News Items

Security researcher Karl Koscher and his colleagues explored what happens when an old satellite has been decommissioned and transitioned into a graveyard orbit. They were given permission to access and broadcast from a Canadian satellite called Anik F1R, which was set up to support Canadian broadcasters in 2005 and was designed to be used for about 15 years. As the satellite will soon move to its graveyard orbit, nearly all services that use it have already moved to a new satellite. However, the researchers were still able to communicate with the satellite using special access to an uplink license and transponder slot lease. Koscher took over the satellite and broadcasted to the northern hemisphere. He and his colleagues from the Shadytel telecommunications and embedded device hacking group broadcasted a livestream from another security conference. They turned an unidentified commercial uplink facility, which is a station consisting of a special powered dish to communicate with satellites, into a command center in order to broadcast from the satellite. Although the researchers were permitted to access both the uplink facility and the satellite, the experiment highlighted the gray area in which a defunct satellite is no longer being used but has not yet moved to its final resting orbit. Besides independent hacking, the researchers pointed out that the lack of authentication and controls on satellites could allow countries to take over each others' equipment. For example, a state could broadcast propaganda without launching their own satellite as they could hijack another state's satellite if they have the ground equipment. This article continues to discuss the potential use of decommissioned satellites by hackers for their own malicious purposes.

Wired reports "Researchers Used a Decommissioned Satellite to Broadcast Hacker TV"

Customers of a popular cryptocurrency hardware provider have been urged not to reply to any official-looking emails after a convincing phishing campaign was uncovered. Trezor makes hardware devices that customers can use to store their digital currency, which is a more secure alternative to the online equivalent. Over the weekend, several customers complained to the firm's Twitter account after being sent a scam email claiming that a data breach had hit over 100,000 customers. The email went on to say that a "malicious actor" managed to compromise Trezor Suite servers and therefore access their wallets. The customers were then urged to download the latest version of the application to 'protect' their crypto assets. In reality, doing so would enable the threat actors to steal the user's recovery code used to recover wallets in the event a device is lost or stolen. The email is sent from a convincing "trezor.us" domain, although the official one used by the Prague-headquartered company is "trezor.io." Trezor subsequently confirmed yesterday that the scammers had targeted one of its newsletters hosted on popular provider MailChimp to get the details of Trezor customers. Trezor stated that they managed to take the phishing domain offline and are trying to determine how many email addresses have been affected. MailChimp has also confirmed that their service has been compromised by an insider targeting crypto companies. Trezor stated that they would not be communicating by newsletter until the situation was resolved. They are urging customers not to open any emails appearing to come from Trezor until further notice.

Infosecurity reports: "Trezor Customers Phished After MailChimp Compromise"

Threat actors are infiltrating cloud accounts to create distributed workloads for cryptomining. According to researchers, the threat actors are hacking misconfigured and vulnerable cloud instances to carry out Distributed Denial-of-Service (DDoS) attacks and abuse trial accounts from DevOps service providers. Outlaw is the name of a Romanian group that seeks to compromise Internet of Things (IoT) devices, Linux servers, and containers through the exploitation of known vulnerabilities and use of stolen or default credentials to mine the Monero digital currency or launch DDoS attacks. TeamTNT is a highly sophisticated group that targets vulnerable software services. The Kinsing group is known to have a considerable number of cloud exploits. The attacks executed by these groups call on companies to increase efforts towards strengthening their security controls in the cloud. Stephen Hilt, a senior threat researcher with Trend Micro, says these malicious groups are taking advantage of the large amount of poorly configured cloud instances. Other attack groups have discovered ways to exploit the free tier of Continuous Integration and Continuous Deployment (CI/CD) pipeline services, such as Azure DevOps, BitBucket, CircleCI, GitHub, GitLab, and TravisCI. They have also found ways to combine the transient workloads into a cryptomining cloud service. For example, an attacker used multiple six-hour build steps to add processor cycles to a pooled mining service. Different cybercriminal groups have also been competing for cloud services. For instance, TeamTNT has targeted systems compromised by Kinsing, a rival cryptocurrency mining group. This article continues to discuss recent findings regarding cybercriminal groups' use of cloud resources for cryptomining.

Dark Reading reports "Cybercriminals Fighting Over Cloud Workloads for Cryptomining"

According to new research at Imperva, a shocking 70% of EMEA organizations have no insider risk strategy despite employees directly or indirectly causing most data security incidents over the past year. The researchers, during a survey, found that insider threats caused 59% of incidents impacting sensitive data in the past 12 months. Imperva defines an insider threat as originating from "inappropriate use of legitimate authorized user accounts" by either their rightful owner or a threat actor who has managed to compromise them. The largest number of respondents to the survey cited a lack of budget (39%) and internal expertise (38%) as their reason for not prioritizing insider risk. However, nearly a third (29%) claimed they don't see employees as a significant threat, and a similar number (33%) cited internal roadblocks such as a lack of executive sponsorship. The most common tactics to protect against insider threats in EMEA included staff training (65%), manual monitoring of employee activity (50%), and encryption (47%). However, the researchers noted that they appear to be having a limited impact, and (56%) of respondents claimed their end-users found ways to circumvent data protection policies. The security researchers stated that an effective insider threat detection system needs to be diverse, combining several tools to not only monitor insider behavior but also filter through the large number of alerts and eliminate false positives. Imperva recommended that organizations put together a dedicated function to handle insider risk and follow zero trust principles as they build out their programs.

Infosecurity reports: "Over Half of Data Security Incidents Caused by Insiders"

Researchers at the Washington University in St. Louis (WUSTL) propose an inexpensive, more convenient, and scalable security system that is resistant to quantum attacks. Other potential solutions for securing data against quantum attacks have been found to be significantly computationally expensive or require dedicated optical fibers or satellite links through lasers. The new protocol for Symmetric Key Distribution, which the team refers to as SPoTKD, does not need lasers, satellites, or miles of new cable as it only relies on tiny microchips embedded with tiny clocks that function without batteries. According to the researchers, the clocks are electrons that transport themselves between two locations on the chip through the use of quantum tunneling. The time refers to the electrons' motions. When a chip is created, its initial state is recorded on a computer server. When someone creates a secure channel, they make a note of the time on a subset of the clocks and send that information to the server, which can then use its knowledge about the initial state to determine what time the clocks read at the time they were sent. The server alerts the person of what the times were and, if they are correct, a secure channel of communication has been opened. The quantum nature of the electron transportation provides additional layers of security. The clock collapses when they are measured, and neither a spy nor the recipient can access the information. This article continues to discuss the new quantum attack-resistant security system proposed by researchers at WUSTL.

WUSTL reports "Tiny, Cheap Solution for Quantum-Secure Encryption"

Plans of Russian-affiliated hackers to disable and hold over 400 US hospitals hostage were discussed in 2020 in an online chatroom. However, these plans were successfully disrupted by the Department of Homeland Security and the US Cyber Command. A Ukrainian researcher revealed that the Russian cybercriminal gang known as Trickbot was behind the ransomware plot to force 428 US hospitals to quickly pay ransomware as they dealt with surging COVID-19 cases. The group's documents date from the summer and fall of 2020, and US authorities disrupted the gang's attack infrastructure. Since then, Trickbot's operations and malware have been enhanced. US federal authorities have been warning healthcare organizations of the growing threat of ransomware. In fall 2020, the US Homeland Security Department's Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and the Department of Health and Human Services (DHHS) issued alerts pertaining to the targeting of the healthcare sector with Trickbot malware to launch ransomware attacks, steal data, and disrupt critical healthcare services. US hospitals that experienced ransomware attacks include Sonoma Valley Hospital, the Champaign-Urbana Public Health District, Enloe Medical Center, all 250 Universal Health Services facilities, and many others. Trickbot is also suspected of having been behind 16 attacks against US emergency responders in 2021. This article continues to discuss the Russian-affiliated Trickbot cybercriminal gang's plans to attack over 400 US hospitals in 2020, the disruption of the group's infrastructure by US authorities, and the overall growth in ransomware attacks on healthcare facilities.

Campus Safety reports "Pro-Russia Hackers Targeted More than 400 US Hospitals in 2020"

A widely used online grading and attendance system has been hacked, causing what could be the largest ever exposure of students' personal data in American history. Adversaries broke into the IT systems of Illuminate Education in January, gaining access to a database containing the personal data of around 820,000 current and former New York City public school students. Illuminate Education is a taxpayer-funded software company based in California. Illuminate Education created the popular IO Classroom, Skedula, and PupilPath platforms used by New York City's Department of Education to track grades and attendance. Data compromised in the incident included students' names, birthdates, ethnicities, home languages, and student ID numbers. The Department said that the attackers had exfiltrated class and teacher schedules and data regarding which students received free lunches or special education services.

Infosecurity reports: "Personal Data of 820,000 NYC Students Exposed"

A new study conducted by researchers at the University of Georgia (UGA) proposes the use of a novel approach to protecting the nation's solar farms from cyberattacks. A team at UGA's College of Engineering developed a sensor system capable of monitoring an essential electrical component of solar farms for signs of cyber intrusion in real-time. WenZhan Song, the study's lead investigator, emphasized that hackers' exploitation of the converters that connect solar farms with the power grid is a growing concern. In today's grid-connected solar farms, it is possible to remotely control power electronics, but this Internet connection has increased the likelihood of cyberattacks. In order to safeguard solar farms against cyber threats, the UGA researchers developed a system that can detect anomalies in the operations of power electronic converters in real-time through the use of a single voltage sensor and a current sensor. The system also applies deep learning methods to distinguish between normal conditions, open-circuit faults, short-circuit faults, and cyber intrusions. A small passive sensor device is connected to the power converter to collect data on electrical waveforms and feed the information to a computer monitor. Even if an attack evades the firewall or security software, the sensors will still detect unusual activity in the power electronics device's electrical current. According to the researchers, their system can also run diagnostic tests to determine what type of problem occurred. Compared to other existing detection methods, which only detect abnormal waveforms, the UGA researchers say their system has been proven to be more accurate in identifying cyberattacks in testing using a solar farm model. They also say their system can identify new types of cyberattacks that have not been programmed into deep learning algorithms. This article continues to discuss the UGA research team's sensor system designed to protect solar farms from hackers.

UGA Today reports "Researchers Protecting Solar Technologies From Cyberattack"

Cybersecurity Snapshots #28 -

Implementing Zero Trust Models is Easier Said Than Done

A cryptocurrency firm used by gamers to transfer virtual coins has found that hackers stole hundreds of millions of dollars worth of currency from it. Vietnamese blockchain game developer Sky Mavis created the Ronin Network to function as an Ethereum sidechain for its Axie Infinity game. In practice, it allows users to transfer cryptocurrency in and out of the game. Ronin Network discovered the cyber-heist after a user complained that they could not withdraw funds from the bridge. The company found that an adversary compromised Sky Mavis's Ronin validator nodes and Axie DAO validator nodes and used hijacked private keys to forge fake withdrawals. This resulted in the theft of 173,600 Ethereum ($592m) and $25.5m from the Ronin bridge in two transactions. The company noted that Sky Mavis's Ronin chain currently consists of nine validator nodes. In order to recognize a deposit event or a withdrawal event, five out of the nine validator signatures are needed. The attacker managed to get control over Sky Mavis's four Ronin validators and a third-party validator run by Axie DAO. Ronin Network said it had paused its bridge functionality to ensure no further attack vectors are open, and it has increased the validator threshold from five to eight. The company is currently working with analytics firm Chainalysis to monitor where the stolen funds go. The company claimed, "most" of the funds are still in the attacker's wallet. According to Comparitech, the incident makes it the most significant cryptocurrency theft ever recorded, topping the raid on Poly Network, which netted $610m in August last year.

Infosecurity reports: "Attackers Steal $618m From Crypto Firm"

Rapid7's new 2021 Vulnerability Intelligence Report reveals a 71 percent decrease in 'time to known exploitation' (TTKE) due to the surge in widespread zero-day attacks, most of which were launched by ransomware gangs. Hackers were found to be faster in the exploitation of software bugs in 2021, with the average time to exploitation decreasing from 42 days in 2020 to just 12 days. Google's Threat Analysis Group (TAG) and Project Zero researchers also observed a surge in zero-day attacks in which the threat actors exploit a flaw before a vendor has released a patch for it. This article continues to discuss key findings from Rapid7's report on vulnerability and attack trends in 2021.

ZDNet reports "Hackers Are Getting Faster at Exploiting Zero Day Flaws. That's Going to Be a Problem for Everyone"

Security researchers at Veracode have discovered that more than four-fifths (82%) of public sector applications have security flaws, the highest proportion of any industry. The researchers also found that the public sector takes around twice as long to fix flaws once detected compared to other industries. In addition, 60% of flaws in third-party libraries in the public sector remain unfixed after two years. This is double the time frame of other industries and 15 months behind the cross-industry average. The researchers analyzed data collected from 20 million scans across half a million applications in the public sector, manufacturing, financial services, retail & hospitality, healthcare, and technology. The public sector also had the joint lowest vulnerability fix rate of all industries, at 22%. The researchers stated that the findings suggest that public sector entities are particularly vulnerable to software supply chain attacks like SolarWinds and Kaseya, which could lead to disruptions and critical data being compromised. The researchers noted that they found that public sector organizations have made significant improvements in tackling high severity flaws, which is encouraging. According to the analysis, high-level flaws only appear in 16% of public sector applications, and the total number has decreased by 30% in the past year.

Infosecurity reports: "82% of Public Sector Applications Contain Security Flaws"

A new email phishing campaign has been discovered hijacking conversations to deliver IcedID information-stealing malware. The campaign exploits unpatched and publicly-exposed Microsoft Exchange servers. The phishing emails apply the social engineering tactic of conversation hijacking, also known as thread hijacking. It involves the use of a forged reply to a previous stolen email to trick the recipient into opening an attachment. This method has been shown to increase the credibility of the phishing email and cause a high infection rate. The latest wave of attacks targeted organizations within the energy, healthcare, law, and pharmaceutical sectors. IcedID is a banking trojan that has become an entry point for more sophisticated threats, including human-operated ransomware and the Cobalt Strike adversary simulation tool. It can connect to a remote server and download next-stage implants and tools for attackers to perform follow-on activities and move laterally across impacted networks to deliver additional malware. This article continues to discuss findings surrounding the new email phishing campaign aimed at delivering IcedID information-stealing malware by taking over email reply chains on unpatched Microsoft Exchange servers.

THN reports "Hackers Hijack Email Reply Chains on Unpatched Exchange Servers to Spread Malware"

Browser-in-the-Browser (BITB) is a novel phishing method in which third-party Single Sign-On (SSO) options are abused. These SSO options are embedded on websites and issue pop-up windows for authentication via Google, Facebook, Apple, or Microsoft. The BITB attack involves simulating a pop-up window in order to spoof a legitimate domain. This approach of spoofing a pop-up login window is dangerous as it undermines the standard practice of checking the URL of sites. According to the researcher who demonstrated the technique, this type of attack is difficult to detect because the fake window looks identical to the real window. The fake one only has a few minor differences, making it difficult to notice. This article continues to discuss the BITB phishing method and how it differs from traditional phishing techniques.

Security Boulevard reports "Browser-in-the Browser (BITB) - A New Born Phishing Methodology"

Utah has passed a new privacy law called the Utah Consumer Privacy Act (UCPA). UCPA will take effect in under two years, on December 31, 2023. The provisions will apply to organizations with annual revenue of $25m or more that conduct business in Utah or produce products or services targeted at Utah residents and process large volumes of personal data. Utah is the fourth US state to enact a consumer privacy law in recent years, following in the footsteps of California, Virginia, and Colorado. The UCPA will provide Utah consumers with a range of new rights regarding the collection and use of their personal information. These include the right to access, delete and obtain a copy of their personal data in a portable manner. In addition, Utah consumers can choose to opt-out of the sale of their personal data and targeted advertising. However, unlike California, Virginia, and Colorado laws, the UCPA does not give consumers the ability to correct inaccuracies in their personal data. UCPA will also require controllers to implement reasonable and appropriate data security measures, provide certain content in their privacy notices, and include specific language in contracts with processors. Unlike the other US state privacy laws, controllers will not be required to conduct data protection assessments before engaging in data processing activities that present a heightened risk of harm to consumers or to conduct cybersecurity audits or risk assessments.

Infosecurity reports: "Utah Becomes Latest US State to Pass a Data Privacy Law"

Biometrics help identify and authenticate a person by analyzing and measuring physical characteristics such as the face, voice, fingerprint, retina, and more. Biometric-based tools are increasingly supplementing or replacing password systems in the realm of security. A team of researchers from Universidad Carlos III de Madrid (UC3M) and the Shahid Rajaee Teacher Training University (SRTTU) proposes an innovative identification method that is based on the exclusive characteristics of the heartbeat. Their technique involves using electrocardiograms (ECG) and analyzing five musical qualities, including dynamics, rhythm, timbre, pitch, and tonality, which are commonly used to characterize audio files. These qualities are applied to the sound of heartbeats, which are then used to obtain a combination of parameters unique for each person. According to the team, their approach has an accuracy rate of 96.6 percent. Although biometric identification based on cardiac recordings has already been proven effective through years of studies, this new work is different as the researchers look at the ECG recording as if it were a sound wave. They also analyze this sound wave using qualities commonly explored to characterize music. The universality of this method's identification is its main advantage since some people still cannot be recognized by certain types of biometrics due to injury, amputation, or disabling physical characteristics. The heartbeat is a bio-signal present in all humans, without exception. This article continues to discuss the proposal and continued development of the researchers' method for using the heartbeat as a biometric tool.

UC3M reports "An Algorithm Makes It Possible to Identify People by Their Heartbeat"

Google's Threat Analysis Group discovered that two distinct sets of North Korean hackers were exploiting the same remote code execution vulnerability in the Chrome web browser. One set of North Korean hackers targeted news media and IT companies, and the other aimed at cryptocurrency and fintech organizations. The vulnerability that was being targeted was patched on February 14th. If the vulnerability was exploited, it would have allowed the hackers to deliver malware packages in hidden iframes, both on websites they owned and websites they had compromised. The researchers stated that the two groups had different aims and used different techniques, but they used the same exploit kit, meaning they likely worked for the same entity with a shared supply chain.

CyberScoop reports: "Dual North Korean Hacking Efforts Found Attacking Google Chrome Vulnerability"

ESET researchers have spotted a cyberespionage campaign involving a previously undocumented Korplug variant by the Mustang Panda Advanced Persistent Threat (APT) group. The campaign takes advantage of the war in Ukraine and other European news topics. Targets include research entities, Internet service providers (ISPs), and European diplomatic missions in East and Southeast Asia. The new Korplug variant has been dubbed Hodur because it resembles the THOR variant documented in 2020. Those who have fallen victim to the new campaign were likely lured with phishing documents that exploit Russia's invasion of Ukraine and other latest events in Europe. For example, one of the filenames related to this campaign is "Situation at the EU borders with Ukraine.exe." Other phishing lures used in this campaign mention COVID-19 travel restriction updates, an approved regional aid map for Greece, and a Regulation of the European Parliament and of the Council. These lures show that the APT group behind the campaign is closely following current affairs to quickly react to them. According to ESET researchers, code similarities and the commonalities in Tactics, Techniques, and Procedures (TTPs) suggest Mustang Panda, also known as TA416, RedDelta, or PKPLUG is behind the campaign. This cyberespionage group is known to mainly target governmental entities and Non-Governmental Organizations (NGOs). This article continues to discuss the latest findings regarding the new cyberespionage campaign abusing the latest events.

Help Net Security reports "New Cyberespionage Campaign Targeting ISPs, Research Entities"

Palo Alto Networks' Unit 42 conducted an analysis of ransomware attacks launched in 2021, finding that large and highly organized cybercrime groups such as Conti are contributing to the increase in the overall cost of ransomware attacks. Cases handled by Unit 42 incident responders show that the average ransom demand rose 144 percent in 2021 to $2.2 million, while the average payment increased 78 percent to $541,010. Ransomware attackers were also more likely than ever to leak data from breaches on the dark web as a way to further pressure victims into paying demanded ransoms. The number of victims whose data was made publicly available by ransomware attackers rose 85 percent in 2021 to 2,566 organizations. Almost 1 in 5 ransomware cases handled by Unit 42 involved Conti. This Eastern European gang has made international headlines in recent weeks after thousands of its own documents leaked. Unit 42 also discovered 35 new ransomware gangs in 2021, further indicating that ransomware is continuously growing.

CyberScoop reports "Bigger Demands, Bigger Payouts Are the Trend in Ransomware, Report Says"

The United States and Canada held talks on Tuesday to explore how the countries could collaborate better to counter cross-border illegal activity, including cybercrime. During the meeting, the countries have agreed to work together to improve coordination around reporting of ransomware attacks that can affect cross-border critical infrastructure. They also plan to identify and implement options to strengthen "sectors of their economies that are increasingly targeted by criminals and implement effective responses." Another target agreed by the United States and Canada was to promote the adoption of best practices on cyber hygiene and provide stakeholders with the tools they need to quickly and effectively report cyber incidents. The United States and Canada welcomed negotiations for a potential bilateral agreement relating to the US Clarifying Lawful Overseas Use of Data Act (CLOUD Act). If finalized and approved, the agreement would make it easier for Canadian and United States investigative authorities to access communications and associated data in the other country for the purposes of prevention, detection, investigation, and prosecution of serious crime, such as terrorism, child sexual exploitation and abuse, and cybercrime.

Infosecurity reports: "US and Canada Collaborate to Tackle Cybercrime"

The US Homeland Security Department's Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) released a joint advisory warning critical infrastructure organizations about cyber risks associated with satellite communication (SATCOM) networks. SATCOM networks are used across all sectors for voice and data communication. Therefore, CISA and the FBI are urging SATCOM network providers and customers to stay vigilant against cyberattacks on SATCOM networks, which could lead to the disruption of network environments. For example, hackers targeted the SATCOM provider Viasat in February, disrupting network access in Ukraine. Viasat is also a defense contractor for the US, and so it is used across US critical infrastructure. CISA and the FBI call on SATCOM providers and customers to enable Multifactor Authentication (MFA), enforce the principle of least privilege, and inspect trust relationships with IT service providers. The agencies pointed out that threat actors often abuse the trusted relationships between providers and their customers in order to access data. Organizations are also encouraged to monitor network logs, implement robust patching practices, maintain a cyber incident response plan, and more. This article continues to discuss the joint advisory released by CISA and the FBI warning critical infrastructure organizations of SATCOM cyber risks.

HealthITSecurity reports "CISA, FBI Warn Critical Infrastructure of SATCOM Cyber Threats"

The FBI's Internet Crime Complaint Center (IC3) collects cybercrime complaints and received 847,376 of them last year, with estimated potential losses totaling $6.9 billion, a 64% increase from 2020. The total number of crime reports tallied by the IC3 only rose 7%, which highlights the increased costliness of the attacks. Paul Abbate, deputy director of the FBI, stated that in 2021, America experienced an unprecedented increase in cyberattacks and malicious cyber activity. The IC3 found that business email compromise led the pack again as the costliest crime, tallying $2.4 billion in adjusted losses in 2021. Investment schemes ($1.5 billion), romance scams ($956 million), personal data breaches ($517 million), and real estate scams ($350 million) rounded out the top five most expensive reported crimes. The IC3 also found that cryptocurrency played a more significant role in estimated 2021 cybercrime losses, totaling $1.6 billion compared to $246 million in 2020.

CyberScoop reports: "FBI: Cybercrime Reports Saw 'Unprecedented' Rise Last Year, Costing Nearly $7B"

A malicious Android app has been downloaded more than 100,000 times from the Google Play Store. The Android password-stealing malware called FaceStealer is disguised as a cartoonifier app, Craftsart Cartoon Photo Tools. According to security experts and the mobile security firm Pradeo, FaceStealer displays a Facebook login page and demands the user to register before accessing the program. When users submit their credentials, the app sends them to a command-and-control (C2) server, where the attackers then gather the information. The malicious Android application will also connect to a website that has previously been used for advertising other malicious FaceStealer Android apps. The creator and distributor of these apps appear to have automated the repackaging process and injected malicious code inside an otherwise legal application, thus allowing the apps to pass the Play Store screening process without being flagged. The user does not see any functionality when they open the app unless they sign in to their Facebook account. Pradeo has contacted Google about the Craftsart Cartoon Photo Tools app so that it could be removed. Those who have downloaded the app on their devices should uninstall it as soon as possible, reset their Facebook account password, and enable two-factor authentication for an extra layer of security. This article continues to discuss the infection of over 100,000 Google Play users with the FaceStealer Android password-stealing malware.

CyberIntelMag reports "100,000 Google Play Users Infected With Android Password-Stealer"