News Items

New Cybersecurity Assessment tool

KnowBe4 provides a free cybersecurity compliance tool called CARA--the Compliance Audit Readiness Assessment tool. The assessment is in line with the Cybersecurity Maturity Model Certification.

https://www.infosecurity-magazine.com/news/knowbe4-launch-free-compliance-tool/

#cybersecurity #ScienceofSecurity

Mattel, one of the largest toy manufacturers in the world, recently fell victim to a ransomware attack in July on its information technology systems. The attack temporarily impacted its business functions. However, no data regarding business operations, retail customers, suppliers, consumers, or employees was stolen by the operators behind the attack. As the holiday season approaches, the number of ransomware campaigns are expected to increase. Adversaries will see retailers' reliance on online business as an opportunity to execute more attacks. If attackers can disrupt shopping-related events such as Black Friday and Cyber Monday, organizations would be more willing to pay demanded ransoms. This article continues to discuss the ransomware attack on Mattel's systems and the expected rise in ransomware attacks against organizations during the holiday shopping season.

SC Media reports "Ransomware Attack Toys With Mattel Systems, Data"

In a new report released by McAfee researchers examining cybercriminal activity related to malware and the evolution of cyber threats in Q2 2020. The researchers found there was an average of 419 new threats per minute as overall new malware samples grew by 11.5%. The researchers also found that in Q2, there was a 605 percent increase in COVID-19 related attack detections compared to Q1. The researchers also found that Donoff played a critical role in driving the 689 percent surge in PowerShell malware in Q1 2020.

Help Net Security reports: "In Q2 2020, There Was an Average of 419 New Threats Per Minute"

Researchers in Carnegie Mellon University's CyLab have developed the fastest open-source intrusion detection system. The system achieves speeds of 100 gigabits per second using a single server with five processor cores. The success behind the performance of the CMU team's intrusion detection system is attributed to a Field-Programmable Gate Array (FPGA), which is a flexibly programmable integrated circuit. CMU researchers programmed the FPGA specifically for intrusion detection and wrote significantly fast algorithms that cannot run on traditional processors. The FPGA processes an average of 95 percent of data packets by itself when placed in the network, while the central processing units take on the other five percent when the FPGA becomes overwhelmed. As a result, the intrusion detection system saves more energy as it uses 38 times less power by using an FPGA than 100-700 processor cores would to perform the same tasks. This article continues to discuss the development, efficiency, and availability of the CMU team's intrusion detection system.

CyLab reports "World's Fastest Open-Source Intrusion Detection Is Here"

Researchers at Coveware found that recently ransomware groups are targeting larger enterprises more frequently. The average payment for ransomware attacks has increased by 31 percent in Q3 2020 (reaching $233,817). The researchers suggest that organizations never pay the ransom. The researchers also found that improperly secured Remote Desktop Protocol (RDP) connections and compromised RDP credentials are the most prevalent way for ransomware gangs to get into an organization's system, followed by email phishing and software vulnerabilities.

Help Net Security reports: "Paying a Ransom to Prevent Leaking of Stolen Data is a Risky Gamble"

During a study on the risks posed by selling Universal Serial Bus (USB) drives on the internet, cybersecurity researchers from Abertay University were able to retrieve 75,000 deleted files from pre-owned USB drives purchased on a popular online auction site. Many of the files recovered from the drives are highly sensitive in that they include passwords, contracts, bank statements, tax returns, images with embedded location data, and more. A malicious buyer could easily retrieve files from used USB drives with publicly available forensic tools. They can perform harmful activities using recovered information, such as stealing money from bank accounts or extortion. This article continues to discuss the researchers' recovery of deleted files from used USB drives, how malicious actors could use the information retrieved from these drives, and the importance of permanently wiping USB devices before selling or discarding them.

Abertay University reports "Researchers Recover 75,000 'Deleted' Files From Pre-Owned USB Drives"

The Critical Infrastructure Resilience Institute (CIRI) has been awarded $2 million by the Department of Homeland Security (DHS) Science and Technology Directorate (S&T) and the Cybersecurity and Infrastructure Security Agency (CISA). CIRI is one of the DHS S&T Centers of Excellence (COEs) led by the University of Illinois at Urbana-Champaign (UIUC). Through this funding, CIRI will develop a plan for CISA to build a national network of cybersecurity institutes. These institutes will educate and train cybersecurity professionals to help reduce the cybersecurity workforce gap. CIRI will collaborate with Auburn University, Purdue University, and the University of Tulsa to develop the plan, based on an academic hub-and-spoke model, for building this network of cybersecurity institutes. This article continues to discuss the growing cybersecurity workforce shortage and the award given to CIRI to develop a plan to create a national network of institutes to cultivate the skills of cybersecurity professionals.

Homeland Security News Wire reports "Creating a National Network of Cybersecurity Institutes"

Researchers at HP Inc. have discovered attacks using the Emotet Trojan soared by over 1200 percent from Q2 to Q3 of this year. Emotet is often used as a loader, providing access to third-party threat groups to deploy secondary TrickBot and QakBot infections as well as human-operated ransomware. According to current patterns, a senior malware analyst is warning that Emotet will likely appear in weekly spam runs until early 2021.

Info Security reports: "Ransomware Alert as Emotet Detections Surge 1200%"

The Bitdefender Antispam Antispam Lab has detected a new cyber-extortion campaign targeting those using the video-conferencing Zoom while undressed. A quarter of a million people have received an email claiming to have footage of them in compromising positions while using Zoom. The email threatened victims to pay a $2,000 ransom in Bitcoin within three days to prevent the exposure of their footage to the public. The extortionist claims to have exploited a zero-day security vulnerability in the Zoom app to access the victim's camera and private data. This article continues to discuss the new sextortion scam launched by cybercriminals against Zoom users for Bitcoin payments.

Infosecurity Magazine reports "Cyber-Criminals Target Zoom Users"

According to an alert issued by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI), an Iranian threat actor has accessed voter registration data. This alert follows another warning released by the United States one week ago about Democratic voters in multiple states being targeted by the same adversary with malicious emails aimed at getting them to vote for President Donald Trump. The new alert says an Iran-based adversary used open-source queries to access PDF documents from state voter sites and conducted research to find specific information that could be leveraged in exploitation attempts. Organizations are encouraged to update their applications and systems, identify and fix known vulnerabilities, implement firewalls, and apply two-factor authentication (2FA). This article continues to discuss the recent warning about the compromise of voter information by an Iranian threat actor, previous alerts about the targeting of voters by the same adversary, and what organizations should do to stay protected.

Security Week reports "U.S. Says Iranian Hackers Accessed Voter Information"

The Computer Emergency Response Team Coordination Center (CERT/CC) at the Carnegie Mellon University launched a Twitter bot named Vulnonym to assign random names to security bugs that receive a CVE identifier. The idea is to give neural names to security vulnerabilities as names assigned to bugs by companies and researchers increasingly enter the area of fearmongering and attention-seeking. Names given to vulnerabilities have resulted in severe flaws being played down or unexploitable bugs being overhyped. The Vulnonym bot will provide each newly-assigned CVE ID a two-word codename in an adjective-noun format. This article continues to discuss the problem with vulnerability names and how the Vulnonym bot addresses this problem.

ZDNet reports "CERT/CC Launches Twitter Bot to Give Security Bugs Random Names"

Researchers at Risk Based Security have found that there were 2,935 publicly reported breaches in the first three quarters of 2020, meaning breaches are down 51 percent from the year before. However, the number of records exposed since last year has increased to a staggering 36 billion. The researchers believe that the sharp increase in records exposed this year is because adversaries are using ransomware attacks much more frequently.

Help Net Security reports: "Breaches Down 51%, Exposed Records Set New Record With 36 billion So Far"

Ponemon Institute conducted a survey to which 603 US cybersecurity professionals responded. The survey asked them to share their thoughts on the effectiveness of firewalls in protecting against ransomware attacks and other security threats. More than half of the cybersecurity leaders who participated in the survey do not think most firewall technologies are effective in protecting their applications and systems from attacks. According to most of the security leaders, firewall technologies do little to help enable a zero-trust environment, require too much time for configuration, lack the necessary capabilities to block attacks, kill flexibility, and more. This article continues to discuss cybersecurity leaders' concerns and complaints surrounding firewall technologies.

Dark Reading reports "Survey Uncovers High Level of Concern Over Firewalls"

Researchers at TU/e have discovered a sophisticated Russian-based online black marketplace in which hundreds of thousands of detailed user profiles are traded among cybercriminals. These profiles are personal fingerprints, which could be used to evade state-of-the-art authentication systems and gain access to sensitive information. User fingerprints can include technical information and behavioral features. The marketplace shares over 260,000 continually updated, detailed user profiles in conjunction with passwords and other user credentials. Researchers emphasized the systematic nature of the marketplace by stating that it offers Impersonation-as-a-Service (IMPaaS). The database can be searched for specific internet users, allowing the performance of highly dangerous spear phishing attacks. In addition, customers can download software that can automatically apply selected user profiles to targeted websites. This article continues to discuss the dependence on user credentials in the online economy, the drawbacks of Multi-Factor Authentication (MFA), the concept behind Risk-Based Authentication (RBA), and the online criminal marketplace that offers IMPaaS.

TU/e reports "Researchers at TU/e Find Huge and Sophisticated Black Market for Trade in Online 'Fingerprints'"

The Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Department of Health and Human Services warn US healthcare providers to be on high alert over Trickot malware and ransomware targeting the sector. CISA flagged Anchor_DNS, a backdoor created by the eastern European hackers behind the multifunctional Trickbot malware. The Anchor_DNS backdoor forces infected PCs to communicate with command-and-control servers over DNS to bypass network defense products and hide malicious communications with legitimate DNS traffic. The FBI is currently investigating recent attacks against healthcare providers in Oregon, California, and New York. The US government has warned hospitals to back up systems, to disconnect systems from the internet where possible, and avoid using personal email accounts.

ZDNet reports: "FBI warning: Trickbot And Ransomware Attackers Plan Big Hit on US Hospitals"

According to the security firm Sophos, the operators behind Ryuk ransomware are using a malware-as-a-service tool called Buer to deliver the malware. Researchers have found that the Ryuk operators have been relying on this tool to deliver their ransomware for the past several months. The Buer loader allows them to compromise a target's Windows devices and set up a digital foothold into a network. This loader has been used in Trojan attacks and the deployment of other malware. This article continues to discuss the delivery of Ryuk ransomware using the Buer loader, the return of Ryuk, and the advertisement of Buer malware on underground forums.

BankInfoSecurity reports "Ryuk Ransomware Delivered Using Malware-as-a-Service Tool"

Researchers from Avast have found 21 gaming apps loaded with adware from the HiddenAds family on Google Play. The malicious gaming apps have been downloaded about 8 million times so far. The adware loaded on the malicious apps was used to serve up intrusive ads outside the applications. The adware also allowed the applications to hide so that they could not be easily deleted.

Threatpost reports: "Google Boots 21 Bogus Gaming Apps from Play Marketplace"

Independent researchers have discovered that link previews in popular chat apps on iOS and Android are a firehose of security and privacy issues. Facebook Messenger, LINE, Slack, Twitter Direct Messages, Zoom, and many others are at risk. In the case of Instagram and LinkedIn, it is even possible to execute remote code on the companies' servers through the feature. According to the researchers, link previews can leak IP addresses, expose links sent in end-to-end encrypted chats, and have been caught "unnecessarily downloading gigabytes of data quietly in the background."

Threatpost reports: "Researchers: LinkedIn, Instagram Vulnerable to Preview-Link RCE Security Woes"

Cyber Scene #49 -

Major League Strikes: Election Replays

SoS Musings #42 -

Medical Device Vulnerabilities: Healthcare is at Risk

SCRM: The Need for More Research

Georgia Election Data is a victim of a recent ransomware attack. Hall County north of Atlanta reports that parts of its election data including the county's precinct and voter-signature database were down. This ransomware attack involved critical systems across the county including government networks and phone services. So far, the voting process itself was not impacted. This is a warning to local governments to harden them systems, make sure all

KashmirBlack is a botnet focused on cryptocurrency mining, spamming, and defacement targeting popular content management systems (CMSes) such as WordPress, Joomla, and Drupal. According to researchers from the online security company Imperva, the botnet has already infected hundreds of thousands of websites running these CMSes. KashmirBlack operates using a modular infrastructure. Its features include load balancing communications with Command-and-Control (C2) servers and storing files on Dropbox and Github. This article continues to discuss KashmirBlack's high-performance architecture and victims.

Dark Reading reports "KashmirBlack Botnet Infects Hundreds of Thousands of Websites"