News Items

According to a warning from researchers at Packstack, a critical security flaw has been discovered in the WP Reset PRO WordPress plugin, which could allow an authenticated user to wipe a website's entire database. Any authenticated user, regardless of their authorization, can exploit the issue to wipe all tables in a WordPress installation's database. This would result in the restart of the WordPress installation process, thus an attacker could abuse this to create an administrator account onto the WordPress website. An attacker could further exploit the newly created account to upload malicious plugins to the website or install Trojan backdoors. WP Reset PRO helps site administrators easily reset a website's database to the default installation while leaving files intact in order to restore damaged sites and remove customizations. The plugin registers a few actions in the admin_action_* scope, including table deletion operations. A check is not performed to determine whether the user is authorized to perform such an action. As this vulnerability exists, someone could just visit the site's homepage to start the WordPress installation process, warned the researchers. WebFactory Ltd, which develops both the WP Reset and its PRO version, addressed the issue in version 5.99 of the plugin. This article continues to discuss the potential exploitation and impact of the flaw found in the WordPress plugin.

Security Week reports "Critical Flaw in WordPress Plugin Leads to Database Wipe"

Security researchers at SophosLabs discovered a new cyberattack involving a malware family known as both BazarBackdoor and BazarLoader. In the attack, adversaries use socially engineered emails to scare their targets into opening an attachment and clicking on a malicious link. Malware is then delivered to the victim through a fairly novel mechanism: the abuse of the appxbundle format used by the Windows 10 app installer. In the email, the adversaries impersonate a company manager and address the victim by name. Using an abrupt and threatening style, the attackers tell the victim that a complaint has been filed against them and demand to know why this information wasn't sent to the manager. The researchers stated that the messages themselves were very short, but they were crafted with an understanding of the human psychology behind the adrenaline-rush of fear and had been personalized with both the name of the recipient and the targeted organization in both the subject line and the body. The recipient is urged to click through to a website where the complaint has seemingly been posted for them to review. This link, if clicked, will eventually lead the user to the malware. The researchers stated that the malware used in this attack steals profiling data, such as the amount of RAM and CPU power that each infected device has. The malware used in the attack also includes a function to download and install more malware.

Infosecurity reports: "New BazarBackdoor Attack Discovered"

Microsoft is working with community colleges to provide free training and resources to help ease the cybersecurity professional shortage. This includes training for faculty at 150 community colleges and scholarships to 25,000 students. By targeting community colleges, Microsoft believes they will also be diversifying the industry which is currently overwhelmingly male and white. The students at community colleges are 57% women and 40% minorities. This initiative supports commitments Microsoft made at a recent White House Cybersecurity summit.

CNBC reports "Microsoft Announces Plan to Cut Cybersecurity Workforce Shortage in Half by 2025"

The use of built-in scanners on devices such as phones, tablets, and laptops to detect illegal images has been proposed by companies and governments. However, researchers from Imperial College London found that the proposed algorithms to detect such images on devices can easily be fooled with imperceptible changes to the images. Their findings were published as part of the USENIX Security Conference. The researchers tested the robustness of five similar algorithms and discovered that altering an illegal image's unique signature on a device can allow it to evade the detection algorithms almost 100 percent of the time. Their testing proved that perceptual hashing-based client-side scanning (PH-CSS) algorithms are not a magic bullet solution for detecting illegal content on personal devices. This finding raises questions about the effectiveness and proportionality of current plans to combat illegal material through on-device scanning. According to senior author Dr. Yves-Alexandre de Montjoye, of Imperial's Department of Computing and Data Science Institute, applying a specifically designed filter imperceptible to the human eye allowed the team to mislead the algorithm into perceiving two nearly identical images as different. The researchers' algorithm was able to generate various filters, which can make it difficult to develop countermeasures. Apple recently postponed plans to introduce PH-CSS on all its personal devices due to privacy concerns. Certain governments have also been reported to be considering using PH-CSS as a law enforcement technique. This article continues to discuss the study that found it possible to easily fool algorithms proposed to detect illegal images on devices and the concept of PH-CSS algorithms.

Imperial College London reports "Proposed Illegal Image Detectors on Devices Are 'Easily Fooled'"

The Russian-speaking hacker-for-hire group dubbed Void Balaur has been spying on over 3,500 individuals, such as politicians, human rights activists, doctors, journalists, and more, stealing their private information and selling it to various financially and politically driven customers. Politicians in Uzbekistan, Belarus, Ukraine, Russia, Norway, France, Italy, and Armenia have fallen victim to the group's attacks. Some victims felt so threatened by Void Balaur's activities that they decided to leave their country and go into exile in other countries. Void Balaur has also targeted mobile companies, cellular equipment vendors, satellite communication companies, ATM manufacturers, point-of-sale system vendors, financial companies, and biotechnology firms. According to researchers from Trend Micro, the group has likely been active since September 2015. Void Balaur has acquired and sold highly private information, including passport details, SMS messages, phone call records, caller locations, information about purchased plane and train tickets, traffic camera shorts, Interpol records, and credit reports. The threat group's customers have not yet been identified, but some of them appear to be members of underground forums, such as Probiv, Darkmoney, and Tenec, in which all types of stolen data are traded. This article continues to discuss findings regarding Void Balaur's targets, tactics, techniques, and procedures.

Dark Reading reports "Hacker-for-Hire Group Spied on More Than 3,500 Targets in 18 Months"

Researchers at Cyber Security Works and Cyware conducted a new study and found that there was a 4.5% increase in CVEs associated with ransomware and a 3.4% increase in ransomware families compared with Q2 2021. A dozen new vulnerabilities were used in ransomware attacks this quarter, bringing the total number of bugs associated with ransomware to 278. Five of the newly found vulnerabilities can be used to achieve remote code execution (RCE), while two can be used to exploit web apps and launch denial-of-service (DoS) attacks. The researchers also found that ransomware groups are still finding and exploiting zero-day weaknesses before CVEs are hatched and patched. During their research, the researchers identified five new ransomware families, bringing the total to 151.

Threatpost reports: "12 New Flaws Used in Ransomware Attacks in Q3"

According to a report released by Dragos and the Ponemon Institute, over 63 percent of organizations have faced an ICS/OT cybersecurity incident in the past two years, but only 21 percent of organizations have a mature ICS/OT cybersecurity program in which emerging threats prompt priority actions, and C-level executives are regularly informed about the security of their OT. In addition, only 43 percent of organizations have cybersecurity policies and procedures aligned with their ICS and OT security objectives. Just 39 percent have IT and OT teams working together to achieve a mature security posture across both environments, while only 35 percent have a unified security strategy in place to secure those environments despite the need for different controls and priorities. Steve Applegate, the chief information security officer at Dragos, pointed out that most organizations lack the IT/OT governance framework needed to push the development of a unified security strategy due to the shortage of OT-specific cybersecurity expertise. This article continues to discuss key findings from the report and the cultural divide between IT and OT teams preventing organizations from having a unified strategy to protect both environments.

BetaNews reports "Divide Between IT and OT Teams Stops Businesses Having a Unified Security Strategy"

Security researchers at Skybox Security stated that most IT and security leaders in critical infrastructure (CNI) organizations are underestimating the scale of the cyberthreat, despite having suffered breaches over the past three years. The researchers polled 179 operational technology (OT) security decision-makers in the US, UK, Germany, and Australia, with most hailing from companies with $1bn or more in revenue from the manufacturing, energy, and utility industries. The researchers found that 73% of CIOs and CISOs are "highly confident" their organizations will not suffer an OT breach next year, despite 83% having suffered such an incident over the past 36 months. Only 37% of hands-on plant managers were similarly confident, highlighting the disconnect between perception and reality at a senior decision-making level. The researchers also found that a third (34%) of respondents appeared to be over-relying on insurance as a security strategy, claiming it is a sufficient solution. The security researchers stated that new OT vulnerabilities were up 46% compared to the first half of 2020. The researchers noted that despite the rise in vulnerabilities and recent attacks, many security teams do not make OT security a corporate priority because some security team personnel deny they are vulnerable yet admit to being breached. The researchers also stated that the belief that their infrastructure is safe despite evidence to the contrary has led to inadequate OT security measures.

Infosecurity reports: "Over 80% of CNI Firms Have Been Breached in Past 36 Months"

It is essential to continue finding strategies that could help companies ensure employee engagement in security awareness training programs. According to panelists who spoke at CyberRisk Alliance's 2021 InfoSec World conference, giving out punishments for bad security practices may be effective for reducing undesirable behavior in the short term, but it is not effective in the long run. They suggested instilling good cyber habits through positive reinforcement, rewards, gamification, and interactivity instead. However, some companies believe in giving employees a wake-up call in the form of negative consequences if they perform an unsafe action or fail a simulated phishing test. The panel moderator Cindy Liebes pointed out that many researchers and cybersecurity awareness experts will say fear tactics and cybersecurity training do not really change behavior. In some cases, punishments could stop employees from reporting incidents out of fear. Companies are encouraged to move away from consequence models to models in which employees are empowered and made to feel like they are part of the fight against cybercrime. This article continues to discuss the negative consequence models put in place by some companies to deter reckless security behavior and why they should adopt positive reinforcement models to improve security training engagement.

SC Magazine reports "Kudos, Not Consequences, Are an Ideal Tactic for Security Training Engagement"

Officials at the United States Immigration and Customs Enforcement's (ICE) Homeland Security Investigations (HSI) department in Texas have issued a warning about a new phone scam. Threat actors carrying out the malicious campaign have been impersonating special agents at the San Antonio HSI to call up members of the public. Victims are told that a problem has been detected with their passport, and they are then threatened with arrest by the imposter agent unless they make a payment to the HSI. HSI stated that the scammers claim the passport is involved in some type of crime and threaten the caller by indicating police will be dispatched to their home to arrest them. The fraudsters have found a way to make it appear to the victim that the call they are receiving is coming from the HSI San Antonio main phone number, 210-979-4500. HSI officials stated that HSI special agents and local police do not call people on the phone to warn them they are about to be arrested, and agents neither request financial information, such as bank account and credit card account information, nor demand money from someone to dismiss an investigation or remove an arrest warrant. HSI noted that individuals who are targeted by the scammers can help law enforcement to catch the criminals by trying to collect contact information from the caller and reporting it to the anonymous ICE tip line, 1 (866) 347-2423 or completing an online tip form.

Infosecurity reports: "Passport Scammers Spoof Texas HSI"

Researchers from the Singapore University of Technology and Design (SUTD) released public exploit code and a proof of concept (POC) tool to test Bluetooth devices for a set of 16 System-on-a-Chip (SoC) flaws known as BrakTooth. The researchers discovered these security vulnerabilities to be impacting commercial Bluetooth stacks on more than 1,400 chipsets used in billions of devices, including devices such as smartphones, computers, audio devices, Internet of Things (IoT) devices, and industrial equipment. Devices including Dell desktops, MacBooks, iPhones, Volo infotainment systems, and more, are on the list of devices with vulnerable SoCs. The exploitation of these security flaws could result in a Denial-of-Service (DoS) condition through firmware crashes or the complete takeover of a targeted device via Arbitrary Code Execution (ACE). The US Homeland Security Department's Cybersecurity and Infrastructure Security Agency (CISA) is urging vendors to patch the BrakTooth vulnerabilities after the security researchers made the POC tool available for testing BlueTooth devices against BrakTooth exploits. The federal agency is also asking manufacturers and developers to review details about the vulnerabilities published by the researchers in August, as well as update vulnerable Bluetooth SoC applications or employ workarounds. This article continues to discuss the potential exploitation and impact of the BrakTooth vulnerabilities, along with efforts to address them.

Bleeping Computer reports "CISA Urges Vendors To Patch BrakTooth Bugs After Exploits Release"

Cisco Talos is warning US companies about a new variant of the Babuk ransomware. The malicious campaign deploying the new variant was discovered in mid-October but is suspected to have been active since July 2021. According to researchers, the initial infection vector is an exploitation of ProxyShell vulnerabilities contained by Microsoft Exchange Servers through the use of the China Chopper web shell. Babuk can impact various hardware and software platforms, but its new version targets Windows, encrypting the machine, interrupting the system backup process, and deleting volume shadow copies. This article continues to discuss the recently discovered malicious campaign deploying a new variant of the Babuk ransomware via an unusual infection chain method.

TechRepublic reports "Cisco Talos Reports New Variant of Babuk Ransomware Targeting Exchange Servers"

The United States House of Representatives has passed two bills to strengthen the cybersecurity of small businesses. The Small Business Development Center Cyber Training Act of 2021 attracted strong support among House members of all political persuasions and was passed last Tuesday with a vote of 409 in favor to 14 against. The Small Business Development Center Cyber Training Act would establish a cyber counseling certification program at Small Business Development Centers (SBDCs) to better assist small businesses with their cybersecurity and cyber-strategy needs. If enacted into law, the legislation would authorize the Small Business Administration (SBA) to reimburse SBDCs for employee certification costs up to $350,000 per fiscal year. On Tuesday, the House also approved the Small Business Administration (SBA) Cyber Awareness Act, which would require the SBA to generate a report about its cybersecurity capabilities and inform Congress if a cybersecurity breach occurred that could potentially compromise sensitive information. Representative Jason Crow, who co-sponsored the legislation, said: "This bill would ensure we are doing everything we can to protect the millions of small businesses that the SBA serves and prepare them for 21st-century threats."

Infosecurity reports: "US House Passes Acts to Help SMBs with Cybersecurity"

Researchers at Avanan have discovered a new cyberattack that spoofs Amazon to steal victims' financial credentials. The digital deception combines brand impersonation with social engineering. The researchers first saw this scam in October 2021, and it is a two-part scam that begins with an email. The researchers stated that victims receive what looks like a typical Amazon order confirmation email containing links that all direct the user to the legitimate Amazon site. When trying to call the number listed, which is not an Amazon number, the scam begins, with the end goal of obtaining credit card information. Victims who dial the phone number will not receive an answer. However, a few hours later, they will get a call back from attackers based in India. To get the victims to call "Amazon," the attackers include high-price items on the fictitious emailed invoice. The researchers noted that this method of stealing financial details results not only in monetary gain for the hackers but serves as a form of phone number harvesting, enabling them to carry out further attacks by voicemail or text message.

Infosecurity reports: "Amazon Spoofed in New Attack"

The US Department of Defense (DoD) has scaled back the Cybersecurity Maturity Model Certification Model (CMMC) program it rolled out in 2020 to verify the cybersecurity of DoD suppliers. The implementation of the program has been stopped until the changes are made official. The program was supposed to be rolled out over a five-year period with the goal of requiring every defense contractor in possession of certain Controlled Unclassified Information (CUI) to be certified by a third party to show that they are compliant with the CMMC standard. The department will suspend CMMC piloting efforts until CMMC 2.0 changes become effective through title 32 CFR and title 48 CFR rulemaking processes. When the title 32 CFR rulemaking is complete, and the CMMC program requirements have been implemented, as needed, into acquisition regulation through title 48 rulemaking, the CMMC 2.0 program requirements will become mandatory. The previous iteration of the CMMC framework mapped cybersecurity processes and practices across five maturity levels. CMMC 2.0 will reduce the model to three levels, removing levels two and four. This article continues to discuss the purpose of CMMC and the enhanced CMMC 2.0 program.

NextGov reports "DoD Suspends Cybersecurity Certification Program Pending Major Changes"

A ransomware attack on a laboratory based in Florida has exposed the personal health information (PHI) of more than 30,000 patients. Nationwide Laboratory Services, which is based in Boca Raton, identified suspicious activity on its network on May 19, 2021. An examination of the activity revealed that attackers had used ransomware to encrypt files across the healthcare provider's network, making their contents inaccessible. Digital forensics revealed that cyberattackers had broken into areas of Nationwide Laboratory Services' network that contained patients' PHI. The adversaries behind the ransomware assault encrypted files in which patient data was stored, including names, dates of birth, lab test results, medical record numbers, Medicare numbers, and health insurance information. Nationwide Laboratory Services also found that a limited number of individuals had Social Security numbers also impacted. The lab said that the cyberattack did not affect all patients and that the amount of data exposed in the incident differed from patient to patient.

Infosecurity reports: "Ransomware Attack on Lab in Florida"

Investors in the new cryptocurrency SQUID tokens have fallen for what cryptocurrency watchers call a classic "rug-pull" scam. When SQUID tokens were first released last week, they were valued at $0.01. On November 1st, the price started escalating dramatically, but investors were blocked from selling SQUID by a so-called "anti-dumping mechanism." Meanwhile, scammers cashed out, according to complaints received by CoinMarketCap. SQUID's value peaked at $2,861.80 and dropped to zero within hours. The victims lost around $3.38 million because of the scam. All it took to keep investors from selling was a simple piece of code, researchers at PhishLabs HelpSyst4ems explained.

Threatpost reports: "Squid Game Crypto Scammers Rip Off Investors for Millions"

Security researchers at Malwarebytes have discovered that a new Magecart threat actor is stealing people's payment card info from their browsers using a digital skimmer that uses a unique form of evasion to bypass virtual machines (VM) so it targets only actual victims and not security researchers. The researchers discovered the new campaign, which adds an extra browser process that uses the WebGL JavaScript API to check a user's machine to ensure it's not running on a VM. The researchers stated that by performing this in-browser check, the threat actor can exclude researchers and sandboxes and only allow real victims to be targeted by the skimmer.

Threatpost reports: "Magecart Credit Card Skimmer Avoids VMs to Fly Under the Radar"

A team of researchers from the University of Geneva (UNIGE), Switzerland, has developed a new system to secure data transfers based on the physical principle of relativity. As the volume of data transferred continues to grow, it is essential to bolster the security of these exchanges. When an individual confirms their identity when they want to withdraw money from an ATM, they must disclose their personal data to the bank, which processes this information, such as the identification number and the pin code. If the prover and the verifier are the only ones who know this data, confidentiality is guaranteed, but if others access this information by hacking into the bank's server, security is compromised. The system developed by the team to counter hacking against data transfers applies the concept of zero-knowledge proof, the security of which is based on the physical principle of relativity. The idea is that information cannot travel faster than the speed of light. Their system enables users to identify themselves in complete confidentiality without having to provide any personal information. The principle of zero-knowledge proof was invented in the mid-1980s and has been applied in recent years, particularly for cryptocurrencies. However, these implementations are weak because they are based on a mathematical assumption that a specific encoding function is hard to decode. If this assumption is invalidated, which cannot be ruled out today, security is jeopardized because the data would become accessible. The team is demonstrating a relativistic zero-knowledge proof, described as a completely different system in practice. The security provided is based on the principle of relativity instead of a mathematical hypothesis. As the principle of relativity is a mainstay of modern physics, it will probably never be challenged. Therefore, the Geneva researchers' protocol is said to guarantee security. This article continues to discuss the new system developed by the Geneva researchers that secures data transfers based on the physical principle of relativity.

SciTechDaily reports "Securing Data Transfers With Relativity: Information Cannot Travel Faster Than the Speed of Light"

A team of researchers with Intel 471 shared their new observations of cybercriminals hitting organizations in the supply chain sector with cyberattacks and claiming to have accessed networks for companies that operate maritime, air, and ground cargo transport. The threat of potential cyberattacks adds to the widespread challenges being faced by the global supply chain, including the COVID-19 pandemic, the shortage of workers available to transport cargo, and more. The researchers warn that a cybersecurity crisis at one of these logistics and shipping companies could significantly impact the global consumer economy, considering how volatile things are right now. Over the past few months, the team detected several network access brokers selling credentials on underground forums, claiming that they belonged to logistics companies. They claimed to have obtained the credentials by exploiting vulnerabilities contained by remote access solutions, including Remote Desktop Protocol (RDP), Citrix, and SonicWall. For example, in August, the researchers saw a threat actor claiming that they had access to the corporate networks of a US-based transportation management and software supplier, and a US-based commodity transportations services company. According to the researchers, the threat actor, known to work with groups that launch the Conti ransomware, gave a Conti affiliate group access to a botnet with a Virtual Network Computing (VNC) function. The botnet was used to download and execute a Cobalt Strike beacon on infected machines. The Intel 471 threat researchers call on logistics companies' security teams to continuously monitor and track adversaries, their tools, and behavior to prevent attacks. However, many companies in this sector lack strong security protections, as suggested by an April report revealing that 90 percent of organizations studied had open remote desktop ports and inadequate email security. This article continues to discuss findings surrounding the targeting of the transport and logistics industry by cybercriminals.

Decipher reports "Cybercriminals Target Transport and Logistics Industry"

Security experts at Imperva are warning of potential disruption to the upcoming holiday shopping season after recording a double-digit year-on-year increase in bot-driven cyberattacks so far in 2021. The researchers found that half (57%) of attacks targeting retail websites this year were carried out by bots, versus just 33% across other industries. Account takeover attempts, looking to hijack customers' accounts to steal personal and financial info, reached 33% so far in 2021, versus 26% across other verticals. The researchers stated that these attacks are usually carried out by "sophisticated" bots, capable of mimicking human mouse movements and clicks to defeat retailers' cyber defenses. The bots are responsible for account takeover and denial of inventory, where items are added to account baskets to take them out of circulation, making them unavailable for legitimate customers. The researchers stated that this could exacerbate existing supply chain issues that threaten stock availability this holiday season. The researchers also recorded a surge in DDoS attacks, including a 200% month-on-month increase in September 2021. The researchers warned that as retailers build out their website functionality with chatbots and web analytics and connect customers via API to features such as product search and order fulfillment tracking, their cyberattack surface will continue to expand.

Infosecurity reports: "Holiday Shopping Disruption Beckons as Retail Bot Attacks Surge 13%"

The European Union Agency for Cybersecurity (ENISA) has released its annual report on the state of the cybersecurity threat landscape. The 9th annual ENISA Threat Landscape (ETL) report covers April 20 to July 2021. The report provides recommendations alongside identified threats, attack techniques, notable incidents, and trends. The constantly growing online presence, the transitioning of traditional infrastructures to online solutions, advanced interconnectivity, and the abuse of new capabilities provided by emerging technologies have all contributed to the increased sophistication, complexity, and impact of cybersecurity threats. Ransomware attacks are cited as the main threat for that period of reporting, followed by malware, cryptojacking, email-related threats, data threats, threats against availability and integrity, disinformation/misinformation, non-malicious threats, and supply chain attacks. The COVID-19 crisis opened doors for adversaries to use the panic and uncertainty surrounding the pandemic as lures in their attack campaigns. Financial gain appears to be the main driver behind these activities. Threat actors have been observed using various techniques, including, but limited to, Ransomware-as-a-Service (RaaS)-type business models, multiple extortion ransomware schemes, Business Email Compromise (BEC), Phishing-as-a-Service (PhaaS), and Disinformation-as-a-Service (DaaS) business models. In the discussion of cybersecurity threat actors, the report focused on state-sponsored attackers, cybercriminals, hacker-for-hire actors, and hacktivists who are integral components of the threat landscape. This article continues to discuss the key findings and development of the ETL report.

Homeland Security News Wire reports "Hackers-for-Hire Drive Evolution of Threat Landscape"