News Items

  • "Rhode Islander Charged with Phishing Political Candidates"

    A woman from Rhode Island has been charged with impersonating Microsoft to steal personal information from political candidates and their campaign staff. Diana Lebeau allegedly sent phishing emails to approximately 22 members of the campaign staff of a candidate for political office in or around January 2020. The 21-year-old allegedly posed as either the campaign's managers or one of the campaign's co-chairs in the emails. Recipients were directed to enter their account login details into an attached spreadsheet or to click on a link that took them to a Google Form that requested the same credentials. Lebeau is further accused of sending several phishing emails to the political candidate's spouse and colleagues at the spouse's workplace. In these emails, Lebeau allegedly impersonated Microsoft's Security Team or an employee of the workplace's technology helpdesk. Recipients were asked to add their account credentials to spreadsheets attached to the emails or were asked to enter sensitive data on a website spoofing that of the spouse's employer. According to the charging document, Lebeau's alleged actions were not motivated by financial or political aims and were not carried out to benefit any foreign government, instrumentality, or agent. Lebeau has been charged with attempted unauthorized access to a protected computer. If convicted, she could be sentenced to up to one year in prison, be placed under supervised release for up to 12 months and be fined up to $100,000.

    Infosecurity reports: "Rhode Islander Charged with Phishing Political Candidates"

  • "Hackers Using Fake Streaming Site to Distribute BazaLoader Malware Dropper"

    Security researchers at Proofpoint discovered a new phishing campaign involving a fake movie-streaming website called BravoMovies that displays posters for popular films and other content in order to make it seem legitimate to unsuspecting visitors. The hackers behind the site sent carefully crafted emails to hundreds of recipients, notifying them that they subscribed to the BravoMovies streaming service on a 30-day free trial and will be charged $39.99 after the trial period ends. The emails themselves do not contain malicious attachments, but they do present a customer service number claimed to allow recipients to unsubscribe once called. When the recipient calls the customer service number, the fraudsters direct them to visit the Frequently Asked Questions (FAQ) page of the website, follow instructions to unsubscribe via the Subscription page, and download an Excel sheet to complete the process. The Excel sheet contains macros that download BazaLoader if enabled. BazaLoader is a downloader written in C++ used to download and execute additional modules. According to Proofpoint, multiple threat actors have been observed using BazaLoader as a loader for disruptive malware, including Ryuk and Conti ransomware. The Proofpoint researchers strongly believe that there is an overlap between the distribution and post-exploitation activity of BazaLoader and threat actors behind The Trick malware, also known as TrickBot. Previously observed BazaLoader email threat campaigns have required significant human interaction to execute the malware. The previous campaigns included subscription pharmaceutical services, flower orders, and more. Using attack chains that require a lot of human interaction, threat actors can evade automated threat detection services that only flag malicious links or attachments in email. This article continues to discuss the use of a fake streaming service to distribute the BazaLoader malware dropper and previous findings surrounding BazaLoader.

    TEISS reports "Hackers Using Fake Streaming Site to Distribute BazaLoader Malware Dropper"

  • "Telegram Messenger Ads for 'Hacker' Software Hide Cryptocurrency Theft"

    Malicious actors have been observed using advertisements on the Telegram messenger app to distribute samples of cryptocurrency-stealing malware called HackBoss to would-be hackers. According to the cybersecurity firm Avast, the malware family's creators have more than 100 cryptocurrency wallet addresses, with the wallets containing a collective total of over $560,000 when the analysis was conducted. However, the real amount stolen using HackBoss malware might be less, as the security firm found that some of the creators' wallet addresses were also associated with scams aimed at tricking users into purchasing fake software. This could mean that the operators behind HackBoss have used the same cryptocurrency wallet addresses to carry out other malicious campaigns. The malware actors have been running a Telegram messenger channel called HackBoss to advertise applications said to be "the best software for hackers" for cracking banking sites, social sites, cryptocurrency wallets, and more. In reality, these fake cracking applications attempt to steal cryptocurrency from other hackers. In addition to the Telegram messenger channel, the creators of HackBoss used YouTube channels with promotional videos and posted advertisements on public forums to promote their malware. Malware such as HackBoss emphasizes the need for organizations and individual users to use caution when dealing with cryptocurrency by confirming the wallet address to which they are sending money and setting up multi-factor authentication (MFA). This article continues to discuss the use of the Telegram messenger app to distribute the cryptocurrency-stealing malware HackBoss to other hackers, other malware campaigns that have involved Telegram, and how to defend against malware like HackBoss.

    Security Intelligence reports "Telegram Messenger Ads for 'Hacker' Software Hide Cryptocurrency Theft"

  • "Hackers Exploit Post-COVID Return to Offices"

    Researchers at Cofense stated that with COVID-19 restrictions lifting and workers trickling back to offices, threat actors are sharpening their spear phishing ploys. The latest scam Cofense discovered involves pelting recipients with emails purportedly from their CIOs welcoming employees back into offices. The emails outline a company's post-pandemic cubicle protocols and, at the same time, attempt to steal company and personal credentials. The researchers stated that the body of the email appears to have been sent from a source within the company, displaying the company's logo in the header and bearing a signature that spoofs the CIO. The spoofed CIO email prompts victims to follow a link to a fake Microsoft SharePoint page with two company-branded documents, both outlining new business operations. In this step, the victim is not prompted to input any credentials. Instead of simply redirecting the victims to a login page, this additional step adds more depth to the attack and gives the impression that they are actual documents from within the company. However, if a victim decides to click on either document, a login panel appears and prompts the recipient to provide login credentials to access the files. When a victim provides their login credentials, a message comes up that states "Your account or password is incorrect" several times before taking the victim to an authentic Microsoft page, making them think they've successfully accessed the files.

    Threatpost reports: "Hackers Exploit Post-COVID Return to Offices"

  • "Conti Ransomware Gang Victimized US Health Care, First-Responder Networks, FBI Says"

    The FBI recently posted an alert stating that it tracked at least 16 Conti ransomware attacks that struck U.S. health care and first-responder networks within the last year. That accounting only factors in attacks in the past year and incidents that the FBI itself identified. In all, the alert said Conti had hit 400 organizations, nearly 300 of which were in the U.S. The FBI said the recent first responder victims include 9-1-1 dispatch centers, emergency medical services, law enforcement agencies, and municipalities. According to the alert, the Conti gang has sought as much as $25 million to decrypt systems it locked up. Conti actors gain unauthorized access to victim networks through weaponized malicious email links, attachments, or stolen Remote Desktop Protocol (RDP) credentials. Conti weaponizes Word documents with embedded PowerShell scripts, initially staging Cobalt Strike via the Word documents and then dropping Emotet onto the network, giving the actor access to deploy ransomware. The hackers tend to seek payment within two to eight days and will make Voice over Internet Protocol calls or communicate via ProtonMail to negotiate payment.

    CyberScoop reports: "Conti Ransomware Gang Victimized US Health Care, First-Responder Networks, FBI Says"

  • "Chinese Phishing Attack Targets High-Profile Uyghurs"

    Security researchers at Check Point and Kaspersky have discovered a new Chinese phishing campaign targeting the Uyghur ethnic minority with emails impersonating the United Nations, the UN Human Rights Council (UNHRC), and a fake human rights organization called TCAHF. The researchers stated that these attacks clearly use the theme of the UNHRC to trick targets into downloading malware. The researchers believe that these cyberattacks are motivated by espionage, with the end-game of the operation being the installation of a backdoor on the computers of high-profile targets in the Uyghur community. The researchers also stated that the attacks are designed to fingerprint infected devices, including all of their running programs. These attacks are ongoing, and new infrastructure is being created for what looks like future attacks.

    Infosecurity reports: "Chinese Phishing Attack Targets High-Profile Uyghurs"

  • "Businesses Boost Security Budgets. Where Will the Money Go?"

    A new report revealed that most organizations plan to invest more money in cybersecurity. However, it remains unclear as to whether additional cybersecurity investments will prepare organizations to face advanced attacks that target the supply chain and cross hybrid infrastructure. The data management software company Splunk, in collaboration with the IT analyst, research, validation, and strategy firm Enterprise Strategy Group, surveyed 535 security leaders to gain further insight into security teams' spending challenges and priorities. More than 80 percent of the security leaders revealed that their organization will increase cybersecurity spending, with 35 percent having said that there will be a "significant" boost. Over half of the respondents said cyberattacks increased during the COVID-19 pandemic, and 84 percent said that they experienced a major security incident within the past two years. The most common types of attacks include email compromises, data breaches, mobile malware attacks, distributed denial-of-service (DDoS) attacks, phishing attacks, ransomware attacks, and regulatory compliance violations. Over 40 percent of the security leaders cited IT time and personnel needed for remediation as the primary cost of security incidents. Other significant costs behind security incidents include loss in productivity, disruptions to applications and systems, disruptions to business processes, the breach of confidential data, public breach disclosure, and employee termination or prosecution. Security spending is expected to increase significantly in cloud security, cyber risk management, network security, security operations, security analytics, endpoint security, and data privacy. This article continues to discuss the common attacks experienced by organizations during the pandemic and areas in which security spending is expected to increase.

    Dark Reading reports "Businesses Boost Security Budgets. Where Will the Money Go?"

  • "CISA-FireEye: 16 Malware Families From China Infect Pulse Secure VPN Appliances"

    FireEye's Mandiant cyber forensics team, working together with the Cybersecurity and Infrastructure Security Agency (CISA) and Ivanti, provided details surrounding 16 malware families designed to infect Ivanti Pulse Connect Secure VPN appliances. These malware families have been used by China-linked cyber espionage groups. Mandiant reported that the compromises involving Pulse Secure's VPN appliances occurred at organizations within the defense, government, high tech, transportation, and financial sectors across the U.S. and Europe. According to the researchers, the espionage activity conducted by UNC2630 and UNC2717 supports significant Chinese government priorities. Many of the compromised organizations operate in verticals and industries aligned with Beijing's strategic objectives, which are highlighted by China's recent 14th Five-Year Plan. This article continues to discuss the discovery of 16 malware families custom-tailored for infecting Pulse Secure VPN appliances.

    SC Media reports "CISA-FireEye: 16 Malware Families From China Infect Pulse Secure VPN Appliances"

  • "NASA Identified Over 6,000 Cyber Incidents in Past 4 Years"

    The U.S. National Aeronautics and Space Administration (NASA) identified over 6,000 cyber incidents in the last four years. NASA has institutional systems, including data centers, web services, computers, and networks that are used for daily work activities. The agency also has mission systems, such as those used to control spacecraft and process scientific data in support of aeronautics, space exploration, and science programs. NASA operates over 4,400 applications, more than 15,000 mobile devices, about 13,000 software licenses, almost 50,000 computers, and 39,000 TB of data. An audit conducted by NASA's inspector general revealed an increase in the complexity and severity of cyber incidents aimed at stealing critical information. The audit also revealed limitations in the agency's ability to detect, prevent, and mitigate attacks. In 2020, most incidents faced by NASA were related to improper usage, which includes installing unapproved software or accessing inappropriate materials. Such incidents increased from 249 in 2017 to 1,103 in 2020. NASA also believes that the increase in the number of detected incidents is a result of better network visibility. This article continues to discuss some key findings from a report published this month by NASA's Office of Inspector General pertaining to cyber incidents faced by the agency.

    Security Week reports "NASA Identified Over 6,000 Cyber Incidents in Past 4 Years"

  • "CyLab's IoT Security and Privacy Label Effectively Conveys Risk, Study Finds"

    In 2020, a team of researchers at Carnegie Mellon University's CyLab revealed a prototype security and privacy "nutrition label" similar to that of the label placed on a food product to tell consumers how many calories it has. The security and privacy label is intended to raise consumer awareness about the risks associated with purchasing and using Internet of Things (IoT) devices. The label provided information such as what type(s) of data the device collects, with whom the data is shared, why this data is collected, and more. In order to find out how actual consumers perceive risk when given this information and how this information affects their purchasing behavior, the research team conducted a large-scale study. The study found that people perceived the risk associated with most of the tested attributes accurately. The participants' perceptions were also found to influence their willingness to purchase IoT devices. Although most of the security and privacy attributes displayed by the label produced accurate risk perceptions, there were some misconceptions. Many of the participants presented with the attribute "Average Time to Patch," which had values of either "one month" or "six months," perceived both to be high risk and lowered their willingness to purchase. According to some participants, a device that needs to be patched must not be secure. These findings suggest that manufacturers need to explain why patching may be necessary, why it takes a certain amount of time to patch a flaw, and why it may not be practical to patch vulnerabilities rapidly. Findings from the study will help improve the IoT privacy and security label, which can strengthen the safety and security of the IoT ecosystem. This article continues to discuss the goal of CyLab's security and privacy label, as well as findings from the study on how the information presented by the label changes consumers' risk perception and their willingness to purchase IoT devices.

    CyLab reports "CyLab's IoT Security and Privacy Label Effectively Conveys Risk, Study Finds"

  • "5G Infrastructure Faces Foundational Threats"

    The U.S. Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and the Office of the Director of National Intelligence (ODNI) released a report that explores the potential threat vectors to 5G infrastructure. The report draws further attention to the risks to 5G that threaten national and economic security and that could also affect other national and global interests. The 5G Threat Model Working Panel, which was formed as part of the "National Strategy to Secure 5G," reviewed existing work to develop an aggregated list of known and potential threats to 5G infrastructure. The panel identified sample scenarios in which 5G might be adopted, and then assessed the risks related to 5G core technologies. Although IT and communication firms are strengthening security with 5G, system architectures are at risk because malicious actors may exploit both legacy and new vulnerabilities. The overlay of 4G legacy and 5G architectures may enable a downgrade attack in which a 5G network user is forced to use 4G. As a result, the malicious actor could exploit known 4G vulnerabilities. The increased use of information and communications technologies by 5G networks will also give malicious actors more potential points of entry. This article continues to discuss the main potential threat vectors to 5G networks identified by the new report.

    GCN reports "5G Infrastructure Faces Foundational Threats"

  • "Vishing Attacks Spoof Amazon to Try to Steal Your Credit Card Information"

    The cybersecurity firm Armorblox examined two recent vishing campaigns that spoofed Amazon in an attempt to steal credit card information from unsuspecting victims. In a vishing (voice phishing) attack, a scammer uses social engineering to trick victims into giving up sensitive personal information and financial details, such as passwords and account numbers. Organizations are encouraged to supplement their native email security with additional protection, be on the lookout for signs of social engineering, avoid sharing sensitive information over the phone, implement Multi-Factor Authentication (MFA), prohibit the reuse of the same password across multiple accounts, and more, to avoid falling victim to vishing attacks and other threats. This article continues to discuss findings from Armorblox regarding two vishing attacks and the company's suggestions for organizations to fend off such attacks.

    TechRepublic reports "Vishing Attacks Spoof Amazon to Try to Steal Your Credit Card Information"

  • "FBI Issues Fortinet Flash Warning"

    The United States Federal Bureau of Investigation issued a flash warning Thursday over the exploitation of Fortinet vulnerabilities by advanced persistent threat (APT) groups. According to the FBI, an APT actor group has been exploiting a FortiGate appliance since at least May 2021 to access a web server hosting the domain for a US municipal government. The APT actors may have established new user accounts on domain controllers, servers, workstations, and in Active Directory to help them carry out malicious activity on the network. The FBI stated that some of these accounts appear to have been created to look similar to other existing accounts on the network, so specific account names may vary per organization. However, the Feds warned organizations to be on the lookout for accounts created with the usernames "elie" or "WADGUtilityAccount." Once inside a network, the APT actors can conduct data exfiltration, data encryption, or other malicious activity. The alert comes just one month after the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) warned that APT actors had gained access to devices on ports 4443, 8443, and 10443 for Fortinet FortiOS CVE-2018-13379, and enumerated devices for FortiOS CVE-2020-12812 and FortiOS CVE-2019-5591.

    Infosecurity reports: "FBI Issues Fortinet Flash Warning"

  • Malvertising

    Hackers used fake ads on Google to trick users into downloading a malicious AnyDesk application. The ad campaign ranked higher in downloads than even the real AnyDesk ads. Researchers estimated that over 40% of users who clicked on the fake ad downloaded and installed the malware, showing that this was a very successful strategy for the fraudsters.

  • "Nobelium Phishing Campaign Poses as USAID"

    The cybercriminal group behind the notorious SolarWinds attack is at it again with a sophisticated mass email campaign aimed at delivering malicious URLs with payloads enabling network persistence so the actors can conduct further nefarious activities. Microsoft Threat Intelligence Center (MSTIC) began tracking this latest campaign of Nobelium (previously known as Solarigate) in late January when it was in the reconnaissance stage and observed it as it evolved over a series of waves demonstrating significant experimentation. The researchers have recently observed an escalation in the effort as the threat group began masquerading as a U.S.-based development organization to distribute emails containing the malicious URLs, using a legitimate mass-emailing service, Constant Contact. The threat actors targeted a wide variety of organizations and industry verticals. The targets in the latest attack, which is ongoing, are 3,000 individual accounts across more than 150 organizations. MSTIC observed Nobelium changing tactics several times throughout its latest campaign. After initial reconnaissance, the group mounted a series of spear-phishing campaigns from February through April with a similar intent to compromise systems through an HTML file attached to the email. The group experimented with alterations to both the email and the HTML document throughout those months, as well as with how the malware infected victims' machines, the researchers stated.

    Threatpost reports: "Nobelium Phishing Campaign Poses as USAID"

  • "Alert Overload Distressing 70% of SecOps Teams"

    Researchers at Trend Micro conducted a new study in which they polled 2,300 cybersecurity decision-makers who run Security Operations Centers (SOCs) or SecOps from within their IT security function. The researchers found that nearly three-quarters of security operations (SecOps) leaders say the stresses of alert overload are impacting their home lives. Over half (51%) of the participants stated that their team is being overwhelmed by the volume of alerts, and 55% admitted that they aren't confident in their ability to prioritize and respond to them. On average, respondents said they're spending over a quarter (27%) of their time dealing with false positives. This is taking its toll emotionally, with 70% of participants claiming they feel so stressed outside of work that they cannot switch off or relax and are irritable with friends and family. In the SOC or IT security department, many admitted to turning off alerts (43%), walking away from their computer (43%), hoping another team member would step in (50%), or ignoring alerts entirely (40%). The researchers stated that the research revealed the inadequacy of current tooling in helping SOCs and SecOps prioritize alerts generated from multiple security controls.

    Infosecurity reports: "Alert Overload Distressing 70% of SecOps Teams"

  • What Path Would You Take?

    Visit the Hints page to solve the Puzzle in the May 2021 edition of Science News magazine. You can solve the puzzle using paper and pencil. (You do not need to write code!) If you're successful, you will have the words that answer the "hint".

  • "Data Breach at Canada Post"

    Canada's primary postal operator, Canada Post, confirmed Wednesday that it had suffered a data breach. The security incident occurred following a cyberattack on one of the Crown corporation's suppliers, Commport Communications, which provides electronic data interchange solutions. Following the cyberattack, Canada Post has informed 44 of its commercial customers that data belonging to more than 950,000 customers has been compromised. The exposed information dates from July 2016 to March 2019, and most of it (97%) contains the name and address of the receiving customer. The customer's email address and/or phone number were included in 3% of the compromised data. Canada Post stated that a detailed forensic investigation into the data breach had not turned up any evidence of compromised financial information.

    Infosecurity reports: "Data Breach at Canada Post"

  • "Number of Breached Records Soars 224% Annually"

    In a new study, researchers at Imperva found that the volume of compromised records globally has increased on average by 224% each year since 2017. There were more records reported as compromised in January 2021 alone (878 million) than for the whole of 2017 (826 million). The researchers also found that there has been a 34% rise in the number of reported breaches between 2017 and 2021 and a 131% increase in the average number of compromised records per incident. Imperva is predicting that this year will see around 1,500 data breach incidents and 40 billion records compromised. Of the 100 biggest incidents that led to the compromise of records over the past decade, the researchers claimed 42% came from Elasticsearch servers, a quarter (25%) from AWS S3 buckets, and 17% from MongoDB deployments.

    Infosecurity reports: "Number of Breached Records Soars 224% Annually"

  • "Columbia Engineering Team Builds First Hacker-Resistant Cloud Software System"

    Columbia Engineering researchers have developed SeKVM, the first formally verified system that guarantees the security of virtual machines in the cloud. Formal verification is a process that proves the mathematical correctness of software, correct functionality of the program's code, and the absence of hidden security bugs. According to Jason Nieh, a Professor of Computer Science and Co-Director of the Software Systems Laboratory at Columbia University, this is the first time that a real-world multiprocessor software system has been proven to be mathematically correct. This will ensure that the software running in the cloud manages user data correctly, and that the data is protected from security bugs and hackers. The significant advancement of cloud computing has allowed companies and users to move their data and computation off-site into virtual machines in the cloud. Cloud computing providers use hypervisors to support these virtual machines. Hypervisors make cloud computing possible. The security of data stored on a virtual machine depends on the correctness and trustworthiness of the hypervisor. Even if a hypervisor is written 99 percent correctly, just one weak link can allow a hacker to take over a system. The researchers' work is the first to verify a commodity system, specifically the KVM hypervisor used by cloud providers such as Amazon to run virtual machines. They proved that SeKVM could guarantee that virtual computers are isolated. MicroV is a new framework for verifying the security properties of large systems, which was used to verify SeKVM. This hacker-resistant cloud software system is expected to change how cloud services are designed, developed, deployed, and trusted. This article continues to discuss the development and applications of SeKVM.

    Columbia University reports "Columbia Engineering Team Builds First Hacker-Resistant Cloud Software System"

  • "New AI Technology Protects Privacy in Healthcare Settings"

    An interdisciplinary team of researchers from Imperial College London (ICL), the Technical University of Munich (TUM), and the non-profit organization OpenMined developed new technology to protect personal patient data while training healthcare Artificial Intelligence (AI) algorithms. According to the researchers, their new privacy-protecting techniques have shown better accuracy in diagnosing various types of pneumonia in children than existing algorithms. The effectiveness of AI algorithms used to support clinicians in diagnosing cancers and other illnesses depends on the quality and quantity of the medical data used to train them. Clinics often share patient data with each other to maximize the data pool. In order to protect this data, it usually goes through the processes of anonymization and pseudonymization. However, these safeguards have often been inadequate for the protection of patients' health data. The team developed a unique combination of AI-based diagnostic processes for radiological image data that maintains the privacy of patient data. The researchers applied federated learning, where the deep learning algorithm is shared instead of the data itself. Machine Learning (ML) models were trained in different hospitals using local data and returned to the authors. The data owners did not need to share their data and maintained control. They used a technique called secure aggregation to prevent the identification of institutions where the algorithm was trained. Algorithms were combined in encrypted form, and only decrypted after they were trained with the participating institutions' data. This article continues to discuss the team's privacy-preserving AI method for healthcare settings, as well as the importance of ensuring the privacy and security of healthcare data.

    Imperial College London reports "New AI Technology Protects Privacy in Healthcare Settings"

  • "Malware Used Zero-Day Exploit to Take Screenshots of Victims' Macs"

    Apple has patched a vulnerability, discovered by Jamf researchers, that malware actors have been exploiting to circumvent the Transparency Consent and Control (TCC) framework. The evasion of this framework allows the actors to take screenshots of an infected computer desktop without having to trick the user into granting permissions to them. Since the TCC system controls which resources and tools different applications can access, bypassing it could have allowed the attackers to perform more malicious activities besides just taking screenshots, according to the researchers who found the flaw. Tests have shown that the same exploit could be used to avoid the prompts that display when an application accesses the microphone and webcam. The exploit could also be used to bypass the prompts that are supposed to display when an application accesses a user's personal files and folders. The zero-day exploit was leveraged by a malware program called XCSSET. This discovery brings further attention to the fact that non-Windows operating systems are increasingly being targeted and that attackers are actively looking for macOS vulnerabilities. This article continues to discuss the recently patched zero-day vulnerability found in macOS and its exploitation by attackers using XCSSET malware.

    SC Media reports "Malware Used Zero-Day Exploit to Take Screenshots of Victims' Macs"

  • news

    SoS Musings #49 - 911: We Have a Cybersecurity Emergency

  • news

    Cyber Scene #56 - Part Deux: Cyber Climate Change with Chinese Characteristics

  • news

    "Bose Reveals Ransomware Attack Impacting Staff"

    Bose has told regulators that a sophisticated ransomware attack back in March led to unauthorized access of personal information on current and former employees. The company first detected the ransomware back on March 7, 2021. However, nearly two months later, on April 29, it found that human resources files were accessed. The personal information contained in these files includes names, Social Security Numbers, and compensation-related information. The company stated that the forensics evidence shows that the threat actor interacted with a limited set of folders within these files. Bose does not have any evidence to confirm that the data in these files were successfully exfiltrated but cannot verify that they were not. The company is engaged with third-party experts to scour the dark web for this data, to check if it is being actively used by cyber-criminals, and is also working with the FBI. As of May 19th, the company has not received any indication through its monitoring activities or from impacted employees that the data discussed has been unlawfully disseminated, sold, or otherwise disclosed. Only a small number of staff were affected, and the firm did not pay the ransom requested. To mitigate the risk of a worse attack in the future, the organization has started putting into place enhanced anti-malware, logging, and monitoring, blocking malicious IPs linked to the threat actor, changing passwords for all end-users, and changing access keys for all service accounts.

    Infosecurity reports: "Bose Reveals Ransomware Attack Impacting Staff"

  • news

    "UK Police Suffered Thousands of Data Breaches in 2020"

    Researchers at VPNoverview discovered that there were over 2300 data breach incidents reported by just 22 of the UK's police forces in 2020. The researchers requested information from the UK's 45 police forces and received responses from 31. The results revealed a national average of 299 data breaches per police station over the period dating from 2016 to the first four months of 2021. The researchers found that Lancashire Constabulary topped the list of forces suffering the most data breaches over the period (1300), followed by nearby Cheshire Constabulary (1193), Sussex Police force (980), and the Police Service of Northern Ireland (928). Five police forces reported fewer than ten incidents from 2016-21, while London's Metropolitan Police and Dorset Police claimed to have suffered no breaches in over four years. Sussex Police has already recorded 62 data breach incidents so far in 2021, followed by West Midlands Police (37), North Wales (24), and Wiltshire Constabulary (12).

    Infosecurity reports: "UK Police Suffered Thousands of Data Breaches in 2020"

  • news

    "Not as Complex as We Thought: Cyberattacks on Operational Technology Are on the Rise"

    FireEye's Mandiant cyber forensics team has released a new report focusing on the rate of attacks on control processes supported by Operational Technology (OT). Attacks on control processes were previously considered complex because of access requirements and the need for malware that can compromise proprietary industrial technologies. However, the attack surface has been widened by vulnerable, Internet-facing OT endpoints. The number of less-sophisticated OT attack attempts is increasing, with hackers of varying levels of skill and resources having been observed using common IT tools and methods to gain access to exposed OT systems. These attackers have targeted solar energy panel networks, water control systems, and Building Automation Systems (BAS). According to the researchers, the main objectives behind attacks against OT systems seem to be ideological, egotistical, or financial rather than to cause significant damage. Attackers have been using Remote Access Services (RAS), Virtual Network Computing (VNC), and other methods to compromise OT assets. Graphical User Interfaces (GUI) are considered the low-hanging fruit that many attackers go after, as they allow attackers to modify control variables without detailed knowledge of the process. The researchers recommend removing OT assets from public, online networks whenever possible. Security audits should be conducted frequently to harden networks. Human Machine Interfaces (HMI) and other assets should also be configured to prevent potentially dangerous variable states. This article continues to discuss recent findings surrounding the rise in low-sophistication OT compromises.

    ZDNet reports "Not as Complex as We Thought: Cyberattacks on Operational Technology Are on the Rise"

  • news

    "Cyber Insurance Industry Grapples With Evolving Security Risks"

    The growing frequency and severity of cyberattacks are increasing the demand for cyber insurance. However, a recent report from the US Government Accountability Office (GAO) reveals that insurers are struggling to adjust their policies to keep up with new cyber risks. According to the GAO report, the share of insurance customers who have opted for cyber insurance grew from 26 percent in 2016 to 47 percent in 2020. This increase in cyber insurance demand has also led to a rise in insurer costs, as indicated by GAO's survey of insurance brokers. Most of them revealed that their clients' insurance premiums rose between 10 and 30 percent in late 2020. GAO pointed out that the rapidly growing level of cyber risk is creating uncertainty surrounding the affordability and availability of cyber insurance policies, especially for healthcare, education, and other high-risk industries. Cyber risk will continue to evolve as technology and cyberattack techniques change, making it increasingly difficult for insurers to underwrite coverage. Challenges faced by cyber insurers include a lack of sufficient comprehensive data on cyber losses to quantify risk accurately, a lack of clarity surrounding security-related terms in cyber insurance policies, the question of aiding ransomware payouts, and more. The GAO report also highlighted how insurers are becoming more selective when offering coverage to industries considered high-risk, such as healthcare and education. Insurers have been increasing coverage prices and reducing cyber coverage limits for riskier industry sectors that face more significant damage from ransomware attacks. This article continues to discuss findings shared by the GAO report regarding cyber insurance challenges.

    Decipher reports "Cyber Insurance Industry Grapples With Evolving Security Risks"

  • news

    "New Bluetooth Vulnerabilities Could Expose Many Devices to Impersonation Attacks"

    Researchers with France's national cybersecurity agency ANSSI have identified seven new flaws that affect devices supporting Bluetooth Core and Mesh specifications. These specifications define technical and policy requirements for devices that operate over Bluetooth connections. According to an advisory recently published by the CERT Coordination Center (CERT/CC) at Carnegie Mellon University, a malicious actor can exploit the vulnerabilities to impersonate legitimate devices as long as they are within Bluetooth range. Organizations whose products have been confirmed to be affected by the vulnerabilities identified by ANSSI include Cisco, Intel, Android Open-Source Project (AOSP), Cradlepoint, Microchip Technology, and Red Hat. Two dozen vendors appear to have confirmed that their products are not impacted by the flaws. There are 200 other vendors whose products could be vulnerable but still hold an "unknown" status in CERT/CC's advisory. The Android mobile operating system is affected by three of the vulnerabilities, but the upcoming updates will address only two of them. According to AOSP, the third vulnerability impacting the Android OS has a negligible security impact. Those vendors who have confirmed the vulnerabilities say their products appear to be impacted mostly by CVE-2020-26555 and CVE-2020-26558, which are both described as impersonation issues. The exploitation of CVE-2020-26555 requires the attacker to be able to identify the Bluetooth Device Address of the vulnerable device before they can execute the attack. If the attack is successful, the malicious actor can complete pairing with a known link key, encrypt communications with the vulnerable device, and access profiles allowed by a paired or bonded remote device that supports Legacy Pairing. This article continues to discuss the potential exploitation and impact of the new Bluetooth vulnerabilities.

    Security Week reports "New Bluetooth Vulnerabilities Could Expose Many Devices to Impersonation Attacks"

  • news

    "Three-Quarters of CISOs Predict Another SolarWinds-Style Attack"

    According to a new Splunk report, some 84% of global organizations have suffered a severe security incident over the past two years, and a majority are expecting another SolarWinds-style supply chain attack. Researchers interviewed 535 security leaders in nine leading economies across multiple industries to compile the latest report, called "The State of Security 2021". Among the companies that were successfully attacked, email compromise (42%) was the most common incident, followed by data breaches (39%), mobile malware (37%), and DDoS (36%). Over three-quarters (78%) of the participants expressed concern about more sophisticated supply chain attacks coming in the future. The researchers also found that cloud complexity is emerging as a major threat to global organizations, with three-quarters (75%) of respondents already using multiple providers. Over half (53%) of the respondents claimed attacks had increased in this area during the pandemic, and 76% of the respondents claimed that remote workers are harder to secure. Nearly 90% of participants already run a substantial number of their business-critical applications in the public cloud. Two of the key challenges of securing cloud environments highlighted by respondents were maintaining and enforcing consistent policies (50%) and the complexity of using multiple security controls (42%). The researchers are urging organizations to modernize their Security Operations Centers (SOCs) with new SIEM platforms and more automation, such as user and entity behavior analytics (UEBA) and security orchestration, automation, and response (SOAR) tools.

    Infosecurity reports: "Three-Quarters of CISOs Predict Another SolarWinds-Style Attack"

  • news

    "US to Regulate Pipeline Cybersecurity"

    The United States Department of Homeland Security (DHS) is to issue its first-ever set of cybersecurity regulations for pipelines. The news comes in the wake of a recent ransomware attack on the Colonial Pipeline that knocked operational systems offline for five days, triggering panic buying that led to fuel shortages in the Southeast. A senior DHS official has stated that a security directive will be issued this week requiring pipeline companies to report cybersecurity incidents to federal authorities. The directive will come from the Transportation Security Administration, a DHS unit. This directive will be followed by a meatier set of regulations in a couple of weeks. These rules are expected to lay out in more detail what pipeline operators must do to protect their systems from cyberattacks. Post-breach behavior will also be regulated, with companies that succumb to a cyberattack ordered to adhere to a set of best practices. These mandatory regulations will replace the voluntary cybersecurity guidelines issued previously by the DHS.

    Infosecurity reports: "US to Regulate Pipeline Cybersecurity"

  • news

    "Two New Attacks Break PDF Certification"

    Researchers at Ruhr-University Bochum (RUB) have discovered a security issue in the certification signatures of PDF documents. This form of signed PDF file can be used in the conclusion of contracts. Unlike a normal PDF signature, a certification signature allows certain changes to be made to the document after it has been signed, so that a second contractual party can also sign the document. The researchers at the Horst Görtz Institute for IT Security in Bochum demonstrated that it is possible for the second contractual party to change the contract text when adding their digital signature, without invalidating the certification. The integrity of the protected PDF documents was undermined by two new attacks called the Sneaky Signature Attack (SSA) and the Evil Annotation Attack (EAA). These attacks allowed the researchers to display fake content in the document instead of the certified content. They did this without rendering the certification invalid or triggering a warning to users from the PDF applications. Of the 26 PDF applications tested by the security experts, 24 were found to be affected by at least one of the attacks. They also discovered a vulnerability in Adobe products that attackers could exploit to insert malicious code into certified Adobe documents. This article continues to discuss the demonstration of two new attacks that can break PDF certification, along with the discovery of a weakness in Adobe products that can be used to implant malicious code into Adobe documents.

    RUB reports "Two New Attacks Break PDF Certification"

  • news

    "FBI Issues Conti Ransomware Alert as Attacks Target Healthcare"

    The FBI has released an alert about Conti ransomware following the identification of at least 16 Conti ransomware attacks within the last year against US healthcare and first responder networks, including law enforcement agencies, emergency medical services, municipalities, and more. The alert says that the operators of the Conti ransomware variant use malicious email links, attachments, or stolen Remote Desktop Protocol (RDP) credentials. Conti actors also weaponize Word files embedded with PowerShell scripts, initially staging Cobalt Strike using the Word documents and then dropping Emotet onto the network, giving the attackers the access needed to deploy the ransomware. According to an advisory published by the American Hospital Association, attacks linked to the Conti ransomware variant are believed to stem from criminal networks operating from a non-cooperative foreign jurisdiction. This article continues to discuss the FBI's alert about Conti ransomware attacks and other findings surrounding this ransomware variant.

    Dark Reading reports "FBI Issues Conti Ransomware Alert as Attacks Target Healthcare"

  • news

    Pub Crawl #50

    Pub Crawl summarizes, by hard problems, sets of publications that have been peer reviewed and presented at SoS conferences or referenced in current work. The topics are chosen for their usefulness for current researchers.

  • news

    Spotlight on Lablet Research #18 - Project: Scalable Privacy Analysis

  • news

    Cybersecurity Snapshots #18 - Oil And Gas Companies Need to Take Cybersecurity More Seriously

  • news

    "Insurance Giant Reportedly Paid $40 Million Ransom"

    In late March, CNA Financial was hit by a variant of the Evil Corp-authored Hades ransomware called Phoenix Locker. The company agreed to the ransom demand and paid the adversaries $40 million after its IT systems were locked down and threat actors stole data. CNA Financial noted in a security update that it did not believe that the record systems, claims systems, or underwriting systems, where most policyholder data is stored, were impacted by the attack. CNA Financial is one of America's largest insurers. The FBI urges victims not to pay the ransom, as doing so encourages more copycat attacks and does not guarantee that the organization's stolen files will not be monetized in the future or that it will even receive a working decryption key. Insurance companies like CNA Financial have recently been at the center of fierce debate over whether the industry should be financially assisting customers who have been struck by ransomware.

    Infosecurity reports: "Insurance Giant Reportedly Paid $40 Million Ransom"

  • news

    "Shape-Shifting Computer Chip Thwarts an Army of Hackers"

    A team of researchers at the University of Michigan has developed a new secure computer processor called Morpheus that can thwart attacks from hackers by rapidly and continuously randomizing elements of code and data. The randomization of such elements makes it significantly more difficult to hack the processor. Last summer, over 500 security researchers tried hacking the Morpheus processor as part of the US Defense Advanced Research Projects Agency's (DARPA) program to design a secure processor capable of protecting vulnerable software. All of them failed to hack the processor. Hackers must be familiar with the details of a processor's microarchitecture in order to place malicious code or malware onto vulnerable systems. Therefore, Morpheus randomizes these details to turn the computer into a puzzle that must be solved before a security exploit can be performed by hackers. Details, such as the commands executed by the processor or the format of program data, change between Morpheus machines. Software running on the Morpheus processor remains the same as these changes only occur at the microarchitecture level. A skilled hacker could reverse-engineer a Morpheus machine within a few hours. Therefore, Morpheus changes the microarchitecture once every few hundred milliseconds, thus requiring attackers to be fast at reverse-engineering the microarchitecture. The common approach behind computer security is to fix individual software flaws to prevent hacking. However, programmers need to write perfect software that has no bugs for patch-based techniques to succeed, which is considered impossible by many. The Morpheus processor's approach to security is to augment its underlying structure to make it harder for attackers to graft malware onto the device, which protects the vulnerable software running on it. This article continues to discuss how the Morpheus processor can thwart hackers, the research behind this processor, and other research efforts surrounding the use of hardware to help strengthen software security.

    The Conversation reports "Shape-Shifting Computer Chip Thwarts an Army of Hackers"

  • news

    "Personal Data of 4.5 Million Passengers Exposed in Air India Data Breach"

    India's national airline Air India released a statement to passengers, revealing that it had experienced a data breach in February this year. The data breach has led to the exposure of data belonging to 4.5 million Air India passengers worldwide. Unknown threat actors hacked Air India's data management service provider SITA Passenger Service System (SITA PSS), which is responsible for the storage and processing of Air India passengers' personal information. The data breach affects passengers who registered between August 26, 2011, and February 3, 2021. The attackers accessed a decade's worth of passenger data, containing names, passport information, credit card details, birth dates, ticket information, contact information, and frequent flyer data. Air India did confirm that CVV/CVC numbers were not exposed. There is currently no sign that the leaked data is being misused. However, passengers are urged to change their passwords. This security incident affects multiple airlines, as SITA provides services to Star Alliance, Japan Airlines, Air New Zealand, Malaysia Airlines, Cathay Pacific, and more. This article continues to discuss the impact of the Air India data breach, the measures taken by the airline in response to the breach, other airlines affected by this incident, and what affected flyers need to do to avoid security risks.

    CISO MAG reports "Personal Data of 4.5 Million Passengers Exposed in Air India Data Breach"

  • news

    "Ireland Tests Decrypt Tool After 'Catastrophic' Ransomware Attack"

    Irish authorities are testing a decrypt tool to recover health data following the recent ransomware attack on the Health Service Executive (HSE) of Ireland, which led to disruption of healthcare and social services in hospitals and community centers across the country. Medical staff members have had to go back to paper records because of the attack. The attack has also resulted in a drop in appointments in some areas by 80 percent and many outpatient service cancellations. It has been reported that private IT specialist contractors and the Irish National Cyber Security Centre are assessing the integrity of a decryption tool to see if it can safely be applied to healthcare systems. According to the Irish broadcaster RTE, the HSE also secured a High Court order to prevent the hackers behind the ransomware attack and any other individuals or businesses from processing, sharing, or selling the sensitive medical information stolen during the cyberattack. The attackers' threats to leak the information and other patient data online to the public prompted the order. It has been confirmed that the human-operated double extortion ransomware variant called Conti was involved in the attack. Double extortion is a scheme in which hackers try to maximize their chances of making a profit by threatening to sell or auction data encrypted in a ransomware attack. However, the Irish government said that it has not paid the attackers' demanded ransom, and that the ransom will not be paid. This article continues to discuss the impact of the HSE ransomware attack and the decryptor tool being tested to recover stolen health data.

    Silicon UK reports "Ireland Tests Decrypt Tool After 'Catastrophic' Ransomware Attack"

  • news

    "Microsoft, Google Clouds Hijacked for Gobs of Phishing"

    Researchers at Proofpoint have found that threat actors are cashing in on the rapid shift to cloud-based business services during the pandemic by hiding behind ubiquitous, trusted services from Microsoft and Google to make their email phishing scams look legit. And it's working. In the first three months of 2021 alone, the researchers stated that 7 million malicious emails were sent from Microsoft 365 and a staggering 45 million sent from Google's infrastructure. The researchers also noted that cybercriminals had used Office 365, Azure, OneDrive, SharePoint, G-Suite, and Firebase storage to send phishing emails and host attacks. The researchers stated that the malicious message volume from these trusted cloud services exceeded that of any botnet in 2020. The trusted reputation of these domains, including outlook.com and sharepoint.com, increases the difficulty of detection for defenders. Because breaching a single account could potentially provide sprawling access, the researchers reported 95 percent of organizations were targeted for cloud account compromise, and of those, more than half were successful. Additionally, more than 30 percent of those organizations that were compromised experienced post-access activity, including file manipulation, email forwarding, and OAuth activity. Once attackers have credentials, they can easily move in and out of a range of services and use those to send additional, convincing phishing emails.

    Threatpost reports: "Microsoft, Google Clouds Hijacked for Gobs of Phishing"

  • news

    "Global Credential Stuffing Attempts Hit 193 Billion in 2020"

    Security researchers at Akamai did a new study that revealed the sheer scale of attempts to crack open users' accounts using previously breached credentials. The researchers found that 193 billion credential stuffing attempts occurred during 2020 as cyber-criminals looked to capitalize on surging numbers of online users. Their research was mainly focused on the financial sector. Akamai detected 3.4 billion credential stuffing attempts targeting the financial sector, which is a 45% increase from the previous year. Akamai also saw nearly 6.3 billion web application attacks in 2020, over 736 million of which were aimed at financial services organizations which is an increase of 62% from 2019. In the financial services industry, Local File Inclusion (LFI) attacks were the number one web application attack type in 2020, accounting for 52% of the total, followed by SQLi (33%) and cross-site scripting (9%). However, globally across all sectors, SQLi was in the top spot and accounted for 68% of all web application attacks in 2020. LFI attacks came second with 22%. The researchers also found that there was a rise of smishing and phishing attacks against the financial services sector, specifically via two popular toolkits: Kr3pto and Ex-Robotos.

    Infosecurity reports: "Global Credential Stuffing Attempts Hit 193 Billion in 2020"

  • news

    "100M Android Users Hit By Rampant Cloud Leaks"

    Researchers at Check Point Research found that several mobile apps, some with 10 million downloads, have opened up users' personal data to the public internet, and most are not fixed. More than 100 million Android users are at risk after 23 different mobile apps were found to leak personal data as a result of rampant cloud misconfigurations. Anyone with internet access could access information including emails, chat messages, location data, passwords, photos, personal data, and more. Worryingly, the researchers stated that only "a few" of the apps had changed their settings to make the information private after being contacted by the firm. The researchers also found push-notification and cloud-storage keys embedded in a number of Android applications, which put developers' own internal resources, such as access to update mechanisms, storage, and more, at risk.

    Threatpost reports: "100M Android Users Hit By Rampant Cloud Leaks"

  • news

    "More Than 290 Enterprises Hit by 6 Ransomware Groups in 2021"

    According to a new report from the managed detection and response firm eSentire, six ransomware gangs have hit over 290 enterprises between January 1 and April 30 this year, bringing in an estimated $45 million for the attackers. The six ransomware groups include Ryuk/Conti, Sodin/REvil, Clop, DoppelPaymer/BitPaymer, DarkSide, and Avaddon, each of which has focused on specific industries and regions. For example, the Ryuk/Conti gang executed attacks against 352 organizations since 2018 and 63 this year, most of which have been manufacturing, construction, and transportation companies. Sodin/REvil ransomware operators focus on healthcare organizations and laptop manufacturers, such as Acer and Quanta. The DoppelPaymer/BitPaymer gang largely focuses on government institutions and schools. The Clop ransomware group has focused its efforts on exploiting a vulnerability in Accellion's file transfer system, which has led to attacks against the University of California, Stanford University, the Canadian jet manufacturer Bombardier, the global law firm Jones Day, and more. An attack on Colonial Pipeline by the DarkSide gang led to gas shortages and higher prices in the US. The Avaddon group was recently reported to have attacked the major European insurance company Axa, which provides cyber insurance to many companies and is known for pledging to stop reimbursing customers in France that pay ransoms. It is highly suspected that these groups are attacking many more entities than the public realizes. As no single sector or region is immune from ransomware, it is important that both public and private sector organizations put security protections in place to mitigate damages from ransomware attacks. This article continues to discuss findings from eSentire's report regarding the targets, capabilities, and impact of six ransomware groups.

    ZDNet reports "More Than 290 Enterprises Hit by 6 Ransomware Groups in 2021"

  • news

    CNA ransomware attack

    CNA, a US insurance giant, paid a $40 million ransom to recover its systems in March. This was one of the largest payments so far. The attack was carried out using Phoenix CryptoLocker, believed to have been used by Evil Corp, a Russian cybercrime network. Since the pandemic there has been a large increase in the number of ransomware attacks and in the payments demanded by hackers. To defend against ransomware attacks, companies should secure

  • news

    "Security Framework for Protected Data Allows Researchers To Tap Oak Ridge Supercomputers"

    A new framework of security protocols, called CITADEL, will allow researchers to tap into supercomputers operating at Oak Ridge National Laboratory's National Center for Computational Sciences (NCCS) for projects that use protected data, including health information. CITADEL presents new security controls for handling large datasets consisting of private or health information as well as data protected by the Health Insurance Portability and Accountability Act (HIPAA) and International Traffic in Arms Regulations (ITAR). The new framework allows researchers to comply with the Federal Information Security Management Act (FISMA) when they work with highly protected data contained by supercomputers. With CITADEL, an encrypted parallel file system is utilized to enhance performance and security while ensuring that researchers are following all of the regulations implemented to protect the data. This article continues to discuss the development and features of the CITADEL security framework.

    GCN reports "Security Framework for Protected Data Allows Researchers To Tap Oak Ridge Supercomputers"

  • news

    "NIST Proposes Method for Evaluating User Trust in Artificial Intelligence Systems"

    The National Institute of Standards and Technology (NIST) has a new draft publication that delves into how humans decide whether or not to trust recommendations made by an Artificial Intelligence (AI) system. The report is part of NIST's broader effort to help improve AI system trustworthiness. This latest publication focuses on how humans experience trust as they use or are impacted by AI systems. According to one of the publication's authors, Brian Stanton, the issue is whether it is possible to measure human trust in AI systems and, if so, how this trust can be measured accurately and appropriately. Many factors contribute to humans' decisions about trust in AI systems, including how one thinks and feels about the system and the perceived risks associated with using it. The NIST publication suggests a list of nine factors contributing to a user's potential trust in an AI system: security, privacy, accuracy, reliability, resiliency, objectivity, safety, accountability, and explainability. The proposed factors are different from the technical requirements of trustworthy AI that NIST is establishing with the community of AI developers and practitioners. The document explores how a person may weigh the nine factors differently based on the task itself and the risk associated with trusting the AI's decision. This article continues to discuss the NISTIR 8332 document, NIST's proposed method for evaluating human trust in AI systems, and the importance of enhancing the trustworthiness of such systems.

    HS Today reports "NIST Proposes Method for Evaluating User Trust in Artificial Intelligence Systems"

  • news

    Visible to the public "Scheme Flooding Bug Threatens to Sink User Privacy"

    Researchers at the security provider FingerprintJS discovered a vulnerability that enables websites to track users across different desktop browsers, including Google Chrome, Apple Safari, Mozilla Firefox, and Tor Browser, posing a significant threat to user privacy. They explained how malicious actors can use a technique called scheme flooding to recognize a visitor even when the visitor switches browsers, enables incognito or private mode, or connects through a Virtual Private Network (VPN). The flaw stems from the way a website can ask the browser to open an application through its custom URL scheme (for example, the schemes that desktop applications such as Skype or Zoom register with the operating system): by attempting to open many such schemes in turn and observing whether the browser behaves as if a handler is installed, a site can build a list of the applications present on the user's system. Because that list does not change when the user switches browsers or network connections, it can serve as a fingerprint that links otherwise separate browsing sessions. A website could also use the installed-application list to single out individuals for more sinister purposes; for example, a particular set of installed apps might reveal a visitor as a government or military official, and browsing history that was supposed to be anonymous could be tied back to that person. This article continues to discuss the source and potential impact of the scheme flooding bug.

    SearchSecurity reports "Scheme Flooding Bug Threatens to Sink User Privacy"

  • news

    Visible to the public "Exchange Server Attackers Launched Scans Within Five Minutes of Disclosure"

    Researchers at Palo Alto Networks conducted a new study in which they scanned 50 million IP addresses associated with 50 global enterprises. The research was carried out between January and March 2021. The researchers stated that threat actors are "winning the race" to find vulnerable assets to exploit, launching scans within minutes of CVE announcements. Between January and March, scans began within 15 minutes of a CVE announcement being published. Attackers moved even faster for the Microsoft Exchange Server zero-days, launching scans within five minutes of Microsoft's March 2nd announcement. The researchers also found that on a typical day attackers started a new scan roughly once every hour, whereas global enterprises can take weeks to find and remediate the same exposures. Remote Desktop Protocol (RDP) servers accounted for the largest share of security issues (32%), although in this case attackers are not scanning for software vulnerabilities but for endpoints whose credentials can be brute-forced or cracked. RDP is an increasingly popular initial access vector for ransomware attackers.

    Infosecurity reports: "Exchange Server Attackers Launched Scans Within Five Minutes of Disclosure"
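    The study above is about two things a defender can measure on their own telemetry: the gap between a disclosure and the first hostile probe of an exposed asset, and password guessing against RDP. As an added example that is not part of the Palo Alto Networks study or the Infosecurity article, the following Python script computes the time-to-first-probe from a web server access log and flags RDP password guessing from Windows failed-logon events (Event ID 4625, logon type 10). The log lines, the disclosure timestamp, the probe paths and the source addresses are all constructed for illustration and are not drawn from the study.

```python
"""Added example: time-to-first-probe after a disclosure, and RDP
password-guessing detection. All inputs below are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
import re

# Constructed Apache/nginx "combined"-format access log. The two /ecp/ and
# /autodiscover/ requests stand in for a scanner fingerprinting a newly
# disclosed bug; the /owa/ requests stand in for ordinary user traffic.
ACCESS_LOG = """\
10.0.0.5 - - [02/Mar/2021:17:55:02 +0000] "GET /ecp/ HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
203.0.113.7 - - [02/Mar/2021:18:03:10 +0000] "GET /owa/auth/logon.aspx HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.23 - - [02/Mar/2021:18:04:41 +0000] "GET /ecp/ HTTP/1.1" 302 0 "-" "python-requests/2.25.1"
198.51.100.23 - - [02/Mar/2021:18:04:42 +0000] "POST /autodiscover/autodiscover.xml HTTP/1.1" 401 0 "-" "python-requests/2.25.1"
192.0.2.55 - - [02/Mar/2021:19:30:05 +0000] "GET /owa/ HTTP/1.1" 200 800 "-" "Mozilla/5.0"
"""

# Constructed disclosure time (not the real announcement time).
DISCLOSED_AT = datetime(2021, 3, 2, 18, 0, tzinfo=timezone.utc)
# Assumed paths that a post-disclosure scanner would request.
PROBE_PATHS = ("/ecp/", "/autodiscover/")

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)


def parse_access_log(text):
    """Yield one dict per well-formed combined-format line; skip the rest."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        yield {
            "ip": m["ip"],
            "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
            "method": m["method"],
            "path": m["path"],
            "status": int(m["status"]),
            "ua": m["ua"],
        }


def time_to_first_probe(text, disclosed_at, probe_paths):
    """Return (minutes after disclosure, source ip) for the earliest request
    that touches one of probe_paths at or after disclosed_at, else None.
    Requests before disclosure (the admin's 17:55 visit) are ignored."""
    hits = [
        e for e in parse_access_log(text)
        if e["ts"] >= disclosed_at and any(e["path"].startswith(p) for p in probe_paths)
    ]
    if not hits:
        return None
    first = min(hits, key=lambda e: e["ts"])
    return (first["ts"] - disclosed_at) / timedelta(minutes=1), first["ip"]


# Constructed Windows Security 4625 (failed logon) events as
# (timestamp, source ip, logon type, account). Logon type 10 is RDP.
FAILED_LOGONS = [
    ("2021-03-02T18:10:00Z", "198.51.100.23", 10, "administrator"),
    ("2021-03-02T18:10:05Z", "198.51.100.23", 10, "admin"),
    ("2021-03-02T18:10:11Z", "198.51.100.23", 10, "backup"),
    ("2021-03-02T18:10:18Z", "198.51.100.23", 10, "svc_sql"),
    ("2021-03-02T18:11:02Z", "198.51.100.23", 10, "jsmith"),
    ("2021-03-02T18:12:40Z", "198.51.100.23", 10, "administrator"),
    ("2021-03-02T18:20:00Z", "192.0.2.55", 10, "jsmith"),      # a typo, twice
    ("2021-03-02T18:21:30Z", "192.0.2.55", 10, "jsmith"),
    ("2021-03-02T18:00:00Z", "198.51.100.9", 10, "administrator"),  # slow guessing
    ("2021-03-02T18:07:00Z", "198.51.100.9", 10, "administrator"),
    ("2021-03-02T18:14:00Z", "198.51.100.9", 10, "administrator"),
    ("2021-03-02T18:21:00Z", "198.51.100.9", 10, "administrator"),
    ("2021-03-02T18:28:00Z", "198.51.100.9", 10, "administrator"),
    ("2021-03-02T18:30:00Z", "203.0.113.7", 2, "jdoe"),   # console logons, not RDP
    ("2021-03-02T18:30:05Z", "203.0.113.7", 2, "jdoe"),
    ("2021-03-02T18:30:09Z", "203.0.113.7", 2, "jdoe"),
    ("2021-03-02T18:30:12Z", "203.0.113.7", 2, "jdoe"),
    ("2021-03-02T18:30:15Z", "203.0.113.7", 2, "jdoe"),
]


def rdp_password_guessing(events, threshold=5, window=timedelta(minutes=10)):
    """Return {source ip: peak failure count} for sources with at least
    `threshold` failed RDP logons inside any span of length `window`.
    A sliding window is used so that slow guessing spread over a long
    period does not trip the rule by sheer accumulation."""
    by_ip = defaultdict(list)
    for ts, ip, logon_type, _account in events:
        if logon_type != 10:
            continue
        by_ip[ip].append(datetime.fromisoformat(ts.replace("Z", "+00:00")))
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start, peak = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


if __name__ == "__main__":
    gap = time_to_first_probe(ACCESS_LOG, DISCLOSED_AT, PROBE_PATHS)
    print(f"first probe {gap[0]:.1f} min after disclosure from {gap[1]}")
    print("RDP guessing sources:", rdp_password_guessing(FAILED_LOGONS))
```

    The pre-disclosure request from 10.0.0.5 is deliberately excluded, since the question is how quickly the asset is probed after the announcement, and the slow-guessing source 198.51.100.9 is deliberately not flagged: five failures over half an hour never exceed two in any ten-minute window, which is the kind of low-and-slow pattern a fixed-count rule would miss in the other direction. Tune `threshold` and `window` to the site's own baseline before alerting on them.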