News Items

According to new research conducted by Sophos, global healthcare organizations (HCOs) experienced a 94% year-on-year surge in ransomware attacks last year, with almost twice as many electing to pay their extorters. The researchers found that two-thirds of HCOs were hit by ransomware last year, up from just a third in 2020. Sophos claimed this surge was down to the popularity of ransomware-as-a-service on the cybercrime underground. However, it could also result from the increased willingness of HCOs to pay their attackers. The researchers noted that some 61% paid a ransom in 2021, up from just 34% a year previously. Sophos claimed that the high cost of remediation, and the impact of operational outages, coupled with the increased sophistication of attacks on the sector, could explain this jump. Just 2% of respondents paid a ransom and got all their data back. The researchers stated that healthcare saw the highest increase in the volume of cyberattacks (69%) and the complexity of cyberattacks (67%) compared to the cross-sector average of 57% and 59%, respectively. In terms of the impact of these cyberattacks, healthcare was the second most affected sector (59%) compared to the global average of 53%. HCOs hit by ransomware recorded a major impact to their business: 94% said it impaired their ability to operate, and 90% that it caused loss of revenue. On average, it took victim organizations one week to recover. The researchers noted that the problem is exacerbated because many HCOs are finding it more challenging to obtain cyber insurance. Only 78% are covered versus 83% across all sectors.

Infosecurity reports: "Twice as Many Healthcare Organizations Now Pay Ransom"

EnemyBot, a rapidly evolving IoT malware, is targeting content management systems (CMS), web servers, and Android devices. Researchers at AT&T Alien labs believe that the threat actor group "Keksec" is behind the malware distribution. The researchers stated that services such as VMware Workspace ONE, Adobe ColdFusion, WordPress, PHP Scriptcase, and more are being targeted as well as IoT and Android devices. The researchers noted that the malware is rapidly adopting one-day vulnerabilities as part of its exploitation capabilities. After the researchers analyzed the malware's codebase, they found that EnemyBot borrows generously from code used by other botnets such as Mirai, Qbot, and Zbot. The Keksec group distributes the malware by targeting Linux machines and IoT devices. This threat group was formed back in 2016 and includes several botnet actors. The researchers found four main sections of the malware. The first section is a python script 'cc7.py', used to download all dependencies and compile the malware into different OS architectures (x86, ARM, macOS, OpenBSD, PowerPC, MIPS). After compilation, the researchers noted that a batch file "update.sh" is created and used to spread the malware to vulnerable targets. The second section is the main botnet source code, which includes all the other functionality of the malware, excluding the main part, and incorporates source codes of the various botnets that can combine to perform an attack. The third module is obfuscation segment "hide.c" and is compiled and executed manually to encode/decode the malware strings. The researchers noted that a simple swap table is used to hide strings, and "each char is replaced with a corresponding char in the table." The last segment includes a command-and-control (CC) component to receive vital actions and payloads from attackers. After further analysis, the researchers revealed a new scanner function to hunt vulnerable IP addresses and an "adb_infect" function that is used to attack Android devices. The researchers advise organizations to properly configure firewalls and focus on reducing Linux server and IOT devices' exposure to the internet. The researchers also recommend organizations monitor the network traffic, scan the outbound ports and look for suspicious bandwidth usage. Software should be updated automatically and patched with the latest security update.

Threatpost reports: "EnemyBot Malware Targets Web Servers, CMS Tools and Android OS"

Microsoft has confirmed that Windows is affected by a zero-day vulnerability after researchers warned of exploitation in the wild. The vulnerability is now tracked as CVE-2022-30190. A researcher who uses the online moniker "nao_sec" recently reported finding a malicious Word file designed to execute arbitrary PowerShell code. The file was uploaded to VirusTotal from Belarus. Kevin Beaumont was among the first to analyze the exploit and decided to name it "Follina" because the malicious file references 0438, which is the area code for the Italian village of Follina. Since April, Microsoft had known about the vulnerability when it was notified by "CrazymanArmy" of the Shadow Chaser Group, a research team focusing on APT hunting and analysis. Microsoft initially classified the vulnerability as "not a security related issue," despite the researcher informing the company in April that a sample exploiting it had been seen in the wild. Microsoft later informed the researcher that the "issue has been fixed," but a patch does not appear to be available. Follina was initially described as a Microsoft Office zero-day vulnerability, but Microsoft says it actually affects the Microsoft Support Diagnostic Tool (MSDT), which collects information that is sent to Microsoft support. Microsoft explained that a remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word. An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application. The attacker can then install programs, view, change, delete data, or create new accounts in the context allowed by the user's rights. Microsoft noted that unlike other exploits involving documents, this attack does not rely on macros, and the malicious code is executed even if macros are disabled. Researchers stated that exploitation works against Office Pro Plus, Office 2013, Office 2016, Office 2019, and Office 2021. According to Microsoft, the vulnerability affects Windows 7, Windows 8.1, Windows 10, Windows 11, Windows Server 2008, Windows Server 2012, Windows Server 2016, Windows Server 2019, and Windows Server 2022. Microsoft has released guidance for this remote code execution vulnerability, including workarounds and information on new Defender updates designed to detect and block files and behavior associated with the threat.

SecurityWeek reports: "Microsoft Confirms Exploitation of 'Follina' Zero-Day Vulnerability"

The cyber division of the Federal Bureau of Investigation (FBI) has recently warned universities and colleges located in the U.S. that higher education credentials have been advertised for sale on online criminal marketplaces and publically accessible sites. As of January 2022, Russian cyber-criminal forums offered access to credentials from several universities and colleges across the country, with prices ranging from a few to multiple thousands of dollars. In May 2021, over 36,000 email and password combinations (some of which may have been duplicates) for email accounts ending in .edu were found on a publicly available instant messaging platform. The FBI warned that the exposure of such sensitive credential and network access information could lead to cyberattacks against individual users or affiliated organizations, particularly in the case of privileged user accounts. The FBI explained that credential harvesting against organizations is often caused by spear-phishing, ransomware, or other cyber intrusion tactics. To mitigate these threats, the FBI called for colleges, universities, and all academic entities to establish and maintain strong relationships with the FBI Field Office in their region. Moreover, the FBI also recommended that academic entities keep all systems and software up-to-date, implement user training programs and phishing exercises for students and faculty members, and implement strong password hygiene measures.

Infosecurity reports: "U.S. Academic Credentials Displayed in Public and Dark Web Forums"

A team of researchers from the Indian Institute of Science (IISc) has developed a record-breaking True Random Number Generator (TRNG) to improve data encryption and provide enhanced security for sensitive digital data such as credit card details, passwords, and more. Only authorized individuals with access to a cryptographic "key" can decode encrypted data. To avoid hacking, the key must be unpredictable and thus randomly generated. Typically, cryptographic keys are generated on computers through Pseudorandom Number Generators (PRNGs), which use mathematical formulae or pre-programmed tables to generate numbers that appear random but are not. A TRNG, on the other hand, generates random numbers from naturally unpredictable physical processes, making it more secure. IISc's breakthrough TRNG device generates random numbers using the random motion of electrons. It contains an artificial electron trap made by stacking atomically-thin layers of materials such as black phosphorus and graphene. The current measured from the device increases when an electron is trapped and decreases when it is released. As electrons move in and out of the trap randomly, the measured current also changes randomly. The change's timing determines the generated random number. You cannot precisely predict when the electron is going to enter the trap, so there is an inherent randomness embedded in this process. The device's performance on the standard tests for cryptographic applications designed by the US National Institute of Standards and Technology (NIST) exceeded the researchers' expectations. This article continues to discuss the importance of random number generation in encryption and IISc's TRNG new device.

IISc reports "How Randomly Moving Electrons Can Improve Cyber Security"

The US Homeland Security Department's Cybersecurity and Infrastructure Security Agency (CISA) issued a warning in late March that critical US infrastructure sectors could be targeted by Russian cyberattacks. The rapid development of new information and communication technologies, as well as their inevitable integration with critical infrastructure, has increased the risk of digital attacks and other new challenges, thus calling for more preparation. The Science and Technology Directorate (S&T) recently collaborated with the Center for Accelerating Operational Efficiency (CAOE), a DHS Center of Excellence (COE) led by Arizona State University, in an effort to help the country prevent possible cyberattacks. The effort brought Subject Matter Experts (SMEs) and students from four other university-led DHS Centers of Excellence (COEs) together to address real-life problem scenarios and identify practical solutions to current critical infrastructure risks and emerging threats. The third annual Grand Challenge Hackathon, held both in-person and virtually in late February, paired students with homeland security, critical infrastructure, criminal investigations, cybersecurity, and counterterrorism professionals, providing them with a specialized learning environment and allowing them to explore and solve real-life homeland security problem sets. Through this, the students were encouraged to consider pursuing careers in the homeland security science and engineering fields. S&T Program Manager Eleanore Hajian said these hackathons are unique because they allow students to develop their skills in critical research, communication, and team building while simultaneously learning more about the Department of Homeland Security's goals and operations. A total of 73 undergraduate and graduate-level students from across the five COEs and their affiliated universities participated in the hackathon, with students forming their own teams. This article continues to discuss the goals and winning solutions of the S&T Hackathon.

DHS reports "S&T Hackathon Addresses Emerging Threats to Critical Infrastructure"

Twitter has agreed to pay a $150m fine to settle a federal privacy suit over privacy data violations. Twitter reportedly was collecting phone numbers and email addresses for account security measures and then using the information for advertising purposes without letting users know. Associate Attorney General Vanita Gupta stated that this practice affected more than 140 million Twitter users while boosting Twitter's primary source of revenue. The violation was recorded between May 2013 to September 2019 and violated a 2011 consent order between the Federal Trade Commission (FTC) and Twitter that prevented the company from misrepresenting how it used individuals' contact information. The complaint that was filed by the U.S. District Court for the Northern District of California also alleged that Twitter falsely claimed to comply with the European Union-US and Swiss-US Privacy Shield Frameworks. The social media giant said it will comply with the court's decision, pay the fine and introduce a comprehensive privacy and information security program, which will include independent security audits every two years until 2042. Twitter will also have to notify U.S. customers who joined its platform before September 17, 2019, about the settlement and provide them with options for protecting their privacy and security in the future.

Infosecurity reports: "Twitter to Pay $150m Fine to Resolve Data Privacy Violations"

Google's Chrome team is exploring the use of heap scanning to decrease memory-related security flaws in Chrome's C++ codebase, but the method takes up a lot of memory unless newer ARM hardware is used. Google cannot simply replace Chrome's existing C++ code with memory-safe Rust, so it is working on ways to increase the memory safety of C++ by scanning heap-allocated memory. Chrome engineers have discovered how to make C++ safer to reduce memory-related security flaws such as buffer overflow and Use-After-Free (UAF), which make up 70 percent of all software security flaws. C++ does not guarantee that memory is always accessed with the most up-to-date structure information. Therefore, Google's Chrome team has been experimenting with using a "memory quarantine" and heap scanning to prevent the reuse of memory that is still reachable. According to Google, the idea behind ensuring temporal safety with quarantining and heap scanning is to prevent reusing memory until it has been proven that there are no more (dangling) pointers referring to it. This article continues to discuss Google's efforts towards improving C++ memory safety.

ZDNet reports "Programming Languages: How Google Is Improving C++ Memory Safety"

Security researchers at Perforce Software released the results of its annual State of Automotive Software Development survey conducted in partnership with Automotive IQ. Close to 600 automotive development professionals across the globe provided responses to current practices and emerging trends within the industry. The researchers stated that key findings suggest a growing concern for automotive software security while the automotive vehicle market continues to evolve rapidly. The increasing amount of software installed in vehicles can lead to more safety and security considerations during the development process. In fact, 76% of automotive developers have adopted or are in the process of adopting a shift-left strategy to identify software security and safety vulnerabilities as early as possible. The researchers also found that automotive developers' top three leading concerns are safety (34%, a decrease of 9% from last year), security (27%, an increase of 5% over last year), and quality (25%, a rise of 4% over last year). Of those most concerned with safety, 46% said their biggest concerns are the difficulties and time required to fulfill every ISO 26262 requirement. The researchers stated that autonomous, semi-autonomous, electric, and connected vehicle development is also significantly impacting development teams. The majority of teams are working on autonomous and semi-autonomous components (82%, an increase of 38% over last year), electric components (87%, an increase of 39% over last year), and connectivity components (83%, an increase of 34% over last year) to some degree. Another notable finding was that 86% use a coding standard to ensure safe, secure, and reliable code, with 46% of those surveyed using a static code analysis tool to aid in compliance, and 31% use a SAST tool to ensure secure software.

Help Net Security reports: "What is Keeping Automotive Software Developers up at Night?"

The BlackCat ransomware gang, also known as ALPHV, has targeted the Austrian federal state Carinthia, demanding $5 million to unlock encrypted computer systems. The threat actor allegedly locked thousands of workstations during the attack, causing significant operational interruption to government services. Carinthia's website and email service are temporarily down, and the government cannot issue new passports or traffic fines. Furthermore, the cyberattack has hindered the processing of COVID-19 tests and contact tracing through the region's administrative offices. However, according to Gerd Kurath, a spokesperson of the state, the attacker's demands will not be met. According to the representative, there is currently no proof that BlackCat stole any data from the state's systems. The state's current plan is to restore the workstations using available backups. In November 2021, the ALPHV/BlackCat ransomware gang emerged as one of the more advanced ransomware operations. They are a rebranded version of the DarkSide/BlackMatter group that carried out the Colonial Pipeline attack last year. The FBI issued a warning that BlackCat had compromised at least 60 entities globally. The attack on Carinthia and the hefty ransom demands suggest that the threat actor is focusing on organizations that can pay a considerable sum of money to have their systems decrypted and avoid further financial losses due to lengthened operational disruption. This article continues to discuss the BlackCat/ALPHV ransomware attack on Carinthia and the history of this ransomware gang.

Bleeping Computer reports "BlackCat/ALPHV Ransomware Asks $5 Million to Unlock Austrian State"

Searchable Symmetric Encryption (SSE) enables secure outsourcing of encrypted databases to cloud storage, while maintaining searchable features. Most of the various SSE schemes assume the server is honest but curious, while the server could be trustless in the real world. Given the possibility of a malicious server not performing the queries honestly, Verifiable SSE (VSSE) techniques are designed to guarantee the verifiability of the search results. Existing VSSE schemes, on the other hand, are either limited to single-keyword searches or suffer high computational costs during verification. Therefore, a research team led by Joseph K. Liu, has proposed a new VSSE construction that supports conjunctive keyword queries, which is an improvement of a recent VSSE solution. The team's proposed VSSE scheme is based on a privacy-preserving hash-based accumulator, using Symmetric Hidden Vector Encryption (SHVE), a well-established cryptographic primitive. This article continues to discuss SSE schemes, VSSE schemes, and the new proposed VSSE construction for conjunctive keyword queries in cloud storage.

SCIENMAG reports "Verifiable Searchable Symmetric Encryption for Conjunctive Keyword Queries in Cloud Storage"

Cybernews researchers' investigation of the Facebook 'Is That You?' video phishing scam, which has been active since 2017, has resulted in the discovery of a 'cybercriminal stronghold.' Every day, threat actors perform this phishing scam to infect the social network with malicious links. The investigation also identified at least five suspects, all of whom are believed to reside in the Dominican Republic. Following a tip from cyber investigator Aidan Raney, the Cybernews team found that thousands of phishing links had been distributed via a sophisticated network spanning the social media platform's back channels. Using the threat actors' own information, the team was able to gain access to a website proven to be the command-and-control (C2) center for most of the gang's phishing attempts. All pertinent information has been turned over to authorities for further investigation. Meanwhile, Facebook users are urged to create complex passwords, enable Multi-Factor Authentication (MFA), and be on the lookout for any unusual social media messages, even if they appear to come from contacts. This article continues to discuss findings from the Cybernews research team's investigation of the infamous 'Is That You?' phishing scam.

Cybernews reports "Exposed: The Threat Actors Who Are Poisoning Facebook"

India's SpiceJet airline has revealed that its systems were hit with a ransomware attack, delaying flights and leaving many stranded at airports. According to SpiceJet, the incident impacted several flights, specifically at airports where restrictions are put in place for night operations. Although the company claims that its IT team has contained the attack to a large extent and fixed the situation, flights are still impacted by the incident, leading to delays. SpiceJet is India's second-largest airline, carrying nearly 12 million domestic passengers a month. Based in Delhi and Hyderabad, the airline has over 630 flights each day and serves 54 Indian cities as well as 15 other international destinations. This is not the first time the airline has had a cybersecurity problem. In 2020, a security researcher was able to hack into SpiceJet's systems and gain access to personal information belonging to 1.2 million passengers, including some government leaders. This article continues to discuss the ransomware attack on the SpiceJet airline that left passengers stranded and other cybersecurity issues previously faced by the airline.

The Record reports "Multiple Flights Across India Grounded After SpiceJet Airline Hit With Ransomware"

Cisco's Talos research and threat intelligence unit discovered several critical and high-severity vulnerabilities in the Open Automation Software Platform. Open Automation Software is a US-based company that provides connectivity solutions for ICS or IoT devices, databases, and custom applications. The company's Open Automation Software (OAS) Platform, powered by a universal data connector, can be used to move data between PLCs from different vendors, from a PLC to a database, or from a database into a visualization. The researchers discovered that the OAS Platform is affected by eight vulnerabilities that an attacker can exploit for arbitrary code execution, DoS attacks, obtaining sensitive information, and other purposes. The vendor was informed about the vulnerabilities in March and April and released patches last week. The researchers stated that two vulnerabilities have been assigned a "critical" severity rating based on their CVSS score. This includes CVE-2022-26082, a file write vulnerability that can be exploited for remote code execution using specially crafted network requests, and CVE-2022-26833, which allows an attacker to authenticate as the default user with a blank username and password sent to a certain endpoint. The researchers stated that the five high-severity issues are related to the cleartext transmission of sensitive data, the exposure of sensitive information to unauthenticated attackers that can send specially crafted network requests, loss of communications triggered by a malicious request, and the creation of user accounts and custom security groups using unauthenticated configuration messages.

SecurityWeek reports: "Critical Vulnerabilities Found in Open Automation Software Platform"

A critical firmware vulnerability has been discovered in several popular Quanta Cloud Technology (QCT) server models that power hyperscale data center operations and cloud provider infrastructure. The vulnerability puts them at risk of attacks that gain complete control of the server and can spread across multiple servers on the same network. According to new research published by Eclypsium, the QCT models are vulnerable to the "Pantsdown" vulnerability (CVE-2019-6260), a flaw found in 2019 that affects Baseboard Management Controller (BMC) technology on many firmware stacks used in modern servers. BMCs are minicomputers housed within servers that include their own power supply, firmware, memory, and networking stack. They enable remote administrators to control the server to manage low-level hardware settings, update host operating systems, and manage virtual hosts, applications, or data on the system. Servers are often managed through BMCs using Intelligent Platform Management Interface (IPMI) controlled groups that share the same password, making it easier to move across systems once one BMC is compromised. That type of privilege makes BMCs attractive targets for attackers when flaws like these emerge. This article continues to discuss the Pantsdown BMC vulnerability present in QCT servers.

Dark Reading reports "Quanta Servers Caught With 'Pantsdown' BMC Vulnerability"

Florida Atlantic University's (FAU) Warner A. Miller, Ph.D., together with Qubitekk and L3Harris, is leading the US in efforts to deliver the first drone-based, mobile quantum network to smoothly maneuver around buildings, inclement weather, and terrain and quickly adjust to changing environments. The US Office of the Secretary of Defense (OSD) entrusted FAU to develop the project in collaboration with Qubitekk, a leader in manufacturing entangled photon sources and other hardware for networking quantum processors and sensors. The network consists of a ground station, drones, lasers, and fiber optics to share quantum-secured information. Arthur Herman, Ph.D., senior fellow and director of the Quantum Alliance Initiative at Hudson Institute and one of the nation's top quantum experts in defense, energy, and technology issues, highlighted that this contract award is a significant step forward for creating hack-proof quantum communication networks, which will eventually span the globe, including space. Quantum distribution offers a secure communication method for sending information between shared parties. This article continues to discuss the project on developing the nation's first drone-based mobile quantum network for unhackable wireless communication.

FAU reports "'Beam Me Up:' Nation's First Quantum Drone Provides Unrivaled Security"

Cyber Scene #68 -

Looking Inward

This week, the Cybersecurity and Infrastructure Security Agency (CISA) has added 41 vulnerabilities to its catalog of known exploited flaws. CISA has urged all organizations to remediate these vulnerabilities promptly to "reduce their exposure to cyberattacks." Federal Civilian Executive Branch (FCEB) agencies are required by law to remediate all vulnerabilities in the catalog by the specified due date. The newly added vulnerabilities span six years, with the oldest disclosed in 2016. This is a Microsoft Internet Explorer information disclosure vulnerability named CVE-2016-0162. The most recent vulnerability added to the catalog was a Cisco IOS XR open port vulnerability (CVE-2022-20821), which was fixed last week. This vulnerability allows attackers to connect to the Redis instance on the open port and allow access to the Redis instance that is running within the NOSi container. The Windows elevation of privileges vulnerability CVE-2020-0638 was disclosed in 2020 but was still being utilized by the Conti ransomware gang for their attacks on corporate networks this year. Other notable vulnerabilities that were newly added to the catalog include two Android Linux Kernel flaws: CVE-2021-1048 and CVE-2021-0920. These are only known to be used in limited attacks against Android devices. The rest of the flaws added to the catalog relate to software products from Cisco, Microsoft, Apple, Google, Mozilla, Facebook, Adobe, and Webkit GTK software products. These range from 2018 to 2021. Federal agencies are required to patch the 21 vulnerabilities added on May 23 by June 13, while the 20 added on May 24 must be fixed by June 14.

Infosecurity reports: "Organizations Urged to Fix 41 Vulnerabilities Added to CISA's Catalog of Exploited Flaws"

Recently an unnamed Nigerian man was arrested over his alleged role in leading a cybercrime group that specialized in phishing and business email compromise (BEC). Interpol announced that the arrest was a result of an international operation involving law enforcement and several cybersecurity companies. In December 2021, Nigerian police arrested 11 people believed to be involved in BEC schemes. They were allegedly part of an activity cluster tracked as SilverTerrier, which has been active since at least 2014 and which is composed of hundreds of threat actors involved in BEC attacks. SilverTerrier cybercrime group has targeted tens of thousands of companies and individuals worldwide with fake emails designed to trick victims into wiring money to bank accounts they control. The 37-year-old, who was the leader of the SilverTerrier, fled Nigeria last year before authorities could apprehend him, but he was detained in March 2022 while attempting to enter Nigeria. Palo Alto Networks stated that this individual's alias had been used to register more than 240 domains, including 50 that were used for malware command and control. The company noted that he shares social media connections with several of the people arrested last year, and he appears "well connected" with other known BEC actors.

SecurityWeek reports: "Alleged Cybercrime Ringleader Arrested in Nigeria"

Security researchers at CloudSEK have discovered a "ransomware with a cause." The researchers warned that GoodWill ransomware could lead to both temporary and permanent loss of company data. In addition, the ransomware could lead to a complete shutdown of operations and revenue loss. The researchers were able to trace the email address provided by the ransomware group back to an India-based IT security solutions and services company that provides end-to-end managed security services. GoodWill ransomware was identified by CloudSEK researchers in March 2022. The ransomware operators are allegedly interested in promoting social justice rather than conventional financial reasons. The researchers stated that if the GoodWill ransomware affects a system, every single document, photo, video, database, and file becomes encrypted, after which users can no longer access the data without a decryption key. The actors then suggest that victims perform three socially driven activities in exchange for the decryption key: donate new clothes to the homeless, record the action and post it on social media; take five less fortunate children to Dominos, Pizza Hut, or KFC for a treat, take pictures and videos and post them on social media; and provide financial assistance to anyone who needs urgent medical attention but cannot afford it, at a nearby hospital, record audio, and share it with the operators. The researchers noted that should the target carry out these three tasks, the ransomware asks them to share a message on Facebook or Instagram, demonstrating "how you transformed yourself into a kind human being by becoming a victim of a ransomware called GoodWill." Once verified, the person orchestrating this invasive event will reportedly provide those affected with a decryption kit to recover the stolen data.

Infosecurity reports: "GoodWill Ransomware Demands People Help the Most Vulnerable"

According to figures from the Information Commissioner's Office (ICO), more than two-thirds (68%) of data breaches at UK law firms are caused by insiders. ICO Data focused on Q3 2021 was analyzed by researchers from NetDocuments. The researchers found that just 32% of breaches in this sector were caused by outside threats, such as external malicious actors. The researchers stated that the dominance of insider breaches during this period is believed to be linked to the "great resignation," whereby workers are changing jobs at an unprecedented rate amid the COVID-19 pandemic. In industries like law, there is the danger of staff taking company data with them as they leave their roles. The researchers also found that over half (54%) of data breaches in the legal sector were due to human error in this period. This included documents being emailed or posted to the wrong recipient, failure to redact or use bcc on correspondence, and hardware misconfiguration. Linked to this, 52% of breaches occurred from sharing data with the wrong person via email, post, or verbally. The researchers noted that one in 10 (10%) incidents were attributed to data loss, such as loss/theft of devices containing personal data or of paperwork left in an insecure location. The researchers stated that it is clear that law firms need to be extra vigilant and take proactive steps to gain control over how files are accessed and what users can do with them while at the same ensuring their staff remain productive.

Information Security reports: "68% of Legal Sector Data Breaches Caused by Insider Threats"

Screencastify, a Chrome extension used for capturing and sharing videos from websites, was discovered to be vulnerable to a cross-site scripting (XSS) flaw that could have enabled arbitrary websites to trick people into unknowingly activating their webcams. A malicious actor could then download the resulting video from the victim's Google Drive account. Software developer Wladimir Palant, co-founder of ad amelioration biz Eyeo, has shared his findings of the XSS bug, which Screencastify's developers fixed in February. Palant claims the browser extension remains a threat since the code trusts several partner subdomains, and an XSS issue on any of those sites might be exploited to harm Screencastify users. Palant's proof-of-concept (PoC) exploit involved locating an XSS flaw in the Screencastify code, which was not difficult because they are prevalent. XSS is the second most common issue in the OWASP Top 10 and is found in almost two-thirds of all applications. This article continues to discuss the Screencastify Chrome extension XSS vulnerability and how it still poses a risk to users.

The Register reports "Screencastify Fixes Bug That Would Have Let Rogue Websites Spy on Webcams"

Researchers discovered fake proof-of-concept (PoC) exploits that appear to have been created by threat actors to deliver malware to members of the cybersecurity community. On May 19, researchers revealed that GitHub was hosting malware disguised as PoC exploits for two Windows vulnerabilities Microsoft fixed with its April 2022 Patch Tuesday updates. The fake PoC exploits, which GitHub has since removed, were delivered as executable files that, when run, can open a backdoor to the system. The PoC exploits claimed to target CVE-2022-24500 and CVE-2022-26809, both of which can be used for Remote Code Execution (RCE) on Windows systems. Although there is no indication that the flaws have been used in attacks, some cybersecurity companies warn that they could pose a serious risk. For example, CVE-2022-26809 is suspected to be wormable. The threat intelligence company Cyble analyzed the fake PoC exploits, determining that threat actors were likely using them against members of the infosec community. Cyble also found posts on cybercrime forums in which the exploits were being discussed. The fake PoC exploits, which appeared to have been created by the same threat actor, were .NET binaries packed with an open-source application protector called ConfuserEx. Once executed, they displayed fake messages showing a failed attempt to exploit CVE-2022-24500 or CVE-2022-26809. Following the execution of this routine, the files executed a covert PowerShell command that delivered the Cobalt Strike Beacon payload, which may be used to download further malware and migrate laterally. This article continues to discuss the discovery of fake PoC exploits being used to deliver malware.

Security Week reports "Cybersecurity Community Warned of Fake PoC Exploits Delivering Malware"