News Items

Mordechai Guri, a cybersecurity researcher from the Ben-Gurion University of the Negev in Israel who specializes in air gap jumping, has recently released a paper detailing yet another method that can be used to stealthily exfiltrate data from systems isolated from the internet and local networks. The researchers stated that the new method involves using the dynamic power consumption of modern computers and manipulation of CPU loads in order to cause the device to generate specific low-frequency (LF) electromagnetic radiation in the 0-60 kHz band. Guri was able to show how a malicious actor who has managed to plant a piece of malware on the targeted device can exfiltrate small pieces of highly sensitive information, such as passwords or encryption keys. The researcher demonstrated that the attack can be conducted over distances of 2 meters (6.5 feet) and even more. The attack method has been named COVID-bit because this distance is often recommended for preventing Covid-19 transmission. Guri noted that the malware planted on the air-gapped computer can cause the device to generate a certain frequency to represent a "1" bit and a different frequency for a "0" bit. The transmitted data can then be captured from a short distance, including through a wall, by a smartphone or laptop that has been fitted with a $1 antenna that can be hidden inside a case or within harmless-looking objects such as headphones. Guri noted that the smartphone records the frequency and translates it to the corresponding "0" or "1" bit. In addition to the actual payload that is being exfiltrated, the attacker can add calibration bits and bits used for error detection, which leads to a reduction in speed, but makes the exfiltration channel more reliable. The researchers stated that experiments showed that the COVID-bit attack can achieve data transmission rates of up to 1,000 bits per second, which would allow an attacker to exfiltrate a Bitcoin private key in less than a second and a 4096-bit RSA encryption key in 4 seconds. The researcher noted that keylogging can be conducted in real time.

SecurityWeek reports: "LF Electromagnetic Radiation Used for Stealthy Data Theft From Air-Gapped Systems"

Security researchers at Censys have discovered that more than 4,000 internet-accessible Pulse Connect Secure hosts are impacted by at least one known vulnerability. Touted as the most widely deployed SSL VPN solution, Pulse Connect Secure provides remote and mobile users with secure access to corporate resources. The researchers stated that Pulse Secure appliances are known for being the target of choice for both cybercriminals and state-sponsored threat actors, and government agencies have issued multiple alerts to warn of continuous exploitation of unpatched vulnerabilities in these products. Despite that, however, the number of vulnerable Pulse Connect Secure hosts remains high. The researchers found that 4,460 out of 30,266 appliances exposed to the internet lack patches. According to the researchers, roughly 3,500 of the vulnerable appliances are missing patches released in August 2021 to resolve six vulnerabilities, including a critical-severity file write bug that can be exploited to execute arbitrary code with root privileges. The researchers also discovered that over 1,800 of the vulnerable hosts have not been patched against three critical-severity issues that Pulse Secure resolved in May 2021, two weeks after warning that one of the flaws (CVE-2021-22893, CVSS score of 10) was being exploited in attacks. The researchers discovered hundreds of Pulse Connect Secure appliances still impacted by other critical vulnerabilities, including CVE-2018-5299 (CVSS score of 9.8), CVE-2018-6320 (CVSS score of 9.8), CVE-2019-11510 (CVSS score of 10), and CVE-2019-11540 (CVSS score of 9.8). According to the researchers, there are roughly 8,500 internet-accessible Pulse Connect Secure hosts in the US, 1,000 of which are impacted by a known vulnerability. Japan is in second place, with 3,000 hosts (700 vulnerable), followed by the UK and Germany with just over 1,700 hosts each (155 and 134 vulnerable ones, respectively).

SecurityWeek reports: "Over 4,000 Vulnerable Pulse Connect Secure Hosts Exposed to Internet"

The PCI Security Standards Council (PCI SSC) has released version 1.2 of the PCI Secure Software Standard as well as the supporting program documentation. The PCI Secure Software Standard is one of two PCI Software Security Framework (SSF) standards. The PCI Secure Software Standard and its security requirements help ensure that the design, development, and maintenance of payment software protects payment transactions and data, reduces vulnerabilities, and prevents attacks. The Web Software Module is a set of supplemental security requirements introduced in version 1.2 of the PCI Secure Software Standard to address the most common security issues associated with the use of Internet-accessible payment technologies. According to Emma Sutcliffe, SVP Standards Officer of the PCI SSC, the PCI Secure Software Standard is designed to provide a more flexible approach to testing the security and integrity of payment software. The Web Software Module was developed to help software vendors and developers identify and implement appropriate software security controls to protect against common web software attacks. The Web Software Module includes high-level requirement areas such as documenting and tracking the use of open-source and third-party software components and Application Programming Interfaces (APIs) in payment software. This article continues to discuss version 1.2 of the PCI Secure Software Standard.

Help Net Security reports "PCI Secure Software Standard 1.2 Released"

Nemesis Kitten, a subgroup of an Iranian nation-state group, has been linked to Drokbk. This previously undocumented custom malware uses GitHub as a dead drop resolver to exfiltrate data from infected computers or to receive commands. According to Secureworks principal researcher Rafe Pilling, using GitHub as a virtual dead drop helps the malware blend in. Since all traffic to GitHub is encrypted, defensive technologies cannot see what is being exchanged. Furthermore, because GitHub is a legitimate service, it raises fewer concerns. The malicious activities of the Iranian government-sponsored actor first came to light in February 2022, when it was observed exploiting Log4Shell flaws in unpatched VMware Horizon servers to deploy ransomware. The larger cybersecurity community has identified Nemesis Kitten as TunnelVision, Cobalt Mirage, and UNC2448. It is also a sub-cluster of the Phosphorus group, with the Microsoft ID DEV-0270. It is also said to have tactical overlaps with Cobalt Illusion, also known as APT42, a Phosphorus subgroup that conducts information collection and surveillance operations against individuals and organizations of strategic interest to the Iranian government. This article continues to discuss the Nemesis Kitten nation-state group's use of the new Drokbk malware.

THN reports "Researchers Uncover New Drokbk Malware that Uses GitHub as a Dead Drop Resolver"

According to several security experts, the Log4Shell vulnerability will impact organizations for at least a decade. Those concerns appear to be justified, as a new report from Tenable finds that 72 percent of organizations are still vulnerable, even though it has been one of the most notable items in cybersecurity news for nearly a year. The vulnerability remains buried in many assets, especially legacy systems that are more difficult to address. It also continues to impact the organization as new unsecured devices are added. Information Technology (IT) staff are struggling to build bigger teams of professionals to keep up. The report does identify some areas where significant progress has been made. When Log4Shell was made public in December 2021, it was estimated that 10 percent of all business assets were vulnerable to it. Due to massive patching efforts, that figure has dropped to 2.5 percent as of October 2022. However, after being fully remedied, 29 percent of assets experienced the re-emergence of a Log4Shell vulnerability. This was the basis for security experts' predictions that Log4Shell would continue to be a problem throughout the rest of the 2020s. While an organization could achieve full remediation, vulnerable elements will gradually make their way back in through new software and devices over time. Although 28 percent of organizations now report full remediation, a 14-point increase from six months ago, these organizations may become vulnerable again if monitoring and patching efforts do not continue. All organizations are still potentially vulnerable, as the problem is still circulating and could resurface in the coming years. Engineering is currently the most remedied industry (45 percent), followed by legal services (38 percent). Reports of Log4Shell being exploited in the wild are relatively low in comparison to how prevalent it remains, indicating that attackers are having just as much difficulty locating buried weak points as internal IT teams. The Advanced Persistent Threat (APT) groups of China, Iran, and North Korea have all been observed making attempts, but with limited success thus far. This article continues to discuss the Log4Shell vulnerability and its expected long-term impact on organizations.

CPO Magazine reports "Despite a Year of Warnings and Patching, Nearly 3 Out of 4 Organizations Still Vulnerable to Log4Shell"

According to the cybersecurity firm NordVPN, at least 5 million people worldwide have had their online data stolen and sold on "bot markets." About 3,000 of those affected are from Ireland, while nearly 46,000 are from the UK. Bot markets are online marketplaces where hackers sell data stolen from their victims' devices via malware. According to NordVPN, data is typically sold in packets that include passwords, cookies, digital fingerprints, and other information that can help set up a digital identity. Bot markets differ from other dark web markets in that they collect large amounts of data about a single person in one location. In addition, they guarantee the buyer that the victim's information will be updated as long as the bot infects their device. NordVPN examined three major bot markets accessible via the surface web, compiling data with the assistance of third-party researchers. Cookies and login information were among the most common types of data sold on these markets. Researchers discovered 667 million stolen cookies, 87,000 digital fingerprints, 538,000 auto-fill forms, and 26.6 million logins for sale on the markets examined. There were 720,000 logins from Google accounts, 654,000 from Microsoft accounts, and 647,000 from Facebook. Hackers were also discovered taking screenshots from malware-infected devices. The most common types of data-stealing malware are RedLine, Vidar, Racoon, Taurus, and AZORult. Screen resolution, device information, browser preferences, and other information that makes a user unique are all part of a person's digital fingerprint. Hackers can use this information to make themselves appear legitimate. These bot markets provide a variety of ways to exploit a victim's data, such as connecting to someone's Facebook account and sending malicious content to other users. More sophisticated criminals purchase this information in order to target businesses with phishing attacks by impersonating employees. This article continues to discuss NordVPN's latest report on bot markets.

Silicon Republic reports "Stolen Data of 3,000 Irish People Sold on Bot Markets, Study Claims"

According to a global survey of 4,700 Information Technology (IT) professionals conducted by Cisco, the most common types of incidents were network or data breaches (52 percent), followed by network or system outages (51 percent), ransomware events (47 percent), and Distributed Denial-of-Service (DDoS) attacks (46 percent). Sixty-two percent of organizations reported a security event that impacted business operations in the last two years, including IT and communications disruption (63 percent), supply chain disruption (43 percent), impaired internal operations (41 percent), and long-term brand damage (40 percent). Security resilience is now a high priority for 96 percent of respondents. According to Wendy Nather, Cisco's head of advisory CISOs, the survey revealed that organizations are changing their approach to cybersecurity as they deal with a chronic shortage of cybersecurity skills when attacks continue to increase in volume and sophistication. Cisco also ranked survey participants based on their overall resilience, finding that organizations with a mature zero-trust model have a 30 percent higher resilience score than those without such a model. Compared to organizations that did not have detection and response capabilities, advanced Extended Detection and Response (XDR) capabilities resulted in a 45 percent increase in resilience. Cloud-based Secure Access Service Edge (SASE) solutions improve organizations' security resiliency by 27 percent. Organizations with poor C-suite security support scored 39 percent lower than those with strong executive support, while businesses with an excellent security culture scored 46 percent higher on average. The precise location of IT resources appears to have little impact on cybersecurity resilience. Organizations that are primarily on-premises or primarily cloud-based had the highest and nearly identical security resilience scores. However, organizations in the early stages of transitioning from an on-premises to a hybrid cloud environment saw resilience scores drop by 9 percent to 14 percent, depending on how difficult the hybrid environments were to manage. This article continues to discuss findings from Cisco's survey of IT professionals on security resilience.

Security Boulevard reports "Cisco Survey Reveals Increased Focus on Cybersecurity Resilience"

Endor Labs published "The State Of Dependency Management," which provides insight into the widespread but often unmonitored use of existing open-source software in application development, as well as the risks associated with this common practice. The research reveals that 95 percent of all vulnerabilities are found in transitive dependencies, which are open-source code packages that are not chosen by developers but are still pulled into projects indirectly. This is the first report from Station 9, Endor Labs' research capability that brings together researchers, academics, and thought leaders worldwide. Station 9's new report provides an analysis of the complexities underlying the reliance on open-source software, revealing how traditional methods of vulnerability remediation require far more scrutiny. According to the report, the issue is not necessarily the widespread use of existing open-source code in new applications. Instead, it is that only a small sampling of these software dependencies is selected by the developers involved. The remainder are transitive or indirect dependencies. This allows for significant vulnerabilities impacting both the security and development worlds. Most vulnerabilities are found in transitive dependencies, making it difficult for developers to assess the true impact of these issues or even whether they are reachable. A comparison of the two most popular community initiatives for identifying critical projects, Census II and OpenSSF Criticality Scores, reveals that determining criticality is complex. Seventy-five percent of Census II packages have a Criticality Score of less than 0.64. Organizations must determine which open-source projects are critical for them. Threat actors have benefited from dependency confusion in recent supply chain attacks, while the risk indicators covered in widely used initiatives typically do not detect these attacks. Fifty percent of the most popular Census II packages did not have a release date in 2022, and 30 percent had their most recent release before 2018. These have the potential to cause serious security and operational issues in the future. When upgrading to the most recent version of a package, there is still a 32 percent chance that it will contain known vulnerabilities, proving that new does not imply secure. This article continues to discuss key findings from Endor Labs' report on dependency management.

Business Wire reports "Endor Labs Unveils New Research on Impact of Open-Source Software on Supply Chain Security"

According to the Cybernews research team, web Explorer - Fast Internet, an Android browsing app, left its Firebase instance open, exposing app and user data. Firebase is a mobile app development platform with numerous analytics, hosting, and real-time cloud storage features. Web Explorer - Fast Internet is a Google Play store browsing app with over five million downloads. It claims to increase browsing speed by 30 percent and has received an average user rating of 4.4 out of five stars from over 58,000 reviews. The open Firebase instance contained days' worth of redirect data, presented by user ID, including country, redirect initiating address, and redirect destination address. However, simply obtaining the data that Web Explorer - Fast Internet left exposed would not suffice, as a threat actor would also have to know where app developers keep additional user data. Cross-referencing the leaked data with additional information may amplify any harm done to the app's users. When the team discovered the open instance, they contacted Web Explorer - Fast Internet but had not received a response at the time of publication. However, the open Firebase instance has been closed and is no longer accessible. According to the team, with the instance closed, threat actors no longer have access to sensitive redirect data, which could have allowed them to de-anonymize Web Explorer - Fast Internet users' browsing activity with additional effort. Google Play store data reveals that the app was last updated on October 28, 2020, implying that hardcoded secrets are still present. This article continues to discuss the Android app Web Explorer - Fast Internet leaving its Firebase instance open, exposing sensitive data that malicious actors could use to check users' browsing history.

Cybernews reports "Android App With Over 5M Downloads Leaked User Browsing History"

Google's Threat Analysis Group (TAG) discovered a zero-day exploit for an Internet Explorer (IE) vulnerability that was used to target South Korean users. TAG made the discovery in October 2022 and found malware in documents emailed to targets. The hidden malware in the documents took advantage of a vulnerability, tracked as CVE-2022-41128, in the browser's JScript engine. TAG attributed the attacks to North Korean government-backed actors known as APT37. APT37 has previously used IE zero-days to target users, with a preference for those based in South Korea, such as journalists, human rights activists, and North Korean defectors. The malware-infected document attempted to capitalize on public interest in a devastating accident that occurred in South Korea in October. Multiple South Korean submitters flagged the malware to Google's TAG by uploading the Microsoft Office document to VirusTotal, a Google-owned website that analyzes suspicious files, domains, or URLs. Researchers discovered that the document downloaded a Rich Text File (RTF) remote template before fetching HTML content. Since Microsoft Office renders HTML content with IE, this technique has been widely used to distribute IE exploits via Office files since 2017, according to TAG. Using this vector to deliver IE exploits does not require the target to use IE as its default browser or to chain the exploit with an EPM sandbox escape. The flaw stems from IE's JavaScript engine and can be exploited to execute arbitrary code when rendering an attacker-controlled website. The bug is caused by incorrect JIT optimization, which causes type confusion. TAG notified Microsoft of the vulnerability on October 31, 2022, and it was patched five days later, on November 8, 2022. This article continues to discuss the IE zero-day exploited by the North Korean threat actor APT37.

ITPro reports "Google Unearths Internet Explorer Zero-Day Exploited by North Korean Hackers"

Security researchers at Group-IB have uncovered a prolific investment fraud group that may have made half a billion dollars in profits over the past four years. Named "CryptosLabs" after a scam website template it used, the group's fake investment scheme is built on a highly organized group of "kingpins," sales agents, developers, and call-center operators. The researchers noted that victims are lured by messages left on investment forums or advertising on social media and search engines. The researchers stated that the gang spoofed at least 40 popular European brands from the banking, fintech, crypto, and asset management industries to add legitimacy to their offerings. If victims clicked on an ad, they would be taken to one of 300 spoofed domains hosted on 70 servers, which usually impersonate well-known financial and asset management companies. After leaving their details on the phishing sites, the victims would be contacted by phone by a call-center scammer pretending to be a personal manager from the investment division of the relevant spoofed company. They would be provided with credentials to log in to the trading portal and asked to pay a $210-315 deposit to start investing in stocks, crypto, and NFTs. The researchers noted that victims would be shown fake growth curves and stats to keep them investing, with all the money heading to the scammers. If a victim wanted to leave, they'd be required to pay a fee to receive their non-existent funds, which also goes to the fraudsters. All the victims of CryptosLabs are from French-speaking parts of Europe: France, Luxembourg, and Belgium.

Infosecurity reports: "Investment Fraud Gang May Have Made $500m"

Cybercriminals are scamming each other and using arbitration to settle disputes about the scams. Sophos experts investigated two Russian-language cybercrime forums with Access-as-a-Service (AaaS) listings, as well as an English-language cybercrime forum and marketplace specializing in data leaks. All three were discovered to have their own arbitration rooms. The practice of cybercriminals scamming each other is lucrative even though this resolution process occasionally results in mayhem among the "plaintiffs and defendants," with some accused criminals disappearing or calling the complainants themselves "rippers." Researchers looked at 600 scams over the course of a year that cost threat actors a combined total of more than $2.5 million on just these three forums, with claims ranging from $2 to $160,000. They discovered a sub-economy of cybercriminals while looking into scams, including not just lower-level criminals but some of the most well-known ransomware organizations. These scams are not always just done for money since rivalries and personal grudges were found to be common. They also discovered instances where cybercriminals would scam the scammers who had scammed them. In one instance, they discovered a trolling competition set up to exact revenge on a scammer who was attempting to trick users into paying $250 to become a member of a fake underground forum. The "contest winner" took home $100. The researchers also found that the arbitration processes left a wealth of untapped intelligence behind, which security experts and law enforcement could use to better understand and combat the actions of cybercriminals. This article continues to discuss observations made from the exploration of cybercriminal sites.

Help Net Security reports "Cybercriminals Are Scamming Each Other, Tipping off Law Enforcement"

In supply chain attacks affecting organizations in Israel, Hong Kong, and South Africa, the Iranian Agrius Advanced Persistent Threat (APT) hacking group is employing a new 'Fantasy' data wiper. The campaign began in February and reached its peak in March 2022, infiltrating an Information Technology (IT) support services firm, a diamond wholesaler, a jeweler, and a Human Resources (HR) consulting firm. Agrius used a new wiper called Fantasy in this campaign, which was hidden inside a software suite created by an Israeli vendor. This software is widely employed in the diamond industry. According to ESET analysts, Fantasy is an evolution of the threat actor's previous campaign wiper, 'Apostle.' Wipers are a type of malware that deletes data from compromised computers, resulting in digital destruction and business disruption. On February 20, 2022, the Agrius APT breached a South African diamond industry organization, dropping credential harvesters like MiniDump and SecretsDump on its network to steal account credentials. The Fantasy data wiper is a 32-bit Windows executable. Upon execution, it obtains a list of all drives and their directories, with the exception of the Windows folder. Fantasy overwrites each file's content with random data, resets the timestamps to midnight 2037, and deletes it. This procedure attempts to keep the files from being recovered using data recovery software. Fantasy then deletes registry keys in HKCR, clears all WinEventLogs, deletes the Windows SystemDrive folder, and goes to sleep for two minutes. After another 30-second delay, the wiper overwrites the master boot record, deletes itself, and reboots the system. This article continues to discuss the Agrius APT hacking group and its use of the new Fantast data wiper in supply chain attacks.

Bleeping Computer reports "Hackers Use New Fantasy Data Wiper in Coordinated Supply Chain Attack"

Satellites and the space-based services they provide are critical to modern society, as they support telecommunications, the Global Positioning System (GPS), and accessible Internet connections for millions of people worldwide. In space, security is a persistent issue that is likely to get worse. Attacks launched against ViaSat and Starlink Internet services in Ukraine this year included jamming, GPS spoofing, and other cyberattacks. The flow of information is disrupted by jamming Starlink connections, which could be critical in a conflict. Although limited in scope, anti-satellite weapons (ASAT) are real. According to a University of Oxford research paper on satellite cybersecurity, as space systems become more interconnected and computationally complex, new concerns about the threat of cyberattacks have arisen. The US Department of Defense (DOD) pointed out the People's Republic of China as one threat. According to an in-depth research paper on China's military power, space is on the agenda, with electronic warfare as part of that strategy. A successful cyberattack on a satellite could have serious ramifications. Blocking communications with the satellite, for example, could disrupt critical communications and services for millions of people on the ground. A cyberattack could change a satellite's course to disrupt or permanently damage it. While there may be rules and conventions prohibiting governments from conducting full-scale cyberattacks on satellites operated by other nations in space, the war in Ukraine shows that disrupting satellite communications is not entirely off the table. Although cyberattacks against satellites appear unlikely in the near future, anything built with Internet of Things (IoT) connectivity can be accessed via the Internet, potentially including satellites. This article continues to discuss cyber threats facing space systems.

ZDNet reports "Cyberspace in Space: The Out-Of-This-World Challenges Ahead"

Searching the Internet can expose information that a user would prefer to keep private. For example, when someone searches for medical symptoms online, they may be disclosing their health conditions to Google, an online medical database such as WebMD, and possibly hundreds of these companies' advertisers and business partners. Researchers have long been developing techniques that allow users to search for and retrieve information from a database privately. However, these methods are still too slow to be used effectively. Therefore, MIT researchers developed a method for retrieving private information approximately 30 times faster than comparable methods. Their method allows users to search an online database without disclosing their query to the server. Furthermore, it is driven by a simple algorithm that would be easier to implement than previous work's more complicated approaches. Their method could allow for private communication by preventing a messaging app from knowing what users are saying or who they are communicating with. It could also be used to retrieve relevant online advertisements without advertising servers learning about a user's preferences. The MIT researchers devised Simple PIR, a protocol in which the server performs much of the underlying cryptographic work before a client sends a query. This preprocessing step generates a data structure that contains compressed information about the database contents and is downloaded by the client before sending a query. The data structure serves as a hint to the client about what is contained in the database. Once the client has this hint, it can make an infinite number of queries, and these queries will be much smaller in terms of both the size of the messages sent by the user and the work that the server needs to do. To reduce the size of the hint, the researchers created a second technique called Double PIR, which essentially involves running the Simple PIR scheme twice. This article continues to discuss the fast method developed by MIT researchers to enable users to search for information without revealing their queries.

MIT News reports "A Faster Way to Preserve Privacy Online"

Over half (54 percent) of those who participated in Immuta's third annual State of Data Engineering Survey say one of their biggest challenges is securing data with appropriate access rights. While nearly 60 percent believe their organizations should place a greater emphasis on data security. According to the survey, 89 percent of organizations are missing out on business opportunities due to data access bottlenecks. Data is increasingly being recognized as a critical business resource, but organizations surveyed report using only 58 percent of their data in decision-making. The disconnect between security and access negatively impacts data engineers' daily lives, with 40 percent reporting that managing data access burns them out. According to Matthew Carroll, CEO of Immuta, as data moves from on-premises to the cloud, this disconnect between data security and access harms organizations' data-driven initiatives and business outcomes. It increases their risk of data leaks and breaches. CISOs must become modern data stack enablers to better support data teams in bridging these disconnects. This calls for more collaboration between security and data leaders and their teams in order to effectively balance security and access. More than half (63 percent) of data professionals say they do not have complete visibility into who has access to what data. Responses to which team is responsible for validating policy compliance with regulations vary greatly between the Information Technology (IT) team (40 percent), security team (14 percent), data team (14 percent), compliance team (12 percent), privacy team (12 percent), and legal team (9 percent), thus demonstrating the lack of a standardized process across organizations. This article continues to discuss key findings from Immuta's third annual State of Data Engineering Survey.

BetaNews reports "Security and Access Are Top Issues for Data Engineers"

The cybersecurity firm Trellix has released its annual threat predictions report for 2023. Trellix Advanced Research Center forecasts an increase in geopolitically motivated attacks across Asia and Europe, as well as hacktivism driven by tensions between opposing political parties and vulnerabilities in core software supply chains. According to John Fokker, Trellix's Head of Threat Intelligence, analyzing current trends is important, but being predictive in cybersecurity is critical. While organizations focus on near-term threats, it is essential to have a proactive posture by looking beyond the horizon. Global political events and the adoption of new technology will result in the emergence of novel threats from more sophisticated threat actors. Geopolitical factors will continue to drive misinformation campaigns and cyberattacks coordinated with kinetic military activity. When groups of loosely organized individuals fueled by propaganda band together for a common cause, they will increase their use of cyber tools to express their rage and cause disruption around the world. Both threat actors and security researchers will increase their research into underlying software frameworks and libraries, which will result in a rise in breaches related to software supply chain issues. Teens and young adults will become increasingly involved in cybercrime, from large-scale attacks on businesses and governments to low-level crimes against family, friends, peers, and strangers. Outsourcing malware creation and operation, malware diversification, and the use of leaked source code will make attribution of cyberthreats to specific threat actors increasingly difficult. There will be a significant increase in advanced cyber actors disrupting critical infrastructure in vulnerable targets. Weaponized phishing attacks will become more common across popular business communication services and apps such as Microsoft Teams, Slack, and others. This article continues to discuss threat predictions made by Trellix for 2023.

AP News reports "Trellix Predicts Heightened Hacktivism and Geopolitical Cyberattacks in 2023"

Phosphorus Labs reported that 99 percent of Extended Internet of Things (xIoT) device passwords violate industry best practices. The study discovered that 68 percent of xIoT devices have high-risk or CVSS scores of 8-10. According to the report, 80 percent of security teams are unable to identify the majority of their xIoT devices. According to Bud Broomhead, CEO of Viakoo, the issues identified by Phosphorus are genuine, but the solutions are not so simple. Broomhead stated that knowing that IoT devices are functioning properly through service assurance is also a component of hardening and securing devices. Discovering IoT devices and assessing their vulnerabilities is critical, but it is also a problem that has already been solved by leading vendors such as Armis, Forescout, Nozomi, and others. More emphasis should be placed on adding unique IoT and IoT application data to discovery and configuration management database solutions, so that records of historical operations can be used to harden and secure IoT systems. Phosphorus Labs' new findings should concern leaders from supply chain to engineering. The percentage of vulnerable devices is a direct result of designing without regard for security or lifecycle. Security requirements must sit alongside functional requirements and be considered when a product is conceptualized. This article continues to discuss xIoT devices being out of compliance with industry best practices.

SC Media reports "Vast Majority of xIoT Devices Out of Compliance With Industry Best Practices"

Google recently announced the December 2022 Android updates with patches for over 75 vulnerabilities, including multiple critical remote code execution (RCE) flaws. The most severe of the RCE bugs is CVE-2022-20411, an issue in Android's System component that could be exploited over Bluetooth. Two other critical-severity RCE flaws (CVE-2022-20472 and CVE-2022-20473) were resolved in the Framework component. Google also patched a critical information disclosure (CVE-2022-20498) in the System component. Google noted that all four issues were resolved as part of the 2022-12-01 security patch level, which addresses a total of 41 vulnerabilities in Android Runtime (1), Framework (20), Media framework (1), and System (19). Most of the addressed security defects are high-severity flaws, with escalation of privilege being the most common type. Information disclosure and denial-of-service (DoS) issues were also resolved. Google noted that an additional 35 high-severity vulnerabilities were resolved as part of the 2022-12-05 security patch level in Kernel, Imagination Technologies, MediaTek, Unisoc, and Qualcomm components. Devices using a security patch level of 2022-12-05 or newer include patches for all the vulnerabilities above and those resolved with previous Android security updates. Google stated that a total of 151 Pixel-specific vulnerabilities were resolved this month. Most of the bugs are medium-severity escalation of privilege issues, with numerous information disclosure bugs addressed as well. Pixel devices running a security patch level of 2022-12-05 include patches for all vulnerabilities described in the December 2022 Android security bulletin and the 151 bugs mentioned above.

SecurityWeek reports: "Over 75 Vulnerabilities Patched in Android With December 2022 Security Updates"

Antwerp, Belgium, is working to restore digital services that were disrupted by a cyberattack on its digital provider. The outage has impacted services used by citizens, schools, daycare centers, and law enforcement, all of which have been operating intermittently. An investigation is ongoing, but the limited information available points to a ransomware attack by an unknown threat actor. According to Het Laatste Nieuws (HLN), the hackers were able to disrupt Antwerp's services after breaching the servers of Digipolis, the city's digital partner that provides administrative software. The publication also notes that almost all Windows applications have been impacted. Some departments' phone service was also down. Alexandra d'Archambeau, a councilor from the Wilrijk district, stated that the city's email service was unavailable. According to De Standaard, it received confirmation from an unknown actor that ransomware was the source of the disruption. The city's reservation system has also been shut down, preventing residents from receiving their identity cards. In addition, only travel cards could be collected. The Antwerp Healthcare Company (Zorgbedrijf Antwerpen), which provides residential care services to seniors in the province, was among the services affected by the attack. According to Johan De Muynck, general manager of Zorgbedrijf, the attack rendered the software that tracked who should receive medication inoperable. This compelled the staff at 18 residential care facilities to switch to pen and paper and rely on traditional paper prescriptions for the seniors who required them. This article continues to discuss how a cyberattack has impacted the city of Antwerp, Belgium.

Bleeping Computer reports "Antwerp's City Services Down After Hackers Attack Digital Partner"

The state-owned VTB Bank, Russia's second-largest financial institution, has reported the largest Distributed Denial-of-Service (DDoS) attack in its history. The pro-Ukraine collective IT Army of Ukraine has claimed responsibility for the DDoS attacks as the hacktivist group announced the offensive activity on its Telegram channel in November. The attack is causing issues for the bank's customers, who are unable to access the bank's website or mobile app. However, the bank also stated that the attack did not compromise customer data. Cyberattacks on the infrastructure of government and private Russian entities increased following the start of the invasion of Ukraine. Most of the attacks are carried out by pro-Ukraine hacktivists, while pro-Russian groups such as the Killnet collective target organizations and governments worldwide that have offered support to Kyiv. VTB confirmed that, despite the majority of the malicious traffic originating from outside Russia, the attacks also originated from Russian IP addresses. The financial institution reported the Russian IP addresses to law enforcement in order for them to be taken over. This article continues to discuss the DDoS attack faced by VTB Bank.

Security Affairs reports "Russia's Second-Largest Bank VTB Bank Under DDoS Attack"

Many trusted Endpoint Detection and Response (EDR) technologies may contain a flaw that allows attackers to cause products to erase almost all data on installed systems. Or Yair, a SafeBreach security researcher who discovered the flaw, tested 11 EDR tools from various vendors and discovered that six of them, from a total of four vendors, were vulnerable. Microsoft Windows Defender, Windows Defender for Endpoint, TrendMicro ApexOne, Avast Antivirus, AVG Antivirus, and SentinelOne were all vulnerable. Prior to Yair disclosing the issue at the Black Hat Europe conference on December 7, three of the vendors assigned formal CVE numbers to the bugs and issued patches for them. Yair published proof-of-concept (POC) code dubbed Aikido that he created to demonstrate how a wiper could manipulate a vulnerable EDR into wiping almost any file on the system, including system files, with only the permissions of an unprivileged user. He estimated that the wiper would be effective against hundreds of millions of endpoints running vulnerable EDR versions. The vulnerability is related to how some EDR tools delete malicious files. There are two critical events in the deletion process. There is a time when the EDR flags a file as malicious and another time when the file is actually deleted, which may require a system reboot. According to Yair, between these two events, an attacker can use what are known as NTFS junction points to direct the EDR to delete a different file than the one that it identified as malicious. NTFS junction points are similar to symbolic links, which are shortcut files to other folders and files on a system, except that the junctions are used to connect directories on different local volumes on a system. This article continues to discuss the vulnerability that could manipulate EDR products into becoming data wipers.

Dark Reading reports "For Cyberattackers, Popular EDR Tools Can Turn into Destructive Data Wipers"

Microsoft retired the Boa web server in 2005, but it is still widely used. The company recently revealed that malicious actors in attacks against the energy industry have exploited a vulnerability in the server's open-source component. This development further highlights the supply chain's ongoing vulnerability to attacks. While investigating electrical grid intrusion activity involving common Internet of Things (IoT) devices as the vector used to gain a foothold in Operational Technology (OT) networks and deploy malicious payloads, Microsoft discovered a vulnerable component on all IP addresses published as indicators of compromise (IOCs). The company also found evidence of a supply chain risk that could affect millions of organizations and devices. The ability to collect information undetected before an attack in critical infrastructure networks allows attackers to have a greater impact once the attack is launched, potentially disrupting operations that can cost millions of dollars and affect millions of people. The compromised component was tracked down to the Boa web server. According to Microsoft researchers, the component in question is commonly used to access device settings, management consoles, and sign-in screens. Different vendors continue to implement Boa across various IoT devices and popular Software Development Kits (SDKs). The inclusion of Boa in popular SDKs could be attributed to its continued development in IoT devices. Vulnerable components such as Boa and SDKs are often distributed to customers within devices, adding to supply chain vulnerabilities. Without developers managing the Boa web server, known vulnerabilities could allow attackers to silently gain network access by gathering data from files. Furthermore, those impacted may be unaware that their devices use the decommissioned Boa web server and that firmware updates and patches do not address its known vulnerabilities. This article continues to discuss the flaw in the discontinued Boa web server posing a supply chain risk to IoT and OT environments.

Security Boulevard reports "Flaw in Aged Boa Web Server Threatens Supply Chain"

Security researchers at CrowsStrike are warning that a threat actor tracked as "Scattered Spider" is targeting telecommunications and business process outsourcing (BPO) companies in an effort to gain access to mobile carrier networks and perform SIM swapping. The researchers noted that Scattered Spider is a financially-motivated threat actor and has been observed increasingly targeting the telecoms industry since June 2022, setting up persistence mechanisms and even reverting implemented mitigations to regain access to the compromised networks. According to the researchers, Scattered Spider has been relentlessly trying to gain access to victim networks, typically performing daily operations once access has been obtained. The researchers noted that the threat actor was seen deploying virtual private network (VPN) and remote monitoring and management (RMM) tools. After successfully containing Scattered Spider's intrusion into one organization, the threat actor moved to a different company in the same vertical, using the same tactics, techniques, and procedures (TTPs). The researchers stated that in all observed intrusions, the adversary attempted to leverage access to mobile carrier networks from a Telco or BPO environment. In two investigations, SIM swapping was performed by the adversary. The researchers noted that for initial access, the threat actor leveraged social engineering, including via phone calls and SMS and Telegram messages impersonating IT staff, to trick victims into entering their credentials on a phishing page or downloading and installing an RMM tool controlled by the attackers. The threat actors would also engage with the victims directly to obtain their one-time password (OTP) if multi-factor authentication (MFA) was enabled or relied on MFA push-notification fatigue.

SecurityWeek reports: "Scattered Spider Cybercrime Group Targets Mobile Carriers via Telecom, BPO Firms"