News Items

The cybersecurity firm Sophos reports a significant increase in malware using the Transport Layer Security (TLS) to hide malware communications. Although HTTPS helps prevent man-in-the-middle (MITM) attacks, attempts at impersonating trusted websites, and more, the protocol has also allowed cybercriminals to secretly share information between a website and a command-and-control (C2) server. Threat actors' use of the TLS protocol to hide malware communications has prevented defenders from detecting and stopping malware deployment and data theft. Sophos noted that malware communications fall under three main categories: data exfiltration, command-and-control, and the downloading of more malware. According to Sophos, malware using TLS to communicate has risen from 24 percent to 46 percent. Researchers have also observed an increase in TLS use in ransomware attacks over the past year, particularly in manually-deployed ransomware. This article continues to discuss the growth in the use of TLS by malware and ransomware operators.

ZDNet reports "Malware and Ransomware Gangs Have Found This New Way to Cover Their Tracks"

Security researchers at Specops went through more than 800 million breached passwords to determine which big-screen hits were used the most in passwords. The selection was a subset of a list of 2 billion passwords that have appeared in breached lists. Topping the list was the sports drama Rocky. Rocky, which was released in 1976, was used as a password nearly 96,000 times. Trailing close behind was the 1991 American fantasy swashbuckler adventure movie Hook, which showed up in over 75,000 breached password lists. Taking the number three spot with 50,000 uses was The Matrix. Superhero movies Batman, Superman, Spider-man, X-men, and Iron Man took the fourth, sixth, eleventh, thirteenth, and fourteenth spots, respectively, while Alfred Hitchcock's 1960 American psychological horror thriller Psycho came in at number five. Children's movies were also popular, with Frozen scooping the number 12 spot and Shrek taking the number 16 spot.

Infosecurity reports: "Stallone Classic a Password Favorite"

Researchers at FireEye Mandiant have warned of the exploitation of one zero-day vulnerability and several old flaws in widely deployed Pulse Connect Secure (PCS) Virtual Private Network (VPN) devices to compromise defense, government, and financial organizations. According to PCS Chief Security Officer Phil Richards, software updates for addressing the zero-day vulnerability will be released in early May. Until then, workarounds have been offered to mitigate the risk of that flaw's exploitation. A tool was also released to help defenders check if their systems have been impacted. FireEye Mandiant found that threat actors have been exploiting four PCS vulnerabilities and using 12 malware families to evade authentication as well as obtain backdoor access to targeted devices. The hacking campaigns behind the attacks are labeled as UNC2630 and UNC2717. It is suspected that UNC2630 is working on behalf of the Chinese government, while the government or APT group behind UNC2717 remains unknown. The researchers observed UNC2630 harvesting credentials from various Pulse Secure VPN login flows. This allowed the actor to use legitimate account credentials to move laterally into impacted networks. In addition, the actor used modified Pulse Secure binaries and scripts on the VPN appliance to maintain persistence. This article continues to discuss the exploitation of PCS VPN device vulnerabilities to breach organizations.

Help Net Security reports "Attackers Are Exploiting Zero-Day in Pulse Secure VPNs to Breach Orgs"

Additional details have been shared about the recent Codecov system breach, which is now being compared to the SolarWinds hack. Codecov is a San Francisco-based company that offers code coverage and software testing tools. The scope of this system breach extends beyond Codecov's systems, as hundreds of customer networks have been breached in the incident. The supply chain attack faced by Codecov went undetected for more than two months. The threat actors obtained Codecov's credentials from the company's flawed Docker image, which they then used to alter the Codecov's Bash Uploader script used by clients. They replaced Codecov's IP address with their own in the Bash Uploader script to silently collect credentials, tokens, API keys, and anything else that has been stored as environment variables in the customers' continuous integration (CI) environments. Codecov has over 29,000 customers, including Atlassian, GoDaddy, Washington Post, Procter & Gamble (P & G), and other prominent names, thus making this a significant supply chain incident. Federal investigators found that the Codecov attackers deployed automation to use the collected customer credentials to infiltrate hundreds of client networks. This article continues to discuss the investigation and impact of the breach at the code testing company Codecov.

Bleeping Computer reports "Hundreds of Networks Reportedly Hacked In Codecov Supply-Chain Attack"

Men's social networking website and online dating application Manhunt has suffered a data breach. The 20-year-old site was compromised in a cyber-attack that took place in February 2021. The breach was discovered on March 2nd, and an investigation into the evidence revealed that the attackers had downloaded customer's data at the beginning of February. In the notice of data breach, Manhunt revealed that the personal information of an estimated 7,714 Washington residents had been affected. The attacker gained access to a database that stored account credentials for Manhunt users. The adversary downloaded the usernames, email addresses, and passwords of some users. There is no evidence to suggest that the hacker had accessed users' pictures, messages, or other information from user profiles. No payment card information was exposed because of the incident as Manhunt doesn't transmit or store this type of information. Security researchers warned users to be on the lookout for phishing messages from threat actors impersonating Manhunt or claiming to have information about users.

Infosecurity reports: "Dating Service Suffers Data Breach"

The US Cybersecurity and Infrastructure Security Agency (CISA) and the FBI revealed a new phishing scheme in which attackers use fake traffic violations to infect victims with TrickBot and steal sensitive information. The attack begins with someone receiving a malicious email with a link. Once the link is clicked, it sends the victim to a website claiming to contain proof of their traffic violation. The link to the proof downloads a malicious JavaScript file that establishes a connection with a command-and-control server (C&C) controlled by the attackers. From there, TrickBot infects the victim's machine and steals their login credentials through man-in-the-middle (MITM) attacks. The malware can also spread across an impacted network to infect other machines. This article continues to discuss attackers' use of fake traffic violations to spread TrickBot malware, the takedown and return of this malware, and how organizations could defend against the latest TrickBot attack.

Security Intelligence reports "TrickBot: Attackers Using Traffic Violation Scam to Spread Malware"

Security researchers have discovered that adversaries repeatedly stole driver's license numbers from a database maintained by Geico over the course of six weeks earlier this year. The security researchers found that the perpetrators of the breach used personal information on Geico customers that they acquired elsewhere to access Geico's sales system and steal the driver's license numbers. The information in the database could allow scammers to apply for unemployment benefits pretending to be the real person. The security researchers stated that if anyone receives any mailings from their state's unemployment agency/department, then they should review them carefully and contact that agency/department if there is any chance fraud is being committed. It is unclear how many people are affected by the breach, and Geico has not responded to multiple requests for comment.

Cyberscoop reports: "Geico Data Breach Opens Door to Unemployment Scams"

McAfee researchers examined cybercriminal activity related to malware and the evolution of cyber threats in the third and fourth quarters of 2020. They published their findings in a new report. In Q4, there was an average of 648 threats per minute, an increase of 60 threats per minute (10%) over Q3. The two quarters also saw COVID-19-related cyber-attack detections increase by 240% in Q3 and 114% in Q4, while Powershell threats again surged 208% due to continued increases in Donoff malware activity. Mobile malware grew 118% in Q4 in part due to a surge in SMS Reg samples. The HiddenAds, Clicker, MoqHao, HiddenApp, Dropper, and FakeApp strains were the most detected mobile malware families. The researchers also found that ransomware grew in volume 69% from Q3 to Q4, driven by Cryptodefense. REvil, Thanos, Ryuk, RansomeXX, and Maze groups topped the overall list of ransomware families. MacOS malware exploded in Q3 420% due to EvilQuest ransomware but then slowed towards the end of the year.

Help Net Security reports: "COVID-19-Themed Cyberattack Detections Continue to Surge"

Researchers with the industrial cybersecurity firm Claroty recently disclosed five vulnerabilities in the OpENer Ethernet/IP (ENIP) stack designed for I/O adapter devices. The OpENer stack supports multiple I/O and explicit connections. It implements the ENIP and CIP industrial protocols and is widely used among top SCADA vendors. The exploitation of vulnerabilities found in the OpENer stack could allow attackers to cause denial-of-service (DoS) conditions, achieve remote code execution, and more. The Cybersecurity and Infrastructure Security Agency (CISA) warned of the vulnerability of all OpENer Ethernet/IP stack commits and versions before February 10, 2021, and urges the application of the latest commits. CISA also recommends taking measures to minimize the risk of these vulnerabilities' exploitation, which include ensuring that control systems are not exposed to the Internet, isolating control system networks and remote devices from the business network, and using secure methods for remote access. This article continues to discuss the discovery of multiple vulnerabilities in the OpENer stack, the potential exploitation of these vulnerabilities by attackers, and CISA's recommendations for addressing those flaws.

Security Week reports "Vulnerabilities in OpENer Stack Expose Industrial Devices to Attacks"

According to a study from Netskope, over 60 percent of malicious payloads were sent via cloud-based apps in 2020. That is an increase from 48 percent of malware samples delivered via cloud applications in 2019. This discovery brings further attention to the fact that attackers are increasingly turning to the cloud to execute attacks. Cloud apps are attractive to attackers as they allow them to circumvent older email and web solutions. Organizations with about 500 to 2,000 employees are now using an average of 664 different cloud apps each month, half of which received a 'Poor' rating on the study's Cloud Confidence Index. This article continues to discuss the growth in the distribution of malware using cloud apps, the importance of improving the security of these apps, recent cloud app breaches, and how organizations could defend against the misuse of such apps.

Security Intelligence reports "Over Half of Malware Delivered via Cloud Applications"

The National Security Council plan expected out next week will offer incentives rather than regulations to encourage utilities to install monitoring software to identify hackers and report the incidents to the government. This action comes after more than 25% of the country's 1500 utilities were infected with the SolarWinds software malware.

https://threatpost.com/biden-power-grid-hacks/165428/

The Department of Homeland Security (DHS) Science and Technology Directorate (S&T) has expanded pilot testing of a technology solution aimed at strengthening the cybersecurity of the nation's emergency communications infrastructure. SecuLore Solutions, a cybersecurity company based in Odenton, Maryland, received funding from DHS S&T for its research and development (R&D) of a cybersecurity defense solution in which predictive analytics and cyber data are applied to help detect and mitigate cyberattacks targeting legacy emergency communications systems as well as new Next Generation 911 (NG911) and Internet Protocol-based technologies. The company updated its existing cybersecurity solutions with a new capability that enables near-real-time behavioral threat analysis of traffic flowing to an Emergency Communications Center's (ECC) network and provides recommended steps for remediation based on the malware's behavior, type, or both. SecuLore is currently pilot testing its cybersecurity solution with the Emergency Services Department in Palm Beach County, Florida. Pilot testing of the solution will expand to five more ECCs across the US. The feedback and insights captured during these pilots will help SecuLore and DHS gain a better understanding of how other Emergency Services Departments would use and manage the cybersecurity technology. This article continues to discuss the expanded pilot testing of SecuLore Solutions' newly developed cybersecurity solution for ECCs to bolster the nation's emergency communications infrastructure, as well as the Cybersecurity and Infrastructure Security Agency's (CISA)'s role and S&T's cybersecurity mission.

The US Department of Homeland Security reports "DHS S&T Expands Pilot of Cybersecurity Tech for Emergency Communications Centers"

Pwn2OW is a contest that allows white-hat cybersecurity professionals and teams to compete in the discovery of bugs in popular software and services. This year the winning team was Computest, and they discovered a vulnerability in Zoom. The team earned themselves $200,000 for their Zoom discovery. The Computest researchers demonstrated a three-bug attack chain that caused an RCE on a target machine, and all without any form of user interaction. The team was able to show how an attacker could open a calculator program of a machine running Zoom following its exploit. Zoom has not yet had time to patch the critical security issue, so the vulnerability's specific technical details are being kept under wraps. The attack works on both Windows and Mac versions of Zoom, but it has not yet been tested on iOS or Android. The browser version of the videoconferencing software is not impacted.

ZDNet reports: "Critical Zoom Vulnerability Triggers Remote Code Execution Without User Input"

Researchers from Checkpoint conducted a new study where they polled 1800 customers of its Harmony Mobile device threat protection product. The researchers discovered that every global organization suffered at least one mobile malware attack in 2020. Of the near-total number that faced a mobile attack last year, 93% of incidents originated in a device network and were either phishing attempts (52%), C&C communication with malware already on the device (25%), or involved infected websites/URLs (23%). The study also revealed that nearly half (46%) of responding organizations had at least one employee download a malicious mobile application that threatened networks and data last year. Banking Trojans, mobile Remote Access Trojans (MRATs), premium diallers, clickers, and ad fraud were among the most common. Some 97% of organizations faced mobile threats originating in multiple vectors, including applications, networks, devices, and OS vulnerabilities. The researchers warned that mobile device management (MDM) is a potentially major new target for attackers.

Infosecurity reports: "Over 90% of Organizations Hit by a Mobile Malware Attack in 2020"

April is National Supply Chain Integrity Month. The National Counterintelligence and Security Center (NCSC) is partnering with government and industry partners throughout April for the 4th annual National Supply Chain Integrity Month to encourage organizations across the US to take action to bolster their supply chains against foreign adversaries and other risks. NCSC is working with the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA), the National Association of State Procurement Officials (NASPO), the Department of Defense's Center for the Development of Security Excellence (CDSE), the National Association of Counties (NACo), the Federal Communications Commission (FCC), and others to increase awareness among organizations about threats facing US supply chains as well as to share information on how to mitigate risks. The recent software supply chain attacks on the US industry and government have brought further attention to the importance of improving our supply chains' resilience, security, and diversity. The exploitation of vulnerabilities in US supply chains by foreign adversaries present unique security threats. State-sponsored hackers have targeted software and Information Technology service supply chains to conduct espionage, steal intellectual property, and more. NCSC encourages organizations to consider diversifying supply chains, mitigating third-party risks, identifying and prioritizing essential assets, ensuring executive-level commitment, and strengthening partnerships in order to enhance the resilience of their supply chains. This article continues to discuss the goal of National Supply Chain Integrity Month, the exploitation of US supply chains by foreign adversaries, and what organizations should do to improve the resilience of their supply chains.

HSToday reports "National Supply Chain Integrity Month: Campaign to Raise Awareness of Supply Chain Threats and Mitigation"

In yet another incident of threat actors scraping data from public profiles and slinging it online for potential cybercriminal misuse, researchers have found that personal data from more than 500 million LinkedIn users have been posted for sale online. The personal data for sale includes LinkedIn IDs, full names, professional titles, email addresses, phone numbers, and personally identifiable information (PII). The LinkedIn incident comes on the heels of a substantial leak of personal data from more than 533 million Facebook users last weekend. The researchers stated that the leaked data contains no payment card details and no passwords, so it is less valuable to attackers and will not sell for much on the Dark Web. LinkedIn officials confirmed that the platform's data was included in the database and stated that it was not due to a breach of its system but instead was scraped from the LinkedIn site.

Threatpost reports: "Data from 500M LinkedIn Users Posted for Sale Online"

ESET researchers found a new backdoor that is being used by the Lazarus hacking group in attacks against freight and logistic organizations in South Africa. The malware dubbed Vyveva performs backdoor activities such as exfiltrating files, collecting information from an infected system, and executing arbitrary code through a remote connection to a command-and-control (C2) server. The backdoor malware also connects to its C2 server via the Tor network through the use of fake TLS connections. The researchers believe Vyveva has been active since 2018 even though it was first discovered in June 2020. This article continues to discuss the capabilities and components of Vyveva malware as well as the history and recent activities of the Lazarus hacking group.

CISO MAG reports "Cybercrime Group Lazarus Upgrades its Arsenal with Vyveva Malware"

Researchers at Ohio State University have discovered how to use chaos to help create fingerprints for electronic devices that might be unique enough to thwart the most sophisticated hackers. The researchers believe these fingerprints are unique enough to require more than a lifetime of the universe to try all possible combinations. Daniel Gauthier, the senior author of the study and professor of physics at Ohio State University, has emphasized that chaos is significantly beneficial in the system developed by the team. They created new Physically Unclonable Functions (PUFs), which are built into computer chips. PUFs utilize the inherent, unique manufacturing variations in computer chips to produce digital fingerprints that can be used to authenticate and secure devices. According to Gauthier, secure ID cards could potentially be created using the new PUFs to track goods in a supply chain. They could also be used in the authentication of applications. The researchers used a web of randomly interconnected logic gates to develop a complex network in their PUFs. Logic gates create a new signal using two electronic signals. The researchers exploit the unreliable behavior created by the non-standard use of the gates to produce a form of deterministic chaos. This chaos magnifies the tiny manufacturing variations found on a computer chip. The amplification of these variations by chaos can change the secrets being produced on the chip, making it more difficult for hackers to figure them out. Chaos results in the production of an uncountably large number of secrets available on a chip. As part of the study, the researchers tested Machine Learning (ML) attacks against their PUF, and they all failed to hack it. This article continues to discuss the problem with current PUFs and the creation of new PUFs that use chaos to protect devices from hackers.

Science Daily reports "Scientists Harness Chaos to Protect Devices From Hackers"

Researchers at a fraud intelligence firm called Gemini Avirsory found that a cybercriminal has sold almost 900,000 gift cards and over 300,000 payment cards on a top-tier cybercrime forum on the dark web. The total value of the cards was claimed to be around $38 million. According to the researchers, the stolen cards originated from a 2019 breach of an online discount gift card marketplace that has since gone offline. Since they're easy to redeem and tough to track, gift cards are an increasingly popular target for fraud. One of the researchers observed offers to sell the cards in bulk on the Russian-language forum in February 2021. While the actor behind the sale didn't reveal how they obtained the cards or what their origins were, they did disclose that the loot contained more than 3,000 brand-name gift cards from as many companies, including Airbnb, Amazon, Nike, Marriott, Walmart, and others. The threat actors set up an auction with the bidding starting at US$10,000 and a buy now price of double the initial bidding price. The database was sold within a few moments of being posted. A mere day after selling the gift cards, the same cybercriminal offered to sell 330,000 payment and debit cards on the same online hacking forum. According to the posting, the information included the victims' billing address and partial payment card data such as the card number, its expiration date, and the issuing bank's name. However, the Card Verification Value (CVV) and the cardholder's name were not included.

We Live Security reports: "$38 Million Worth of Gift Cards Stolen And Sold on Dark Web"

A senior lecturer in criminology from the University of Surrey, Mike McGuire, has found in a new study that there has been a 100% increase in "significant" state-backed attacks between 2017 and 2020, and an average of over 10 publicly attributed attacks per month in 2020 alone. Although the most significant number (50%) featured surveillance tools, a worrying 14% were focused on damage or destruction, while more than 40% had a physical and digital component. Most (64%) of the experts McGuire consulted during his research claimed the escalation in tensions last year were "worrying" or "very worrying." McGuire suggests that factors such as increased weaponization and the readiness of governments to define network attacks as "acts of war" are moving the world into a "dangerous stage" and closer to what he dubs "advanced cyber-conflict" than at any time since the digital age began. The research also revealed how the lines between nation-state and cybercrime attacks are increasingly blurring. Mcguire claimed that 10-15% of dark web vendor sales now go to "atypical" purchasers, including state actors looking to stockpile zero-day exploits. In addition, half (50%) of nation-state attacks now feature low-grade tools bought from the cybercrime underground, while just 20% involve custom malware and exploits built in-house. A majority (58%) of experts consulted for the report claimed it is becoming more common for governments to recruit cyber-criminals to carry out attacks, and (65%) said some nation-states launch attacks to generate revenue.

Infosecurity reports: "Armed Conflict Draws Closer as State-Backed Cyber-Attacks Intensify"

Cybersecurity incidents faced by federal agencies are continuing to increase in volume, complexity, and impact. The massive SolarWinds hack that impacted the Departments of Treasury, Justice, Commerce, and others further indicates the growing sophistication and success of threat actors. Although investments in diverse cloud and Internet of Things (IoT) environments are intended to improve productivity at federal agencies, the expanding complexity and scale of their digital infrastructures are creating additional challenges for Security Operations Center (SOC) teams. The constant emergence of advanced threats is also making it increasingly difficult for understaffed and overworked SOC teams to be efficient and effective. Triaging alerts and responding to incidents have also become more challenging for SOC teams due to the overwhelming generation of alerts. The integration of self-learning Artificial Intelligence (AI) solutions into existing government technologies will help elevate the performance level of human security team members. Self-learning AI and automation will help security professionals better sort through the noise and focus on dangerous incidents. AI can bring SOC teams to the next level of cyber defense as the technology can enable full-range detection, accurate threat management, and more. This article continues to discuss the challenges faced by government cybersecurity teams and how self-learning AI can help SOC teams improve their effectiveness and efficiency.

GCN reports "The Superpowered SOC: How AI Can Drive Agencies to the Next Level of Cyber Defense"

Claroty researchers discovered vulnerabilities in Rockwell Automation's FactoryTalk AssetCentre software, a backup solution specifically for Industrial Control Systems (ICS). All of the vulnerabilities have been given a maximum CVSS v3 base score of 10. According to the researchers, an attacker can take over a facility's entire Operational Technology (OT) network and execute commands on server agents and automation devices like a Programmable Logic Controller (PLC) by chaining some of the vulnerabilities together. Three of the discovered flaws are described as deserialization vulnerabilities that can allow unauthenticated attackers to remotely execute arbitrary code in FactoryTalk AssetCentre. One flaw could enable an unauthenticated local attacker to gain complete access to the software's main server and agent machines, as well as remotely execute code. Another three flaws are SQL injection vulnerabilities. All of the discovered flaws impact FactoryTalk AssetCentre v10 and earlier versions. This article continues to discuss the vulnerabilities found in Rockwell Automation's FactoryTalk AssetCentre that leave industrial facilities open to attacks and the importance of ICS-specific backup solutions.

Help Net Security reports "Vulnerabilities in ICS-Specific Backup Solution Open Industrial Facilities to Attack"

A report released by the US Government Accountability Office (GAO) in March brings further attention to the increased vulnerability of the electrical grid to cyberattacks because of electric vehicles and internet-connected home appliances. Cybersecurity researchers have warned of the lack of security implemented for Internet of Things (IoT) devices for years. GAO highlights that these devices pose a significant threat to energy distribution systems, specifically parts of the electrical grid responsible for supplying electricity to homes and businesses. The problem stems from distribution utilities' limited visibility and influence on the use and security of these devices against cyberattacks as consumers are the ones that control them. Plans developed by the Department of Energy (DOE) to implement the national cybersecurity strategy for the electric grid do not fully address cyber risks facing the grid's distribution systems. The number of connected devices is a contributing factor to the problem. Researchers at Princeton University have found that it is possible to convert multiple heaters, air conditioners, and other energy-hungry devices into a botnet and use it to manipulate the power demand in the grid. This article continues to discuss key points highlighted by the March GAO report pertaining to cyber risks posed by electric cars and connected home appliances to US utilities, and notable cyberattacks on energy distribution systems that have led to power outages.

NextGov reports "Electric Cars, Smart Refrigerators Pose Cyber Risk To US Utilities, GAO Finds"

GitHub is investigating a series of attacks against its cloud infrastructure that allowed cybercriminals to use the company's servers to perform illicit operations for mining cryptocurrency. The attacks, which have been occurring since the fall of 2020, abuses a GitHub feature called GitHub Actions. This feature allows users to automate, customize, and execute software development workflows in their GitHub repository. According to Justin Perdok, a security engineer, at least one actor is targeting GitHub repositories in which GitHub Actions might be enabled. The attack involves adding malicious GitHub Actions to the original code and then filing a Pull Request with the original repository to merge the malicious code back into the original. Perdok said the attack does not require the original project owner to approve the malicious Pull Request as filing it is enough. The attackers are specifically targeting GitHub project owners with automated workflows that test incoming pull requests through automated jobs. GitHub's systems will read the attacker's code and launch a virtual machine that downloads and runs crypto-mining software on GitHub's infrastructure when a malicious Pull Request is filed. Perdok has observed attackers spin up to 100 crypto-miners in one attack, thus resulting in significant computational loads for GitHub's infrastructure. This article continues to discuss the performance of illicit crypto-mining on GitHub's server infrastructure.

The Record reports "GitHub Investigating Crypto-Mining Campaign Abusing Its Server Infrastructure"