News Items

IBM announced on Tuesday that it has expanded a program to improve the cybersecurity defenses of public schools with $5 million in grants. IBM stated that $5 million of in-kind grants would be awarded to public schools, including K-12 institutions in the United States. While IBM's existing grants program has previously focused on US schools, the scheme has now expanded to other countries. IBM said these programs are necessary to "help address cybersecurity resiliency in schools, including against ransomware." IBM noted that six grants are being awarded to US school districts. In addition, four grants are destined for Brazil, Costa Rica, Ireland, and the United Arab Emirates. Each award is worth $500,000, bringing the total to $5 million in resources and hours. IBM teams will work with schools to audit existing defenses and create playbooks for incident response. In addition, they will address cybersecurity awareness and training for staff, students, and parents and develop a management-level strategic plan for handling communication in the aftermath of a cyberattack. According to research by Emsisoft, more than 1,000 educational establishments in the US alone suffered a ransomware attack in 2021, including school districts, colleges, and universities. Charles Henderson, head of IBM Security X-Force, stated that for schools, a significant barrier to strengthening their cybersecurity posture often comes down to constrained budgets.

ZDNet reports: "IBM is Helping These Schools Build up Their Ransomware Defenses"

In cybersecurity, "whaling" refers to cybercriminals targeting high-level executives to steal the most privileged information and obtain access to the most sensitive data. According to Tonia Dudley, strategic adviser at Cofense, these whaling attempts typically begin with a phishing email. The FBI revealed that high-level whaling attacks cost businesses more than $12.5 billion in losses in 2021. Dudley pointed out that the themes observed across many campaigns were typically finance-related as they involved invoices, purchase orders, or quotes. Dudley added that Cofense has seen fewer attachments reaching the inbox for users to interact with, but HTML and HTM files have been observed consistently making it through security filters. Whaling campaigns are increasingly leveraging multiple stages in their attacks. For example, the first stage could begin with a link to a file-sharing cloud site such as Google, Dropbox, or DocuSign. Once the file has been downloaded, embedded files or links to pages will run the second stage, which might contain anything from a credential login page to malware leading to an entry point for a ransomware attack. This article continues to discuss the threat of whaling attacks against the financial industry.

SC Media reports "A 'Whale' of a Threat Evolves in the Financial Industry to Steal Sensitive Data"

According to a new report by the United States Senate Committee on Homeland Security & Governmental Affairs, the US government lacks comprehensive data on ransomware attacks, including how much is lost in payments. The report presented the findings of a 10-month investigation into the growing threat of ransomware. It cited FBI figures showing that the agency had received 3729 ransomware complaints with adjusted losses of more than $49.2m. However, it was stated that even these figures "likely drastically underestimate the actual number of attacks and ransom payments made by victims and related losses." Following numerous interviews with federal law enforcement and regulatory agencies, in addition to private companies that assist ransomware victims with extortion demands, the report concluded that there is a lack of data on this surging attack vector at the government level. It was noted that changing this is vital because "more data is needed to better understand and combat these attacks." In addition, it noted that this information will assist the investigation and prosecution of ransomware threat actors. The committee also emphasized the significant threat ransomware poses to US national security. According to the committee's report, the committee stated that data reporting and collection on ransomware attacks and payments is fragmented and incomplete. This is partly due to two separate federal agencies, the Cybersecurity and Infrastructure Security Agency (CISA) and the FBI, hosting different websites that each claim to host the government's one-stop location for reporting ransomware attacks. While the agencies state they share data with each other, companies that handle ransomware incident responses questioned the effectiveness of such communication channels' impact on assisting victims of an attack. The investigation also highlighted the growing role of cryptocurrencies, particularly Bitcoin, in ransomware attacks, which "has become a near-universal form of ransom payment." The committee noted that the decentralized nature of these currencies makes it challenging for law enforcement to identify and arrest the perpetrators, particularly foreign-based groups. Therefore, the committee recommended the prioritization of data collection on ransomware attacks as a crucial means of addressing increased national security threats.

Infosecurity reports: "Senate Report: US Government Lacks Comprehensive Data on Ransomware"

A December cyberattack on a Canadian healthcare organization compromised a wide range of data, including patient information dating back to 1996 and personnel vaccination records from last year. Some of the compromised data came from a non-profit organization of affiliated clinicians. Arnprior Regional Health (ARH), which includes a hospital, long-term health facility, and other healthcare services in Arnprior, Ontario, Canada, claims it learned of unauthorized access to its IT system on December 21, 2021, during which data was stolen. According to ARH, the incident impacted 13 different categories of data, including several groupings of information regarding colonoscopies, COVID-19 and flu vaccinations, emergency room and in-patient satisfaction surveys, and patients on waiting lists. Individuals' personal and health information that could have been compromised included name, date of birth, health card number, time of visit, procedure and diagnosis, and demographics, depending on the category of data affected. This article continues to discuss the December cyberattack faced by ARH and recommendations for protecting legacy data.

InfoRiskToday reports "Hospital Cyberattack Compromises Data From Decades Ago"

According to Microsoft, card-skimming malware is increasingly using malicious PHP software on web servers to modify payment sites and avoid browser safeguards activated by JavaScript code. Card skimming has been fueled in recent years by Magecart malware that uses JavaScript code to inject scripts into checkout sites and transmit malware that captures and steals credit card information. Injecting JavaScript into front-end processes was "very conspicuous," according to Microsoft, because it may have triggered browser defenses like Content Security Policy (CSP), which prohibits external scripts from loading. By attacking web servers with malicious PHP scripts, malicious actors identified a less noisy technique. Microsoft discovered two malicious image files on a Magento-hosted server in November 2021, one of which was a fake browser favicon. The images contained an embedded PHP script, which did not run by default on the compromised web server. Instead, in order to target customers, the PHP script only begins once cookies validate that the web administrator is not currently signed in. The PHP script got the URL of the current page and searched for the keywords "checkout" and "one page," which are connected to Magneto's checkout page. The FBI recently issued a warning about new incidents of card-skimming cybercriminals infecting US corporate checkout sites with web shells that allow backdoor remote access to the web server via malicious PHP. According to Sucuri, PHP skimmers targeting backend web servers accounted for 41 percent of new credit card-skimming malware found in 2021. This article continues to discuss observations surrounding credit-skimming cybercriminals' tactics.

CyberIntelMag reports "Microsoft: Credit Card Skimmers Are Changing Their Tactics to Remain Undetected"

General Motors (GM), a US automobile manufacturer, announced that it was hit by a credential stuffing attack last month that exposed customer information and allowed hackers to redeem rewards points for gift cards. GM said they detected the malicious login activity between April 11-29, 2022. GM stated that there is no evidence that the log in information was obtained from GM based on the investigation to date. GM noted that they believe that unauthorized parties gained access to customer login credentials that were previously compromised on other non-GM sites and then reused those credentials on the customer's GM account. The personal information of affected customers includes first and last names, personal email addresses, home addresses, usernames and phone numbers for registered family members tied to the account, last known and saved favorite location information, currently subscribed OnStar package (if applicable), family members' avatars and photos (if uploaded), profile pictures and search and destination information. Other information available to hackers included car mileage history, service history, emergency contacts, and Wi-Fi hotspot settings (including passwords). GM advised users to reset their passwords, and that affected individuals should request credit reports from their banks and place a security freeze if required. GM also confirmed that hackers redeemed customer reward points for gift cards in some instances.

Infosecurity reports: "US Car Giant General Motors Hit by Cyberattack Exposing Car Owners' Personal Info"

Researchers at Cardiff University have developed a new method for automatically detecting and killing cyberattacks on laptops, desktops, and smart devices in less than a second. The method, which uses Artificial Intelligence (AI) and Machine Learning (ML) in a novel way, has been found to successfully protect up to 92 percent of files on a computer from being corrupted, with malware removal taking only 0.3 seconds on average. According to the researchers, this is the first demonstration of a system that can both detect and wipe out malware in real-time. The new approach, developed in collaboration with Airbus, is based on monitoring and predicting malware behavior rather than more standard antivirus methods that analyze how malware looks. It is feasible to rapidly predict how malware will behave further down the line in less than a second by training computers to execute simulations on specific pieces of malware. When a piece of the malware is flagged, the next step is to remove it, which is where the new research comes in. To test the novel detection system, the researchers set up a virtual computing environment to mimic a number of regularly used laptops, each of which could run up to 35 programs at once to simulate usual behavior. Thousands of malware samples were then used to test the AI-based detection approach. This article continues to discuss the team's new method capable of automatically detecting and killing malware in under a second.

Cardiff University reports "Scientists Create New Method to Kill Cyberattacks in Less Than a Second"

Zola, a wedding planning startup that allows couples to create websites, budgets, and gift registries, recently discovered that hackers gained access to user accounts but has denied a breach of its systems. The incident first came to light over the weekend after Zola customers took to social media to report their accounts had been hijacked. Some Zola customers reported that hackers had depleted funds held in their Zola accounts, while others said they had thousands of dollars charged to their credit cards. A Zola spokesperson stated that the accounts had been breached due to a credential stuffing attack, where existing sets of exposed or breached usernames and passwords are used to access accounts on different websites that share the same set of credentials. Zola said fewer than 0.1% of accounts were compromised but would not say specifically how many users that equates to. Zola said it temporarily suspended its iOS and Android apps during the incident and reset all user passwords out of an "abundance of caution.

TechCrunch reports: "Hackers Compromised Some Zola User Accounts to Buy Gift Cards"

According to security researchers, hackers can hijack online accounts before users even register them. This is possible through the exploitation of vulnerabilities that have already been resolved on popular websites, including Instagram, LinkedIn, Zoom, WordPress, and Dropbox. Of the 75 analyzed popular online services, at least 35 were found to be vulnerable to account pre-hijacking attacks, according to Andrew Paverd, a researcher at the Microsoft Security Response Center (MSRC), and Avinash Sudhodanan, an independent security researcher. The type and severity of these attacks vary, but they all arise from poor security policies followed by the websites. First, a hacker must know a target's email address for a pre-hijacking attack to work, which is easy to obtain through email correspondence or data breaches faced by companies. Next, the attacker uses the target's email address to create an account on a vulnerable website, hoping that the victim will ignore the notification sent to their inbox as spam. Finally, the attacker either waits for the victim to sign up for the site or tricks them into doing so. During this process, there are five different attacks that threat actors can perform, including the classic-federated merge (CFM), the unexpired session (US) ID, the trojan identifier (TID), the unexpired email change (UEC), and the non-verifying (NV) identity provider (IDP) attack. This article continues to discuss the researchers' findings surrounding the performance and potential impact of the pre-hijacking attacks.

BC reports "Hackers Can Hack Your Online Accounts Before You Even Register Them"

It has recently been discovered that the personal information of more than half a million Chicago Public Schools (CPS) students and staff was leaked in a ransomware attack last December, and the breach wasn't reported until April. On Friday, the district said that technology vendor Battelle for Kids notified CPS of the breach on April 25. CPS stated that a server used to store student and staff information was breached, and four years' worth of records were accessed. CPS said that 495,448 student and 56,138 employee records were accessed from 2015-16 through 2018-2019 school years. Student information involved in the breach included students' names, schools, dates of birth, gender, CPS identification numbers, state student identification numbers, class schedule information, and scores on course-specific assessments. Employee information included names, employee identification numbers, school and course information, emails, and usernames. CPS noted that the affected information did not include Social Security numbers, financial information, health data, current course or schedule information, home addresses and course grades, standardized test scores, or teacher evaluation scores.

Infosecurity reports: "Ransomware Hackers Steal Personal Data of 500,000 Students and Staff in Chicago"

Group-IB has released its "Ransomware Uncovered 2021/2022" guide to the evolution of the number one threat. According to the findings of the second edition of the research, the ransomware empire's winning streak continued, with the average ransom demand increasing by 45 percent to $247,000 in 2021. Since 2020, ransomware gangs have gotten greedier. Hive demanded a record-breaking ransom of $240 million ($30 million in 2020). Hive and Grief rose to the top ten gangs based on the number of victims publicized on Dedicated Leak Sites (DLS). Ransomware has become more sophisticated, as evidenced by the victim's downtime, which climbed from 18 days in 2020 to 22 days in 2021. Ransomware-as-a-Service (RaaS) programs began offering affiliates custom tools for data exfiltration in order to simplify and streamline operations. The double extortion tactic became even more common as sensitive victim data was exfiltrated to obtain the ransom in 63 percent of the cases examined. Ransomware groups posted data belonging to almost 3,500 victims on DLS during Q1'2021 and Q1'2022. The majority of enterprises whose data was released on DLS by ransomware operators in 2021 were based in the US, Canada, and the UK, with the manufacturing, real estate, and professional services industries being the most affected. The most aggressive gangs were Lockbit, Conti, and Pysa, with 670, 640, and 186 victims uploaded to DLS. This article continues to discuss key findings from Group-IB's recent ransomware report.

Help Net Security reports "Ransomware Still Winning: Average Ransom Demand Jumped by 45 Percent"

According to an analysis conducted by researchers from the University of Trento, Italy, organizations that always upgrade to the most recent versions of all of their software have nearly the same risk of being compromised in cyber-espionage campaigns as those that just apply specific patches after a vulnerability is reported. A quantitative analysis of data from 350 Advanced Persistent Threat (APT) campaigns carried out by the researchers between 2008 and 2020 reveals that organizations with a purely reactive software update strategy had roughly the same risk exposure to advanced cyberattacks as those that kept up to date on everything. This is despite the fact that the subjects applied only 12 percent of the updates that firms that always updated instantly deployed. The findings show that the same is true for organizations that may apply updates to fix vulnerabilities based on information they have gotten in advance, such as by paying for zero-day information. When it comes to breach risk, even these entities do not have a considerable advantage over those that patch only on a reactive basis. Although this conflicts with traditional wisdom, the study results represent two realities: 1) APTs tend to be reactive, and 2) time-to-patch metrics are important. The researchers discovered that APTs targeted publicly reported vulnerabilities more frequently than zero-days in an analysis of 350 campaigns dating back to 2008 (containing information on vulnerabilities exploited, attack vectors, and affected software products). They also shared or targeted the same known vulnerabilities in their campaigns. Between 2008 and 2020, the researchers discovered 86 different APT organizations that exploited 118 unique vulnerabilities in their campaigns. Only Stealth Falcon, APT17, Equation, Dragonfly, Elderwood, FIN8, DarkHydrus, and Rancor leveraged exclusive vulnerabilities in their campaigns. This means IT teams can prioritize flaws known to be APT favorites to eliminate the majority of the risk of compromise. This article continues to discuss key findings from the study regarding patching strategies, their risk exposure, and the issue of patch prioritization.

Dark Reading reports "Partial Patching Still Provides Strong Protection Against APTs"

Blockchains have sparked a lot of interest, not only because they enable the creation of new financial instruments but also because they provide alternative solutions to challenges in fault-tolerant distributed computing and cryptographic protocols. Miners maintain and build blockchains, which are used in various situations, the most well-known of which is as a distributed ledger that records all transactions between users in cryptocurrency systems like bitcoin. Many of these protocols are based on a "proof of work" (PoW), which has been widely used in cryptography and security literature for over 20 years in a number of settings, including spam mitigation, sybil attacks, and Denial-of-Service (DoS) prevention. Its involvement in the design of blockchain protocols is likely its most significant application. When miners receive new transactions, the data is entered into a new block, but adding additional blocks to the chain requires solving a PoW. A PoW is a bitcoin transaction validation algorithm generated by bitcoin miners competing to create new bitcoin by being the first to solve a complex mathematical puzzle. Solving this puzzle requires the use of expensive computers and a lot of electricity. Once a miner discovers a solution to a puzzle, they broadcast the block to the network for other miners to verify. Those who successfully solve a puzzle are rewarded with a predetermined amount of bitcoin. Despite advances in understanding the PoW primitive, determining the exact properties required to prove the security of bitcoin and associated protocols has been difficult. All existing instances of the primitive have been based on idealized assumptions. Therefore, a team of researchers at Texas A&M University has identified and proven the concrete properties. Then they used those properties to build blockchain protocols that are both secure and safe. The researchers demonstrated that such PoWs could defeat adversaries and environments while owning less than half of the network's computational power, with their novel algorithms. This article continues to discuss the research on cryptography in the blockchain.

Texas A&M University reports "Cryptography in the Blockchain Era"

New research from Tessian and the Ponemon Institute reveals that nearly 60% of organizations experienced data loss or exfiltration caused by an employee mistake on email in the last 12 months. More than half (67%) of IT security practitioners said email was the riskiest channel for data loss in organizations. This was closely followed by cloud file-sharing services (62%) and instant messaging platforms (57%). The researchers surveyed 614 IT security practitioners around the globe. During their research, the researchers also found that employee negligence by not following policies was the leading cause of data loss incidents (40%). More than a quarter (27%) of data loss incidents are caused by malicious insiders. The researchers noted that it takes up to three days for security and risk management teams to detect and remediate a data loss and exfiltration incident caused by a malicious insider on email. Almost a quarter (23%) of organizations experience up to 30 security incidents involving employees' use of email every month (for example, an email was sent to an unintended recipient). The most common types of confidential and sensitive information lost or intentionally stolen include customer information (61%), intellectual property (56%), and consumer information (47%). The researchers found that user-created data (sensitive email content, text files, M&A documents), regulated data (credit card data, Social Security numbers, national ID numbers, employee data), and intellectual property were identified as the three types of data that are most difficult to protect from data loss.

Help Net Security reports: "Email is The Riskiest Channel For Data Security"

The US Department of Justice (DoJ) has announced that its policy on violations of the Computer Fraud and Abuse Act (CFAA) has been revised. For the first time, the policy states that good-faith security research should not be charged. According to the DoJ, good-faith security research means accessing a computer only for purposes of good-faith testing, investigation, and/or correction of a security flaw or vulnerability, where such activity is carried out in a way that avoids harming individuals or the public. The information derived from good-faith security research activity must also primarily promote the security or safety of the class of devices, machines, or online services to which the accessed computer belongs, or those who use such devices, machines, or services. Deputy Attorney General Lisa O. Monaco highlighted computer security research as a key driver of stronger cybersecurity. Monaco said the department has never been interested in charging good-faith computer security research as a crime. The announcement enhances cybersecurity by giving clarity for good-faith security researchers who identify vulnerabilities for the common good. However, the new policy recognizes that claiming to be undertaking security research does not give individuals acting in bad faith a pass. For example, identifying flaws in devices to extort their owners, even if disguised as "research," is not done in good faith. The policy instructs prosecutors to consult with the Criminal Division's Computer Crime and Intellectual Property Section (CCIPS) concerning specific applications of this criteria. All federal prosecutors who want to pursue cases under the CFAA must follow the new policy and consult with CCIPS before proceeding. This article continues to discuss the new policy for charging cases under the CFAA and what it means for cybersecurity research.

DoJ reports "Department of Justice Announces New Policy for Charging Cases under the Computer Fraud and Abuse Act"

Security researchers at Ivanti, Cyber Security Works, and Cyware have discovered that there was an "alarming" surge in activity by the Conti ransomware gang in the first three months of 2022. The researchers observed a 7.6% rise in the number of vulnerabilities tied to ransomware in Q1 2022. The researchers also found that the Conti group exploited most of these (19/22). The researchers also saw a 7.5% increase in APT groups associated with ransomware, a 6.8% increase in actively exploited and trending vulnerabilities, and a 2.5% increase in ransomware families in Q1. The researchers stated that there are signs that ransomware operators are becoming more targeted and sophisticated in their approach. Worryingly, the researchers found that more than 3.5% of ransomware vulnerabilities are being missed by scanners, further exposing organizations to risks. Gaps also exist within the National Vulnerability Database (NVD), the Common Attack Pattern Enumeration and Classification (CAPEC) list by The MITRE Corporation, and the Known Exploited Vulnerabilities (KEVs) catalog by the US Cybersecurity and Infrastructure Security Agency (CISA), according to the researchers.

Infosecurity reports: ""Alarming" Surge in Conti Group Activity This Year"

According to Microsoft, the activity of the stealthy and modular malware strain used by hackers to infiltrate Linux devices and compose a Distributed Denial-of-Service (DDoS) botnet has increased by 254 percent in the last six months. This malware is known as XorDDoS or XOR DDoS because it uses XOR-based encryption when communicating with command-and-control (C2) servers and is used to execute DDoS attacks. Microsoft revealed that the botnet's success stems from its extensive use of a variety of evasion and persistence techniques that enable it to remain stealthy and difficult for security teams to remove. The Microsoft 365 Defender Research Team found that XorDDoS is capable of obfuscating its activities, circumventing rule-based detection mechanisms, using anti-forensic techniques to break process tree-based analysis, and more. In recent campaigns, XorDDoS was observed overwriting sensitive files with a null byte to hide malicious activities from analysis. XorDDoS is known for compromising vulnerable Linux system architectures in SSH brute-force attacks. It uses a shell script that tries to log in as root using different passwords against thousands of Internet-exposed computers until it finds a match. In addition to launching DDoS attacks, the malware's operators use the XorDDoS botnet to install rootkits, maintain access to compromised devices, and drop additional malicious payloads. This article continues to discuss findings surrounding the surge in XorDDoS activity.

Bleeping Computer reports "Microsoft Detects Massive Surge in Linux XorDDoS Malware Activity"

A new study conducted by researchers from Monash University proposes the most effective way to accurately predict vulnerabilities contained by software code and improve cybersecurity. Software vulnerabilities are common in all systems developed with source code, resulting in various issues such as deadlock, hacking, and system failure. Therefore, early vulnerability detection is crucial for securing software systems. The researchers developed the 'LineVul' approach, which boosted accuracy in predicting software vulnerabilities by over 300 percent while spending only half the typical amount of time and effort compared to current best-in-class prediction tools. LineVul can also protect against the top 25 most damaging and prevalent source code flaws, and it could be used to improve cybersecurity in any application developed using source code. According to research co-author Dr. Chakkrit Tantithamthavorn, LineVul can predict the most crucial areas of vulnerability and pinpoint the actual position of vulnerabilities down to the line of code. This article continues to discuss the LineVul approach to predicting software vulnerabilities and how it can strengthen applications against cyberattacks.

Monash University reports "Unglitching the System: Advancement in Predicting Software Vulnerabilities"

Researchers at Trustwave SpiderLabs have discovered a new approach being taken by phishers to increase victim engagement and confidence: the addition of an interactive chatbot. The phishers hope that this reluctant acceptance of chatbots will help lower the attention of the target victim. The researchers noted that the basic lure is the common failed DHL delivery, and if the victim falls for it, the victim is not immediately directed to the phishing site. Instead, the 'please follow our instructions' results in the delivery of a PDF with a 'fix delivery' button. If the victim clicks the button, he or she is sent to another website where the phishing chain begins with the introduction of a chatbot that promises to fix the delivery but really harvests personal data. If the target accepts the chatbot, it continues the engagement by showing the victim a photo of the damaged package and asks for details on how to deliver it. If the victim asks to schedule delivery, a false CAPTCHA is presented to increase confidence further. In the next stage, the chatbot asks for a delivery address and time. An unspecified password is also requested. The researchers noted that it really doesn't matter what password is entered, it could be a DHL account password or the user's email account, the phisher steals it anyway, along with the delivery address and the user's email address (which they already have). The phishing has begun but is not complete. The chatbot explains that the additional delivery attempt is an additional service that requires payment, so a credit card payment page is displayed. The amount asked for is small. Paying for the fake redelivery gives up the phisher's real target, bank card details.

SecurityWeek reports: "Phishers Add Chatbot to the Phishing Lure"

Quantum computing will significantly increase computing power. However, that capability poses a threat to cryptographic systems, potentially jeopardizing global data. To solve the problem, QuSecure is introducing an industry-first end-to-end post-quantum cybersecurity (PQC) software-based solution that protects encrypted communications and data with quantum resilience. Leading experts, including Arthur Herman, senior fellow and director of the Hudson Institute's Quantum Alliance Initiative, think that a Cryptographically Relevant Quantum Computer (CRQC) will be ready within the next three to five years. A CRQC is a quantum computer capable of breaking current cryptography and exposing the world's encrypted conversations and data. Nation-state attackers are also suspected to be stealing encrypted data today, using a 'steal now, decode later' approach to capture global encrypted data that will be decrypted retroactively once a CRQC is available. QuSecure's new QuProtect solution enables quantum-resilient cryptography at any time, on any device. It employs an end-to-end Quantum-as-a-Service (QSaaS) security architecture that addresses the most vulnerable aspects of the digital ecosystem, combining zero-trust, next-generation post-quantum cryptography, quantum-strength keys, high availability, ease of deployment, and active defense into a comprehensive and interoperable cybersecurity suite. The end-to-end strategy considers the whole data lifecycle, including data storage, communication, and consumption. This article continues to discuss QuSecure's new QuProtect solution aimed at addressing quantum security threats.

BetaNews reports "New Solution Aims to Address Quantum Security Threats"

According to researchers at Imperva, malicious bots accounted for almost 28% of global web traffic in 2021, a record high that exceeded the previous year's figure of 26%. The researchers stated that bots are software apps that run automated tasks. However, while most of them perform legitimate work such as crawling and indexing the internet for search engines, an increasing number are being used for malign purposes. The researchers claimed that the most common of these last year were account takeover (ATO), content or price scraping, and scalping to obtain limited-availability items. The researchers found that two-thirds of this traffic could be traced to "evasive bad bots," software that uses the latest evasion techniques to circumvent security tools. These include cycling through random IPs, entering sites and apps through anonymous proxies, changing identities, and mimicking human behavior to evade detection. The researchers noted that some 36% of bad bots hid as mobile web browsers in 2021, with Safari the most popular choice due to its enhanced privacy settings. The researchers stated that due to the increase in malicious bot traffic, ATO attacks soared by 148% from 2020 to 2021, allowing scammers to access sensitive account information and potentially carry out fraudulent transactions. Financial services was the most targeted industry (35%) in ATO attacks, followed by travel (23%), with the US the leading origin country of ATO attacks (54%) in 2021. Overall, travel (34%), retail (34%), and financial services (9%) were the sectors most targeted by bad bots in 2021, which stands to reason given the large amounts of sensitive data stored in customer accounts and the potential for monetization.

Infosecurity reports: "Bad Bots Swarm the Internet in Record Numbers in 2021"

Microsoft has issued a warning about brute-force attacks on Internet-exposed and inadequately protected Microsoft SQL Server (MSSQL) database servers using weak passwords. Although this is not the first time MSSQL servers have been attacked, Redmond claims that the threat actors are using the genuine sqlps.exe program as a LOLBin (living-off-the-land binary). The Microsoft Security Intelligence team said that the attackers achieve fileless persistence by spawning the sqlps.exe utility, which is a PowerShell wrapper for running SQL-built cmdlets, to run recon commands and alter the start mode of the SQL service to LocalSystem. The attackers also use sqlps.exe to create a new account that they add to the sysadmin role, giving them complete control of the SQL server. Then they gain the ability to perform other actions like deploying payloads such as coin miners. The sqlps utility, included with Microsoft SQL Server, enables loading SQL Server cmdlets as a LOLBin. Using sqlps, attackers can run PowerShell commands without worrying about defenders noticing their actions. Since sqlps is an effective way to avoid Script Block Logging, a PowerShell feature that would otherwise report cmdlet activities to the Windows event log, it also ensures that the threat actors leave no traces for the investigation of their attacks. This article continues to discuss Microsoft's warning pertaining to brute-force attacks on MSSQL servers.

CyberIntelMag reports "Microsoft Has Issued Warning About Brute-Force Attacks on MSSQL Servers"

The National Institute of Standards and Technology (NIST) is working on updating its influential Cybersecurity Framework, which was first published in 2014 and updated in 2018. A NIST official stated on May 17 that the agency is relying on industry feedback for the new update. According to Kevin Stine, chief of NIST's Applied Cybersecurity Division, NIST issued a request for information (RFI) in February to gather input on three categories: the Cybersecurity Framework, cybersecurity resources, and supply chain cybersecurity. The RFI was closed at the end of April, and Stine stated that most of the 130-135 comment submissions NIST received focused on the Cybersecurity Framework. NIST was thrilled with the volume of feedback it received, as well as with submissions from various organizations, including associations representing thousands of companies across the sector and around the world. This article continues to discuss NIST's efforts to update its Cybersecurity Framework.

MeriTalk reports "NIST Leaning on Strong Feedback for Cyber Framework Update"

An MIT Lincoln Laboratory study explored the implementation of zero-trust security, a cybersecurity approach that requires users to prove their authenticity every time they access data or a network application. The goals of the study were to review the implementation of zero-trust architectures in government and industry, identify technical gaps and opportunities, and develop recommendations for the Unites States' approach to a zero-trust system. The first step in the study was to define zero-trust and understand the field's misconceptions about it. For example, some of these misperceptions claim that a zero-trust architecture requires purchasing entirely new equipment or that it renders systems unusable. Jeffrey Gottschalk, the study's co-lead, says that part of the reason there is so much confusion about zero-trust is that it takes what the cybersecurity world has known for many years and applies it in a new way. He emphasizes that it represents a paradigm shift in how we think about security, but it takes many things we already know how to do, such as Multi-Factor Authentication (MFA), encryption, and software-defined networking, and combines them in different ways. The research team examined recent significant cybersecurity incidents to determine which security principles were most responsible for the attack's scope and impact. While several of these attacks used previously unknown implementation vulnerabilities, also known as zero-days, most were caused by the exploitation of operational security principles. The malicious actor had become an insider. By treating every component, service, and user of a system as constantly exposed to and potentially compromised by a malicious actor, zero-trust security principles could protect against this type of insider threat. Each time a user requests access to a new resource, their identity is verified, and every access is mediated, logged, and analyzed. This article continues to discuss key takeaways from the study on zero-trust architectures and how zero-trust security principles could protect against insider threats.

MIT News reports "Zero-Trust Architecture May Hold the Answer to Cybersecurity Insider Threats"