News Items

Google has open-sourced its Python fuzzing utility called Atheris. Fuzzing refers to the process of feeding a software application with invalid or random data until it reveals a flaw. The goal of fuzzing is to find and fix vulnerabilities in software applications before malicious actors exploit them. Over the years, Google's security researchers have been the greatest advocates for the use of fuzzing tools to discover common bugs and critical vulnerabilities that could pose a significant threat to security when exploited by attackers. Other fuzzing tools developed and open-sourced by Google include OSS-Fuzz, Syzkaller, ClusterFuzz, Fuzzilli, and BrokenType. Atheris differs from those tools in that it focuses on finding bugs in Python applications instead of C or C++ applications. This article continues to discuss the Atheris fuzzing tool's development and use in the discovery of bugs in Python-based codebases.

ZDNet reports "Google Open-Sources Atheris, a Tool for Finding Security Bugs in Python Code"

The Amsterdam-based European Medicines Agency (EMA) working on the approval of two COVID-19 vaccines has revealed that it has faced a cyberattack. According to the U.S. drugmaker Pfizer and its German partner BioNTech, the cyberattack on the drugs regulator resulted in unlawful access to documents related to their development of a COVID-19 vaccine. It remains unknown as to whether the personal data of trial participants had been compromised in the attack. The EMA has not yet disclosed additional details about the attack beyond the confirmation of an ongoing investigation. This incident further highlights the increased intensity of cyberattacks against organizations within the healthcare sector during the coronavirus pandemic. This article continues to discuss the cyberattack on EMA and its impact on Pfizer and BioNTech, the growth in hacking attempts against healthcare organizations during the pandemic, and the targeting of coronavirus information by nation-state hackers.

Reuters report "Hackers Steal Pfizer/BioNTech COVID-19 Vaccine Data in Europe, Companies Say"

A team of computer scientists from the National University of Singapore demonstrated how robot vacuum cleaners could be used to eavesdrop on private conversations using built-in LIDAR (Light Detection and Ranging) sensors. They used a new method, called LidarPhone, which turns the LIDAR sensor into a laser-based microphone to capture speech. Using the LidarPhone method, the team was able to collect more than 19 hours of recorded audio files. Applied signal processing and deep learning algorithms were then applied to recover speech or identify musical sequences. Sensitive information such as a victim's credit card or bank account number could be picked up, as the system detects digits when they have been spoken aloud. According to the researchers, speech can be recovered at an accuracy rate of 91% using the LidarPhone method. This article continues to discuss how the LidarPhone attack technique works, the prevention of such attacks, and the future application of ideas learned from the LidarPhone method to autonomous vehicles.

The National University of Singapore reports "Robot Vacuum Cleaners Can Spy on Private Conversations"

Researchers at cybersecurity firm ForeScout Technologies released a report discussing the discovery of vulnerabilities in software widely implemented in millions of connected devices. According to the researchers, these vulnerabilities could be exploited by hackers to infiltrate and disrupt enterprise and home computer networks. Although there is no evidence indicating network intrusion incidents through the abuse of these vulnerabilities, the US Cybersecurity and Infrastructure Security Agency (CISA) issued an advisory about the flaws as they exist in TCP/IP software essential to internet-connected devices. The devices potentially impacted by these vulnerabilities, come from an estimated 150 manufacturers. Affected devices include smart plugs, printers, office routers, healthcare appliances, and industrial control system components. However, researchers cite remote-controlled temperature sensors and cameras as the most affected consumer devices. This article continues to discuss the source of the vulnerabilities, which types of devices are potentially impacted by these flaws, defensive measures recommended by CISA to reduce the risk of hacking, and why open-source software makes it difficult to fix the vulnerabilities in affected devices.

AP News report "Millions of Smart Devices Vulnerable to Hacking"

According to McAfee's report, titled "The Hidden Costs of Cybercrime," the estimated global cost of cybercrime has increased more than $1 trillion since 2018. Although the monetary impact is significant, over 90% of companies have seen effects that are beyond financial losses when faced by a cyberattack. These hidden costs include system downtime, reduced efficiency, and reputational damage. Despite the increased awareness of cybercrimes, many organizations remain unprepared to handle cyber incidents. McAfee's report indicates that more than 50% of organizations surveyed have not implemented cyber incident prevention and response plans. This article continues to discuss key findings from McAfee's report on the costs of cybercrime to businesses.

TechRadar reports "Cybercrime Has Cost Us Over $1 Trillion Globally"

According to the National Security Agency (NSA), Russian state-backed hackers gained access to protection by exploiting a vulnerability contained by VMware Access and VMware Identity Manager products. The exploitation of this flaw allowed attackers to perform command injection, leading to the installation of a web shell and the generation of authentication assertions, which were sent to Microsoft's Active Directory Federation Services (ADFS) and then given access to protected data. An advisory recently issued by the NSA calls for all servers and services that depend on such products to be properly configured to ensure secure operation and integration. This article continues to discuss the abuse of a vulnerability in remote workspace platforms to access protected data, in addition to the vulnerability's mitigation and detection.

NextGov reports "NSA Warns Russian Hackers Are Targeting Virtual Workspaces"

CISA and the FBI issue warnings to think-tanks about ongoing cyberattacks. Hackers are trying to steal sensitive information and gain access to their systems that manage high value intellectual property about state-of-the-art technology and strategic planning.

#cybersecurity #ScienceofSecurity

https://threatpost.com/think-tanks-attack-apts-cisa/161807/

A new obfuscation-as-a-service platform has been discovered by researchers from GoSecure, Trend Micro, and the Stratosphere Laboratory. The fully automated service platform, developed by hackers, protects mobile malware Android Packet Kits (APKs) from being detected. According to the researchers, the service can be used once or on a recurring basis for a monthly subscription fee. The service is also available to users in English or Russian. This article continues to discuss findings from the study of the new obfuscation-as-a-service platform and how this platform differs from other similar services found being offered by cybercriminals on Dark Web forums.

Dark Reading reports "Researchers Discover New Obfuscation-As-a-Service Platform"

A team of researchers from the security firms AdvIntel and Eclypsium has announced that a new component of the TrickBot trojan now gives hackers the ability to plant a backdoor in a computer's Unified Extensible Firmware Interface (UEFI). Planting malware in the firmware would allow TrickBot to circumvent antivirus detection and software updates, as well as resist operating system reinstalls or the replacement of storage devices. This technique, dubbed TrickBoot, could corrupt a computer's firmware to the point where its motherboard would have to be replaced. This article continues to discuss the persistence of TrickBot, the new firmware-focused feature of TrickBot, what companies should do to avoid falling victim to TrickBot, and what the TrickBoot technique means for firmware hacking.

Wired reports "The Internet's Most Notorious Botnet Has an Alarming New Trick"

Researchers have found a previously undocumented backdoor, and document stealer, which is being used by the Russian-speaking Turla advanced persistent threat espionage group. The researchers are calling the malware "Crutch." The malware can bypass security measures by abusing legitimate tools, including the file-sharing service Dropbox, to hide behind normal network traffic. The Crutch toolset has been designed to exfiltrate sensitive documents and other files to Dropbox accounts, which Turla operators control.

Threatpost reports: "Turla's 'Crutch' Backdoor Leverages Dropbox in Espionage Attacks"

Researchers at the University of Maryland, Baltimore County (UMBC) and the University of Michigan-Dearborn worked together to develop a technique for detecting breaches in the security of vehicular communications networks. The Controller Area Network (CAN) is the most popular intra-vehicular communications network in the automobile industry as it is simple to use. However, the simplicity of this network that makes it appealing for consumers and manufacturers increases the risk of security incidents. Using the CAN, it is possible to remotely control a vehicle from other devices, making it both a feature and a major security concern. A malicious actor can take over the network and send new commands to the vehicle that could disable brakes or cause engine failure, posing a significant threat to consumers' safety. The method developed by the researchers to eradicate these possible threats involves the creation of graph-based anomaly detection techniques. This article continues to discuss the new graph-based statistical method designed to detect intruders or threats to vehicular communications networks and the importance of addressing the vulnerabilities associated with these networks.

ScienMag reports "New Graph-Based Statistical Method Detects Threats To Vehicular Communications Networks"

Meet the HoTSoS 2021 Team:
Social Media Chair

HoTSoS is just around the corner again, and introductions to the 2021 Program Committee are in order. First up on the docket is John Symons (KU)! John will be serving as our Social Media Chair and we are very excited to have him! 

About the Chair

The open-source security firm Sonatype found malicious NPM packages that install the njRAT remote access trojan. NPM, short for Node Package Manager, is a packet manager for the JavaScript programming language. Using njRAT, a threat actor can get full remote access to a victim's computer to perform malicious activities such as modifying the Windows Registry, deleting files, logging keystrokes, stealing passwords, killing processes, taking screenshots, executing commands, and more. This article continues to discuss the installation of the njRAT remote access trojan via NPM packages, the malicious activities that threat actors can perform using njRAT, and other findings surrounding the use of NPM packages to install malware.

BleepingComputer reports "Malicious NPM Packages Used to Install njRAT Remote Access Trojan"

Researchers at Bishop Fox have discovered four vulnerabilities in the OpenClinic application used for sharing electronic medical records. Its latest version is 0.8.2 and was released in 2016. According to researchers, the four bugs involve missing authentication, insecure file upload, cross-site scripting (XSS), and path-traversal. The most concerning flaw found would allow a remote, unauthenticated attacker to read patients' personal health information (PHI) from the application.

Threatpost reports: "Electronic Medical Records Cracked Open by OpenClinic Bugs"

AspenPointe, a nonprofit mental health and behavioral health services provider based in Colorado Springs, Colorado, experienced a cyberattack in September 2020 that resulted in the exposure of protected health information (PHI) on more than 295,000 patients. Due to the attack, the healthcare provider had to take its systems offline, which disrupted operations for several days. An investigation of the incident revealed that cybercriminals accessed patient data, including full names, dates of birth, driver's license numbers, bank account information, Social Security numbers, diagnosis codes, admission dates, and more. AspenPointe is now notifying patients about the cyberattack and offering those affected 12 months of complimentary identity theft protection services and a $1M insurance reimbursement policy. This article continues to discuss the impact of the AspenPointe data breach and the healthcare provider's response to this incident.

Infosecurity Magazine reports "Cyber-Attack Exposes Data of 295,000 Colorado Springs Patients"

Meet the HoTSoS 2021 Team:
Student Presentation Co-Chairs

The HoTSoS Program Committee is happy to have a newly created "Student Presentation Chair" position, and even happier to have Julie Haney (NIST) and Hanan Hibshi (CMU) co-serving!

About the Chairs

According to Trend Micro researchers, the hacking group dubbed APT32 or OceanLotus appears to be using an updated version of a tool that can infiltrate macOS computers. The malicious software comes as a .zip file that uses a Microsoft Word Icon. It is designed to circumvent detection by antivirus software. When the malware is activated, it works as a backdoor for other payloads capable of pulling data from the infected machine. This discovery indicates that APT32 is continuing to update its tactics in the launch of espionage campaigns against Southeast Asia. The group was recently discovered to have used fake news sites to spy on users, infect their machines with malware, and use the Google Play Store to distribute spyware apps. This article continues to discuss APT32's macOS backdoor and other recent discoveries surrounding the hacking group.

CyberScoop reports "MacOS Backdoor Appears to Be Update of Tool Previously Used by Vietnam-Linked Group"

Cybersecurity researchers from the Ben-Gurion University of the Negev demonstrated an end-to-end attack that can change data on a bioengineer's computer. As this cyberattack could meddle with DNA orders, it could lead to the development of toxins and viruses. According to the researchers, this attack works by infecting a researcher's computer with a Trojan Horse. When that researcher orders synthetic DNA, the malware then obfuscates the order to appear legitimate to the DNA shop's security software. The DNA shop fills the order, and the obfuscated DNA sub-strings go undetected by the researcher's security software. The use of this method allowed researchers to bypass security for 16 out of 50 orders they used to test the technique. This research emphasizes the importance of developing methods that can detect these types of adapted envelope attacks as it is impossible for humans to check each DNA sequence. This article continues to discuss the attack demonstrated by researchers to trick lab scientists into creating viruses and how this issue could be addressed.

TNW reports "Security Flaw Could Allow Hackers to Trick Lab Scientists Into Making Viruses"

A security researcher accidentally discovered a zero-day vulnerability that affects the Windows 7 and Windows Server 2008 R2 operating systems while working on a Windows security tool. The vulnerability stems from two misconfigured registry keys for the RPC Endpoint Mapper and DNSCache service, which are part of Windows systems. According to the researcher who found the vulnerability, an attacker can modify the registry keys to activate a sub-key that is usually used by the Windows Performance Monitoring mechanism. On Windows 7 and Windows Server 2008, performance subkeys allow developers to load custom DLLs that run with SYSTEM-level privileges. This article continues to discuss the discovery, potential exploitation, and disclosure of the zero-day vulnerability impacting Windows 7 and Windows Server 2008 R2.

ZDNet reports "Security Researcher Accidentally Discovers Windows 7 and Windows Server 2008 Zero-Day"

WatchGuard predicts that automation will shape cybersecurity attack and defense activities in 2021. According to the global leader in network security and intelligence, manual techniques will be replaced by automation tools to launch spear-phishing campaigns. Automation tools will help cybercriminals gather victim-specific data from social media sites and company websites. On the other hand, automation is expected to help cloud service providers, including Amazon, Google, and Microsoft, prevent cybercriminals from abusing their services to execute attacks. As we continue to face the COVID-19 crisis, automated spear-phishing attacks are also expected to exploit fears stemming from the pandemic, political issues, and the economy. This article continues to discuss how automation will change cybercriminal and cybersecurity activities, as well as the expected increase in the abuse of Virtual Private Networks (VPNs) and Remote Desktop Protocol (RDP) solutions, targeting of security gaps in legacy endpoints, and the importance of using Multi-Factor Authentication (MFA).

Help Net Security reports "Automation to Shape Cybersecurity Activities in 2021"

Researchers at vpnMetro have recently found an unsecured internet-facing database containing over 380 million individual records, including login credentials leveraged to break into 300,000 to 350,000 Spotify accounts. The exposed records were stored on an unsecured Elasticsearch server and included various sensitive information such as people's usernames and passwords, email addresses, and countries of residence. The exposed database belonged to a 3rd party that was using it to store Spotify login credentials. These credentials were most likely obtained illegally or potentially leaked from other sources that were repurposed for credential stuffing attacks against Spotify.

WeLiveSecurity reports: "Up to 350,000 Spotify Accounts Hacked in Credential Stuffing Attacks"

A ransomware attack disabled the Baltimore County Public School system's entire network. The attack occurred on the network Tuesday night. The form of ransomware used was not disclosed, but some researchers believe it is Ryuk ransomware. The group behind the attack demanded a ransom payment, and classes were canceled on Wednesday due to the attack. State auditors had just recently conducted an audit of the Baltimore County Public School System and found that the network was not being adequately secured and that sensitive personal information was not properly safeguarded, among other issues.

SiliconANGLE: "Baltimore County Schools Forced to Cancel Classes Following Ransomware Attack"

Researchers at Bolster have discovered that in Q2 of 2020, there was an alarming, rapid increase of new phishing and fraudulent sites being created. The researchers detected 1.7 million phishing and scam websites, which is a 13.3% increase from Q1 2020. Phishing and scam websites continued to increase in Q2 and peaked in June 2020 with a total of 745,000 sites detected. On average, there were more than 18,000 fraudulent sites created each day.

Help Net Security reports: "Around 18,000 Fraudulent Sites Are Created Daily"

The Information Security Forum (ISF) encourages organizations to improve employees' security behavior through the use of psychology. The group's report titled Human-Centered Security: Positively Influencing Security Behavior guides organizations on the development of psychological techniques to get employees to engage in more secure behaviors. Human-centered security programs help organizations better understand employees and create initiatives aimed at changing behaviors that would lead to a decrease in security incidents relating to human errors and acts of negligence. As the shift to remote working during the COVID-19 pandemic has increased the risk of individual errors that result in security incidents, it is important to promote secure behavior. This article continues to discuss the ISF's report aimed at establishing more secure behaviors among employees.

Infosecurity Magazine reports "Organizations Should Use Psychology to Promote Secure Behavior Among Staff"