News Items

Qualys researchers warn of a 12-year-old memory-corruption bug in Polkit's pkexec tool, which impacts every major Linux distribution. According to the researchers, the exploitation of the vulnerability, tracked as CVE-2021-4034, allows any unprivileged user to gain full root access on the vulnerable host. Polkit allows non-privileged processes to communicate with privileged processes in an organized manner. It can be used to execute commands with elevated privileges using the pkexec command, followed by the command intended to be executed with root permission. The Qualys researchers dubbed the vulnerability PwnKit and developed a proof-of-concept (PoC) exploit that allowed them to obtain root privileges on Ubuntu, Debian, Fedora, and CentOS default installations. They also suspect that other Linux distributions are likely vulnerable and exploitable. Most Linux distributions are working on releasing patches or have documented temporary mitigations, including Red Hat, Debian, and Ubuntu. It has been noted that bugs such as those that have been lurking in networks for more than a decade, present significant problems for security teams as they often do not know where to find all the instances of the newly troubling piece of their organization's infrastructure. Like the open-source Apache Log4j logging library, pkexec is widely-used across many organizations. Greg Fitzgerald, the co-founder of Sevco Security, calls on organizations to prioritize patching Linux machines. Fitzgerald also pointed out that this issue further emphasized the need for Software Bill of Materials (SBOMs). Many organizations do not have an accurate IT asset inventory that dates back more than a decade. Therefore, an organization may still be susceptible to the PwnKit vulnerability even if they patch all known machines. An organization cannot apply a patch to an asset unknowingly connected to its network. This article continues to discuss the findings and concerns regarding the PwnKit vulnerability.

Threatpost reports "Linux Bug in All Major Distros: 'An Attacker's Dream Come True'"

SoS Musings #57 -

Securing Building Automation Systems

Cybersecurity Snapshots #26 -

North Korean Hackers Are Focusing on Stealing Cryptocurrency

An Ohio-based healthcare provider has been fined $600k over a data breach that exposed the records of 2.1 million patients across America. Adversaries targeted EyeMed Vision Care in June 2020. Attackers gained access to an EyeMed email account to which EyeMed clients sent sensitive consumer data relating to vision benefits enrollment and coverage. During the week-long intrusion, the adversaries were able to view emails and attachments dating back six years. Contained within those emails and attachments was sensitive information that included consumers' names, addresses, social security numbers, and insurance account numbers. In July 2020, the adversaries used the compromised EyeMed account to launch a phishing attack against EyeMed clients. Approximately 2,000 emails were sent asking clients for their EyeMed account login credentials. The Office of the Attorney General recently determined that the affected email account had not been secured with multi-factor authentication at the time of the attack, despite being accessible via a web browser. The Office of the Attorney General also recently determined that EyeMed failed to adequately implement sufficient password management requirements for the enrollment email account and failed to maintain adequate logging of its email accounts.

Infosecurity reports: "EyeMed Fined $600k Over Data Breach"

The Android malware known as BRATA has new features that allow it to track device locations and do a factory reset in what appears to be an attempt to hide fraudulent wire transfers. According to researchers at the cybersecurity firm Cleafy, the latest variants are distributed through a downloader to evade detection by security software. BRATA has targeted banks and financial institutions in Poland, Italy, Latin America, and the UK. The Android Remote Access Trojan (RAT) can operate directly on victims' devices rather than using a new device, thus significantly reducing the chances of being flagged as suspicious since the fingerprint of the device is already known by the bank. BRATA originally only targeted users in Brazil and then evolved into a feature-packed banking Trojan. Since 2018, the malware has been updated many times. BRATA abuses Accessibility Service permissions gained during the installation phase to secretly monitor the user's activity on the compromised device. This article continues to discuss the history, capabilities, and new variants of the BRATA Android malware.

THN reports "Mobile Banking Trojan BRATA Gains New, Dangerous Capabilities"

The increased use of editable Portable Document Files (PDFs) has created another path for attackers, but the National Security Agency (NSA) says the right configuration can protect most systems without sacrificing usability. NSA advises users to enable security features that allow greater collaboration rather than disabling the JavaScript that supports higher functionality. NSA released guidance pointing out JavaScript as the programming language commonly used in electronic forms for recipients to fill out, sign, and return documents electronically. As the use of JavaScript in PDFs continues to grow, NSA suggests that administrators not change the default setting for Adobe Acrobat Reader DC that enables JavaScript. According to NSA, Protected Mode and the enhanced security setting can help alleviate some of the security concerns surrounding the enabling of JavaScript in PDFs. Malicious actors can plant code into PDFs that can abuse the vulnerabilities contained by PDF readers built into web browsers or applications designed for reading and creating them. Therefore, malicious PDFs continue to be an access vector to infiltrate networks. NSA's recommendations aim to help users secure their Adobe Reader and make it difficult for adversaries to get in. This article continues to discuss the NSA's recommended security configurations for Adobe Acrobat Reader DC that protect most systems without compromising functionality.

NextGov reports "NSA: Securing Cloud-Related PDFs Shouldn't Mean Sacrificing Usability"

Nigerian authorities have arrested 11 individuals believed to be members of the business email compromise (BEC) crime ring tracked as SilverTerrier. SilverTerrier is also known as the TMT BEC gang and has been active since 2014, compromising thousands of organizations worldwide and gathering numerous factions under its umbrella. The Nigerian Police collaborated with Interpol and private security firms Palo Alto Networks and Group-IB. It is believed that the individuals arrested are collectively involved in BEC attacks targeting more than 50,000 victims. On the laptop of one of the suspects, authorities found more than 800,000 potential victim domain credentials, Interpol stated. Another suspect was observed monitoring conversations that 16 companies had with their clients and diverting funds whenever transactions were to be made, while a third is believed to have been involved in BEC attacks across West African countries such as Gambia, Ghana, and Nigeria. BEC fraud incurred losses of more than $1.8 billion in 2020, and the SilverTerrier fraudsters are believed to be responsible for much of these losses.

SecurityWeek reports: "Nigerian Authorities Arrest 11 Members of Prolific BEC Fraud Group"

A team of researchers from the Universities of Arizona, Georgia, and South Florida developed a Machine Learning (ML)-based CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) solver claimed to be capable of overcoming over 90 percent of real challenges on dark web platforms. The goal of this study was to develop a system that can streamline cyber threat intelligence, which currently requires humans to manually solve dark web CAPTCHA challenges. Large-scale dark web data collection is often hindered by anti-crawling measures such as text-based CAPTCHA. This measure in the dark web identifies and blocks automated crawlers by forcing the user to enter a combination of hard-to-recognize alphanumeric characters, thus decreasing the transparency of the dark web for security researchers looking to prevent cyberattacks and data breaches. This article continues to discuss the ML-based system developed to counteract dark web text-based CAPTCHA for proactive cyber threat intelligence.

Bleeping Computer reports "Researchers Develop CAPTCHA Solver to Aid Dark Web Research"

Researchers at the Identify Theft Resource Center (ITRC) have discovered that the volume of publicly reported data compromises in the US soared 68% year-on-year to a record high of 1862. The researchers stated that the figure was 23% higher than the previous record, set in 2017. The number of victims was down 5%, continuing a recent trend as threat actors focus their efforts on collecting specific data types rather than acquiring mass troves of data indiscriminately. The researchers noted that ransomware continues to be a significant driver of the overall upward trend for breaches. Ransomware is on course to surpass phishing as the number one cause of breaches in 2022, the ITRC claimed. The manufacturing and utilities sector reported the largest percentage increase in data compromises, up 217% over 2020. Every sector saw a rise in incidents bar the military vertical, where there were no publicly reported breaches. The only positive from the researchers' findings was that the number of data events involving sensitive information like Social Security numbers increased only slightly year-on-year. It nudged up from 80% to 83% over the period but is still well below the record high of 95% in 2017.

Infosecurity reports: "US Data Breaches Surge 68% to All-Time High"

Researchers have discovered attackers targeting industrial enterprises with spyware campaigns aiming to steal corporate credentials for financial gain and cannibalizing compromised networks to launch additional attacks. Although the campaigns use off-the-shelf spyware, they are unique because they limit each malicious sample's scope and lifetime. The researchers consider the attacks anomalous because they are not typical spyware attacks. One researcher explained that the attackers use spearphishing emails sent from compromised corporate mailboxes. These emails contain malicious attachments that deliver the spyware. The attackers use industrial enterprises' SMTP services to send spearphishing emails and collect data stolen by the spyware as a command-and-control (C2), which allows them to launch future attacks. The initially stolen data is believed to be used by the threat operators to spread the attack inside the local network of the compromised organization and to attack additional organizations. The researchers noted that the malware used in the attacks was typically found to belong to AgentTesla/Origin Logger, Snake Keylogger, Azorult, Noon/Formbook, and other well-known commodity spyware families. Nearly 45 percent of the computers targeted in the campaigns are Industrial Control System (ICS)-related and have access to their respective company's corporate email service. Over 2,000 corporate email accounts belonging to industrial companies have been stolen and leveraged as next-attack C2 in the malicious campaigns. However, the researchers estimate that more than 7,000 corporate email accounts have been stolen, sold, or used in other ways. This article continues to discuss findings regarding the spyware campaigns aimed at collecting corporate credentials.

Threatpost reports "Spyware Blitzes Compromise, Cannibalize ICS Networks"

Researchers at Barracuda Networks observed a 667% month-on-month surge in COVID-19 phishing emails from February to March 2020. The security vendor also observed another significant increase when new vaccines were released at the start of 2021. Now public concern over the highly transmissible Omicron variant is catching the eye of phishers. The researchers discovered that the latest COVID-19 variant has led to a 521% increase in phishing attacks using the virus as a lure to trick users into clicking. The researchers stated that among the tactics used to trick users into clicking on malicious links and/or entering personal details are offers of counterfeit or unauthorized COVID-19 tests and protective equipment such as masks or gloves. The researchers noted that some adversaries are impersonating testing labs and providers or even employees sharing their results. In other phishing emails, the user may receive a fake notification for an unpaid order of tests and is urged to provide their PayPal details to complete the delivery of the kit.

Infosecurity reports: "#COVID19 Phishing Emails Surge 500% on Omicron Concerns"

The International Committee for the Red Cross (ICRC) has revealed that hackers stole personal data on nearly 515,000 "highly vulnerable people" who received aid from a program aimed at reuniting family members separated because of conflict, disaster, or migration. Robert Mardini, the ICRC's director-general, released a statement directly pleading with the hackers to not leak, sell, or use the data. According to the ICRC, the data was stolen through the hack of a Switzerland-based subcontractor that stores data for the Red Cross. The data comes from at least 60 different Red Cross and Red Crescent National Societies globally. The perpetrators behind the cyberattack remain unknown, and the ICRC is still unaware as to whether any of the compromised information has already been leaked or shared publicly. This article continues to discuss the cyberattack on the Red Cross that left sensitive data of millions of people exposed.

Ars Technica reports "Red Cross Implores Hackers Not To Leak Data for 515k 'Highly Vulnerable People'"

According to the Public Sector Cybersecurity Survey Report released by SolarWinds, the public sector is more concerned about external threats than internal ones. The report gives insight into how state and local government professionals perceive IT challenges and the sources of IT security threats. One of the key findings in the report is that hackers are the primary source of security threats faced by public sector organizations, followed by negligent or untrained employees and foreign governments. Careless insiders were not cited as the top security threat for the first time in five years. Another finding is that state and local governments are more likely to be concerned about hackers than other public sector groups. Concerns surrounding ransomware, malware, and phishing have increased the most over the last year. Government respondents have suggested improving investigation and remediation capabilities as well as increasing threat information sharing between public and private sectors. This article continues to discuss key findings from SolarWinds' seventh Public Sector Cybersecurity Survey Report.

GCN reports "Top Public Sector Cybersecurity Threat No Longer is Employees"

Security researchers asked more than 330 remote employees from a wide range of industries to self-report on both their daily stress levels and their adherence to cybersecurity policies over the course of two weeks. The security researchers also conducted a series of in-depth interviews with 36 professionals who were forced to work remotely due to the Covid-19 pandemic to better understand how the transition to work-from-home has impacted cybersecurity. The researchers found that adherence to security conventions was intermittent. During the 10 workdays they studied, 67% of the participants reported failing to fully adhere to cybersecurity policies at least once, with an average failure-to-comply rate of once out of every 20 job tasks. When asked why they failed to follow security policies, the participants' top three responses were, "to better accomplish tasks for my job," "to get something I needed," and "to help others get their work done." These three responses accounted for 85% of the cases in which employees knowingly broke the rules. In contrast, employees reported a malicious desire to cause harm in only 3% of policy breaches, making non-malicious breaches 28 times more common than retaliatory ones. The researchers also found that people were substantially more likely to knowingly break security protocols on days when they reported experiencing more stress, suggesting that being more stressed out reduced their tolerance for following rules that got in the way of doing their jobs.

Harvard Business Review reports: "Research: Why Employees Violate Cybersecurity Policies"

Researchers with Varonis Threat Labs have discovered a way to circumvent the multi-factor authentication for Box accounts in which SMS text code is used for log-in verification. With this method, an attacker could use stolen credentials to compromise an organization's Box account and exfiltrate sensitive data without having to access the victim's phone. The team found that if the user does not navigate to the SMS verification form from Box, an SMS message does not get sent, but a session cookie still gets generated. They said an attacker would only need to enter the user's email address and password, stolen from a password leak or phishing attack, in order to get a valid session cookie. Therefore, an SMS message code is not required. Following the disclosure of the issue to Box via HackerOne on November 2, 2021, Box issued a cloud-based update. The Varonis research is considered significant because 97,000 companies and 68 percent of Fortune 500 companies rely on Box for collaboration and access to information from anywhere. Although multi-factor authentication is known to prevent account takeover, it is not a silver bullet solution because there are ways to bypass it, and not everyone can use it. Varonis has highlighted that malicious actors could make additional authentication tools less effective through compromised user credentials. Organizations are encouraged to implement coverage for mobile phishing attacks to protect against compromised credentials. Doing this will protect users from socially engineered phishing campaigns that give threat actors access to corporate infrastructure, apps, and data. This article continues to discuss the Box multi-factor authentication bypass that leaves accounts open to attack and why this type of authentication is not the ultimate solution.

SC Magazine reports "Researchers Find Way to Bypass SMS Codes on Box Accounts"

Law enforcement officials from almost a dozen countries teamed up to take down a virtual private service used by threat actors to distribute malware, carry out ransomware operations, and commit other cybercriminal activities. According to the European law enforcement agency Europol, investigations into malware distribution and other criminal activities led authorities to the VPNLab website. As a result, they seized and disrupted 15 servers that hosted the website's infrastructure. A screenshot of the VPNLab website's front page following its takedown shows a message saying the service provided a platform for the anonymous commission of high-value cybercrime cases and was used in multiple major international cyberattacks. The takedown operation was led by German police and included the Netherlands, Canada, the Czech Republic, France, Hungary, Latvia, Ukraine, the US, and the UK. This article continues to discuss the shutdown of the VPNLab website and why this service was a popular choice for cybercriminals.

CyberScoop reports "International Effort Takes Down VPN Service, VPNLab, Used for Criminal Activity"

According to security experts, threat actors using the data-sharing website, Doxbin, have had highly sensitive information leaked online. Doxbin is often used by hackers to dump their victims' Personally Identifiable Information (PII). According to the threat intelligence firm, Cyble, and independent researcher and threat hunter, Troy Hunt, the leaked data includes PII belonging to an undisclosed number of Doxbin users, including hackers and their victims. This data contains plaintext passwords, multi-factor authentication codes, stealer logs, and chat history. On January 8, Hunt revealed that Doxbin had 380,000 email addresses across user accounts and doxes shared online. Cyble estimates that over 700,00 email addresses were leaked, based on a recent count. A report released by Cyble also reveals that the leaked information includes the identities of the threat actors' family members, IP addresses, and geolocation. Cyble says the doxed information contains work-related information that could be used to perform phishing attacks. The firm warns of an increase in identity theft and other malicious activities because of the Doxbin leak. Based on discussions on the dark web observed by Cyble, the leaked doxed information can augment or verify law enforcement agencies' investigative work. Dhanalakshmi PK, senior director of malware and intelligence research at Cyble, says that the leaked information could be aliases used by threat actors, and therefore, may not be real. However, she adds that it could help authorities verify information about the threat actors. This article continues to discuss the source and potential impact of the Doxbin leak.

BankInfoSecurity reports "Doxbin Leak Includes Criminals' Data, Could Boost Hacking"

A new initiative has been launched in the UK to divert young people from cybercrime after cyberattacks designed to block access to school networks and websites more than doubled during the COVID-19 pandemic. Data from the National Crime Agency's National Cyber Crime Unit (NCCU) revealed a 107 percent increase in reports from the police cyber prevent network on young students executing distributed denial-of-service (DDoS) attacks from 2019 to 2020. Students as young as nine have been performing such attacks. The National Crime Agency (NCA), in collaboration with Schools Broadband, part of the Talk Straight Group, launched a new initiative aimed at educating students who search for terms related to cybercrime on school computers. When a student searches for specific terms associated with cybercrime, they will see a warning message and suggestion to visit the Cyber Choices website, where they can learn about the Computer Misuse Act, cybercrime, and the consequences of committing such crime. This article continues to discuss the increase in the deployment of cyberattacks by young students and the new initiative designed to prevent young people from getting involved in cybercrime.

NCA reports "Rise in School Cybercrime Attacks Sparks NCA Education Drive"

Zoho Corp has released patches for a critical vulnerability affecting Desktop Central and Desktop Central MSP, the endpoint management solutions from ManageEngine. Tracked as CVE-2021-44757 and rated critical severity, the newly addressed security error is an authentication bypass issue that could allow a remote attacker to perform various actions on the server. When exploited, Zoho stated that the authentication bypass vulnerability can allow an attacker to read unauthorized data or write an arbitrary zip file. Zoho also noted that anyone with access to the internal network can exploit the vulnerability, even if a security gateway is in use for access to the central server. The vulnerability can be exploited from the Internet as well, provided that UI Access is enabled via Secure Gateway. Users of Desktop Central and Desktop Central MSP should upgrade to build 10.1.2137.9 to address the issue. Customers are advised to log into their Desktop Central console and check the current build number on the top right corner. Those in the build range 10.1.2140.X to 10.1.2149.X should contact the ManageEngine team.

SecurityWeek reports: "Zoho Patches Critical Vulnerability in Endpoint Management Solutions"

The need for electric vehicle (EV) charging stations and Internet-based managing systems grows as the number of electric cars on the road increases. However, these managing systems are vulnerable to cyberattacks. A team of researchers from the UTSA Cyber Center for Security and Analytics, University of Dubai, and Concordia University, are bringing further attention to the vulnerabilities of these cyber systems and recommending measures for protecting them. The systems implemented into electric cars as well as the Internet-enabled EV charging stations perform critical duties over the Internet such as remote monitoring, customer billing, and more. The team delved into the real-life implications of cyberattacks on EV charging stations and how to mitigate them with cybersecurity measures. They also assessed how compromised systems could be used to attack critical infrastructure such as the power grid. The researchers categorized 16 EV charging managing systems into groups, including firmware, mobile, and web apps, then conducted an in-depth security analysis of each one. The team discovered a range of vulnerabilities contained by the systems but highlighted only 13 flaws as the most severe, which include missing authentication and cross-site scripting. Attackers can manipulate the firmware, disguise themselves as actual users, and access user data by exploiting these vulnerabilities. Although it is possible to execute different attacks on various entities in the EV ecosystem, the team's study focuses on exploring large-scale attacks that could severely impact the compromised charging station, its user, and the connected power grid. This article continues to discuss the study on protecting EV charging stations from cyberattacks.

UTSA reports "UTSA Researcher Part of Team Protecting EV Charging Stations From Cyberattacks"

Nonprofit organization Goodwill has started notifying users of its ShopGoodwill.com e-commerce platform that their personal information was compromised due to a cybersecurity breach. The company has informed users that an "unauthorized third party" accessed buyer contact information, including name, email address, phone number, and mailing address. Goodwill noted that no payment card information was exposed. The organization said the website vulnerability exploited in the incident has been addressed. The ShopGoodwill website is currently offline "for maintenance," but it's unclear if it's related to the breach. This appears to be the second data breach disclosed by the nonprofit in the past decade. In 2014, Goodwill informed customers that more than 800,000 payment cards had been compromised due to a breach at a third-party vendor. The affected payment processor confirmed at the time that hackers had access to its systems for more than a year.

SecurityWeek reports: "Personal Information Compromised in Goodwill Website Hack"

Amazon Web Services (AWS) has fixed two vulnerabilities contained by its core services. According to Orca Security, the exploitation of one of the flaws could have allowed any user to access and take over any company's infrastructure. Although the vulnerabilities have now been fixed, the attack chain involving compromising a core service, escalating privileges, and using those privileges to attack other users, also affects users on different cloud services. Yoav Alon, chief technology officer at Orca Security, says the method impacts many other cloud vendors. The root of the problem is that there is a lack of isolation between services and little granularity in the permissions of different services and users. The most critical of the two vulnerabilities was discovered in AWS Glue, a serverless integration service that lets AWS users manage, clean, and transform data. Attackers could have used this flaw to compromise the service and gain administrative privileges. Since the AWS Glue service is trusted, the attackers could have used their role to access other users' environments. Orca's researchers were able to escalate privileges to the point where they had unrestricted access to all the service's resources in the region, including complete administrative privileges. The second vulnerability was found in AWS CloudFormation (CF), a service that enables users to provision resources and cloud assets. This flaw allowed the researchers to compromise a CF server and run as an AWS infrastructure service. It is an XML External Entity (XXE) issue that could have allowed attackers to penetrate protections implemented to isolate different AWS users. These vulnerabilities highlight the advantages and weaknesses of the cloud model. Cloud providers are encouraged to improve isolation between their services to prevent malicious actors from abusing flaws in a core service to compromise the security model of the overall cloud. This article continues to discuss the two major AWS security flaws and how these vulnerabilities highlight the risk of trust in the public cloud.

Dark Reading reports "New Vulnerabilities Highlight Risks of Trust in Public Cloud"

The Department of Defense (DoD) has launched the DoD University Consortium for Cybersecurity (UC2), which aims to foster better communication between the Secretary of Defense and academia, and meet a requirement set by the 2020 National Authorization Act. The National Defense University's College of Information and Cyberspace (CIC) will operate as the UC2 Coordination Center, with Jim Chen, a CIC faculty member, being the center's director. The University of Idaho's Center for Secure and Dependable Systems (CSDS) will serve as a support center for UC2. This article continues to discuss the purpose and support behind UC2.

MeriTalk reports "DoD Launches University Consortium for Cybersecurity"

Unknown hackers launched a cyberattack on Ukrainian government websites early Friday, blocking access and warning internet users to "expect the worst." Officials say it is too early to tell who was behind the attacks. Viktor Zhora, deputy head of Ukraine's state agency of special communication and information protection, said that "close to 70" federal and local government websites were attacked, and a "substantial portion" is up and working again. Viktor Zhora also stated that Ukrain is seeing increased cyber intrusions that appear to be intelligence collection for potential execution of a kinetic operation by the Russians. Earlier this month, Ukraine's state security services said that they had blocked in December close to 60 cyberattacks "against information systems of state institutions." These included malware and "web app attacks." Officials stated that the hackers did not obtain the personal information of Ukrainians during the cyberattack. The cyberattack came immediately after a flurry of diplomatic efforts in Europe failed to resolve the mounting crisis over Russian demands for sweeping new security arrangements by the United States and NATO.

The Washington Post reports: "Ukraine's Official Websites Hit by Massive Cyberattack Amid High Tensions With Russia"