News Items

The U.S. Cybersecurity & Infrastructure Security Agency (CISA) is warning of critical-severity security flaws in GE's Universal Relay (UR) family of power management devices. GE's UR devices are computing devices that allow users to control the amount of electrical power consumed by various devices. GE has issued patches for the following affected UR device families: B30, B90, C30, C60, C70, C95, D30, D60, F35, F60, G30, G60, L30, L60, L90, M60, N60, T35, and T60. CISA warned that if not updated, the affected products could be exploited to allow an attacker to access sensitive information, reboot the UR, gain privileged access, or cause a denial-of-service condition. GE strongly recommends users with impacted firmware versions update their UR devices to UR firmware Version 8.10 or greater to resolve these vulnerabilities. Overall, nine vulnerabilities were patched across the affected devices. The most serious of these (CVE-2021-27426) has a CVSS score of 9.8 out of 10, making it critical. The flaw stems from insecure default variable initialization.

Threatpost reports: "CISA Warns of Security Flaws in GE Power Management Devices"

Researchers from the University of Oxford, WMG, University of Warwick, Abertay University, University of Kent, and the University of Strathclyde worked together in a study titled, "Cyber Security in the Age of COVID-19: A Timeline and Analysis of Cyber-Crime and Cyber-Attacks during the Pandemic," which has been published in the Computers and Security journal. The study reveals a clear connection between cybercrime campaigns and governmental policy announcements. This pattern has been suspected for a while, but this is the first study on it that involves hundreds of cases globally to make this direct connection. There have been many reports of scams involving the impersonation of public authorities like the World Health Organization, as well as organizations such as supermarkets and airlines, since the outbreak of the COVID-19 pandemic in 2019. These scams have also targeted members of the public, who are now spending more time online. Many of the COVID-19 cyberattacks analyzed in this study begin with a phishing campaign that fools victims into downloading a file or accessing a URL. The file or the URL act as the carrier of malware, which then acts as the vehicle for fraud when installed. The analysis showed that the likelihood of the attack's success increased when the phishing campaign leverages media and governmental announcements. The researchers observed a surge in cyberattacks targeting critical infrastructures, governments, organizations, and end-users, influenced by governmental announcements. The researchers observed targeted attacks, the selling of counterfeited medical equipment to hospitals, the denial of essential services via ransomware attacks, the sale of fake online COVID-19 testing equipment, and more. This article continues to discuss the performance and key findings from the collaborative study.

The University of Oxford reports "COVID-19 Related Cyber-Attacks Leveraged Government Announcements"

Researchers at McAfee Labs Advanced Threat Research discovered critical vulnerabilities in the Netop Vision Pro system that could allow attackers to hijack school networks, deliver malware, determine students' IP addresses, eavesdrop, and more. Netop, the company behind the popular software tool designed to let teachers remotely access student computers, has fixed four security bugs in its platform. The flaws were disclosed to Netop on Dec. 11. By late February, the company had issued an update addressing several of the concerns (in Netop Vision Pro version 9.7.2). The researchers disclosed that the new update fixed the local privilege escalations, encrypted formerly plaintext Windows credentials, and mitigated the arbitrary read/writes on the remote filesystem within the MChat client. The researchers stated that the network traffic is still unencrypted, including the screenshots of the student computers. Netop has assured the researchers that it is working on implementing encryption on all network traffic for a future update.

Threatpost reports: "Critical Security Bugs Fixed in Virtual Learning Software"

Pub Crawl summarizes, by hard problems, sets of publications that have been peer reviewed and presented at SoS conferences or referenced in current work. The topics are chosen for their usefulness for current researchers.

Security researcher and programmer David Buchanan has discovered a new steganography method that involves hiding up to three MB of data inside a Portable Networks Graphics (PNG) image file posted on Twitter. Cybercriminals can use steganography to hide malware and communicate secretly with other criminals. Hackers practice steganography by hiding malicious data in image files, video clips, audio files, and other unsuspected formats. Steganography is an attractive method to hackers because most users would not suspect that such files would be used to execute attacks. Buchanan demonstrated how malicious actors could use this technique on a popular website like Twitter by hiding MP3 audio files and ZIP archives within PNG images hosted on the social media platform. The PNG files on Twitter represent valid images when previewed. However, by downloading the images and changing their file extension, different content can be obtained from the same files. Buchanan posted an example 6 KB image file on Twitter that contains an entire ZIP archive, which includes his source code. Anyone can use this source code to pack miscellaneous contents into a PNG image. In another example, Buchanan tweeted an image that plays a song when downloaded, renamed to .mp3, and opened in the VLC media player. Twitter attempts to strip unnecessary metadata from PNG uploads but does not remove the data appended to the end of the DEFLATE stream, which is the part of the file that stores the compressed pixel data. This article continues to discuss the new steganography method that cybercriminals could use to hide malicious commands, payload, and other content inside photos posted on Twitter, as well as other steganographic techniques recently discovered by researchers.

Bleeping Computer reports "Twitter Images Can Be Abused to Hide ZIP, MP3 Files"

More and more organizations are adopting passwordless authentication. Researchers at Gartner predict that, by 2022, 60% of large and global enterprises and 90% of midsize enterprises will implement passwordless methods in more than half of use cases. Passwordless authentication can be used both for personal and business purposes. When it comes to personal use almost, every user has multiple online accounts, making it hard to create and even harder to remember all passwords. Therefore, a device with fingerprint or face recognition is handy. For enterprises, the need for passwordless authentication is even more crucial, as it provides the ability to implement more granular access control with a stricter zero-trust policy. Passwordless authentication also allows enterprises to eliminate the burden of remembering new passwords every three months for users and reduces the cost of supporting IT departments' whole system. The researchers argue that although passwordless represents a more secure authentication method, there are still challenges in deploying this model. The most significant issues are associated with the total budget and migration complexity. The budget should include costs for buying hardware and expenses for setup and configuration. There is also the challenge of overcoming the old-school mentality when employees and IT leadership are resistant to a move away from familiar and conventional security methods.

Help Net Security reports: "The Benefits And Challenges of Passwordless Authentication"

Security researchers found a security blip in the current version of Zoom, which could inadvertently leak users' data to other meeting participants on a call. The data is only leaked briefly, making a potential attack difficult to carry out. The flaw (CVE-2021-28133) stems from a glitch in the video conferencing platform Zoom's screen sharing function. When a user shares one split application window (such as presentation slides in a web browser) while opening other applications (such as a mail client) in the background, in what is supposed to be in non-shared mode, researchers found that the contents of the explicitly non-shared application window can be perceived for a "brief moment" by meeting participants. While this would only occur briefly, researchers warn that other meeting participants who are recording the Zoom meeting (either through Zoom's built-in recording capabilities or via screen recording software like SimpleScreenRecorder) can go back to the recording and fully view any potentially sensitive data leaked through that transmission. Because this bug would be difficult to exploit intentionally (an attacker would need to be a participant in a meeting where the bug inadvertently leaks data), the flaw is only medium-severity (5.7 out of 10) on the CVSS scale.

Threatpost reports: "Zoom Screen-Sharing Glitch 'Briefly' Leaks Sensitive Data"

In 2020 researchers from Palo Alto Networks found that manufacturing, healthcare, and construction companies suffered 39% of ransomware attacks in 2020. The average ransom paid by companies jumped 171% to more than $312,000. The highest ransom demand was $30 million, and the highest-known paid ransom was $10 million. The researchers stated that as organizations shifted to remote workforces due to the COVID-19 pandemic, ransomware operators adapted their tactics accordingly. Adversaries started to increase the use of malicious emails containing pandemic-based subjects and even malicious mobile apps claiming to offer information about the virus. Researchers at Chainalysis found that ransoms paid using cryptocurrency surged 311% in 2020 and approached a grand total of $350 million.

Dark Reading reports: "Ransom Payments Have Nearly Tripled"

Facebook has supported hardware security keys on desktops since 2017. The social media giant has now expanded its support for hardware security keys to iOS and Android devices. Hardware security keys add an extra layer of security to online accounts. The use of these keys is considered a top authentication method that bolsters the protection of users' online data. Those who are frequently targeted by hackers, such as politicians, activists, and other high-profile entities, are encouraged to use them. This article continues to discuss Facebook's expanded support for hardware security keys to mobile devices, the concept of security keys, and who should use them.

Engadget "Facebook Adds Hardware Security Key Support for Android and iOS"

Studies have revealed significant security flaws in some of the most advanced human biometric identification systems, including those based on fingerprints and retina scans. Researchers at Brigham Young University (BYU) developed an improved and more secure method for using facial recognition for access control. They created a technique called Concurrent Two-Factor Identity Verification (C2FIV) that requires both facial identity and a unique facial motion to gain access. A user must record a short 1-2 second video of a special facial motion or a lip movement while facing the camera and reading a secret phrase. The video is then used as input for the device. The facial features and the features of the facial movement are extracted and stored for later ID verification. This method ensures that the identity verification process is intentional since the verification cannot occur if the user is unconscious. With other biometric identification systems like fingerprint recognition technologies, a user's finger can still be used to unlock their device even if they are unconscious. C2FIV learns facial features and actions like blinking, smiling, eyebrow-raising, and more, simultaneously using an integrated neural network framework that models dynamic, sequential data such as facial motions. This framework considers all frames in a recording. In the preliminary study, the trained neural network verified identities with a 90 percent accuracy rate. D.J. Lee, an electrical and computer engineering professor at BYU and leader in the development of the new facial recognition technology, says the C2FIV system's application could go beyond smartphone access into ATM use, online banking, hotel room entry, safe deposit box access, keyless vehicle access, and more. This article continues to discuss the study, goal, capabilities, potential applications, and future of the C2FIV system.

BYU reports "New BYU Algorithm Making ID Verification More Secure by Tracking Facial Movements"

Researchers at Cofense have discovered that cybercriminals have wasted no time in hopping on the COVID-19 relief legislation just signed into law (American Rescue Plan) as a lure for email-based scams. A campaign began circulating in March that capitalized on Americans' interest in the forthcoming $1,400 relief payments and other aid. The emails impersonate the IRS, using the agency's official logo and a spoofed sender domain of IRS[.]gov. The email claims to offer an application for financial assistance. In reality, the emails provide the Dridex banking trojan. The email says, "It is possible to get aid from the federal government of your choice," and then offers "quotes" such as a $4,000 check, the ability to skip the queue for vaccination, and free food. There is a button in the email that says, "Get apply form," and if the user clicks the button, then users are taken to a Dropbox account where they see an Excel document that says, "Fill this form below to accept Federal State Aid." However, to see this supposed IRS form in its entirety, victims are prompted to enable content. If they do, they trigger macros that set off the infection chain indirectly. The researchers stated that the macros used by the .XLSM files drop an .XSL file to disk, and then use a Windows Management Instrumentation (WMI) query to gather system information. The WMI query employed in this case demands that the dropped .XSL file is used to format the response to the query. This formatting directive allows JavaScript contained in the .XSL file to be executed via WMI and download malware, avoiding the more commonly seen methods via PowerShell.

Threatpost reports: "$4,000 COVID-19 'Relief Checks' Cloak Dridex Malware"

The FBI sent out an alert on Wednesday that malicious actors "almost certainly" will be using deepfakes to advance their influence or cyber-operations in the coming weeks. The FBI anticipates that foreign and criminal cyber actors will increasingly use deepfakes for spearphishing and social engineering attacks. The main fear is that if manipulated media is allowed to proliferate unabated, conspiracy theories and maligned influence will become mainstream. A pro-Chinese government influence operation used profile images generated with artificial intelligence (AI) to lend authenticity to their campaign in one recent disinformation case. In another recent case, researchers found that the Russian Internet Research Agency used Generative Adversarial Networks-generated images for fake profile accounts used to push divisions ahead of the U.S. elections in 2020. To catch synthetic media or deepfakes, the FBI suggests users be alert for warping, distortions, syncing issues, or other inconsistencies in images or videos.

Cyberscoop reports: "FBI Alert Warns of Russian, Chinese Use of Deepfake Content"

A new URL phishing campaign that uses Morse code was discovered in February 2021. Morse code was invented by Samuel Morse and Alfred Vail in the 19th century. It is a communication method that uses dots and dashes to transmit messages. Phishers are now using this method to hide malicious URLs in email attachments and circumvent detection. According to Bleeping Computer, the URL phishing attack begins with a user receiving an email appearing to be an invoice. Once the recipient opens the attachment, it activates in HTML. The attached URL phishing file includes JavaScript code that maps letters and numbers to the dots and dashes of Morse code. When the JavaScript code runs, it uses a decodeMorse() function to translate the Morse code into a hexadecimal string. This hexadecimal string is then decoded into JavaScript tags that are injected into the HTML page. The tags create an image of a fake Excel spreadsheet that prompts the recipient to sign into their Office 365 account. When the user enters their credentials, the login form will send them to a remote site where the attackers can collect them. The attack falls under the umbrella of spear phishing as it involves sending an email to a specific company. This article continues to discuss the use of Morse code in a new URL phishing campaign, other evasion methods used by phishers, and how organizations can defend themselves against URL phishing attacks.

Security Intelligence reports "URL Phishing Campaign Hides Attack Behind Morse Code"

Researchers at SonicWall discovered that ransomware threats in 2020 spiked 62% globally and 158% in North America as more sophisticated variants like Ryuk targeted larger organizations with multi-staged attacks. The retail sector saw a 365% increase in ransomware threats in 2020, followed by the healthcare sector (123%) and the government sector (21%). There were nearly 82 million cryptojacking detections, a 28% increase from 2019 figures. The researchers also found that IoT malware detections surged 66% as attackers targeted home networks and remote workers, and overall there was a 74% increase in previously undetected malware variants.

Infosecurity reports: "Ransomware and IoT Malware Detections Surge by Over 60%"

Researchers at the Skolkovo Institute of Science and Technology have demonstrated the use of Turing-like patterns to cause neural networks to make errors in the recognition of images. Turing patterns refer to patterns found in nature, such as stripes and spots on animals. The results of this research can be used to develop solutions for defending pattern recognition systems against attacks. Although deep neural networks are considered smart and highly capable at recognizing and classifying images, they are still vulnerable to adversarial perturbations, which are small unique details in images that can lead to incorrect neural network output. Studies have brought attention to the threat that adversarial perturbations pose to safety. For example, another team of researchers described how self-driving vehicles could be tricked into seeing innocuous advertisements and logos as traffic signs. The problem is worsened as most known defenses implemented for networks against such attacks can easily be evaded by malicious actors. Researchers still find the nature and roots of adversarial perturbations mysterious. The lack of theory is one of the reasons why adversarial attacks are difficult to combat. This work is a step towards explaining the properties of universal adversarial perturbations (UAPs) by Turing patterns, which will help build a theory of adversarial examples in the future. This study has allowed the team to show ways in which new attacks can be generated against neural networks. This article continues to discuss the performance and purpose of this study on the use of Turing-like patterns to fool neural networks.

Skoltech reports "Skoltech Team Shows How Turing-Like Patterns Fool Neural Networks"

Researchers at the security company GRIMM discovered three vulnerabilities in the Linux kernel's Internet Small Computer Systems Interface (iSCSI). The exploitation of the vulnerabilities could allow local attackers with basic user privileges to become root users on unpatched Linux systems. Since the security bugs can only be exploited locally, potential attackers need to exploit another flaw or use an alternative attack vector to gain access to vulnerable devices. The bugs are 15 years old, as they were introduced in 2006 when the iSCSI kernel subsystem was in its initial development stages. According to Adam Nichols, the Principal of Software Security at GRIMM, the vulnerabilities impact all Linux distributions. Attackers can abuse the bugs to circumvent exploit-blocking security features, including Supervisor Mode Execution Protection (SMEP), Supervisor Mode Access Prevention (SMAP), Kernel Page-Table Isolation (KPTI), and Kernel Address Space Layout Randomization (KASLR). In addition to local elevation of privileges, the three vulnerabilities can result in information leaks and Denial-of-Service (DoS) attacks. This article continues to discuss the discovery, potential exploitation, and impact of the 15-year-old Linux kernel bugs.

Bleeping Computer reports "15-Year-Old Linux Kernel Bugs Let Attackers Gain Root Privileges"

IBM has announced the establishment of a cloud marketplace that was built as part of an initiative for securely developing dual-use microelectronics for the commercial industry and the Department of Defense (DoD). The Marketplace for Advanced, Rapid, Quantifiably-assured, Trusted Semiconductors (MARQTS), supports the DoD initiative geared towards advancing design methods with measurable security. The MARQTS has been announced amid growing concerns surrounding the microelectronics supply chain. Last week, the House Armed Services Committee announced the development of a new bipartisan task force that will explore and identify vulnerabilities and threats facing the defense supply chain. The co-chairs of the task force highlighted chips as a significant supply chain vulnerability. This article continues to discuss the goal, creation, and future of the MARQTS, as well as other efforts to bolster supply chain security.

NextGov reports "IBM Announces Cloud Marketplace For Secure Chip Design"

The Department of Homeland Security (DHS) Science and Technology Directorate (S&T) and the Cybersecurity and Infrastructure Security Agency (CISA) jointly announced the final two research and development (R&D) awards for the Secure and Resilient Mobile Network Infrastructure (SRMNI) project. The project, managed by S&T's Mobile Security and Emergency Communications R&D program, aims to address CISA's top mobile-focused priorities, which are to secure the information and communications technology (ICT) supply chain and critical mobile network infrastructure, including 5G, the fifth generation of wireless technology. William N. Bryan, the S&T Acting Under Secretary, stresses that the security of mobile devices and enterprise networks is critical to the federal workforce's capability to perform government business functions securely. The S&T-led R&D projects will support the development of innovative solutions for analyzing mobile network traffic, improving the protection of government-provided mobile devices, and strengthening the security of enterprise networks. The new SRMNI projects awards focus on the development of solutions to improving the government's ability to identify malware, attacks, and more, in mobile device network traffic. GuidePoint Security will receive $915,000 for its Mobile Network Traffic Visibility for the Enterprise project. AppCensus, Inc. will receive $1.2 million for its Mobile Traffic Intelligence at Scale project. This article continues to discuss the SRMNI project, the two R&D awards announced for the project, and the earlier round of seven SRMNI R&D projects.

Homeland Security News Wire reports "Two R&D Projects to Enhance Mobile Network Traffic Security"

Software-as-a-Service (SaaS) apps are attractive targets for bad actors as they contain a lot of information and support business processes and decision-making. Many enterprises assume that SaaS vendors protect their customer's data in those apps, when in reality, most of the vendors do not. The responsibility of protecting SaaS app data should be that of the organizations. Critical SaaS app data can be protected and preserved by having the right backup plan implemented. Organizations should make sure that their SaaS app backup system can limit external access points to their data and preserve all SaaS data, as well as ensure traceability and accountability. This article continues to discuss the importance of protecting SaaS app data and how this data can be backed up.

Help Net Security reports "Two New Ways Backup Can Protect Enterprise SaaS Data"

Threat intelligence experts warn of a new version of the Darkside ransomware variant that its creators claim will feature faster encryption speeds, VoIP calling, and virtual machine targeting. The Russian-speaking hacking group claims that the Windows version of Darkside 2.0 encrypts files faster than any other ransomware-as-a-service (RaaS) and is twice as speedy as the previous iteration. Darkside 2.0 now also features multithreading in both Windows and Linux versions. The Linux version of the ransomware can now target VMware ESXi vulnerabilities, meaning it can hijack virtual machines and encrypt their virtual hard drives. The new version of the ransomware is also redesigned to target network-attached storages (NAS), including Synology and OMV, for even more pervasive encryption of victim systems. Darkside 2.0 also features a "call on us" function enabling affiliates to make VoIP calls for free to victims. This allows adversaries to exert extra pressure on victims to pay up.

Infosecurity reports: "Darkside 2.0 Ransomware Promises Fastest Ever Encryption Speeds"

A cybercriminal hacking group is distributing new malware called NimzaLoader that is written in the programming language Nim. According to researchers, this programming language is rarely used to compile malicious code. Cybersecurity researchers at Proofpoint believe the malware was written in this programming language to make it more difficult to detect and analyze. NimzaLoader allows attackers to gain access to Windows computers and execute commands that give them the ability to take control of the machine, steal sensitive information, and more. The malware is suspected to be the work of the TA800 threat group that has targeted a wide range of industries in North America. This article continues to discuss the use of the Nim programming language to develop NimzaLoader malware and the group believed to be behind the malware, as well as the capabilities and distribution of NimzaLoader.

ZDNet reports "This Malware Was Written in an Unusual Programming Language to Stop It From Being Detected"

FIN8, the financially-motivated criminal hacking group, has returned after a year-and-a-half hiatus with updated backdoor malware, known as BADHATCH. The gang typically attacks point-of-sale (PoS) systems to steal payment card data. According to researchers, the new and improved backdoor has capabilities such as screen capturing, proxy tunneling, and fileless execution. The backdoor is also now likely capable of stealing credentials. The gang has been using the new version of the BADHATCH backdoor in attacks primarily against companies in the retail, technology, chemical, and insurance industries. Research conducted by Bitdefender reveals that these attacks have hit organizations in the US, Canada, South Africa, Puerto Rico, Panama, and Italy. An earlier version of BADHATCH, observed by researchers at Gigamon and Trend Micro in 2019, enabled the delivery of other malware payloads such as ShellTea and PoSlurp to scrape for credit card data, delete files, and more. This article continues to discuss the return of the FIN8 cybercrime group with an updated version of the BADHATCH backdoor, the new capabilities of this backdoor, the earlier version of BADHATCH, and the history of the FIN8 group.

CyberScoop reports "FIN8 Cybercrime Group Resurges With Improved Hacking Tool"

A new chip, called "MORPHEUS," developed by researchers at the University of Michigan (U-M), was able to thwart sustained attacks from more than 500 cybersecurity experts as part of the Defense Advanced Research Agency's (DARPA) 'Finding Exploits to Thwart Tampering' (FETT) bug bounty program. The bug bounty program was organized jointly by DARPA, the Defense Digital Service (DDS), and the crowdsourced security platform Synack. According to the U-M researchers, MORPHEUS rapidly randomizes elements of code and data, which makes it more difficult for hackers to compromise chips as they need such components to take over the hardware. The team has been able to make the chip's code churn once every 50 milliseconds, allowing it to foil hacking attempts from the most sophisticated automated tools significantly faster than required. Through the use of this chip, the information needed to exploit a discovered vulnerability disappears almost immediately. MORPHEUS' capabilities had previously been demonstrated in a lab environment, but the FETT program was the first time that a group of external cybersecurity experts explored the chip. The researchers are adapting the chip to safeguard medical data, genomic data, biometrics, financial credentials, and other sensitive information in the cloud. DARPA has given an A rating: 'Approved for Public Release, Distribution Unlimited' to the MORPHEUS chip for its success at foiling every attack launched against it. This article continues to discuss the techniques and successful demonstration of the MORPHEUS chip.

Computing reports "MORPHEUS Chip Foils Attacks From 500 Cybersecurity Experts"

It is suggested that government agencies consider hardware-enabled approaches in addition to software-based solutions to bolstering security against cybercriminals. The number of shipments for hardware supporting digital authentication and embedded security in 2024 will double that of 2019, as it is expected to reach 5.3 billion. The market for hardware security modules will exceed $2 billion by 2027, an increase from nearly $828.3 million two years ago. However, these advancements have primarily been considered for uses such as protecting classified networks through cross-domain solutions. However, state-sponsored attacks target more than just classified networks, which calls for more powerful tactics to combat them. Hardware-enabled security alternatives can help significantly, but there are myths that hinder the widespread adoption of hardware security. The myths are that hardware security is too niche, difficult, and expensive. This article discusses the myths associated with hardware security and the need for government agencies to pursue alternative security solutions to counter rapid advancements in attack methods.

NextGov reports "Debunking Three Myths about Hardware Security"