News Items

Florida's Department of Economic Opportunity (DEO) revealed that it had sustained a data breach that targeted its unemployment benefits system affecting over 57,920 claimant accounts. The security incident involved user accounts in the Reemployment Assistance Claims and Benefits Information System - CONNECT. While the attackers behind the data breach are unknown, the authorities at DEO have notified the affected users via email. The threat actors allegedly accessed sensitive information from the CONNECT public claimant portal between April 27, 2021, and July 16, 2021. The exposed data in the breach include social security numbers, driver's license numbers, bank account numbers, addresses, phone numbers, and birthdates. The attackers may also have obtained the PIN used to access the CONNECT account. As a security precaution, DEO locked the CONNECT accounts and enhanced its authentication procedures and network security systems to defend against future threats.

CISO MAG reports: "Florida DEO Suffers Data Breach, Over 57K Accounts Affected"

Army researchers have developed a new machine learning-based framework to improve the security of vehicles' computer networks without weakening performance. This development supports a larger Army effort to invest in more advanced cybersecurity protection measures for aerial and land platforms. Researchers at the U.S. Army Combat Capabilities Development Command, known as DEVCOM, Army Research Laboratory, in collaboration with a team of experts from Virginia Tech, the University of Queensland, and Gwangju Institute of Science and Technology, came up with a technique called DESOLATOR, which stands for deep reinforcement learning-based resource allocation and moving target defense deployment framework. This method helps optimize a well-known cybersecurity strategy called the moving target defense. The idea behind this strategy is that it is hard for adversaries to hit a moving target. The adversary could get a better look at everything and choose their targets if everything was static. However, if IP addresses were shuffled fast enough, then the information assigned to the IP is quickly lost, thus requiring the adversary to look for it again. DESOLATOR helps computer networks inside vehicles identify the optimal IP shuffling frequency and bandwidth allocation for the delivery of effective and long-term moving target defense. Dr. Frederica Free-Nelson, Army computer scientist and program lead, said DESOLATOR facilitates lightweight protection in which fewer resources are used for maximized protection. DESOLATOR is beneficial as it utilizes fewer resources to safeguard mission systems and connected devices in vehicles while preserving the same service quality. This article continues to discuss how the new machine learning-based framework DESOLATOR bolsters the cybersecurity of in-vehicle networks.

Homeland Security News Wire reports "Cybersecurity Technique Protects in-Vehicle Networks"

Data Leaks - What Are They?

The tides may be starting to turn on the ransomware epidemic, new industry findings show. According to researchers at Coveware, the average ransomware payment declined to $136,576 in the second quarter of 2021. The 38% decrease is a dramatic drop from the average demand of $220,298 that Coveware reported in April for the first quarter. That number was a 43% increase from the last quarter of 2020. The decline comes in the shadow of three major ransomware attacks hitting the U.S. supply chain. Since May, U.S. officials have faced three high-profile ransomware attacks against fuel provider Colonial Pipeline, meat supply company JBS, and most recently, Florida IT company Kaseya. The attacks on JBS and Kaseya have been attributed to REvil, a ransomware gang thought to be based in Russia. These latest attacks have resulted in a wake-up call in both the government and private sector that could continue to drive a decrease in ransomware demands, the researchers suggested. During their study, the researchers also found that Sodinokibi, the ransomware created by REvil, held the biggest share of the market at 16.5%, and a version of the Conti ransomware ranked at second place 14.4%.

CyberScoop reports: "Average Ransomware Payment Declined by 38% in Second Quarter of 2021, New Coveware Report Says"

Researchers at the cybersecurity firm Sophos analyzed over 1,800 malicious files on Discord's Content Distribution Network (CDN) that were detected by the company's telemetry. According to Sophos, the number of URLs hosting malware on the collaboration platform's CDN rose by 140 percent year-on-year during the second quarter of 2021. Threats include information-stealing malware, backdoors, spyware, and ransomware. Discord is said to be attractive to malware operators because it provides a persistent, highly available, global distribution network and a messaging system that can be adapted into command-and-control channels for malware. Discord's wide user base also provides an ideal environment for performing social engineering attacks to steal personal information and credentials. One malware distributed via Discord was found to be capable of stealing private images from an infected device's camera. Malware spread through Discord is often masqueraded as gaming-related tools and cheats, as well as cracked versions of Photoshop and other popular commercial software. Organizations that use Discord for work purposes are urged to adopt multi-factor authentication, ensure that all work devices have up-to-date malware protection, and more. This article continues to discuss Sophos researchers' findings surrounding the use of Discord to distribute malware.

iTWire reports "Sophos Warns of Discord-Borne Malware"

According to a recent DHS Office of Inspector General audit, Customs and Border Protection (CBP) failed to ensure that its Mobile Passport Control (MPC) applications were protected from cybersecurity threats. The internal watchdog report found that the organization charged with border control did not scan its apps for vulnerabilities, detect vulnerabilities identified in scans, complete security and privacy compliance reviews, and properly manage its system configuration. If CBP does not address these cybersecurity vulnerabilities, MPC apps and servers will remain vulnerable to attacks, thus putting travelers' personally identifiable information (PII) at risk of exploitation by malicious actors. The audit revealed that over 10 million travelers used the unsecured MPC apps between July 2017 and December 2019. CBP is encouraged to ensure that all MPC app update versions are scanned prior to release by developers, codify processes surrounding scanning, ensure specialists review all scan results for vulnerabilities, define processes for performing required security and privacy compliance reviews, and more. This article continues to discuss the discovery of CBP's failure to conduct required cybersecurity activities for its MPC apps.

NextGov reports "CBP Cybersecurity Failures Left Travelers' Personal Info at Risk, IG Says"

A study conducted by researchers at Carnegie Mellon University's CyLab found that people have many misconceptions about the available security and privacy tools meant to protect their privacy and online security. The researchers surveyed 500 demographically representative U.S. participants to measure their use and perceptions of five web browsing-related tools, including private browsing, Virtual Private Networks (VPNs), Tor Browser, ad blockers, and antivirus software. They were asked about the effectiveness of each tool in different scenarios, such as blocking hackers from gaining access to their devices or preventing law enforcement from seeing the websites they visit. For all but one scenario, participants answered over half of the assessment questions incorrectly. That one scenario is the prevention of friends or family with physical access to your device from seeing visited websites in their browser history. People were found to know some things about these tools' capabilities, but they tended to incorrectly assume that the tools could do other things too. Those who were more familiar with these tools were more likely to answer a question about them correctly or incorrectly than to recognize that they were not sure. For example, one participant said that private browsing could be effective at preventing their employer from seeing their browsing history on the employer's network, but this is false. The most concerning misconception participants had, was that they often confused tools' privacy protections with security protections as some suggested that private browsing, VPNs, and Tor Browser would protect them from security threats. The researchers have provided some recommendations for designing nudging interventions, which could promote security and privacy tools, as well as help people use them effectively. This article continues to discuss the key findings from the study regarding users' misconceptions about security and privacy tools, along with suggestions for combating these misconceptions.

CyLab reports "Misconceptions Plague Security and Privacy Tools"

Netskope recently released the fifth edition of its Cloud and Threat Report covering the cloud data risks, threats, and trends they see throughout the quarter. The report noted that cloud storage apps account for more than 66% of cloud malware delivery. In Q2 2021, 43% of all malware downloads were malicious Office docs, compared to just 20% at the beginning of 2020. The researchers stated that this increase comes even after the Emotet takedown, indicating that other groups observed the success of the Emotet crew and have adopted similar techniques. The researchers also found that collaboration apps and development tools account for the next largest percentage, as attackers abuse popular chat apps and code repositories to deliver malware. In total, Netskope detected and blocked malware downloads originating from 290 distinct cloud apps in the first half of 2021. The researchers explained that cybercriminals deliver malware through cloud apps to bypass blocklists and take advantage of any app-specific allow lists. Cloud service providers generally remove most malware immediately, but some attackers have found ways to do significant damage in the short time they spend undetected in a system. The researchers also found that about 35% of all workloads are exposed to the public internet within AWS, Azure, and GCP, with public IP addresses that are reachable from anywhere on the internet. The researchers stated that RDP servers have become a popular infiltration vector for attackers and were exposed in 8.3% of workloads. The average company with anywhere between 500 and 2,000 employees now deploys 805 separate apps and cloud services, with 97% of those being unmanaged and often freely adopted by business units and users, the researchers stated. During the report, the researchers pointed out that the rapid adoption of enterprise cloud apps has continued into 2021, with data showing adoption is up 22% for the first half of the year.

ZDNet reports: "Netskope Report Finds Cloud-Delivered Malware Increased 68% in Q2"

Washington State University (WSU) was selected to receive a $1.5 million Department of Defense (DOD) grant to set up a new cybersecurity education and research program. The Northwest Virtual Institute for Cybersecurity Education and Research (CySER) program establishes a cyber operations research and teaching center at WSU. This program includes a consortium of Pacific Northwest research partners from Central Washington University (CWU), Montana State University (MSU), Columbia Basin College (CBC), and the University of Idaho (UI). The program will train ROTC and DOD-skilled civilian workers in computer science and other areas regarding cyber basics, operations, or defense. They will be able to earn bachelor's degrees and specialized certificates. In addition, this effort will bring major Northwest institutions, industry, and national labs together for the first time to develop coordinated training with cyber-related courses, summer workshops, internships, research, a seminar series, and field trips to national labs. The delivery of training modules will involve enhanced teaching methods, such as teamwork, technical communication, hands-on problem-solving approaches, and more. Areas of research in CySER include cyber education, network security, information security, cyber-physical systems, quality assurance, software security, Machine Learning (ML), and Artificial Intelligence (AI). This article continues to discuss the structure and goals of the CySER program.

Homeland Security News Wire reports "New Cybersecurity Education and Research Institute"

The United States Federal Bureau of Investigation (FBI) has issued a warning about threat actors potentially attempting to disrupt the upcoming Tokyo 2020 Summer Olympics. The FBI is warning that cybercriminals could utilize various types of cybercrime such as distributed denial of service (DDoS) attacks, ransomware, and social engineering to derail the Olympic games. As of now, there have been no signs of an attack targeting the popular sporting event. The FBI stated that they encourage any companies partnering with the Olympic games to remain vigilant and maintain best practices in their network and digital environments. The Bureau highlighted that large-scale popular events such as the Olympics attract various cybercriminals since it allows them to pursue different agendas, ranging from making money and boosting their notoriety to sowing confusion. The FBI shared advice on how service providers could mitigate the risks of such attacks. This includes creating and setting business continuity plans to lower the chances of service interruptions in case an attack occurs and regularly monitoring networks and applying best practices since a substantial part of the workforce has transitioned to remote-work environments, and employs the use of Virtual Private Networks.

WeLiveSecurity reports: "Cybercriminals may target 2020 Tokyo Olympics, FBI warns"

New NPM malware has been observed stealing Google Chrome credentials through the use of legitimate password recovery tools on Windows systems. NPM, short for Node Package Manager, is a packet manager for the JavaScript programming language. The NPM malware has also been discovered listening for incoming connections from the attacker's command-and-control (C2) server and providing advanced capabilities, including directory listing, file lookup, file upload, shell command execution, and camera access. Researchers at ReversingLabs shared their findings surrounding two malicious NPM packages called "nodejs_net_server" and "temptesttempfile." The researchers' report primarily focuses on nodejs_net_server, which has the core malware functionality. The malware, specifically nodejs_net_server, uses the legitimate ChromePass freeware utility for Windows to carry out credential-stealing activities. This password recovery tool aims at extracting passwords from the user's Chrome web browser. It was found packed inside the NPM package with misleading names. This article continues to discuss findings regarding the two malicious NPM packages that steal passwords from the Chrome web browser via the password recovery tool ChromePass.

Bleeping Computer reports "NPM Package Steals Chrome Passwords on Windows via Recovery Tool"

Campbell Conroy & O'Neil, P.C., a U.S. law firm to many huge companies, put out a press release that an intruder may have accessed their client's data. The law firm was hit with ransomware in February and is now suffering the data-breach fallout. Some of the law firm clients include Apple, Boeing, British Airways, Chrysler, Exxon Mobil, Fisher-Price, Ford, Honda, IBM, Jaguar, Monsanto, Toyota, and US Airways. Campbell did not mention which ransomware gang claimed responsibility. None of the big ransomware groups had claimed the breach as of Tuesday morning. Campbell's ensuing investigation hasn't yet determined if the unauthorized threat actors got at specific information, but the law firm does know that the adversaries could have gained access to a treasure trove of sensitive personally identifiable information (PII) belonging to certain individuals. The information that could have been accessed includes names, dates of birth, driver's license numbers/state identification numbers, financial account information, Social-Security numbers, passport numbers, payment card information, medical information, health insurance information, biometric data, and/or online account credentials.

Threatpost reports: "Law Firm to the Fortune 500 Breached with Ransomware"

Cybersecurity researchers at SentinelOne have shared details about a high-severity vulnerability in HP printer drivers, which impacts millions of devices. According to the researchers, the vulnerability has existed since 2005 and impacts more than 380 HP and Samsung printer models along with at least a dozen different Xerox products. The exploitation of the security bug could allow attackers to install programs, create new accounts with full user rights, as well as view, change, encrypt, or delete data. The security flaw is described as a buffer overflow vulnerability that could be exploited in a local user privilege escalation attack. This article continues to discuss the potential exploitation and impact of the 16-year-old printer security bug.

TechRadar reports "This Ancient Printer Security Bug Affects Millions of Devices Worldwide"

Security researchers at Microsoft created a new method for detecting brand impersonation attacks. These attacks refer to the crafting of content to mimic a trusted company or known brand to trick unsuspecting victims into responding and disclosing information. Brand impersonation attacks have become increasingly hard to detect due to the continued advancement of technology and techniques. Justin Grana, an applied researcher at Microsoft, says these attacks have increased in accuracy from a visual perspective as brand impersonation can look the same as legitimate content. Today's brand impersonation attacks lack copy-and-paste or jagged logos, making it more difficult for people and technology to pick up on visual cues that previously helped distinguish fake content from true content. To address the challenge of detecting brand impersonation attacks, the team developed and trained a Siamese Neural Network on labeled images. Siamese Neural Networks are designed to make better predictions using a smaller number of samples, unlike standard deep learning, which is trained using many examples. The team's dataset contains over 50,000 screenshots of malicious login pages covering more than 1,000 brand impersonations. Each image is a collection of numbers, which were translated into what is described as a point on an N-dimensional coordinate plane. The team tried to make the numbers meaningful in order to distinguish fake from real brand images. The algorithm used by the team was rewarded for translating content of the same brand to similar numbers and content of different brands to different numbers. Any numbers observed to be close together were likely from the same brand. This article continues to discuss the concept of brand impersonation attacks, the Siamese Neural Network developed to detect these attacks, and lessons learned from the research behind this approach.

Dark Reading reports "Researchers Create New Approach to Detect Brand Impersonation"

The U.S. Homeland Security Department's Cybersecurity and Infrastructure Security Agency (CISA) warns of the exploitation of a known vulnerability in SonicWall Secure Mobile Access (SMA) 100 series and Secure Remote Access (SRA) products with end-of-life (EOL) firmware as part of targeted ransomware campaign. CISA urges users and administrators to either upgrade their devices to the latest firmware or disconnect all EOL appliances as soon as possible. The cybersecurity firm CrowdStrike confirmed that HelloKitty is one of the groups behind the ongoing ransomware attacks. HelloKitty is a human-operated ransomware operation that has been active since November 2020. This ransomware group is known for attacking the Polish video game company CD Projekt Red and claiming to have stolen source code for Cyberpunk 2077, Witcher 3, and other games. This article continues to discuss the targeting of a known and previously patched vulnerability contained by EOL SonicWall SMA and SRA products in an ongoing ransomware campaign, the HelloKitty ransomware group said to be among the multiple threat actors behind the campaign, and other threat groups that have targeted vulnerabilities in SonicWall devices to launch ransomware attacks.

Bleeping Computer reports "HelloKitty Ransomware Is Targeting Vulnerable SonicWall Devices"

Researchers at Bitdefender have discovered a never-before-documented Windows malware strain dubbed MosaicLoader. MosaicLoader is spreading indiscriminately worldwide through paid ads in search results, targeting people looking for pirated software and games. It masquerades as a cracked software installer, but in reality, it's a downloader that can deliver any payload to an infected system. Researchers at Bitdefender stated that the adversaries behind MosaicLoader created a piece of malware that can deliver any payload on the system, making it potentially profitable as a delivery service. The researchers also stated that MosaicLoader downloads a malware sprayer that obtains a list of URLs from the command-and-control (C2) server and downloads the payloads from the received links. The researchers observed the malware sprayer delivering Facebook cookie stealers, which exfiltrate login data. This allows cyberattackers to take over accounts, create posts that spread malware, or cause reputational damage. The researchers also stated that MosaicLoader is also spreading the Glupteba backdoor and a variety of RATs for espionage purposes, which can log keystrokes, record audio from the microphone and images from the webcam, capture screenshots, and so on. Other observed threats so far include cryptocurrency miners.

Threatpost reports: "MosaicLoader Malware Delivers Facebook Stealers, RATs"

It has recently been discovered that adversaries are stealing the identities of those lost in the condo-collapse tragedy. Families mourning the loss of loved ones to the partial collapse of the Champlain Towers South condo building in Surfside, Florida, are now being urged to check their deceased relative's credit thanks to a group of hackers targeting victims in a new identity-theft scheme. Cybercriminals are watching the news and stealing the identities of victims read during the broadcast. Surfside Mayor Charles Burkett told local Florida news station 10 News that law enforcement is working to track down the cybercriminals. Officials aren't releasing details about how many of the victims have already been targeted. The death toll from the tragic condo collapse is currently hovering around 100. Law enforcement is urging family members of victims to check recent credit history and contact the Social Security office.

Threatpost reports: "Ruthless Attackers Target Florida Condo Collapse Victims"

Researchers from the security firm CyberArk have discovered a potential vulnerability in Microsoft's facial recognition technology. They demonstrated a new method for deceiving Microsoft's Windows Hello facial recognition system. Windows Hello facial recognition only works with webcams containing an infrared sensor and the regular RGB sensor. However, the system does not look at RGB data, meaning that with one straight-on infrared image of a target's face and one black frame, the researchers were able to unlock the victim's Windows Hello-protected device. The researchers successfully tricked Windows Hello into thinking that the device owner's face was present, and unlocking by manipulating a USB webcam into delivering an attacker-chosen image. The researchers created a complete map of the Windows Hello facial recognition and found that it would be more convenient for an attacker to pretend to be the camera since the entire system relies on that input. Microsoft considers the researchers' finding a Windows Hello security feature bypass vulnerability. The company recently released patches to address the vulnerability and suggested that users enable Windows Hello enhanced sign-in security, which applies virtualization-based security to encrypt Windows Hello face data as well as process it in a protected memory area where attackers cannot tamper with it. The CyberArk research falls into the category of hacks known as downgrade attacks in which a device is tricked into relying on a less secure mode (e.g., a malicious cell phone tower that forces a phone to use 3G mobile data, with its weaker defenses, instead of 4G). This article continues to discuss the use of infrared photos and third-party hardware to fool Microsoft's facial recognition technology.

Wired reports "Hackers Got Past Windows Hello by Tricking a Webcam"

On Monday, the United States and their allies blamed China for exploiting flaws in the Microsoft Exchange Server that enabled worldwide ransomware attacks on tens of thousands of victims. It was part of a multi-front response Monday from the European Union, NATO U.S. intelligence partners that included the announcement of charges against four Chinese hackers that the Justice Department said worked on behalf of Beijing to breach U.S. companies and institutions over seven years. For the first time, the U.S. government also accused the Chinese government of employing criminal hackers who have conducted criminal attacks. The United States government agencies also released a technical report Monday that warned of China's ongoing appetite for targeting the defense, medical, semiconductor, and other industries to steal intellectual property. A senior administration official stated that "no one action can change China's behavior in cyberspace, and neither can just one country acting on its own." He also said that "our cooperation with the EU, NATO, and the Five Eyes countries in this effort will allow us to enhance and increase information sharing, including cyber threat intel and network defense information with public and private stakeholders, and expand diplomatic engagement to strengthen our collective cyber resilience and security cooperation." Microsoft itself attributed the Exchange Server attack to Chinese government hackers in March. The administration official said the delay in the U.S. government action came because the administration wanted to be sure about its attribution and combine it with the technical report release and present an allied front. China has denied responsibility for the Microsoft breach.

CyberScoop reports: "US Blames China For Microsoft Hacking, Ransomware Attacks as Part of Global Condemnation"

The U.S. Department of Justice said in the announcement that ransomware is a long-standing problem and a growing national security threat. Tackling this challenge requires collaboration across every level of government, the private sector, and our communities. Roughly $350 million in ransom was paid to malicious cyber actors in 2020, a more than 300% increase from the previous year. Further, there have already been multiple notable ransomware attacks in 2021. Despite making up roughly 75% of all ransomware cases, attacks on small businesses often go unnoticed. The U.S. Government has set up a cross-agency ransomware task force, a hub for ransomware resources, and is offering $10 million for information on state-sponsored cyber attackers. StopRansomware.gov integrates ransomware resources from all U.S. federal government agencies into a single platform that includes guidance on how to report attacks and the latest ransomware-related alerts and threats from the DHS's Cybersecurity and Infrastructure Security Agency (CISA) and the U.S. Secret Service, the DOJ's FBI, the Department of Commerce's National Institute of Standards and Technology (NIST), and the Departments of the Treasury and Health and Human Services.

Help Net Security reports: "U.S. Government Sets up Ransomware Task Force, Offers $10 Million Reward for Info"

Researchers from Royal Holloway, University of London (RHUL), are part of a team, which conducted a security analysis of the encryption protocol used by the popular Telegram messaging platform that is used by more than half a billion active users monthly. They discovered several cryptographic vulnerabilities in the protocol, ranging from technically minor and easy to exploit to more advanced. Results from the analysis showed that the immediate risk is low for most users, but the weaknesses emphasize that Telegram failed to meet the cryptographic guarantees made by other deployed cryptographic protocols such as Transport Layer Security (TLS). Telegram's 'MTProto' protocol, used to secure communication between the platform's users and servers, replaces the industry-standard TLS protocol. By default, Telegram provides a basic level of protection through the encryption of traffic between clients and servers. End-to-end encryption, which would also protect communication from Telegram employees or anyone who infiltrates Telegram's servers, is only optional and unavailable for group chats. The adoption and proper implementation of changes suggested by the research team can allow Telegram's MTProto to provide security comparable to TLS. According to the Telegram developers, these recommended changes have now been adopted. This article continues to discuss findings and suggestions from the security analysis of Telegram's encryption protocol.

RHUL reports "New Research Shows Cryptographic Vulnerabilities on Popular Messaging Platform, Telegram"

Network-based technologies continue to grow in use among individuals, professionals, and businesses worldwide. However, most network-based systems have been discovered to be significantly vulnerable to attacks. A malicious attack on network-based systems can have severe and devastating consequences. For example, an attack on a power utility network could result in the loss of electricity for millions of individuals and offices. Computer scientists have been trying to develop advanced Intrusion Detection Systems (IDSs) capable of identifying and counteracting malicious attacks in order to strengthen network security. Machine Learning (ML) algorithms have been proven to be promising in the automatic detection of attacks and intrusions on a network. The practice of selecting data features that a model can use when making predictions is important in developing and training ML-based IDSs. Researchers from Canadian University Dubai in the UAE created a new feature selection method that could help allow the development of more effective ML-based IDSs. Their feature selection method, MICorr, addresses some of the limitations of existing feature selection techniques. The researchers tested their method on the CSE-CIC-IDS2018 dataset, which contains 10,000 benign and malicious network intrusion instances. The new feature method is said to address the challenge of considering continuous input features and discrete target values. They showed that their proposed method performs well against the benchmark selection methods. This article continues to discuss the vulnerability of network-based systems to attacks, ML-based IDSs, and the new feature selection technique developed for IDSs.

NewsUpdate UK reports "A New Feature Selection Technique For Intrusion Detection Systems"