News Items

  • news

    "New Two-Step Algorithm Could Prove 'a Paradigm Shift' in Cloud Data Confidentiality"

    Although cloud computing provides fast, easy-to-use computing and inexpensive data storage, the cloud environment brings data confidentiality risks. Cryptography strengthens cloud security by encrypting data at rest and in transit; many encryption techniques are available, but none is 100 percent secure. A team of researchers from Yemen and India described a novel two-step cryptographic technique in a recent study published in KeAi's International Journal of Intelligent Networks. The technique is said to be the first to combine genetic technology with mathematical techniques. According to the researchers, the proposed algorithm creates a complex cryptographic environment with a high level of security and flexibility, which could lead to a paradigm shift in data confidentiality. They evaluated the algorithm by measuring encryption time, decryption time, throughput, and ciphertext length, and report that, compared with other genetic encryption techniques and existing symmetric-key schemes, it offers higher security strength, better flexibility, and shorter running times. Its simple structure, two layers of encryption containing only four coding rounds, also reduces computational complexity. Note that these metrics measure performance rather than resistance to cryptanalysis; the security claim is the authors' own. This article continues to discuss the proposed two-step cryptography method that combines genetic technology with mathematical techniques.

    KeAi reports "New Two-Step Algorithm Could Prove 'a Paradigm Shift' in Cloud Data Confidentiality"

  • news

    "Nobelium Attackers Compromised Microsoft Customer Support Agent"

    The attackers behind the SolarWinds compromise have carried out another campaign against government agencies and IT companies, and in the course of it compromised a machine belonging to a Microsoft customer support agent who had access to customer data. The campaign targeted organizations in 36 countries, nearly half of them in the U.S. Microsoft has warned the customers whose accounts were affected by the compromise of the agent's machine. According to Microsoft, the campaign relied largely on password spraying and brute-force attempts to gain access to accounts, and the Microsoft Threat Intelligence Center said most targets were not successfully compromised. Microsoft discovered the compromise of the support agent's machine while investigating activity by the threat group Nobelium, which has been linked to Russia's SVR and is also tracked as APT29; the U.S. government has attributed the compromise of SolarWinds and many of its customers to this group. The agent's machine was found to be running information-stealing malware and had access to basic account information for some Microsoft customers, and in some cases the actor used that information to launch highly targeted attacks as part of the broader campaign. Microsoft has not said where the agent was located or whether the agent was an employee or a contractor. This article continues to discuss the tactics used by Nobelium attackers in a recent campaign against government agencies and IT companies.

    Decipher reports "Nobelium Attackers Compromised Microsoft Customer Support Agent"

  • news

    "Cobalt Strike Usage Explodes Among Cybercrooks"

    Researchers from Proofpoint have found that criminal use of Cobalt Strike, a commercial adversary-emulation toolkit, is increasing; the tool has now "gone fully mainstream in the crimeware world." The researchers tracked a 161 percent year-over-year increase between 2019 and 2020 in the number of real-world attacks in which Cobalt Strike appeared, and they report that it remains a high-volume threat in 2021. Cobalt Strike's implant, Beacon, runs on a compromised host and checks in with the operator's team server over HTTP, HTTPS, DNS, or SMB; used as intended, it lets red teams emulate an attacker's post-exploitation activity. Threat actors turn the same capability against victim networks to exfiltrate data, deliver additional malware, and, through its Malleable C2 profiles, shape command-and-control (C2) traffic so that it resembles legitimate web traffic and slips past detection.

    Threatpost reports: "Cobalt Strike Usage Explodes Among Cybercrooks"
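
    The following is an added detection example, not code from Proofpoint or from the Threatpost article. Cobalt Strike's HTTP stagers follow the Metasploit URI convention: the request path is a short random string whose checksum8 (sum of ASCII values modulo 256) is 92 for the x86 stager and 93 for the x64 stager. The script scans constructed web-proxy log lines (Common Log Format; hosts and paths are made up) for paths matching that convention. The length bounds and the log format are assumptions, and Malleable C2 profiles can replace the stager URIs entirely, so this catches only default-configured stagers.

```python
import re
from typing import List, Tuple

# Cobalt Strike's HTTP stagers reuse the Metasploit URI convention: the
# request path is a short random string whose "checksum8" (sum of ASCII
# values modulo 256) tells the team server which stager to serve.
X86_STAGER_CHECKSUM = 92
X64_STAGER_CHECKSUM = 93
STAGER_CHECKSUMS = {X86_STAGER_CHECKSUM: "x86", X64_STAGER_CHECKSUM: "x64"}


def checksum8(text: str) -> int:
    """Sum of the ASCII byte values of text, modulo 256."""
    return sum(text.encode("ascii", errors="ignore")) % 256


def stager_arch(path: str) -> str:
    """Return 'x86' or 'x64' if the path looks like a stager URI, else ''.

    Heuristic only: roughly 1 in 128 random short alphanumeric paths collides
    with one of the two constants, so hits are leads, not verdicts. The length
    bounds are an assumption for this example.
    """
    stem = path.lstrip("/").split("?", 1)[0]
    if not (4 <= len(stem) <= 8) or not stem.isalnum():
        return ""
    return STAGER_CHECKSUMS.get(checksum8(stem), "")


# Common Log Format: client ident user [time] "METHOD path HTTP/x.y" status bytes
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)


def find_stager_candidates(log_lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (client, path, arch) for GET requests whose path matches the heuristic."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "GET":
            continue
        arch = stager_arch(m["path"])
        if arch:
            hits.append((m["src"], m["path"], arch))
    return hits


# Constructed sample proxy log (not real traffic). "/aaMM" and "/aaMN" were
# chosen so that their checksum8 values are 92 and 93 respectively.
SAMPLE_LOG = [
    '10.0.0.12 - - [23/Jun/2021:09:14:02 +0000] "GET /index.html HTTP/1.1" 200 1523',
    '10.0.0.45 - - [23/Jun/2021:09:14:07 +0000] "GET /aaMM HTTP/1.1" 200 206408',
    '10.0.0.45 - - [23/Jun/2021:09:15:11 +0000] "GET /aaMN HTTP/1.1" 200 275080',
    '10.0.0.77 - - [23/Jun/2021:09:16:30 +0000] "GET /static/app.js?v=2 HTTP/1.1" 200 88211',
    '10.0.0.91 - - [23/Jun/2021:09:17:01 +0000] "POST /api/login HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for src, path, arch in find_stager_candidates(SAMPLE_LOG):
        print(f"{src} requested {path}: possible Cobalt Strike {arch} stager")
```

    Treat a hit as a pivot point: look at the response size (a stager download is a few hundred kilobytes), the User-Agent, and whether the same client then starts a regular check-in pattern to the same host.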

  • news

    "Danger Caused by Subdomains"

    A team of researchers from the Security & Privacy Research Unit at TU Wien and Ca' Foscari University has analyzed a class of security vulnerability associated with subdomains. Large websites often consist of several subdomains (e.g., "sub.example.com" is a subdomain of "example.com"), and there are tricks attackers can use to take control of them. The team studied the scope of the problem across 50,000 of the world's most popular websites and found 1,520 vulnerable subdomains. One might assume that a subdomain can only be controlled by someone the website's administrator explicitly authorizes, but this is a misconception. A subdomain often points to content hosted on entirely different servers: the owner of "example.com" may add a blog by using an existing blogging service rather than building one, so "blog.example.com" is mapped, typically via a DNS CNAME record, to that provider. The address bar shows "blog.example.com," but the data comes from the provider's server. When the owner later stops using the service but leaves the DNS record in place, the record points at an external resource that no longer exists. These dangling records are loose ends in a website's infrastructure and ideal attack points: if they are not removed, an attacker can claim the abandoned resource at the provider and serve their own malicious page, which visitors see as a legitimate subdomain of the site. This article continues to discuss the researchers' findings surrounding the security vulnerability associated with subdomains.

    TU Wien reports "Danger Caused by Subdomains"
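
    An added example, not the researchers' tool: a small Python check that walks a zone's CNAME records, flags targets that no longer resolve, and separately flags CNAMEs into third-party hosting providers, where a name that still resolves does not prove the account behind it is still yours (many providers keep answering for unclaimed names). The zone records, the provider list, and the stand-in resolver are constructed for the example; the default resolver uses the system DNS.

```python
import socket
from typing import Callable, List, Optional, Sequence, Tuple

DnsRecord = Tuple[str, str, str]   # (name, type, data)
Finding = Tuple[str, str, str]     # (name, target, reason)

# Hosting services whose hostnames can be claimed by anyone with an account.
# Assumption: an illustrative list for this example, not the study's data.
THIRD_PARTY_SUFFIXES = (
    "github.io", "herokuapp.com", "azurewebsites.net", "cloudfront.net",
    "s3.amazonaws.com", "wordpress.com", "ghost.io", "myshopify.com",
)


def default_resolve(host: str) -> Optional[str]:
    """Resolve host to an IPv4 address, or None if the name does not resolve."""
    try:
        return socket.gethostbyname(host)
    except socket.gaierror:
        return None


def is_third_party(target: str) -> bool:
    return target.endswith(tuple("." + s for s in THIRD_PARTY_SUFFIXES))


def find_dangling_cnames(records: Sequence[DnsRecord],
                         resolve: Callable[[str], Optional[str]] = default_resolve) -> List[Finding]:
    """Flag CNAMEs whose target no longer resolves (classic dangling record) and
    CNAMEs into third-party hosting, where an NXDOMAIN check alone is not enough
    and ownership of the target must be re-verified."""
    findings = []
    for name, rtype, data in records:
        if rtype.upper() != "CNAME":
            continue
        target = data.rstrip(".")
        if resolve(target) is None:
            findings.append((name, target, "target does not resolve (dangling)"))
        elif is_third_party(target):
            findings.append((name, target, "third-party target: confirm the account still exists"))
    return findings


# Constructed zone excerpt for example.com (not from the study).
SAMPLE_ZONE = [
    ("www.example.com",  "A",     "203.0.113.10"),
    ("blog.example.com", "CNAME", "example-blog.ghost.io."),
    ("shop.example.com", "CNAME", "example-shop.myshopify.com."),
    ("old.example.com",  "CNAME", "legacy-app.herokuapp.com."),
    ("mail.example.com", "CNAME", "mail.example.com.mail.protection.outlook.com."),
]


def fake_resolve(host: str) -> Optional[str]:
    """Stand-in resolver so the example runs offline; models a decommissioned app."""
    dead = {"legacy-app.herokuapp.com"}
    return None if host in dead else "198.51.100.7"


if __name__ == "__main__":
    for name, target, reason in find_dangling_cnames(SAMPLE_ZONE, resolve=fake_resolve):
        print(f"{name} -> {target}: {reason}")
```

    Run it against a real zone export with the default resolver; anything in the first category should be deleted or re-pointed, and anything in the second should be confirmed against the provider's account inventory.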

  • news

    "Mercedes Benz Data Leak Includes Card and Social Security Details"

    Mercedes-Benz has released details of a data breach affecting customers and prospective buyers in the US. The luxury carmaker stated that a vendor informed it on June 11 that customer information had inadvertently been made accessible on a cloud storage platform; a third-party security researcher appears to have first raised the alarm with the vendor. Although the initial investigation set out to determine whether 1.6 million unique records had been exposed, subsequent findings showed that far fewer people were affected: the personal information of fewer than 1,000 individuals was compromised. The exposed data consisted mainly of self-reported credit scores, plus a small number of driver's license numbers, Social Security numbers, credit card details, and dates of birth. The company said that viewing the information would have required knowledge of special software programs and tools, and that an internet search would not return any of the exposed files' contents. The affected individuals entered their information on dealer and Mercedes-Benz websites between January 1, 2014, and June 19, 2017. Although it is unlikely that threat actors located and accessed the information, it is unclear how long it was exposed. Mercedes-Benz USA confirmed that none of its own systems were compromised and said the issue had been mitigated and cannot recur.

    Infosecurity reports: "Mercedes Benz Data Leak Includes Card and Social Security Details"

  • news

    "Hackers Use Cracked Games To Make Crypto-Millions"

    Researchers at the antivirus firm Avast discovered malware, dubbed Crackonosh, in cracked versions of popular games such as The Sims 4, Grand Theft Auto V, and Far Cry 5 that are distributed for free on forums. According to Avast, Crackonosh disables security tools and Windows Update, then runs XMRig to mine the Monero cryptocurrency. XMRig is a legitimate open-source miner that criminals have embedded in many malware families to mine covertly on victims' systems, including corporate ones. Through Crackonosh, its operators have generated more than $2 million in Monero since 2018. Avast has detected more than 200,000 infected users, with about 800 added each day; because this figure covers only Avast users, the true number of infections is likely significantly higher. The Philippines, Brazil, and India have the most infections. This article continues to discuss hackers' use of Crackonosh malware to bypass security tools and secretly mine cryptocurrency on gamers' computers.

    Silicon UK reports "Hackers Use Cracked Games To Make Crypto-Millions"

  • news

    "Bill Would Create Cyber Workforce Training Programs at CISA and VA"

    The recently introduced bipartisan Federal Cybersecurity Workforce Expansion Act aims to strengthen government cybersecurity by growing the cyber workforce through two new training programs: an apprenticeship program at the government's central cybersecurity office, the Cybersecurity and Infrastructure Security Agency (CISA), and a program at the Department of Veterans Affairs (VA) geared toward veterans. The legislation would require CISA to establish an apprenticeship program that prepares trainees either for a position at CISA or for a job with a company or other entity, provided the director certifies that the job contributes to U.S. national cybersecurity and is funded mostly through a contract, grant, or cooperative agreement with the agency. The VA would be required to create a veteran-focused program offering virtual training platforms, hands-on skills labs, federal work-based learning opportunities, and more. Both programs would have to follow the National Institute of Standards and Technology's (NIST) National Initiative for Cybersecurity Education (NICE) framework, which defines work roles and their associated tasks, knowledge, and skills. Recent breaches affecting the federal government and critical infrastructure sectors prompted the legislation. This article further discusses the goals and requirements of the Federal Cybersecurity Workforce Expansion Act and the importance of bolstering the cyber workforce.

    NextGov reports "Bill Would Create Cyber Workforce Training Programs at CISA and VA"

  • news

    "USB Threats Could Critically Impact Business Operations"

    According to a report released by Honeywell, USB-borne threats capable of severely disrupting business operations increased significantly during a disruptive year in which the use of removable media and network connectivity also grew. Researchers found that 37% of threats were specifically designed to use removable media, almost double the 19% in the 2020 report, and that 79% of threats originating from USB devices or removable media could cause critical disruption in the operational technology (OT) environment. USB device usage in production facilities rose 30% last year, highlighting the growing dependence on removable media. The researchers noted that many industrial and OT systems are air-gapped or otherwise cut off from the internet to protect them from attack, which means that removable media and USB devices are being used as the initial access vector to get into those networks and expose them to significant attacks.

    Help Net Security reports: "USB Threats Could Critically Impact Business Operations"

  • news

    "Four States Propose Laws to Ban Ransomware Payments"

    Following the ransomware attacks on Colonial Pipeline and the meat producer JBS, some government officials have called on Congress and the administration to ban organizations from paying ransoms to threat actors. Such a ban would codify the FBI's current advice: don't pay ransomware attackers, lest you encourage more of the same. Despite some support at the federal level, most members of Congress do not seem to fully embrace an outright ban. The picture is different at the state level, where four states have five pending bills that would either ban paying a ransom or substantially restrict it. New York stands alone in seeking to bar private-sector businesses from paying. Legislatures in North Carolina, Pennsylvania, and Texas are considering bills that would prohibit the use of state and local taxpayer money or other public funds for ransom payments, a prohibition that would effectively stop local governments from paying off ransomware attackers.

    CSO Online reports: "Four States Propose Laws to Ban Ransomware Payments"

  • news

    "Data of 500K Patients Accessed, Stolen After Eye Clinic Ransomware Attack"

    The Iowa-based Wolfe Eye Clinic was hit by a ransomware attack in February of this year, resulting in the access to, and possible theft of, data belonging to 500,000 patients. An unauthorized individual was observed attempting to access the network on February 8. Although the attack occurred in February, its complexity and scope were not fully determined until the end of May. The attacker accessed and possibly stole information such as names, contact details, dates of birth, and Social Security numbers; the data involved varied by patient, and in some cases medical and health information was affected. Affected patients will be offered one year of free identity monitoring. As part of its response, Wolfe Eye Clinic implemented additional safeguards and enhanced its security. This article continues to discuss the impact of the Wolfe Eye Clinic ransomware attack as well as other notable cyberattacks that have targeted healthcare organizations so far this year.

    SC Media reports "Data of 500K Patients Accessed, Stolen After Eye Clinic Ransomware Attack"

  • news

    "Firmware Security Issues Put 30 Million Dell Devices at Risk"

    About 30 million Dell devices are at risk from firmware security issues. Researchers from Eclypsium report that 128 recent models, including desktops, laptops, and tablets, are exposed. The problems lie in a Dell feature called BIOSConnect, which lets users easily, and even automatically, receive firmware updates. Although an attacker needs a position on the victim's network from which to intercept the update traffic, the flaws remain an attractive target because exploitation is straightforward and firmware is insufficiently monitored.

  • news

    "74% of Q1 Malware Was Undetectable Via Signature-Based Tools"

    WatchGuard Technologies analyzed threat data collected from customer networks during the first quarter of 2021. The analysis found that 74 percent of malware detected was what WatchGuard calls zero-day malware: samples with no matching signature at the time they were seen, which therefore evade signature-based detection and can breach enterprise systems. According to the vendor, this was the highest proportion of zero-day malware it has ever recorded in a single quarter, and it argues that enterprises of all sizes should take proactive malware detection more seriously. Attackers continue to get better at repackaging old malware so that its binary profile no longer matches previous fingerprints, and tools that make it easy to alter the same malware to bypass signature-based systems are now readily available. WatchGuard also found that network attack volumes reached a three-year high in the first quarter, with over 4.2 million hits on its intrusion prevention systems at customer sites; its Firebox appliances blocked an average of 113 attacks per appliance, a 47 percent increase over the previous quarter. Malware delivered over encrypted connections declined during the quarter to just under 44 percent, about 10 percentage points below the third quarter of 2020 and 3 points below the fourth quarter. The findings underline the need for protections beyond signature- and pattern-based tools: organizations need controls that block threats before execution and controls that detect and respond to them after execution. This article continues to discuss WatchGuard's findings regarding the rise in zero-day malware and network attack volumes.

    Dark Reading reports "74% of Q1 Malware Was Undetectable Via Signature-Based Tools"
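
    An added illustration, not WatchGuard's analysis or data: a toy model of why repackaging defeats hash signatures. A constructed sample is XOR-encoded behind a stub; every key yields a new file hash and hides the string a static rule would key on, while the same checks applied to what the stub produces at run time still fire, which is the pre-execution versus post-execution distinction the report draws. The sample bytes, the stub format, and the rule are all made up.

```python
import hashlib
from typing import Dict

# Constructed stand-in for a malware sample: a fake header, a telltale string
# that a static rule keys on, and padding. None of this is real malware.
TELLTALE_STRING = b"EVIL_RAT_BUILD_7"
ORIGINAL_SAMPLE = b"MZ\x90\x00" + TELLTALE_STRING + b"\x00" * 32
STUB_MAGIC = b"STUB"   # marks files produced by the toy crypter below


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# The defender's signature database: exact hashes of samples seen before.
KNOWN_HASHES = {sha256(ORIGINAL_SAMPLE)}


def repack(sample: bytes, key: int) -> bytes:
    """Toy crypter: XOR the body with a one-byte key and prepend a stub that
    carries the key. Each key value produces a file with a new hash and no
    plaintext strings, although the behaviour is unchanged."""
    if not 1 <= key <= 255:
        raise ValueError("key must be 1..255")
    return STUB_MAGIC + bytes([key]) + bytes(b ^ key for b in sample)


def unpack(packed: bytes) -> bytes:
    """What the stub does when the file runs: recover the original body."""
    key = packed[len(STUB_MAGIC)]
    return bytes(b ^ key for b in packed[len(STUB_MAGIC) + 1:])


def hash_signature_hit(data: bytes) -> bool:
    return sha256(data) in KNOWN_HASHES


def string_rule_hit(data: bytes) -> bool:
    return TELLTALE_STRING in data


def classify(sample: bytes) -> Dict[str, bool]:
    """Static checks on the file as it arrives versus the same checks on what
    the file becomes after its own unpacking routine has run (a stand-in for
    post-execution inspection in a sandbox or on the endpoint)."""
    static = hash_signature_hit(sample) or string_rule_hit(sample)
    runtime_image = unpack(sample) if sample.startswith(STUB_MAGIC) else sample
    post_exec = hash_signature_hit(runtime_image) or string_rule_hit(runtime_image)
    return {"static_detection": static, "post_execution_detection": post_exec}


if __name__ == "__main__":
    print("original :", classify(ORIGINAL_SAMPLE))
    print("repacked :", classify(repack(ORIGINAL_SAMPLE, 0x5A)))
```

    Real crypters are far more elaborate, but the economics are the same: a new hash costs the attacker nothing, while a behavioural or memory-based detection has to be evaded on every run.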

  • news

    "Data Breach at WorkForce West Virginia"

    Personal information belonging to job seekers residing in West Virginia may have been exposed during a security incident at WorkForce West Virginia. The breach was confirmed yesterday by West Virginia governor Jim Justice. According to the breach notification letters that were sent out, WorkForce learned on April 13 that an unauthorized individual had accessed a job-seekers database. The unknown cyber-criminal may have gained access through the Mid-Atlantic Career Consortium Employment Services (MACC) website, which West Virginians use to register for job services before applying for unemployment benefits. Data compromised in the incident may have included names, addresses, phone numbers, dates of birth, and Social Security numbers.

    Infosecurity reports: "Data Breach at WorkForce West Virginia"

  • news

    "Tulsa: Ransomware Attackers Leaked 18,000 Files"

    The City of Tulsa has learned that the persons responsible for the ransomware attack it suffered in May 2021 leaked more than 18,000 city files on the dark web. According to a statement from city officials, most of the files are police citations and internal department files. The police citations include personally identifiable information (PII) such as names, dates of birth, addresses, and driver's license numbers. Brett Callow, a threat analyst with Emsisoft, identified the Conti ransomware group as the attacker behind the incident and says the Tulsa attack marks the 37th time a municipality has been hit with ransomware this year. Residents who filed a police report, received a police citation, made a payment to the city, or interacted with the city online, in person, or on paper before May 2021 are advised to take monitoring precautions. This article continues to discuss the May 2021 Tulsa ransomware attack, the leak of over 18,000 city files via the dark web, and what potential victims are advised to do to protect themselves.

    BankInfoSecurity reports "Tulsa: Ransomware Attackers Leaked 18,000 Files"

  • news

    "NSA Funds Development, Release of D3FEND"

    The federal research and development organization MITRE has released D3FEND, a framework that helps cybersecurity professionals tailor defenses against specific cyber threats. The work was funded by the National Security Agency (NSA) to strengthen the cybersecurity of National Security Systems, the Department of Defense, and the Defense Industrial Base. D3FEND is a technical knowledge base of defensive countermeasures for common offensive techniques, released as a complement to MITRE's ATT&CK framework, a knowledge base of adversary tactics and techniques based on real-world observations. D3FEND establishes terminology for computer network defensive techniques and makes explicit the previously unspecified relationships between defensive and offensive methods, drawing further attention to the complex interaction between computer network architectures, threats, and cyber countermeasures. The release encourages cybersecurity professionals across government, industry, and academia to adopt this common vocabulary. This article continues to discuss D3FEND and the importance of such frameworks.

    HS Today reports "NSA Funds Development, Release of D3FEND"

  • news

    "Cloud Database Exposes 800M+ WordPress Users' Records"

    According to Website Planet, a misconfigured cloud database exposed over 800 million records linked to WordPress users before its owner was notified. The trove, which belonged to US hosting provider DreamHost, was left online with no password protection. The data appeared to date back to 2018. The 86GB database purportedly held admin and user information, including WordPress login location URLs, first and last names, email addresses, usernames, roles, host IP addresses, timestamps, and configuration and security information; some of it was linked to users with .gov and .edu email addresses. The database was secured within hours of DreamHost receiving a responsible disclosure notice from the researchers. The researchers noted that it was unclear how long the database had been exposed, potentially putting users at risk of phishing, and that threat actors scanning for exposed databases like this have in the past also stolen and ransomed their contents.

    Infosecurity reports: "Cloud Database Exposes 800M+ WordPress Users' Records"

  • news

    "Ransomware Attacks Decline as Gangs Focus on Lucrative Targets"

    Ransomware attacks fell by 50% in Q1 2021 as threat actors shifted from mass-spread campaigns to fewer, larger targets attacked with unique samples, according to the McAfee Threats Report. The researchers stated that the traditional approach of using one form of ransomware to infect and extort many victims is becoming less prominent, largely because targeted systems learn to recognize and block such attempts over time. Instead, the researchers see a trend towards fewer, customized Ransomware-as-a-Service (RaaS) campaigns tailored to larger, more lucrative organizations. The number of prominent ransomware families declined from 19 in January 2021 to nine in March 2021. The most detected ransomware group in Q1 2021 was REvil, followed by RansomEXX, Ryuk, NetWalker, Thanos, MountLocker, WastedLocker, Conti, Maze, and Babuk. Another important finding was a 117% rise in the spread of cryptocurrency-generating coin-mining malware, which McAfee attributes to a spike in 64-bit CoinMiner applications. Unlike ransomware, which locks up victims' systems and holds them hostage until a cryptocurrency payment is made, CoinMiner malware infects systems and then silently produces cryptocurrency using their computing capacity. This means criminals do not need to interact with the victim, who may be completely unaware they are under attack. In total, McAfee detected an average of 688 new malware threats per minute in Q1 2021, an increase of 40 threats per minute over Q4 2020.

    Infosecurity reports: "Ransomware Attacks Decline as Gangs Focus on Lucrative Targets"

  • news

    "Columbia Engineering Researchers Design New Techniques to Bolster Memory Safety"

    Columbia Engineering researchers recently presented two papers at the International Symposium on Computer Architecture (ISCA) that improve the security of computer systems. The new techniques have little to no effect on system performance and are already being used to create a processor for the Air Force Research Lab. Simha Sethumadhavan, associate professor of computer science, said memory safety has been a problem for nearly 40 years and remains one because its burden is not distributed fairly among software engineers and end users; the two papers are believed to strike the right balance of burdens. Sethumadhavan's team observed that most security issues arise in a computer's memory and specifically involve pointers. Pointers are used to manage memory, and corrupting them lets attackers hijack a program. Existing mitigations for memory attacks consume a lot of energy, can break software, and significantly degrade system performance (cellphone batteries drain quickly, apps run slowly, and computers crash). The group created a memory security solution called ZeRO that combines a set of memory instructions with a metadata encoding scheme to protect a system's code and data pointers; the combination is said to eliminate performance overhead because it does not affect the speed of the system. The team's second paper presents a system called No-FAT that speeds up security checks without significantly affecting performance. According to the researchers, No-FAT also speeds up fuzz testing and is easy for developers to adopt when building a system. Both ZeRO and No-FAT aim to make memory systems more resilient to attacks with little or no impact on speed or power consumption. This article continues to discuss why memory safety has remained an issue for so long and the solutions developed by Columbia Engineering researchers to strengthen memory safety.

    Columbia Engineering reports "Columbia Engineering Researchers Design New Techniques to Bolster Memory Safety"

  • news

    "Google Announces Unified Schema to Make Sharing Vulnerabilities Easier"

    Google has announced a unified schema for describing vulnerabilities, with the goal of making it easier to share vulnerability data between databases. Existing vulnerability databases each use their own format, so anyone tracking vulnerabilities across several ecosystems has to handle each separately, and the lack of a common standard makes sharing difficult. The new schema, designed by the Google Open Source Security Team, the Go team, and the broader open source community, is intended to let vulnerability databases, open source users, and security researchers consume vulnerability data across all of open source easily, giving everyone a more complete view of open source vulnerabilities and potentially shortening detection and remediation times. The schema follows on from Google's Open Source Vulnerabilities (OSV) database, launched in February to improve vulnerability triage for developers and consumers of open source software with an initial dataset of a few thousand vulnerabilities from the OSS-Fuzz project. Alongside the schema, Google announced the expansion of the OSV database to several key open source ecosystems, including Go, Rust, Python, and DWF. This article continues to discuss the new unified vulnerability schema for open source.

    SiliconANGLE reports "Google Announces Unified Schema to Make Sharing Vulnerabilities Easier"
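
    An added example, not Google's or OSV's code: evaluating whether a package version is affected by an advisory written in the OSV schema. The record is constructed (the id `EXAMPLE-2021-0001`, the package `examplepkg`, the versions, and the reference URL are made up); the field names (`affected`, `package`, `ranges`, `events`, `introduced`, `fixed`, `last_affected`, `versions`) follow the published schema. The version comparator handles only dotted numeric versions and is a simplification.

```python
import json
from typing import Tuple

# Constructed OSV record. Assumption: id, package and versions are invented;
# the field names follow the OSV schema.
OSV_RECORD_JSON = """
{
  "id": "EXAMPLE-2021-0001",
  "modified": "2021-06-24T00:00:00Z",
  "summary": "Constructed advisory for an imaginary PyPI package",
  "affected": [
    {
      "package": {"ecosystem": "PyPI", "name": "examplepkg"},
      "ranges": [
        {"type": "ECOSYSTEM",
         "events": [{"introduced": "0"}, {"fixed": "1.2.3"},
                    {"introduced": "2.0.0"}, {"fixed": "2.0.4"}]}
      ],
      "versions": ["3.1.0"]
    }
  ],
  "references": [{"type": "ADVISORY", "url": "https://example.com/advisory"}]
}
"""


def parse_version(version: str) -> Tuple[int, ...]:
    """Numeric dotted prefix only ("1.2.3rc1" -> (1, 2, 3)). Enough for this
    example; a real tool would use the ecosystem's own comparator (PEP 440,
    SemVer, ...), which is what the ECOSYSTEM range type calls for."""
    parts = []
    for piece in version.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


def version_in_events(version: str, events) -> bool:
    """Walk the ordered event list as the schema defines it: an 'introduced'
    event at or below the version opens an affected span, a later 'fixed'
    at or below it (or 'last_affected' below it) closes the span again."""
    v = parse_version(version)
    affected = False
    for ev in events:
        if "introduced" in ev:
            if ev["introduced"] == "0" or v >= parse_version(ev["introduced"]):
                affected = True
        elif "fixed" in ev:
            if v >= parse_version(ev["fixed"]):
                affected = False
        elif "last_affected" in ev:
            if v > parse_version(ev["last_affected"]):
                affected = False
    return affected


def is_affected(record: dict, ecosystem: str, name: str, version: str) -> bool:
    """True if the advisory lists (ecosystem, name, version) as affected, either
    by explicit enumeration or by a SEMVER/ECOSYSTEM range. GIT ranges are
    skipped here: commit ordering needs the repository."""
    for entry in record.get("affected", []):
        pkg = entry.get("package", {})
        if pkg.get("ecosystem") != ecosystem or pkg.get("name") != name:
            continue
        if version in entry.get("versions", []):
            return True
        for rng in entry.get("ranges", []):
            if rng.get("type") in ("SEMVER", "ECOSYSTEM") and version_in_events(version, rng["events"]):
                return True
    return False


OSV_RECORD = json.loads(OSV_RECORD_JSON)

if __name__ == "__main__":
    for v in ["1.0.0", "1.2.3", "2.0.2", "2.0.4", "3.1.0"]:
        print(f"examplepkg {v}: {'affected' if is_affected(OSV_RECORD, 'PyPI', 'examplepkg', v) else 'not affected'}")
```

    The same function, pointed at a lockfile, is the core of an OSV-based dependency scanner; the schema's value is that one evaluator serves every ecosystem that publishes in it.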

  • news

    "Cyber-Attacks Are Primary Funding Source for North Korea"

    According to researchers at Venafi, cybercrime is now the primary means by which the North Korean state funds itself. The researchers analyzed publicly available information on state-sponsored attacks directed by the hermit kingdom over the past four years and concluded that the regime now monetizes cyberattacks to circumvent economic sanctions and keep Kim Jong-un in power. They stated that North Korean attacks are often far more brazen and reckless than those sponsored by other states because the perpetrators are not afraid of getting caught, which makes them particularly dangerous: the criminals the state sponsors have free rein to conduct highly destructive global attacks such as the 2017 WannaCry outbreak, which affected more than 200,000 systems across at least 150 countries. North Korea is setting an example for other rogue states; Belarus and even Myanmar can now see that cybercrime offers a way of countering the worst effects of sanctions while making themselves more of a threat to the wider community. The researchers stated that global democracies must take more decisive action to mitigate the cyber threat from North Korea.

    Infosecurity reports: "Cyber-Attacks Are Primary Funding Source for North Korea"

  • news

    Pub Crawl #51

    Pub Crawl summarizes, by hard problems, sets of publications that have been peer reviewed and presented at SoS conferences or referenced in current work. The topics are chosen for their usefulness for current researchers.

  • news

    "BIOSConnect Code Execution Bugs Impact Millions of Dell Devices"

    Eclypsium researchers have discovered a chain of vulnerabilities in the BIOSConnect feature of Dell SupportAssist that could allow attackers to remotely execute code in the firmware of Dell machines. Dell SupportAssist provides support functions such as troubleshooting and recovery; its BIOSConnect feature updates firmware and recovers the OS when corruption occurs. The chain received a cumulative CVSS score of 8.3. Exploitation would let an attacker impersonate the vendor and execute code at the BIOS/UEFI level on 128 Dell laptop, tablet, and desktop models, including systems protected by Secure Boot, giving the adversary control over the device's boot process and the ability to subvert the OS and higher-layer security controls. The root cause of the impersonation is that when BIOSConnect connects to Dell's backend HTTPS server, it accepts any valid wildcard certificate rather than checking that the certificate was issued for Dell's host, so an attacker who can intercept the connection can present their own certificate and deliver attacker-controlled content to the victim device. The researchers found that some HTTPS Boot configurations use the same underlying verification code and may be exploitable in the same way. The remaining three vulnerabilities are overflow bugs: two in the OS recovery process and one in the firmware update mechanism. Dell has issued a security advisory and scheduled BIOS/UEFI updates for affected systems. This article continues to discuss the BIOSConnect code execution bugs affecting millions of Dell devices.

    ZDNet reports "BIOSConnect Code Execution Bugs Impact Millions of Dell Devices"
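
    The certificate-acceptance flaw described in both Dell BIOSConnect items above, shown as an added example in Python; this illustrates the bug class and is not Dell's firmware code. `weak_server_check` accepts any chain-valid wildcard certificate, `strict_server_check` additionally matches a certificate name against the host the client intended to reach (the RFC 6125 rules for wildcards), and `client_context` shows that Python's default TLS context already enforces the strict behaviour. The certificate names and the update host name are stand-ins.

```python
import ssl
from typing import Iterable


def hostname_matches(pattern: str, host: str) -> bool:
    """RFC 6125-style match of one certificate name against the expected host.

    A wildcard is honoured only as the entire left-most label, matches exactly
    one label, and needs at least two further labels ('*.com' is rejected).
    """
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    p_labels, h_labels = pattern.split("."), host.split(".")
    if "*" not in pattern:
        return p_labels == h_labels
    if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]) or len(p_labels) < 3:
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def weak_server_check(chain_valid: bool, san_names: Iterable[str]) -> bool:
    """The bug class described above: the chain is validated, but any
    certificate carrying a wildcard name is then accepted, whatever the host.
    A publicly trusted wildcard for an unrelated domain therefore passes."""
    return chain_valid and any(name.startswith("*.") for name in san_names)


def strict_server_check(chain_valid: bool, san_names: Iterable[str], expected_host: str) -> bool:
    """Chain validation plus a name match against the host we meant to reach."""
    return chain_valid and any(hostname_matches(n, expected_host) for n in san_names)


def client_context() -> ssl.SSLContext:
    """How a Python client gets the strict behaviour for free: the default
    context verifies the chain and the hostname. Setting check_hostname to
    False would recreate the weak behaviour."""
    ctx = ssl.create_default_context()
    assert ctx.check_hostname and ctx.verify_mode == ssl.CERT_REQUIRED
    return ctx


# Constructed certificate names (subject alternative names only; not real certs).
VENDOR_SAN = ["*.dell.com", "dell.com"]
ATTACKER_SAN = ["*.attacker.example"]   # chain-valid wildcard for an unrelated domain
UPDATE_HOST = "downloads.dell.com"        # assumption: stand-in for the vendor update host

if __name__ == "__main__":
    print("weak check accepts attacker cert :", weak_server_check(True, ATTACKER_SAN))
    print("strict check accepts attacker cert:", strict_server_check(True, ATTACKER_SAN, UPDATE_HOST))
    print("strict check accepts vendor cert  :", strict_server_check(True, VENDOR_SAN, UPDATE_HOST))
```

    For an update channel the strict check is the floor, not the ceiling: signing the firmware image itself, independently of the transport, is what protects a device when the TLS layer is wrong.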

  • news

    "Zephyr RTOS Fixes Bluetooth Bugs That May Lead to Code Execution"

    Security patches were released earlier this month for the Zephyr real-time operating system (RTOS) used in embedded devices. The patches fix multiple vulnerabilities in Zephyr's Bluetooth LE Link Layer (LL) and its implementation of the Logical Link Control and Adaptation Protocol (L2CAP) that, if exploited, can cause a denial-of-service (DoS) condition or lead to remote code execution. Zephyr is a small open-source project backed by Facebook, Google, Intel, Nordic Semiconductor, Adafruit, and other big names in the industry. It supports more than 200 boards across CPU architectures including ARM Cortex-M, Intel x86, ARC, NIOS II, Tensilica Xtensa, SPARC V8, and 32-bit RISC-V, making it attractive to makers of small embedded devices such as hearing aids, smart tags, distancing trackers, safety pods for smart PPE, IoT gateways, and portable backup devices. The vulnerabilities were discovered by Matias Karhumaa, a senior software engineer at Synopsys, while testing the lowest layers of the operating system's Bluetooth LE stack. Most of the flaws affect Zephyr versions 2.4.0 and 2.5.0, and some are also present in version 1.14. Exploiting them could let an attacker within radio range make a device freeze or misbehave so that other systems can no longer connect to it; one flaw was rated high severity because it can leak sensitive information. This article continues to discuss the discovery and potential impact of the Bluetooth-related vulnerabilities in the Zephyr RTOS.

    Bleeping Computer reports "Zephyr RTOS Fixes Bluetooth Bugs That May Lead to Code Execution"

  • news

    "Attacks Against Container Infrastructures Increasing, Including Supply Chain Attack"

    The frequency and sophistication of attacks against container infrastructure continue to grow. Using internet scanning tools such as Masscan, adversaries can detect a newly exposed vulnerable container within a few hours. Aqua Security's Cloud Native Report shares findings from the analysis of more than 17,000 attacks that hit its honeypots between June 2019 and December 2020. According to the report, it takes an average of five hours for adversaries to detect a new misconfigured container, with the fastest detection time being within a few minutes and the longest being 24 hours. In half of the cases, a new container was detected in less than one hour. Public search engines like Shodan and Censys continue to be used by some adversaries to find misconfigurations. When a host is compromised, the adversary will likely use worms to detect and infect new hosts, thus increasing the frequency of scanning and the likelihood of detecting new misconfigurations. Over 90 percent of the attacks were found to be designed to hijack resources for cryptocurrency mining. Most of the attacks are related to the Kinsing malware campaign, which downloads a cryptominer. Aqua also warned that more than 40 percent of the attacks involve backdoors. The frequency of attacks has increased significantly, from an average of 12.6 per day in H2 2019 to 77 per day in H1 2020 and 97.3 per day in H2 2020. Based on honeypot data, the greatest number of attacks originated from Russia, followed by the U.S. This article continues to discuss key findings from Aqua Security's Cloud Native Report on attacks against the container supply chain and infrastructure.

    Security Week reports "Attacks Against Container Infrastructures Increasing, Including Supply Chain Attack"

  • news

    SoS Musings #50 - Moving Automotive Cybersecurity into the Fast Lane

  • news

    Spotlight on Lablet Research #19 - Mixed Initiative and Collaborative Learning in Adversarial Environments

  • news

    Cyber Scene #57 - New Cybersecurity Developments

  • news

    Cybersecurity Snapshots #19 - Are Smart Home Gym Equipment and Health and Fitness Apps Secure?

  • news

    "Gaming Industry Experiences 340% Spike in Web App Attacks"

    According to a new report by Akamai, web application attacks targeting the video game industry grew at a higher rate than those against any other sector during the COVID-19 pandemic. Web application attacks surged by 340% in 2020 compared to 2019, totaling more than 240 million attempts against the video game industry. The most prominent web application attack vector was SQL injection, making up 59% of all attacks against the gaming sector. This method targets the login credentials and personal information of players. SQL injection was followed by local file inclusion, which comprised 24% of all attacks. This method focuses on sensitive details within apps and services that can further compromise game servers and accounts. Other prominent vectors in this category were cross-site scripting and remote file inclusion, accounting for 8% and 7% of the attacks detected by the researchers, respectively. The video game industry also experienced a 224% increase in credential stuffing attacks in 2020 compared to 2019, totaling nearly 11 billion attempts. The researchers stated that credential stuffing became so common that bulk lists of stolen usernames and passwords were available for as little as $5 on illicit websites. Surprisingly, there was a 20% reduction in DDoS attacks targeting the gaming industry.

    Infosecurity reports: "Gaming Industry Experiences 340% Spike in Web App Attacks"

  • news

    "Nearly 10% of SMB Defense Contractors Show Evidence of Compromise"

    Cybersecurity vendor BlueVoyant conducted a new study that analyzed a representative sample of 300 smaller contractors from a defense industrial base (DIB) estimated to have anywhere from 100,000 to 300,000 suppliers. The researchers uncovered signs of weakness in this complex ecosystem of contractors, potentially putting national security at risk. More than half of SMB contractors in the US defense supply chain are critically vulnerable to ransomware attacks. Half of the companies studied had unsecured ports vulnerable to ransomware attacks, while 48% had vulnerable ports and other weaknesses, including unsecured data storage ports, out-of-date software and operating systems, and other vulnerabilities rated severe by NIST. Unpatched flaws were particularly concerning: more than six months after critical F5 and Microsoft Exchange vulnerabilities were published, nine companies had yet to fix them. The researchers also found that a fifth (20%) of SMB contractors have multiple vulnerabilities and evidence of targeting, while 7% also showed evidence of compromise. In total, BlueVoyant found evidence of over 1,300 email security issues, more than 400 vulnerabilities, and 344 indications that suggest "company resources are involved in anomalous or criminal activity." Over a quarter (28%) of the appraised contractors showed evidence indicating they would fail to meet the most basic tier-1 requirement of the Cybersecurity Maturity Model Certification (CMMC). CMMC is a critical compliance standard designed to improve security best practices among US defense contractors.

    Infosecurity reports: "Nearly 10% of SMB Defense Contractors Show Evidence of Compromise"

  • news

    "Inglis Confirmed as First National Cyber Director"

    Former NSA'er Chris Inglis was confirmed by the Senate as the first national cyber director. His job is to make sure that all federal agencies operate consistently with national cyber policy. The director will be the Biden administration's main point of contact for cybersecurity problems when things go wrong, acting as the coordinator of the response from the federal agencies with offensive and defensive responsibilities in cyberspace.

    SC Media reports "Inglis Confirmed as First National Cyber Director": https://www.scmagazine.com/home/security-news/government-and-defense/inglis-confirmed-as-first-national-cyber-director/

  • news

    "Connecting to Malicious Wi-Fi Networks Can Mess With Your iPhone"

    A bug has been discovered in iOS that can disable Wi-Fi connectivity on an iPhone when it joins a network whose SSID is "%p%s%s%s%s%n". After connecting to that Wi-Fi network, the device loses the ability to join any network in the future. According to reverse engineer Carl Schou, the bug is caused by the internal logging functionality of the iOS Wi-Fi daemon, which uses the SSID inside a format expression. In some cases, this condition makes it possible for unauthorized format strings to be injected into sensitive parts of the Apple OS. Schou and other security experts have said that the bug is unlikely to be exploitable for executing malicious code. Another analysis of the bug found that it stems from a flaw in an iOS logging component that uses the CONCAT function to convert the SSID string into a format string before it is written to the log file. Since the strings are not echoed to sensitive parts of iOS, a hacker would likely be unsuccessful in maliciously abusing the logging feature. In addition, exploiting the bug would require a person to actively connect to a network with a suspicious-looking name. Researchers from the security firm AirEye reached a different assessment, finding that the technique could be used to circumvent security appliances that sit at the perimeter of a network to block unauthorized data from entering or exiting. This article continues to discuss the discovery and source of the iOS bug that causes a specific network name to disable Wi-Fi on iPhones.

    Ars Technica reports "Connecting to Malicious Wi-Fi Networks Can Mess With Your iPhone"

  • news

    "Average Time to Fix Critical Cybersecurity Vulnerabilities Is 205 Days"

    According to a new report from WhiteHat Security, the average time taken to fix critical cybersecurity vulnerabilities has increased from 197 days in April 2021 to 205 days in May 2021. Organizations in the utility sector were found to have the largest window of exposure for their application vulnerabilities. More than 66 percent of applications used in the utility sector contained at least one exploitable vulnerability that remained open throughout the year. Over 60 percent of applications in the manufacturing industry were also found to have a window of exposure of more than 365 days. The finance industry has a more balanced window of exposure outlook, with nearly 40 percent of applications having an exposure window of 365 days and about 30 percent having an exposure window of fewer than 30 days. The report pointed out the top five classes of vulnerabilities seen over the last three months: information leakage, insufficient session expiration, cross-site scripting, inadequate transport layer protection, and content spoofing. The WhiteHat Security researchers stressed that these types of vulnerabilities require little effort or skill to discover and exploit. This article continues to discuss key findings from WhiteHat Security's AppSec Stats Flash report and how organizations should address application vulnerabilities.

    ZDNet reports "Average Time to Fix Critical Cybersecurity Vulnerabilities Is 205 Days"

  • news

    "Over 30,000 Fertility Clinic Patients Hit by Ransomware Data Breach"

    Tens of thousands of Reproductive Biology Associates (RBA) patients have had sensitive personal and medical information stolen in a ransomware attack. RBA is a US fertility clinic that was the first organization of its kind to offer IVF in the US state of Georgia, and it is the founding partner of the nationwide fertility clinic network My Egg Bank. In a new breach notification, RBA claimed to have first become aware of the cyber-incident on April 16 this year, when it discovered that a file server containing embryology data had been encrypted. Based on RBA's investigation, it believes the actor first gained access to its system on April 7, 2021, and subsequently to a server containing protected health information on April 10, 2021. On June 7, 2021, access to the encrypted files was regained, and RBA obtained confirmation from the actor that all exposed data had been deleted and was no longer in the actor's possession. In total, the information of 38,000 patients was exposed in the incident, with full names, addresses, Social Security numbers, lab results, and "information related to the handling of human tissue" potentially impacted. RBA stated that it also conducted web searches to check whether any of the stolen information was being discussed or traded online and that it had so far found no indication of such activity.

    Infosecurity reports: "Over 30,000 Fertility Clinic Patients Hit by Ransomware Data Breach"

  • news

    "Ohio Medicaid Provider Suffers Data Breach"

    On Monday, the Ohio Department of Medicaid warned that an unknown party had accessed, without authorization, data held by a company called Maximus for two days in May. The incident occurred from May 17 to May 19. The department had hired Maximus to carry out data management. The information exposed in the incident included names, dates of birth, and Social Security numbers belonging to the state's Medicaid providers. Data concerning Medicaid patients or beneficiaries was not affected by the security incident. The hacker accessed the information via an application. Once the intrusion had been detected, Maximus took the breached app offline and contacted law enforcement.

    Infosecurity reports: "Ohio Medicaid Provider Suffers Data Breach"

  • news

    "Process Ghosting: A New Executable Image Tampering Technique in the Wild"

    Elastic Security uncovered a new executable image tampering attack called Process Ghosting. Remote attackers are using this new technique to stealthily deploy malware on a targeted Windows system. Process Ghosting evades anti-malware defenses and detection by concealing the malicious code. Using this technique, an attacker can write a piece of malware to disk in a way that makes it difficult to scan or delete. According to researchers, the technique does not involve code injection, Process Hollowing, or Transactional NTFS (TxF). A gap exists between when a process is created and when security products are notified of its creation, providing a window in which malware authors can tamper with the executable before the products can scan it. This article continues to discuss the flow of the new image tampering attack Process Ghosting.

    CISO MAG reports "Process Ghosting: A New Executable Image Tampering Technique in the Wild"

  • news

    "Amazon Prime Day - Beware of Phishing Deluge, Experts Warn"

    Security researchers at Tessian have warned online shoppers to beware of scam emails and texts over the next couple of days as the Amazon Prime Day e-commerce bonanza gets underway. The most common tactic used by scammers will be to impersonate Amazon in phishing emails, luring consumers with 'too good to be true' deals or prize offerings to encourage them to click malicious links or enter their details into fake websites. Another common technique used by adversaries is to impersonate logistics or delivery companies in text message scams, asking consumers to click a link to confirm delivery details, track orders, or reroute packages. Tessian detected a 133% increase in phishing emails related to Amazon Prime Day or the Amazon Store on the second day of the event last year, compared to the normal daily average for the month. The researchers warn that the scams may continue even after the event itself has wound down. The researchers suggest that consumers refrain from clicking on unsolicited text message links, and that they also be on the lookout for spelling and grammatical mistakes and for deals that seem too good to be true.

    Infosecurity reports: "Amazon Prime Day - Beware of Phishing Deluge, Experts Warn"

  • news

    "Attackers Find New Way to Exploit Google Docs for Phishing"

    Researchers at the email and collaboration security firm Avanan have discovered a new method that attackers are using to trick victims into visiting malicious phishing websites via Google Docs. The attack begins with the threat actor sending potential victims an email on a topic likely to be of interest or relevance to them. The email comes with a link that directs the user to a Google Docs page with what seems to be a downloadable document. Although the page appears to be a typical Google Docs page for sharing documents outside the organization, it is actually a custom web page designed to look like a legitimate Google Docs page. The link to download the document redirects the user to a malicious phishing website that mimics the Google Docs sign-in page. This phishing website steals the usernames and passwords entered by victims. According to Gil Friedrich, CEO and Co-Founder of Avanan, this is the first time his company has seen Google Docs being used to render an entirely attacker-created web page. The Google Docs hack is one of the latest examples of the abuse of trusted cloud services such as Google Docs, AWS, and Microsoft Azure to host and distribute malicious content. New research from Proofpoint showed that growth in the adoption of cloud collaboration tools and services is accompanied by an increase in the abuse of such services. For example, in 2020, thousands of Proofpoint customers were targeted with around 60 million malicious messages via Microsoft Office 365 and 90 million messages sent from or hosted on Google Cloud. This article continues to discuss the new way in which attackers are exploiting Google Docs for phishing and the increased abuse of trusted cloud services to send and host malicious content.

    Dark Reading reports "Attackers Find New Way to Exploit Google Docs for Phishing"

  • news

    "Bipartisan Bill to Prevent International Cybercrime Reintroduced"

    A bipartisan group of U.S. senators recently reintroduced the International Cybercrime Prevention Act, which is aimed at arming law enforcement with the tools needed to combat cybercrime and better protect Americans. The bill, first introduced in 2018, creates new criminal violations for those launching cyberattacks against critical infrastructure such as hospitals, election infrastructure, power plants, and dams. The International Cybercrime Prevention Act would prohibit cybercriminals from selling access to botnets to execute cyberattacks, improve prosecutors' ability to shut down botnets, allow authorities to seize communication devices and other property used to commit cybercrime, and more. This bill would also provide tools and resources to the Department of Justice for protecting the U.S. from future cyberattacks. This article continues to discuss the importance and goals of the International Cybercrime Prevention Act.

    MeriTalk reports "Bipartisan Bill to Prevent International Cybercrime Reintroduced"

  • news

    "CVS Health Records for 1.1 Billion Customers Exposed"

    Security researchers at WebsitePlanet found the non-password-protected database, which had no form of authentication in place to prevent unauthorized entry, on March 21. The database contained information about CVS Health customers. The researchers stated that the database included enough information to derive customers' PII. The total size of the database was 204 GB, according to the researchers. It held 1.1 billion records, or, to be precise, 1,148,327,940 files. They were labeled "production" and included information typed into search bars, categorized by data types such as "add to cart," "configuration," "dashboard," "index-pattern," "more refinements," "order," "remove from cart," "search," and "server." The records also exposed fields called Visitor ID and Session ID, and device information such as whether customers were using an iPhone, an Android, an iPad, or a desktop PC. The team noted that by stringing together the data, they could reveal emails that could be targeted in a phishing attack, in social engineering, or "potentially used to cross-reference other actions." The researchers believe that the database was left open due to human error. The researchers stated that this is probably yet another instance of the rampant misconfiguration that is plaguing cloud-based storage, leading to the exposure of sensitive data on an internal network. After the researchers contacted CVS Health, the exposed database was closed off from public view.

    Threatpost reports: "CVS Health Records for 1.1 Billion Customers Exposed"

  • news

    "New Buer Malware Loader Spread Through DHL Scam Email"

    According to researchers at Proofpoint, attackers are using fake DHL shipping emails to trick recipients into opening malicious Word and Excel documents that lead to an infection with 'RustyBuer,' a new variant of the Buer Loader malware family written in the Rust programming language. The DHL-themed phishing emails deliver one of two Buer Loader variants, the first written in C and the second written in Rust. RustyBuer's attachments come with more detailed content than those of the C variant, to better engage recipients. Upon further investigation, Proofpoint discovered that a document macro includes the malware payload and requires user interaction. That macro applied an application bypass to avoid detection. Once RustyBuer is loaded, it uses a shortcut file to establish persistence at startup. In some cases, it then distributes a Cobalt Strike beacon. Malicious actors could establish a foothold in their victims' networks through this type of attack. This article continues to discuss the distribution of RustyBuer malware, possible reasons why Buer Loader's authors rewrote their malware in Rust for the DHL scam email campaign, and how organizations can defend themselves against email-borne Buer attacks.

    Security Intelligence reports "New Buer Malware Loader Spread Through DHL Scam Email"

  • news

    "Colorado Passes New Privacy Act"

    Colorado has unanimously passed a new data privacy act to safeguard Coloradoans' personal information. The Colorado Privacy Act is due to take effect on July 1, 2023, and now awaits the signature of state governor Jared Polis. Should the Act become law, Colorado will follow California and Virginia in enacting comprehensive privacy legislation. The Act gives consumers who reside in Colorado five key rights over their personal data. Firstly, they have the right to opt out of the sale of their personal data, of the processing of personal data for targeted advertising purposes, and of automated profiling in furtherance of decisions that produce legal or similarly significant effects. Coloradoans also have the right to access their personal data held by a data controller and the right to correct their personal data if inaccuracies are identified. Finally, they have the right to be provided with their data in a portable and ready-to-use format and the right to have their personal data erased.

    Infosecurity reports: "Colorado Passes New Privacy Act"

  • news

    "A New Tool Wants to Save Open Source From Supply Chain Attacks"

    The NotPetya malware attack and the recent SolarWinds cyberespionage campaign both present real-world examples of software supply chain attacks, in which a hacker slips malicious code into legitimate, widely used software. Supply chain security has become more important than ever as more software supply chain attacks emerge. The Sigstore platform, which is affiliated with the Linux Foundation and led by Google, Purdue University, and Red Hat, was developed in hopes of encouraging the adoption of code signing, an important practice for protecting software supply chains that is often overlooked by popular and widely used open-source software projects. Open-source developers do not always have the resources, time, or expertise to implement code signing alongside the other nonnegotiable components required for their code to run. Software developers can use the Sigstore service to digitally sign their releases and other software artifacts, improving the security of the open-source software supply chain. Sigstore coordinates the complicated cryptography on behalf of its users. The service offers the option of handling everything for developers who are unable or unwilling to take on the extra work themselves. Developers can immediately start cryptographically signing their code as having been made by them at a specific time, using established, preexisting identifiers such as an email address or a third-party sign-in system like Sign In With Google or Sign In With Facebook. Sigstore also automatically produces a public, unchangeable open-source log of all activity, thus providing public accountability for every single submission as well as a place to investigate if something goes wrong. This article continues to discuss the importance of code signing for protecting software supply chains, why developers often overlook this practice, how the Sigstore tool encourages the adoption of code signing, and why open-source security is complicated.

    Wired reports "A New Tool Wants to Save Open Source From Supply Chain Attacks"

  • news

    "A Study Develops a New Protocol That Makes Cryptocurrency Transactions Faster and Safer"

    Security and privacy researchers at TU Wien, together with the IMDEA Software Institute and Purdue University, have developed a protocol aimed at improving the security and speed of transactions in cryptocurrencies such as Bitcoin. Cryptocurrencies continue to grow in popularity due to the many advantages they offer over Mastercard or Visa. Cryptocurrency transactions are usually decentralized, anonymous, and global. However, there is still progress to be made with regard to security, privacy, and efficiency. The team's improved protocol addresses problems associated with Bitcoin transactions, such as possible fraud, users discovering each other's confidential information, the limited number of transactions, and the occurrence of delays. This article continues to discuss the growing popularity of cryptocurrencies and the new protocol developed to make cryptocurrency transactions more secure and faster.

    The IMDEA Software Institute reports "A Study Develops a New Protocol That Makes Cryptocurrency Transactions Faster and Safer"

  • news

    "Carnival Cruise Cyber-Torpedoed by Cyberattack"

    Carnival Corp., the world's largest cruise ship operator, has sprung another leak. In a data breach notification, Carnival stated that in mid-March an unauthorized third party appears to have gained access to certain personal information relating to some of its guests, employees, and crew. On Thursday, the company added that there is evidence indicating "a low likelihood of the data being misused." The improperly accessed information included names, addresses, phone numbers, passport numbers, dates of birth, health information, and, in some limited instances, additional personal information such as Social Security or national identification numbers. This is the fourth time in a bit over a year that Carnival has admitted to a breach, with two of the incidents being ransomware attacks.

    Threatpost reports: "Carnival Cruise Cyber-Torpedoed by Cyberattack"

  • news

    "Government Faces Increasing Threat from Stolen Accounts"

    Findings from TransUnion's Public Sector Fraud Study suggest that despite the increase in the frequency and severity of fraud threats against government agencies during the COVID-19 pandemic, agencies still have not taken appropriate actions to address those threats. Over 50 percent of the nearly 600 federal, state, and local agency officials who participated in TransUnion's survey said account takeover fraud had increased over the past two years. Most government employees also said the severity of these attacks is growing. However, only 41 percent of the respondents said senior leadership is prioritizing account takeover fraud, and only 38 percent said that their IT systems are assessed regularly to prevent fraud. The increased use of online services during the pandemic has been linked to the rise in criminal attempts to swindle the government. These online services include those that disburse unemployment payments. Mobile phones have been cited as the biggest threat to customer accounts, as more than 6 in 10 respondents said such devices are the most vulnerable to account takeovers. The survey pointed to the government's overall lack of investment as a key contributing factor in the rise in fraud. Emerging technologies such as Artificial Intelligence (AI) present a bright spot: according to the survey, more than 60 percent expect AI decision-making technology to help improve security, customer status tracking, and more. This article continues to discuss key findings from TransUnion's study surrounding the increase in fraud threats to government agencies.

    NextGov reports "Government Faces Increasing Threat from Stolen Accounts"

  • news

    "Critical Flaws in Defibrillator Management Tool Pose Account Takeover, Credential Risk for Hospitals"

    The Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) has issued an Industrial Control Systems (ICS) Medical Advisory on the discovery of multiple vulnerabilities in the ZOLL Defibrillator Dashboard. The exploitation of these vulnerabilities could allow a hacker to take control of an affected system. The ZOLL Defibrillator Dashboard is designed for biomedical engineering departments in the hospital environment and provides efficient management of defibrillators, enabling real-time device monitoring in the enterprise environment and across many sites. The six vulnerabilities were discovered in all versions of the dashboard released before 2.2. An attacker does not need to be highly skilled to exploit the flaws. Through the abuse of the vulnerabilities, the attacker could gain access to credentials as well as impact the availability, confidentiality, and integrity of the application. One of the flaws, which CISA warned has a high likelihood of exploitation, is the dashboard's use of hard-coded cryptographic keys, which significantly increases the chance of an attacker recovering encrypted data. The cryptographic key is a hard-coded string value that is compared to the password; therefore, an attacker can likely read the key and compromise the system. This article continues to discuss the potential exploitation and impact of the critical flaws found in the ZOLL Defibrillator Dashboard.

    SC Media reports "Critical Flaws in Defibrillator Management Tool Pose Account Takeover, Credential Risk for Hospitals"

  • news

    "What is The Real Cost of Ransomware?"

    Cybereason released findings from a global ransomware study of nearly 1,300 security professionals which reveal that more than half of organizations have been victims of a ransomware attack. The research also reveals that 80 percent of businesses that chose to pay a ransom demand suffered a second ransomware attack, often at the hands of the same threat actor group. Two-thirds (66 percent) of organizations reported a significant loss of revenue following a ransomware attack, and 35 percent of businesses that paid a ransom demand shelled out between $350,000 and $1.4 million, while 7 percent paid ransoms exceeding $1.4 million. More than half (53 percent) of organizations indicated that their brand and reputation were damaged as a result of a successful attack. The research also reveals that 32 percent of organizations reported losing C-level talent due to ransomware attacks, and 29 percent of participants reported being forced to lay off employees due to financial pressures following a ransomware attack. A startling 26 percent of organizations reported that a ransomware attack forced the business to close down operations entirely.

    Help Net Security reports: "What is The Real Cost of Ransomware?"

  • news

    "This Strange Malware Stops You From Visiting Pirate Websites"

    Sophos researchers have discovered a new strain of malware that blocks infected users from visiting websites dedicated to software piracy. Some samples were found buried in archives disguised as software packages advertised through the Discord platform. Other samples were discovered being distributed directly via torrent. According to principal researcher Andrew Brandt, the malware's creator has used the names of many software brands, games, productivity tools, and cybersecurity solutions to hide the malware. It therefore appears to target users ranging from gamers to business professionals who may not want to purchase a software license. The adversary's targets and tools suggest that this is an anti-piracy vigilante operation. This article continues to discuss the distribution of the new piece of malware and the process by which it blocks piracy websites.

    ZDNet reports "This Strange Malware Stops You From Visiting Pirate Websites"