News Items

A new report from Accurics, titled "The State of DevSecOps," reveals that the misconfiguration of storage services in over 90 percent of cloud deployments have led to more than 200 breaches in the past two years. These breaches have exposed more than 30 billion records. The velocity and scale of cloud breaches are predicted to continue increasing as public cloud adoption grows. According to the report, about 91 percent of the evaluated cloud deployments had at least one significant data breach, and 50 percent of the deployments had unprotected credentials stored in container configuration files. This article continues to discuss key findings from Accurics' report on the impact of cloud misconfiguration on organizations' security.

SC Media reports "Misconfigured Servers Contributed to More Than 200 Cloud Breaches"

After 2015 when Russian hackers were able to hack three Ukrainian power companies, some security experts took it on themselves to show how protocol gateways could be exploited at other utilities. New research has been conducted by researchers at Trend Micro, where they tested five protocol gateways, which are small boxes that translate communications between different devices at industrial facilities, including those that monitor temperatures and interact with machinery. They found multiple vulnerabilities, the most critical of which, if exploited, could allow an adversary to disable sensors for monitoring a facility's temperature and performance. Other issues found by the researchers include a weak encryption implementation and a bug that could allow an attacker to send malicious packets to the gateways, forcing them to reboot.

CyberScoop reports: "Researchers Uncover Vulnerabilities in Devices Used at Industrial Facilities"

The international criminal police organization Interpol has warned of the significant rise in cybercrime during the coronavirus pandemic. An assessment conducted by the organization has revealed that cybercriminals have shifted their focus from individuals and small businesses to major corporations, governments, and critical infrastructure. According to Interpol's Secretary-General Juergen Stock, the fear stemming from the unpredictable social and economic situation created by the pandemic has led to an increased rate at which cybercriminals are developing and enhancing their attacks. The increased dependence on the internet has also created new opportunities for cybercriminals to execute attacks. This article continues to discuss the growth in cybercrime during the COVID-19 pandemic.

Security Week reports "Interpol Warns of 'Alarming' Cybercrime Rate During Pandemic"

A team of researchers from Ben-Gurion University of the Negev (BGU) and the National University of Singapore (NUS) developed a new method that Telecommunications Service Providers (TSPs) and Internet Service Providers (ISPs) can use to detect vulnerable smart home devices before they are used in cyberattacks. A study published in Computers & Security emphasizes the growing risk of distributed denial-of-service (DDoS) attacks via botnets composed of compromised Internet of Things (IoT) devices. As customers often lack awareness and knowledge about the protection of vulnerable smart home devices from attacks, the responsibility of attack prevention and handling falls on TSPs and ISPs. The method developed by the researchers enables TSPs and ISPs to monitor traffic from each smart home device in order to verify whether vulnerable devices are connected to the home network and take preventive actions. This article continues to discuss the growing risk of IoT-based DDoS attacks, the difficulty in detecting IoT devices from outside the home network, and the new method developed to defend smart home devices against attacks.

BGU reports "New Method to Defend Against Smart Home Device (IoT) Attacks Developed by BGU Researchers"

The ARCH 2020 Best Result Award goes to Luis Benet, Marcelo Forets, Daniel Freire, David P. Sanders, and Christian Schilling (in alphabetical order) for their verification tool JuliaReach. The award comes with a 500 Euro prize. Congratulations!

A team of researchers from the Georgia Institute of Technology discovered a new method for exploiting Node.js applications. The technique involves the abuse of hidden properties used to track internal program states. A remote attacker can use the technique, called Hidden Property Abusing, to inject new values into Node.js programs by passing objects that the framework, under certain conditions, will consider as internal data. The researchers analyzed a sample of 60 major Node.js components, using a tool they developed dubbed Lynx. The tool helped them identify 13 vulnerabilities, including SQL injection and the ability to circumvent input validation. This article continues to discuss the Hidden Property Abusing attack technique that could be used against Node.js applications, the discovery of vulnerabilities in Node.js components, and the Lynx tool created to help developers identify potential attack vectors in their Node.js programs.

Dark Reading reports "'Hidden Property Abusing' Allows Attacks on Node.js Applications"

According to reports, Minnesota-based business travel company CWT has been affected by a ransomware attack. The reports show that the adversaries claimed they had scrambled files on 30,000 computers and uploaded 2 terabytes of company data. Researchers believe those high numbers sound doubtful, but it was enough pressure that CWT paid the adversaries $4,500,000 in Bitcoin. The adversaries originally asked for $10,000,000. CWT received the cryptographic material to decrypt the scrambled files, and the adversaries "promised" that they did not have access to the stolen data anymore.

Naked Security reports: "Travel Company CWT Avoids Ransomware Derailment by Paying $4.5m Blackmail Demand"

Researchers from Cyber R&D Lab conducted an experiment in which they examined how 11 banks from the US, the UK, and the EU implement EMV (Europay, Mastercard, and Visa) chip cards on their networks. The researchers used tools similar to those used by cybercriminal groups to copy information from EMV cards and their magnetic stripes. The data copied from the EMV card was then used to create a magnetic stripe version of the same card but without the chip. This technique, known as EMV-Bypass Cloning, was first described in 2008. However, fears surrounding this technique's abuse had been dismissed due to the expectation of banks to move all users to EMV cards and remove magstripe cards. Banks have not met these expectations or performed a set of security checks before approving inter-technology payments. Therefore, the loop first described in 2018 remains. A report recently published by the security firm Gemini Advisory reveals that the EMV-Bypass Cloning technique has been abused in the wild this year. This article continues to discuss new research on the EMV-Bypass Cloning method and evidence showing the abuse of this technique by criminals.

ZDNet reports "Theoretical Technique to Abuse EMV Cards Detected Used in the Real World"

A threat actor, named ShinyHunters, has leaked stolen databases of 18 web sites on a hacker forum. Most of the companies affected by this massive leak are startups. One of the leaked databases belongs to Drizly, an alcohol delivery startup. Drizly's database contained 2.5 million records that include customers' emails, names, hashed passwords, addresses, phone numbers, and other personal information. Another leaked database belonging to Scentbird, a fragrance subscription service, contained personal information such as names, encrypted account passwords, dates of birth, gender, and more. This article continues to discuss the disclosure and impact of data breaches recently faced by startup companies.

Bleeping Computer reports "Startups Disclose Data Breaches After Massive 386M Records Leak"

According to Jens Monrad, head of Mandiant Threat Intelligence for EMEA at FireEye, nation-state attackers such as those from Russia, Iran, and China have shifted their focus to credential theft. Monrad revealed an increase in the detection of credential-stealing malware observed by FireEye customers. He emphasized that stolen credentials allow cybercriminals to increase the stealth of their entry into systems and the operations that follow once they have successfully gained access to the systems. Organizations are encouraged to improve the management of their credentials, increase monitoring for stolen credentials, enforce multi-factor authentication, and more, in order to mitigate credential theft. This article continues to discuss why nation-state attackers are focussing more on credential theft.

Infosecurity Magazine reports "Nation-State Attackers Shift to Credential Theft"

An alert issued by the United States Cybersecurity and Infrastructure Security Agency (CISA) and the United Kingdom's National Cyber Security Centre (NCSC) warns of the infection of more than 62,000 QNAP network-attached storage (NAS) devices by a piece of malware, called QSnatch. The malware was first discovered last year and was observed to be capable of harvesting confidential information, such as login credentials and system configuration, from compromised QNAP devices. According to the joint alert from CISA and NCSC, all NAS devices from QNAP may be vulnerable to QSnatch. The alert states that the malware has infected thousands of devices, mostly in North America and Europe. Attackers can prevent administrators from successfully activating firmware updates through the infection of a QNAP NAS device. The two agencies identified two QSnatch campaigns, one of which ran between 2014 and 2017, and the other between late 2018 and late 2019. Users are advised to apply the newest security patches to avoid this threat. This article continues to discuss the impact and capabilities of the QSnatch malware, and how recommendations for organizations on how to protect against this malware.

Security Week reports "US, UK Warn of Malware Targeting QNAP NAS Devices"

Most people would say they care about their personal information being shared online. However, a smaller percentage of people take the necessary steps to protect their online privacy. This phenomenon is known as the "privacy paradox" in which people express privacy concerns, but fail to take action to preserve their privacy. A team of researchers conducted a new study to examine the privacy paradox further. They found that participants were willing to give up some of their privacy in order to take advantage of the services and convenience provided by an Internet of Things (IoT) device. One of the suggested reasons behind the privacy paradox is that people find it difficult to determine the value of their privacy, thus resulting in the failure to consider the importance of protecting it. Another reason may be that people lack awareness and understanding of their privacy rights or privacy issues. People believe that their personalized experience via an internet-connected device outweighs the potential risks. IoT device users are encouraged to read privacy policies, assume that their personal information is highly valuable, change the default password on any new IoT device, and more. This article continues to discuss a recent study of the privacy paradox and how it applies to IoT devices, as well as how people can match their privacy concerns with their protective behaviors.

The Conversation reports "The Privacy Paradox: We Claim We Care About Our Data, So Why Don't Our Actions Match?"

In a new study conducted by Orca Security, they found that organizations across industries are rapidly deploying more assets in the public cloud with Amazon, Microsoft, and Google, leaving numerous paths open for exploitation. The study found that more than 80 percent of organizations have at least one neglected, internet-facing workload, meaning it's running on an unsupported operating system or has remained unpatched for 180 days or more. More than half of the organizations had at least one neglected internet-facing workload that has reached its end of life and is no longer supported by manufacturer security updates. Almost half of the organizations (44 percent) have internet-facing workloads containing secrets and credentials that include clear-text passwords, API keys, and hashed passwords that allow lateral movement across their environment. Almost a quarter of the organizations have at least one cloud account that doesn't use multi-factor authentication for the super admin user. Five percent of the organizations have cloud workloads that are accessible using either a weak or leaked password.

Help Net Security reports: "Public Cloud Environments Leave Numerous Paths Open For Exploitation"

Industrial companies have been advised to secure their Virtual Private Network (VPN) connections used by employees for remote connectivity in order to avoid providing entry points for hackers seeking sensitive data. This advice is even more essential now with the rise in remote work during the COVID-19 pandemic. Researchers from the cybersecurity company, Claroty, recently published data on multiple remote-connectivity products widely used in oil, gas, and other industrial sectors, highlighting the importance of securing VPN connections. The researchers discovered new vulnerabilities in VPN servers and devices that could be exploited by attackers to gain access to industrial computers used to connect to machinery. The three vendors whose products were discovered to contain the vulnerabilities are HMS Networks, Moxa, and Secomea. This article continues to discuss notable attacks faced by industrial organizations involving the abuse of remote-access technology, the increased targeting of civilian infrastructure by foreign powers, and the discovery of new flaws in VPN products.

CyberScoop reports "New VPN Flaws Highlight Proven Pathway for Hackers Into Industrial Organizations"

Researchers have discovered source code from dozens of companies that have been published online on public repositories. Some of the companies affected include Microsoft Corp., Adobe Systems Inc., Lenovo Group Ltd., Advanced Microsoft Devices Inc., Qualcomm Inc., Mediatek Inc., GE Appliances, Nintendo Co. Ltd. and the Walt Disney Co. There is some concern that the leaked code may be used for nefarious purposes. Tom Guide, a security specialist, stated that "losing control of the source code on the internet is like handing the blueprints of a bank to robbers." The published code from Nintendo gives an inside look at the source code behind a range of classic games, including Mario, Mario Kart, Zelda, F-Zero, and Pokemon series. The Nintendo code also includes pre-release art, fully playable prototypes of some games, and even references to projects that were never completed.

siliconANGLE reports: "Source Code From 50+ Companies, Including Nintendo, Microsoft and Adobe, Published Online"

Researchers have discovered that an unauthenticated file read vulnerability (CVE-2020-3452) is now being exploited in the wild. The vulnerability affects the Cisco Adaptive Security Appliance (ASA) and Cisco Firepower Threat Defense (FTD) software. Devices are vulnerable only if they are running a vulnerable release of the software and are configured with WebVPN or AnyConnect features. The vulnerability can be exploited by remote unauthenticated attackers to read sensitive files within the targeted device's web services file system. The vulnerability is due to a lack of proper input validation of URLs in HTTP requests processed by an affected device. An attacker could exploit the vulnerability by sending a crafted HTTP request containing directory traversal character sequences to an affected device.

Help Net Security reports: "Attackers Are Exploiting Cisco ASA/FTD Flaw in Search For Sensitive Data"

SoS Musings #39 -

Cryptographers Prepare for the Arrival of Quantum Computers

Cybersecurity Snapshots #8 -

Is Your Home Router Secure?

Barracuda Networks released a report on how cybercriminals are gaining access to email accounts, how they use compromised accounts, and how organizations can protect their accounts against attacks. The report also highlights a specialized economy emerging around email account takeover. One finding suggests that cybercriminals are getting better at remaining undetected in compromised accounts for long periods of time. This article continues to discuss key findings from the report.

Help Net Security reports "Attackers Have Created a Specialized Economy Around Email Account Takeover"

A team of researchers discovered 18 different ways to undermine the authentication that is supposed to be provided by the three email technologies - Domain Keys Identified Mail (DKIM), Sender Policy Framework (SPF), and Domain-based Message Authentication, Reporting and Conformance (DMARC). According to the research team, DKIM, SPF, and DMARC have critical implementation differences that could be exploited to allow an email sent from an attacker's mail server to be verified as sent from a different legitimate-looking address. The research brings further attention to the problem with component-based software design. This article continues to discuss the failure of the three standards for email security to verify the actual source of a message.

Dark Reading reports "Email Security Features Fail to Prevent Phishable 'From' Addresses"

Researchers at TransUnion surveyed 7,384 adults in Canada, Colombia, Hong Kong, South Africa, the U.K., and the U.S. between June 30 and July 6, 2020, to better understand the top global online COVID-19 scams targeting consumers. Of the participants, 32% said they had been targeted by digital fraud related to COVID-19. More than a quarter (27 percent) of the consumers reported that they had been targeted with pandemic-themed phishing scams.

Help Net Security reports: "27% of Consumers Hit With Pandemic-Themed Phishing Scams"

The Federal Bureau of Investigation (FBI) has warned of the increase in distributed denial-of-service (DDoS) attacks against U.S. organizations. According to the FBI, threat actors have been trying to use built-in network protocols to increase the size and intensify the effects of DDoS attacks over the last several months. This article continues to discuss the FBI's alert to U.S. organizations about the rise in disruptive DDoS attacks and the advancement of techniques used to execute these attacks, along with another warning from A10 Networks about the use of botnets to deliver DDoS attacks.

BankInfoSecurity reports "FBI Alert Warns of Increase in Disruptive DDoS Attacks"

Researchers at Trustwave have discovered two flaws in ASUS routers that allow man-in-the-middle attacks that would give an attacker access to all data flowing through the router. The bugs are found in the RT-AC1900P whole-home Wi-Fi model, within the router's firmware update functionality. The first issue (CVE-2020-15498) stems from a lack of certificate checking. The second bug (CVE-2020-15499) is a cross-site scripting (XSS) vulnerability in the Web Management interface related to firmware updates. ASUS has issued patches for the bugs, and owners are urged to apply the updates as soon as possible.

Threatpost reports: "ASUS Home Router Bugs Open Consumers to Snooping Attacks"

Researchers at Osano found that organizations with inadequate data privacy practices are 80 percent more likely to suffer a data breach than those with the highest-ranked privacy practices. Companies with the lowest privacy scores lost 600% more records than high-scoring companies. The researchers also found that of the organizations that get breached, governments have the worst privacy scores. Educational and government websites are 15x more likely to experience a breach than commercial sites.

Help Net Security reports: "Organizations With Poor Privacy Practices 80% More Likely to Suffer Data Breach"