News Items

According to researchers at Google LLC's Threat Analysis Group (TAG), the same North Korea-backed hackers discovered to have been targeting security researchers earlier this year are now using a fake security company called SecuriElite to continue their campaign. In January, Google researchers warned of the North Korean Advanced Persistent Threat (APT) group specifically targeting security researchers at several organizations using a research blog and multiple Twitter accounts. The blog included write-ups exploring publicly disclosed vulnerabilities and posts from legitimate security researchers who had been deceived into thinking they were posting on a legitimate site. The new website SecuriElite appears to be owned by a cybersecurity company based in Turkey. It includes a link to a PGP public key on the page that lets security researchers confidentially send messages to the fake company. This article continues to discuss the recent targeting of security researchers by a North Korea-backed hacking group through a fake offensive security company, as well as the growing sophistication of attackers' approach to email attacks.

SiliconANGLE reports "North Korean Hackers Are Now Using a Fake Security Company to Target Researchers"

Researchers during a new study discovered that retailers around the world are increasing their fraud teams and budgets because of a significant rise in all types of online fraud during the pandemic. Most (72%) of retail brands worldwide expect to grow fraud teams in the next year, while 76% predict their budget to tackle fraud will increase in the next 12 months. Almost a quarter (20%) of retail companies expect their funding to tackle fraud to be significantly increased. The researchers also found that nearly 40% of fashion and FMCG retailers see online payment fraud as their most significant fraud risk. Refund abuse, where consumers wrongly claim they never received a product they ordered online, has increased for half of the retailers. Account takeover, often the result of password reuse across multiple retailers, has also risen for 45% of retailers in the past 12 months. The researchers believe that fraud in an ecommerce world is likely to worsen before it gets better.

Help Net Security reports: "As Online Fraud Rises, 72% of Retail Brands Expect to Grow Fraud Teams"

A team of researchers at the Stanford University School of Engineering will demonstrate how an arrangement of computer-controlled drones can be managed with precision even if the 5G network that controls it is being hit with a cyberattack. The success or failure of the demonstration will depend on whether an experimental network control technology can detect the attack and defeat it within a second to protect the navigation systems. The demonstration will be observed by officials from the Defense Advanced Research Projects Agency (DARPA), the government agency that is underwriting Project Pronto. Stanford University, Cornell University, Princeton University, and the nonprofit Open Networking Foundation (ONF) are jointly collaborating on Project Pronto, which is led by Nick McKeown, a professor of electrical engineering and computer science at Stanford. Their goal is to ensure the security and reliability of 5G networks that will support autonomous vehicles, trains, and planes of the future, as the transition to 5G is expected to impact every device connected to the Internet. Project Pronto offers a solution devised by McKeown and his colleagues that uses Software-Defined Networking (SDN) technology to wrap a virtually instantaneous shield around wirelessly accessible computers. This article continues to discuss the goals of Project Pronto, the pending Pronto demonstration, the application of advanced SDN techniques to secure 5G networks, and the importance of ensuring 5G networks are reliable and secure.

Stanford reports "A New Stanford Initiative Aims to Ensure 5G Networks Are Reliable and Secure"

IBM Security researchers in a new study discovered that organizations in the financial and insurance sectors were the most targeted by threat actors in 2020. Manufacturing and energy became the second and third most targeted industries last year, respectively. Retail and professional services rounded up the top five most targeted sectors. The researchers also found that ransomware was the most popular attack method in 2020, with a market share of roughly 23%. IBM estimates that 36% of the public breaches in 2020 were ransomware-related data leaks. The researchers also found that data theft attacks went up 160% compared to 2019 but accounted for only 13% of the overall incidents in 2020. Server access came in third at 10%, marking a 233% increase year-over-year, while Business Email Compromise (BEC) dropped to the fourth position with a 9% market share (a drop from 14% in 2019).

Security Week reports: "Financial Sector Remains Most Targeted by Threat Actors: IBM"

A criminal gang hacked Broward County Public Schools' computer system, which is one of the nation's largest school districts, and encrypted district data. The cyber gang behind the attack is called Conti, and they demanded $40 million in ransom, or they would erase the files and post students' and employees' personal information online. Broward County Public Schools said in a statement Thursday that there is no indication that any personal information has been stolen and that they have made no extortion payment to the ransomware gang. As a pressure tactic, the cyber gang posted screenshots of its online negotiations with the district to its site on the dark web last week. According to the hacker's screenshots, the screenshots show that negotiations between the school district and Conti occurred over two weeks. At the end of the negotiations, the school district did offer to pay $500,000 at which point the ransomware criminals apparently ended negotiations.

ABC News reports: Large Florida School District Hit by Ransomware Attack

New research from the security firm Cisco Talos sheds light on a malware campaign targeting the systems of gamers and modders. The campaign involves malvertising and game modding-focused YouTube videos that lead users to malicious websites or downloads. According to researchers, the cybercriminals behind this campaign are using gaming tools to deploy a cryptor for various malware strains, most of which have been discovered to be Remote Access Trojans (RATs). A cryptor is a tool designed to prevent the reverse-engineering or analysis of malware. The researchers have found cheats, cheat engines, and mods that contain cryptors capable of hiding RAT code and backdoors through many layers of obfuscation. When a user downloads and installs a malicious mod or cheat on their machine, a dropper injects code to evade detection tools. From there, malware can be executed. Samples that have been tracked so far include an information stealer called XtremeRAT. This article continues to discuss the tactics and tools used in the new malware campaign targeting video gamers and modders, as well as how this attack wave can affect enterprises.

ZDNet reports "Gaming Mods, Cheat Engines Are Spreading Trojan Malware and Planting Backdoors"

The global threat hunting company Group-IB recently released a cyber intelligence report that shares findings regarding an ongoing Twitter-based fraud campaign targeting Indonesia's largest banks. The cybercriminals behind this campaign are masquerading as bank representatives or customer support team members on Twitter in order to lure and gain the trust of victims. Security analysts found that at least seven large Indonesian financial institutions have been targeted in the massive campaign. The scam starts with a customer leaving a comment on the bank's official Twitter page. They are then contacted by fraudsters using fake Twitter accounts that appear to belong to real bank staff representatives or customer support employees. After engagement occurs between the customer and the fake Twitter account, the attackers invite the customer to chat off-line on a third-party messenger, such as WhatsApp or Telegram. During the off-line chat, the attackers send a link to the customer that redirects them to a phishing website identical to the official banking website where the cybercriminals can exfiltrate entered banking credentials. This article continues to discuss the use of Twitter in a fraud campaign against Indonesia's major banks, the growing performance of multi-stage scams, and how banking customers can identify such scams.

CISO MAG reports "Cybercriminals Make Twitter a Playing Field to Target Indonesian Banks"

The Internal Revenue Service (IRS) has issued an alert about an ongoing IRS-impersonation phishing scam that primarily targets university students and employees. The IRS has received complaints about the scam over the past few weeks from people with email addresses ending in .edu. The phishing emails display the IRS logo and use subject lines relating to a tax refund payment or a tax refund payment recalculation. Recipients are urged to click a link and submit a form in order to claim their refund. The phishing website requires users to supply personal information such as their Social Security number, name, birth date, driver's license number, gross income, electronic filing PIN, and more. Cybercriminals can use this information to file fraudulent tax returns on behalf of the victim and steal identities. They can also sell the information on the dark web. This article continues to discuss the ongoing IRS-impersonation scam targeting university students and staff and how taxpayers can avoid falling victim to such scams.

TechRepublic reports "Tax Refund Phishing Scam Targets University Students and Staffers"

Security researchers at Proofpoint have recently linked a late-2020 phishing campaign aimed at stealing credentials from 25 senior professionals at medical research organizations in the United States and Israel to an advanced persistent threat group with links to Iran called Charming Kitten. The phishing campaign has been dubbed BadBlood because of its medical focus and the history of tensions between Iran and Israel. The phishing campaign aimed to steal the credentials of professionals specializing in genetic, neurology, and oncology research. Charming Kitten, believed to be an Iranian state-sponsored APT, has been operating since around 2014 and has built a "vast espionage apparatus" comprised of at least 85 IP addresses, 240 malicious domains, hundreds of hosts, and multiple fake entities. Spearphishing and custom malware are among an array of tactics the group uses against victims.

Threatpost reports: "APT Charming Kitten Pounces on Medical Researchers"

The developers who maintain the PHP programming language have decided to move the main Git repository for PHP to GitHub after hackers targeted PHP source code in a backdoor attack. Nearly 80 percent of websites on the Internet are written in PHP. Two updates were pushed to the PHP Git server under the account names of two well-known PHP developers Nikita Popov and Rasmus Lerdorf. The two malicious commits appeared to be minor typographical corrections, but upon closer look, the commits added a backdoor that enables hackers to perform remote code execution on websites running the infected version of PHP. The incident has made the PHP Group change how its code infrastructure is run as the PHP maintainers have now decided to discontinue the git.php.net server. All code changes will instead be pushed directly to GitHub. This article continues to discuss the recent targeting of the PHP Git repository by hackers to add a backdoor to PHP source code.

Dark Reading reports "Attackers Target PHP Git Server to Backdoor Source Code"

The SolarWinds cyberattackers were able to use SolarWinds' Orion network management platform to infect targets by pushing out a custom backdoor called Sunburst via trojanized product updates. Sunburst was delivered to almost 18,000 organizations around the globe, starting last March, before being discovered in December. With Sunburst embedded, the attackers were then able to pick and choose which organizations to further penetrate in a massive cyberespionage campaign that has hit nine U.S. government agencies, tech companies like Microsoft, and 100 others hard. According to anonymous government sources, it has recently been discovered that as part of the federal government infiltration, the hackers were also able to access the email accounts of then-acting Secretary Chad Wolf and his staff. It is unclear whether the information in the emails that the hackers accessed contained classified information. Tim Wade, technical director on the CTO team at Vectra, stated that the information classification protocols should have helped more sensitive details from being directly accessible and exposed without a hostile, foreign actor first finding access and exfiltration channels classified networks. However, he also stated that even unclassified communication between sensitive parties could disclose a great deal of actionable intelligence if seen by the hackers.

Threatpost reports: "SolarWinds Attackers Accessed DHS Emails, Report"

Researchers in Trend Micro's Zero Day Initiative (ZDI) team discovered two remote code execution (RCE) vulnerabilities that could lead to the takeover of SolarWinds Orion systems. The team has worked closely with SolarWinds to assist in responding to the massive hack. According to the researchers, one of the RCE vulnerabilities has a critical severity rating, while the other received a high severity rating. The exploitation of these vulnerabilities could allow remote attackers to take over an affected SolarWinds system. The critical RCE vulnerability exists in the OneTimeJobSchedulerEventsService Windows Communication Foundation (WCF) service. It stems from the inadequate validation of user-supplied data, possibly resulting in the deserialization of untrusted data. An attacker can abuse this vulnerability to escalate privileges and execute arbitrary code, thus allowing them to carry out any action that the System Account can perform. The second RCE vulnerability exists in the JobRouterService WCF service and is caused by the service's configuration, which allows unprivileged users to access a critical resource. This vulnerability lets attackers execute code as an administrator. However, an attacker would need to be authenticated to abuse this vulnerability. These vulnerabilities provide attackers with many opportunities for lateral movement, data exfiltration, and the performance of destructive actions. This article continues to discuss the new vulnerabilities impacting SolarWinds' Orion IT monitoring platform.

SC Magazine reports "New, Critical Vulnerability Discovered That Could Let Attackers Gain Entry to SolarWinds Systems"

Marcus Fowler, the director of strategic threat at the cybersecurity Artificial Intelligence (AI) company Darktrace, discusses the need for new technologies and new talent to close the cybersecurity skills gap. Although the first decrease has been recorded for the cybersecurity workforce gap, the scale and complexity of cybersecurity professionals' workloads and tasks have increased together with the sophistication of cyberattacks. For security teams across industries, the most critical gap isn't a specific skill. Rather, it is the gap between the growing number of tasks to be performed by security teams and the skilled personnel needed to carry them out. Even if more individuals enter the cybersecurity field, there are several factors that will continue to make the cybersecurity community play catch-up. The constant advancement of external attack methods like automated attacks will continue to present challenges for the cybersecurity community. In addition, security teams have to deal with the accelerated transformation of workforce practices and technological infrastructure stemming from the widespread shift toward remote working as well as the increased adoption of the software-as-a-service (SaaS) model and cloud computing platforms. With these challenges, humans alone cannot solve the cybersecurity resources gap. Instead of just hiring more humans to solve the problem, Fowler suggests the implementation of new security tools that can help human cybersecurity professionals work smarter. We need to equip professionals with AI and Machine Learning (ML)-based autonomous technologies that can help in security incident investigation, response, mitigation, and more. This article continues to discuss the cybersecurity resources and skills gap and the need for new talent and breakthrough technologies to close it.

NextGov reports "Closing the Cyber Skills Gap Will Take New Technologies in Addition to New Talent"

Researchers at Zimperium zLabs have discovered new Android malware disguised as a System Update application. The researchers detected the sample app on a third-party repository, not the official Google Play Store. Once the spyware app is installed, the victim's device is registered with a Firebase command-and-control (C2) server, which issues commands while a separate C2 manages data theft. Data exfiltration is triggered when a certain condition, such as the installation of a new app, is met. According to the team, the malware is a Remote Access Trojan (RAT) capable of stealing GPS data, SMS messages, call logs, contact lists, images, and video files. It can steal operational information like storage statistics and lists of applications installed on the device. The RAT can also take over a mobile device's camera to take photos, secretly record microphone-based audio, review browser histories, and eavesdrop on phone conversations. Zimperium researchers say the malware is part of an advanced spyware campaign with complex capabilities. This article continues to discuss the distribution and capabilities of the new advanced Android malware, and Google's recent removal of Android apps from the Play Store that carried a dropper for banking Trojans.

ZDNet reports "This Android Malware Hides as a System Update App to Spy on You"

The multi-billion-dollar brewing and beverage giant Molson Coors recently faced a cyberattack that disrupted parts of the company's business, including brewery operations, production, and shipping. Molson Coors reportedly suffered a ransomware attack. The company operates 20 brewing facilities in North America and Europe. Brewing and adult beverage companies have become increasingly common targets for cybercriminals, with Italy's Licya Campari Group, Australia's Lion, and Jack Daniel's owner Brown-Forman all having been hit in the past year. Downtime caused by a cyber incident can lead to thousands of dollars in costs per minute for such companies. This article continues to discuss the recent disruption of Molson Coors' business operations by a cyberattack, the increased targeting of high-profile organizations like Molson Coors, and the significant costs that companies can face when they experience a cyber incident.

Forbes report "Cyberattack Disrupts Operations At Molson Coors"

According to the latest research shared in the LexisNexis Risk Solutions biannual Cybercrime Report, young adults under the age of 25 and adults over 75 are the most vulnerable to falling victim to cybercrime. The report is based on the analysis of global cybercrime activity from July 2020 through December 2020. A significant flood of new-to-digital customers went online in 2020, with young adults and seniors proving to be the groups most vulnerable to online fraud attacks. Analysis revealed a 10 percent growth in customers in the under 25 age group. The youngest online users became the most vulnerable to fraud attacks over the six months. Although young adults are often considered highly tech-savvy, many of them tend to show more relaxed usage behavior patterns and willingness to share personal data online. On the other hand, adults over 75 are generally considered less informed about the latest digital technologies, making them increasingly vulnerable to scams and phishing attempts. However, fraudsters have been observed targeting the younger age group more than the older group as higher success rates compensate for lower monetary gains. These findings suggest the need for more education and layered fraud defenses to protect the full spectrum of online users. This article continues to discuss what puts younger and older adults at more risk of digital fraud and other key findings surrounding cyber fraud in 2020.

TechNewsWorld reports "Young Adults, Seniors Over 75 Most Susceptible to Cyber Fraud"

The National Security Agency's (NSA) Cybersecurity Collaboration Center, together with government and industry partners, is working to share information and strengthen cybersecurity. Morgan Adamski, the chief of NSA's Cybersecurity Collaboration Center, emphasizes the importance of establishing partnerships in support of combating cyberattacks as no one organization has the full picture. The NSA's Cybersecurity Collaboration Center's three main areas of focus include detection, innovation, and mitigation. The center detects adversaries using signals intelligence and commercial data, as well as through bidirectional threat sharing with the private sector. This article continues to discuss the three channels of focus at NSA's Cybersecurity Collaboration Center, the importance of public-private partnerships in cybersecurity, and why information sharing is essential.

MeriTalk reports "Public-Private Partnership is 'Critical' to Cybersecurity"

Researchers from Kaspersky have discovered that attacks on industrial control system (ICS) computers went up by .85 percentage points in H2 of 2020 compared to H1. The researchers also found that the variety of malware families targeting ICS computers increased by 30% in this period, with cyber-criminals significantly ramping up attacks against these sectors amid the COVID-19 lockdowns. Compared to H1, in the engineering and ICS integration sector, the proportion of ICS computers attacked grew by nearly eight percentage points to 39.3%. The proportion of ICS computers attacked in the building automation sector saw an increase of 46.7%, and the proportion of ICS computers attacked in the oil and gas sector grew by 44%. Of the countries the researchers examined, they found that 62% experienced a growth in the percentage of ICS computers targeted. The researchers also discovered that the proportion of ICS computers on which malicious email attachments were blocked went up by 73.4%. The most commonly employed malware were backdoors, spyware, other types of Trojans, and malicious scripts and documents.

Infosecurity reports: "Rise in Attacks on ICS Computers in Second Half of 2020"

Streaming services have become increasingly attractive targets in the launch of malicious bots by cybercriminals to steal customer account information. Customers often use easier password combinations for streaming services because these services do not hold a lot of personal data. A study conducted by the Pew Research Center found that 39 percent of people use the same or similar passwords for multiple online accounts. Therefore, if a consumer's sign-in credentials are stolen from a streaming service and those credentials are also used for a bank account, the hacker then has access to sensitive data and the ability to steal money. Hackers perform Account Takeover (ATO) attacks to infiltrate online accounts. In ATO attacks, malicious actors typically gain access to accounts through the use of automatic credential stuffing and credential cracking attack techniques. The likelihood of success for username and password combination testing across multiple sites is increased when hackers use bots. A bot can try different combinations at a much higher rate than humans could. In a recent attack against a streaming service, nearly 300,000 unique username and password combinations were attempted in just over five hours, during which the hackers successfully harvested 1,500 combinations. Malicious bots are also used to create fake accounts in the targeting of streaming services. Cybercriminals can use this tactic to generate spam and abuse new account promotions. This article continues to discuss how bots are used in attacks targeting streaming services and how malicious bot attacks can be prevented.

Security Magazine reports "Your Streaming Service Is Fertile Ground for Bot Attacks"

Researchers at Ponemon Institute discovered that threat data feeds could help organizations strengthen their cybersecurity posture. The researchers surveyed 1025 IT security practitioners (70% of whom were at or above the supervisory level) in the United States and the United Kingdom. Most of the professionals participating (79%) in the study said threat data feeds were essential to their organization's ability to achieve a strong cybersecurity posture, and 55% rate the quality of their threat feeds' ability to pinpoint cyberthreats as very high. Study participants said threat data feeds offer several benefits. Threat data feeds add unique data to better inform security (71%), increase preventive blocking to ensure a better defense (63%), reduces the time it takes to detect and remediate an attack (55%), and reduce the time spent researching false positives (51%). However, more than half (56%) of respondents also said threat feeds deliver data that is often too voluminous and/or complex to provide timely and actionable intelligence.

Help Net Security reports: "Challenges And Benefits of Using Threat Data Feeds"

A ransomware attack on leading internet-of-things (IoT) manufacturer Sierra Wireless this week grounded its production activity to a halt and froze various other internal operations. The Canadian multinational manufacturer creates a broad array of communications equipment from gateways to routers, cellular modems to modules, and smart connectivity solutions for IoT devices.
The ransomware attack first affected the company on March 20, pushing its IT systems offline and halting production across its manufacturing sites. The company's website (sierrawireless.com) is currently down, saying, "Site is under maintenance". The company stated that it is currently working to bring its internal IT systems back online and hopes to restart production at its facilities soon. According to Sierra Wireless, once the company learned of the attack, its IT and operations teams immediately implemented measures to counter the attack according to established cybersecurity procedures and policies developed in collaboration with third-party advisors. The company at this time does not believe its customer-facing products and services have been impacted by the attack. It is not clear whether customer data has been affected. Sierra Wireless has not yet specified how the cyber attack initially occurred, what type of ransom was demanded, and whether they considered paying.

Threatpost reports: "Ransomware Attack Foils IoT Giant Sierra Wireless"

Cyber Scene #54 -

US-China: Cyber Syndrome or War of the Worlds?

Security researchers at Check Point have observed a 300 percent increase in listings on the dark web marketplaces advertising vaccine doses, falsified vaccine certifications, negative test results, and more in the last three months. According to the researchers, there are more than 1,200 listings that are offering various vaccines, including Moderna, Pfizer, AstraZeneca, Sputnik, Johnson & Johnson, and Sinopharm. The legitimacy of the doses remains unknown. However, even if the doses were legitimate, there is no guarantee that they have been stored properly. The researchers attempted to purchase the Sinopharm vaccine from one of the dark web vendors. Negotiations for purchasing the vaccine took place on Telegram. The vendor provided reassurance that the vaccine doses were real. The researchers paid $500 in bitcoin for the vaccine then received a FedEx shipping label, but they did not receive the shipment. Dark web vendors are suspected to be having greater success with selling falsified vaccine cards and negative test results, as the researchers have seen more vaccination certificates being offered than vaccines. This article continues to discuss the researchers' observations surrounding the increase in COVID-19-related listings on dark web marketplaces.

Ars Technica reports "Dark Web Bursting With COVID-19 Vaccines, Vaccine Passports"

The Department of Energy's (DOE) Office of Cybersecurity, Energy Security, and Emergency Response (CESER) has announced three new researcher programs aimed at strengthening the security of America's energy system against cyberattacks and physical hazards. The new schemes will address potential vulnerabilities in the global supply chains and explore ways to protect critical infrastructure from geomagnetic and electromagnetic interference. The new programs will also focus on establishing a research and talent pipeline for the next generation of cybersecurity professionals. These programs will gather experts from industry, academia, and government to help enhance the energy sector's resilience. CESER pointed out the major threats facing America's critical energy infrastructure, which include digital hazards such as cyberattacks and environmental dangers like climate change, wildfires, and extreme weather. This article continues to discuss the goals and importance of the three new cybersecurity research programs.

Infosecurity Magazine reports "New Cybersecurity Programs to Protect US Energy"