News Items

Cisco has recently issued a "field notice" to advise customers of its Catalyst 2960X/2960XR switches to upgrade the IOS software on their devices to ensure that they are not counterfeit. Counterfeiters often replicate Cisco equipment due to their popularity, but these devices can introduce security vulnerabilities, and the networking giant says they can cause "severe damage" to an organization's network. The company stated that counterfeit devices do not use Cisco hardware, but they still need to run genuine Cisco firmware, and the vendor has several mechanisms in place to detect device counterfeiting. Cisco noted that to detect and mitigate device counterfeiting and malicious attacks on hardware and software, Cisco uses Hardware Trust Anchor, Secure Unique Device Identifier (SUDI), digitally signed software images, secure boot, and other multilayered security approaches to verify the authenticity and integrity of their solutions. These trustworthy technologies run automated checks of hardware and software integrity and can shut down the boot process if a compromise is detected. The company is advising customers using the Catalyst 2960X/2960XR switches to upgrade the IOS software to version 15.2(7)E4 or later to enable the SUDI verification. Cisco noted that this should be done before the devices are added to the network to validate their authenticity. Cisco stated that the illicit grey market for Cisco's gear carries significant risk for customers who buy unauthorized secondhand, third-party, or even stolen networking gear. Cisco's 2960X/2960XR switches have been a flagship product for many years and subsequently have been diverted into the grey market. The company noted that, in addition to introducing security risks, counterfeit devices do not have a valid software license, don't come with a warranty, and are not eligible for certain support plans. Cisco also shared information on how counterfeit devices can be identified and provided detailed instructions for validating the SUDI feature on switches.

SecurityWeek reports: "Cisco Issues Fresh Warning Over Counterfeit Switches"

Researchers have observed phishers exploiting a flaw contained by Google's SMTP relay service to deliver malicious emails that spoof popular brands. There has been a significant surge in SMTP relay service exploit attacks in the wild since April 2022. Organizations use Google's SMTP relay service to perform activities such as sending out promotional messages to a large number of users without running the risk of their email server getting blocklisted. However, the relay service has a vulnerability that could allow any Gmail tenant to spoof another tenant, meaning a hacker can use the service to spoof legitimate brands and distribute phishing and malware campaigns. Since Gmail's SMTP relay servers are generally trusted, and recipients see a legitimate-looking email address in the "From:" field, email security solutions are bypassed. Users could notice something is wrong only by checking the headers of the messages. According to Avanan researcher Jeremy Fuchs, this brand impersonation technique only works if the impersonated company has not enabled its DMARC reject policy. DMARC is a DNS-based authentication standard that protects organizations against impersonation attacks by preventing malicious spoofed emails from reaching targets. This article continues to discuss the exploitation of Google's SMTP relay service to deliver spoofed emails, Google's response to this discovery, and the importance of enforcing the DMARC reject policy.

Help Net Security reports "Phishers Exploit Google's SMTP Relay Service to Deliver Spoofed Emails"

Researchers at the Southwest Research Institute (SwRI) have developed an Intrusion Detection System (IDS) for Industrial Control Systems (ICS). The technology aims to help government and industry improve the detection of cyber threats to industrial networks in critical infrastructure. The research behind the IDS was funded by SwRI to address emerging cyber threats faced in the continuously changing industrial automation ecosystem. The team applied algorithms to scan for cyber threats across network protocols that transmit industrial control data for natural gas pipelines, manufacturing robots, and more, which led to the development of the IDS for ICS. Ian R. Meinzen, a SwRI intelligent machines engineer who worked on the project, noted that the design of ICS historically did not consider security as there was the benefit of having an air gap to enable ICS to operate securely without a connection to IT networks. However, it is no longer an option to unplug industrial networks from IT networks for modern automation systems that depend on Internet of Things (IoT) devices to transmit large amounts of data. Connecting IoT devices and other hardware leaves industrial networks vulnerable. Malicious actors could launch attacks via a vulnerable IoT device, network protocols, and outdated software. The SwRI team focused their research on scanning for cyberattacks over the Modbus/TCP protocol, which utilities and industry have used in Supervisory Controls and Data Acquisition (SCADA) systems equipment for decades. The algorithms they developed were applied in testing the recognition of normal Modbus/TCP traffic and identifying cyberattack vectors, such as data fuzzing/manipulation, address probing, and out-of-band timing. Their algorithms classify data packets as "regular" if they originate from an uncompromised industrial control device or "attack" if the source is an unexpected or compromised device. This article continues to discuss SwRI's research and development of the IDS system for ICS.

SwRI reports "SwRI Develops Cyber Security Intrusion Detection System for Industrial Control Systems"

Google has been working on finding malicious code packages sneaked into open source software projects. The Open Source Security Foundation's (OpenSSF) Package Analysis Project aims to help automate the process of identifying malicious packages distributed on popular package repositories, such as PyPI for Python and npm for JavaScript. The initiative will provide data pertaining to different types of malicious packages and help inform those who work on open source software on how to improve the security of the software supply chain. Package repositories have limited resources to review the large number of daily updates but must maintain an open model in which anyone can contribute. Caleb Brown of Google's Open Source Security Team emphasizes that this has resulted in regular uploads of malicious packages to popular repositories, which could sometimes have devastating consequences for users. The Package Analysis project identified over 200 malicious packages in one month. It discovered token theft attacks targeting Discord users that were distributed on PyPI and npm. A malicious PyPI package, for example, attacked the Discord Windows client through a backdoor downloaded from GitHub and installed on the Discord app to steal Discord tokens. In March, researchers found that developers using Microsoft's Azure cloud were being targeted with hundreds of malicious packages on npm. This article continues to discuss the goals of the Package Analysis Project, the risks of software supply chain security in open source, and other efforts made to bolster supply chain security.

ZDNet reports "Open-Source Security: It's Too Easy to Upload 'Devastating' Malicious Packages, Warns Google"

Security researchers at Mozilla have discovered that over 90% of mental wellness and prayer apps contain serious privacy issues, while many others raise cybersecurity concerns. The researchers found that 29 out of the 32 apps analyzed did not pass Mozilla's privacy requirements, while 25 out of 32 did not meet its Minimum Security Standards, which cover things like encryption, security updates, strong passwords, and vulnerability management. The researchers reported that many of the apps routinely share sensitive data, allow weak passwords, target vulnerable users with personalized ads, and feature poorly written privacy policies. The six worst offenders on the list featured "incredibly vague and messy privacy policies," shared personal information with third parties, and/or collected chat transcripts. The researchers also noted that only one out of all the app developers they analyzed responded to their questions promptly, despite the app developers being sent requests for more information three times. At least eight apps allowed weak passwords ranging from "1" to "11111111," Mozilla claimed. Only two out of the 32 apps made it into the "best of" category: PTSD Coach, an app created by the US Department of Veterans Affairs, and AI chatbot Wysa.

Infosecurity reports: "Mental Health and Prayer Apps Fail the Privacy Test"

Cloudflare has blocked one of the largest Distributed Denial-of-Service (DDoS) attacks ever recorded. According to Cloudflare, the attack bombarded a cryptocurrency platform with 15.3 million requests. DDoS attacks are measured in different ways, including by the volume of data, the number of packets, or the number of requests sent each second. The current records are 3.4 terabits per second for volumetric DDoS attacks, 809 million packets per second, and 17.2 million requests per second. Although the massive DDoS attack recently mitigated by Cloudflare is still smaller than the record, its power was more significant as the attack was delivered via HTTPS requests instead of HTTP requests. HTTPS requests are more compute-heavy than HTTP requests. Therefore, the latest attack could have put more strain on the targeted platform. The resources used to deliver the HTTPS requests were also greater, thus showing that DDoS attackers are growing more powerful. Cloudflare revealed that the attack came from 112 countries, including Indonesia, Russia, Brazil, India, Columbia, and the US. Within these countries, the attack originated from more than 1,300 different networks, with the flood of traffic mainly coming from data centers such as the German provider Hetzner Online GmbH (Autonomous System Number 24940), Azteca Comunicaciones Colombia (ASN 262186), and OVH in France (ASN 16276). This article continues to discuss Cloudflare's recent mitigation of a massive DDoS attack on a cryptocurrency platform.

Ars Technica reports "One of the Most Powerful DDoSes Ever Targets Cryptocurrency Platform"

Recently the U.S. Cybersecurity and Infrastructure Security Agency (CISA), U.S. National Security Agency (NSA), U.S. Federal Bureau of Investigation (FBI), Australian Cyber Security Centre (ACSC), Canadian Centre for Cyber Security (CCCS), New Zealand National Cyber Security Centre (NZ NCSC), and United Kingdom's National Cyber Security Centre (NCSC-UK), published a joint advisory on the 15 Common Vulnerabilities and Exposures (CVEs) most routinely exploited by malicious cyber actors in 2021. This list has three vulnerabilities that were routinely exploited in 2020: CVE-2020-1472, CVE-2018-13379, and CVE-2019-11510. Their continued exploitation in 2021 indicates that many organizations fail to patch software in a timely manner and remain vulnerable to malicious cyber actors. The advisory notes that to mitigate the risks of falling victim to attacks that exploit such vulnerabilities, the advisory urged organizations to implement vulnerability and configuration management, identity and access management, and protective controls and architecture.

The 15 most targeted vulnerabilities of 2021 were:

1. CVE-2021-44228 (Log4Shell): Remote code execution (RCE) vulnerability in Apache Log4j
2. CVE-2021-40539: RCE vulnerability in Zoho ManageEngine AD SelfService Plus
3. CVE-2021-34523 (ProxyShell): Elevation of privilege vulnerability in Microsoft Exchange Server
4. CVE-2021-34473 (ProxyShell): RCE vulnerability in Microsoft Exchange Server
5. CVE-2021-31207 (ProxyShell): Security feature bypass in Microsoft Exchange Server
6. CVE-2021-27065 (ProxyLogon): RCE vulnerability in Microsoft Exchange Server
7. CVE-2021-26858 (ProxyLogon): RCE vulnerability in Microsoft Exchange Server
8. CVE-2021-26857 (ProxyLogon): RCE vulnerability in Microsoft Exchange Server
9. CVE-2021-26855 (ProxyLogon): RCE vulnerability in Microsoft Exchange Server
10. CVE-2021-26084: Arbitrary code execution vulnerability in Atlassian Confluence Server and Data Center
11. CVE-2021-21972: RCE vulnerability in VMware vSphere Client
12. CVE-2020-1472 (ZeroLogon): Elevation of privilege vulnerability in Microsoft Netlogon Remote Protocol (MS-NRPC)
13. CVE-2020-0688: RCE vulnerability in Microsoft Exchange Server
14. CVE-2019-11510: Arbitrary file reading vulnerability in Pulse Secure Pulse Connect Secure
15. CVE-2018-13379: Path traversal vulnerability in Fortinet FortiOS and FortiProxy

CSO reports: "15 Most Exploited Vulnerabilities of 2021"

Coca-Cola is investigating claims made by the Russian-linked cybercrime gang Stormus of a large-scale data breach. The ransomware group posted on its website this week that it had successfully hacked the servers of the soft drinks giant and stolen 161GB of data. It also offered the data for sale for more than $64,000, or 1.6467 bitcoin. Stormous did not specify the type of data it stole. Coca-Cola is now investigating Stormous' claim and has informed law enforcement about the alleged incident. In a statement, Coca-Cola communications vice president Scot Leith stated that they are aware of this matter and are investigating to determine the claim's validity. Currently, it is unclear whether the alleged hack was partly motivated by Coca-Cola's decision to close its operations in Russia entirely following the Kremlin's invasion of Ukraine. Shortly after the conflict began, Stormous issued its full support for Russia's actions. The group previously posted a poll on Telegram asking users which company it would most like them to attack. Coca-Cola came out on top, receiving 72% of the votes cast.

Infosecurity reports: "Coca-Cola Investigates Data Breach Claim"

Three threat groups have been observed delivering a new sophisticated malware loader dubbed Bumblebee. According to researchers with Proofpoint, the loader, written in C++, is in active development and applies complex detection evasion techniques. The loader aims to download and execute additional payloads. It has been observed dropping Cobalt Strike, shellcode, and Sliver in several different campaigns. An analysis conducted by the researchers reveals that Bumblebee contains anti-virtualization checks and a unique implementation of common downloader capabilities even though it is early in development. The threat actors seen using the loader had previously delivered the BazaLoader and IcedID malware. One of the groups is TA578, which has been executing email-based campaigns since at least May 2020 to deliver Ursnif, IcedID, and BazaLoader. TA579 is another one of the threat actors that has delivered BazaLoader and IcedID since at least August 2021. The actors leveraging Bumblebee could be initial access facilitators that compromise targets and then sell that access to follow-on threat actors. Attacks in which Bumblebee was deployed include email campaigns involving malicious ISO files or thread hijacking. For example, one campaign involved DocuSign-branded emails attempting to trick targets into downloading a malicious ISO file hosted on OneDrive through a hyperlink in the email or an HTML attachment that then redirected targets, which led to the execution of the downloader. The downloader collects system information, including the hostname and UUID, and then establishes communication with the command-and-control (C2) server to receive commands. This article continues to discuss key observations surrounding the Bumblebee malware loader.

Decipher reports "New Bumblebee Malware Loader in Active Development"

Smartphones have become an increasingly attractive target for hackers as their use and the dependence on them continue to grow. Nearly 84 percent of the world's population now owns a smartphone, and there were 3.5 million detected malicious attacks on mobile users in 2021. Over one-fifth of mobile devices have encountered malware and four in ten mobile phones worldwide are vulnerable to cyberattacks. Just like personal computers, phones can get infected with malware. For example, ten million Android devices were infected with the Hummingbad virus in 2016, putting about 85 million devices at risk. A phone virus typically works the same as a computer virus as it involves infecting a device, replicating itself, and spreading to other devices via automated messages to others in a victim's contact list or auto-forwarding as an email. Malware can disrupt a phone's functionality, transmit personal information to hackers, send malware-linked spam messages to contacts, capture keyboard inputs, and more. In Australia, there were 16,000 reports of the Flubot virus over eight weeks in 2021. The Flubot virus sent text messages to Android and iPhone users with links that led to a malicious app being downloaded, which gave scammers access to victims' personal information. Although Apple devices are generally considered more secure than Android devices, and are less vulnerable to virus attacks, iPhone users who jailbreak or modify their phone could open themselves up to attacks. Android users who install apps from third-party app stores increase their risk of installing malware. All phone users should watch out for signs of malware infection, which include poor performance, random crashes, excessive battery drain, increased mobile data consumption, unexplained billing charges, unusual pop-ups, and unexpected device overheating. This article continues to discuss notable phone viruses, differences in security between Apple and Android devices, signs for infection on a mobile device, how phone users could prevent further damage by a virus, and how to protect phones from malware infection.

The Conversation reports "Can Your Mobile Phone Get a Virus? Yes - And You'll Have To Look Carefully To See the Signs"

Group-IB discovered over 91,000 publicly-exposed databases in the first quarter of 2022, which is significantly more than that of 2021. In 2021, the cybersecurity firm identified a total of 308,000 exposed databases, with over 165,000 discovered in the second half of the year. Most of the publicly-exposed databases were found to be using the Redis database management system, followed by MongoDB and Elastic. Group-IB emphasizes that improperly inventoried Internet-facing assets such as databases could be abused in the launch of cyberattacks, which could lead to costly data breaches. Last year, IBM discovered that the average cost of a data breach exceeded $4.2 million during the pandemic, a 10 percent increase from the previous year. In addition, the average time to identify and address a data breach had also increased to 287 days. Although the number of exposed databases has increased, the average amount of time it takes for a database owner to fix the issue is still the same as a year ago, at 170 days. This article continues to discuss the increase in the number of exposed databases, the potential impact of such exposure, and how to improve database security.

Security Week reports "Over 300,000 Internet-Exposed Databases Identified in 2021"

Ricochet Chollima is a North Korean state-sponsored hacking group, also known as APT37, that has been targeting journalists covering the country. The group has been delivering a novel malware strain called Goldbackdoor to journalists through phishing attacks. The phishing emails came from the account belonging to the former director of South Korea's National Intelligence Service (NIS), who APT37 previously compromised. The campaign goes through a two-stage infection process, giving the threat actors more deployment versatility and making it difficult for analysts to sample payloads. The emails sent to journalists include a link to download ZIP archives containing LNK files, both named after Kang Min-chol, North Korea's Minister of Mining Industries. The LNK file (Windows shortcut) uses a document icon to disguise itself. It also uses padding to artificially increase its size to 282.7 MB, thus preventing easy uploads to Virus Total and other online detection tools. When executed, a PowerShell script is launched, and a decoy document is opened for distraction as a second script is decoded in the background. The decoy document has an embedded external image hosted on the Heroku platform that alerts the threat actors when the document is viewed. The second script downloads and executes a shellcode payload called Fantasy, stored on Microsoft OneDrive, which is unlikely to generate AV alerts. According to malware experts at Stairwell, Fantasy is the first of two Goldbackdoor deploying mechanisms, both of which rely on stealthy process injection. This article continues to discuss the APT37 hacking group's targeting of journalists with Goldbackdoor malware.

Bleeping Computer reports "North Korean Hackers Targeting Journalists with Novel Malware"

SoS Musings #60 -

Nature-Inspired Cybersecurity Enhancements

Security firms are pushing for improved cloud vulnerability and risk management. Significant gaps exist in the Common Vulnerability and Exposures (CVE) system as dangerous flaws contained by cloud services are not addressed. Oftentimes, cloud providers expose customers to risk by not sharing details about bugs found on their platform. Therefore, many firms are calling for a CVE-like approach to cloud bug management to help customers weigh exposure and impact as well as mitigate risk. A growing number of security firms argue that the current model is broken because CVE identification rules only assign CVE tracking numbers to vulnerabilities that end-users and network administrators can directly manage. MITRE, the non-profit organization behind the CVE system, does not assign CVE IDs for security issues considered cloud providers' responsibility. The assumption is that cloud providers own the problem, and assigning CVEs not controlled by customers or patched by administrators is outside the CVE system's scope of concern. Scott Piper, a cloud-security researcher with Summit Route, says it is a false assumption that all issues can be resolved by the cloud provider and do not need a tracking number. Even if the cloud provider can solve an issue, researchers still believe it warrants having a record. According to Alon Schindel and Shir Tamari, researchers with the cloud security firm Wiz, as new types of vulnerabilities are discovered, more issues are found not fitting the current MITRE CVE reporting model. Therefore, the security industry is urging the creation of a centralized cloud vulnerability database. Although cloud service providers do respond quickly to cloud bugs and work fast to mitigate issues, the process of identifying, tracking, and helping impacted users needs to be streamlined. Shared industry goals behind the cloud bug CVE approach include standardized notification channels for all cloud service providers, standardized bug or issue tracking, severity scoring to help prioritize mitigation efforts, and transparency into vulnerabilities and their detection. This article continues to discuss the need for a CVE-like cloud bug system.

Threatpost reports "Firms Push for CVE-Like Cloud Bug System"

Web Application Program Interfaces (APIs) have grown as integrated web and mobile-based offerings require more data sharing across products. Security challenges such as broken authentication, accidental disclosure, or the breach of data come with the increased dependence on APIs. A 451 Research and Noname Security report highlights key characteristics and security risks associated with API usage and the benefits of taking a holistic approach to API security. The report includes results from a survey of IT experts from more than 350 global companies in different industries. Responses reveal that API usage is heavy, with an average of 15,564 APIs in use by survey respondent organizations, and a growth rate of 201 percent over the past 12 months. Of the organizations represented by survey respondents, 41 percent had an API security incident within the last 12 months, 63 percent of which said the incident involved a data breach or data loss. Over 30 percent of the survey respondents revealed that API security concerns have resulted in the delay of projects. More than 80 percent of those participants believe more effective integration of API security testing into developer pipeline activities could have prevented the delays. This article continues to discuss key findings from the report on the characteristics and security risks present in API usage.

Help Net Security reports "41% of Businesses Had an API Security Incident Last Year"

The US telecommunications carrier T-Mobile has confirmed that the Lapsus$ ransomware group breached its internal network through compromised employee accounts. However, the company claims that the hackers did not steal any sensitive customer or government information. According to the information security blogger Brian Krebs who recently reviewed a copy of private chat messages between members of the Lapsus$ cybercrime group before its most active members were arrested last month, T-Mobile had been breached by Lapsus$ several times. The group allegedly also stole source code from various company projects. A spokesperson for T-Mobile stated that its monitoring tools detected a bad actor using stolen credentials to infiltrate internal systems housing operational tools software, but no customer or government information was stolen. Lapsus$ openly operated on its Telegram chat channel since December 2021, which currently has nearly 60,000 followers. The group used this channel to leak sensitive data stolen from victims. This article continues to discuss the breach of T-Mobile's systems by Lapsus$ hackers, the group's other activities, the arrest of its most active members, and other notable attacks on T-Mobile.

DataBreachToday reports "T-Mobile Breached Again; Lapsus$ Behind the Attack"

Security researchers at application security firm Sonar have discovered that an unpatched vulnerability affecting the RainLoop webmail client can be exploited to hijack a user's session and steal their emails. RainLoop is an open source web-based email client used by many organizations. Sonar reported identifying thousands of internet-exposed instances using the Shodan search engine. The researchers discovered that RainLoop 1.16.0, the latest version of the application released roughly one year ago, is affected by a stored cross-site scripting (XSS) vulnerability that can be exploited against default configurations. The researchers noted that the attacker could exploit the flaw by simply sending a specially crafted email to a RainLoop user. Once the victim opens the malicious email, a hidden JavaScript payload is executed in the browser without other user interaction being required. The security hole, tracked as CVE-2022-29360, is caused by what the researchers describe as a "logic bug after the sanitization process." The researchers warned that an attacker could exploit the vulnerability to gain access to highly sensitive information that may be stored in the victim's emails, including passwords, documents and password reset links. The company has released a video showing the exploit in action. The vulnerability was initially reported to RainLoop developers in late November 2021, and there were two more responsible disclosure attempts in December and January, but the researchers said they received no response.

SecurityWeek reports: "Unpatched Vulnerability Allows Hackers to Steal Emails of RainLoop Users"

The US Department of Health and Human Services' (HHS) Health Sector Cybersecurity Coordination Center (HC3) released an analyst note pertaining to the Hive ransomware group, a cybercrime group that has launched several attacks against the healthcare sector. HC3 warns that Hive is an aggressive financially-motivated ransomware group with sophisticated capabilities. Hive was behind the August 2021 attack against the Memorial Health System, which impacted more than 200,000 individuals and resulted in the exfiltration of sensitive data. Additionally, Hive was behind the cyberattack on the Missouri Delta Medical Center that occurred in September 2021. HC3 identified the Hive group as one of the top US healthcare ransomware threats in Q3 2021. In March 2022, Hive stole 850,000 records consisting of Personally Identifiable Information (PII) from Partnership HealthPlan of California. HC3's latest analyst note says Hive conducts double extortion and operates based on the Ransomware-as-a-Service (RaaS) model, thus enabling them and affiliates to gain access to victim infrastructure. The group uses Golang (Go)-written malware, and leverages Remote Desktop Protocol (RDP) and Virtual Private Network (VPN) compromise as well as phishing. Their operations include searching victim systems for processes responsible for backing up data and disrupting them by deleting shadow copies and system snapshots. Much of Hive's operations are considered standard practice amongst ransomware operators, but they have a set of unique capabilities. According to the FBI, Hive uses various tactics, techniques, and procedures (TTPs), making mitigation and defense efforts challenging. To defend against Hive, organizations are encouraged to enable Multi-factor Authentication (MFA), use strong passwords, and regularly backup data. HC3 recommends organizations adopt the 3-2-1 rule for data backups by storing data in three different locations, on two forms of media, and with one of them stored offline. This article continues to discuss HC3's analyst note regarding the Hive ransomware group's history, capabilities, and severity, as well as how to defend against this group.

HealthITSecurity reports "HHS Underscores Risk of Hive Ransomware"

A security researcher named Michael Heinzl has discovered several vulnerabilities, including ones rated critical- and high-severity, in industrial products made by Elcomplus, a Russian company specializing in professional radio communications and industrial automation. The researcher discovered a total of nine vulnerabilities in Elcomplus' SmartPTT SCADA product, which combines the capabilities of SCADA/IIoT systems with dispatch software for professional radio systems. In addition, it appears that products made by SmartICS, an Elcomplus unit that specializes in SCADA and industrial IoT visualization platforms, are also affected by some of the vulnerabilities, as they share code. The affected products are used by more than 2,000 organizations across 90 countries, including in the United States, which is why the US Cybersecurity and Infrastructure Security Agency (CISA) this week published two advisories to inform organizations about these vulnerabilities. The list of security holes includes path traversal, cross-site scripting (XSS), arbitrary file upload, authorization bypass, cross-site request forgery (CSRF), and information disclosure issues. Exploiting these vulnerabilities can allow an attacker to upload files, read or write arbitrary files on the system, obtain credentials stored in clear text, carry out various actions on behalf of a user, execute arbitrary code, and elevate privileges to access admin functionality. In some cases, exploitation requires authentication or user interaction. Michael reported the vulnerabilities to the vendor through CISA in April 2021. While the vendor has not been very responsive, it appears that it did release patches by the end of 2021.

SecurityWeek reports: "Several Critical Vulnerabilities Affect SmartPPT, SmartICS Industrial Products"

Android devices running on Qualcomm and MediaTek chipsets have been discovered by security analysts to be vulnerable to Remote Code Execution (RCE) attacks. The vulnerability stems from a flaw in the implementation of Apple Lossless Audio Codec (ALAC), which is an audio coding format for lossless audio compression. Apple open-sourced ALAC in 2011 and has since then been releasing updates, including security fixes, for the format. However, some third-party vendors using ALAC have not applied the updates, including two of the largest smartphone chip makers, Qualcomm and MediaTek. The bug impacts chipsets present in nearly the entire range of products Qualcomm released over the past several years. A remote attacker can exploit the vulnerability to execute code on a target device by sending a specially crafted audio file and tricking an unsuspecting user into opening it. Researchers have dubbed this attack ALHACK. RCE attacks can lead to data breaches, the planting and execution of malware, the modification of device settings, account takeover, and more. An analysis of the vulnerability revealed that the ALAC decoder implementations from Qualcomm and MediaTek suffer from out-of-bounds reads as well as the improper validation of audio frames. These problems could lead to information disclosure and elevated privileges without the need for user interaction. This article continues to discuss the critical chipset bug that opens millions of Android devices to RCE attacks.

Bleeping Computer reports "Critical Bug in Android Could Allow Access to Users' Media Files"

Microsoft was granted a court order to take down seven domains used by APT28, a cyber espionage group sponsored by Russia's military intelligence. Their goal was to prevent attacks by APT28 on Ukraine online resources. Microsoft was able to redirect attacks to a Microsoft sinkhole and let victims know about possible hacks on Ukrainian institutions and government agencies as well as other organizations in the U.S. and Europe.

THN reports "Microsoft Obtains Court Order to Take Down Domains Used to Target Ukraine"

Bob's Red Mill Natural Foods, a popular American brand of whole-grain foods, issued a data breach notice on April 15 after learning that it had fallen victim to a data scraping cyberattack that began two months ago. The company stated that they recently learned that, between February 23 and March 1, 2022, malicious software was used to "scrape" purchase-related information entered into their website. The company said that data entered into its website is usually sent directly to the company's payment processor via secure protocols. However, unidentified cyberattackers used malicious software to divert the information. The company noted that they do not believe any of its physical/in-person count-of-sale terminals have been impacted or that purchases made outside the February 23 - March 1 window have been impacted. Data that may have been exposed in the attack includes online customers' payment card information, billing and shipping addresses, email addresses, phone numbers, and purchase amounts. The company said that no information had been found to indicate that any Social Security numbers, dates of birth, driver's license numbers, or other government-issued ID numbers had been exposed in the attack.

Infosecurity reports: "Bob's Red Mill Reports Data Breach"

According to a survey of business customers who use Microsoft 365 for email, commissioned by Cyren and conducted by Osterman Research, many security teams believe their email security systems are ineffective against ransomware and other significant inbound threats. Security team managers were found to be the most concerned about current email security solutions not being able to block serious inbound threats, which require time for response and remediation by the security team before users trigger dangerous threats. Less than 50 percent of those surveyed said that their organizations can block the delivery of email threats. Less than half of the organizations rank their current email security solutions as effective. Protections implemented against impersonation threats are considered the least effective, followed by measures to detect and block mass-mailed phishing emails. Nearly all of the organizations polled have experienced one or more types of email breaches. Most of the organizations faced one or more successful email breach types during the previous 12 months. The number of email breaches per year has doubled since 2019, most of which were due to successful phishing attacks that stole Microsoft 365 credentials. The survey also revealed that successful ransomware attacks have increased by 71 percent in the last three years. In addition, Microsoft 365 credential compromise grew by 49 percent, and successful phishing attacks increased by 44 percent. This article continues to discuss the key findings from the report on phishing, Business Email Compromise (BEC), and ransomware threats faced by Microsoft 365 Users, as well as where email defense breaks down.

Threatpost "Most Email Security Approaches Fail to Block Common Threats"