News Items

The Linux Foundation has launched a new service called "sigstore." The service was developed in collaboration with Red Hat, Google, and Purdue University. Software developers can use this service to digitally sign their releases and other software artifacts, enhancing the security of the open-source software supply chain. All signatures will be stored in a public log that is tamper-resistant and monitored for potential abuse. Sigstore ties certificates to identities through the use of the OpenID authentication protocol. Therefore, a developer can sign their software using their email address or account with an existing OpenID identity provider. Traditional code signing requires obtaining a certificate from a certificate authority (CA) trusted by the maintainers of a specific software ecosystem. In order to obtain a traditional code signing certificate, special procedures must be performed, including identity verification or joining a developer program. This article continues to discuss how sigstore works, how its process is different from traditional code signing, and the importance of signing software releases.

CSO Online reports "New Free Software Signing Service Aims to Strengthen Open-Source Ecosystem"

The European Banking Authority (EBA) had to take its email servers offline temporarily after discovering that it was compromised as part of an ongoing worldwide Microsoft Exchange hacking campaign. The agency is conducting a full investigation, which has not found any signs of sensitive data theft thus far. The malicious campaign exploits multiple zero-day vulnerabilities in Microsoft Exchange, for which Microsoft has issued emergency patches. Hackers have been using the flaws to launch wide-ranging attacks against organizations that have not patched their Microsoft Exchange servers yet. This article continues to discuss the compromise of the EBA by Microsoft Exchange hackers and other recent findings surrounding the ongoing hacking campaign.

Silicon UK reports "European Banking Authority Compromised By Exchange Hackers"

Android is the most targeted mobile operating system by malware. Researchers at the Singapore Management University (SMU) have discovered a new way to prevent cyberattacks on Android devices. The method is described as dynamic, intelligent, and non-intrusive in detecting malware on Android devices. The researchers are leveraging a side-channel for detecting sensitive and unusual behaviors on mobile apps. Their method is convenient as it does not require rooting or gaining privilege control from Android users. Android operating system upgrades do not affect the detection method. The method of detection also does not breach the Personal Data Protection Act of 2012 since it does not extract data in its performance. The research team designed the side-channel monitoring system by taking input from side-channel readings and using artificial intelligence and deep machine learning (ML) to train a deep neural network model to determine if sensitive or uncharacteristic behavior has been exhibited on mobile apps. This approach to monitoring and detection offers researchers a way to dynamically monitor apps' behaviors instead of statically analyzing each app's code. Using this method, stealthy attacks can be detected. Testing of the technique showed that it could detect sensitive behavior, with a 98.5 percent accuracy rate. This article continues to discuss the growing sophistication of cyberattacks, the heavy targeting of the Android operating system by hackers, challenges associated with designing a malware detection system for Android, and the side-channel monitoring solution designed by SMU researchers to protect Android devices from cyberattacks.

SMU reports "A New and Non-Intrusive Method for Preventing Cyber Attacks on Android Devices"

Researchers from NVIDIA and Harvard have made an enormous breakthrough in genetic research by developing a deep-learning toolkit that can significantly reduce the time and cost needed to run rare and single-cell experiments. The AtacWorks toolkit can run inference on a whole genome, a process that generally takes a little over two days, in just half an hour. It's able to do so thanks to NVIDIA's Tensor Core GPUs. AtacWorks works with ATAC-seq, a well-established method designed to find open areas in the genome of healthy and diseased cells. These "open areas" are subsections of an individual's DNA used to determine and activate specific functions. This is the part of a person's genome that could give scientists indications on whether a person could have Alzheimer's, heart disease, or cancer. ATAC-seq usually requires the analysis of tens of thousands of cells, but AtacWorks can get the same results using only tens of cells. Researchers also applied AtacWorks to a dataset of stem cells that produce red and white blood cells, subtypes that typically can't be studied using traditional methods. But with AtacWorks, they were able to identify separate parts of the DNA associated with white blood cells and red blood cells, respectively. Researchers' ability to analyze the genome faster and cheaper will go a long way in identifying the specific mutations or biomarkers that could lead to certain diseases. It could even help drug discovery by assisting researchers to figure out how a disease works.

Engadget reports: "NVIDIA and Harvard Researchers Use AI to Make Genome Analysis Faster And Cheaper"

At least 30,000 organizations across the United States, including a significant number of small businesses, towns, cities, and local governments, have been hacked by an unusually aggressive Chinese cyber-espionage unit over the past few days. The Chinese cyber-espionage unit is focused on stealing emails from victim organizations. The espionage group is exploiting four newly-discovered flaws in Microsoft Exchange Server email software and has seeded hundreds of thousands of victim organizations worldwide with tools that give the attackers total remote control over affected systems. On March 2, Microsoft released emergency security updates to plug four security holes in Exchange Server versions 2013 through 2019 that hackers were actively using to siphon email communications from internet-facing systems running Exchange. In the three days since then, security experts say the same Chinese cyber-espionage group has dramatically stepped up attacks on any vulnerable, unpatched Exchange servers worldwide. In each incident, the intruders have left behind a "web shell," an easy-to-use, password-protected hacking tool that can be accessed over the internet from any browser. The web shell gives the attackers administrative access to the victim's computer servers. Microsoft said the Exchange flaws are being targeted by a previously unidentified Chinese hacking crew it dubbed "Hafnium," and said the group had been conducting targeted attacks on email systems used by a range of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs

Krebs on Security reports: "At Least 30,000 U.S. Organizations Newly Hacked Via Holes in Microsoft's Email Software"

Researchers at Microsoft and the cybersecurity firm FireEye have shared details about new pieces of malware believed to be linked to the threat actors behind the SolarWinds supply chain attack. Microsoft is tracking the threat actor behind the SolarWinds attack as "NOBELIUM." The company identified three new malware strains named GoldMax, GoldFinder, and Sibot, supposedly used by the group following the compromise of the targeted organization's network. According to Microsoft, these malware strains have been used to maintain persistence and perform other specific activities. GoldMax was written in the Go programming language and is designed to act as a command-and-control (C2) backdoor, creating scheduled tasks that impersonate system management software for persistence. GoldFinder is described as a custom HTTP tracer tool. Sibot has been described as a dual-purpose malware written in VBScript that allows attackers to download and execute payload from a remote server, and maintain persistence. This article continues to discuss recent findings surrounding the three new malware strains linked to the threat actors behind the SolarWinds attack, as well as the threat groups that have targeted the software company.

Security Week reports "Three New Malware Strains Linked to SolarWinds Hackers"

The National Security Agency (NSA) strongly recommends the adoption of a Zero Trust security model for all critical networks within National Security Systems, the Department of Defense's critical networks, and Defense Industrial Base critical networks and systems. NSA recently released a guide that includes examples of how the implementation of Zero Trust could have prevented some of the methods used by attackers to compromise at least nine federal agencies and a hundred companies in the SolarWinds supply chain attack. The attackers' focus on evading detection indicates that such tactics will continue to grow in use and complexity, calling for the consideration of Zero Trust principles. Using a Zero Trust approach, devices themselves would be validated in addition to passwords. Therefore, if an attacker uses a stolen password but the device is unknown, the device will fail authentication and authorization checks, thus resulting in the denial of access and the logging of the malicious activity. The agency also recommends the use of strong multi-factor authentication. This article continues to discuss NSA's recommendation to embrace the Zero Trust security model and how the implementation of this model can help organizations prevent sophisticated hacks.

NextGov reports "NSA Pushes Zero Trust Principles to Help Prevent Sophisticated Hacks"

Dr. Basel Halak of the Cyber Security Research Group at the University of Southampton will improve the security of anti-tamper embedded devices in a new Royal Academy of Engineering Industrial Fellowship. Embedded systems have become popular targets for hacking, with smart devices vulnerable to being taken over and controlled by malicious actors. Dr. Halak emphasizes that the compromise of hardware products poses significant threats if they are used in critical infrastructure and military applications. The ever-evolving security threat landscape calls for effective and adaptive defense solutions. This fellowship aims to develop responsive and adaptive defense mechanisms to combat security threats to critical infrastructure and military electronics. The mechanism will be developed using Machine Mearning (ML) algorithms to rapidly detect malicious behaviors exhibited by embedded systems and increase the speed at which a potential attack is stopped. This article continues to discuss the Industrial Fellowship awarded to Dr. Halak to develop a mechanism that will strengthen the security of anti-tamper embedded devices.

The University of Southampton reports "AI Enhanced Design to Counter Threats to Critical Infrastructure and Military Electronics"

Researchers at Group-IB have discovered that ransomware surged by 150% in 2020, with the average extortion amount doubling. The average ransom demand stood at $170,000 last year, but groups like Maze, DoppelPaymer, and RagnarLocker averaged between $1 million and $2 million. The average ransomware victim suffered 18 days of outages last year. Maze group (20%), Egregor group (15%), and Conti group (15%) accounted for most of the attacks analyzed by Group-IB. The Ransomware-as-a-Service (RaaS) model accounted for the majority (64%) of attacks studied, and 15 new affiliate programs appeared in 2020. Over half (52%) of attacks investigated by the researchers used publicly accessible RDP servers to gain initial access, followed by phishing (29%) and exploitation of public-facing applications (17%).

Infosecurity reports: "Ransomware Attacks Soared 150% in 2020"

Security researchers at vpnMentor found an unsecured AWS S3 bucket on December 24 last year. The bucket was traced to Californian business CallX, whose analytics services are used by clients to improve their media buying and inbound marketing. The AWS S3 bucket leaked the personal details of potentially tens of thousands of consumers. The researchers found 114,000 files left publicly accessible in the leaky bucket. Most of the files were audio recordings of phone conversations between CallX clients and their customers. An additional 2000 transcripts of text chats were also viewable. Personally identifiable information (PII) contained in these files included full names, home addresses, phone numbers, and more. Unfortunately, the bucket remains open. VpnMentor has tried to contact CallX with no response. The research team first reached out to the firm on January 3, 2021, and then to AWS on January 6.

Infosecurity reports: "Telemarketing Biz Exposes 114,000 in Cloud Config Error"

Researchers at SpyCloud found nearly 1.5 billion breached login combos circulating online last year and billions of records, including personal information (PII). The researchers also found that password reuse and weak hashing algorithms were widespread. In 2020 there were 854 breaches, up a third from 2019, and each data leak leaked on average 5.4 million records. SpyCloud found that 60% of credentials were reused across multiple accounts, exposing victims to credential stuffing and other brute force tactics. Of the 270,000 .gov emails recovered, the researchers found that password reuse was even higher, at 87%. Nearly two million passwords contained "2020," while almost 200,000 featured COVID-related keywords like "corona" and "pandemic." The most common password was "123456," followed by "123456789" and "12345678." "Password" and "111111" also appeared more than 1.2 million times each. The researchers also found that a third (32%) of breached passwords used the weak MD5 algorithm, and 22% used SHA1. Only 17% of passwords were salted.

Infosecurity reports: "Password Reuse at 60% as 1.5 Billion Combos Discovered Online"

A patch was released for a critical vulnerability found in a firewall appliance made by Genua, a Germany-based cybersecurity company. The firewall called Genugate is said to be the only firewall in the world to receive a "highly resistant" rating by the German government. According to Genua, its Genugate firewall is also classified as "NATO Restricted." Genua's products have been used by industrial, government, military, and other critical infrastructure organizations. SEC Consult recently revealed that the Genugate firewall is impacted by a critical authentication bypass vulnerability contained by its administration interfaces. Once a threat actor has gained access to an organization's network, they can use the vulnerability to log in to the firewall's administration panel as any user. If an attacker has full admin/root access rights within the admin web interface, they can reconfigure the entire firewall, including the firewall ruleset, email filtering configuration, web application firewall settings, proxy settings, and more. Attackers could modify the firewall's configuration to access otherwise unreachable systems or redirect company traffic to an attacker-controlled proxy server by exploiting this vulnerability. The highly critical security vulnerability seems to affect all versions of the Genugate firewall. This article continues to discuss the use of the Genugate firewall by critical infrastructure organizations, the critical authentication bypass vulnerability affecting the firewall, and what the abuse of this flaw could allow attackers to do.

Security Week reports "Vendor Quickly Patches Serious Vulnerability in NATO-Approved Firewall"

Researchers at Veracode have discovered that about 75% of healthcare applications contain some kind of vulnerability. A quarter of healthcare apps contain high severity flaws. The researchers also found that the healthcare sector fixes 70% of the vulnerabilities found within applications, putting it behind several other industries in terms of total volume addressed. However, the vulnerabilities that are fixed are usually fixed faster than any other sector on average except for retail. Veracode claimed that this is because healthcare apps are often smaller in size, relatively new, and have a lower density of bugs than software in verticals like tech, financial services, manufacturing, and government. Researchers also found that healthcare organizations do a better job than most at handling CRLF injection and cryptography-related bugs. However, the sector is still not scanning apps for issues regularly enough and is the least likely of any vertical to scan for flaws in open source components. The researchers argued that a failure to scan frequently for flaws means many are going unfixed and could be exploited in future attacks. Data breaches in healthcare cost more than any other sector and are estimated at over $7.1 million per incident.

Infosecurity reports: "Quarter of Healthcare Apps Contain High Severity Bugs"

Researchers from Egress conducted a news study where they interviewed 500 IT leaders and 3,000 remote-working employees in the US and UK across vertical sectors, including financial services, healthcare, and legal. The researchers found that 95% of IT leaders believe that company data is at risk on email and that 83 percent of organizations have suffered a data breach via this channel in the last 12 months. The researchers also found that human error was at the root of nearly one-quarter of incidents, with 24% caused by an employee sharing data in error. Most participants (85%) stated that they are sending more emails due to remote working, heightening the risk of an email data breach. Of the participants, 59% of the IT leaders reported an increase in email data leaks since implementing remote working due to the pandemic.

Help Net Security reports: "Data is Most at Risk on Email, With 83% of Organizations Experiencing Email Data Breaches"

A canary trap in the performance of espionage is the spread of multiple versions of false documents to hide a secret. The canary trap technique can be used to detect information leaks or create distractions that conceal valuable information. A team of cybersecurity researchers developed a new data protection system called WE-FORGE that uses Artificial Intelligence (AI) to expand upon the canary trap method. The system protects intellectual property such as drug designs and military technologies by producing false documents. WE-FORGE improves upon the canary technique by using natural language processing to automatically generate multiple fake files that are sufficiently similar to the original ones to be believable but different enough to be incorrect. The system also adds randomness to prevent adversaries from identifying real documents. WE-FORGE can create many fake versions of any technical design document, thus making it significantly difficult for adversaries to determine which document is real once they have successfully hacked a system. The use of this technique causes adversaries to waste their time and resources, as well as have lower confidence. This article continues to discuss the concept of canary traps in espionage and how the WE-FORGE data protection system builds on this technique to better deceive would-be attackers.

Dartmouth College reports "Cybersecurity Researchers Build a Better 'Canary Trap'"

The US Defense Department's cyber workforce is responsible for defending nearly every system that the government agency uses to safeguard national security. John Marx, the acting principal director for cyber modernization in the office of the undersecretary of defense for research and engineering, discussed the department's cyber missions and workforce talent during Engineers Week (February 21 to 27). According to Marx, the first goal of modernizing cyber capabilities in the Department of Defense (DoD) is to advance its ability to develop and deploy cyber-resilient systems. The second goal is to create a unique capability for highly integrated cyber and electromagnetic spectrum operations. The third goal is to develop an unrivaled cyber and electromagnetic spectrum expertise, supporting the first two goals. In addition to these missions, DoD provides support to critical civilian infrastructures in case of necessity when infrastructure owners request it under authorities such as the Defense Support to Civil Authorities. DoD collaborates closely with other federal agencies and local entities to provide this support. Marx highlighted DoD's continuous search for cyber talent and talent within its workforce. DoD is always seeking individuals who know how software drives complex systems. These individuals are typically computer engineers, software engineers, and electrical engineers. Mechanical, civil, chemical, aerospace, and biomedical engineers are also encouraged to have a strong understanding of the way in which their fields of practice rely on cyber systems. This article continues to discuss DoD's cyber capability modernization goals, the department's search for cyber talent, how engineers can gain more cybersecurity knowledge, and technologies that will improve cybersecurity.

The Department of Defense reports "Cyber Workforce Vital to Protecting National Security"

A hacking group called Hotarus Corp claims to have stolen internal data from Ecuador's Ministry of Finance and Banco Pichincha, the largest private bank in Ecuador. The ransomware gang used a PHP-based ransomware strain called Ronggolawe, also known as AwesomeWare. In the attack against Ecuador's Ministry of Finance, Ronggolawe was used to encrypt the contents of a site that hosts an online course. Following the attack, the threat actors shared a text file containing more than 6,500 login names and hashed password combinations on a hacker forum. The group claims that they stole sensitive ministry information, employee information, emails, and contracts. Banco Pichincha released an official statement confirming that Hotarus Corp hacked its marketing partner, not its internal systems. According to the bank, the attackers used the marketing partner to send phishing emails to customers to steal sensitive information and perform illegitimate transactions. However, the hacking group disputes the bank's statement. They say the attack on the marketing company allowed them to infiltrate the bank's internal systems. Once they gained access to the internal systems, the actors claim that they stole data and executed a ransomware attack. The hacking group claims to have stolen over 30 million customer records and more than 50 thousand sensitive system records. They shared images of the allegedly stolen data as proof of the attack. This article continues to discuss Hotarus Corp's ransomware attacks against two financial organizations and the alleged theft of data.

Bleeping Computer reports "Ransomware Gang Hacks Ecuador's Largest Private Bank, Ministry of Finance"

The cybersecurity company Coveware released a report revealing that nearly half of the ransomware attacks that it had tracked in the third quarter included threats to leak unencrypted data. However, several of the gangs behind these attacks did not honor their agreement to delete victims' stolen data despite having received ransomware payments. For example, victims of Sodinokibi/REvil ransomware were hit again just a few weeks after paying the ransom for the same data. Such incidents pose the question as to whether victims should pay ransomware attackers. Victims are advised not to pay because there is no guarantee that they will receive a working decryption tool for their data if they give in to the attackers' demand for a ransom payment. Coveware's report also highlights that there is no way to verify whether attackers will delete stolen data. The U.S Department of Treasury's Office of Foreign Assets Control (OFAC) issued an advisory in October 2020, discussing potential sanctions risks associated with sending ransomware payments to cybercriminals. OFAC designated several malicious cyber actors responsible for the creation or distribution of ransomware. Payments to those actors encourage the launch of more ransomware attacks, potentially harming national security and foreign policy. Users and organizations are urged to focus on improving their ability to prevent ransomware infections. This article continues to discuss findings surrounding cyber gangs' dismissal of ransomware payments, the decision to pay ransomware attackers, and how ransomware infections can be prevented.

Security Intelligence reports "When Cyber Gangs Disregard Ransomware Payments, Victims Can Be Hit Twice"

Researchers at the cybersecurity firm Malwarebytes have discovered a new Advanced Persistent Threat (APT) group dubbed LazyScripter. The hacking group targets airlines that use the BSPLink financial settlement software made by the International Air Transport (IATA). LazyScripter's most recent attacks used phishing emails that mimic the IATA ONE ID, a contactless passenger processing tool. According to the researchers, the threat remained unnoticed for about two years. One of the group's earliest attacks targeted individuals seeking to immigrate to Canada. The toolset used by the group for its attacks has evolved over time. Their toolset has included Octopus remote access Trojans (RATs), Remcos RATs, PowerShell Empire, and more. This article continues to discuss the LazyScripter hacking group's targets, methods, and tools.

Security Week reports "New 'LazyScripter' Hacking Group Targets Airlines"

Every second, 127 new IoT devices are connected to the web, and experts predict that by 2025, that figure will equate to more than 75 billion connected devices overall. IoT devices are often riddled with security vulnerabilities impacting security and privacy both at a consumer and corporate level. The Internet of Things Cybersecurity Improvement Act of 2020 is the first-of-its-kind legislation that requires the creation of security standards and guidelines for IoT devices used in and purchased by the federal government. It encompasses issues such as secure development, identity management, patching processes, and configuration management. The IoT security bill also calls for guidelines in vulnerability reporting for IoT devices in government networks and those of federal contractors. The researchers stated that as the use of connected devices continues to grow exponentially over time, we must ask ourselves, "is it enough?" While intended for government parties, these new guidelines can provide manufacturers and security vendors with a general roadmap of how to bolster IoT security measures overall, which has been lacking in years past. The researchers stated that the opportunity to expand and enhance IoT security is still present and needed. The bill in its current state addresses only a portion of the larger problem at hand. The security regulations outlined in the statement only apply to IoT technologies used in federal environments, rather than being applicable across all relevant IoT-enabled devices. The researchers stated that providing secure IoT technologies is still the primary responsibility of manufacturers and that end-users must demand more security measures from the companies selling such devices. End-users demanding more security measures will create a ripple effect, sparking proactive action from manufacturers and security vendors to holistically address IoT security concerns from the start, with an all-encompassing set of guidelines required to secure IoT device manufacturing, distribution, and implementation. The researchers stated that only through this domino effect will IoT security move beyond the government and into one's own home and business environments.

Security Magazine reports: "The IoT Cybersecurity Improvement Act: A First Step in Bolstering Smart Technology Security"

Cybersecurity Snapshots #15 -

Attacks Against the Nation's Water Systems

NurseryCam, a webcam service used across 40 daycare centers in the U.K. by parents who want to keep a watchful eye on their babies, has shut down following a data breach. The breach exposed the personal data of about 12,000 users to an attacker who said they were trying to improve the service's security. The adversary notified the company on Friday, and the company sent a notice to its users about the incident. The adversary behind the attack told the company that they could get real names, usernames, email addresses, and encrypted passwords for 12,000 accounts. This latest incident comes after users, and infosec professionals gave the company repeated warnings that their internet-of-things (IoT) system's security was deeply flawed.

Threatpost reports: "Daycare Webcam Service Exposes 12,000 User Accounts"

Security researchers at Armorblox have discovered two large email phishing attacks targeting at least 10,000 victims. The targets of the two campaigns were sent phishing emails that appeared to come from the shipping companies FedEx and DHL Express. One attack impersonates a FedEx online document share, while the other pretends to share shipping details from DHL Express. The campaigns aimed to steal victims' business email account credentials. Quip and Google Firebase were used to host the phishing pages. According to the researchers, these email attacks employed various techniques to evade traditional email security filters and end users' detection. These techniques include social engineering, brand impersonation, hosting on Quip and Google Firebase, and link redirects. This article continues to discuss the aim and techniques of the FedEx and DHL Express phishing attacks.

SC Media reports "Hackers Hit 10,000 Mailboxes in Phishing Attacks on FedEx and DHL Express"