News Items

According to Cyjax researchers, a financially motivated group based in China called Fangxiao has been orchestrating a large-scale phishing campaign since 2017. The sophisticated phishing campaign takes advantage of international brand reputations and targets businesses in various industries, including retail, banking, travel, and energy. More than 400 companies were impersonated, including Emirates, Singapore's Shopee, Unilever, Indomie, Coca-Cola, McDonald's, and Knorr. In order to trick victims into visiting a series of sites owned by advertising agencies, the attackers use financial or physical incentives offered via WhatsApp. In addition, Fangxiao registered over 42,000 fake domains that were used to distribute malicious apps and fake rewards. These landing pages prompt visitors to complete a survey in order to win prizes, and they are instructed to tap a box. The site may require up to three taps for a "win," a high-value gift card. To be eligible for the prize, victims must share the phishing campaign with 5 groups and 20 friends via WhatsApp. In some cases, the Fangxiao landing pages displayed malicious ads that delivered the Triada malware when clicked from an Android device. In regard to iOS users, they are redirected to Amazon via an affiliate link, which generates revenue for every purchase made on the platform. The presence of Mandarin text in a web service associated with "aaPanel," as well as China Standard Time for domain registration, led to the campaign being attributed to a China-linked threat actor. This article continues to discuss the China-based financially motivated group Fangxiao.

Security Affairs reports "China-Based Fangxiao Group Behind a Long-Running Phishing Campaign"

According to a new joint advisory released by the FBI, the US Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Health and Human Services (HHS), the Hive ransomware variant has made its operators and affiliates around $100 million, so far from over 1300 global companies. The estimated profits generated by the ransomware-as-a-service (RaaS) variant come over a period of around 15 months after it was first discovered back in June 2021. The advisory noted that victim organizations have come from various verticals, including government, communications, critical manufacturing, and IT, although the group has a particular focus on healthcare. In the past, the group's affiliates gained initial access to victim networks via phishing emails containing booby-trapped attachments that exploited Microsoft Exchange Server vulnerabilities. They have also focused on remote desktop infrastructure. The advisory warned that Hive actors have been known to reinfect victim networks if organizations restored from backups without making a ransom payment.

Infosecurity reports: "Hive Ransomware Has Made $100m to Date"

The PCI Security Standards Council (PCI SSC) has released a new standard to help in the evolution of mobile payment acceptance solutions. PCI Mobile Payments on COTS (MPoC) expands on the existing PCI Software-based PIN Entry on COTS (SPoC) and PCI Contactless Payments on COTS (CPoC) standards, which address security requirements for merchants accepting cardholder PINs or contactless payments using a smartphone or other commercial off-the-shelf (COTS) mobile device. The PCI MPoC standard aims to increase flexibility in payment acceptance and in the development, deployment, and maintenance of COTS-based payment acceptance solutions. PCI MPoC is a new, adaptable mobile standard and program for the development of payment solutions. It provides a modular, objective-based security standard that supports various payment acceptance channels and consumer verification methods on COTS devices. The new standard combines many of the existing PCI SPoC and PCI CPoC standards, most notably the ability to enter both PIN and contactless cardholder data on the same COTS device. It will be of interest to vendors of card payment acceptance technologies and solutions because it may provide new types of solutions for them to address in their markets. Similarly, entities that deploy or use terminals may be interested in seeing what controls are put in place to secure the technologies that they may use next year and in the future. This article continues to discuss the new PCI MPoC standard.

Help Net Security reports "PCI SSC Publishes New Standard for Mobile Payment Acceptance Solutions"

Since mid-September, a sophisticated phishing kit has been targeting North Americans with lures themed around holidays such as Labor Day and Halloween. The kit employs a variety of evasion detection techniques as well as several mechanisms to keep non-victims away from its phishing pages. According to Akamai security researchers who discovered the campaign, one of the most intriguing features of the kit is a token-based system that ensures each victim is redirected to a unique phishing page URL. The campaign began in September 2022 and ran through October 2022, preying on online shoppers. The main theme of the phishing emails sent to potential victims is the opportunity to win a prize from a reputable brand. The links in the email raise no red flags because they lead to the phishing site after a series of redirections, and URL shorteners hide most URLs. Furthermore, the attackers take advantage of legitimate cloud services such as Google, AWS, and Azure, using their good reputation to circumvent security measures. After completing a short survey, everyone who visits the phishing site receives the promised prize. In addition, a five-minute timer instills a sense of urgency in those taking the survey. DICK'S Sporting Goods, Delta Airlines, Sam's Club, Costco, and more are among the impersonated brands. The phishing actors also included fake user testimonials showcasing the received prizes to increase the campaign's effectiveness. This article continues to discuss the phishing kit targeting North American online shoppers.

Bleeping Computer reports "Phishing Kit Impersonates Well-Known Brands to Target US Shoppers"

Bluetooth-enabled mobile devices have been found to be vulnerable to a flaw that could allow attackers to track a user's location. The study centers on Bluetooth Low Energy (BLE), a type of Bluetooth that uses less energy than Bluetooth Classic, an earlier generation of Bluetooth. Billions of people rely on this type of wireless communication on smartwatches and smartphones for various activities such as entertainment, sports, retail, and healthcare. However, due to a design flaw in Bluetooth's protocol, users' privacy may be jeopardized, according to Yue Zhang, the study's lead author and a postdoctoral researcher in computer science and engineering at the Ohio State University (OSU). Zhang and his advisor, Zhiqiang Lin, an Ohio State professor of computer science and engineering, demonstrated the threat by testing more than 50 commercially available Bluetooth devices as well as four BLE development boards. They informed major Bluetooth industry stakeholders, including the Bluetooth Special Interest Group (SIG), hardware vendors like Texas Instruments and Nordic, and operating system providers such as Google, Apple, and Microsoft, about the flaw. Google classified their discovery as a high-severity design flaw and awarded the researchers a bug bounty. Zhang and Lin also created a potential solution to the problem, which they tested successfully. Bluetooth devices have Media Access Control (MAC) addresses, a series of random numbers uniquely identifying them on a network. An idle BLE device sends out a signal every 20 milliseconds advertising its MAC address to other nearby devices with which it could connect. The study identifies a flaw that could allow attackers to observe how these devices interact with the network and then collect and analyze data to violate a user's privacy, either passively or actively. One of the reasons researchers are concerned about such a scenario is that a captured MAC address could be used in a replay attack, enabling the attacker to monitor the user's behaviors, track where the user has been in the past, or even determine the user's current location. The researchers' solution, called Securing Address for BLE (SABLE), entails adding an unpredictable sequence number or a timestamp, to the randomized address to ensure that each MAC address can only be used once, thereby preventing the replay attack. It was successful in preventing attackers from connecting to the victim's devices. This article continues to discuss the new threat to the security and privacy of Bluetooth devices as well as the countermeasure developed to address it.

OSU reports "Study Uncovers New Threat to Security and Privacy of Bluetooth Devices"

BetterCloud, a cloud service management company, discovered that organizations are increasingly using Software-as-a-Service (SaaS) apps, but the industry is changing due to consolidation and app security concerns. The company's 10th annual State of SaaSOps report, based on a survey of 742 Information Technology (IT) and security professionals, looked into the growing adoption of SaaS, the most pressing challenges confronting IT operations today, and why SaaS security keeps IT staff awake at night. In the last year, 43 percent of those surveyed said they had added a new SaaS app that stores sensitive data, and 81 percent said they are responsible for protecting this sensitive data. The implementation of new SaaS apps was balanced by those that were canceled, with 40 percent reporting that they had retired duplicate and overlapping applications in the last 12 months. The net growth of SaaS apps was 18 percent year-over-year, with organizations now using an average of 130 apps. According to 59 percent of those surveyed, SaaS sprawl is causing management headaches, and SaaS proliferation is difficult to manage. One of the major issues is "shadow" SaaS apps, which are considered a problem by 65 percent of respondents. However, 57 percent reported that their teams' support for the number of SaaS apps they manage has increased in the last year. Eighty percent of respondents cited employee experience as a driving force behind SaaS adoption and changes. Employee experience was also cited as a key motivator for initiatives to automate workflows by those surveyed. Eighty-six percent of respondents emphasized that automation is critical to overcoming today's SaaSOps challenges. Seventy-one percent have automated at least one help desk process, such as onboarding or password resets, and 43 percent have a dedicated SaaSOps automation role or team, with another 23 percent planning to do so. This article continues to discuss key findings from BetterCloud's latest State of SaaSOps report.

SiliconANGLE reports "As SaaS App Usage Soars, Consolidation and Security Concerns Drive Change"

Dynamic-Link Library (DLL) sideloading, also known as DLL hijacking, often gets overlooked. However, because of their widespread nature and ease of exploit development, these flaws are valuable for digital adversaries. Many Windows services are currently vulnerable to these attacks. The FBI, the US Homeland Security Department's Cybersecurity and Infrastructure Security Agency (CISA), the US Cyber Command Cyber National Mission Force, the National Security Agency (NSA), and the UK's National Cyber Security Center detected a DLL file renamed as a legitimate filename to enable the DLL sideloading technique in a detailed analysis of 23 files identified as MuddyWater tools. In a DLL sideloading attack, the threat actor places a malicious DLL file in the same directory as a trusted EXE. If the EXE tries to load a DLL with the same name, the attacker's DLL is loaded instead. In many cases, an attacker does not need to know which methods the EXE plans to call in the DLL because it is possible to create a DLL that runs code immediately as it is loaded. This is by design, putting any user account at risk of compromise. It is worth noting that this is a particularly serious issue with Windows services because service configurations allow attackers to quickly force the issue by simply adding a malicious DLL and then restarting the service, possibly with a simple reboot. The required level of sophistication is low, and a single DLL sideloading exploit kit can be used against almost any software with unsafe permissions in the installation folder. This article continues to discuss DLL sideloading attacks and how to stay ahead of them.

Security Boulevard reports "Detecting and Defending Against DLL Sideloading Attacks"

According to a new report from the Office of the Inspector General (OIG), as the Department of Health and Human Services (HHS) strives for greater interoperability across the healthcare sector, the agency must increase efforts to modernize its approach to cybersecurity. The report, "Top Management and Performance Challenges Facing HHS," outlines the healthcare regulator's complex challenges, with a section dedicated to cybersecurity concerns. OIG discovered that HHS had made efforts to improve its posture, particularly following the Biden administration's executive order in May 2021 directing federal agencies to fundamentally and systemically change their approach to cybersecurity. HHS is finalizing its strategic plan, but the road ahead has challenges shared by the government and healthcare sectors, including persistent cybersecurity threats. According to the report, significant investments in resources, as well as cultural and organizational change, will be required. HHS has long struggled to meet the challenges confronting its information security program, with yearly reports from both the OIG and the Government Accountability Office (GAO) consistently deeming the program ineffective, under the Federal Information Security Modernization Act (FISMA) metrics. The most recent OIG audit, released in April, discovered that HHS failed to meet the "managed and measurable" maturity level for all five elements of the identifying, protecting, detecting, and recovering function elements required by Department of Homeland Security (DHS) guidance and FISMA. HHS is working to address these vulnerabilities to meet the executive order's requirements for federal agencies on specific cybersecurity standards and objectives by the end of fiscal year 2024, which includes adopting a zero-trust security architecture approach. This article continues to discuss HHS cybersecurity challenges.

SC Media reports "Persistent Cybersecurity Threats Impede HHS Strategic Plans, Watchdog Warns"

Despite their insecurity, sequential strings of numbers and "password" remain users' most popular password choices worldwide. NordPass' annual study of the top 200 most popular passwords also revealed that in the UK, names of football teams ranked highly among the most-used passwords of the year. For example, the password "liverpool" was the fourth most popular of the year, while "arsenal," "chelsea," and "liverpool1" were all in the top 15. Regional results, such as those from France, revealed similarly insecure password practices, but the actual passwords differed. For example, the third most popular password in the country was "azerty," the equivalent of "qwert" on a French keyboard layout. NordPass also included data sets organized by user gender, which revealed some significant differences in password frequency. In the US, the most popular password among women was "guest," while "12345" was the most popular among men. The most secure password in the top 200 was "9136668099," which is estimated to take hackers four days to crack. However, it is still not a secure password because it contains no letters or special characters. Regularly updating one's password is good security practice, and experts advise against using easy-to-guess words or phrases, or anything that a threat actor could easily link to an individual. Hackers employ various password-cracking techniques, but brute-force attacks, in which hackers guess a victim's password through different forms of trial and error, are common. Hackers can use powerful hardware such as Graphics Processing Units (GPUs) to speed up password cracking, but the most basic brute-force attacks involve trying common passwords until access is granted, which is reason enough for users to avoid using anything that resembles a password in the top 200. This article continues to discuss findings from NordPass' report on the top 200 most common passwords.

ITPro reports "Revealed: The Top 200 Most Common Passwords of 2022"

According to new research by Bitdefender, over half (56%) of Black Friday spam emails received between October 26 and November 6, 2022, were scams. The researchers analyzed all unsolicited Black Friday-related emails delivered to its customers over the period, with the vast majority (68%) sent on the final three days (November 4, 5, and 6). Unsurprisingly, the highest proportion of Black Friday spam messages were received in the US (27%). This was closely followed by Ireland (24%), then Sweden (8%), Denmark (7%), and France (5%). The researchers found that scammers placed a heavy emphasis on using fake discount offers on designer bags and sunglasses to lure consumers to fake shops to steal their money and data. Another significant avenue pursued by fraudsters was "giveaway scams." The researchers stated that, similar to 2021, spammers were keen on exploiting internet users' attraction to freebies and giveaways.

Infosecurity reports: "More Than Half of Black Friday Spam Emails Are Scams"

Data is one of the most valuable resources for businesses, but extracting that value requires effective content management. According to a new Rocket Software survey of more than 500 corporate Information Technology (IT) professionals from various industries in the US, UK, and APAC regions, business data is still vastly unstructured, with 81 percent indicating that at least some of their data is considered 'dark.' Security rises to the top of organizations' concerns once they begin managing their data, but respondents note additional features that would greatly enhance content management, such as the ability to apply automation and rules-based redaction (full or partial) to protect sensitive data (62 percent), the ability to manage content types regardless of size or origin (61 percent), and having a single view of content from across multiple, disparate repositories (60 percent). According to 81 percent of respondents from larger organizations with 1,000-4,999 employees, automating their organization's current information security and compliance processes would give them a competitive advantage. This article continues to discuss key findings from Rocket Software's survey.

BetaNews reports "Better Governance Is Crucial to Getting Value From Data"

A server misconfiguration at a company that processes medical claims for correctional facilities exposed sensitive information on nearly 600,000 inmates. CorrectCare Integrated Health Inc. of Kentucky reported to the US Department of Health and Human Services (HHS) on October 31 at least three "unauthorized access/disclosure" breaches involving its server misconfiguration incident that affected nearly 500,000 people. The HHS Office for Civil Rights' HIPAA Breach Reporting Tool website also lists several breaches reported by CorrectCare's clients in recent weeks, affecting an additional 100,000 people. Clients include the Louisiana Department of Public Safety and Corrections, Sacramento County Adult Correctional Health, and Mediko Correctional Healthcare, a company that provides medical and mental health services to inmates in correctional facilities. Two file directories on a CorrectCare web server had been exposed to the Internet, according to a notification letter. According to CorrectCare, the file directories contained Protected Health Information (PHI) of individuals who were incarcerated in the state prison. The exposed file directories contained patient information such as full names, dates of birth, Social Security numbers, and limited health information such as diagnosis codes and procedure codes. CorrectCare says no driver's license numbers, financial accounts, or payment cards were compromised. This article continues to discuss the exposure of PHI on 600,000 inmates due to a server misconfiguration.

InfoRiskToday reports "Misconfigured Server Exposed PHI of 600,000 Inmates"

WASP malware uses steganography and polymorphism to avoid detection, with malicious Python packages designed to steal credentials, personal information, and cryptocurrency. Earlier this month, researchers from Phylum and Check Point reported finding new malicious packages on the Python Package Index (PyPI). Checkmarx analysts linked the same attacker to both reports and said the operator is still releasing malicious packages. A Checkmarx report detailed hundreds of successful infections of the WASP information-stealer malware, discovering a number of features to ensure persistence in a compromised PC and evade cybersecurity tools. The operator is selling copies of WASP to other criminals for $20 in cryptocurrency or gift cards. PyPI is becoming a more popular target in software supply chain attacks for uploading malicious code via fake packages. Typosquatting is a technique in which malicious packages are given names that sound legitimate or are similar to real packages. As a result, developers are duped into installing booby-trapped packages that appear to be useful and legitimate. Check Point noted that such packages typically include malicious code to download and run a virus, carrier code for sneaking the malicious code in, and luring victims to install the malicious package, such as through typosquatting. In August, the PyPI community issued a warning about the first-ever phishing attack against its users. If a developer installs the malicious package on their system, it becomes an initial infection point for other malware, in this case, the WASP information-stealing Trojan. This article continues to discuss the WASP information-stealing malware impacting the software supply chain.

The Register reports "WASP Malware Stings Python Developers"

MITRE Engenuity has released a new set of evaluations for Managed Security Service Providers (MSSPs), which could provide enterprise decision-makers with a useful resource to consult when choosing a provider. The key to gaining value from the information is understanding how to interpret the results, according to MITRE and others. The first-ever MITRE Engenuity evaluation of security service providers offers detailed information on how various MSSPs analyze and describe adversary behavior to their clients. MITRE's assessment leaves it entirely up to security professionals and teams who use the data to make vendor comparisons. MITRE Engenuity provided each participating vendor with the opportunity to deploy their adversary detection and monitoring tools on an MITRE-hosted Microsoft Azure environment for the evaluation. A MITRE purple team then carried out a simulated environmental attack using the tactics and techniques of the well-known Iranian threat group OilRig. Participants in the evaluation were aware that the simulated attack would take place during business hours over a two-week period. However, MITRE did not provide them with more specific timing, techniques, or which adversary MITRE Engenuity was emulating. MITRE Engenuity's team demonstrated commonly used adversary tactics such as spear-phishing for initial access, credential dumping, web shell installation, lateral movement, data exfiltration, and cleanup during the simulated attack. Vendors could use any of the tools in their MDR portfolio to evaluate and report on malicious activity. However, MITRE's rules prevented them from responding or blocking the attack because the goal was to see how each service provider detected and analyzed the unfolding attack, as well as the detail and clarity with which they reported their findings. This article continues to discuss MITRE Engenuity's ATT&CK Evaluations for Managed Services.

Dark Reading reports "MITRE Engenuity Launches Evaluations for Security Service Providers"

As electric vehicles become more prevalent, so do the risks and hazards of a cyberattack on electric vehicle charging equipment and systems. Jay Johnson, an electrical engineer at Sandia National Laboratories (SNL), has been researching the vulnerabilities of electric vehicle charging infrastructure. Johnson emphasized the importance of exploring electric vehicle charger vulnerabilities to make recommendations to policymakers and inform them of what security improvements are required by the industry. The Bipartisan Infrastructure Law includes $7.5 billion in funding for electric vehicle charging infrastructure. The federal government requires states to implement physical and cybersecurity strategies as part of this funding. The Sandia team's review will help states prioritize hardening requirements as well as help the federal government in standardizing best practices and mandating minimum security levels for electric vehicle chargers. Electric vehicle charging infrastructure is vulnerable to various threats, ranging from skimming credit card information at conventional gas pumps or ATMs to hijacking an entire network of electric vehicle chargers using cloud servers. The team explored entry points, such as vehicle-to-charger connections, wireless communications, electric vehicle operator interfaces, cloud services, and charger maintenance ports. They investigated standard AC chargers, DC fast chargers, and extreme fast chargers. The study discovered several flaws in each interface. For example, vehicle-to-charger communications could be intercepted, and charging sessions terminated from over 50 yards away. Electric vehicle owner interfaces were particularly vulnerable to data theft or changes in charger pricing. For protection, most electric vehicle chargers use firewalls to maintain separation from the Internet, but Argonne National Laboratory (ANL) researchers discovered that some systems did not. An Idaho National Laboratory (INL) team also discovered that some systems were vulnerable to malicious firmware updates. This article continues to discuss the vulnerabilities of electric vehicle charging infrastructure.

Sandia National Laboratories reports "Sandia Studies Vulnerabilities of Electric Vehicle Charging Infrastructure"

The recent string of major supply chain and critical infrastructure attacks highlighted threat actors' willingness to target those systems and the importance of organizations planning for such attacks and being able to recover from them when they occur. Incidents such as the software supply chain attacks on SolarWinds and Kaseya, as well as the ransomware attack on Colonial Pipeline, can have long-term consequences for customers and other organizations for months or even years. They can also make government agencies and defenders more aware of specific vulnerabilities and weak points that organizations have, as well as stimulate new thinking about how to address them. The DarkSide ransomware attack on the Colonial Pipeline, a major gas delivery conduit, exemplified the ever-increasing overlap between cybersecurity incidents and real-world consequences. Resilience is an important property for both critical infrastructure networks and enterprise networks, but it is not easy to achieve. Absorbing, responding to, and recovering from attacks are critical capabilities for security teams, but they need a thorough understanding of an organization's strengths and weaknesses, comprehensive planning, and the ability to redirect resources as needed. It also requires collaboration, both within and outside of the organization. The White House issued a fact sheet on critical infrastructure security, emphasizing the importance of increased collaboration with the private sector and a more attack-resistant approach. Although utilities, transportation systems, and other critical infrastructure components have all been shown to be vulnerable to cyberattacks, the good news is that many of these systems were built with resilience in mind from the start. Power companies, water companies, and rail operators must deal with a variety of disruptions on a regular basis and have contingency plans in place. This article continues to discuss the importance of bolstering resilience in critical infrastructure security.

Decipher reports "Resilience Seen as a Key to Critical Infrastructure Security"

The US President's Council of Advisors on Science and Technology (PCAST) met on November 9 to hear expert opinions on how to better build a cyber-resilient digital infrastructure at the national level, with current government officials backing a combination of emerging technologies and risk mitigation. The Defense Advanced Research Projects Agency (DARPA) has led efforts to fortify critical infrastructure using advanced data analytics and cybersecurity technology. Kathleen Fisher, DARPA's Information Innovation Office director, described an experiment in which her office developed sensor tools for power grids to distinguish cyberattacks from weather incidents. Failures caused by nature and accidents are very different from failures caused by cyber adversaries, she said during her presentation, emphasizing that cyber adversaries can make the system lie. In their Rapid Attack Detection, Isolation, and Characterization Systems (RADICS) program, DARPA tested a new sensor and corresponding algorithm to model power grids. RADICS successfully trained power engineers to black start a compromised power grid or restore a portion of an electric grid to operation without external power. The RADICS technology was created to detect incorrect data, isolate compromised communication channels and nodes, and implement new traffic analyses and Information Technology (IT) protocols. According to Fisher, DARPA's RADICS algorithm is now being used by several utility companies and independent state system operators. A key feature allowed electrical grid operators to conduct forensic analyses using both software and hardware to assess cyberattacks on a system and help restore grid operations in a timely manner. This article continues to discuss the RADICS program and the need for a combination of emerging technologies and risk mitigation for a cyber-resilient digital infrastructure.

GCN reports "Emerging Tech Can Protect Critical Infrastructure From Cyberattacks"

INKY Technology researchers have detailed a new image-based phishing scam that uses brand impersonation to encourage victims to call the scammers rather than click on a link or download a file. The researchers observed malicious actors using an image-based phishing technique in phone scams, involving sending a phishing email with the message embedded in an attached image. Phishers create an email, convert it to an image, and then send the image to their victims. As most email clients display the image file directly to the recipient rather than sending a blank email with an image attached, recipients will be unaware that they are viewing a screenshot rather than HTML code with text. The email also appears to be safe because there are no links or attachments to open. The goal of sending the phishing message via image is to avoid anti-spam and email security scanning because there is no text in the email. In one case, the researchers observed bad actors impersonating Geek Squad, with potential victims receiving an email stating that their Geek Squad subscription had been renewed for a year and that a large sum of money would be debited from their accounts within 24 hours. When recipients call the phone number listed in the email, they are given options to prevent the payment from going through, including the installation of remote access tools on their computers. Victims are then directed to a malicious website where banking information is requested, and victims are instructed to purchase gift cards in order to be reimbursed for the Geek Squad charges. The effectiveness of the technique is based on instilling fear in victims that they are about to be charged for goods or services they did not purchase. Those behind the scam hope that by eliciting an emotional response, they will impair victims' judgment and cause them to fall for the bait. This article continues to discuss the image-based phishing scam.

SiliconANGLE reports "New Image-Based Scam Bypasses Filtering, Encourages Victims to Call Attacker"

Google recently announced plans to roll out Android Privacy Sandbox in beta starting early next year, delivering a more private advertising experience to mobile users. The initiative was initially announced in February, with the developer preview version of the feature being released in May. Google noted that Privacy Sandbox on Android is meant to limit the sharing of user data and prevent cross-app identifiers, such as advertising IDs, while supporting developers and businesses that are targeting mobile devices. In May, Google offered an early look at the SDK Runtime and Topics API associated with the Privacy Sandbox, allowing interested parties to test the technologies and plan adoption paths. Now, Google says it has improved and refined these tools based on the received feedback and that it will continue to deliver new features in developer preview while kicking off the beta rollout. Google stated that moving forth, developers interested in testing Privacy Sandbox APIs (including Topics, FLEDGE, and Attribution Reporting) will have to complete an enrollment process meant to verify their identity and gather data required by the APIs. Both ad tech and app developers interested in including these ads-related APIs as part of their solutions can participate. The researchers noted that the Privacy Sandbox beta will require developers to use an API level 33 SDK extension update set to be released soon. Google encourages companies that use third-party solutions for ad serving or ad measurement to work with their providers for participation in the testing of Privacy Sandbox.

SecurityWeek reports: "Google Ready to Roll Out Android Privacy Sandbox in Beta"

Ransomware attackers are taking advantage of organizations having fewer security personnel available on weekends and holidays in order to launch more devastating attacks. According to a new Cybereason report, 44 percent of businesses reduce security staffing by up to 70 percent during holidays and weekends compared to weekday levels. Twenty-one percent cut staff by up to 90 percent. The study, which was based on a survey of over 1,200 cybersecurity professionals, discovered that attacks on weekends and holidays result in higher costs and revenue losses for organizations than attacks on weekdays. More than one-third of respondents who experienced a ransomware attack during the weekend or holiday report that their organizations lost more money, a 19 percent increase from 2021. Thirty-four percent of respondents whose organizations were attacked on a weekend or holiday say it took them longer to assemble their incident response team. Thirty-seven percent say it took them longer to assess the scope of the attack, and 36 percent say it took them longer to stop and recover from the attack. In the US, 44 percent of respondents said it took them longer to assess and respond to a weekend/holiday ransomware attack. The survey results show that traditional Monday through Friday staffing models are out of step with cyber threats and can leave organizations vulnerable. A ransomware attack has caused 88 percent of respondents to miss a holiday or weekend celebration. In addition, more than 90 percent of respondents in the financial services industry say they have missed out on family time. This article continues to discuss the impact of weekend/holiday ransomware attacks on companies.

BetaNews reports "Companies Caught off Guard by Holiday and Weekend Ransomware Attacks"

European privacy experts warn FIFA World Cup attendees that their personal data may be at risk if they download two local tracking apps. The two apps in question are contract-tracing software Ehteraz, which football fans may be asked to download if they are forced to visit healthcare facilities during their stay in Qatar, and the official World Cup app Hayya. Hayya functions as a fan ID app that may be needed to gain entry into stadiums. However, concerns have been raised that it also tracks device location and network connections, even preventing devices from going into sleep mode. With 1.5 million fans expected to travel to the tiny Gulf state, several European governments have issued advice to mitigate privacy and security concerns. German data protection agency, BfDI, said that "the data processing of both apps probably goes much further" than their descriptions in the app store indicate. Among other things, one of the apps collects data on whether and with which number a telephone call is made. This sometimes involves sensitive telecommunications connection data. Neil Jones, director of cybersecurity evangelism at Egnyte, argued that the data collected by the apps could also be a treasure trove for would-be cyber-criminals. Jones stated that if you plan to travel to the event, he strongly recommends the purchase of a burner phone if the privacy-limiting capabilities cannot be disabled.

Infosecurity reports: "Euro Authorities Warn World Cup Fans Over Qatari Apps"

According to new research by researchers at Trellix, the infamous LockBit ransomware variant remained the most widespread in the third quarter of 2022, accounting for over a fifth (22%) of detections. The researchers noted that LockBit and Phobos were the most common ransomware families during Q3 2022. LockBit has been the most prolific variant of 2022 so far. The researchers noted that at the end of Q3, their "builder" was released, and allegedly various groups are already establishing their own RaaS with it. The researchers stated that Phobos ransomware continues to be active and accounts for 10% of ransomware attacks they observed. Their tactic of selling a complete ransomware kit and avoiding large organizations allows them to stay under the radar. The researchers noted that Germany recorded the highest detections of APT-related activity (29%) and the highest volume of ransomware (27%), while telecoms was the sector most impacted by ransomware, followed by transportation and shipping. The researchers claimed that the most active advanced threat groups during the quarter were the China-linked Mustang Panda, Russia's APT29, and Pakistan-linked APT36. Red team software Cobalt Strike remained a popular tool for threat actors, seen in a third (33%) of observed global ransomware activity and 18% of APT detections in Q3.

Infosecurity reports: "LockBit Remains Most Prolific Ransomware in Q3"

Veeam Software has released its "Cloud Protection Trends Report 2023," which covers four key "as a Service" scenarios: Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS), Software-as-a-Service (SaaS), and Backup and Disaster Recovery-as-a-Service (BaaS/DRaaS). According to the survey, businesses are becoming more aware of the need to protect their SaaS environments. For example, almost 90 percent of Microsoft 365 customers surveyed use supplemental measures in addition to built-in recovery capabilities. Preparing for a quick recovery from cyber and ransomware attacks was the most frequently cited reason for this backup, with regulatory compliance coming in second. According to Danny Allan, CTO and SVP of Product Strategy at Veeam, the growing adoption of cloud-powered tools and services, increased by the shift to remote work and current hybrid work environments, has put a spotlight on hybrid IT and data protection strategies across industries. As cybersecurity threats grow, organizations must look beyond traditional backup services to develop a strategic approach that best meets their business needs and cloud strategy. The findings of this survey reveal that workloads continue to move fluidly from data centers to clouds and back again, as well as from one cloud to another, adding to the complexity of data protection strategy. According to the findings of this survey, while modern IT enterprises have made significant advances in cloud and data protection, there is still work to be done. This article continues to discuss key findings from Veeam's Cloud Protection Trends Report 2023.

Help Net Security reports "Cloud Data Protection Trends You Need to Be Aware Of"

New research from Mitiga, a cloud incident response company, reveals that hundreds of databases on Amazon Relational Database Service (Amazon RDS) are exposing Personally Identifiable Information (PII). According to researchers, this kind of PII leakage presents threat actors with a potential gold mine, either for extortionware/ransomware campaigns or the reconnaissance stage of the cyber kill chain. Names, email addresses, phone numbers, dates of birth, marital status, information on rented cars, and even company logins are included in the leak. Relational databases can be set up in the Amazon Web Services (AWS) cloud using Amazon RDS. Various database engines are supported, including MariaDB, MySQL, Oracle, PostgreSQL, and SQL Server. Public RDS snapshots, a feature that enables the creation of a backup of the entire database environment running in the cloud and is accessible by all AWS accounts, is the primary cause of the leaks. According to Amazon's documentation, users must ensure that none of their private information is present in the public snapshot before sharing it. When a snapshot is made publicly available, all AWS accounts have the ability to copy it and use it to build database instances. The researchers discovered 810 snapshots that were publicly shared for varying lengths of time, ranging from a few hours to weeks, making them susceptible to abuse by malicious actors. The research was conducted from September 21, 2022, to October 20, 2022. Over 250 of the 810 snapshots' backups were visible for 30 days or more, indicating that they were probably forgotten. This article continues to discuss the exposure of PII by hundreds of databases on Amazon RDS.

THN reports "Researchers Discover Hundreds of Amazon RDS Instances Leaking Users' Personal Data"