News Items

A major US energy company was the target of a phishing campaign that sent more than 1,000 emails containing malicious QR codes designed to steal Microsoft credentials. The campaign, which Cofense discovered in May, used both PNG image attachments and redirect links associated with Microsoft Bing and well-known business applications, such as Salesforce and CloudFlare's Web3 services, with embedded QR codes. The fake Microsoft security alerts claimed that recipients were required to update their account's security settings for two-factor authentication (2FA), multi-factor authentication (MFA), and more. The images and links within the messages led recipients to a phishing page aimed at stealing Microsoft credentials. Although the campaign impacted multiple industries, a leading energy company in the US received the lion's share of the phishing emails, with its employees receiving over 29 percent of the more than 1,000 emails containing malicious QR codes. This article continues to discuss findings regarding the QR code phishing campaign.

Dark Reading reports "QR Code Phishing Campaign Targets Top US Energy Company"

Cleaning products manufacturer and marketer Clorox recently announced that it has taken certain systems offline in response to a cyberattack. In a statement, the organization said it recently identified unusual activity on its IT systems. Upon detection, they immediately took steps to stop the activity and took certain systems offline. The affected systems remain offline as it is working on adding more "protections and hardening measures to further secure them." Clorox noted that, as a result, some operations are temporarily impaired. In a Form 8-K filing with the Securities and Exchange Commission (SEC), the company said it has implemented workarounds to enable offline operations and continue servicing customers, but disruptions are expected to continue. Clorox also told the SEC that it has informed law enforcement of the incident and that it is working with third-party cybersecurity experts to investigate the attack and restore its operations. Clorox did not provide additional information on the type of cyberattack it has fallen victim to. Clorox did not say whether any data was stolen from its systems nor how long it might take to restore the impacted systems. Clorox noted that the investigation into the nature and scope of the incident remains ongoing and is in its very early stages. Based in Oakland, California, Clorox makes and sells consumer and professional cleaning products, including Brita, Glad, Green Works Cleaning Products, Kingsford, Liquid-Plumr, Pine-Sol, and Tilex. The company has locations in 25 countries and territories worldwide and a market presence in over 100 countries.

SecurityWeek reports: "Cleaning Products Giant Clorox Takes Systems Offline Following Cyberattack"

According to SafeBreach researcher Or Yair, Microsoft's OneDrive file-sharing program can be used as ransomware to encrypt most files on a target machine beyond recovery, partly because Windows and Endpoint Detection and Response (EDR) programs inherently trust the program. Microsoft has patched OneDrive so that this vulnerability no longer affects client versions 23.061.0319.0003, 23.101.0514.0001, and later. Yair has packaged his OneDrive attack process into an automated tool called DoubleDrive, which is available on GitHub and compatible with older OneDrive versions. This article continues to discuss the DoubleDrive attack.

SC Media reports "'DoubleDrive' Attack Turns Microsoft OneDrive Into Ransomware"

The Colorado Department of Health Care Policy and Financing (HCPF) has recently revealed that the personal information of millions of individuals was compromised in a data breach resulting from the recent MOVEit cyberattack. The HCPF informed the Maine Attorney General's office that it has started informing close to 4.1 million individuals that their personal information might have been compromised in the incident. HCPF revealed that, on May 28, an unauthorized party accessed certain HCPF files that IBM, which is providing certain services to the organization, was transferring using MOVEit. Those files contained the personal information of both Health First Colorado (Medicaid) and Child Health Plan Plus members. The exposed information, the organization says, includes names, addresses, birth dates, Social Security numbers, demographic or income information, medical information, treatment information, and health insurance information. On August 11, the agency started notifying the potentially impacted individuals of the data breach, offering free credit monitoring and identity restoration services.

SecurityWeek reports: "Colorado Health Agency Says 4 Million Impacted by MOVEit Hack"

A new cybersecurity threat known as QwixxRAT, a Remote Access Trojan (RAT), was recently discovered by the Uptycs Threat Research team in early August 2023. According to the researchers, QwixxRAT has caught attention due to its unusual distribution method. The threat actor behind it is spreading the malicious tool through popular communication platforms, Telegram and Discord. The researchers noted that once it gains access to a victim's Windows-based machine, QwixxRAT discreetly collects sensitive data, sending it to the attacker's Telegram bot. The researchers stated that beyond mere data theft, QwixxRAT wields formidable remote administrative tools, enabling attackers to control victim devices, launch commands, and even destabilize systems. To evade detection, the RAT employs a Telegram bot for command-and-control functionalities. This also allows the attacker to remotely manage the RAT and execute operations without triggering antivirus alarms. The researchers noted that QwixxRAT's impact is global, as its reach has been observed in evaluations of compromised systems worldwide. The researchers noted that from a technical standpoint, the RAT file is a C# compiled binary, functioning as a 32-bit executable file designed for CPU operations. The researchers revealed that the threat actor employed two distinct names for the same Remote Access Trojan (RAT). One alias used was "Qwixx Rat," while the other was identified as "TelegramRAT." The main function consists of a total of 19 individual functions, each serving a unique purpose.

Infosecurity reports: "New QwixxRAT Trojan Spreads Through Messaging Apps"

The National Institute of Standards and Technology's (NIST) Cybersecurity Framework (CSF) has been updated, and is now aimed at organizations of all sizes. The framework was introduced nearly a decade ago as technical cybersecurity guidance for critical infrastructure interests such as energy, banking, and hospitals. Version 2.0 of the widely used NIST CSF has added a sixth function, govern, to the original framework's five (identify, protect, detect, respond, and recover) for an effective cybersecurity program. Viakoo's CEO, Bud Broomhead, explained that the new NIST update does not just help organizations with basic cybersecurity functions as it extends to other enterprise areas. Expanding the scope of the NIST framework to include all types of organizations acknowledges that all organizations face cyber threats and must have a plan to manage cyber hygiene and incident response. This article continues to discuss the updates and business benefits of CSF 2.0.

Dark Reading reports "What's New in the NIST Cybersecurity Framework 2.0"

In the second quarter of 2023, according to Gartner, the availability of generative Artificial Intelligence (AI), such as OpenAI's ChatGPT and Google Bard, became a top concern for enterprise risk executives. Generative AI was the second most frequently cited risk in Gartner's second quarter survey, making its debut in the top ten. This reflects the rapid rise in public awareness and usage of generative AI tools, as well as the scope of potential use cases. Gartner surveyed 249 senior enterprise risk executives in May 2023 to provide a benchmarked view of 20 emerging risks to business leaders. The report contains comprehensive information on the potential impact, time frame, level of attention, and perceived opportunities associated with these risks. This article continues to discuss key findings and observations regarding generative AI risks and regulatory challenges.

Help Net Security reports "Navigating Generative AI Risks and Regulatory Challenges"

The Norfolk and Suffolk police in the UK have recently confirmed the accidental exposure of personal data belonging to more than 1000 individuals, including crime victims. The disclosure occurred within Freedom of Information (FOI) responses issued by law enforcement agencies. According to a joint statement from the East Anglian constabularies, a "technical issue" resulted in the inclusion of raw crime report data in a "very small percentage" of FOI responses distributed between April 2021 and March 2022. The compromised data in the Norfolk and Suffolk breach encompassed information stored within a dedicated police system, including data on crime reports, details regarding victims, witnesses, and suspects, and descriptions of the criminal acts. The spectrum of offenses encompassed domestic incidents, sexual offenses, assaults, thefts, and instances of hate crime.

Infosecurity reports: "UK Police Data Breach Exposes Victim Information"

As opportunities for network data collection increase and usage patterns change, "network parenting" methods must evolve. People continue to make mistakes despite well-defined security policies, technical safeguards, and extensive user education, and adversaries continue to be successful. According to Daniel Ruef, a researcher with Carnegie Mellon Software Engineering Institute's (SEI) Computer Emergency Response Team (CERT) Division, using the perspective of a Security Operations Center (SOC) treating their network as children for which they are responsible, aspects of parenting can be applied to determine uses of monitored data to build greater situational awareness. This article continues to discuss the importance of listening to one's network, the role of Endpoint Detection and Response (EDR) data, tailoring analytics to the cloud, and the need for real-time streaming data analysis.

Carnegie Mellon University Software Engineering Institute reports "Netflow in the Era of EDR and Cloud: Helicopter Parenting for Your Network"

The US government recently announced that the DHS's Cyber Safety Review Board (CSRB) is going to conduct a review on malicious attacks targeting cloud environments. The initiative will focus on providing recommendations for government, industry, and cloud services providers to improve identity management and authentication in the cloud. The DHS noted that initially, the review will focus on the recent Microsoft cloud hack but will then expand to issues relating to cloud-based identity and authentication infrastructure affecting applicable CSPs and their customers. The CSRB was established in February 2022 and is an initiative tasked with reviewing major cyber events, including their root cause, mitigations, and response.

SecurityWeek reports: "US Cyber Safety Board to Review Cloud Attacks"

Synack Red Team Members discovered several vulnerabilities in the ScrutisWeb ATM fleet monitoring software made by French company Iagona that could be exploited to remotely hack ATMs. The vendor patched the vulnerabilities in July 2023 with the release of ScrutisWeb version 2.1.38. ScrutisWeb allows organizations to monitor banking or retail ATM fleets from a web browser, enabling them to quickly respond to problems. The solution can be used to monitor hardware, reboot or shut down a terminal, send and receive files, and modify data remotely. It's worth noting that ATM fleets can include check deposit machines and payment terminals in a restaurant chain. The four types of vulnerabilities found by the researchers include CVE-2023-33871, CVE-2023-38257, CVE-2023-35763, and CVE-2023-35189. The flaws include path traversal, authorization bypass, hardcoded cryptographic key, and arbitrary file upload issues that can be exploited by remote, unauthenticated attackers. The researchers noted that threat actors could exploit the flaws to obtain data from the server (configurations, logs, and databases), execute arbitrary commands, obtain encrypted administrator passwords, and decrypt them using a hardcoded key. The researchers said an attacker can leverage the flaws to log into the ScrutisWeb management console as an admin and monitor the activities of connected ATMs, enable management mode on the devices, upload files, and reboot or power them off. Hackers could also exploit the remote command execution vulnerability to hide their tracks by deleting relevant files. The researchers noted that additional exploitation from this foothold in the client's infrastructure could occur, making this an internet-facing pivot point for a malicious actor.

SecurityWeek reports: "Iagona ScrutisWeb Vulnerabilities Could Expose ATMs to Remote Hacking"

Alberta Dental Service Corporation (ADSC) has recently revealed that nearly 1.47 million individuals have been affected by a data breach that occurred between May 7 and July 9, 2023. ADSC administers dental benefits through various programs, and the incident has raised concerns over compromised personal information. The company stated that the breach was discovered on July 9, 2023, when an unauthorized third party gained access to a portion of ADSC's IT infrastructure and deployed malware, temporarily encrypting specific systems and data. ADSC didn't reveal how they were compromised. The breach impacted three groups in particular. Dental Assistance for Seniors Plan clients enrolled between July 1, 2015, and July 9, 2023, may have had their personal information compromised, including name, address, personal health number, date of birth, and dental benefits details. Low-Income Health Benefits Plan clients enrolled from January 1, 2006, to July 9, 2023, may have had their name, date of birth, dental benefits details, and government-issued identification number compromised. Dental Services Providers enrolled for direct payment of eligible health claims between January 1, 2010, and July 9, 2023, may have had their corporate details and license numbers exposed.

Infosecurity reports: "Alberta Dental Services Security Breach Exposes 1.47M Records"

Phishing attacks are becoming increasingly sophisticated, requiring more advanced detection methods. Din Serussi, manager of the incident response group at Perception Point, explained that this is because modern forms of phishing are more difficult to detect, especially when employees work remotely, and are more challenging to protect. According to Serussi, 91 percent of cyberattacks start with a phishing email. In the past, it required time for an attacker to create a phishing template, but Artificial Intelligence (AI) can now generate a phishing template with an embedded malicious URL and malicious file in 30 seconds. This article continues to discuss Serussi's insights on modern phishing tactics used by attackers and how to address them.

Dark Reading reports "As Phishing Gets Even Sneakier, Browser Security Needs to Step Up"

Ford warns of a buffer overflow vulnerability in the SYNC3 infotainment system used in many Ford and Lincoln vehicles, which could enable Remote Code Execution (RCE), but claims that vehicle safety is unaffected. SYNC3 is a modern infotainment system that supports Wi-Fi hotspots, phone connectivity, voice commands, and third-party applications. The WL18xx MCP driver for the Wi-Fi subsystem of the car's infotainment system contains the vulnerability, tracked as CVE-2023-29468. It allows an attacker within Wi-Fi range to cause a buffer overflow using a specially crafted frame. This article continues to discuss the potential exploitation and impact of the vulnerability in the SYNC3 infotainment system.

Bleeping Computer reports "Ford Says Cars With Wi-Fi Vulnerability Still Safe to Drive"

Multiple security flaws in AudioCodes desk phones and Zoom's Zero Touch Provisioning (ZTP) could be exploited by an adversary to conduct remote attacks. Using the vulnerabilities discovered in AudioCodes desk phones and Zoom's ZTP feature, an external attacker can gain complete remote control of the devices, according to an analysis by a SySS security researcher. The unrestricted access could then be used to eavesdrop on rooms or phone conversations, pivot through the devices to attack corporate networks, and even assemble a botnet of infected devices. This article continues to discuss the potential exploitation and impact of the vulnerabilities in AudioCodes desk phones and Zoom's ZTP.

THN reports "Zoom ZTP & AudioCodes Phones Flaws Uncovered, Exposing Users to Eavesdropping"

Southwest Research Institute (SwRI) has developed an algorithm to remotely update and fix spacecraft software using less time and data than other techniques. Not only does the tool improve the overall efficiency of satellite software transmissions, but it can also recover data from unsuccessful over-the-air updates and malicious cyberattacks. It identifies missing bytes and other errors before applying a custom "micropatch" to missing or damaged software. Instead of updating an entire file or operating system, as is typically required with over-the-air satellite software updates, the tool can detect and fix smaller errors, according to Henry Haswell, a research engineer in SwRI's Intelligent Systems Division. Researchers deployed and tested the tool on the International Space Station (ISS). SwRI collaborated with Axiom Space Inc. and Amazon Web Services (AWS) to upload and assess the micropatch technology on an ISS computer operated by Axiom Space. This article continues to discuss the SwRI micropatch algorithm that improves ground-to-spacecraft software update efficiency.

Southwest Research Institute reports "SwRI Micropatch Algorithm Improves Ground-To-Spacecraft Software Update Efficiency"

Gootloader, a Search Engine Optimization (SEO) watering hole technique, has been observed targeting legal-related search terms. It has been identified as a threat to law firms and individuals conducting research online for legal information. According to Trustwave's SpiderLabs, the Gootloader malware exploits compromised WordPress sites for malware distribution and uses SEO poisoning techniques to achieve high rankings in web search results. Through the manipulation of search engine results and luring of unsuspecting users to compromised websites, Gootloader exploits users' trust in search results to deliver malicious payloads. Researchers found that close to 50 percent of these cases target law firms. In addition to English, the Gootloader campaign also targets the French, Spanish, Portuguese, German, and South Korean languages. This article continues to discuss findings regarding the Gootloader campaign.

SC Magazine reports "Gootloader SEO Watering Hole Malware Targets Law Firms"

Multiple vulnerabilities have recently been identified in the widely used Avada theme and its accompanying Avada Builder plugin. Security researchers at Patchstack discovered the flaws. The researchers noted the Avada Builder plugin exhibits two weaknesses. The first is an Authenticated SQL Injection (CVE-2023-39309). The researchers stated that by exploiting this vulnerability, attackers possessing authenticated access could breach sensitive data and potentially execute remote code. The second vulnerability is a Reflected Cross-Site Scripting (XSS) vulnerability (CVE-2023-39306), enabling unauthenticated attackers to pilfer sensitive information and potentially heighten their privileges on impacted WordPress sites. Patchstack also discovered various vulnerabilities in the Avada theme. First among them is a Contributor+ Arbitrary File Upload vulnerability (CVE-2023-39307). With this vulnerability, contributors gain the ability to upload arbitrary files, which may encompass detrimental PHP files, thereby enabling remote code execution and compromising site integrity. The researchers also found an Author+ flaw (CVE-2023-39312). Here, the researchers were able to attain the capability to upload malevolent zip files, thereby introducing the potential for remote code execution and vulnerabilities within the site. The researchers stated that the last vulnerability discovered is the Contributor+ Server-Side Request Forgery (SSRF) vulnerability (CVE-2023-39313). Through this loophole, Contributors can instigate requests to internal services on the WordPress server, thereby potentially initiating unauthorized actions or data access within the organizational framework. The researchers noted that the vulnerabilities were reported to the Avada vendor on July 6, 2023, leading to the release of patched versions on July 11, 2023. To address these vulnerabilities, users are urged to update the Avada Builder plugin to version 3.11.2 and the Avada theme to version 7.11.2. The researchers noted that ensuring prompt updates is crucial to maintain website security.

Infosecurity reports: "Multiple Flaws Found in the Avada WordPress Theme and Plugin"

According to university researchers, nearly 70 Virtual Private Network (VPN) clients and servers are vulnerable to an attack that can cause them to leak user traffic. The multi-campus collaboration named their attack TunnelCrack and has released proof-of-concept (POC) exploit code. TunnelCrack is a combination of two widespread security vulnerabilities in VPNs. According to the researchers, tests indicate that every VPN product is vulnerable on at least one device. The underlying cause of the vulnerabilities has been present in VPNs since their emergence in 1996. The researchers found that VPN clients enable traffic to be sent in the clear in two cases. In the first case, the traffic is being sent to their local network, meaning enabling the VPN does not disable access to the LAN. In the second case, the destination is the VPN server, a rule that eliminates routing loops. In these two cases, they discovered that routing exceptions could be manipulated to send arbitrary traffic outside of the VPN tunnel. This article continues to discuss TunnelCrack, a combination of two security vulnerabilities in VPNs.

iTnews reports "Most VPNs Can Be Tricked Into Leaking Traffic"

As technology advances, the manufacturing industry increasingly adapts to digital instruction, from the production of fighter jets to cars. Mechanical parts can be designed on a computer and sent via the network to a manufacturing machine that follows digital instructions to create a part. The transition into the digital realm makes protecting online information a national interest. Recently, Dr. Narasimha Reddy, a professor in the Department of Electrical and Computer Engineering at Texas A&M University, received a grant from the National Science Foundation (NSF) to explore cybersecurity issues in digital manufacturing. He hopes that by getting ahead of the implementation of these digital manufacturing machines and addressing cybersecurity issues, manufacturing could be made more secure. Since these machines must receive instructions over the network, they could be sent malicious packets that cause damage. When a company uses modern manufacturing processes to produce parts for fighter jets, there is a risk that someone will compromise their network security. If these jets contain faulty equipment, there is a national security problem. This article continues to discuss the research aimed at making digital manufacturing more secure.

Texas A&M University reports "Cybersecurity Project Plans to Connect Researchers Across the Country"

In June, Johns Hopkins University and Johns Hopkins Health System learned that their systems were among those affected by a broad-based cybersecurity attack that targeted a widely used software platform for transferring data files called MOVEit. Initially, they believed 5,500 people were impacted at Johns Hopkins Health Care System and Johns Hopkins Howard County General Hospital. In a new update, now Johns Hopkins reveals that 310,405 people were affected by the hacking incident at Johns Hopkins Medicine. Hopkins noted that it has sent letters to those affected by the data breach, notifying them that they were eligible to sign up for two free years of credit monitoring. With such a large number of people affected, cybersecurity experts are warning that when unsecured protected health information is involved, that can mean things like Social Security numbers, medication information, and many other very personal and private information can be compromised.

WBAL reports: "More Than 300K People Affected by Johns Hopkins Data Breach"

Malicious actors are using a legitimate Rust-based injector called Freeze[.]rs to launch the commodity malware XWorm. The attack chain, discovered by Fortinet FortiGuard Labs on July 13, 2023, begins with a phishing email containing a malicious PDF file. It has also been used to introduce the Remcos Remote Access Trojan (RAT) by means of the SYK Crypter cipher, which Morphisec first documented in May 2022. Cara Lin, a security researcher, noted that this file redirects to an HTML file and uses the 'search-ms' protocol to access an LNK file on a remote server. Once the LNK file is clicked, a PowerShell script executes Freeze[.]rs and SYK Crypter in order to carry out additional malicious actions. Freeze[.]rs is an open-source red teaming tool from Optiv that serves as a payload creation tool for bypassing security solutions and executing shellcode stealthily. This article continues to discuss the use of the Freeze[.]rs by malicious actors for XWorm malware attacks.

THN reports "New Attack Alert: Freeze[.]rs Injector Weaponized for XWorm Malware Attacks"

According to OPSWAT, malware, one of the most prevalent and pervasive initial threat vectors, continues to evolve and become more sophisticated. Using malware as a foothold, threat actors infiltrate targeted infrastructures and then move laterally to gain long-term access, cause damage, or exfiltrate data. Organizations rely on actionable threat intelligence garnered through sandboxes and advanced malware analysis technologies and processes to effectively combat these threats. This proactive approach enables organizations to strengthen infrastructure defenses, improve incident response capabilities, and customize security strategies based on the threats they likely face. Sixty-two percent of organizations recognize the need to increase their investments in threat intelligence tools and processes. Only 22 percent of organizations have fully matured threat intelligence programs, with most indicating that they are still in the early phases or need to invest in additional tools and processes. This article continues to discuss key findings from OPSWAT's survey on threat intelligence.

Help Net Security reports "Threat Intelligence's Key Role in Mitigating Malware Threats"

Eye-Shield is an innovative screen protection system developed by researchers at the University of Michigan that obscures images and text on a user's phone and other devices when seen from a distance. According to the researchers, previous methods have been ineffective, inconvenient, or limited. Some involve applying a physical privacy film to the device, which cannot be turned off or easily removed, provides only limited protection, and in many cases, prevents screen protector usage. Other solutions have taken the form of apps focused on specific functions, such as obscuring numbers by overlaying low- and high-frequency images, and substituting text with difficult-to-read handwriting. Eye-Shield is designed to exist on a device as a free, built-in feature that the user can turn on and off as needed. The program takes advantage of the visual perception of contrast to blur text and images at a distance. This article continues to discuss the Eye-Shield solution that uses a pixelation scheme to obscure device screens when viewed from a distance, protecting against shoulder surfing attacks.

The University of Michigan reports "University of Michigan Researchers Create Screen Protection System to Fend Off Shoulder Surfers"