transparent, that it could cause many of the most talented to leave the country, and the rest of the world to ostracise China’s government. Hopefully that happens before China fully builds and implements this stuff, and starts exporting it to other would-be authoritarian regimes.

BEC Attackers Starting to Impersonate Third-party Vendors

Abnormal Security says BEC attackers are more frequently switching tactics to impersonating third-party vendors and suppliers. This is a switch from mostly impersonating internal executives and other VIPs. They say third-party impersonation made up over half of attacks in May of 2022.

Attacker Selling Access to Networks via Atlassian Vuln

An attacker is selling access to 50 different networks that he got access to via the recent Atlassian Confluence vulnerability. The actor said they were also selling access to 10,000 additional hosts that were compromised using the flaw.

Chinese Attackers Using Ransomware to Hide Espionage

SecureWorks says Chinese attackers are more frequently using ransomware to make it appear they’re lower-level attackers going after financial gain, when their real goals are likely intellectual property. They estimated that 75% of the targets they looked at are likely interesting to China based on their location and business verticals, e.g., pharmaceutials.

2 New Cybersecurity Bills Signed Into Law

The Biden administration signed two new bills into law. The first removes red tape that will allow federal workers to share knowledge with multiple agencies. The second improves coordination between DHS and state and local governments.

CISA’s Cloud Security Technical Reference Architecture

CISA has released its Cloud Security Technical Reference Architecture, which clarifies considerations for shared services, cloud migration, and cloud security posture management as it fulfills a key mandate in delivering on Executive Order 14028, Improving the Nation’s Cybersecurity.

Automatic CAPTCHA With iOS

iOS 16 is looking to solve some of the annoyance of CAPTCHAs by transparently proving to the website that you are a real person. Yes, please. This is also within the theme of “passwordless” with its FIDO2 support of WebAuthN. I love all of it. Super happy to see the mobile phone take more of a dominant role in proving things about ourselves. I mean they know if we’re logged in with our finger or face, right? So why couldn’t they securely pass that on to a given website?

U.S. abortion ruling reversal sparks calls for privacy laws

This week saw the U.S. Supreme Court overturn Roe v. Wade, ending guarantees that protect a person’s constitutional right to have an abortion. The ramifications are huge — economically, socially, medically, and in terms of human rights alone — for over a hundred million people living in the United States. That’s made the need for a privacy law more urgent; the U.S. is left far behind most other Western democracies, since there are reasonable fears that data — including from period trackers — can be now used as evidence against people. Tech companies have been left scrambling to figure out what the overturning of Wade means for their employees, which matters because in the U.S. healthcare is tied (inexplicably) to employment, though much of Big Tech has remained largely silent about the ruling itself (even Apple, which says “Privacy is a fundamental human right,” has said nothing.) And now there’s renewed focus on what data tech companies collect, especially in light of @motherboard’s reporting into the sale of location data that can identify people seeking abortions. As EFF’s director of cybersecurity @evacide notes, if companies don’t want their data turned into dragnets, “Don’t have it for sale. Don’t have it when a subpoena arrives.”

Russian hackers targeting U.S. and other Ukraine allies

A report by Microsoft out this week revealed Russian state-backed hackers have attempted to infiltrate networks of more than 100 organizations in the U.S. and 42 other countries allied with Ukraine since Russia invaded in February. The list of targets includes foreign ministries of NATO states but also think tanks, IT groups and energy suppliers. Worse, the hackers successfully broke in about 30% of the time, with data stolen in one-in-four successful intrusions. Estonia was an exception — Microsoft detected “no Russian cyber intrusions” since the start of the war, largely because of its heavy reliance on cloud computing.

Twitter apologizes for abusing user security information after $150M FTC settlement

If you saw a notice on Twitter this week about Twitter’s “use of your personal information for tailored advertising,” it’s thanks to an FTC settlement to the tune of $150 million, after Twitter was caught using information submitted by users for setting up two-factor authentication — email addresses and phone numbers — for targeted advertising. Twitter ceased the practice, and this week apologized in a blog post.

Google warns Hermit spyware is targeting iOS and Android users

An update on the recently discovered commercial-grade spyware by researchers at Lookout, dubbed Hermit, which I mentioned last week. Google has now confirmed Lookout’s findings — which were largely focused on Android. Google has also found an iOS version of the spyware, which packs in six exploits, including two zero-days. Google said that it’s notifying Android users who were targeted by the Hermit spyware, which is believed to be used by governments, and has been deployed in Kazakhstan and Italy. It’s a reminder that NSO isn’t the only spyware maker out there. Google said it’s tracking at least 30 vendors with “varying levels of sophistication and public exposure selling exploits or surveillance capabilities to government-backed actors.”

Mega says it can’t decrypt your files, a new exploit shows otherwise

Mega has long been billed as an end-to-end encrypted cloud storage provider, which claims that it can’t decrypt the data that it stores. But a new proof-of-concept exploit shows that claim isn’t exactly true. According to new research, “Mega uses to encrypt files is riddled with fundamental cryptography flaws that make it trivial for anyone with control of the platform to perform a full key recovery attack on users once they have logged in a sufficient number of times.” Mega says it’s fixed the security vulnerabilities.

Researcher hacks into backend for network of smart Jacuzzis

A security researcher found a network of thousands of smart Jacuzzis connected to the internet via an admin panel that was leaking user data, albeit briefly, including owner’s names and email addresses. A second admin panel was also discovered after a teardown of the Android app. It took the Jacuzzi-maker more than six months to fix. Gizmodo has more, and some choice words from @dcuthbert on Jacuzzi’s poor response.

Strava app flaw revealed runs of Israeli officials at secret bases

A security flaw in the fitness app Strava allowed a disinformation watchdog to identify and track security personnel working at secretive bases in Israel. By uploading fake running “segments,” a user could learn the identities and past routes of others who were active in that particular area, even with the strongest privacy protections on their accounts. Case in point, some 100 individuals who exercised at six secretive Israeli bases were visible. Haaretz ($) has the original report. These latest findings come years after similar security research found that Strava’s heatmaps could identify secret bases and sensitive military installations.

Are you a bot? Not with a PAT

A new feature in iOS 16 and macOS Ventura (out later this year) will allow Apple device owners to bypass CAPTCHAs by automatically telling apps and websites that you’re not a bot. Apple is partnering with two content delivery networks, Fastly and Cloudflare. The feature uses private access tokens — or PATs — which automatically work with any app or website that’s on Fastly and Cloudflare’s network — which is a lot of them. PATs are cross-platform, as Google, Apple, Cloudflare and Fastly all have contributed to developing this protocol. But so far, no love for Android users. Fastly’s blog post is here.

Delivery firm Yodel quiet over cyberattack

Yodel, one of the U.K.’s most widely used parcel delivery services, has been down for days, reports Bleeping Computer, after a reported “cyber incident.” No word from the company yet — ironic, for a company with that name — but later published a brief statement warning that its order tracking is unavailable and parcels “may arrive later than expected.” Not a good look for a company critical to the U.K. supply chain.

$100M looted after crypto weak-link exploited

An unknown hacker has exploited a vulnerability in U.S. crypto firm Harmony’s Horizon Bridge to steal $100 million in Ethereum. Crypto bridges allow users to send cryptocurrency and assets from one blockchain to the other, but are a weak link since they are rarely audited and often built in secrecy. Harmony identified the alleged hacker in a tweet. But Harmony hasn’t said exactly how the breach happened. But one investor warned of a potentially massive security flaw weeks earlier, identifying how the Horizon bridge hinged on a multi-signature wallet, which requires just two signatures to take the goods inside. In short, crypto startups need to be more transparent about how technology is built and who audits it.

US DoE’s National Cyber-Informed Engineering Strategy

The US Department of Energy (DOE) has released its Cyber-Informed Engineering (CIE) Strategy. DoE’s publication notes that “CIE is an emerging method to integrate cybersecurity considerations into the conception, design, development, and operation of any physical system that has digital connectivity, monitoring, or control. CIE approaches use design decisions and engineering controls to mitigate or even eliminate avenues for cyber-enabled attack, or reduce the consequences when an attack occurs.” DoE’s CIE Strategy is supported by five pillars: awareness, education, development, current infrastructure, and future infrastructure.

Note

I’m not a big fan of the term “Cyber Informed Engineering” as it implies there is still some need for engineering that is NOT “cyber-informed.” The strategy is basically well known and proven “build security in” or “secure by design” concepts that should be integrated into all energy system operational, upgrade, and new system efforts. Given that the world’s energy systems will change quite a bit over the next 20 years, now is the time to do that.
This is the most hopeful thing that one has heard in this space. In most industries we know what to do; we simply lack the will to do it. The energy sector is an exception. Because of the interdependencies in the grid, securing it is more complex than simply securing all the operators in the grid. Here, we need a strategic approach that goes across enterprises.
This sprang from the 2019 National Defense Authorization Act for Fiscal Year 2020 which directed DOE to create this CIE strategy. Part of the idea is to engineer a system which is resistant to further attack once penetrated. The CIE in practice summary explains how this should be considered. Note that while this applies to critical infrastructure, there is applicability to important IT systems. Ask if system A is compromised, what could then be reached easily and how you could slow or stop the effectiveness of that lateral movement.

US, UK, New Zealand: Make Sure PowerShell is Securely Configured

Cybersecurity authorities in the UK, the US, and New Zealand have jointly released guidance urging organizations to ensure that they are using secure configurations of PowerShell, and recommending against disabling or removing the command-line tool. The guidance offers specific advice for using PowerShell to detect and reduce abuse.

Note

PowerShell has gotten a bit of a bad reputation. Many attackers use it to their advantage after they gain access to a system. But there are also many defensive opportunities, and this concise document does a great job in not only outlining how to restrict PowerShell but also showing how to detect malicious uses.
PowerShell 5 should be removed in favor of version 7 for windows 10/11 and Linux which adds needed security features such as SSH remoting and over-the-shoulder transcription. Leverage the AMSI integration as well as application control to enabler integration with anti-malware components on the endpoint and to restrict what PowerShell is permitted to do. Review the Defense document below for more on detection and properly securing PowerShell.
This is an excellent resource and one I encourage all cybersecurity professionals to read and implement. In many investigations we investigate we see PowerShell being abused by criminals.

Multiple Vulnerabilities in Operational Technology Devices

Researchers from Forescout’s Vedere Labs have published a report detailing 56 vulnerabilities affecting operational technology (OT) devices. The vulnerabilities affect products from 10 vendors, including Honeywell, Emerson, Motorola, Siemens, JTEKT, Bentley Nevada, Phoenix Contact, Omron, and Yogogawa. The vulnerabilities include remote code execution (RCE); denial-of-service (DoS); file/firmware/configuration manipulation; compromise of credentials; and authentication bypass.

Note

The sad part is not the number of the vulnerabilities, but the type of vulnerabilities. It shows how many of these OT devices controlling critical infrastructure suffer from vulnerabilities that home security systems fixed (for the most part) years ago.
Operational Technology (OT) covers an enormous range of devices and uses. The only real common denominator is they all started out without thinking at all about “build security in” or “secure by design.” The only hope of changing that is making sure those requirements/concepts are part of procurements of new equipment – any OT items in use today have to be segmented/shielded etc.
The guidance from Forescout, resulting from their OT:ICEFALL project, is to not wait for CVEs for your OT prior to taking actions to secure them. They have manufacturer-specific recommendations and segmentation, monitoring, patching, and identification of vulnerabilities are a good idea across the board. Make sure that your scanning and assessment teams know how to interact with OT/ICS systems without doing harm.

Malware Infects Networks at Two Texas Hospitals

Two Texas hospitals have notified patients that their personal health information (PHI) may have been compromised after the organizations’ networks were infected with malware. Baptist Medical Center and Resolute Health Hospital learned of the breach in April. The potentially compromised data include Social Security numbers, health insurance information, diagnoses, and billing information.

Note

Looks like attackers had over 3 weeks on target, including 4 days after the malware was first detected. Not a lot of data on this one, but looks like 1.2M individuals impacted, so this is an expensive one – just the costs of offering identity theft protection are likely to exceed the proactive cost that would have avoided or minimized the damage.
We’ve been noting the security of health devices, and focusing on segmentation, access control and updates; don’t forget the back-end systems. Ensure sufficient protections are in place not only from medical systems but also any public facing system. You say you have your IDS and WAF all set – have you verified they work? Nothing in learning mode? That someone is responding to configured alerts?

Cloudflare Outage Due to Network Configuration Issue

An outage affecting traffic in 19 Cloudflare data centers on Tuesday, June 21, was the result of a problematic network configuration change. The outage caused some websites and services to become unavailable. The issue was resolved within 90 minutes.

Note

It is becoming a buzzword to call information/cybersecurity “resiliency,” but this incident is an important reminder that security is really a subset of overall reliability/resilience. While Availability has been part of the Confidentiality/Integrity/Availability triad forever, security issues generally aren’t the top driver of downtime in most organizations. Important to plan for how IT admin code changes that crash systems or network admin config changes that cause self-inflicted denial of service storms impact your ability to continue to deliver security services.
Even the best of us get bit by BGP changes. Cloudflare is working to make their architecture more robust and less susceptible to network configuration errors. In so doing the configuration updates to that model resulted in the same outages they wish to avoid. When successful their architecture and lessons learned can be leveraged to help others become more resistant to these issues.

CISA Publishes Revised Version of Cloud Security Technical Reference Architecture

The US Cybersecurity and Infrastructure Security Agency (CISA) has released the second version of its Cloud Security Technical Reference Architecture (TRA), which provides guidance for federal agencies to securely migrate to cloud services. The first version of the Cloud Security TRA was published in September 2021.

Note

With many organisations engaging with the cloud over the past two years as a result of the pandemic, this is a good resource to use to review and ensure any migrations to the cloud your organization has undertaken is done so in a secure way.

New US Cybersecurity Laws

Two US cybersecurity-related bills have been signed into law. The Federal Rotational Cyber Workforce Program Act of 2021 paves the way for IT, cybersecurity, and related workers to use their skills across multiple agencies. The Local Government Cybersecurity Act “fosters cybersecurity coordination between the Department of Homeland Security and state and local actors.”

Note

This should make it easier to work cross-agency, and while DHS and CISA have the charter and authority, this removes many barriers to success.

Cyberattack May Have Set Off Israeli Air Raid Sirens

The Israeli National Cyber Directorate (INCD) suspects that a cyberattack may be responsible for air raid sirens sounding in Jerusalem and Eilat on Sunday, June 19. The affected sirens were municipal rather than military. INCD published suggested remediations for similar systems.

Note

While this is likely just Iran poking at Israel as part of their ongoing disputes, it’s still a good idea to make sure that you have properly secured your emergency communication systems, that access is regularly verified, to include new integrations or connections to ensure the level of security is not reduced over time. Excessive false positives, or even too much testing, will reduce their effectiveness in a true emergency.

CISA Warns of Hillrom Medical Device Vulnerabilities

The US Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning about two vulnerabilities affecting Hillrom Medical heart monitors. Hillrom is releasing updates to fix the hard-coded password and improper access control issues.

Note

Hillrom is releasing more than one patch. Note the timelines for the fixes, some due in late 2023.

Bill Would Require Regular Medical Device Security Requirement Updates from FDA

US legislators are considering a bill that would require the Food and Drug Administration (FDA) to update medical device cybersecurity requirements regularly. The Strengthening Cybersecurity for Medical Devices Act would require the FDA to review and amend premarket medical device cybersecurity guidance every two years.

Guilty Verdict in 2019 Capital One Breach

Former Amazon software engineer Paige Thompson has been found guilty of wire fraud and computer intrusion in connection with the 2019 Capital One breach. The incident resulted in the theft of payment card application data belonging to 100 million individuals. Thompson scanned for misconfigured AWS accounts and stole data from at least 30 organizations.

Note

The key quote is “According to the US Attorney’s office, Thompson used a tool to scan AWS accounts in search of misconfigurations.” If Capital One, and the other 29 vulnerable AWS users Thompson found with vulnerabilities, had run that tool first, damage would have been avoided. Even better would be cloud service providers routinely scanning and notifying their customers of vulnerable configurations. Amazon, Google and Microsoft seem very good at targeting advertising (for free) to *potential* cloud service customers – seems like a no-brainer for them to be able to do targeted alerts (for free) to existing customers.

WordPress Ninja Forms Vulnerability Fixed

A critical code injection vulnerability in the Ninja Forms WordPress plug-in can be exploited to execute arbitrary code or delete arbitrary files. The plug-in has more than one million active installations. The flaw has been fixed in Ninja Forms versions 3.0.34.2, 3.1.10, 3.2.28, 3.3.21.4, 3.4.34.2, 3.5.8.4, and 3.6.11.

Note

Do not patch this plugin. Uninstall it, and while you are at it either uninstall as many of these plugins as you can or move your WordPress site to a hosted/managed solution.
(This is me, not repeating my usual caution about WordPress plugins.)

Flagstar Bank Discloses Data Breach

Michigan-based Flagstar Bank has disclosed that a cyberattack against its network led to the compromise of personal information belonging to 1.5 million of its customers. Flagstar’s corporate network was breached in December 2021; the bank learned that customer data were exposed on June 2, 2022. Flagstar experienced a previous cyberattack; it was the victim of ransomware in January 2021.

Note

This is a very good cautionary tale to use with your management: in January 2021, Flagstar had a vulnerable Accellion server get exploited in a ransomware attack, customer information was exposed and Flagstar “…engaged a team of third-party forensic experts to investigate and determine the full scope of this incident.” Any expert engagement should have included recommendations to deal with overall security gaps, not just the Accellion issue. If that was acted on, Flagstar should have at least been much faster to detect this latest compromise – they state the attackers had 4-6 months on target (Date(s) Breach Occurred: 12/03-04/2021, Date Breach Discovered: 06/02/2022) – that is a bad metric for a small business, unacceptable for a bank as large as Flagstar that had over $500M in profits in 2021. Cost to avoid the second breach would have been a small fraction of that profit and likely would have been less than the direct costs Flagstar will see from this latest incident.

Proposed Legislation in US Senate Would Ban Sale of Health and Location Data

A bill introduced in the US Senate would prohibit data miners from selling location and health data. The Health and Location Data Protection Act would also require the Federal Trade Commission (FTC) to establish rules for implementing the law within 180 days of the bill’s passage.

Note

The real news here is that the sale of health and location data is a business in the first place. There are many legitimate reasons why applications collect health and location data, but selling the data shouldn’t be one of them.
Even politically neutral national data privacy legislation almost never gets passed by US legislators. The broader data privacy legislation that has been proposed should cover Personal Health Information, vs. have individual data types of privacy-sensitive information have different laws.

International Effort Disrupts Russian Botnet

The US Department of Justice (DoJ) and law enforcement agencies in the Netherlands, Germany, and the UK, have dismantled the infrastructure of a Russian botnet. The botnet, known as RSOCKS, comprised millions of devices around the world, including Internet of Things (IoT) devices, Android devices, and other computers. The botnet was operating as a proxy service, but was offering IP addresses from devices it had compromised rather than legitimately obtained IP addresses.

Rapid7 Report: Types of Data Most Often Targeted by Ransomware Operators

According to a report from Rapid7, ransomware operators seem to prefer certain types of data over others. According to the report, financial sector organizations more likely to experience ransomware attacks than organizations in other sectors. Ransomware operators target sensitive customer data, employees’ personally identifiable information (PII), and human resources data.

Note

Since protecting all data to the same level is either ineffective or inefficient, this information can be useful.

BRATA Malware Gains New Features

The BRATA banking trojan has recently added several new features to its capabilities. Analysts from Italian security company Cleafy have detected changes in the ways BRATA, which is an acronym for Brazilian Remote Access Tool Android, conducts its attacks. According to Cleafy, “the [malware’s] modus operandi now fits into an Advanced Persistent Threat (APT) activity pattern.” BRATA threat actors have begun to launch more narrowly targeted attacks, focusing on one financial institution at a time. It also uses new methods of obtaining permissions to access location data, and to send and receive SMS.

Vulnerability in Cisco Small Business Routers

Cisco will not release updates to address a flaw affecting several models of its small business routers because the devices “have entered the end-of-life process.” The vulnerability could be exploited to allow remote code execution or to create denial-of-service conditions. According to a Cisco security advisory, the “vulnerability is due to insufficient user input validation of incoming HTTP packets.” Users are urged to migrate to newer routers.

Note

One can usually replace these routers for less than the cost of the time to repair, were a patch even available.

Siemens Fixes Flaws in SINEC Network Management System

Researchers from Claroty’s Team82 found more than a dozen vulnerabilities in Siemens SINEC network management system (NMS). The flaws leave vulnerable systems open to denial-of-service attacks, credential leaks, and remote code execution. Siemens released an update that address the vulnerabilities in October 2021.

Google TAG says it tracks 30 surveillance vendors

There are three tech companies today that have a unique and comprehensive view of people’s online lives. These are Apple, Google, and Microsoft, all of which are behind today’s top operating systems, as well as some of the Internet’s most popular online services.

For Google, the signals it acquires from Gmail, Drive, Chrome, and Android allow the company remarkable insight into today’s threat landscape. For example, Google can see what types of threats are hitting your Android devices and your email inbox, even if those threats target other operating systems where Google doesn’t have great visibility into.

Over the years, Google has dedicated significant efforts and funds to boosting its security teams to take advantage of this unique position, and, once in a while, the company makes a statement that reveals the scope of a particular problem or topic.

One of those days was yesterday. In a blog post on Thursday, the Google Threat Analysis Group (TAG), the Google security team that tracks advanced threats, revealed that they are aware of and currently tracking more than 30 organizations selling surveillance capabilities to government-backed threat actors.

This quite large number highlights that while the public’s attention has been captured by a few vendors like Hacking Team, Gamma Group, NSO Group, and Candiru, there are far more entities that engage in similar operations in an industry that has been loosely regulated over the past decade.

The latest Google TAG report adds new information about RCS Lab, an Italian company that used to be a reseller for the old HackingTeam, but has now moved into creating and selling its own tools.

The company was at the center of a first report last week when mobile security firm Lookout published an analysis of Hermit, a piece of Android malware packed with different exploits, which Lookout said it initially found being deployed in Kazahstan in April this year. Further sleuthing also found the same malware being deployed in Syria, and in Italy, in both 2019 and 2021, as part of law enforcement anti-corruption investigations, according to documents released by the Italian government.

Google TAG’s report effectively confirms Lookout’s findings and adds more depth, especially on the Hermit’s malware use inside Italy, where Google said that the entity which deployed the malware appears to have worked with local ISPs to disable the target’s mobile connection before sending an SMS message telling the victim to install an ISP-themed mobile app to restore their connection.

Furthermore, Google also confirmed that RCS Lab also has iOS exploits in their arsenal, namely CVE-2021-30983 (aka Clicked2), which Google’s Project Zero team analyzed in a different blog post here, and which Apple patched last December. But this was just one of the six iOS exploits RCS Labs had packed into the malicious iOS app.

Now, Google says that while everyone has been fixated on taking down NSO Group, other vendors have been slowly growing in the Israeli company’s shadow.

“[T]he commercial spyware industry is thriving and growing at a significant rate,” Google TAG’s Benoit Sevens and Clement Lecigne said. “This trend should be concerning to all Internet users. ”

These vendors are enabling the proliferation of dangerous hacking tools and arming governments that would not be able to develop these capabilities in-house. While use of surveillance technologies may be legal under national or international laws, they are often found to be used by governments for purposes antithetical to democratic values: targeting dissidents, journalists, human rights workers and opposition party politicians.

Aside from these concerns, there are other reasons why this industry presents a risk to the Internet. While vulnerability research is an important contributor to online safety when that research is used to improve the security of products, vendors stockpiling zero-day vulnerabilities in secret poses a severe risk to the Internet especially if the vendor gets compromised. This has happened to multiple spyware vendors over the past ten years, raising the specter that their stockpiles can be released publicly without warning.

Carnival Cruise settlement

US cruise line Carnival Cruise has agreed to pay $1.25 million in a multi-state settlement over its 2019 data breach. The money will be divided between 46 states and residents impacted by the incident. Read more:

CS:GO skin heist

A hacker has stolen more than $2 million worth of Counter-Strike: Global Offensive skins from a collector’s private Steam inventory, including seven rare and highly-prized AWP Dragon Lore skins, considered some of the most expensive skins that CS:GO players can own. The hack is currently considered the largest theft in the game’s history. Read more: Hacker steals $2 million in CS:GO skins

$2,000,000+ in CS:GO skins have been hacked and stolen (some items getting moved/sold as we speak)

this is the most expensive inventory all-time, containing the most legendary items in CS:GO history (7x souvenir dragon lores, no-star karambit, #1 blue gems)@CSGO @Steam pic.twitter.com/d80miZorNh

— ohnePixel (@ohnePixel) June 21, 2022

New Instagram feature

Meta announced on Thursday that they are testing a new way for users to verify their age on the platform. “If someone attempts to edit their date of birth on Instagram from under the age of 18 to 18 or over, we’ll require them to verify their age using one of three options: upload their ID, record a video selfie or ask mutual friends to verify their age,” the company said. Read more: Introducing New Ways to Verify Age on Instagram

Chrome 103 is out

Google has released v103 of its Chrome web browser this week. While the usual security fixes and dev/API-related changes shipped with this release, there were also loads of new features that went live for the Chrome for iOS release. Among the most important new feature was the news that Google’s Enhanced Safe Browsing feature is now available for iPhone users, something that has been available for all the other Chrome users since last year.

7-Zip now supports MotW

7-Zip v22, released last week, supports Mark-of-the-Web, a Windows security feature that has been long requested by security firms and antivirus makers. 7-Zip now becomes the fifth major file archiving software on Windows to support this feature, after WinRAR, WinZip, Eplzh, and Bandizip. Read more: 7-zip now supports Windows ‘Mark-of-the-Web’ security feature

NSA and allies on PowerShell

Cybersecurity authorities from the US, the UK, and New Zealand have released a joint security advisory on the proper configuration and monitoring of PowerShell on Windows systems. A surprise to many, the three agencies didn’t universally recommend removing or disabling PowerShell entirely, as there are benefits to having it enabled on a local network. The US NSA, the UK NCSC, and the NZ GCSB said that their recommendations “will help defenders detect and prevent abuse by malicious cyber actors, while enabling legitimate use by administrators and defenders.” Read more: NSA, Partners Recommend Properly Configuring, Monitoring PowerShell in New Report

CISA wants a cybersecurity hotline

Members of the CISA Cybersecurity Advisory Committee proposed the creation of an emergency “311” cybersecurity call line for incidents affecting small and medium-sized businesses, The Record reported on Wednesday. The idea has received positive feedback and approval on social media, although there is a fear the hotline will turn into a tech support line if not implemented correctly. Details about how this will work are still unclear, though. Read more: CISA experts propose ‘311’ cybersecurity emergency call line for small businesses

Long CISA onboarding

The same CISA Cybersecurity Advisory Committee also recommended that the agency cut its onboarding process for new employees from the current 198 days to 90 days, Federal News Network reported. “The process is lengthy and difficult to navigate both internally and externally, and therefore places CISA at a tremendous disadvantage relative to private sector employers for this critical and highly sought-after talent pool,” the report [PDF] states. Read more: CISA advisors recommend agency cut onboarding time to 90 days

US spy agencies prepared to loosen hiring rules

US intelligence agencies will soon be given the green light to hire IT experts that have smoked or consumed marijuana products in the past, something that has been prohibited until now, the WSJ reported. The measure, approved unanimously by the Senate Intelligence Committee on Wednesday, comes as the CIA, NSA, and other cybersecurity agencies have been struggling to find IT talent as many are disqualified out of the blocks because they consumed marijuana in previous months or in previous stages of their life. As marijuana has become legal in 19 US states and the District of Columbia, this new loosened hiring policy was a long time coming, although active marijuana consumption during government employment is still prohibited. Read more: U.S. Spy Agencies Could Hire Former Marijuana Users Under Senate Bill

US bill on privacy and data transfers

A bipartisan group of US senators has proposed a new bill this week that would ban the sale or transfer of private information belonging to US citizens to foreign countries considered a national security risk, such as China or Russia. The new bill is named the Protecting Americans’ Data from Foreign Surveillance Act and was sponsored by Senator Ron Wyden (D-Ore), Senator Cynthia Lummis (R-Wyo), Senator Sheldon Whitehouse (D-RI), Senator Marco Rubio (R-Fla), and Senator Bill Hagerty (R-Tenn). Read more: Wyden, Lummis, Whitehouse, Rubio and Hagerty Introduce Bipartisan Legislation to Protect Americans’ Private Data from Hostile Foreign Governments

Lithuania DDoS alert

The Lithuanian National Cyber Security Center has issued an alert about an increase in DDoS attacks targeting local websites. According to the agency, most of the DDoS attacks are directed against public authorities, transport, and financial sectors, and the attacks have caused temporary disruptions to services. The attacks came as pro-Russian hacktivist groups announced plans to launch DDoS attacks against Lithuanian websites after the country said it wouldn’t allow trains carrying Russian sanctioned goods to pass through its territory to Russia’s Kaliningrad enclave. Read more: NKSC fiksuoja išaugusį paslaugų trikdymo kibernetinių atakų skaičių Lietuvoje

Other LT🇱🇹 targets by another group
Spotted first by @Cyberknow20
Source
↘️https://t.co/FlHAcIGsnM pic.twitter.com/2pwmB849av

— SwitHak (👁) (@SwitHak) June 21, 2022

Conti infrastructure goes down

After news that the Conti gang was preparing to disband into smaller operations last month, Conti infrastructure has finally gone down for good, confirming earlier reporting.

🌐 After 28 days without any new victims, most of Conti #Ransomware infrastructure is down 🚨

This is the end? or a new start? 🧐#Conti pic.twitter.com/29qJzKgmsh

— DarkFeed (@ido_cohen2) June 22, 2022

Vulnerabilities used by ransomware gangs

Tenable has a report out on the ransomware ecosystem. The report includes a list of 78 vulnerabilities exploited by ransomware groups for their attacks. Read more: A LOOK INSIDE THE RANSOMWARE ECOSYSTEM

Search Marquis

Broadcom’s Symantec team is reporting a rise in instances of Search Marquis, a browser hijacking malware strain that targets macOS users.

Safari is often hijacked by Search Marquis, so when one clicks on a hot link in an email message it does not go to that linked url page, but to a blank Search Marquis search box. Hard to get rid of too.

— kppotatoes (@kppotatoes) June 15, 2022

VMWare warning

CISA and the US Coast Guard Cyber Command said in an advisory on Thursday that VMWare Horizon and VMWare Unified Access Gateway (UAG) are still being actively attacked using the old Log4Shell vulnerability disclosed last year. CISA said attacks had been spotted from cybercrime and state-backed groups alike. The warning also comes as Cisco Talos issued a similar warning earlier this week about the AvosLocker ransomware gang using Log4Shell to compromise VMWare UAG systems. Read more: Avos ransomware group expands with new attack arsenal

Scalping bots hit Israeli government sites

In a report on Thursday, security firm Akamai said that it detected several scalping bots targeting MyVisit, the appointment scheduling platform used by many Israeli government offices. Akamai says that these bots have been filling government appointment slots at various agencies and then reselling the slots on the dark market for a profit, with some slots going as much as $100. Read more: Bots Are Scalping Israeli Government Services

RSocks gang

Brian Krebs has published an exposé on the people running the RSocks rent-a-proxy service, seized by the FBI and US DOJ earlier this week. Read more: Meet the Administrators of the RSOCKS Proxy Botnet

Conti report

Group-IB has a report on the activities of the Conti ransomware cartel based on their leaked chats. The research dives deep into the history and major milestones of one of the most aggressive and organized ransomware operations, which, according to Group-IB, has hit at least 850 organizations across the world. Read more: The Conti Enterprise: ransomware gang that published data belonging to 850 companies

SUAVEEYEFUL

Greek security researcher Anastasios Pingios has published an analysis of SUAVEEYEFUL, a CGI software implant for FreeBSD and Linux. The malware was developed by the Equation Group (believed to be the US NSA) and was used to spy on the email traffic of the Chinese MFA and the Japanese Waseda Research University in the early 2000s. The implant’s existence was revealed during the ShadowBrokers leak in 2017. The leaked version targeted MiraPoint email products specifically. Read more: The forgotten SUAVEEYEFUL FreeBSD software implant of the EQUATION GROUP

Chinese APT

Check Point has published a report on a Chinese APT, which they believe has possible ties to the Tropic Trooper (KeyBoy) threat actor. The CP report focuses on the group’s new malware strain, named Nimbda, a malware loader coded in the Nim programming language, as well as a new variant of the Yahoyah trojan, focused on collecting information about local wireless networks. Read more: Chinese actor takes aim, armed with Nim Language and Bizarro AES

Calisto

Sekoia has a report out on Calisto—the Russian threat actor that Google TAG tracks as Cold River—and which has been targeting Western NGOs, think tanks, and the defense sector. Sekoia reports on this group’s use of Evilginx, a tool that allows it to set up reverse proxies on phishing pages to intercept authentication cookies and bypass 2FA. Read more:

Russia’s cyber operations

Microsoft has published an updated version of its report [PDF] describing Russia’s cyber operations since its invasion of Ukraine. The report—an update to a previous version released in April—details destructive cyberattacks within Ukraine, network penetration and espionage outside Ukraine, and cyber influence operations targeting people around the world.

Russian government agencies linked by Microsoft to influence operations pic.twitter.com/ioMzEicQxH

— Catalin Cimpanu (@campuscodi) June 22, 2022

MEGA-awry

The MEGA file-sharing service has released fixes this week for a set of vulnerabilities that could have allowed threat actors to decrypt customer files. The issues, named MEGA-awry, wer discovered by academics from ETH Zurich and is a bug in the company’s implementation of the AES-ECB encryption cipher, which MEGA uses to encrypt customer files before syncing them to its servers. In a blog post on Wednesday, MEGA said it was not aware of any user accounts being compromised by this attack. Read more: MEGA Security Update

Chain-bench

Cloud security firm Aqua Security has open-sourced a supply chain auditing tool named Chain-bench. Read more: Aqua Security Ships Open Source Tool for Auditing Software Supply Chain

Ukraine DDoS protection

Radware has announced that it will provide pro-bono DDoS mitigation services to the Ukrainian government. Read more: Ukraine’s State Service of Special Communications and Information Protection Selects Radware for Cloud and Application Security Services

FLOSS v2.0

Mandiant has released v2 of FLOSS, a tool the company’s analysts have used to deobfuscate strings found inside malware binaries.

Millions Of Secrets Exposed Via Web Application Frontend

RedHunt Labs’ Pinaki describes a study they did scanning the Alexa Top 1M and 500M using a tool (HTTPLoot) that looks for secrets in HTML and client-side JavaScript, and can automatically crawl a site, fill out forms, and try to trigger error/debug pages, which can often leak secrets as well.

They found ~1.2M secrets: Stripe, reCAPTCHA, Google Cloud, AWS, Google OAuth, Facebook, and more.

US TikTok User Data Has Been Repeatedly Accessed From China, Leaked Audio Shows

In addition to the data accessed, what about being able to control the algorithm that influences what people see? What sort of influence could this have over Americans’ commercial, cultural, or political behavior? Much I imagine.

“I feel like with these tools, there’s some backdoor to access user data in almost all of them,” said an external auditor hired to help TikTok close off Chinese access to sensitive information, like Americans’ birthdays and phone numbers.

What It Means that the U.S. Is Conducting Offensive Cyber Operations Against Russia

Gen. Paul Nakasone’s remarks this month about offensive operations against Russia caused a stir. Kim Zetter goes into what that means. Read more: What It Means that the U.S. Is Conducting Offensive Cyber Operations Against Russia

When the head of US Cyber Command said recently that US conducted offensive cyber ops to support Ukraine, many assumed he meant destructive attacks that risk pulling US into war. So I spoke w/ 2 former lawyers for the command to see what he really meanthttps://t.co/yBReGiLDpM

— Kim Zetter (@KimZetter) June 17, 2022

Cisco patches critical, high-severity vulnerabilities in Email Security Appliance, home routers

Cisco patched several significant vulnerabilities last week, including some in end-of-life routers it will not fix. One critical vulnerability exists in the Email Security Appliance, Secure Email and Web Manager software. Any virtual or hardware appliances running a vulnerable version of AsyncOS are affected by this vulnerability, potentially allowing attackers to bypass security protections in place on the machine. There is also a fix out for a high-severity issue in the same products that could allow an adversary to obtain information from an LDAP external authentication sever connected to the vulnerable appliance. Another issue, CVE-2022-20825, could allow an unauthenticated attacker to execute remote code on several models of Cisco’s RV series of routers. However, the devices have reached their end-of-life periods and the vulnerability will not be patched. Read more: Cisco Patches Critical Vulnerability in Email Security Appliance

Misc

web3rekt database launched keeping track of blockchain incidents and scams dating as far back as 2012.
Cryptocurrency crime and anti-money laundering report by CipherTrace.
Solana DeFi platform votes to control whale account via ’emergency powers’ in bid to avoid liquidation ‘chaos’.
On June 13, 2022 FSwap lost $390K in a price manipulation attack taking advantage of its fee handling logic.
On June 16, 2022 Inverse Finance lost $1.26M in a price oracle manipulation exploit. Interestingly the exploit TX was almost frontran if not for a boost from an MEV bot.
On June 18, 2022 Tether’s web infrastructure came under DDoS attack following an unsuccessful ransom demand.

1/
This morning @Tether_to received a ransom request to avoid mass DDOSes.
They tried already once.
On a normal day we have around 2k reqs/5min
The attack brought us to 8M reqs/5min. pic.twitter.com/rWEan5VNFX

— Paolo Ardoino 🍐 (@paoloardoino) June 18, 2022

OpenSea patched a critical vulnerability which could allow theft of offered WETH from users’ wallets thanks to a responsible disclosure by Gus.
OpenSea patched a vulnerability which could allow sellers to receive payments for Shared Storefront items they did not own. The vulnerability was responsibly disclosed by MevRefund.

Sharing an update on an issue (now resolved) that briefly impacted the @OpenSea Shared Storefront contract.

TL;DR: a configuration issue made it possible in some instances for sellers to accept offers on Shared Storefront items and receive payment without owning the NFT.

— 0age (@z0age) June 16, 2022

Phantom wallet and Metamask patched a vulnerability which could expose secret recovery phrase after it was responsibly disclosed by Halborn.
MetaMask Clickjacking Vulnerability Analysis by SlowMist.
Hertzbleed is a new family of side-channel attacks which may allow attackers to extract cryptographic keys from remote servers.
Darknet Diaries – EP 119: Hot Wallets on the NiceHash hack by North Korea.

Top websites have sucky password policies

A team of academics from Princeton University analyzed the password policies of today’s top 120 of the most popular English-speaking websites and found that even after years of “recommendations” from security experts, the vast majority of these sites still had ridiculously bad rules for when users had to create an account password.

The team—led by the notorious privacy advocate and Princeton professor Arvind Narayanan—focused their research on three of the most basic industry best practices for when setting up a new password:

Check user passwords against lists of leaked and easily-guessed passwords;
Provide real-time password strength meters;
Do not require specific character classes in the password’s make-up.

But while these sound like very simple requirements, they are not widely implemented. The research team said that only 15 of the 120 websites they analyzed followed these recommendations.

In fact, their findings are absolutely astounding(ly bad):

More than half (71/120) of websites do not check passwords at all, allowing 40 of the most common passwords (e.g., “12345678”, “rockyou”) to be used as account credentials, with no warning to the user that they may be at risk of account hijacking.
Only 23 of the 120 websites used password strength meters, and ten of these sites misused meters in the sense of nudging users toward specific types of characters.
In addition, 54 out of the 120 websites still require specific character classes such as digits or special characters to be included in the password, a practice that has been shown to be dangerous, as users tend to select simpler and easier to-remember passwords as a result.

The research team gives Facebook as a good example of how many of these policies appear to be cobbled together with no actual thinking behind the process and how websites are stimulating users toward using weaker passwords.

We facepalmed a lot while researching the password policies of 120 websites, but this took the cake. Facebook tells users 20-char random pw’s are weak, but “Passw0rd” is strong, because hackers could never guess that pw’s might have uppercase or digits. https://t.co/LrWQ673Gl1 pic.twitter.com/MHVycHADeo

— Arvind Narayanan (@random_walker) June 15, 2022

The researchers also looked at some of the reasons why, in 2022, so many popular websites still haven’t learned anything from the hacks from the last decade.

One of the reasons they put forward was that companies are shifting their attention to multi-factor authentication, and many websites may not care to strengthen their password policies. Another was related to auditors.

“Websites need to pass security audits, and the firms who do these audits, such as Deloitte, recommend or mandate outdated practices,” researchers said.

BeanVPN leak

Romanian-based VPN provider BeanVPN appears to have leaked 25 million records. According to CyberNews, the leaked data included details such as user device IDs, Play Service IDs, internet protocol addresses (IPs), and connection timestamps, among other diagnostic information.

StoreHub leak

Elsewhere, an Elasticsearch server owned by PoS software vendor StoreHub also leaked the personal data of thousands of customers (companies) and more than one million of their staff, according to SafetyDetectives.

Rust Foundation grants

The Rust Foundation has announced its first-ever grants; funds the Foundation will be providing to open-source developers and programs for improving the Rust programming language and its integration with other projects. In total, $650,000 were dispensed to 41 recipients, including for projects for improving Rust’s documentation, the Crates package repository, its Windows library, and others.

Problematic bill

A bill proposed by Sen. Blumenthal (D-CT) meant to force companies like Apple and Google to open their in-store payment systems to other payment options is considered too broad, as it requires the tech companies to open all their APIs, including those used for sensitive operations, like encryption and backups. Even worse, as spotted by John Hopkins Prof. Matthew Green, the bill also contains a clause that can allow US law enforcement to close certain APIs to companies or entities that may be considered a “national security threat,” which Green argues could be used to go after apps of encrypted IM solutions.

While that part is fine, there is an amendment to the bill that may allow manufacturers to close their APIs to people who are “national security, intelligence or law enforcement risks”. I’m very worried this could be used to block out encryption app developers. pic.twitter.com/7202srp5QY

— Matthew Green (@matthew_d_green) June 15, 2022

Instagram sabotage

Around 25 Iranian Instagram accounts that shared stories of sexual violence and posted about the Iranian MeToo movement this spring were flooded with subscriptions from bot profiles. The Qurium Foundation, which investigated this harassment campaign, believes the attackers were trying to get the accounts banned for boosting.

Privacy legislation

Senator Elizabeth Warren (D-Mass.) introduced a bill on Wednesday to regulate the sale of Americans’ sensitive information. The bill—named the Health and Location Data Protection Act—would prohibit the sale or transfer of information about location and health data without valid authorization.

Alexa data used for ads

A new lawsuit filed this week claims that Amazon used audio recorded through the Alexa personal assistant to target users with personalized ads, a practice Amazon has long denied.

Google fined in Russia

A Russian court has fined Google 15 million rubles (~$260,000) after the company has refused to store the data of Russian citizens on servers within the Russian Federation.

RSocks seized

US authorities seized the website and infrastructure of RSocks, an online service selling access to proxy servers all over the world. Authorities said RSocks had been built on top of a botnet of hacked computers, smartphones, and IoT devices. The botnet, supposedly operated by Russian cybercriminals, had allegedly grown from 325,000 hacked devices in 2017 to millions of devices this year, the DOJ said in a press release on Thursday.

Call center and BEC arrests

Interpol said it detained more than 2,000 suspects as part of an international crackdown against BEC scammers, online fraudsters, romance scammers, money launderers, and scammy call center operators. The arrests were part of Operation First Light 2022, and authorities said they also froze more than 4,000 bank accounts and seized more than $50 million worth of stolen funds.

Netherlands arrest

Dutch police have detained a 22-year-old from the city of IJmuiden on suspicion of being part of an online cybercrime group specialized in phishing and money laundering. The suspect had been detained at the request of Belgian authorities.

icloudripper4you sentenced

A Florida judge sentenced a 41-year-old man to nine years in federal prison for hacking into iCloud accounts of more than 4,700 users, stealing sensitive images, and then sharing and trading the data on Anon-IB, a now-defunct website famous for hosting “revenge porn.” The man, Hao Kuo Chi, 41, of California, went on the forum as “icloudripper4you” and authorities said he obtained and shared sensitive images for more than 500 of his hacked victims.

Russian hacker arrested

Russian officials have detained a man named Oleg Rusakovich on accusations of hacking into the systems of the Russian Federal Customs Services and modifying entries in the system to make sure certain goods cleared customs procedures.

Telerik attacks

Sophos has a report out on a series of attacks against Telerik UI-based apps. The final payload in these attacks has been Cobalt Strike beacons and crypto-miners.

Houdini returns

ISC SANS is reporting on new campaigns distributing Houdini, a very old remote access trojan.

Initial access prices

Kaspersky’s threat intel team has a good report on the current prices on the initial access market for access to hacked corporate and government networks.

Panchan

In a report on Wednesday, Akamai detailed Panchan, a new peer-to-peer botnet and SSH worm that emerged in March 2022 and has been actively compromising Linux servers since. The botnet is written in Go, and its main purpose appears to be cryptocurrency mining.

MaliBot

F5 says that while it was tracking FluBot, they found a new Android banking trojan named MaliBot. Current versions of the malware can carry out web injection and overlay attacks, steal MFA codes, steal authentication cookies, steal wallet data, steal SMS messages, and provide VNC access to infected devices for remote access, among many other features.

Redline Stealer

Qualys has a report out on the Redline Stealer and a recent campaign where threat actors used ZIP archives with fake cracked software to distribute the malware.

Hermit

Security firm Lookout has published a report on Hermit, a piece of “enterprise-grade Android surveillanceware” that was used to spy on Kazakh government officials. The company said the malware was developed by Italian spyware vendor RCS Lab SpA and telecommunications company Tykelab Srl, and that previous instances where Hermit was also deployed included Italy (by law enforcement) and Syria.

Indian police framed reporters

Researchers at security firm SentinelOne and nonprofits Citizen Lab and Amnesty International told Wired that they found evidence to formally link the Pune Police Department to a case where fake evidence was planted on the laptops of two Indian activists (Rona Wilson and Varvara Rao) the same department detained in 2018 on terrorism-related charges. Previous reporting on their case had found that the evidence that led to their arrest was planted on their devices, but investigators could not identify who planted the evidence. The two activists, along with 16 other suspects, are still on trial in India.

DriftingCloud

Volexity said in a report on Wednesday that it spotted a new Chinese APT using zero-day in the Sophos XG firewall earlier this year in March. Named DriftingCloud, this threat actor used the Sophos XG zero-day (CVE-2022-1040) to install web shells on the firewall, create VPN accounts for future access, and then proceeded to intercept and tamper with DNS traffic in order to redirect the victim organization’s employees to malicious servers. These servers performed MitM attacks and collected credentials and authentication cookies for other internal apps, helping the attackers escalate their access to other internal company resources.

Legal threats

A Polish security researcher said they received a legal threat from Powertek after disclosing vulnerabilities in the company’s power distribution units. The company backed down on the threat a few hours later, calling it a miscommunication around the first-ever bug report they received.

Just an update: had a phone chat with their Swiss reseller. In general it's the same old story: Reasonable people mishandling the 1st ever vulnerability disclosure due to not knowing the industry accepted standard. They are interested in upping their security game, which is great

— Gynvael Coldwind @[email protected] (@gynvael) June 13, 2022

Demonic vulnerability

Security researchers from Halborn discovered a vulnerability affecting many major cryptocurrency wallets. Named Demonic, the vulnerability takes place in situations where certain cryptocurrency wallet browser extensions accidentally store the wallet owner’s secret recovery phrase on disk, in plaintext, allowing attackers to recover it in situations where they have access to the victim’s device. Impacted wallets include MetaMask, Brave, Phantom, and xDefi. The vulnerability is tracked as CVE-2022-32969, and all the wallet makers have released fixes, according to the researchers.

Ninja Forms vulnerability

WAF provider Wordfence disclosed a major vulnerability in Ninja Forms, one of the most popular WordPress plugins today. The vulnerability allows unauthenticated remote code injection, has a CVSS score of 9.8/10, and patches are already out.

SharePoint and OneDrive ransomware

Proofpoint published new research this week detailing a possible scenario where a threat actor who gained access to a customer’s SharePoint or OneDrive accounts could modify the file auto-saving versioning limit to “1” and then encrypt files with ransomware twice, and by doing so ensuring that the victim organization doesn’t have access to previous versions of the locked files. The good news is that while the attack is plausible, in the case of a ransomware attack, Microsoft support staff can restore a customer’s files to any previous point from the previous 14 days, according to this support page and Matt Swann, Chief Security Architect for OneDrive and SharePoint at Microsoft.

More Hertzbleed

After earlier this week, academics published details about the Hertzbleed attack a team of Intel researchers has published their own paper on the topic, along with more extensive and detailed mitigations to prevent possible attacks.

https://twitter.com/dangoodin001/status/1537139311044268032

RDP vulnerability finally patched

CyberArk has a write-up on the backstory of a vulnerability in the Windows Remote Desktop feature that was initially disclosed in January and needed a second patch in April to plug all the attack holes.

Patch Tuesday is not ending

Someone started some dumb rumor that Microsoft will stop providing security updates during Patch Tuesdays. That’s obviously false, Microsoft told SecurityWeek.

GitHub updates

GitHub said on Wednesday that every time it would detect a threat actor’s attempt to insert malware into open-source projects, it would also add an entry in its GitHub Advisory Database, a place the company previously logged only vulnerability-related issues.

BlackHat Arsenal

The schedule for this year’s Black Hat Arsenal edition has been made public. Black Hat Arsenal is the conference tracklist where security researchers present new infosec-related tooling.

Eclypsium

Firmware security firm Eclypsium has expanded its leadership team.

Follina tooling

Security researcher Marcus “MalwareTech” Hutchins has released a tool that can extract payloads from Office files weaponized with the Follina zero-day.

Big Phish

Security firm PIXM has released a report on a massive and successful Facebook phishing campaign. The campaign used legitimate services such as famous.co and glitch.me to redirect to phishing pages. Once phishing links on these services were detected and blocked, new ones were rapidly created at a new unique id. As these services were legitimate, Facebook wasn’t able to block them en masse, and the person(s) responsible would use compromised Facebook accounts to send phishing links to contacts on Facebook Messenger.

PIXM discovered the campaign had openly available traffic monitoring statistics and they extrapolate the phishing sites in aggregate may have received around 400m sessions, although they believe they have seen only a fraction of the campaign. Bring on passwordless login systems.

Ransomware is Underreported

At the RSA conference this week, FBI and Department of Justice officials reported that only a quarter of NetWalker ransomware victims reported incidents to law enforcement. Officials were able to get comprehensive information about attacks and even build a decryptor after seizing NetWalker servers in Bulgaria in 2020.

Good News, More BEC!

Wired covers the argument that as governments crack down on ransomware and illicit cryptocurrency payments criminals may migrate from ransomware to Business Email Compromise. This makes sense as BEC is already more profitable than ransomware and could well be good news as it causes less operational disruption.

Firefox upping privacy

Firefox is rolling out “Total Cookie Protection”, which limits cookies, even for third-party content, to only the website that assigned that cookie. Mozilla says “this approach strikes the balance between eliminating the worst privacy properties of third-party cookies — in particular the ability to track you — and allowing those cookies to fulfil their less invasive use cases (e.g. to provide accurate analytics)”. This is really the way it should have been all along.

Splunk Releases Critical Update

Splunk released an emergency patch this week, addressing a critical vulnerability that could lead to arbitrary code execution. The vulnerability, CVE-2022-32158, has a CVSS score of 9.0. An attacker taking advantage of the flaw could execute code on endpoints connected to a particular deployment server. Splunk released patches only for Splunk 9.0; users of older versions need to upgrade to 9.0 to patch.

Note

If you’re on Splunk 9.0, you will need to apply the patch. Due to the newness of the patch, you may wish to wait for any updates/issues to be squared away, If you’re doing that, you need to disable the deployment server unless you’re actively using it to deploy configuration updates. The ISC blog below has details on this approach. If you’re not on Splunk 9.0, time to roll up your sleeves and get that update going.
This does not impact Splunk Cloud users, so relevant to a bit more than half of Splunk customers. SaaS vendors have a simpler patching issue than IaaS vendors, but in procurement very important to ask about and evaluate the vendors patch time commitments, their use of external Cloud Service Providers and DoS protection as well as broader security processes and controls. Like many security software vendors, Splunk is seeing it cloud business grow more than twice as fast as on-premises deployments. But margins (profit on sales) are still lower for cloud sales vs. on-premise. Important to keep the pressure on all security vendors to make sure cloud security of their own offering is Job 1, even as they look to constrain costs to improve cloud profit.

Microsoft Patch Tuesday Updates Include Follina Fix

On Tuesday, June 14, Microsoft released updates that address 60 security issues in a range of products. The updates include a patch for the Follina flaw in Microsoft Support Diagnostic Tool (MSDT). Three of the vulnerabilities fixed in this patch of updates have been deemed critical; the three remote code execution vulnerabilities affect Windows Network File System, Windows Hyper-V, and Windows Lightweight Access Protocol.

Note

The Follina fix was issued with a release date of May 30th, which caused a bit of confusion as it wasn’t part of the June 14th set of patches. But it is included in the rollup patches. Please apply expeditiously. Also note the NFS patch. While not enabled by default, this is the third month in a row for NFS patches and this time, additional details regarding the vulnerability have been published by the discoverer making an exploit more likely.
The patches address both the MSDT flaw and the Windows Network File System flaws. The NFS 4.1 fix is for your servers, and while critical, you may wish to test prior to wide deployment. Also, in case you’re missing it, June 15 is the de-support date for IE – take care of your support and IT teams this month, it’s going to be busy.

Microsoft Called Out for Dragging its Feet on Azure Fixes

Orca Security and Tenable both say that Microsoft has taken too long to address critical flaws in Azure. Orca Security’s Tzah Pahima said that Microsoft took more than four months to adequately fix a critical vulnerability in Azure’s Synapse Analytics. Researchers from Tenable detected two vulnerabilities in Synapse Analytics and reported them to Microsoft in early March; the issues were not acknowledged for nearly three months.

Note

Using the cloud (aka “someone else’s computer”) requires trust. Delayed fixes and missing transparency about the risks your data is exposed to does not build trust. On the other hand: As long as it is cheap and easy enough, people will probably use it anyway.
I started Gartner’s coverage of cloud service security back in 2010 or so and a key issue was how cloud service providers would patch their underlying infrastructure. Testing patches to make sure a 10,000 user enterprise isn’t impacted is tough enough – Microsoft has over 700M users on Azure Active Directory. Obviously, Microsoft has the biggest problem since Windows vulnerabilities get outed the quickest, but Amazon AWS has the biggest market share (over 1M users). They have to walk the line between risk of customers being compromised by attackers exploiting the vulnerability and too-fast push out of patches that aren’t fully testing, leading to downtime at hundreds to thousands of customers. Right now, Microsoft is erring on the side of avoiding the latter, which is probably prudent since some recent MSFT patches have had to be recalled.
It took Microsoft three tries to fix the vulnerability; the full fix was released in May. We have seen multiple patch cycles previously. The risk is that with cloud services you’re not only dependent on the software provider for the fix, just as with on-prem, but also restricted to the mitigations they provide, which is unlike on-premise services. Make sure that you’re considering this risk, weighed against the providers track record of deploying updates and inclusion of possible compensating security measures.

US HHS Security Risk Assessment Tool Version 3.3

The US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) and National Coordinator for Health Information Technology (ONC) have released the Security Risk Assessment (SRA) Tool version 3.3. SRA “is designed to help healthcare providers conduct a security risk assessment as required by the HIPAA Security Rule and the Centers for Medicare and Medicaid Service (CMS) Electronic Health Record (EHR) Incentive Program.”

Note

This is just a port of the paper version of the OCR Security Risk Assessment tool to electronic/spreadsheet format. So, if you were already using the paper version, much easier to use. But the questionnaire is heavy on policy and compliance, much lighter on actual security defenses/controls. A decent starting point if you are starting from scratch but will also need tailoring for most environments. There are 64 questions with “I don’t know” as possible answers. The spreadsheet logic will show those as yellow for if you use that answer, but a “Huh?” response should be high risk/red – if you answer “I don’t know” on more than a handful, time to stop and get a detailed security assessment performed.
Download the tool from the HealthIT.gov Security Risk Assessment Tool website (see link below). It is available as an application for windows 7/8/10/11 systems which stores data locally, or an Excel workbook. The questions include guidance for each of your possible answers, whether it is required, and the source for the question. Sections also include Threats and Vulnerabilities questions which you can leverage to see your risk score. Allow sufficient time to honestly assess yourself, resist the blame game. If you find yourself with a lot of critical or high-risk scores, or I-don’t-know answers, consider a professional engagement to help you both verify your assessment and devise a risk-based path forward.

Healthcare Entities Respond to HHS RFI on Cybersecurity Requirements

In April, the US Department of Health and Human Services (HHS) published a request for information (RFI) seeking public comment on current healthcare security practices and how HHS Office for Civil Rights (OCR) can help healthcare entities implement security measures. A common thread throughout comments from several healthcare-related organizations is that cybersecurity requirements need to be flexible rather than one size fits all.

Note

Most of the reaction has been because HHS OCR is asking many questions on how best to determine monetary penalties for failure to protect personal health information. HIPAA has been out since 1996, HITECH since 2009, OCR enforcement actions did not start until 2017 and have been mostly driven by complaints not by proactive assessments – since 2017, OCR has had 105,189 complaints and only 1,739 Compliance reviews and fines were assessed in only .06% of cases, roughly only 1 out of 1500. Bottom line: most likely outcome is language accepting use of widely accepted frameworks, followed by increase proactive assessment and higher occurrence of fines. Legislation moves slowly – earliest start is probably FY 24. So, develop a 2-3 year strategic gap closure plan to convince management to fund progress over that period to avoid future punitive actions (sounds scarier than just saying fines…)
Security frameworks need to be viewed from both a risk perspective and a as a minimum bar. Use them to identify potential gaps in your protections, document your decisions.

Cloudflare Says it Mitigated a 26M rps DDoS Attack

Cloudflare detected and thwarted a 26 million request per second (rps) distributed denial-of-service (DDoS) attack against one of its customers. The attack occurred last week. It was the work of a botnet comprising just over 5,000 devices, mostly servers and virtual machine belonging to cloud service providers. In a blog post, Cloudflare’s Omer Yoachimik writes that the botnet was “4,000 times stronger [than most other botnets] due to its use of virtual machines and servers.”

Note

Since extended DDoS attacks can cause cloud service providers to start failing to meet service level agreements, the larger CSPs generally have strong DDoS filtering in place, usually a mixture on in their data centers and used of services like Cloudflare or Akamai/Prolexic. Make sure the security group is involved in evaluating cloud service procurements to assure thatsuch hybrid DDoS protection is part of the bid – payoffs on SLA failure only give your company rebates on future bills, no level of business interruption costs are included.
Even though this thwarted attack was targeting services on the free tier Cloudflare plan, verify your CDN provides DDoS protections on the service you’re using. Cloudflare is comparing the relative impact for small device/IoT botnets (730,000 devices) versus smaller collections of server class nodes (5,067 devices). The larger botnet only generates 1.3 million rps, meaning while protecting your IoT devices is key, it’s still paramount to consider your physical and virtual servers as high value targets for acquisition. Pay particular attention to unexpected workload bursts, consistent with DDoS attack duration.

Hertzbleed Side-Channel Attack

A newly-detected side-channel attack affects Intel and AMD x86 processors. Dubbed Hertzbleed, the flaw can be exploited to steal cryptographic keys by observing CPU frequency variations in the dynamic voltage and frequency scaling (DVFS) CPU-throttling technology. The researchers who detected the vulnerability acknowledged that exploits would require complex attacks. Intel and AMD do not have plans to release fixes.

Citrix Fixes ADM Vulnerabilities

Citrix has released updates to address a pair of flaws affecting Citrix Application Delivery Management (ADM). An improper access control vulnerability could be exploited to allow a remote, unauthenticated user to corrupt the system and potentially reset the administrator password. An improper control of a resource through its lifetime issue could be exploited to temporarily disrupt the ADM license service. The flaws affect all supported versions of Citrix ADM server and Citrix ADM agent. Users are urged to upgrade to the most recent versions.

Latin American Government Face Serious Ransomware Risks

Latin American governments face a significant risk from ransomware attacks due to poor cyber hygiene, inadequate education, and immature infrastructure, according to researchers from Recorded Future’s Inskit Group. The researchers note that “If unaddressed, ransomware attacks on local, provincial, or federal government entities in LATAM could constitute a credible national and geopolitical security risk.”

Note

This is about cyber hygiene. Attackers are leveraging compromised credentials, which is best mitigated through the use of MFA. If you must hang on to reusable credentials, use services to check breach dumps for compromised credentials, to include rapid action for discovered compromised accounts.
We have witnessed successful ransomware attacks against public sector bodies throughout the United States and Europe. There is no reason not to expect similar types of victims in other regions such as Latin America.

Ukraine’s Internet Routed Through Russia

Ukrainian internet companies are reportedly being forced to reroute their traffic through Russia or shut down their connections. Russian troops are seizing Ukrainian Internet providers’ equipment and ordering employees to reroute traffic; if they refuse, the troops are able to make the changes themselves. In addition, a new mobile company in the city of Kherson appears to be selling SIM cards that connect to a network with numbers that uses the international prefix for Russia. Cloudflare’s head of data insight David Belson said, “Controlling internet access and being able to manipulate the internet access into an occupied area” is a “new front.”

Note

On the Internet, anything beyond the network jack in your system should be considered hostile anyway. Russia would be negligent not to reroute networks they physically control.
This is why end-to-end encryption is so important. Encryption is not just a tool to protect privacy, it is also a critical security tool which not only protects data but, as exemplified here, can protect people’s lives and their freedoms. Those looking for backdoors into encryption need to role play what would happen if a hostile and/or oppressive government had access to individuals’ internet traffic.
The Ukrainian ISPs don’t have a lot of choice here, as the Russians are able to make the changes if they refuse, and have physical access to the network equipment to obtain access. Watch to see if users can successfully use VPNs to bypass anticipated restrictions of access and attempted monitoring. If you are unsure of the network, wired/wireless or cellular you’re using, use a VPN to secure the connection to a trusted exit point. Note that some services filter connection methods some VPNs use, so be prepared to use alternate offerings.

SBOMs Need to be Mapped to Known Vulnerabilities

In a blog post, Google’s Open Source Security Team observes that a software bill of materials (SBOM) by itself is not useful for determining security risks. Instead, a SBOM “needs to be mapped onto a list of known vulnerabilities to know which components could pose a threat.” The blog goes on to describe the process of using an open source tool to identify vulnerabilities in components included in a SBOM.

Note

Short response is no single action is alone complete for determining, let alone mitigating, software supply chain risks or any risk. SBOMs will have to part of the solution, but the starting point is enterprises having accurate software inventories – the most likely apps to be compromised are the ones that are NOT in ITs configuration management database or spreadsheet of software license.
Information to make informed decisions is important. The usefulness of SBOMs will depend on how we consume/analyze them. It may become tricky to keep up with SBOM evaluation due to rate of update or complexity unless we have trusted automation to identify risks.

Cloud Security Alliance: Top Cloud Computing Risks

The Cloud Security Alliance has published a report identifying the top cloud computing security risks faced by cybersecurity experts. Among things they noticed – a shift in cloud security responsibility from the service provider to the cloud adopter. The number one risk CSA identified is insufficient identity, credentials, access, and key management, which are the responsibility of cloud adopters. Other top risks include insecure interfaces and APIs; misconfiguration and inadequate change control; lack of cloud security architecture and strategy; and unsecure software development.

Note

The report includes business impact, key takeaways, examples, and security guidance for each of these risks. Use this to develop processes to ensure minimum security practices are implemented for your current and future cloud services.
cloudsecurityalliance.org: Top Threats to Cloud Computing Pandemic Eleven

Prison Time for Selling DDoS Attack Services

A US district judge in California sentenced Matthew Gatrel to two years in prison for operating distributed-denial-of-service (DDoS) attack for hire websites. The sites Gatrel ran launched more than 200,00 DDoS attacks. In September 2021, Gatrel was found guilty of conspiracy to commit unauthorized impairment of a protected computer, conspiracy to commit wire fraud, and unauthorized impairment of a protected computer. A co-defendant pleaded guilty before the trial began.

Note

This is similar to moving from arresting and sentencing one person buying drugs or weapons to doing so to a dealer selling to dozens – obviously a good thing. The next step is going after the sketchy hosting/IaaS companies providing capacity to some “cybercrime as a service” criminals. Even better would be ISP ingress and egress filtering of obviously malicious traffic.
Having DDoS protection must become SOP for internet facing services. While court cases like this may provide some deterrence, having active technical countermeasures in place will provide a more rapid return, and possibly help your CISO sleep at night.

40 high-severity vulnerabilities included in June’s Patch Tuesday

Microsoft released its monthly security update Tuesday, disclosing 55 vulnerabilities in the company’s firmware and software. One of these vulnerabilities is considered critical, 40 are listed as high severity, and the remainder is considered “moderate.” The most serious issue is CVE-2022-30136, a remote code execution vulnerability in the Windows Network File System (NFS) service, version NFSv4.1, with a severity score of near-maximum 9.8. An attacker can exploit the vulnerability over the network by making an unauthenticated, specially crafted call to a Network File System (NFS) service to execute remote code. To mitigate this vulnerability, users are advised to disable the vulnerable version NFSV4.1 and restart the NFS server or reboot the machine. Microsoft SharePoint server contains a remote code execution vulnerability, CVE-2022-30157, with a severity score of 8.8.

Symbiote malware can remain undetected on Linux machines

A new Linux malware that can go undetected on infected machines is being used to target the financial sector in Latin America. Once the “Symbiote” malware infects the machine, it hides itself, making infections hard to detect. If successful, the malware provides a backdoor for the threat actor and allows them to log in as any user on the machine with a hardcoded password. They can also execute arbitrary code on the infected machine with the highest privileges. Because of its stealth, security researchers are unaware how widespread the campaign currently is and are unsure if it can even be detected by conventional security software.

Microsoft accused of concealing Azure vulnerabilities

Amit Yoran, the CEO of vulnerability management platform Tenable, published a LinkedIn post on Monday accusing Microsoft of downplaying the severity of two Azure vulnerabilities his team reported to the company earlier this year, and only patching one of them.

Quoting from a blog post by James Sebree, Principal Research Engineer at Tenable:

“It took entirely too much effort to get any sort of meaningful response from our case agent. Despite numerous attempts at requesting status updates via emails and the researcher portal, it wasn’t until we reached out via Twitter that we would receive responses. During the disclosure process, Microsoft representatives initially seemed to agree that these were critical issues. A patch for the privilege escalation issue was developed and implemented without further information or clarification being required from Tenable Research. This patch was also made silently and no notification was provided to Tenable. We had to discover this information for ourselves.

During the final weeks of the disclosure process, MSRC began attempting to downplay this issue and classified it as a “best practice recommendation” rather than a security issue. […] It wasn’t until we notified MSRC of the intent to publish our findings that they acknowledged these issues as security-related. At the eleventh hour of the disclosure timeline, someone from MSRC was able to reach out and began rectifying the communication mishaps that had been occurring.

But while this looks like a bungled bug report, both Yoran and Sebree say this is part of a larger trend and “repeated pattern of behavior” where Microsoft intentionally tries to downplay or hide a security issue from its customers.

The two points to similar recent reports from companies like Wiz and Orca Security, both of which have had to deal with Microsoft botching patches and trying to hide the issue from its customers.

“For an IT infrastructure provider or a cloud service provider that is not being transparent, the stakes are raised exponentially,” Yoran said on Monday.

“Without timely and detailed disclosures, customers have no idea if they were, or are, vulnerable to attack…or if they fell victim to attack prior to a vulnerability being patched. And not notifying customers denies them the opportunity to look for evidence that they were or were not compromised, a grossly irresponsible policy,” he added.

“The fox is guarding the henhouse,” Yoran said.

But the reason we chose to highlight this issue goes far beyond how Microsoft deals with the disclosure of vulnerabilities in its Azure cloud service.

While the OS maker has gone through a period in recent years where it was far more open with security researchers and its patching process, they appear to be going back into their shell again and actively trying to hide the severity of certain security issues from its users.

One of the early indicators of this was the redesign of its Security Update Guide in September 2020. At the time, the company removed a lot of verbose information about security bugs, replacing bug descriptions with a soup of numbers and generic terms that even some of today’s most experienced security researchers can barely understand and put into context.

At the time, Bob Huber, Chief Security Officer at Tenable, called it “a bad move, plain and simple.”

“With this new format, end users are completely blind to how a particular CVE impacts them. What’s more, this makes it nearly impossible to determine the urgency of a given patch. It’s difficult to understand the benefits to end-users,” Huber told this reporter in an email back in 2020.

“However, it’s not too difficult to see how this new format benefits bad actors. They’ll reverse engineer the patches and, by Microsoft not being explicit about vulnerability details, the advantage goes to attackers, not defenders. Without the proper context for these CVEs, it becomes increasingly difficult for defenders to prioritize their remediation efforts. Context is king and it’s extremely disappointing to see Microsoft remove that from this equation.”

But since then, more voices also started speaking up about their bad experiences when reporting vulnerabilities to Microsoft’s bug bounty program, with many issues either being ignored, downplayed, misunderstood, intentionally left without a patch, or not even classified as security issues—adding to a general trend where Microsoft appears to be trying its best to downplay any security issue reported to its security engineers.

This has to be a joke. That path traversal 0day is a "wonfix" again. 🤦‍♂️

I think someone at @msftsecresponse didn't get this is not a chromium-based bug. It's a MSDT one, buddies! Someone at Redmond should review my Twitter timeline :-) Isn't a MSRC guy there reading this? 🫤 pic.twitter.com/jC02nzgnuV

— j00sean (@j00sean) June 7, 2022

For those looking for the Follina / CVE-2022-30190 update in the June 2022 Patch Tuesday updates, take note:
Despite the patches being released today, they're listed as being released in May. 🤷
With the update, msdt.exe is still automatically spawned. But without injection. pic.twitter.com/A0xl28eYhC

— Will Dormann (@wdormann) June 14, 2022

So Microsoft only patched the "ms-msdt" #zero-day bug in Windows this PT but keep leaving the attack surface wide open, which means the next "copycat" zero-day attack coming in .. pic.twitter.com/DaeymgWSsY

— Haifei Li (@HaifeiLi) June 14, 2022

Whatever is going on at the Microsoft Security Response Center, it appears that’s rubbing a lot of today’s top researchers the wrong way, but also creating a lot of frustration for those who have to deal with the company’s technology on a daily basis, especially from a security posture.

New Aadhaar leak

An Indian security researcher told TechCrunch that the website of PM-Kisan, an Indian government project aimed at providing Indian farmers with basic financial income, has leaked their Aadhaar numbers. The researcher said he found the issue in January, and it took the agency more than four months to fix it, with the website being patched in late May.

Firefox Total Cookie Protection

Mozilla has rolled out a new feature to Firefox users this week named Total Cookie Protection. The feature works by limiting access to cookies to the website where they were created, which has the side effect of preventing tracking companies from using the same cookies to track users browsing from across the web, from site to site. Mozilla described Total Cookie Protection as its “strongest privacy protection to date.”

Thunderbird comes to Android

The Thunderbird Foundation announced that the K-9 open-source Android email client has officially joined the Thunderbird project and will soon be rebranded and relaunched as Thunderbird for Android.

IE retirement

Starting June 15, 2022, Microsoft has retired its Internet Explorer web browser from some versions of Windows 10. On affected versions, when users try to open IE or an URL, they will be redirected to Microsoft’s newer Edge browser instead. IE did not ship with Microsoft’s newest Windows 11 OS at all. More in Microsoft’s IE retirement FAQ page.

is Internet Explorer ever truly dead? pic.twitter.com/KQGndprUxn

— Tom Warren (@tomwarren) June 14, 2022

Chrome’s Rust migration

In its quarterly security newsletter for Q1 2022, Google said that work has continued on moving some of the Chrome codebase from C++ to Rust, but the Chrome team does not know if they can ergonomically mix Rust with C++ in the Chromium code yet. In addition, the Chrome team said it is also continuing its efforts to put the browser’s networking service into its own sandbox process.

GhostDNS attacks

Avast said it detected new attacks in Brazil carried out by the GhostDNS threat actor. This group breaks into SOHO routers to modify DNS settings that resolve certain DNS queries to malicious sites.

A new #GhostDNS #DNShijack #RouterEK campaign was found in Brazil on hxxp://www.asamas.com[.]br/loja01
Malvertising node: hxxps://c.srvpcn[.]com/iclick?id=c
Rogue DNS servers: 66.70.155[.]224 (dead now), 167.114.43[.]24 (forwarding mode)

All avast users are already protected pic.twitter.com/XThCyWxgFP

— Avast Threat Labs (@AvastThreatLabs) June 13, 2022

NakedPages

Threat intel firm CloudSEK says it observed selling a “battle-tested” reverse proxy, PHP-based phishing app called NakedPages on a cybercrime forum. The threat actor claims the toolkit can be used to phish users of Google and Microsoft Office.

DownThem & AmpNode

The operator of the DownThem and the AmpNode DDoS-for-hire services was sentenced to two years in prison, according to the US DOJ. Investigators said that DownThem had more than 2,000 customers at the time of its owner’s arrest and had been used to launch more than 200,000 attacks. The owner, Matthew Gatrel, 33, of Illinois, ran the service with co-administrator Juan Martinez, 29, of Pasadena, who also pleaded guilty and was sentenced to five years of probation last year.

OpsPatuk

Hacktivist group DragonForce Malaysia announced last week a campaign of DDoS attacks against the Indian government and private sector entities as part of a new operation they’re calling OpsPatuk. DDoS mitigation provider Radware, which has been tracking the recent attacks, said the attacks are a direct result of a BJP politician attacking the Prophet Muhammad, comments that have outraged many Muslim communities last week.

Another record-breaking DDoS attack

Cloudflare said that it mitigated last week a 26 million request per second DDoS attack. According to the company, the attack is now the largest HTTPS DDoS attack on record, beating a previous 17.2M rps HTTPS DDoS attack recorded last year.

Syslogk

Avast has published a report on Syslogk, a new kernel rootkit found in the wild and targeting Linux systems. Researchers who analyzed the malware said Syslogk was based on Adore-Ng, a relatively old, open-source, well-known kernel rootkit for Linux, which initially targeted kernel 2.x but is currently updated to target kernel 3.x releases.

PureCrypter

Cybersecurity firm Zscaler has published a report on PureCrypter, a malware loader strain that has been for sale on underground forums since March 2021. According to the company, the malware is written in .NET and has been observed distributing a variety of remote access trojans and information stealers.

NFT scamming

Confiant is scheduled to release a report about a new tool advertised in cybercrime circles that can allow threat actors to create fake NFT minting pages that actually steal a victim’s NFT ownership and even Ethereum funds. We’ll update the web version of this newsletter once the report goes live, a few hours after the email version of this newsletter.

Gallium APT

Palo Alto Networks said on Monday that it observed the GALLIUM APT group conduct new attacks expanding from its usual targeting of telecommunication operators to also go after financial institutions and government entities. Targeted entities were located in Afghanistan, Australia, Belgium, Cambodia, Malaysia, Mozambique, the Philippines, Russia, and Vietnam, and researchers said the group also debuted a new remote access trojan for these attacks, named PingPull.

Iranian operation

Check Point has detailed a recent Iranian spear-phishing operation aimed against former Israeli officials, high-ranking military personnel, research fellows in research institutions, and think tanks. According to the company, some of the high-profile targets of this operation included:

Tzipi Livni – former Foreign Minister and Deputy Prime Minister of Israel.
A former Major General who served in a highly sensitive position in the Israeli Defense Forces (IDF).
Chair of one of Israel’s leading security think tanks.
A former US Ambassador to Israel.
A former Chair of a well-known Middle East research center.
A senior executive in the Israeli defense industry.

Follina patches

The Microsoft Patch Tuesday security updates for June 2022 are out. The OS maker fixed 61 security vulnerabilities this month, including an official patch for the Follina Office zero-day vulnerability that is currently under mass exploitation by both nation-state and cybercrime groups. An analysis of this month’s patches is available on the ZDI blog.

Other Patch Tuesday fixes

Besides Microsoft, Adobe, Citrix, and Siemens have also released their own set of security updates on Tuesday.

Hertzbleed attack

A team of academics from US universities has published a research paper on Tuesday detailing a new side-channel attack they have named Hertzbleed. This new attack targets Dynamic Frequency Scaling, a feature in modern x86 processors that allows CPUs to lower their frequency to consume less power if they aren’t used to their full extent. According to the research team, “Hertzbleed is a real, and practical, threat to the security of cryptographic software,” compared to many other previous side-channel attacks disclosed in the past. In their tests, the team said it was able to extract cryptographic keys from remote servers. All Intel CPUs are impacted, and a vast majority of AMD’s top processors, as well.

SynLapse details

Orca Security has published in-depth technical details about a vulnerability known as SynLapse, a remote code execution impacting the Azure Synapse Analytics and Azure Data Factory services. The vulnerability allowed attackers to hijack Azure Synapse workspaces, obtain Synapse customer account credentials, and bypass tenant Azure tenant separation.

Zombie zero-days

Google’s Project Zero team has published a root-cause analysis of a zero-day first abused in the wild in 2013. P0’s Maddie Stone discovered that the zero-day, initially patched in 2013, had its fix regressed in 2016 and was re-exploited again in 2022.

"25% of all 0-days detected and disclosed as exploited in-the-wild in 2020 were variants of previously disclosed vulnerabilities… Attackers don’t need novel bugs to effectively exploit users… but instead can use vulnerabilities closely related to previously disclosed ones."👇 https://t.co/YDEFCTBY4S

— Tim Willis (@itswillis) June 14, 2022

GhostWriter news

GhostWriter, the project management tool for penetration testers developed by SpecterOps, has reached v3.

Microsoft buys Miburo

Microsoft announced this week plans to acquire cyber threat analysis and research company Miburo. The company is specialized in the detection of and response to foreign information operations.

Vulnerability: Credential leak in Travis CI log API

Team Nautilus at Aquasec has found an ongoing vulnerability affecting public instances of the Travis CI platform. The vulnerability exposes tens of thousands of user tokens (typically for GitHub, AWS, and DockerHub) in historical Travis CI logs that are accessible through an API. Similar issues have been reported in 2015 and 2019, and in this update we featured news of token leaks on Travis CI late last year.

Travis CI is a popular CI/CD platform that acts as a build orchestrator for software artifacts. As such, the platform requires access to various 3rd party platforms such, like source code repositories, container registries, and cloud platforms. Typically, the access credentials to these resources are stored as secrets in the CI/CD platform, only for internal use, and thus not accessible to the casual observer.

However, the researchers discovered that they could access historical logs of build jobs through a publicly accessible API. Using scripts to paginate through the log files, they determined that approximately 770 million logs were exposed. By examining the contents, they were able to identify secret values associated with various platforms:

The researchers did reveal that Travis CI did provide some mitigation against mass leakage: the API endpoint was rate limited, in many cases the secret values were masked in the log files, and they also recommend various techniques for masking secrets and deleting old log files.

Nonetheless, the sheer volume of logs available through the API endpoint pagination meant that tens of thousands of secrets may be accessible, representing a significant risk to assets on impacted 3rd party platforms. The researchers quoted Travis CI’s response that the issue is “by design” — Travis CI has also previously be found wanting in their response to a similar leak. Users are urged to be cautious with credentials stored on Travis CI, including deleting log files, revoking and reissuing credentials, and narrowing down the roles in credentials to the bare minimum required to lessen the impact.

There are several important lessons to be learned here:

Do not rely on security by obscurity — in this case, the platform stored old log files under an undisclosed endpoint but this could easily be reverse-engineered.
Rate limiting is important, but it is only one element of an API defense strategy.
Always have a plan for revoking and reissuing credentials, both in an emergency and as part of a security routine.

Article: Microsoft’s recommendations for mitigating against API threats

Microsoft has produced a high-quality set of recommendations for how to mitigate OWASP API security Top 10 threats with API management. Although primarily targeted at users of their Azure API tools (the balance of the recommendations focuses on using Azure platform features for secure configuration and monitoring), the recommendations are well-written and contain many excellent generic recommendations — I learned a lot here, and recommend bookmarking this as a checklist for hardening your APIs.

For me, some of the standout recommendations include:

For API1:2019 — Broken object level authorization, the correct place for mitigation is through comprehensive authorization in the backend API code. Gateways can only offer limited defense, mainly by obscuring internal object identifiers.
For API2:2019 — Broken authentication, leverage the power of the gateway to enforce uniform authentication across all endpoints by using standard methods, such as OAuth2 and JWT tokens.
For API3:2019 — Excessive data exposure, again the best way to mitigate against this vulnerability is the judicious design of the data storage objects in the API backend code. Gateways can offer content validation but users should be aware of performance impacts with this method.
For API4:2019 — Lack of resources and rate limiting, gateways can offer short-term and long-term rate limiting; use the OpenAPI definition to limit the amount of data that can be accessed by specifying length limits; use Cross-Origin Policy (CORS) but avoid wildcards; and revoke access for users who abuse resources.
For API5:2019 — Broken function level authorization, the obvious recommendation is to requiring subscription keys for all endpoints by default and to avoid the use of wildcard endpoints.
For API6:2019 — Mass assignment, the recommendations are similar to those for API3: manage the data transfer in the API backend code.

Thanks to Microsoft for the excellent set of recommendations.

Article: Views on why API security needs special attention

The Economic Times featured a thought-provoking read on why API security needs special attention — as the author astutely states “Web applications security is not API security”.

The most interesting observation for me was the benefits (and challenges) of the design-first approach for API development. On the upside, the use of a design-first approach through OpenAPI definitions allows for the enforcement of a very precise contract between the API and the client — quite different from web applications where the boundaries are very blurred. This is the essence of the positive security model that uses the OpenAPI definition as the contract and only allows known good and blocks everything else. The author notes the major caveat with this approach: time pressures on developers mean that a design-first approach might not always be feasible so they begin by coding the API, thereby losing the benefits of contract enforcement.

The author highlights additional factors that impact APIs security:

Lack of visibility into API inventory can inhibit security initiatives.
Traditional security mechanisms (like rate limiting and network security) are useful but not entirely sufficient at thwarting threats to modern APIs.
Due to time pressures on developers and testers, business logic flaws may be hard to detect.

Some great insight into the topic — leverage the power of your OpenAPI definitions.

Travis CI API Exposes User Tokens

Researchers from Aqua’s Team Nautilus discovered that Travis CI API clear-text logs are available to anyone. The logs contain “tokens, secrets, and other credentials associated with popular cloud service providers such as GitHub, AWS, and Docker Hub.”

Note

It appears that in CI/CD, exposing credentials is a feature, not a bug. Automate rotating your credentials and assume they are lost if you are using the free version of Travis CI. This is likely to affect many open source projects using Travis CI to manage code deployment. This particular issue has existed in some form for years.
This is described as the intended behavior for the Free Tier version of Travis CI. If you are going to continue to use the free tier version, the best mitigation, today, is to proactively rotate access tokens, minimizing the interval they are viable if discovered. Better still, investigate other options with a higher bar on protection of access tokens and related information, and properly fund key components such as your CI/CD tools.

PACMAN Hardware Attack Defeats Apple M1 Pointer Authentication

Researchers at MIT’s Computer Science & Artificial Intelligence Laboratory (CSAIL) have developed a new attack that defeats a security measure in Apple’s M1 CPU. Dubbed PACMAN, the hardware attack involves targeting the chip’s Pointer Authentication feature.

Note

This is a good example of needing to look at least two levels deep when thinking of vulnerabilities and risk. For this attack to succeed, among other things vulnerable software needs to be running on the processor. I can imagine the CPU test team running exhaustive tests when designing, sizing and testing the Pointer Authentication Code but not specifically trying enough combinations of unpatched/vulnerable OS and applications.
The exploitability and significance of this vulnerability outside of a lab demo has been disputed in part due to the limitations imposed on collecting high resolution timing data. At this point, this isn’t anything you should spend time worrying about. Skip this story.
This is essentially a proof of concept attack, and the Pac-Man write up is an interesting read. Expect Apple to continue to take steps to limit loading kernel modules to mitigate risks for this sort of attack.

Kaiser Permanente Breach Affects 70,000 Patients

Kaiser Permanente says that an employee’s email account was compromised in early April, putting personally medical information of close to 70,000 patients at risk of exposure. The compromised data include names, medical record numbers, and lab test results. The US Department of health and Human Services Office for Civil Rights is investigating the incident.

Note

Kaiser Permanente says its time-to-detect was a few hours, so the bigger question is why were medical records for 70,000 customers accessible in an employee’s email? The question is not why such sensitive data was in email – it almost always is, because quite often IT does not provide users with collaboration and analysis tools (or the users ignore them) and good old spreadsheets or .csv files are exchanged between users to meet immediate business needs. Not all that hard to detect (auditors find it all the time) but a regular process should be in place to detect PHI in user email queues.
Email mailboxes are a treasure trove for attackers as people often use their mailbox as a database for storing all types of data, including passwords, personal data, and other highly sensitive material. However, most companies do not apply appropriate security to their email systems thinking of it as being only a communications channel. Companies should ensure users have MFA deployed for all email users, monitor for unusual login patterns, apply DLP for sensitive content, and where possible restrict access to sensitive mailboxes or mailboxes of high value targets from known and trusted locations.
Kaiser has multiple regions with segmented data. This breach impacted Kaiser Foundation health plan of Washington. While we have been focused on security of patient facing devices in healthcare, don’t overlook back-end systems such as email which are also under attack and can also benefit from MFA and context driven access controls.
The compromise of an employee’s e-mail account should not be sufficient to compromise PPI. One notes that, again for reasons of convenience, strong authentication is rarely required on e-mail. E-mail, along with browsing, messaging, and social media, is a major source of credential compromise and must be effectively controlled (strong authentication) and isolated from mission critical applications.

The World Economic Forum’s Atlas Initiative Aims to Map Cybercrime Ecosystem

The World Economic Forum Atlas Initiative is a collaborative research project with the goal of mapping the cybercrime ecosystem. The project will trace relationships between criminal groups and their infrastructure. Derek Manky, chief security strategist at FortiGuard Labs, which is one of the participating organizations, said, “We’re looking at the non-traditional artifacts. Think: crypto addresses and bank accounts, phone numbers, emails, things that ultimately help to build the challenge of attribution, which we always say is the holy grail.”

Note

Hopefully this interesting initiative will provide additional information and data on how we can tackle criminal gangs not just at the technical level but perhaps in other ways, such as financial measures and sanctions.

Ransomware Attacks Targeting Costa Rica are Among First Targeting a Country’s Government

The ransomware attacks that have plagued Costa Rica since April are unusual in that the group responsible for the attacks has openly called for the overthrow of the country’s government. Costa Rica has declared a national emergency due to the attacks. The first attack began in April targeted systems of government ministries. The second attack began on May 31 and targeted the Costa Rican Social Security Fund (CCSS) which oversees most of the country’s public healthcare system.

Note

Think about having all your locations and affiliates under attack. Then consider how you would respond, contain, eradicate and prevent recurrence. Do you have the plan and supporting relationships, practice and training? How about your suppliers? Don’t forget to verify your NDAs cover these use cases.

Envoy Proxy DoS Vulnerability

Researchers from JFrog Security discovered a denial-of-service (DoS) vulnerability in Envoy Proxy. The flaw exists because “the code that is in charge of decompressing the user supplied data does not implement a size limit for the output buffer.” The vulnerability could be exploited to crash the proxy server; it has been fixed in Envoy versions 1.19.5, 1.20.4, 1.21.3 and 1.22.1. If upgrading is not possible, JFrog recommends that organizations ensure their configuration does not allow Brotli decompression.

Note

You need to update to the new firmware. Also, if you’re enabling decomposition of Brotli or GZip files. change the Brotli decompressor for GZip. Better still, disable that decompression.

Google Fixes Seven Vulnerabilities in Chrome for Desktop

Google has updated the stable channel for Chrome Desktop to version 102.0.5005.115 for Windows, Mac and Linux. The newest version of the browser includes fixes for seven security issues; four are rated high severity: a use-after-free vulnerability in WebGPU; an out-of-bounds memory access vulnerability in WebGL; an out-of-bounds read vulnerability in Chrome’s compositing component; and a use-after-free vulnerability in ANGLE.

Note

Don’t expect browser updates to settle into a patch Tuesday rhythm anytime soon. With the attention to finding and exploiting browser vulnerabilities, make sure you can readily and actively keep your browsers updated, including a defined process where the relaunch, required to activate the new version, is enforced. Be certain you’re actively tracking not just Chrome, but chromium-based browsers as well. Don’t ignore your other browsers, they are also being researched for vulnerabilities.

Gallium Hacking Group’s New Remote Access Trojan is Hard to Detect

Researchers from Palo Alto Networks’ Unit 42 have found that a known state-sponsored Chinese hacking group is now using a new remote access trojan (RAT). The RAT, dubbed “PingPull,” uses the Internet Control Message Protocol (ICMP) to hide communications with its command-and-control infrastructure. While this is not a new approach, many organizations still do not monitor ICMP traffic. The Gallium hacking group is known for targeting telecommunications companies, financial institutions, and government organizations.

Travel Companies Forced to Share Data

Recently unsealed court documents revealed that authorities compelled two travel companies – US-based Sabre and UK-based Travelport – to provide information regarding the movements of a Russian individual who was the subject of a hacking investigation. The target of the surveillance, Aleksei Burkov, was arrested in Israel in 2015 and extradited to the US in 2019.

Note

Another case of using the All Writs Act (which is very broad) to compel companies to release information relevant to an investigation. You may recall this was also used against Apple in the 2015 San Bernardino shooting case where the FBI wanted them to unlock the suspects phone. The trick is to make sure requests like this are not only specific to the active case, but also represent responses those served can actually provide.
Any data collected is accessible via a court order. Most privacy policies and related legislation have specific exemptions built in to allow this. Not sure why anybody is surprised that this is happening.
This action involved the courts, was narrowly crafted, and was disclosed on a timely basis. However, it involved the use of the ancient “All Writs Act” which the ACLU has found troubling and which has not been recently tested by appeals.

Goodbye, IE (Mostly)

Microsoft will stop supporting most versions of Internet Explorer (IE) as of Wednesday, June 15. The browser was launched in August 1995. The IE desktop application will be disabled. Users are encouraged to move to Microsoft Edge with IE mode, which will be supported through at least 2029.

Note

The market share of IE is below 1%, so not a big issue. Browser-specific applications should by now be anomalies – from a security perspective, Chrome-based browsers are the market share big dog that vulnerability management needs to focus on, but Safari, Firefox and Edge will stay in the mix.
Use Edge with the IE Mode if needed. Suggest rigorous testing without IE Mode to determine your reliance on backwards compatibility, possibly eliminating browser lock in.

Google shuts down YouTube Russian propaganda channels

In its quarterly disinformation report for Q2 2022, Google said last week that it suspended more than 190 YouTube channels and 12 Google Ads accounts linked to Russia’s disinformation efforts surrounding its invasion of Ukraine. Forty-four of these accounts were linked to the Internet Research Agency (IRA), the Russian internet troll farm based in Sankt Petersburg, an entity that has been active for years and still operates despite several US Treasury sanctions.

Google said these accounts published content that was supportive of Russia’s invasion of Ukraine and Russian President Vladimir Putin and critical of NATO, Ukraine, Ukrainian President Volodymyr Zelenskyy, and Russian opposition politician Alexei Navalny. Some accounts also tried to justify the activity of Russian private military contractor Wagner Group in Ukraine and Africa, where they have been accused of civilian killings and other atrocities.

Google’s crackdown comes as the company also suspended in the first quarter of the year more than 715 YouTube accounts used for the same purpose and after the company also delisted multiple Russian state-media news outlets from its Google News section in March.

“The information domain is a critical theater of war for the Kremlin,” said researchers from the Brookings Institution think tank earlier this year in March in a report analyzing news search results for Ukraine-related terms. The report—published before Google moved to remove Russian state media outlets from its News section—found that sites like TASS dominated Google’s search results, helping the Kremlin drive its message to huge audiences.

Companies like Google, Microsoft, Twitter, and Meta (formerly Facebook) have been trying to shut down Russia’s genocide-washing propaganda but with little results, especially on Twitter and Facebook, where copy-pasta bot networks and especially troll farms continue to dominate discussions.

While Twitter and Meta have intervened to limit the reach of official Russian state news outlets, tweets about Ukraine, Russia, and NATO are often flooded with bots and trolls. Similarly, on Facebook, bots and trolls also flood the comments sections in news stories from western media outlets, often driving the discussions toward Russian-friendly narratives.

In most cases, these disinformation and propaganda efforts often follow the same patterns, namely that Ukraine has committed genocide against its Russian-speaking minority and Russia is only trying to save them, narratives that have been thoroughly debunked by multiple sources ranging from Russian independent media to the EU itself.

Optimism hack happy ending

The threat actor who intercepted a transfer of nearly $19 million (at the time) between the Wintermute and Optimism cryptocurrency platforms last week has decided to return the stolen funds, according to blockchain security firm PeckShield.

#PeckShieldAlert Wintermute Exploiter has transferred 17 million $OP to @optimismPBC pic.twitter.com/5PpgeZXaId

— PeckShieldAlert (@PeckShieldAlert) June 10, 2022

German energy suppliers

German energy suppliers Entega and Mainzer Stadtwerke were hit by a cyber-attack over the weekend. The attacks, believed to be unrelated, blocked access to companies’ email servers and public websites, but industrial systems remained unaffected.

Cloud middleware

Wiz, the cloud security firm that discovered the OMIGOD vulnerability last year, has continued its research into the types of middleware products installed by default on cloud servers. The company has published a GitHub repo with cloud middleware (aka cloud agents) installed and used across the major cloud service providers (Azure, AWS, and GCP). These agents—13 right now— are usually installed without the customers’ awareness or explicit consent.

Firefox reducing sandbox escape attack surface

In its quarterly security newsletter for Q1 2022, Mozilla said it deployed a new security feature to Firefox in v96 that will reduce the attack surface for Firefox sandbox escapes (attack from the browser to the underlying OS).

Confluence exploitation

Microsoft’s security team said on Saturday that at least two nation-state groups—tracked as DEV-0401 and DEV-0234—are now exploiting the Atlassian Confluence RCE zero-day vulnerability CVE-2022-26134 that was disclosed last week. Microsoft researchers said that this vulnerability has also been used for device and domain discovery, but also for the deployment of payloads like Cobalt Strike, web shells, botnets like Mirai and Kinsing, coin miners, and even ransomware.

In particular, we observed the CVE-2022-26134 being exploited to download and deploy the Cerber2021 ransomware (SHA-256: f301501b4e2b8db73c73a604a6b67d21e24c05cb558396bc395dcb3f98de7ccf).

— Microsoft Security Intelligence (@MsftSecIntel) June 11, 2022

SeaFlower group

Confiant said in a report last week that it detected a new threat actor—that it named SeaFlower—targeting cryptocurrency users. Since at least March this year, the group has operated websites cloned after legitimate cryptocurrency wallets. These websites, which target Chinese-speaking audiences, host backdoored wallet apps that steal users’ private wallet seeds.

ASyncRAT stats

Malwarebytes reported this week that its telemetry indicated that ASyncRAT had become the most widespread malware payload delivered via email spam in the first half of 2022. ASyncRAT was ranked #3 throughout 2021, behind Dridex and TrickBot.

Finland arrest

An online scammer was detained in Finland last week after defrauding local car dealerships. Investigators said they were able to identify the suspect after they took a high-quality photo of a fake check where one of their fingertips was also visible, allowing them to identify them based on police records. (h/t @mikko)

Nigerian bank robbers

Nigerian police said they detained three suspects for a daring scheme to hack into the networks of at least 11 Nigerian banks and steal funds. According to authorities, the group had bribed an employee at one of the banks to leave critical network gateways open so they could gain access to the bank network and steal funds. Per data recovered from seized devices, the group was planning to use the same method on 10 other banks if this first intrusion went without a hitch. [Coverage in BankInfoSecurity]

Adconion execs plead guilty

Three of four Adconion executives pleaded guilty last week to fraud and misrepresentation via email. The three were charged in 2018 for hijacking IP address blocks from their inactive owners. Some of these IP addresses were later used to send email spam.

Few NetWalker victims complained

Speaking at the RSA security conference last week, FBI and DOJ officials said that only a quarter of all victims of the NetWalker ransomware filed complaints with authorities. Law enforcement seized NetWalker’s infrastructure in January 2021, and the gang ceased operations following the operation.

HelloXD ransomware

Palo Alto Networks has published a technical report on HelloXD, a ransomware strain that has been active since November 2021. The security firm also managed to link the ransomware to a threat actor active on underground cybercrime forums named “x4k.”

Android malware

Security firm McAfee said it found malicious functionality designed to steal Instagram account credentials in an Android app designed to allow users to modify the default Instagram app and in several apps designed to increase Instagram account followers and post likes.

Sandworm

CERT Ukraine said in a security alert on Friday that the Sandworm APT group was targeting Ukrainian news organizations with malicious emails. Officials said that more than 500 radio stations, newspapers, and news agencies were targeted.

Lyceum APT

Zscaler has published a report on a .NET-based backdoor used by the Lyceum APT that the group had been using to target Middle Eastern organizations in the energy and telecommunication sectors. According to researchers, the malware uses a technique called “DNS Hijacking” in which an attacker-controlled DNS server manipulates the responses of DNS queries to redirect targets to malicious sites.

PACMAN attack

Academics from MIT CSAIL have disclosed a novel attack against Apple M1 processors. The attack, named PACMAN, can elevate access from userland to kernel space by bypassing Pointer Authentication (PAC). The PACMAN attack can be executed via a network.

K8s vulnerability

Kubernetes servers are affected by a vulnerability (CVE-2021-25748) in their Nginx integration where “a user that can create or update ingress objects can use a newline character to bypass the sanitization” and “obtain the credentials of the ingress-nginx controller.” The Kubernetes team said that in default Kubernetes configurations, this credential has access to all secrets in the cluster.

Trendnet vulnerabilities

Trendnet TEW-831DR WiFi routers have been found to have multiple vulnerabilities exposing the owners of the router to potential intrusions of their local WiFi network and possible takeover of the device.

Drupal bugs

The Drupal CMS has released out-of-cycle security updates to fix bugs in third-party libraries.

Backdoor account in thermal cameras

IoT security company SEC-Consult disclosed last week that IRAY A8Z3 thermal cameras contain hardcoded credentials for their web application in one of its firmware binary, which can be extracted and used by attackers to modify camera settings. In addition, the same camera model also contains several other vulnerabilities. After 16 months, the vendor has yet to patch any of the reported issues.

Backdoor in Mitel VoIP phones

Mitel Networks has patched its 6900 IP Series VoIP phones and removed a backdoor functionality from the firmware that would have allowed remote attackers to run malicious commands on its devices[1, 2]. The vulnerability was found and reported by German pen-testing firm Syss.

U.S. ordered travel companies to spy on Russian hacker for years

Forbes ($): Solid reporting from @iblametom by way of a Forbes legal challenge that unsealed documents revealing how U.S. authorities obtained an court order to compel travel data companies — Sabre and Travelport — to continually turn over the travel records of notorious Russian hacker Aleksei Burkov to catch him while he traveled overseas outside of Russia. The feds used an obscure provision in U.S. law called the All Writs Act, which might ring a bell for those who lived through Crypto Wars 2.0 when the FBI tried to force Apple to backdoor its own iPhone software to break into a terrorist’s device. Great work here revealing the scope of this kind of underreported surveillance.

U.S. warns Chinese hackers are targeting ISPs and telecoms

The Record: Strong warnings from the U.S. government about how Chinese state-sponsored hackers have been targeting internet providers and major telecoms firms around the globe for the past two years by using known vulnerabilities — and what action network defenders can take to protect their organizations. It comes as new research dropped from Sentinel Labs about a new espionage group dubbed Aoqin Dragon, which uses poisoned Word documents to plant a backdoor and get access to the wider network.

RSA 2022: Cloud providers still using secret middleware

The Register: I didn’t need to go to RSA to still get COVID — but for those who braved the in-person event, The Register has your news rundown covered. Among the highlights includes Wiz research that found vulnerabilities in cloud middleware, and a renewed plea from the private sector for government help. Plus, word is getting around about the emerging threat of hacking-for-hire outfits targeting election officials. It’s a tactic seen most recently in Poland and Catalonia. And finally — bonus Enigma in the wild.

Inside ID.me’s torrid pandemic growth spurt: ill-equipped staff and data-security lapses

@caro1inehaskins back with a fresh inside look at ID.me, the digital identity verification company that caused a ruckus when it secured a deal with the IRS. The reporting shows a growth spurt during the pandemic that left the company unprepared to handle the massive influx of new business, which inevitably led to data security lapses. One former employee said: “It was disturbing to me that my background check wasn’t completed and that I was allowed to take home a computer with people’s information on it.” Yikes. And to think this company secured government contracts. ID.me also laid off employees this week after hiring nearly 1,500 new people during the pandemic.

How a saxophonist tricked the KGB by encrypting secrets in music

A brilliant story about how U.S. saxophonist Merryl Goldberg devised an encryption scheme that used musical notation to allow her to smuggle information into and out of the former USSR, defying the watchful eyes of the then-KGB. Another great story that came out of RSA. @kennwhite with the stan tweets.

How to open a locked Sentry Safe in seconds

A security researcher found a vulnerability that allows the opening of electronic safes from the Sentry Safe and Master Lock company without needing a PIN code. Great walkthrough, including a bonus sneaky method of delivery: a highlighter pen.

New Tesla hack gives thieves their own personal key

An apparent flaw in Tesla’s NFC card — used as a way of unlocking an owner’s Tesla — has a bug that allows a would-be attacker 130 seconds to enroll a new key and effectively take over the car. “If a vehicle owner normally uses the phone app to unlock the car—by far the most common unlocking method for Teslas — the attacker can force the use of the NFC card by using a signal jammer to block the BLE frequency used by Tesla’s phone-as-a-key app.”

OneTrust has ‘record’ quarters, still lays off 25% staff

Privacy unicorn OneTrust has been growing from strength to strength — if its statements are to be believed — with “record quarters and increasing customer demand,” reports Insider ($). But the Softbank-backed giant is cutting a quarter of its staff, some 950 employees, all the while splashing the cash at RSA. Cybereason also acknowledged layoffs despite a $3 billion valuation.

Feds shutter marketplace selling SSNs

SSNDOB, a series of websites that listed about 24 million Social Security numbers and other personal information, has been seized by U.S. and Cyprus authorities. The crime market netted some $19 million in sales over the past ten years — or more than $22 million in Bitcoin, per Chainalysis. SSNDOB has been active since at least 2013.

Microsoft mum on Follina exploit

Tech giant Microsoft is reportedly in “no hurry” to patch the Follina vulnerability under active attack, which exploits a bug in Office documents that crucially doesn’t require macros to work. Simply previewing a document will render a device compromised. The bug is already being exploited to infect devices with the Qbot malware and ransomware. But Microsoft has said very little since it declared the bug a vulnerability — at a 7.8 out of 10 rating — and hasn’t said anything about it since.

US Government Agencies with Legacy Systems Face Struggle to Implement MFA

Eric Goldstein, CISA executive assistant director for cybersecurity told Cyberscoop that US government agencies with legacy systems may have difficulty implementing multi-factor authentication (MFA). Agencies were required to have implemented MFA by November 2021 as per a May 2021 executive order. The Biden administration is seeking $300 million for FY 2023 for the Technology Modernization Fund, which will be used to help agencies upgrade outdated IT systems.

Note

Implementing MFA usually implies implementing some form of SSO/IAM. Many organizations struggle not only with legacy systems, but also new SAAS offerings that only offer integration with standards like SAML for a substantial additional fee. 100% MFA is (sadly) not always realistic and you will have to consider other controls for systems that do not support MFA. For example, you could require access via a VPN that uses MFA. For SaaS platforms: Pay up or find an alternative.
Over the years this has been the “the dog ate my homework” excuse for government agencies that are slow to make basic security hygiene improvements. History note: in 2001 a federal judge ordered the Bureau of Indian affairs to disconnect from the Internet because it could not protect Native American trust information. Some BIA offices were not allowed to reconnect until *2008*. We are at the point where failure to move away from reusable passwords on government networks (all networks, really) is a reason to say, “No Internet for you.”
Many initiatives which expect MFA implementations assume applications are modernized to support current authentication mechanisms, such as SAML and a federated IDP, where enforcing MFA is a configuration task. Legacy applications are sometimes fitted with new entry points which themselves support MFA; in so doing, care must be taken to not leave a path to the old less secure entry point. In the past we have raised the bar by implementing solutions which leveraged the password field for their one-time authenticator and then augmenting the password validation process. Note that current directives require phishing-resistant MFA, which means this too may need updating. When replacing legacy systems, plan carefully, not only for acquisition and implementation but also business process re-engineering. Avoid the trap of modification of the new solution to implement old business models which can result in an increased mortgage and make future updates challenging if not impossible.
Systems that are resistant to such a simple but powerful measure should be candidates for replacement rather than simply upgrade. While some argue that strong authentication is the most efficient security measure, it is unarguable that it is in the top three.

Android Updates for June 2022

Google has released its Android updates for June 2022. Of the 41 vulnerabilities addressed in the updates, five are rated critical. There are updates available for Android 10, 11, and 12. Among the vulnerabilities addressed are a remote code execution flaw in Android Media Framework and a denial of service/remote code execution vulnerability in Unisoc chip firmware.

Note

Some Android phones (such as Google Pixel models) will get these updates fast, others (in the past most Samsung phones) will not. Spot check a few different makes of phones across your security team and warn users of those phones they are at risk.
Note that the source code for the fixes is released to the ASOP repository 48 hours after the security bulletin is released, and your device manufacturers are notified a month before this is published. Which all means that attackers can now start reverse engineering the flaws and, more importantly, don’t wait on applying updates once published. If your OEM is not providing updates rapidly, you may want to assess the risk of their lagging behind and decide if another provider is appropriate.

Facebook Phishing Campaign

A phishing campaign targeting Facebook and Messenger users has stolen millions of account credentials and tens of millions of dollars. The phishing campaign operates by sending a malicious link in DMs from compromised accounts. The link redirects recipients through a series of pages containing ads, ultimately landing on a phony Facebook login page. The campaign has been ongoing since late 2021.

Note

Facebook Direct Messenger is kinda like the Red Dye #2 of Internet communications – it really ought to be banned and replaced with something that at least has the same level of filtering that all email and SMS messaging gets these days. A warning about Facebook Messenger should be part of your security awareness outreach, as all too often security awareness videos that users have to watch will just talk generically – in many cases, warnings about using specific products and services are justified and needed.
The attack includes about 400 unique Facebook phishing pages; analysis of 17 found an average of 985,228 visits. The attacker claims they net about $150 for every 1000 visits. Be careful with FB messenger: make sure that messages are really coming from your friends, particularly when one shows up from someone you’re not accustomed to using Messenger with. I suggest verifying their status through other mechanisms. The URLs shared are using common URL generators like litch.me, famouis.co, amaze.co and funnel-preview.com, which are also used by legitimate apps. That said, if you’re not used to getting links from these domains, don’t click them.
A key here is when training your workforce on “phishing,” emphasize that phishing is no longer just email attacks, but SMS, voice phishing or on social media. Focus less on the medium that is used and more on the most common indicators of a social engineering attack; they are often the same, tremendous sense of urgency being one of the most common.

New Microsoft Defender Feature Isolates Unmanaged Devices

A new feature in Microsoft Defender for Endpoint (MDE) allows administrators to “contain” unmanaged (not enrolled in MDE) devices and devices suspected of being compromised. The feature is designed to prevent threat actors from moving laterally within organizations. MDE will tell enrolled devices to block all communication with devices tagged as “contained.” The “contain” feature works only on enrolled devices running Windows 10 or later or Windows Server 2019 or later.

Note

This is essentially good old-fashioned NAC (Network Access Control) which is really the foundation for any form of “Zero Trust.” (History note: Microsoft called it Network Access Protection and Cisco called it Network Admission Control back in the day.) NAC got a bad name 15 years ago due to interoperability issues across vendors and because it was mainly used to keep unpatched PCs from connecting – which punished the users for an IT ops failure to patch. Prioritize a testbed network segment to try it out – you will likely need to do some upskilling to deal with false positives, defining “contain” to balance security with disruption, and in threat hunting skills to investigate the devices being contained.
Pay attention to how this works. If it fits your environment, you should definitely start piloting the capability. You can only use this capability on MDE devices, and the controls only work against other MDE devices. That said, this is an effective way of removing access to resources for devices which are compromised or otherwise don’t meet your acceptable level of risk. Also, containment is tied to machine identity rather than IP address, so access is blocked irrespective of connection location or IP.

Sophos Says Dwell Time Increased in 2021

Sophos has published its Active Adversary Playbook 2022, which “details the main adversaries, tools, and attack behaviors seen in the wild during 2021 by Sophos’ frontline incident responders.” The report found that average dwell time for cyber intruders increased from 11 days in 2020 to 15 days in 2021. Healthcare organizations had on average the shortest dwell time (8.5 days), which educational institutions had the longest (34 days). Average well time was higher (more than 50 days) for companies with 250 or fewer employees than for larger organizations.

Note

Make sure your detection and response capabilities are where they need to be. Talk to your defenders to find where they have gaps, then take steps to address them. Make sure that you’re leveraging all the tools and automation available from your services. If you’re too small to insource your defense, talk to your service provider to make sure you have sufficient coverage. Lastly, schedule regular assessments and tests to verify you’re where you should be. Don’t forget to leverage resources from your local CISA, ISAC etc.
While not a good statistic, it is better than in years past when average dwell time was measured in months, not weeks. However, the most recent DBIR report had a disturbing metric about dwell time: over 50% of breaches were self-reported by the cyber attacker. In other words, the victim found out about the breach from the attacker themselves (primarily ransomware).

Follina is Being Actively Exploited to Spread Malware

Threat actors continue to exploit the Follina vulnerability in Windows (CVE-2022-30190) to spread malware. In addition to the phishing attacks targeting European and US government entities with Qbot malware, as noted by Proofpoint, Symantec has detected threat actors exploiting the vulnerability to spread AsyncRAT.

Note

Remember we were holding off on disabling MSDT? It’s time to re-assess. Your endpoint and other protection services are updating their protections. The attacks are coming from multiple well-resourced organizations. You need defense in depth.

Joint Advisory: China Exploits Known Vulnerabilities to Target Telecoms

In a joint advisory, the US National Security Agency (NSA), the FBI, and the Cybersecurity and Infrastructure Security Agency (CISA) warn that Chinese “state-sponsored cyber actors continue to exploit publicly known vulnerabilities in order to establish a broad network of compromised infrastructure.” The advisory lists 16 known vulnerabilities the hackers have been exploiting to infiltrate networking devices from 10 vendors.

Note

These are not new vulnerabilities. They range from 2017 to 2021, and most are in network equipment (firewalls, switches, access points, NAS.) It is paramount to make sure that your boundary protection and network devices are kept updated and secure, particularly as more segmentation and NAC solutions are implemented to support a more flexible service access model such as zero trust.

CISA’s Cyber Innovations Fellows Initiative

The US Cybersecurity and Infrastructure Security Agency’s (CISA’s) Cyber Innovations Fellows program will bring experts from the private sector to work at the agency part-time for up to four months. The fellows will bring “their expertise to some of our most critical teams.” CISA will hire the first group of up to eight fellows later this year.

Note

CISA has been working hard to raise the bar for both public and private sector cyber security. Even so, it has been noted that some of the CISA directives are not viable in the real world. This is an exciting opportunity to infuse real world experience and expertise into their processes as well as gain insight and understanding you can bring back. They are looking for a broad range of expertise including AI, ML, Cyber Risk, Remediation, Cloud, SBOM and Threat intel. If you’re interested read the CISA Prospective Cyber Fellow Candidates page for details: https://www.cisa.gov/prospective-cyber-fellow-candidates

CISA Adds 39 Flaws to Known Exploited Vulnerabilities Catalog

This week, the US Cybersecurity and Infrastructure Security Agency (CISA) has added 39 flaws to its Known Exploited Vulnerabilities Catalog, 36 on Wednesday, June 8 and three more on Thursday, June 9. The flaws have mitigation due dates between June 22 and June 30.

Note

Note that there are multiple vulnerabilities which can be resolved with a single update, such as pushing the latest Chromium, Acrobat and Microsoft updates. Note there are some Flash Player issues listed. It is past time to remove Flash with extreme prejudice. CISA has also updated their guidance and FAQs associated with the KEV catalog: https://www.cisa.gov/uscert/ncas/current-activity/2022/06/07/cisa-provides-criteria-and-process-updates-kev-catalog
This database is becoming quite large. It demonstrates how porous our environment is. Items in the catalog should get priority when patching.

Public exploit code worsens Atlassian Confluence vulnerability scenario

Threat actors continue to target unpatched versions of Atlassian Confluence with public exploits. The vulnerability, CVE-2022-26134, initially arrived as a zero-day last week that affects all versions of the popular collaboration tool. If exploited, the attacker could completely take over the host and execute remote code on the targeted machine. The vulnerability itself appears to be an OGNL injection vulnerability specifically impacting the web server and can be exploited via an HTTP request. It appears that all HTTP methods are vulnerable as well. The exploitation appears to be relatively straightforward and should be resolved immediately either through patching or other mitigations. Although a patch is publicly available, many instances of the software remain unpatched.

ChinaChopper web shell pops up again on backs of Atlassian bugs

The ChinaChopper web shell is being spread as part of the attacks exploiting the zero-day vulnerability in Atlassian Confluence. Attackers exploiting CVE-2022-26134 install ChinaChopper but rarely access it, leading researchers to believe that it’s being used as a source of backup access. The nearly 11-year-old malware allows attackers to retain access to an infected system using a client-side application that contains all the logic required to control the target. Cisco Talos has documented several instances of different threat groups using China Chopper. This web shell is widely available, so almost any threat actor can use. This also means it’s nearly impossible to attribute attacks to a particular group using only presence of China Chopper as an indicator.

Evil Corp’s Sanctions Evasion Attempts Fall Flat

With sanctions against Evil Corp proving effective, it’s tempting to suggest ramping them up against the wider ransomware ecosystem. However, these sanctions are best used as a stick to punish the worst actors, not as a catch-all tool.

On Monday, the LockBit ransomware group claimed to have breached cybersecurity firm Mandiant on its leak site.

Lockbit ransomware group claims to have ransomed Mandiant. pic.twitter.com/2rgTG72MmF

— vx-underground (@vxunderground) June 6, 2022

Rather than being a genuine breach, this looks to be retaliation for a Mandiant report released last week that linked Evil Corp to LockBit ransomware.

A follow-up tweet about this is visible on our Twitter timeline. It was a troll and/or publicity stunt to retaliate against Mandiant claiming EvilCorp had joined Lockbit.

You can stop commenting on this now.

Have a nice day.

— vx-underground (@vxunderground) June 7, 2022

Evil Corp was originally sanctioned by the US Treasury department in 2019 for crimes including the development and distribution of Dridex banking malware. Since these sanctions were announced, Evil Corp has cycled through a succession of homegrown ransomware variants in increasingly quick succession. Mandiant believes that sanctions made it difficult for the group to extract ransom payments and as each new variant was associated publicly with Evil Corp the subsequent payment difficulties forced it to develop and migrate to a new variant.

Mandiant speculates that Evil Corp has since given up on its own strains and migrated to using ransomware from other Ransomware-as-a-Service operators to muddy attribution. Rather than being identifiable because it uses exclusive homegrown ransomware, it could blend in with other affiliates.

This makes total sense for Evil Corp, but it appears that LockBit doesn’t want to be tarred by the same sanction brush. It’s a reasonable concern for them. Victims will be reluctant to pay up when they’re hit by LockBit because the affiliate who actually deployed the malware might be on a sanctions list. The penalties for breaking Treasury sanctions can be stiff, up to USD$1m in fines and 20 years in prison per violation, so groups involved in payments (such as insurers and ransomware recovery and negotiation firms) aren’t keen to accidentally break any of them.

Mandiant claims LockBit’s fake hack was an attempt to discredit its report, but we think it’s more a case of juvenile payback and an attempt to distinguish itself from Evil Corp.

Based on the data released, there are no indications that Mandiant data has been disclosed. Rather the actor appears to be trying to disprove our June 2nd, 2022 research on UNC2165 and LockBit. We stand behind the findings of this research. https://t.co/sYPUeEvrQc

— Mandiant (@Mandiant) June 7, 2022

When LockBit published the cache of files it claimed it stole from Mandiant, the files included a statement from LockBit distancing itself from Evil Corp and its leader Maxim Yakubets which boils down to “our group has nothing to do with Evil Corp”.

#Lockbit got all the attention to post this. TL;DR "We are not evil and not corp. You gotta believe us. For real" pic.twitter.com/DfiW9oATnL

— 𝕯𝖒𝖎𝖙𝖗𝖞 𝕾𝖒𝖎𝖑𝖞𝖆𝖓𝖊𝖙𝖘 (@ddd1ms) June 6, 2022

One might look at Evil Corp using other RaaS as evidence that sanctions against ransomware actors are ineffective, but this incident proves the opposite. Sanctioned groups work hard to avoid them, and other criminal gangs don’t want anything to do with the sanctioned entities.

If that is not compelling enough, at this week’s RSA conference Rob Joyce, NSA’s Director of Cybersecurity, confirmed that ransomware operators had changed their behaviour due to sanctions. “How do we know? Really? We’re NSA… we’ve heard them say it is hard to get funds out,” he said.

.@NSA_CSDirector on Qs he has received about his claiming Russian ransomware actors have changed their behavior due to sanctions:

"How did we know? Really …? We're NSA. We heard them, say money. We've heard them say that it's hard to get funds out."

— Martin Matishak (@martinmatishak) June 8, 2022

So, if sanctions are effective, why not sanction all the groups? Surely this would drive down payments to the ransomware ecosystem?

For a start, there is a certain baseline amount of public information that is needed to effectively levee sanctions, as explored in a ProPublica article we linked to some weeks ago. It’s far better to list named individuals rather than meaningless groups that are constantly being rebranded, but it can be hard for the Treasury office responsible to point to reliable public information.

Additionally, victims are already more reluctant to pay Russian ransomware crews, as sanctions against Russian entities have expanded since the invasion of Ukraine. Even groups such as Conti — that aren’t specifically listed — could be sanctioned because of possible ties to listed entities such as the FSB. In other words, payments are already generally being throttled, so doing the work to specifically name more groups might not be worth it.

There may also simply be better things for Treasury to focus on. Reuters this week reports on cryptocurrency exchange Binance’s laundering of USD$2.35bn of funds over time. Why go for amorphous ransomware groups when exchanges are easier to target and may offer a far bigger payoff in terms of effects across the ecosystem? (Obviously blanket sanctions on the world’s largest cryptocurrency exchange are a non-starter, but there are levers to pull.)

And although sanctions look to be effective at reducing payments to ransomware groups, this is probably not the best measure of success. If it were, governments should simply make ransomware payments illegal. Job done! Ransomware solved!

Using sanctions as a behavioural lever to reduce the amount of disruption that ransomware causes looks to be a better approach: apply sanctions to the most damaging ransomware groups to encourage ransomware crews to behave “better”.

So we should enjoy the schadenfreude in this LockBit and Evil Corp incident, but let’s keep sanctions for the most damaging groups.

Internet Anonymity Targeted in Authoritarian States and Democracies Alike

Both authoritarian states and democracies are clamping down on internet freedoms and anonymity, each for entirely different reasons.

Let’s start with the authoritarian countries. Roskomnadzor, the Russian telecommunications watchdog, has ordered that the Tor browser be removed from the Russian Google Play store and also cracked down on use of VPNs. Together these appear to form part of a concerted effort to limit Russian citizen’s access to anonymising and censorship evasion technologies.

Other internet restrictions occur for reasons that are plain odd. The Record reported the Syrian government shuts down internet access to prevent cheating in high school national exams. And it is not alone in this — according to an Access Now report released in May this occurs in several other countries including Bangladesh, Iran, Iraq and India.

However, Access Now’s report found that most internet shutdowns occur in response to political instability and that India, a democracy, was the biggest culprit with 106 shutdowns. These occurred mostly in Jammu and Kashmir rather than being nation-wide, but they are still worrying as some observers are concerned that India may be “set on a path to becoming an illiberal pseudo-democracy”.

In addition to liberal use of internet shutdowns, the Indian government is also imposing stringent cyber security regulations intended to make the Indian internet more “open, safe, trusted and accountable”.

Some of the regulations seem too broad to be useful and will capture too much of the internet’s background noise. For example, companies have just six hours to report a range of common (or vaguely defined) incidents to India’s Computer Emergency Response Team (CERT-In), including:

Targeted scanning/probing of critical networks/systems
Identity Theft, spoofing, and phishing attacks
Malicious mobile apps posing as legitimate apps
Unauthorised access to social media accounts
Attacks or malicious/suspicious activities affecting systems/ servers/networks/ software/ applications related to Big Data, Blockchain, virtual assets, virtual asset exchanges, custodian wallets, Robotics, 3D and 4D Printing, additive manufacturing, Drones

This updatehttps://www.cyberscoop.com/belarusian-hacktivist-group-releases-purported-belarusian-wiretapped-audio-of-russian-embassy/ recently lamented the US government’s lack of granular data on ransomware incidents and we are a fan of robust disclosure requirements — governments need to know what is happening on the internet to respond effectively. But this will just overwhelm CERT-In with the dull roar of the everyday internet.

These regulations also essentially spell the end of ‘no-log‘ VPN services, with VPN service providers (and also data centres and cloud service providers) being required to keep subscribers’ validated names, addresses, and IP address allocation information for five years. These kinds of VPNs are used for criminal activity, so there are good reasons the Indian government would want these logs kept.

As a result of these regulations, both ExpressVPN and Surfshark announced over the last week they have decided to remove their Indian VPN servers to avoid being subject to the regulation. Both are keeping Indian IP addresses in Singapore and the UK, so they say they will be able to serve customers wanting to appear to be in India. Other VPN services told The Record they might also remove their servers from India.

One concerning gap in the Indian regulations as they are published is that they don’t make clear what thresholds must be met for access to subscriber information. For example, the FAQ associated with the regulation states access to logs is at the discretion of CERT-In: “The requisition for seeking information is [sic] respect of logs may be given by an officer of CERT-In not below the rank of Deputy Secretary to the Government of India”.

Subsequent press reporting in The Economic Times makes it clear that this type of data would only be used by law enforcement agencies after they had followed standard procedures and obtained court orders, as happens in other democracies.

When push comes to shove, government authorities in democracies are often able to get IP addresses when they need to after following proper procedures. French authorities, for example, got the IP address of a French activist using ProtonMail’s services via Europol after approval from Swiss authorities, despite ProtonMail’s reputation and the “privacy cred” that comes with being Swiss-based.

What’s the lesson here? Governments of all stripes are no longer treating the internet as a regulation no-go zone, but different types of governments will make different decisions about where to draw the lines between privacy, anonymity, and security. Often these lines are drawn in the types of checks and balances found in democracies and less in the regulations themselves. As in: A metadata retention regime in Australia will result in different outcomes to the same sort of regulations applying in Myanmar.

iOS Safety Check

Apple announced iOS 16 will include Safety Check, a new feature to protect people in abusive relationships. It allows users to audit who else has access to passwords and other sensitive information such as location data and cut them off in one clean sweep.

PII market seized

The US government announced the seizure of the SSNDOB marketplace, an online marketplace that sold personally identifiable information (PII) of (mostly) US citizens, including social security numbers, dates of birth and names. It’s good to see international collaboration with both the Latvian and Cyprus police involved. Cryptocurrency analysis company Chainalysis reports SSNDOB has received USD$22m in Bitcoin since 2015, which probably understates the market’s importance as the PII it sold was used to enable fraud and other cyber crime.

Children’s hospital attack thwarted

At a cyber security conference FBI Director Christopher Wray said the organisation managed to prevent an attack by state-sponsored Iranian hackers on a Boston children’s hospital. It’s good it was stopped, but, like, wtf.

Schulte is Still Unpleasant

The New Yorker has a great long read about Joshua Schulte, the former CIA employee accused of leaking the agency’s hacking tools in the so-called Vault 7 document dump. The piece illustrates CIA office culture (more “Office Space” than “The Bourne Identity”) and what the author describes as “the pageantry of overclassification”. After the stolen and now publicly available materials were downloaded from WikiLeaks, for example, the investigators stored the laptop containing them in a safe and investigators needed security clearances before they were allowed to view the material.

Schulte also comes across as a real piece of work. In addition to stealing and leaking secrets, Schulte is charged with child pornography offences (he claims he’s innocent, and that child pornography is a non-violent victimless crime anyway). How he ever got a job at the CIA is a mystery.

Chinese APT “Plumbing” Laid Bare

The US government has released a joint Cyber security Advisory detailing the techniques Chinese state-sponsored groups use “to exploit publicly known vulnerabilities in order to establish a broad network of compromised infrastructure” including by targeting “major telecommunications companies and network providers”.

The advisory includes a section on how PRC groups typically operate in telco networks. After gaining initial access via known vulnerabilities they target critical authentication systems to get network credentials. These credentials are then used to harvest router configuration information and subsequently to “surreptitiously route, capture and exfiltrate traffic out of the network”.

Rob Joyce, the NSA’s Director of Cybersecurity, told The Record that this advisory pulled together information about the top vulnerabilities Chinese actors are using to build foundational “plumbing”. By publishing this information the US government hopes companies will be able to identify and “stop the tradecraft”.

Cyber Command Did Something. We Have No Idea What.

US Cyber Command Director Paul Nakasone stated that the US had launched offensive cyber operations against Russia in support of Ukraine. White House Press Secretary Karine Jean-Pierre then confirmed that these operations did not violate the US policy of avoiding a direct military conflict. An offensive operation could be anything from popping a shell on an enemy C2 server to blowing up a building by fiddling with its HVAC system, so without further context, Nakasone’s statement is essentially an information-free zone. But at least they get to sound like they’re doing something important.

Offensive cyber abilities against #Russia don't violate the US policy of avoiding a direct military conflict with Moscow, according to @PressSec. pic.twitter.com/rEicMPLeXd

— Steve Herman (@W7VOA) June 1, 2022

Takedown

Microsoft’s Digital Crimes Unit (DCU) said on Friday that they disrupted infrastructure operated by Bohrium, a cyber-espionage group operating out of Iran.

Amy Hogan-Burney, DCU General Manager, said the DCU legal team successfully obtained a court order that granted Microsoft control over 41 domains used by the Bohrium group in spear-phishing operations.

Important work by the @Microsoft Digital Crimes Unit to share today. Our team has taken legal action to disrupt a spear-phishing operation linked to Bohrium, a threat actor from Iran. The court filings can be found here: https://t.co/jwZaRardcF

— Amy Hogan-Burney (@CyberAmyHB) June 2, 2022

“Our DCU investigation found Bohrium targeted customers in the US, Middle East, and India. Targets come from sectors including tech, transportation, government, and education,” Hogan-Burney said.

The Microsoft exec said the group’s members used fake social media profiles, often posing as recruiters, and lured employees at targeted organisations on one of the 41 malicious sites. Here, they tried to collect their personal information, which they later used in subsequent email attacks that sought to infect the victims with malware.

To date, Microsoft’s DCU team has used the US court system to seize domains and server infrastructure from more than two-dozen cybercrime and espionage groups alike.

Confluence exploitation

The Kinsing, Hezb, and Dark.IoT botnets have been spotted exploiting the recently-disclosed Confluence zero-day CVE-2022-26134 to install their payloads on unpatched servers.

Follina gets some love

After being disclosed last week, the Office zero-day vulnerability known as Follina (CVE-2022-30190) is seeing broader adoption by the cyber-criminal underground after being previously adopted by nation-state groups, Proofpoint’s threat intelligence team reported, with the latest to get on the exploitation train being the Qbot malware botnet.

Proofpoint saw #TA570 exploiting CVE-2022-30190 to deliver #Qbot malware. Actor uses thread hijacked messages with HTML attachments which, if opened, drop a zip archive.

— Threat Insight (@threatinsight) June 7, 2022

Proofpoint blocked a suspected state aligned phishing campaign targeting less than 10 Proofpoint customers (European gov & local US gov) attempting to exploit #Follina / #CVE_2022_30190.

— Threat Insight (@threatinsight) June 3, 2022

LockBit-Mandiant drama, explained

Standing as evidence that most ransomware gangs have the emotional intelligence of a petty 12-year-old online gamer, the group behind the LockBit ransomware pulled off one of the most cringe-worthy stunts in recent years after, on Monday, the group published an entry on its “leak site” claiming to have breached and encrypted the network of cybersecurity giant Mandiant (formerly FireEye).

The announcement made a huge initial wave through the cybersecurity community, but it didn’t take long for industry experts to regain their wits and realize how unrealistic such an intrusion would be.

Obviously, Mandiant dismissed the claims as untrue; a task made immensely easier by the LockBit gang itself, which failed to share any evidence of their successful attack.

But the reality is that there was no such intrusion and one had to read between the lines to understand what really happened over the weekend.

All of the Monday drama is actually related to a report Mandiant published last week on EvilCorp, a major Russian cybercrime cartel that previously operated the Dridex banking trojan and ransomware strains such as Locky, Hades, WastedLocker, and BitPaymer.

One of the report’s findings was that after getting sanctioned by the US Treasury in December 2019, the EvilCorp group has been having a harder and harder time receiving ransom payments following their intrusions, as victims and ransomware negotiators would not want to break sanctions, fearing fines and possible prosecution from US authorities.

Over the past two and a half years, EvilCorp tried to avoid the looming sanctions by developing new ransomware strains and constantly rebranding their Ransomware-as-a-Service (RaaS) portals, often posing as a new cybercrime group that just launched on the criminal underground.

However, security researchers kept findings clues linking these new services to the old EvilCorp gang. As this tactic appears to have become inefficient in recent months, Mandiant said last week that EvilCorp members began using the RaaS services of other gangs, hoping to disguise their real identity as a mere sub-group of another ransomware cartel.

But just by publishing its report last week, Mandiant indirectly nuked the profitability of the LockBit RaaS into the ground, six feet under, dead and buried.

Just by casually linking the EvilCorp brand with LockBit’s operation, Mandiant has (accidentally?/intentionally?) ensured that victims and ransomware negotiators would now be just as skittish in making or approving payments following a LockBit attack, fearing the legal hammer of US authorities. This means that LockBit’s profits are about to take a ginormous hit over the next few weeks—and LockBit knows it!

Hence, that’s why we had all that kindergarten-level drama on Monday, which was nothing else but LockBit trying to ruin Mandiant’s reputation in return, but with little success and only managing to make themselves look like fools in the process.

And LockBit also knows that nobody believed their wild claims since a few hours later, on Monday, the group also published a statement that is the definition of “damage control,” a statement where they tried to distance themselves from EvilCorp and their leader, Maksim Yakubets, claiming no association. Alas, good luck getting paid, LockBit!

Palermo

The IT infrastructure of the city of Palermo, Italy, has been down since last Friday following a cyber-attack.

Maiar hack

DeFi platform Maiar said on Monday that a threat actor exploited a vulnerability on its platform and stole more than $113 million worth of cryptocurrency from its wallets. In a YouTube video published on Tuesday, the platform’s CEO said they had already recovered 95% of the stolen funds.

Schulte profile

The New Yorker has a fantastic profile of Joshua Schulte, the former CIA agent behind the WikiLeaks Vault7 leak.

iOS gets separate security update mechanism

At the WWDC 2022 developer conference this week, Apple announced plans to add a new feature to iOS called Rapid Security Response that will allow the company to deploy security updates to its devices as separate patches without needing to update the entire operating system. The new feature will be added in iOS 16, scheduled to be released later this fall.

iOS to protect victims of domestic abuse

In addition, at the same WWDC 2022 conference, Apple also announced plans to add another feature in iOS 16 to protect people in or leaving abusive relationships. Called Safety Check, the new feature will help users manage app access and passwords and let them know who else has their passwords and personal information. But the best feature is something called an “emergency reset” that allows users to sign out of iCloud, lock down privacy settings and limit incoming messages to only “the device in their hand.”

Binance exposed

In an investigative piece published on Monday, Reuters has accused the Binance cryptocurrency platform of being ignorant of money laundering operations taking place on its platform. Reuters reporters said that Binance served as a conduit for the laundering of at least $2.35 billion in illicit funds, including from drug traffickers, online fraudsters, and North Korean hackers.

XLoader pauses Ukraine infections

The operators of the XLoader malware said in a post on a cybercrime forum that they will no longer infect Ukrainian systems due to the ongoing war.

operation xloader published today that will infect more devices in Ukraine due to the situation
@pancak3lullz @campuscodi @cyber_etc @3xp0rtblog pic.twitter.com/zWQULhLMM9

— new (@newransom12) June 6, 2022

Arrest in Vietnam

Vietnamese officials have detained a Taiwanese national on accusations of breaching the country’s financial system. According to a statement published over the weekend, the suspect engaged in “scanning for security holes, privilege escalation attacks, [and] unauthorized access to the management system of servers at banks to withdraw money in customers’ accounts.”

Passwordstate digital certificate

The Passwordstate password management company, which suffered a major security breach last year, said they revoked their digital certificate after they were informed by an Australian security firm that it had been used to sign malware payloads last week. More specifically, the malicious payloads were Office files weaponized with the recently disclosed Follina zero-day.

Skimmer detained in Ukraine

In the midst of its war with Russia, Ukrainian Cyber Police have detained a Bulgarian national on accusations of installing skimmers on ATM devices across the country.

CyberSpecial Forces

A new pro-Russian hacktivist group called “Киберспецназ” (CyberSpecial Forces) has been spotted active online, with the group vowing to attack NATO countries. The group becomes the 115th cyberspace threat actor known to be involved in the Ruso-Ukrainian conflict.

SSNDOB seized

US and Cyprus officials have seized this week four web domains that hosted SSNDOB, a cybercrime marketplace known for selling access to detailed PII data. The website, which has been operating for a few years now, was listing the personal details of approximately 24 million Americans and made at least $19 million from its operation, the DOJ said on Tuesday.

TaRRaK

Avast has released a decrypter for the TaRRaK ransomware, which has been infecting victims for almost a year since June 2021.

SVCReady

HP’s security team has published a report on SVCReady, a new malware loader strain delivered via malicious Office files. Researchers believe the malware may be linked to the TA551 threat actor.

Ruso-Ukrainian war

Trellix has a summary of the cyber-attacks and cyber-espionage operations that have taken place since the onset of the Ruso-Ukrainian war and all the threat actors involved.

Micropatch for another Microsoft zero-day

ACROS Security has released a micropatch for another zero-day vulnerability in the Windows operating system. This new zero-day is named DogWalk, was re-discovered last week after first being documented in 2020, resides in the Microsoft Diagnostic Tool’s sdiageng.dll library, and can be used to bypass Mark-Of-The-Web (MOTW) markings.

This is for sure an underrated 0day on Microsoft Support Diagnostics Tool. To summarize:

1) Persistence by startup folder.
2) MOTW bypass.
3) Not flagged by chromium-based file downloaders (Chrome, Edge or Opera).
4) Defender bypass.

All-in-one. Enjoy!https://t.co/lgTnDSxYGM pic.twitter.com/UyNyEYlH4c

— j00sean (@j00sean) June 2, 2022

Microsoft classified this bug as a “won’t fix” when it was initially reported to the company.

This is real. We've confirmed it to work on fully patched Windows. The attack scenario is similar to CVE-2020-1300: get the user to open a CAB file, and a malicious executable is silently copied to their StartUp folder, to be launched the next time they login. https://t.co/n7qjfeGZIg

— Mitja Kolsek (@mkolsek) June 3, 2022

Telegram denies vulnerability report

Instant messaging service Telegram denied claims made by a user on Twitter that its platform contained a vulnerability that could be used to obtain private and group chats. In a message sent to Reuters reporter Raphael Satter, the company called the claims “fantastic at best” and that they had “all the hallmarks of a hoax.”

https://twitter.com/adyingnobody/status/1534021154674966529

Android security patches

Google has released the Android Security Bulletin for June 2022.

IBM acquires Randori

IBM’s cybersecurity arm has acquired Randori, a provider of offensive cybersecurity and attack surface management (ASM) services.

Follina Vulnerability Remains Unpatched

Microsoft has not yet released a patch to address the vulnerability known as Follina. The flaw affects the company’s Support Diagnostic Tool and can be exploited to take control of vulnerable devices. Microsoft has acknowledged that the flaw is being actively exploited and has published guidance that include temporary mitigations. The vulnerability can be exploited through a maliciously-crafted Word document. The flaw affects all currently supported versions of Windows. Microsoft has not said whether or not plans to release a patch for the vulnerability.

Note

This vulnerability should still be at the top of the list of things to worry about. You must implement the workaround to prevent exploitation. While anti-malware vendors are quickly updating signatures, they are inadequate to protect against the wide range of exploits that may take advantage of this vulnerability.
The Microsoft guidance includes a workaround of disabling the MSDT service on each endpoint. Many endpoint protection tools are also now able to detect and block the attack, check to see if you’re covered there. Additionally verify your email security services are enabled, and are detecting and blocking this attack. While blocking externally sourced office documents is also an approach, use caution as this is likely impactful to the business and likely will be worked around by users.
Just a reminder that SANS had a webinar on Follina you can view at https://www.sans.org/webcasts/emergency-webcast-msdt-ms-word-0-day/ and published a Follina Q&A with SANS instructor Jake Williams at https://www.sans.org/blog/follina-msdt-zero-day-q-a/

Follina is Being Actively Exploited

Threat actors believed to be acting on behalf of an as-yet unidentified government have been exploiting the Follina vulnerability to target US and European government organizations. The threat actors sent at least 1,000 phishing messages that contained a maliciously-crafted document that pretended to be information about a salary increase.

Note

One set of Follina exploits sighted is taking advantage of a digital signature that was created using a key stolen from software company Clickstudio. More sophisticated exploits like this will often bypass defenses.
Make sure your shields are up, IOCs in place and you’ve implemented your plan to mitigate the risks of a Follina attack.

Audit Raises Questions About Federal Dam Cybersecurity Accountability

The Tennessee Valley Authority (TVA) Office of Inspector General’s audit of the TVA’s non-power dam control system cybersecurity “found no clear ownership of the non-power dam control system; vulnerable versions of operating systems and control system software; inappropriate logical and physical access; [and] internal information technology controls [that] were not operating effectively or had not been designed and implemented.”

Note

The deficiencies are mostly basic security hygiene issues – Implementation Group 1 of the Critical Security Controls. Most of IG1 are really related to shortcomings in IT (or in this case OT) operations and governance – updating applications and operating systems to current versions, having clear business ownership of systems, etc. The TVA has said it will remedy deficiencies by May 2023 but the OT operations and governance issues should be addressed ASAP.
This is foundational cyber hygiene. Make sure that you have a comprehensive inventory of systems and that ownership, particularly of the security, is well defined. Then make sure that you are verifying the security posture, remediating gaps when discovered. Verify you have policies and procedures to support systems being deployed as securely as possible with open lines of communication on not only how to approach that, but also how to remediate discovered issues without throwing anyone under the bus.

Windows Autopatch Now in Preview

Microsoft has made its Windows Autopatch service available for public preview. The service will be generally available in July to customers with Windows Enterprise/Microsoft 365 E3 or E5 licenses.

Note

Per earlier NewsBites comments on Windows Autopatch, if you have the right licenses, try it out across a controlled test environment. The security gain is a given and application issues due to the patches are very likely to be less than you anticipate.
Reducing the workload of keeping endpoints updated is a big win. This service is designed to work with enterprise devices, without necessitating a VPN connection. Note the prerequisites which include device management via Intune or Configuration Manager co-management, user accounts in Azure Active Directory or Hybrid Azure Active Directory Join. You may already meet these requirements for your enterprise systems.
This should be enabled by default across all enterprises and systems. Fear of breaking applications is overstated. The risk of unpatched systems is a demonstrable problem.

Atlassian Releases Patches for Critical Confluence Server and Data Center Vulnerability

Atlassian has released fixed to address a vulnerability affecting its Confluence Server and Data Center. The flaw can be exploited by an unauthenticated user to execute arbitrary code. The issue affects all supported versions of Confluence Server and Data Center; the updated versions are 7.4.17, 7.13.7, 7.14.3, 7.15.2, 7.16.4, 7.17.4, and 7.18.1. Customers who access their Confluence sites through an Atlassian.net domain are not affected.

Note

The flaw dates to Confluence Server and Data Center products version 1.3.0. The long-term fix, if you’re continuing to host your Atlassian instance, is to update to the latest long term support release. If you’re in a cluster, make sure that you don’t forget to update all the nodes. Atlassian is pushing customers towards a hosted solution; after you apply the updates, this would be a good time to have those conversations, to include recording any show-stoppers to avoid re-hashing known issues.

US Draft Legislation Would Create National Data Privacy and Security Framework

US legislators on both the House of Representatives and the Senate have released a discussion draft of legislation described as “a comprehensive national data privacy and data security framework.” The draft bill would designate the Federal Trade Commission (FTC) as regulator for the proposed rules, which would pre-empt most state data privacy and security laws.

Note

The US Congress has failed to pass federal data privacy laws many times over the past 15 years, so hard to be optimistic that this will actually pass, but some of the thornier issuers (like the preemption issue) have been addressed in this draft. The FTC has a good track record in this area – SANS gave the agency a Difference Makers award back in 2013. If the law passes, the FTC will have a year to establish the new office and define squishy terms such as “reasonably necessary, proportionate, and limited…” The draft also attempts to address social media algorithms, a controversial area.
One hopes this time we get something enacted. Getting a common bar at the federal level should help raise the bar across the nation. One thing to keep an eye on is which state laws are preserved/not preempted. Generally, state laws to be preserved include consumer protection, civil rights, student and employee privacy, data breach notification, contract and tort, fraud, theft and identity theft, unauthorized access to electronic devices, and unauthorized use of personal information, cyber stalking, cyber bullying, sexual harassment, etc.

New York’s Right to Repair Bill for Electronics

The New York State legislature has passed an electronics right-to-repair bill. The Fair Repair Act. The bill would require electronics makers to share diagnostic and repair information with consumers and independent repair shops and make software, tools, and part available to them. The governor has not yet signed the bill into law.

Note

This is a big step forward for local electronics repair shops in New York State, and offers hope for less expensive repair options, rather than wholesale replacement of damaged electronic devices. Once signed into law, there will be a year for implementation. Note the bill applies only to electronics; medical devices, home appliances, agricultural and off-road equipment, public safety communication equipment or motor vehicles are not subject to the bill.
Note that for most enterprises, repairing mobile devices yourself will be significantly more expensive than even what Apple charges, but this may help drive repair prices down in the long run.

Security Flaws in BD Synapsis, BD Pyxis, and Illumina Medical Devices

The US Cybersecurity and Infrastructure Security Agency (CISA) and the Food and Drug Administration (FDA) have warned of security vulnerabilities in several medical devices. Flaws in BD Pyxis automated medication dispensing systems could be exploited to gain access to protected health information (PHI). A vulnerability in the BD Synapsis microbiology informatics software platform could be exploited to modify data, which could result in incorrect or delayed treatment. A handful of vulnerabilities in Illumina in-vitro diagnostic devices and research use only instruments could be exploited to take control of unpatched devices.

Note

Illumina has released a patch that protects against remote exploitation as a stopgap until the permanent fix can be released, BD is releasing Synapsis v4.20 SR2 later this month to address the weakness. BD Pyxis is working to remove hard coded credentials and is piloting a credential management solution as a long-term fix. In the interim, you’re going to want to make sure the devices are properly segmented only allowing connections for authorized devices and users.

Palermo, Italy Suffers Cyberattack

Computer systems belonging to the city of Palermo, Italy were targeted in a cyberattack late last week. Palermo has a population of 1.3 million and is also a popular destination for tourists. As of Monday morning (June 6), all public services, websites, and portals are offline.

Note

Details are sparse, actions taken align with a ransomware versus DDoS attack. Some services are operating with fax rather than digital communication mechanisms. The city has engaged an IT service restoration company, SISPI, which is also helping to coordinate updates as well as service restoration.

GADOLINIUM (APT40)

Avast published a report last week on an email spear-phishing campaign that hit an Australian ISP and which weaponized the Follina Office zero-day (CVE-2022-30190). Microsoft linked this campaign to the GADOLINIUM (APT40) group.

GADOLINIUM/APT40 activity shown in a good writeup by Avast. GADOLINIUMs focus on the South Pacific continues… https://t.co/ONybDrtEsZ

— bk (Ben Koehl) (@bkMSFT) June 3, 2022

Google GCP VRP

Google has announced the winners of its Google Cloud Platform Vulnerability Research Program for 2021. The first-place prize ($133,337) went to Sebastian Lutz, who found a bug in Identity-Aware Proxy (IAP) that an attacker could have exploited to gain access to a user’s IAP-protected resources by making them visit an attacker-controlled URL and stealing their IAP authentication token.

U-boot vulnerabilities

NCC Group researchers have published a technical analysis of CVE-2022-30790 and CVE-2022-30552, two vulnerabilities in U-Boot, a boot loader popular in some Linux-based embedded systems such as ChromeOS and Android devices.

CodeSec is now free

Contrast Security has made its CodeSec code-scanning service free to use.

New tool

France’s ANSSI cybersecurity agency has open-sourced another tool for the security community. The tool is called AnoMark and can be used to detect anomalies in command-line arguments run on a system.

Microsoft disrupts Bohrium APT infrastructure

Microsoft’s Digital Crimes Unit (DCU) said on Friday that they disrupted infrastructure operated by Bohrium, a cyber-espionage group operating out of Iran.

Important work by the @Microsoft Digital Crimes Unit to share today. Our team has taken legal action to disrupt a spear-phishing operation linked to Bohrium, a threat actor from Iran. The court filings can be found here: https://t.co/jwZaRardcF

— Amy Hogan-Burney (@CyberAmyHB) June 2, 2022

“Our DCU investigation found Bohrium targeted customers in the US, Middle East, and India. Targets come from sectors including tech, transportation, government, and education,” Hogan-Burney said.

The Microsoft exec said the group’s members used fake social media profiles, often posing as recruiters, and lured employees at targeted organizations on one of the 41 malicious sites. Here, they tried to collect their personal information, which they later used in subsequent email attacks that sought to infect the victims with malware.

To date, Microsoft’s DCU team has used the US court system to seize domains and server infrastructure from more than two-dozen cybercrime and espionage groups alike.

The court filings can be found here.

Ukrainian TV station hack

Russian hackers have breached the systems of Ukrainian TV station OLL and have broadcast Russian propaganda during the Wales-Ukraine soccer match that decided which of the two teams will attend the World Cup later this year. OLL TV confirmed the incident in a Facebook post, took down its feed, and live-streamed the game on its YouTube channel. (via @cyber_etc)

The apes are gone, again

A threat actor stole 32 NFTs from the Bored Ape Yacht Club collection after they managed to compromise the Discord account of one of its community managers. The threat actor used this compromised account to share a phishing link through which they gained access to BAYC owners’ cryptocurrency wallets. From there, they misappropriated the NFTs and also allegedly stole an additional $145,000 worth of Ether. This is the second hack of BAYC NFTs over the past two months after hackers also stole 54 Bored Ape NFTs valued at more than $13.7 million in April.

🚨BAYC & OtherSide discords got compromised‼️

Seems because Community Manager @BorisVagner got his account breached, which let the scammers execute their phishing attack. Over 145E in was stolen

Proper permissions could prevent this pic.twitter.com/lCl2DfZQ0W

— OKHotshot (@NFTherder) June 4, 2022

Google privacy settlement

Illinois residents are eligible to receive part of a $100 million settlement after an Illinois judge found that Google broke the state’s Biometric Information Privacy Act after the tech giant used a face regrouping tool in the Google Photos app without users’ express permission. Claims can be submitted here.

Telegram privacy accusations

De Spiegel reported last week that instant messaging service Telegram shared the data of some of its users with the German Federal Criminal Police Office (BKA). The report is the first known instance where Telegram has collaborated with the BKA. The German newspaper said the cooperation was related to cases of child abuse and terrorism.

WhatsApp threatens to leave the Netherlands

Facebook has threatened to pull its WhatsApp service from the Netherlands if the local government continues with its plan to force the company to add a backdoor to its service, local media reported.

Microsoft Edge network service sandbox

Microsoft’s Edge web browser now ships with a separate sandbox system for the browser’s network component. The feature shipped with Edge v102 but is disabled by default while its performance is still being tested. The feature previously shipped with Chrome in April, in v100, where it caused some issues in its initial rollout.

New Firefox privacy feature

Mozilla plans to add a new privacy feature to Firefox v102, set to be released later this month. The new feature is named “Query Parameter Stripping,” and works by automatically removing tracking parameters from URLs to improve user privacy. The feature has been available since Firefox v96 but will be enabled by default for all users in the next v102 release. The Brave browser also has a similar feature.

1Password joins FIDO

The 1Password software company, maker of the eponymous password management utility, has formally joined the FIDO Alliance, the industry group behind the new WebAuthn standard.

Russia gets tough on privacy

The Russian Ministry of Digital Development is working on a new legislation draft that will make tech company execs personally liable for the improper collection and storage of the biometric data of Russian citizens. According to Kommersant, Execs risk fines of up to 300,000 rubles, a ban from holding certain positions, forced labor, and even up to 10 years in prison. The draft legislation comes after last month, in May, Russia also made execs personally liable for their companies’ lacking IT security, with similar prison sentences on the table for severe security breaches.

Australia’s new cyber minister

Australia now has a dedicated minister for cyber security after Australia’s new Prime Minister Anthony Albanese appointed Clare O’Neil as the Minister for Home Affairs and Minister for Cyber Security last week.

EternityGroup

CloudSEK has published a report on the timeline and evolution of Eternity, a financially motivated threat actor group selling worms, stealers, DDoS tools, and ransomware builders.

Pysa research

According to DataBreaches.net, the Pysa ransomware gang dumped the data of more than half-of-dozen schools last year before the group shut down their leak site.

Windows RDP brute-forcing

A recent report from TRUNC found that 75% of the RDP brute-force attacks the company registered over the past week tried to gain access to their system via the “Administrator” account.

Solver services

Bot detection and mitigation service Kasada said that it detected a 750% rise in the use of “solver services” to bypass existing bot detection systems. These solver services are typically maintained by cybercrime groups and provided as a paid service to other groups that want to engage in fraud against an online service, such as online retail stores, social networks, and others.

Banks in Singapore Must Take Steps to Protect Customers from Online Fraud

Banks in Singapore are being required to take steps to help protect customers from online fraud. The new measures require that the banks provide customers with a kill switch that lets them suspend their accounts in the event of a breach. They also have to improve their fraud surveillance systems. Customers are being urged to use mobile banking aps instead of visiting bank sites in browsers.

Note

Many of the steps required earlier are remedial measures to get up to common practice levels of fraud reduction. The self-service kill switch in place of a phone call seems likely to have unintended consequences of driving calls up when hit accidentally. The move to more use of mobile banking apps reinforces the importance of the mobile telecom service providers and cell phone vendors stepping up the pace of pushing out security updates to all devices, and for Apple and Google to reduce the quantity of fraudulent or “leaky” apps that make it into the Apple App Store and Google Play.
This is an interesting option, there will be some user training as all parties also learn when not to use this feature. Too often legitimate transactions are mistaken for fraud when the supporting details are inaccurate or truncated, such as POS systems still including test or outdated information in their name. Note the user is expected to call the help desk or use an ATM to initiate the lock. Increased functionality in mobile applications is welcome, don’t overlook weaknesses in the web interface, APIs or other entry points needed to support online users. Make sure users can equally access supporting details for transactions from all provided entry points.

Atlassian Warns of Confluence Server Vulnerability

Atlassian has released an advisory warning of a critical unauthenticated remote code execution vulnerability in its Confluence Server and Data Center. The flaw, which affects all currently supported versions of Confluence Server and Confluence Data Center, is being actively exploited. There are currently no fixes available for the vulnerability. Atlassian Cloud sites are not affected.

Note

This vulnerability was found after it was used in an attack against two different companies. So far, there is no patch for this vulnerability. Do not expose your Confluence server to the public. If you find a server exposed: Take it out back and rm -rf it.
The advisory notes that all supported versions of Confluence are affected, and hints that unsupported versions are as well. Don’t take a chance, implement the mitigations on all instances of Confluence. Apply the update when released and update unsupported versions or migrate to the Atlassian Cloud service. The mitigations are to either restrict access from the Internet or shutdown your instances. The CISA bulletin on CVE-2022-26134 recommends blocking Internet access. Make sure that you are monitoring activity for malfeasance. www.cisa.gov: Atlassian Releases Security Advisory for Confluence Server and Data Center, CVE-2022-26134

FBI Blocked Cyberattack Against Boston Children’s Hospital

In a speech at Boston College earlier this week, FBI Director Christopher Wray said that his agency helped to thwart a cyberattack that was targeting Boston Children’s Hospital in 2021. The FBI learned of the impending attack from an intelligence partner.

Note

All too often notification to law enforcement is the first indication to organizations that they have already been compromised. Good to see the FBI taking timely action to aid in prevention of damage.
Chalk one up for the good guys. The hospital was able to partner with the FBI and take needed steps to stop the attack. This information triggered the production of subsequent advisories on both healthcare and critical infrastructure protection. Make sure that you have relationships with the FBI, CISA and/or relevant ISOC partners before you need them to facilitate a timely response. Ensure you aren’t overlooking key component security on devices labelled as appliances which silently “just work.”

VPN Company Will Move Servers Out of India

ExpressVPN says it will move its servers out of India due to new rules recently introduced by India’s Computer Emergency Response Team (CERT-In). ExpressVPN says it cannot comply with the rule’s requirement to retain customers’ names and activity because it does not retain logs of users’ activity. The company also describes the new rule as “incompatible with the purpose of VPNs.”

Note

This implies that any VPN company still operating in India will comply with data retention laws.
Keep an eye to regulations for the regions and countries where you operate services. Not all regulators are willing to accept a response of not technically feasible. Or you may wind up in a perpetual cycle of explaining the impossibility of compliance. Either way, removing operation from that area may be the best overall solution; don’t make that decision in a vacuum, make sure the C-Suite and board are behind you.

FluBot Takedown

Law enforcement agents from 11 countries have taken down the infrastructure that was supporting the FluBot malware. FluBot has been infecting Android devices since December 2020. The malware disables security features and steals banking app credentials and cryptocurrency account information. FluBot can spread quickly because it accesses contact lists of infected devices.

Note

The contact list in mobile devices has become a lifeblood for maintaining connections with our friends, partners, and businesses, synchronization with desktop tools for consistency is now SOP. As such attention should be paid as to what has been granted access to your contacts. Look at application permissions, particularly mobile apps, restricting them to the minimum set. Check for applications you don’t use any longer and remove them. Resist the temptation to install a new app to view a unique content type. Make sure that content type is legitimate long-term, and not a lure.

Foxconn Plant Hit with Ransomware

Electronics manufacturer Foxconn disclosed that one of its production facilities in Mexico was the target of a ransomware attack in late May. The affected plant in Tijuana is “gradually returning to normal,” according to a Foxconn spokesperson.

Note

The LockBit ransomware group is taking credit for the attack and threatening to publish the exfiltrated information on June 11th. It is expected that the demand is a substantial as LockBit only targets large businesses with the ability to pay large ransom demands. Foxconn manufactures electronics, LCD TVs, mobile devices, computers for many brands, so there is a risk of substantial IP disclosure. This creates an interesting dilemma as you’re dealing with disclosure of customer data, not just yours. Consider the actions you would need in this scenario, not just to prevent recurrence, or redistribute workload to meet customer demand, but also to retain their business.

US Dept. of Justice Seizes Domain Names Used for Cybercrime

Earlier this week, the US Department of Justice (DoJ) seized three domain names that were being used to sell stolen personal information and provide distributed denial-of-service (DDoS) attacks for hire. The WeLeakInfo site claimed to be offering about 7 billion stolen records that contained personally identifiable information (PII).

Note

In 2020, the WeLeakInfocom domain was seized, and two suspects were arrested in Ireland and Netherlands. This action seized the WeLeakInfoto, ipstressin and ovh-bootercom domains. The latter two provided booster or stressor services used for a DDoS attack. The FBI is still seeking information on any individuals connected with any of these domains.

Nakasone: US Conducted Offensive Cyber Ops

General Paul Nakasone, Director of US Cyber Command, said that the US has ”conducted a series of operations across the full spectrum: offensive, defensive, [and] information operations.” Nakasone also said that his agency conducted a “hunt forward” cyber operation in Ukraine shortly before the Russian invasion.

Note

Use extreme caution with offensive cyber operations. Not only can you become a target if discovered, but you also put affiliated parties at risk. Understand the value and purpose of disclosing these activities. It’s safer to learn from the ongoing battle between Russian threat actors and the Ukraine; applying lessons learned to your area than to actively participate, even though that participation is alluring.

CISA Says Dominion Voting Machine Flaws Were Not Exploited

The US Cybersecurity and Infrastructure Security Agency (CISA) says that while several vulnerabilities were found in Dominion Voting Systems machines, there is no evidence that the flaws were ever exploited. CISA has notified election officials in states that use the equipment and has provided mitigations.

Note

The key quote is “Of note, states’ standard election security procedures would detect exploitation of these vulnerabilities and in many cases would prevent attempts entirely.” So, the key is making sure that standard election security procedures are being followed by the large and small government election authorities and that vulnerabilities in processes are being remediated before any exploitation attempt.
A lot of success can be attributed to defense-in-depth of the procedures, cyber, physical, and operational, supporting the voting process. If you’re a steward of electronic voting machines, make sure that you’re applying updates whenever they are released, not waiting until the last minute because they’re all in storage.

Apple App Store stats

Apple published a report on Wednesday summarizing its work in protecting the App Store. The company said that its safety systems blocked more than $1.5 billion in potentially fraudulent transactions, preventing the attempted theft of user funds, and also blocked more than 1.6 million risky and vulnerable apps and app updates. More stats are in the image below.

Microsoft Autopatch

Back in April, Microsoft teased a new product called Autopatch that could be used to automatically install updates on large fleets of PCs. A first public preview of this upcoming service has been released this week. The service will be offered to Windows 10/11 Enterprise E3 customers in July this year.

Firefox 101

Mozilla has released Firefox 101. Patch to fix a bunch of security bugs.

Some Mozilla VPN code goes FOSS

Mozilla has open-sourced this week the source code of its affiliate marketing component that is used to promote its Mozilla VPN service. Mozilla said the “affiliate marketing is a space rife with tons of data collection practices” and they wanted to be transparent about their system and what it collects from new users landing on its service.

ExpressVPN pulls out of India

ExpressVPN, one of the largest VPN providers in the world, has announced that it will pull servers from India after the local government passed a new cybersecurity law that would have mandated the company to collect and store information on all its users.

Voice privacy nightmare

Wired has an excellent report on the future troubles everyone is going to have with (re)securing their voices if voice biometrics and deep fake technology see broader adoption, especially after so many of us have uploaded our voice recordings on social media or have used tools based on voice recognition, such as Alexa or other smart assistants.

FluBot takedown

Law enforcement agencies from 11 countries have disrupted the operations of the FluBot Android malware gang, Europol announced on Wednesday. The malware, first spotted in December 2020, had built a reputation in recent months for carrying out large-scale SMS spam campaigns that redirected users to malicious sites hosting malicious Android apps infected with its trojan. Once it infected a new smartphone, it would use the contacts list to spread to send out new spam messages.

DOJ seizures

The US Department of Justice seized on Wednesday three domains that hosted cybercrime services. Together with Dutch and Belgium police, officials seized ipstress.in and ovh-booter.com, the domains of two DDoS-for-hire services, and weleakinfo.to, a domain used to advertise and sell access to more than 10,000 hacked databases. This last domain was, in fact, a clone of an older service hosted at weleakinfo.com that the DOJ seized back in 2020.

Operation KillerBee

Trend Micro has published additional details regarding the recent arrests of three BEC scammers on Monday, announced by Interpol, as part of Operation KillerBee.

Elasticsearch ransom attacks

Cybersecurity firm Secureworks said that it detected a new wave of ransom attacks targeting Elasticsearch servers that have been left unsecured online. The attackers are demanding a ransom of $620 (paid in Bitcoin) to restore deleted files, and Secureworks said it found this particular ransom note on around 1,200 Elasticsearch databases so far.

Malicious npm package

ReversingLabs said it identified a malicious npm package that would install a cryptocurrency miner on infected systems. The package, named maintainancewebsite, has been removed in the meantime.

EvilCorp evading sanctions

Mandiant said in a report published on Thursday that the EvilCorp cybercrime cartel, which previously operated the Locky, Hades, and the BitPaymer ransomware strains, is now using the LockBit ransomware in recent intrusions. Mandiant said the group has stopped operating its own ransomware strains after sanctions from the US Treasury have made it impossible to receive ransom payments. By using ransomware developed by other gangs, Mandiant said EvilCorp may be trying to avoid US sanctions.

Faking malicious traffic

An unidentified entity has created malware samples that have the Xinjiang Police Files leak site (xinjiangpolicefiles.org) as the command-and-control domain in the hopes of getting the site blacklisted in web browsers.

Possible that "someone" wants to get that domain blacklisted, so people won't read the stuff on that site? Any other possible explanations?
🤔 pic.twitter.com/uqgocQDqtJ

— MalwareHunterTeam (@malwrhunterteam) June 2, 2022

Clipminer

The Broadcom Symantec security team has published a report on Clipminer, a malware strain that the company said has made at least $1.7 million worth of cryptocurrency for its operators. Symantec sais the trojan installed crypto-mining software on infected devices and hijacked transactions by replacing legitimate cryptocurrency addresses inside the infected computer’s clipboard. The malware was first spotted in January 2021, and its operators have used game and pirated software cracks, P2P networks, torrent indexers, or YouTube videos to spread it to victims.

SMSFactory

Avast published a technical report on Wednesday on SMSFactory, a new Android malware strain. SMSFactory spreads via malvertising campaigns, and once it infects victims, it generates money for its operators by sending premium SMS and making calls to premium-rate phone numbers from compromised devices.

YourCyanide ransomware

Trend Micro’s threat research team published a report on Thursday on YourCyanide, a new ransomware strain targeting Windows systems that relies on the CMD utility to spread and encrypt a victim’s files.

R4IoT

Forescout has published a technical report [PDF] on how ransomware gangs could use IoT and OT devices for initial access and lateral movement.

TeamTNT

Cado Security has an update on the recent TTPs used by the TeamTNT crypto-mining botnet. Per the company, the group’s recent antics have targeted Docker Engine API endpoints and Redis servers.

Conti goes after Intel firmware

The Eclypsium team has published a report on the Conti’s gang use of Intel firmware vulnerabilities in their attacks, based on the gang’s recently leaked internal chat logs.

Popping Eagle

Palo Alto Networks has published a report on a new malware strain called Popping Eagle. The malware is written in Go and is used as a late-stage backdoor in targeted attacks.

NDSW/NDSX

The GoDaddy Sucuri team published a technical analysis of what the company calls the NDSW/NDSX malware, a collection of malicious JavaScript files inserted on hacked WordPress sites. According to the company, this is what Avast tracks as the Parrot TDS.

LuoYu

Kaspersky has published a report on LuoYu, a Chinese APT, and its use of a new malware strain named WinDealer. The Russian security firm said LuoYu carried out rare man-on-the-side attacks, where it tried to respond to a victim’s network traffic with trojanized application updates before the legitimate ISP could complete the request. These malicious app updates contained the WinDealer malware, which the attackers used as a backdoor on infected systems to search and exfiltrate sensitive data. Kaspersky said the vast majority of LuoYu victims were located in China.

SideWinder

Group-IB researchers have discovered a new malicious infrastructure and a custom tool of the APT group SideWinder (aka Rattlesnake, Hardcore Nationalist, RAZOR TIGER, T-APT-04, and APT-C-17), a threat actor that is believed to be originating from India and primarily targeting Pakistan. The newly discovered custom tool codenamed SideWinder.AntiBot.Script, is being used in the gang’s phishing attack against Pakistani targets.

Chinese APTs and cybercrime

Recorded Future has published a report summarizing the different incidents where Chinese state-sponsored hacking groups have dabbled in cybercrime targeting neighboring countries. This includes cryptocurrency theft, romance scams, and the theft and trade of PII data.

Backdoor stays in

Following a two-year-long vulnerability disclosure process, Korenix refused to remove a backdoor account from its JetPort serial devices. The vendor told SEC-Consult—the security that found the hardcoded backdoor account—that they “will not remove the hardcoded backdoor account as it is needed for customer support and it can’t be cracked in a reasonable amount of time.”

Confluence zero-day

Atlassian said that threat actors are using a new zero-day vulnerability (CVE-2022-26134) to compromise on-premises Confluence servers. The zero-day is an unauthenticated, remote code execution vulnerability in Confluence Server and Data Center systems. There is no patch at the time of writing. Security firm Volexity first identified the attacks, which it said were being used to install JSP web shells on the affected servers, and then a malicious server implant called BEHINDER.

New MSFT zero-day, same core problem

British security researcher Matthew Hickey said he found another zero-day vulnerability in the Office software suite where malicious documents can automatically open a Windows Search window containing remotely-hosted malware executables. The yet-to-be-formally-confirmed zero-day is in the same tune as this Positive Technologies reported bug and the recent Follina (CVE-2022-30190) issue, where attackers are abusing various Office protocol handlers to connect to remote sites and download and run malicious content. In this case, it was the Microsoft Office search-ms: URI handler, while the previous vulnerabilities abused the ms-officecmd: and ms-msdt: handlers.

Microsoft Office search-ms: URI handler exploitation, requires user-interaction. Unpatched. pic.twitter.com/iYbZNtMpnx

— hackerfantastic.crypto (@hackerfantastic) June 1, 2022

OpenSSL vulnerability

Sophos security researcher Hardik Shah published a technical analysis of CVE-2022-0778, a denial of service vulnerability in the OpenSSL library. The vulnerability can be used to trigger an infinite loop by crafting a certificate that has invalid elliptic curve parameters. Because certificate parsing happens before verification of the certificate signature, any process that parses an externally supplied certificate may be subject to a denial of service attack if they don’t use a patched version of the OpenSSL library.

UNISOC bugs

Check Point said it found vulnerabilities in UNISOC baseband chips that open modern smartphones to remote attacks. UNISOC is the fourth largest baseband chipset maker after MediaTek, Qualcomm, and Apple, and is widely used in low-cost Android devices sold across Africa and Asia.

Unpatched Horde webmail bug

Security firm SonarSource published a report this week detailing a vulnerability (CVE-2022-30287) in the Horde webmail application that can allow an authenticated Horde user to execute arbitrary code on the underlying server. The company said that the Horde team patched another bug but passed it as a fix for this issue, meaning the vulnerability remains unpatched.

Digital Shadows

Cyber security firm ReliaQuest announced on Wednesday that it plans to acquire threat intelligence firm Digital Shadows for $160 million.

Tool release

Security firm XM Cyber has released a tool called VmwarePasswordDecryptor that can recover and decrypt passwords stored on a local PC and which are used to connect to remote VMWare systems such as ESXi, vSphere, and Workstation.

Amnesty fellowship

Amnesty has announced a Digital Forensics Fellowship for anyone interested in helping secure human rights activists and investigate attacks against civil societies across the world. Five positions are available.

We are looking for 5 people working at the intersection of human rights and tech to join our new Digital Forensics Fellowship. You'd work with me and the whole Security Lab, build new skills, and advance capacity to support your communities. Apply & share!https://t.co/imcaounPx4

— nex (@botherder) June 2, 2022

FBI thwarts Iranian attack

FBI Director Christopher Wray said that the FBI Boston office blocked a cyberattack orchestrated by Iranian hackers against the Boston Children’s Hospital last year.

Scraping

shot-scraper: automated screenshots for documentation, built on Playwright: A CLI tool for automating screenshots of web pages, by Simon Willison. You can also have it screenshot just a subsection of the page using CSS selectors.

Web scraping with Python open knowledge: Re Analytics shares best practices for scalable and efficient to maintain web scraping in Python. See also advanced-scrapy-proxies, a Scrapy rotation proxy package with advanced functions.

Cloud Security

Azure/aztfy: A tool to bring existing Azure resources under Terraform’s management.

google/cloud-forensics-utils: A Python library to carry out DFIR analysis on the cloud. Currently supports GCP, Azure, and AWS.

AWS Startup Security Baseline: Guidance by AWS’ Jay Michael on a set of controls that create a minimum foundation for businesses to build securely on AWS without decreasing their agility.

How to Think about Threat Detection in the Cloud: Google’s Anton Chuvakin and Tim Peacock share their views on a foundational framework for thinking about threat detection in public cloud computing.

Container Security

How to use Atomic Red Team to test Falco rules in K8s: It’s important to test that your security controls and tools actually work! Sysdig’s Jason Avery describes how to use Red Canary’s Atomic Red Team in a Kubernetes environment to confirm that Falco’s rules flag the malicious behavior.

Blue Team

google/santa: A binary authorization system for macOS.

Avoiding Security Alert Hell: Introducing Squyre: Bill Mahony announces Squyre, a new open source tool aimed at reducing analyst fatigue by automatically enriching alerts with helpful context. It uses Lambdas and Step Functions to extract IP addresses, domains, hashes etc. from an alert body, looks them up on various services, and then adds the results to the alert in your ticketing system (e.g. Jira).

Supply Chain

Software Supply-Chain Security Reading List: A list of resources by Chainguard covering policy, incidents/threats, solutions, organizations, background, and reports and summaries.

Running Bug Bounty Programs

Eight years of the GitHub Security Bug Bounty program: By GitHub’s Jill Moné-Corallo. GitHub awarded $803,769 in bounties for 235 vulnerabilities in 2021, bringing them to ~$2.4M in total rewards via HackerOne since 2016. Npm has also been added to GitHub’s bug bounty scope.

From Hacker to Bug Bounty Program Owner: A Learning Experience: Braze’s Tommy DeVoss describes the lessons he’s learned in going from a top bug bounty researcher to building Braze’s program. Four big learnings:

Launching a Bug Bounty Program Takes Cross-Team Collaboration
Never Lose Sight of Your Relationship With Hackers and Researchers
Bug Bounties Look Different From the Company Side
The Work Doesn’t End When a Bug is Identified

Network Security

cisagov/Malcolm: A powerful, easily deployable network traffic analysis tool suite for full packet capture artifacts (PCAP files) and Zeek logs, by CISA.

A few Tailscale tricks for Security Testers: Pulse Security NZ’s Michael Fincham shares some interesting details about how Tailscale works, including that Tailscale currently only supports ingress access control rules, all outbound network traffic leaving a host is allowed. So if you’ve compromised a machine, you could re-install a modified version of Tailscale to allow any traffic to the device. Also:

As a tailnet administrator you still have to make sure your containers are running with tags rather than a human user if you want to avoid containers being able to leak each other’s environment variables.

See also Tailscale’s Hardening Guide. I feel like I’ve been hearing a lot of good things about Tailscale recently, I’ve been meaning to play with it when I have time.

Web Security

Damn Vulnerable Web Sockets Walkthrough: A walkthrough of the Damn Vulnerable Web Sockets app, including brute forcing the login, CSRF, file inclusion, error and blind SQL injection, and stored XSS.

Hacking Swagger-UI – from XSS to account takeovers: Vidoc Security Lab’s Dawid Moczadło found a DOM XSS in Swagger UI, which he was able to successfully report across 60 different bug bounty programs. Swagger UI had an outdated version of DomPurify, and Dawid found a new way to exploit a known DomPurify bypass.

I think this post is a good example of finding and building on related work to achieve a goal, and maximizing impact.

GitLab had CSP that did not allow me to use event handlers – <img onerror=alert(window.origin) src=1> was blocked. The good thing with Gitlab is that they disclose all of their security issues, so I just searched for XSS and copied the CSP bypass from there;) (remember to work smart not hard)

AppSec

Ruby Vulnerabilities: Exploiting Dangerous Open, Send and Deserialization Operations: Bishop Fox’s Ben Lincoln walks through a number of ways to get sweet, sweet remote code execution when testing Rails apps, as well as a sample vulnerable app and example exploit code. Vulnerabilities: Kernel-level open function, insecure send, binary deserialization, YAML deserialization, and Oj JSON Deserialization.

“Follina” exploit in Microsoft Office gives attackers potential backdoor to code execution

Security researchers and Microsoft are warning of a zero-day vulnerability in Office that could allow an attacker to run malicious code on targeted systems. The vulnerability, tracked as CVE-2022-30190, exists in Microsoft Word’s remote templating feature, unlike traditional Office vulnerabilities that rely on macros. If successful, an attacker could load malware onto targeted machines from remote servers while bypassing Microsoft Defender’s anti-virus scanner. This issue affects every version of Microsoft Office currently receive updates, some versions dating back to 2003. Although no patch was available as of Tuesday, Microsoft did publish remediation guidelines to keep the vulnerability from being exploited.

Vulnerabilities in Open Automation Software Platform could lead to information disclosure, denial of service

Cisco Talos recently discovered eight vulnerabilities in the Open Automation Software Platform that could allow an adversary to carry out a variety of malicious actions, including improperly authenticating into the targeted device and causing a denial of service. The OAS Platform facilitates the simplified data transfer between various proprietary devices and applications, including software and hardware. The most serious of these issues is TALOS-2022-1493 (CVE-2022-26082), which an attacker could exploit to gain the ability to execute arbitrary code on the targeted machine. This issue has a severity score of 9.1 out of a possible 10. Another vulnerability, TALOS-2022-1513 (CVE-2022-26833) has a 9.4 severity score and could lead to the unauthenticated use of the REST API.

Vulnerability: OAS platform vulnerable to critical RCE and API access flaw

Bleeping Computer has featured news of a pair of vulnerabilities in the widely used Open Automation Software (OAS) platform. The OAS platform is a popular data connectivity platform used in industrial control systems, and it allows inter-operation between a wide range of devices and protocols.

The first vulnerability is a critical RCE flaw that could have potentially compromised the whole platform: an API endpoint allowed remote administration of the platform. The researchers discovered that they were able to access the endpoint in question with a blank username and password, allowing arbitrary remote access to the platform. The issue has a CVSS rating of 9.4 and is tracked as CVE-2022-26833. This is an example of API2:2019 — Broken authentication.

The second vulnerability is due to lack of authentication at an API endpoint and relates to a file write vulnerability in the platform’s secure file transfer module. The researchers found that they could send specially crafted requests to an API endpoint that allowed to upload arbitrary files, including a new authorized_keys file in the root user’s SSH directory which in turn allowed full remote access. The issue has a CVSS rating of 9.1 and is tracked as CVE-2022-26082.

The vulnerabilities were disclosed responsibly and have been fixed in version 16.00.0.113, released on 22 May 2022. The researchers recommend either upgrading to the latest version of the platform, or explicitly deactivating the impacted service endpoints.

Vulnerability: Mass account takeover in Yunmai smart scale API

The second vulnerability this week comes from the security team at Fortbridge who discovered a range of vulnerabilities in the API of the Yunmai smart scale.

The researchers performed a penetration test on both Android and iOS versions of the smart scale app and discovered four vulnerabilities relating to the backend API. By combining these vulnerabilities, they successfully executed a mass account takeover. The vulnerabilities were responsibly disclosed to the vendor, but it is unclear if the issues have been resolved at the time of writing.

The first vulnerability allowed attackers to bypass the limit on the number of family members per account. The app only allows creating 16 accounts in a family, but using the API directly did not pose any number limit. The root cause is that the limit was enforced only client side, not in the backend API. This is a common application design flaw — always ensure restrictions and limits are enforced in the backend API.

The second vulnerability allowed arbitrary enumeration of user IDs by guessing IDs using Burp Suite automation. The API did not adequately authorize access to the guessed ID, instead returning full user information, including sensitive PII. This is an example of API1:2019 — Broken object-level authorization — remember to always fully authorize access to objects against the object owner.

The third vulnerability is an example of API2:2019 — Broken authentication, allowing the researchers to add and delete users from other people’s accounts using the ability to enumerate user IDs. Always ensure all API endpoints are authenticated.

The fourth vulnerability allowed the researchers to gain access to both the refresh token and access token when creating new users. By inspecting the response in Burp Suite, the researchers found that these tokens were accidentally leaked as shown:

Armed with this combination of tokens, attackers were effectively granted access to the platform for perpetuity. This is an example of API3:2019 — Excessive data exposure — always be wary of leaking information, particularly access tokens.

For the coup de grace, the researchers were able to combine three of the vulnerabilities to perform mass account takeover attacks using the forgotten password flow.

Clop Ramps Up

The Clop ransomware group suddenly added 21 new victims on their data leak site after being quiet from November through to February.

Universities Put On Watch

The FBI has warned the US education sector that college and university credentials are being offered for sale on criminal marketplaces. University attacks are already fairly common, so we don’t think this alert is all that useful, but perhaps it explains why they are so common.

Alphv claims to have hit Florida International University. FIU is the 3rd US university/college to be attacked by Alphv this year: Phillips Community College was hit in Feb NC A&T State University in March. 1/3 pic.twitter.com/LLDbnx7VF4

— Brett Callow (@BrettCallow) April 8, 2022

Arrested REvil Members Will Skate

Russian media reports the prosecution of REvil suspects arrested in January has stalled, with Russian prosecutors not receiving the material they need to press ahead from US law enforcement officials. CyberScoop has English-language coverage, which suggests that this may not indicate broader Russian policy but simply reflects the facts on the ground. Cyber security cooperation just stopped after the invasion of Ukraine. Regardless, we won’t look to Russian law enforcement efforts to solve problems with ransomware.

SpiceJet Grounded

Indian low-cost airline SpiceJet was affected by an “attempted ransomware attack” that left some passengers stranded for hours including many actually stuck in planes.

The interesting thing is that passengers trapped on planes that can’t take off are tweeting from the runway. They are directly engaging and putting pressure on the company. This is an interesting dynamic that hasn’t been explored in cyber extortion. It opens new perspectives on possible ways to force a company to pay a ransom.

Oh. Great. A new way for ransomware crews to ratchet up the pressure.

#ImportantUpdate: Certain SpiceJet systems faced an attempted ransomware attack last night that impacted and slowed down morning flight departures today. Our IT team has contained and rectified the situation and flights are operating normally now.

— SpiceJet (@flyspicejet) May 25, 2022

ROFLbins?

A Microsoft Office 0day, which takes advantage of the Microsoft Support Diagnostic Tool (MSDT) is being actively exploited. Microsoft Word’s remote template feature can be used to load HTML, which then calls MSDT to execute Powershell.

Exploitation in the wild dates back to April. This week Proofpoint reported a group linked to Chinese state interests is using it to target the international Tibetan community, and the ACSC says it is being used to target Australian organisations.

Kevin Beaumont has, as usual, been doing a bang-up job collating new information as it comes to light and also keeping Microsoft honest by pointing out its sometimes inconsistent behaviour.

…Microsoft would’ve gotten away with it too, if it wasn’t for that meddling @GossiTheDog https://t.co/iKLLcv3pFx

— thaddeus e. grugq 🌻 @[email protected] (@thegrugq) May 31, 2022

Beaumont notes, for example, that Microsoft initially said the bug was “not a security related issue,” and also managed to recently fix very similar bugs in Teams but not Office. (He dubbed the bug Follina, btw, because the sample he had included the string “0438”, the area code of Follina in Italy.)

https://twitter.com/GossiTheDog/status/1531185196619468801

https://twitter.com/GossiTheDog/status/1531721482161758212

Microsoft has issued guidance that recommends disabling the MSDT URL protocol, but a patch is not yet available at the time of writing.

60 million wins

Microsoft has announced plans to apply sensible security defaults to Azure customers who haven’t applied them already. These defaults were introduced for new tenants in October 2019, but previous customers remained unprotected unless they explicitly enabled the features. Some interesting stats: This move will bring MFA to another 60 million accounts, and organisations with these protections experience 80% less compromise than the overall tenant population.

SilverTerrier Head Arrested

On Wednesday, INTERPOL announced the Nigeria Police Force cybercrime unit had arrested a 37-year-old Nigerian man who is alleged to have run a Business Email Compromise gang, dubbed SilverTerrier by Palo Alto Networks. Interpol was assisted by a smattering of cyber security companies, including Palo Alto Networks, Group-IB, and Trend Micro.

A Minister for Cyber Security!

The recently-elected Australian government appointed the Hon Clare O’Neill MP to a new Cabinet-level Minister of Cyber Security position. This is a vast improvement over the previous arrangement where no government minister had “cyber security” in their job title. We do worry, however, about how much bandwidth O’Neill will be able to dedicate to the role as she is also Minister for Home Affairs.

I’m deeply honoured to today be sworn-in as Minister for Home Affairs and Cyber Security.

Every day in government is a privilege – we won’t be wasting a single one. pic.twitter.com/ZwGKJExiMW

— Clare O'Neil MP (@ClareONeilMP) June 1, 2022

Chinese Open Source is Not that Open

Gitee, a Chinese version of Github, has started to manually review code before it is made publicly available, with the MIT Technology Review reporting the company stating “it didn’t have a choice”. The suspicion, naturally enough, is that Gitee has fallen afoul of the Chinese government’s need to censor information.

These types of companies are strategically important for both companies and countries. Microsoft spent USD$7.5bn to acquire GitHub, and the PRC government is likely concerned about its developer’s dependence on the platform. Making Gitee much harder to use won’t help it grow, though.

Russia orders Google to remove Tor Browser from Russian Play Store

Roskomnadzor, Russia’s telecommunications watchdog, has ordered Google to remove the Tor Browser Android app from the Russian version of the Play Store, the agency said in a message posted on its official Telegram channel on Tuesday.

The agency said that the Tor Browser allows users to access the Tor network, which it had previously ruled that it contains “content prohibited in Russia.”

Yesterday’s decision comes after Roskomnadzor previously ordered Russian internet service providers (ISPs) to block access to the Tor network and its official website in December 2021.

While the Tor Project is currently fighting last year’s ruling in a Moscow court, arguing that the ban was issued without giving Tor representatives an opportunity to participate and hence broke Russian law, the writing is already on the wall.

Coupled with another December 2021 decision to block access to half-a-dozen popular VPN services and with recent rumors that ISPs are testing blocks of several VPN protocols at the lowest level, it is very apparent that Roskomnadzor is on a crusade to limit Russians’ access to censorship-evading tools.

Unless you’ve been living under a rock for the past three months, Roskomnadzor’s actions are driven by the Russian state’s need to control its online space and what information Russians can access online during its illegal and genocide-abundant invasion of Ukraine. Since February 24, when Russian troops officially crossed the border into Ukraine, Roskomnadzor has banned access to foreign news websites that report on the invasion and don’t toe its state-mandated propaganda “denazification” line or websites for western companies that have pulled out of Russia as a sign of protest or because of sanctions.

Roskomnadzor’s decision to go after the Tor Project makes sense since Russia is the country with the second-most users on the Tor network, with more than 300,000 daily users, or 15% of all Tor users; the Tor Project said last year.

Mirror Protocol hack #1

A threat actor exploited a bug in the Mirror Protocol DeFi platform to steal almost $90 million worth of cryptocurrency last year in October 2021. The hack exploited a vulnerability in one of the Mirror Protocol’s smart contract mechanisms that allowed the attacker to generate large sums of cryptocurrency via blockchain betting transactions. The incident went completely undetected for almost seven months until last week, when a Twitter user discovered the vulnerability and its aftermath.

🧵👇 What if I told you that Mirror Protocol, up until 18 days ago, was susceptible to the one of the most profitable exploits of all time, allowing an attacker to generate $4.3m from $10k in a single transaction? Here's how I discovered this – by pure serendipity. 🧵👇

— FatMan (@FatManTerra) May 27, 2022

Mirror Protocol hack #2

…and then the same person who found the first attack found a second one.

Mirror Protocol is being exploited again as we speak, and the devs are completely MIA. So far, the attacker has drained over $2m and counting – the attack will get worse when markets open tomorrow unless the dev team steps in and fixes the price oracle. @mirror_protocol (1/4)

— FatMan (@FatManTerra) May 30, 2022

Portland falls to BEC

The US city of Portland, Oregon, said it lost $1.4 million to a BEC scammer last month, in April 2022. In a press release last week, city officials said they identified that they sent city funds to the wrong bank account after the threat actor attempted to scam the city a second time.

Hackers-for-hire

Reuters is reporting on a court case where independent journalist Scott Stedman testified that Israeli jailed private detective Aviram Azari worked to hire Indian hackers to carry out espionage operations on behalf of several Russian oligarchs. Azari pleaded guilty last month to working for BellTroX, a New Delhi-based hacker-for-hire company.

AON incident

AON, one of the largest providers of insurance, pension administration, and health insurance plans, has disclosed a security breach [PDF]. The company said in February this year, it found that a threat actor accessed some of its servers several times between December 29, 2020, and February 26, 2022, from where it downloaded documents containing sensitive data on some of its customers. AON did not say how many customers had data exposed in the incident.

365 Data Centers lawsuit

365 Data Centers, a major data center operator on the US East Coast, was sued last week by one of its customers after a ransomware attack appears to have permanently destroyed some of its customers’ data. The incident took place on May 14, and the data center operator has yet to publicly acknowledge it besides some private emails sent to its customers. Plaintiffs in the class -ction lawsuit claim they have suffered “damages amounting to hundreds of thousands, if not millions, of dollars in lost revenue and profit.”

Hey @SwiftOnSecurity have you heard anything about the security "incident" that has knocked three data centers run by @365datacenters offline since 14 May?

— John Cole (@Johngcole) May 25, 2022

Chinese FOSS censorship

Thousands of Chinese developers complained last month that Gitee—a Chinese version of the GitHub platform—has started censoring open-source projects they were hosting on the platform. According to MIT Technology, developers said they had projects locked or hidden from view. Responding to user criticism, Gitee said in a statement posted earlier this month that, going forward, all code posted on the platform will need to be manually reviewed before being published. The company didn’t confirm it was implementing this manual review process at the request of the Chinese government, but let’s face it, who else has the desire and power to force Gitee to do this?

Microsoft Entra

Microsoft launched on Tuesday a new product called Microsoft Entra. According to the company, the Entra product family will include all of Microsoft’s identity and access services, such as Microsoft Azure Active Directory (Azure AD), as well as two new product categories: Cloud Infrastructure Entitlement Management (CIEM) and decentralized identity.

PSP protocol

Google has open-sourced PSP, a security protocol that uses cryptography to offload and distribute traffic across multiple servers and which Google has used internally for its intra- and inter-data center traffic. The GitHub repo is here, and below is a Twitter thread from an AWS exec discussing Google’s technical design.

I love this work from Google, and as someone who worked a lot on AWS VPC Encryption, it's really interesting to see how the differences in environment result in quite different designs. Just a few thoughts … https://t.co/M97ithc9Kq

— Colm MacCárthaigh (@colmmacc) May 31, 2022

Ukrainian BGP hijack

Qrator Lab, a Russia-based DDoS mitigation provider, disclosed today that Lurenet, a Ukraine-based internet service provider, has hijacked BGP routes for several Russian companies at the start of March, after Russia’s invasion of Ukraine, and in April. The company told Russian news outlet Vedomosti that Lurenet hijacked traffic for Beeline, Megafon, and MTS, three Russian telcos.

May 31, 2022 — AS38744 — AONB-AS-AP [BD] — hijacked 461 prefixes creating 1517 conflicts for 666 prefixes and 100 ASNs in 2 countries. Maximum propagation: 80%. Duration: 25 minutes. pic.twitter.com/fQ6EABeZng

— Radar by Qrator (@Qrator_Radar) May 31, 2022

Romania

Romanian lawmakers have proposed a new bill this week that would make the Romanian Intelligence Service (SRI) the official telecommunications interception agency. The new bill will also grant the agency the right to operate internationally, would force local companies and Romanian citizens to cooperate with its investigations, and introduce special rules for investigating SRI agents.

New HelloXD ransomware

Security researcher MalwareHunter has spotted a new ransomware strain in the wild, named HelloXD, and targeting VMWare ESXi servers.

"HelloXD" ransomware…
😂 pic.twitter.com/xFZk1jU3Dl

— MalwareHunterTeam (@malwrhunterteam) May 30, 2022

Android malware ecosystem

According to the ThreatFabric Mobile Threat Landscape for H1 2022, the operators of mobile banking trojans are switching their focus from Account Take-Over (ATO) attacks to adding more On-Device Fraud (ODF) capability to their malware toolkits. Android banking trojans that support ODF features include strains like Alien, Anatsa, Medusa, Hydra, Exo/Octo, Gustuff, and SharkBot.

Operation KillerBee

Interpol reported on Monday that Nigerian law enforcement arrested three locals on charges of cybercrime. Officials said the suspects distributed the Agent Tesla remote access trojan. Once they infected victims, the group would engage in business email compromise (BEC) schemes. Their campaigns primarily targeted corporate organizations, such as oil and gas companies in South East Asia, the Middle East, and North Africa.

FBI alert

The FBI has warned US organizations about a rise in fraudulent schemes seeking donations or other financial assistance related to the crisis in Ukraine. The Bureau says that criminal actors are taking advantage of the war in Ukraine by posing as Ukrainian entities needing humanitarian aid or developing fundraising efforts, including monetary and cryptocurrency donations.

WSO2 exploitation

Trend Micro has a report out on the recent attacks targeting CVE-2022-29464, a remote code execution vulnerability in WSO2 servers.

XLoader

Check Point published a technical report on XLoader, an infostealer malware and the successor of the Formbook malware, abandoned last year.

Amadey Loader

OALABS has published a report on Amadey Loader, a malware loader botnet that was first seen in 2018 and is currently being advertised on Russian-speaking cybercrime forums.

Mars Stealer

Security researcher Mohamed Ashraf has published a deep dive into the Mars Stealer malware.

TA413

Cybersecurity firm Proofpoint said on Tuesday that it discovered that at least one state-sponsored group has already weaponized the recent Office zero-day that was disclosed over the weekend. Per the company, a threat actor tracked as TA413 (or Keyboy) has used this technique to target individuals in the Tibet region.

TA413 CN APT spotted ITW exploiting the #Follina #0Day using URLs to deliver Zip Archives which contain Word Documents that use the technique. Campaigns impersonate the "Women Empowerments Desk" of the Central Tibetan Administration and use the domain tibet-gov.web[.]app pic.twitter.com/4FA9Vzoqu4

— Threat Insight (@threatinsight) May 31, 2022

Office zero-day mitigation

Microsoft published official guidance for the Office zero-day that was discovered being exploited in the wild over the weekend. The zero-day is now tracked under the CVE-2022-30190 identifier.

UPnProxyChain

Finnish security researcher Valtteri Lehtinen released a new tool called UPnProxyChain. The tool creates a network of SOCKS proxy servers out of devices vulnerable to the UPnProxy vulnerability [PDF].

Microsoft Office Zero-Day Vulnerability

A zero-day vulnerability in Microsoft Office can be exploited to allow arbitrary code execution. According to “nao_sec,” the Japanese research team that detected the issue, the flaw “uses Word’s external link to load the HTML and then uses the ‘ms-msdt’ scheme to execute PowerShell code.” The flaw, dubbed Follina, can be exploited even when macros are disabled in Microsoft Word.

Note

This is a significant vulnerability and underscores problems that likely exist in other protocol handlers (there are many). You can disable troubleshooting tools entirely by entering the following command, which mitigates the current attack:
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnostics" /t REG_DWORD /v EnableDiagnostics /d 0
I’m doing an emergency webcast this Tuesday (today) at 5pm ET to discuss additional mitigations, detections, and just more information about the vulnerability itself. In the meantime, I’ve written a pretty in-depth blog on the topic here (including detection engineering): https://www.scythe.io/library/breaking-follina-msdt-vulnerability
Microsoft assigned this vulnerability an “important” rating. However, this does not properly reflect the impact this vulnerability may have. Even with current counter measures (for example prompts to enable macros), malicious documents are very commonly used to gain access to networks for ransomware and other malware. This vulnerability bypasses all these protections and all it takes is opening or even just previewing an office document. While reasonable workarounds are available, a push to educate users should be included in your response.
Practitioner’s note: With no patch available, the ISC offers (among other mitigations) that administrators can remove the ms-msdt:// URI scheme. This lives in HKEY_CLASSES_ROOT\ms-msdt in the registry and can be removed via Group Policy Object (GPO) or with PowerShell: Remove-Item -Path Registry::HKEY_CLASSES_ROOT\ms-msdt\ -Recurse -Force
Microsoft have issued an advisory with some workarounds outlined in it [https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/] The recommendation from Microsoft is to disable the MSDT URL Protocol, however be aware some applications may not work as expected once implemented. However, should this happen you can always re-enable the MSDT URL Protocol on affected computers.
Word protected mode does kick in to protect you some, but, if you save the malicious document as an RTF it can be executed via the document preview tab in Explorer – bypassing protected mode. The attack appears not to work on the Insider and Current versions of Office; your defense is going to be making sure that your systems running Office are keeping them updated.

GitHub Details npm Account Information Stolen in April

GitHub says that access credentials for about 100,000 npm accounts were stolen earlier this year. The breach was conducted with the use of stolen OAuth tokens. GitHub initially disclosed the breach in mid-April. Last week, GitHub Senior Director for Product Security Engineering Greg Ose said the intruders stole approximately 100k npm usernames, password hashes, and email addresses from a 2015 archive of user information; all private package manifests and metadata as of April 7, 2021; names and the semVer of published versions of all private packages as of April 10, 2022; and private packages from two organizations.

Note

The investigation into the OAuth compromise found an unrelated exposure: some npm service logs stored in GitHub’s internal logging system contained plaintext credentials received in requests to npm services that should have been sanitized. This kind of “exposure hunting” is a good thing to do regularly, but taking advantage of a breach investigation to do so is a no-brainer.

Plaintext passwords in logs is something we should all be making sure we don’t capture, except for the user who puts their password into the username prompt. Like GitHub, if you discover passwords captured in logs, directly connect to those account holders and have them change the passwords _AFTER_ you make sure that you won’t continue to capture plaintext passwords. This would be a good time to make sure users are enabling MFA. If you’re concerned about your account being among the ones which were captured, change the password and verify 2FA is in place.

Microsoft Rolling Out Security Defaults

Microsoft plans to roll out security defaults to Azure Active Directory users who have not yet enabled security defaults or Azure AD Conditional Access. Microsoft Director of Identity Security Alex Weinert notes that “When we look at hacked accounts, more than 99.9% don’t have MFA.” Microsoft introduced security defaults for new tenants in October 2019. Microsoft estimates the rollout will protect an additional 60 million accounts.

Note

There are basic security hygiene concepts that ought to be like fluoride in public water – should be the default for all services and should be implemented to be transparent and unalterable to provide a base level of protection. The 2% of use cases that need something different can be handled by exception, vs. put allowing the 98% of use to be put at risk because defaults were left unchanged. The users (even developers) are getting used to accepting this – take advantage.
There are times when leaving the security to the customer to (finally) implement is as good as never implementing them. All service providers need to not only continue to raise the security bar commensurate with the current threat landscape, but also, ensure customers are notified and implement those improvements. Microsoft’s conditional access allows you to have different security settings for trusted and untrusted devices and networks. You can enable the security defaults on your Microsoft 365 admin center.

Commerce Publishes Final Rule on Cybersecurity Tools Export Controls

The US Department of Commerce’s Bureau of Industry and Security has published a final cybersecurity export control rule in the Federal Register. The new rule is aimed at preventing the resale or export of certain cybersecurity tools to countries like Russia and China without a license. The rule took effect on May 26, 2022.

Note

This aligns the US with the other 42 members of the Wassenaar Arrangement on Export Controls for Conventional Arms and Dual-Use Goods and Technologies. The latest revisions incorporated feedback provided to the October 2021 proposed final ruling. Essentially items under this rule must have proper licensing through the Department of Commerce before they can be used outside the country.
This is mostly of interest to vendors selling products, but if you are using any of the tools on the list, worth checking to see if any potential spillover impact on your company’s global use of such products.

FBI Warns Criminals are Selling University Credentials

The FBI has published a TLP: White level Private Industry Notification warning that network access credentials for US colleges and universities are being sold in online criminal marketplaces. The FBI recommends that academic institutions take steps to improve their networks’ security, including keeping software up to date, implementing lockout rules for multiple password attempts, and requiring multi-factor authentication.

Note

While university network and student support services can be challenging, the recommended actions are doable. Make sure that you are segmenting; particularly research and back-end IT, monitoring, and aware of services exposed to the Internet. Seriously block SMB, RDP, FTP and other insecure protocols. Be aware of trust relationships, establish a process for these connections as well as verifying they remain appropriately secure. When looking at MFA, look to phishing resistant options.
If you have any collaborative agreements with universities with VPN access involved, good idea to investigate impact.

Talos List of Open Automation Software Vulnerabilities

Researchers from Cisco Talos recently discovered eight vulnerabilities in the Open Automation Software (OAS) Platform. The flaws could be exploited to execute arbitrary code, allow unauthenticated use of the REST API, and conduct other malicious activity. OAS has released an update to address the vulnerabilities.

Note

OAS is often used for data transfer in OT/ICS and IIoT environments. The flaws have CVE scores in the 9.1-9.4 range, can be used to conduct DOS attacks or even enumerate username/password pairs, RCE and other mischief. If you’ve got it in your environment, make sure you apply the update. If it’s bundled with a larger package, get your vendor’s update plans. Also make sure that you’re following hardening guidelines, particularly segmentation and monitoring of connections to administration services and ports.

Italy’s CSIRT Warns of Potential DDoS Attacks

An alert from Italy’s Computer Security Incident Response Team (CSIRT) warns that there is a high risk of distributed denial-of-service (DDoS) attacks on national computer systems. The alert notes that “There continue to be signs and threats of possible imminent attacks against, in particular, national public entities, private entities providing a public utility service or private entities whose image is identified with the country of Italy.”

Note

“ChromeLoader” uses PowerShell on Windows, and a Bash script on the Mac and is distributed via an ISO claiming to be a hacked game image. The loader is used to install a browser plugin. Consider blocking or otherwise limiting use of ISO’s downloaded from the Internet.

More Pushback Against CERT-In Breach Reporting Requirements

Nearly a dozen technology-related lobby groups have written to India’s Computer Emergency Response Team (CERT-In) to voice their objection to the organization’s new breach reporting requirements. The groups include the US Chamber of Commerce, The Alliance (BSA), Digital Europe, the Information Technology Industry Council, techUK, the Cybersecurity Coalition US Chamber of Commerce, the US-India Business Council, and the US-India Strategic Partnership Forum. The groups object to numerous requirements , including the six-hour breach reporting rule and the burden and risk of storing customer data.

Note

The objections highlight important factors to consider when implementing incident reporting, make sure the reporting requirement is obtainable, understand how data is protected, as well as what data is required, some of which may necessitate updated NDAs. Also ensure that you can use machine-based reporting tools which allow you to leverage existing systems and processes.

Mitel VoIP appliances used in ransomware attack

Read more in

Syniverse (Vodafone supplier) compromised since May 2016

Read more in

Call forwarding “trick” allows for Whatsapp account hijack

Read more in

Discord as a financial messenger – what could go wrong?

Read more in

Metasploit 6.2 released which adds a SIP capture module

Read more in

Nessus adds a Cisco IOS-XE destination pattern bypass module

Read more in

Mitel phones had a backdoor when booted into special mode

Read more in

VitalPBX missing access control vulnerability

Gallium APT uses new PingPull malware for espionage campaigns

Read more in

Oracle Took Six Months to Fix Critical Flaw in Fusion Middleware

Note

Read more in

CafePress Fined Over Data Breach and Cover-up

Note

Read more in

$100M Stolen from Blockchain Firm Harmony

Note

Read more in

Ransomware as a Distraction from IP Theft

Note

Read more in

GAO: Private Cyber Insurance, TRIP May Not be Enough to Cover Catastrophic Losses

Note

Read more in

CISA: Assume VMware Products Not Patched Against Log4Shell are Compromised

Note

Read more in

CISA Asks for Feedback on Trusted Internet Connections 3.0 Cloud Use Case

Note

Read more in

Google: Hermit Spyware is Being Used in Italy and Kazakhstan

Note

Read more in

ToddyCat APT

Note

Read more in

US critical infrastructure needs better cyber insurance coverage

Harmony mega-hack

CafePress fine

Ransomware attacks in Japan

XCarnival hack

Abortion hacktivism

Google Analytics banned in Italy

Opera launches no-log VPN

Supreme Court ruling bot activity

More cash for CISA

New Air Force cyber chief

Russia’s IT balkanization continues

Mitel zero-day

Malicious Python packages

Cobalt Strike update

Social engineering report

LockBit 3.0

Snake Keylogger

API hammering

Ransomware TTPs

Agent Saitama

Vulnerabilities get patched slower and slower

Miracle exploit

Codesys bugs

Zena RCE

The NYTimes Analyzes China’s Surveillance State Plans

Read more in

BEC Attackers Starting to Impersonate Third-party Vendors

Read more in

Attacker Selling Access to Networks via Atlassian Vuln

Read more in

Chinese Attackers Using Ransomware to Hide Espionage

Read more in

2 New Cybersecurity Bills Signed Into Law

Read more in

CISA’s Cloud Security Technical Reference Architecture