News Items

In September 2021, the National Institute of Standards and Technology (NIST) held the "Workshop on Cybersecurity Labeling Programs for Consumers: Internet of Things (IoT) Devices and Software" and solicited comments from stakeholders and experts. NIST was mandated by the Biden administration's Executive Order on Improving the Nation's Cybersecurity to create pilot labeling programs that educate the public about the security of the Internet of Things (IoT) devices and software products they purchase. The goal is to enhance product security by providing security information that consumers and small businesses need to consider when making purchasing decisions. The effort aims to create a label that effectively communicates a product's level of security regarding its design, development, and maintenance. The label will be voluntary, with companies attesting to their security rankings. NIST issued draft "Baseline Criteria for Consumer Software Cybersecurity Labeling" on November 1 and a discussion draft on "Consumer Cybersecurity Labeling for IoT Products" on December 3. The tentative general guidelines NIST has developed for IoT label criteria include product identification, product configuration, data protection, interface access controls, software updates, documentation, cybersecurity state awareness, information reception, and more. This article continues to discuss the effort to develop a consumer-focused security labeling program and the challenges associated with such a program.

CSO Online reports "NIST Gears up for Software Security and IoT Labeling Pilot Programs"

Facebook today announced that it is expanding its bug bounty and data bounty programs to reward security researchers for reporting scraping vulnerabilities and databases. As part of its bug bounty program, the company will pay monetary rewards to security researchers who discover flaws that allow attackers to bypass existing scraping limitations and gain access to data at scale. Facebook says it is seeking ways to make scraping more costly for the attackers and is now starting a private bounty track with Gold+ HackerPlus researchers to reward reports on scraping methods. Facebook stated that they are looking to reward researchers who identify and report "unprotected or openly public databases containing at least 100,000 unique Facebook user records with PII or sensitive data," email and physical addresses, phone numbers, and affiliation. The reported databases should be unique and previously unknown, and Facebook says it will work with relevant parties to remove the datasets, including contacting law enforcement where necessary, contacting web services providers, or working with developers to address potential vulnerabilities. Facebook promises monetary rewards for valid reports on scraping issues and says it will match valid reports of scraped datasets with charity donations. The minimum bounty payout will be $500. So far, in 2021, the social media platform paid over $2.3 million in bug bounty rewards for more than 800 valid reports (out of 25,000 received) from researchers in more than 46 countries.

SecurityWeek reports: "Facebook Will Reward Researchers for Reporting Scraping Bugs"

Ultimate Kronos Group (UKG), a major human resources and workforce management solutions provider, was recently hit by a ransomware attack. A notice sent to affected customers revealed that the ransomware incident impacted the Kronos Private Cloud, which is a part of the business where UKG Workforce Central, UKG TeleStaff, Healthcare Extensions, and Banking Scheduling Solutions are deployed. As a result of the ransomware attack, these solutions have been made unavailable, and it may take several weeks to restore system availability. It remains unknown as to whether the attackers were able to steal customer data before encrypting it. The company released a notice on its website stating that it is aware of the vulnerability contained by the open-source Apache logging library Log4j, which is exposing some of the world's most popular applications and services to attack. According to the company, measures have been put in place to detect and prevent exploitation attempts in its environments. The ransomware attack further highlights the challenges routinely faced by third parties. The Kronos/UKG ransomware event will create problems for time-tracking, scheduling, payroll processing, and more. This article continues to discuss the ransomware attack against the HR solutions provider Kronos and the problems this incident will create for many of its clients.

Help Net Security reports "Ransomware Hits HR Solutions Provider Kronos, Locking Customers Out of Vital Services"

A team of cybersecurity researchers from Rutgers University-New Brunswick and the Georgia Institute of Technology proposed new methods for protecting drones, prostheses, medical devices, and other 3D-printed objects from logic bombs. Rapid prototyping refers to the quick fabrication of a part, model, or assembly using 3D computer-aided design, typically involving 3D printing or additive manufacturing. The use of additive manufacturing is growing in various industries to produce safety-critical products. However, there is currently a lack of trustworthy methods for verifying the integrity of such products against adversarial pre-print design modifications. While next-generation cyber-physical additive manufacturing allows for advanced product designs and capabilities, it is vulnerable to cyberattacks as it increasingly relies on highly networked industrial control systems. The main approach to protecting against such threats relies on host-based intrusion detectors placed within the same target controllers, typically making them the first target of controller attacks. The researchers explored a new class of attacks on printed objects called Mystique that uses emerging 4D printing technology to introduce embedded computer code, known as logic bombs, through the manipulation of the manufacturing process. Mystique causes visually harmless objects to behave maliciously when a logic bomb is triggered by modifications to initially used materials or temperature changes, moisture, or other stimulus changes. The evaluation of Mystique on several 3D printing case studies revealed that it could circumvent prior protections. The researchers proposed two strategies to address this issue. This article continues to discuss the increased vulnerability of additive manufacturing to cyberattacks and solutions proposed by the researchers to protect 3D-printed objects from stealthy logic bombs.

Rutgers University reports "Researchers Unveil New Cyber Protections against 'Logic Bombs'"

European and US law enforcers have joined forces to arrest a suspected ransomware affiliate member who targeted firms in an IT supply chain attack. Europol's European Cybercrime Centre (EC3) supported the FBI and Romanian National Police in making the arrest at the suspect's home in Craiova, Romania, in the early hours of yesterday morning. The individual arrested is suspected of targeting a large Romanian IT company that provides services to corporate customers in the retail, energy, and other sectors. According to Europol, the suspect used this access to deploy crypto-ransomware and steal files from many of those customers located both in Romania and abroad. The data stolen by the suspect includes financial information, personal information on employees and customers, and other important documents. Using classic double extortion techniques, the suspect then threatened to publish the information on a data leak site unless a ransom was paid. However, it's unclear whether each individual company was blackmailed or just the original IT provider.

Infosecurity reports: "Police Arrest Suspected Ransomware Actor in Romania"

Malicious cyber actors are making more than 100 attempts to exploit a critical security vulnerability contained by the Java logging library Apache Log4j every minute, according to security researchers at Check Point. The Log4j vulnerability, also now known as "Log4Shell," is a zero-day vulnerability, which first emerged on December 9. Researchers warned that the exploitation of the flaw can enable unauthenticated remote code execution and access to servers. Various forms of enterprise and open-source software use Log4j, including cloud platforms, web applications and email services. Therefore, there is a wide range of software at risk because of the many attempts made at exploiting the vulnerability. Sophos researchers have detected hundreds of thousands of attempts to remotely execute code using the Log4j vulnerability in the days following its public disclosure, as well as scans looking for the flaw. This article continues to discuss the severity of the Log4j security issue.

ZDNet reports "Log4j Flaw: Attackers Are Making Thousands of Attempts To Exploit This Severe Vulnerability"

New research conducted by Kaspersky has revealed that the lifespan of most phishing pages is as brief as that of an adult mayfly. Between July 19 and August 2, 2021, researchers analyzed 5,307 examples of phishing pages. They found that within 13 hours of monitoring commencing, a quarter of all pages had become inactive. A sizable chunk of links (1,784) ceased functioning after the first day of monitoring, and half of the phishing pages included in the study survived no more than 94 hours. The security researchers emphasized the importance of repelling spam attacks with fraudulent links within the first few hours when the potency of a phishing page is at its highest. The researchers stated that it is important for users to remember that when they receive a link and have doubts about the site's legitimacy, they should wait for a few hours. During that time, not only will the likelihood of getting the link in the anti-phishing databases increase, but the phishing page itself can stop its activity. Explaining why the lifecycle of phishing pages is so fleeting, researchers stated that with every hour of life of a new site, it appears in more anti-phishing databases, which means that fewer potential victims will visit it. What determines the lifespan of a page is how long it takes for site administrators to detect the threat and remove it. The researchers stated that even if phishers have deployed their own server on a purchased domain, if they are suspected of fraudulent activity, then the registrars may deprive the phishers of the right to host the data on it. When a phisher's page is identified by site administrators, the adversary typically prefers to create a new page instead of modifying an existing one. The researchers noted that very rarely, phishers may change the page in order to avoid being blocked. For example, if phishers use a brand as bait, they might alter it to another one. However, most pages are simply blocked by the time phishers decide to change the form of activity.

Infosecurity reports: "Most Phishing Pages Are Short-Lived"

US military network-security researchers have launched a new program to discover more about the tactics of malicious hackers. The Signature Management Using Operational Knowledge and Environments (SMOKE) program was announced on Tuesday. SMOKE is asking the computer industry to develop methods to identify, model, and mitigate the typical behaviors of threat actors. The program aims to develop technologies to generate evasive cyberinfrastructure that accelerates red team cyber operations (CO). DARPA stated that SMOKE will develop data-driven tools to automate the discovery of distinguishable patterns of sophisticated cyber threat infrastructure (i.e., signatures). The agency outlined two key technical objectives of the project. The first is to include informing operators of adversary signatures as they prepare cyberinfrastructure in real-time, and the second is to find a way to provide attribution risk assessments for planning and surveillance of the cyberinfrastructure that is in use. The program's key research challenges include finding a way to automatically build and traverse associations in large-scale cyber datasets, expanding the use of attribution techniques to non-experts, and discovering latent associations between infrastructure elements. Researchers will also be tasked with generating useful statistics for planners to predict how well infrastructure configurations will break from, or conform to, desired infrastructure signatures. DARPA noted that possible approaches that the industry could apply to these challenges include using machine learning to model infrastructure associations through automated pattern recognition and graph-based inference. The start date of the program is anticipated to be August of next year. The deadline to submit proposals to the program is January 31, 2022.

Infosecurity reports: "DARPA Announces SMOKE Program"

New Application Programming Interface (API) threat research from Salt Labs highlights GraphQL API authorization vulnerabilities contained by a B2B financial technology (FinTech) platform. Findings from the analysis of this FinTech provider's mobile applications and Software-as-a-Service (SaaS) platform bring further attention to authorization-level flaws that emerge with nested queries in GraphQL, which is an open-source language used in building APIs. According to Salt Labs, failure to properly implement authorization checks meant that unauthorized transactions could be submitted against any customer account, and malicious actors could harvest any customer's sensitive data. GraphQL provides some advantages in query options compared to REST APIs, but this flexibility poses a risk as a single API call can include multiple separate queries. The Salt Security State of API Security Report, Q3 2021, revealed that over 60 percent of organizations lack or just have a basic API security strategy. This lack of protection is significant because cyberattacks targeting APIs are increasing together with the adoption of relatively new technologies such as GraphQL. The exploitation of the GraphQL authorization flaws could allow attackers to manipulate API calls into exfiltrating sensitive user data and initiating unauthorized transactions. Salt Labs researchers were able to enter any transaction identifier and gather data records of previous financial transactions. Through the discovered vulnerabilities, any user could extract a customer's sensitive Personally Identifiable Information (PII) and secretly transfer funds out of customers' accounts. These findings emphasize the importance of implementing dedicated API security tooling for organizations with API-based applications and platforms. This article continues to discuss the GraphQL API authorization flaws and the importance of improving API security.

Security Magazine reports "Researchers Discover GraphQL Authorization Flaws in FinTech SaaS Platform"

About 300,000 MikroTik routers are vulnerable to remote attacks that can secretly add the devices to a botnet to steal sensitive user data and engage in Distributed Denial-of-Service (DDoS) attacks. Researchers at the security firm Eclypsium estimated the number of affected routers by performing Internet-wide scans that searched for MikroTik devices using firmware versions known to have vulnerabilities discovered within the past three years. Although the manufacturer has released patches addressing the vulnerabilities, Eclypsium found that many users have not installed them. The vulnerabilities collectively provide many opportunities for threat actors to gain full control over powerful devices, which can then be positioned to target devices behind the Local Area Network (LAN) port and other devices connected to the Internet. This article continues to discuss the vulnerabilities impacting 300,000 MikroTik routers and other notable security incidents involving MikroTik routers.

Ars Technica reports "300,000 MikroTik Routers Are Ticking Security Time Bombs"

Onfido has recently released its annual report titled "Identity Fraud Report." Document fraud specialists at Onfido process, millions of identity documents every year, helping clients detect fraud across 2,500 document types issued by 195 countries. The company's findings in the report are based on analysis of data collected from October 1, 2020, to October 1, 2021. Researchers at Onfido have found that passports are now the most frequently attacked form of identity document. The researchers also found that fraudsters typically prefer to create a fake document from scratch rather than doctor a genuine ID. The researchers stated that over 90% of ID fraud in the past year involved counterfeit documents using a complete reproduction of an original document instead of adapting an existing ID. Over the past year, 47% of all identity document fraud was classed as "medium" sophisticated fraud, which is a 57% increase compared with the previous year. Losses from identity theft also grew significantly, increasing by 42% to reach $712bn in 2020.

Infosecurity reports: "Passports Now Most Attacked Form of ID"

Researchers at HackerOne discovered that software vulnerabilities increased by 20% in 2021 compared with 2020. The bug bounty platform said its hackers had uncovered over 66,000 valid vulnerabilities this year, while hacker-powered pentests detected a 264% rise in reported vulnerabilities in 2021 compared to 2020. Additionally, there was a 47% increase in vulnerabilities detected by Vulnerability Disclosure Programs. The researchers stated that the surge in vulnerabilities has partly been driven by the increase in organizations adopting hacker-powered security testing programs. The most commonly discovered bug was cross-site scripting, as it was in 2020. However, there were significant increases in reports of information disclosure (58%) and business logic errors (67%). Of all the vulnerabilities reported, 26% were considered critical, 36% medium severity, and 34% low severity. Encouragingly, the researchers found that the median resolution time fell by 19%, from 33 days in 2020 to 26.7 days in 2021 across all industries. Retail and e-commerce even saw time-to-remediation drop by more than 50% in this period. The researchers also found that the median price of a critical bug rose by 20%, from $2500 in 2020 to $3000 in 2021. Additionally, the average bounty price for a critical bug rose by 13% and by 30% for a high severity rated bug this year.

Infosecurity reports: "Software Vulnerabilities Up by 20% in 2021"

The US Homeland Security Department's Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) are warning about the active exploitation of a newly identified vulnerability contained by Zoho's ManageEngine ServiceDesk Plus product. The critical flaw, tracked as CVE-2021-44077, is an unauthenticated Remote Code Execution (RCE) vulnerability that affects all ServiceDesk Plus versions up to, and including version 11305. Malicious actors could exploit the vulnerability to upload executable files and drop webshells, enabling the performance of post-exploitation activities, such as conducting lateral movement, exfiltrating Active Directory (AD) files, and more. According to the FBI and CISA, Advanced Persistent Threat (APT) cyber actors are exploiting the vulnerability. This article continues to discuss the active exploitation of the critical Zoho ManageEngine ServiceDesk Plus vulnerability and the patch released by Zoho to address it.

Homeland Security Today reports "APT Actors Exploiting CVE-2021-44077 in Zoho ManageEngine ServiceDesk Plus"

Kafdrop is an open-source user interface and management interface for the distributed event-streaming platform Apache Kafka found to contain a flaw that puts many companies' data at risk. According to a research paper released by the cybersecurity company Spectral, anyone using Kafdrop with Apache Kafka can be a victim. The undisclosed number of affected companies includes those ranging from major global players to small organizations in healthcare, insurance, media, and more. Kafdrop has reportedly been dowloaded over 20 million times and deployed by more than 80 percent of Fortune 100 companies. The Kafdrop flaw enables anyone to view live Kafka clusters, including financial transactions and mission-critical data, without having to be authenticated. The security flaw exposes secrets in real-time traffic as well as provides authentication tokens and other details that hackers could use to reach a company's cloud provider (e.g., IBM, AWS, and Oracle) where Kafka clusters are often deployed. Those who exploit the vulnerability could access a company's nervous system, thus exposing customer data, transactions, medical records, internal system traffic, and other sensitive information. The flaw resulted in the exposure of a medical organization's handling requests, processing, and inventory of medication, along with customer prescription transactions. Another cluster exposed insurance claims, transactions, and interactions between customers and agents, which hackers can use for impersonation, extortion, or the redirection of funds. Although these findings are significant, the severity will vary by organization based on the data exposed. Organizations handling sensitive data are encouraged to review their access policies, firewall rules, and other details pertaining to their digital security posture, regardless of the technology or cloud vendor used. This article continues to discuss the severity, mitigation, and prevention of the Kafdrop flaw.

GovInfoSecurity reports "Vulnerability in User Interface for Apache Kafka Puts Data of 'Major Global Players' at Risk"

A team of researchers from the University of California San Diego, the University of Texas at Austin, and Mozilla developed a new approach to improving browser security. They designed a new framework called RLBox to increase the security of the Firefox browser. Mozilla has started using RLBox on all Firefox platforms. The framework practices sandboxing by separating third-party libraries vulnerable to attacks from the rest of the browser to contain possible damage. Browsers such as Firefox depend on third-party libraries to support XML parsing, spell checking, font rendering, and other functionalities. However, these libraries are often written in low-level programming languages such as C, thus increasing susceptibility to attacks as it is easy to introduce vulnerabilities in C code. Through the application of RLBox, users can be protected from the vulnerabilities contained by such libraries as well as supply-chain attacks in which these libraries are exploited. In order to deal with the exploitation of zero-day vulnerabilities and supply chains by sophisticated attackers, multiple defense layers and new methods are needed to minimize how much code we need to trust for security. This article continues to discuss the purpose, use, and components of the RLBox framework.

Jacobs School of Engineering reports "This Framework Will Improve the Security of All Firefox Users"

Researchers at CrowdStrike have discovered that a staggering 96% of ransomware victims that agree to their extorters' demands are subsequently forced to pay additional fees amounting to hundreds of thousands of dollars. The security vendor's 2021 CrowdStrike Global Security Attitude Survey was compiled from interviews with 2200 senior IT and cybersecurity decision-makers in the US, EMEA, and APAC. The researchers found that two-thirds (66%) of respondents had suffered at least one ransomware attack over the past year, with average payments increasing 63% over the year. They were lowest on average in EMEA ($1.3m), followed by the US ($1.6m), and highest in APAC ($2.4m). The average demand from ransomware groups was $6m. One of the security researchers claimed organizations would be better off spending money on improving protective measures than actually paying the ransom. On average, respondents estimated it would take 146 hours to detect a cybersecurity incident, up from 117 hours in 2020. Once detected, it takes organizations a further 11 hours to triage, investigate and understand a security incident and 16 hours to contain and remediate one. Some 69% of respondents said they suffered an incident because of staff working remotely.

Infosecurity reports: "Ransomware Victims Pay $700K in Extra Extortion Fees"

Research led by Georgia Tech (Georgia Institute of Technology) has resulted in the discovery of a new threat against deep learning models used to detect malicious users on popular e-commerce, social media, and web platforms such as Facebook. These platforms try to bolster their security by creating Machine Learning (ML) and Artificial Intelligence (AI) models that identify and separate malicious and at-risk users from benign users. However, the research team was able to reduce the efficacy of the classification models used to differentiate between malicious and benign users through the application of a newly developed adversarial attack model called PETGEN (Personalized Text Generation). The PETGEN attack model generates text posts that mimic a personalized writing style and have knowledge about a given target site's context. The posts generated by the attack model are also aware of the historical use of a target site and recent topical interests. PETGEN represents the first time researchers successfully performed adversarial attacks on deep user sequence classification models. Srijan Kumar, School of Computational Science and Engineering assistant professor and co-investigator, pointed out that it is important to act as attackers to identify model vulnerabilities and the possible ways in which malicious accounts can circumvent detection systems. The team carried out experiments on two real-world datasets from Yelp and Wikipedia to show that PETGEN significantly reduces the performance of popular deep user sequence embedding-based classification models. Findings from this research pave the path towards the next generation of adversary-aware sequence classification models. This article continues to discuss the new adversarial attack model PETGEN.

Georgia Tech reports "Research Finds Models Used to Detect Malicious Users on Popular Social Sites are Vulnerable to Attack"

ESET analyzed 17 espionage frameworks designed to target air-gapped networks, finding that they all leverage USB drives and are meant to target Windows systems. The list of these frameworks has been developed over the course of 15 years, but the last four of the frameworks appeared in 2020, suggesting that the interest in targeting isolated systems has increased among threat actors. An air-gapped network is isolated and not connected to any other network. Air-gapping is a security measure often used in high-security environments such as those in the realms of military, government, industrial control, and more. Air-gapped networks are meant to protect highly sensitive information, making them attractive to nation-states and other motivated adversaries. Such adversaries have the resources required to execute attacks against air-gapped systems. Some of the frameworks have been attributed to nation-state threat actors such as DarkHotel, Sednit, Tropic Trooper, Equation Group, Goblin Panda, and Mustang Panda. Possible strategies for protecting air-gapped networks from cyberattacks include disabling direct access to emails on connected systems, disabling USB ports on air-gapped systems, sanitizing USB drives inserted in air-gapped systems, preventing execution on removable drives, and ensuring that air-gapped systems are always updated. This article continues to discuss findings from the analysis of 17 malware frameworks designed to target air-gapped networks and how to protect such networks from cyberattacks.

Security Week reports "17 Malware Frameworks Target Air-Gapped Systems for Espionage"

According to the FBI, threat actors behind the Cuba ransomware variant have already amassed $44m through targeting at least 49 victims. The FBI noted that the group had demanded at least $74m from its victims. These victims frequently come from critical infrastructure sectors like financial, government, healthcare, manufacturing, and IT. The FBI claimed that the Cuba ransomware is distributed through Hancitor malware, a loader known for dropping or executing stealers, such as Remote Access Trojans (RATs) and other types of ransomware, onto victims' networks. The FBI noted that Hancitor malware actors use phishing emails, Microsoft Exchange vulnerabilities, compromised credentials, or legitimate Remote Desktop Protocol (RDP) tools to gain initial access to a victim's network. Cuba ransomware actors use legitimate Windows services such as PowerShell, PsExec, and other unspecified services and then leverage Windows admin privileges to execute their ransomware and other processes remotely. Following a compromise, the ransomware will install and execute a CobaltStrike beacon as a service on the victim's network via PowerShell. The FBI claimed that it also uses MimiKatz malware to steal RDP credentials and hijack user accounts. It's believed that Cuba ransomware has been active since January 2020.

Infosecurity reports: "Cuba Ransomware Nets Nearly $50m"

Like sighted people, blind people post on Instagram, text photos to group chats, and more. They also learn about their visual surroundings through photos. Blind users often share their images with Microsoft's Seeing AI, Be My Eyes, and other identification software to learn about their visual surroundings. The demand for such software is high, as indicated by the 20 million times Seeing AI has been used. However, when blind users share images, there is an increased risk of them unknowingly capturing private information such as a return address. A cross-institutional team has been awarded over $1 million through a Safe and Trustworthy Cyberspace (SaTC) grant from the National Science Foundation (NSF) to explore the issue. The team's goal is to develop a novel system capable of alerting blind users when an image contains information considered private. In a general use case, the tool will alert the user about what private information is detected and then present a choice to either discard the image, share the image as-is, or share an edited version where the private content is made obscure. This article continues to discuss the team's four-year interdisciplinary project aimed at strengthening digital privacy for blind people.

The University of Colorado Boulder reports "Keeping the Unseen Safe: Improving Digital Privacy for Blind People"

Threat researchers at Lookout are helping to take down a phishing campaign targeting members of the United States military and their families. The scammers behind the long-running campaign impersonate military support organizations and personnel to commit advance fee fraud, stealing sensitive personal and financial information for monetary gain. The researchers stated that it is clear that the adversaries are looking to steal sensitive data from victims, such as their photo identification, bank account information, name, address, and phone number. If given the data, the adversaries could easily steal the victim's identity, empty their bank account and impersonate the individual online. The campaign's backbone is a series of websites that have been designed to appear as though they are affiliated with the military. To bring an added touch of authenticity to the sites, the operators add advertisements for Department of Defense services to their malicious content. The sites offer expensive services that are never delivered or trick users into thinking that they are in a romantic relationship with a member of the military. Fake services offered include care packages, leave applications, and communication permits. Infrastructure indicators coupled with open-sourced intelligence point to Nigeria as the scammers' operational base. So far, researchers have identified 50 military scam sites tied to this threat campaign, which further investigation showed was linked to other cybercriminal activity.

Infosecurity reports: "Phishing Scam Targets Military Families"

Researchers from the Ruhr University Bochum (RUB) and Niederrhein University of Applied Sciences have discovered 14 new types of attacks on web browsers. These attacks are known as cross-site leaks (XS-Leaks). Through the use of XS-Leaks, a malicious website can collect visitors' personal data by interacting with other websites in the background. The researchers looked at the protection of 56 combinations of web browsers and operating systems against 34 different XS-Leaks. They developed the XSinator.com tool to automatically scan browsers for these leaks. Chrome, Firefox, and other popular browsers were found to be vulnerable to a considerable number of XS-Leaks. The group systematically analyzed XS-Leaks by first identifying three characteristics of such attacks. Based on these characteristics, they derived a formal model that helps gain further understanding of XS-Leaks and detect new attacks. The identification of the 14 new attack categories resulted from this systematic search for new attacks. This article continues to discuss how XS-Leaks work and the website developed by the researchers to analyze many different combinations of browsers and operating systems for their vulnerability to these attacks.

RUB reports "14 New Attacks on Web Browsers Detected"

The Los Angeles branch of Planned Parenthood was hit by a data breach involving about 400,000 patients. However, there is no indication that the information accessed by the adversary was used for fraudulent purposes the group said. The organization stated that a hacker installed computer malware between Oct. 9 and Oct. 17 and "exfiltrated" files containing patient names and possibly addresses, insurance and medical information, including procedures they may have undergone. The organization noted that "patients are encouraged to review statements from their healthcare providers or health insurers and contact them immediately if they see charges for services they did not receive." The attack involved ransomware, and the group didn't immediately say whether any ransom was paid. The breach is currently under investigation.

Bloomberg reports: "Data Hacked for 400,000 Planned Parenthood Patients in Los Angeles"

The BlackByte ransomware gang is breaching corporate networks through the exploitation of Microsoft Exchange ProxyShell vulnerabilities. The ProxyShell vulnerabilities can be chained together to enable unauthenticated, remote code execution, thus allowing an attacker to take over an Exchange server. Security updates were released in April and May 2021 to fix the vulnerabilities. However, malicious actors have still been exploiting them to breach servers, install web shells, deliver ransomware, and more. Researchers at the security firm Red Canary analyzed a BlackByte ransomware attack, finding that the group exploited ProxyShell vulnerabilities to install web shells on a compromised Microsoft Exchange server. Web shells are small scripts uploaded to web servers that allow attackers to gain persistent access to a device, remotely execute commands, or upload more files to the server. The BlackByte ransomware executable handles both privilege escalation and the ability to perform lateral movement in the compromised environment. The malware sets three registry values: one for local privilege elevation, one for enabling network connection sharing between privilege levels, and one to allow long path values for file paths, names, and namespaces. It deletes the "Raccine Rules Updater" scheduled task before encryption to prevent last-minute interceptions. The malware also wipes shadow copies through WMI objects using an obfuscated PowerShell command. WinRAR and anonymous file-sharing platforms are used to exfiltrate stolen files. Trustwave released a decryptor for BlackByte ransomware in October, but it is unlikely that the group is still using the same tactics that enabled victims to recover their files for free. This article continues to discuss the exploitation of ProxyShell flaws in BlackByte ransomware attacks.

Bleeping Computer reports "Microsoft Exchange Servers Hacked to Deploy BlackByte Ransomware"