News Items

Microsoft is warning organizations about new Java-based ransomware, called "PonyFinal." The tech giant considers PonyFinal to be human-operated ransomware because it is not a variant distributed in an automated manner. According to Microsoft's Security Intelligence group, the ransomware can encrypt files at a specific date and time, allowing attackers to choose the most convenient time to deploy the payload. Organizations are encouraged to conduct regular audits of vulnerabilities and ensure that their internet-facing assets, including VPNs and other remote access infrastructure, are kept up-to-date with patches in order to reduce their attack surface. This article continues to discuss the distribution, operation, and capabilities of the PonyFinal ransomware, as well as what organizations should do to prevent such attacks.

Infosecurity Magazine reports "Revealed: Advanced Java-Based Ransomware PonyFinal"

Security researchers at ESET have discovered a new strain of Android malware, called "DEFENSOR ID." The malware performs malicious activities through the abuse of a device's Accessibility Services. These services enable the malware to execute 17 commands from an attacker, such as opening an app and performing a click action remotely. The control of a device's Accessibility Services allows attackers to gain access to a victim's cryptocurrency wallet or banking account, and to read SMS text messages. This article continues to discuss the capabilities of DEFENSOR ID, other recent discoveries of Android malware that abuse Accessibility Services, and how security professionals can help defend their organizations against such malware.

Security Intelligence reports "New Android Malware Channels Malicious Activity Through Accessibility Services"

Researchers at Tel Aviv University and the Interdisciplinary Center (IDC) of Herzliya say that vulnerabilities in the Domain Name System (DNS) could have been used to execute a much more massive attack than that of the infamous Mirai botnet. A study conducted by the researchers shares new details about a technique called "NXNSAttack" (Non-Existent Name Server Attack), which abuses the vulnerabilities contained by commonly used DNS software. Malicious actors could have applied the threatening method to execute distributed denial-of-service (DDoS) attacks on a larger scale using a relatively small number of computers. Several makers of the DNS software, in addition to companies responsible for the Internet's infrastructure, including Google, Microsoft, Amazon, and Dyn, were notified about these findings, which led to software updates to address the problem. This article continues to discuss the Mirai botnet's impact in 2016, the NXNSAttack technique, and the research behind this method.

EurekAlert! "Tel Aviv University and IDC Herzliya Researchers Thwart Large-Scale Cyberattack Threat"

An analysis recently published by Risk Based Security reveals a decrease in the number of vulnerabilities reported in the first quarter of 2020 by 20%. Although the decline in reported vulnerabilities occurred in the same quarter as the surge of remote workers resulting from the coronavirus pandemic, a clear connection still has not been determined as to why there are fewer vulnerabilities. Brian Martin, vice president of intelligence for Risk-Based Security, emphasized the emergence of outliers observed by security professionals because of COVID-19. One of the reasons behind the drop in vulnerabilities could be the disruption of security operations and the reduction of security workers due to the pandemic. This article continues to discuss the decline in the number of reported vulnerabilities in Q1 2020 and why this number could be lower due to COVID-19's impact.

Dark Reading reports "Vulnerability Disclosures Drop in Q1 for First Time in a Decade"

According to the latest Verizon Data Breach Investigations Report (DBIR), the healthcare sector faced an increase in attacks last year with external threats exceeding the number of incidents caused by insiders. Verizon's DBIR highlights findings from the analysis of 3,950 data breaches and 157,252 security incidents experienced by companies across 16 sectors in four different regions. The report revealed that 51% of healthcare data breaches were caused by external actors, while 48% were insider-related. However, healthcare organizations remain the most impacted by insider threats. The report also pointed out the top patterns behind healthcare data breaches in 2019, which include web application attacks, business email compromise, and the misdelivery of emails. This article continues to discuss the insider threats faced by the healthcare sector and how healthcare organizations can prevent insider-related breaches, along with healthcare's ransomware problem and the most common patterns observed with data breaches in 2019.

HealthITSecurity reports "External Threats Outpace Insider-Related Breaches in Healthcare"

Florida Tech computer science student Blake Janes discovered systematic design flaws in internet-connected doorbells and security cameras manufactured by Ring, Nest, SimpliSafe, and eight other manufacturers. Janes found that a shared account can still have access to a video feed despite it appearing to have been removed. The mechanism implemented for removing user accounts does not function as it should because it fails to remove active user accounts. Malicious actors could exploit this flaw to maintain access to a camera system for an unlimited time. They can use this time to record audio and video, posing a significant threat to users' privacy. This invasion of privacy can be achieved using the devices' companion applications, which eliminates the need for advanced hacking tools. The devices found to contain flaws include the Blink Camera, D-Link Camera, Canary Camera, and many more. This article continues to discuss the security flaws found in connected security and doorbell cameras, as well as how vendors have responded to this discovery.

Florida Tech reports "Florida Tech Student Finds Privacy Flaws in Connected Security and Doorbell Cameras"

According to researchers at F-Secure, Android devices manufactured by Huawei, Samsung, Xiaomi, and others are being shipped and sold with significantly different levels of on-board security in different regions. The differences in Android security vulnerabilities by region emphasize the importance of increasing knowledge and understanding of Android device security globally. This discovery also highlights the value of vulnerability research. F-Secure's researchers have stressed the importance of raising awareness among device manufacturers in different countries about how problematic the growth of custom-Android builds can be in regard to security. This article continues to discuss the distribution of Android devices that offer different levels of security to users located in different regions, what different levels of on-board security by country indicate, and the security vulnerabilities contained by devices tested by F-Secure's researchers.

Computer Weekly reports "Android Security Vulnerabilities Differ by Country, Say Researchers"

SoS Musings #37 -

The Double-Edged Sword of AI and ML

Cybersecurity Snapshots #6 -

Will Biometric Authentication Soon Replace Password Authentication?

Rockwell Automation and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) published advisories about vulnerabilities associated with the Electronic Data Sheet (EDS) subsystem discovered by researchers at the industrial cybersecurity firm Claroty. An EDS file holds configuration data for a device. Network management tools use EDS files for identification and commissioning. According to the Claroty researchers, the security flaws they found could be exploited by hackers to launch denial-of-service (DoS) attacks and execute malicious SQL statements. These attacks can allow hackers to write or manipulate files. The vulnerabilities impact FactoryTalk Linx, RSLinx Classic, RSNetWorx, and Studio 5000 Logix Designer. This article continues to discuss the security holes that hackers can abuse to target Rockwell industrial software.

Security Week reports "Hackers Can Target Rockwell Industrial Software With Malicious EDS Files"

Researchers at Veracode analyzed 351,000 external libraries in 85,000 applications and found that open-source libraries are widespread. Many application developers use open-source libraries to help create their applications because it allows them to add basic functionality to their applications quickly. The researchers discovered that 70 percent of applications today have at least one security flaw stemming from the use of an open-source library. The four main libraries (PHP, Go, .NET, and Swift) represent most of the open-source bugs found in applications.

Threatpost reports: "70 Percent of Mobile, Desktop Apps Contain Open-Source Bugs"

The Department of Energy (DOE) has observed a surge in cyberattacks against national laboratories and interest in U.S. coronavirus research from foreign nations. The FBI and the Cybersecurity and Infrastructure Security Agency (CISA) are currently investigating attacks faced by U.S. organizations researching COVID-19. Government agencies and private experts have also brought further attention to the continued growth in cyberattacks during the coronavirus pandemic as more people work remotely because of stay-at-home restrictions. This article continues to discuss hackers' recent attempts to steal U.S. coronavirus-related research and the rise in cyberattacks during the pandemic.

SIW reports "DOE Says Supercomputers Handling COVID-19 Data Are Hacker Targets"

New research shows that more than 80% of employees with plans to leave an organization take data with them before they go. According to the 2020 Securonix Insider Threat Report based on the analysis of over 300 confirmed incidents, these employees considered "flight-risk" were involved in about 60% of insider threats. Most insider threats involved the exfiltration of sensitive data, while others included privilege misuse, data aggregation, and infrastructure sabotage. Employees exhibit flight-risk behavior between two to eight weeks before they make their exit. The most common data exfiltration methods include moving sensitive information via email, uploading the information to cloud storage websites, using data downloads, storing data on unauthorized removable devices, and snooping for data through SharePoint. Shareth Ben, director of Insider Threat and Cyber Threat Analytics with Securonix calls on IT security operations teams to be on the lookout for red flags such as web browsing activities related to job searching and attempts to access administrative accounts. Another significant flag is the movement of sensitive information via email, collaboration tools, or USB devices. Depending on the industry in which the insider works, they may steal valuable intellectual property, banking data, or personally identifiable information. This article continues to discuss key findings from the 2020 Securonix Insider Threat Report related to flight-risk behavior, the most common techniques used by insiders to exfiltrate sensitive information, why IT security operations teams struggle to draw conclusions from insider threats, ways to detect flight-risk employees, and the variation of targeted data by industry.

Dark Reading reports "60% of Insider Threats Involve Employees Planning to Leave"

The Royal United Services Institute (RUSI), an independent think tank engaged in defense and security studies, is partnering with the University of Kent (UoK) to conduct research on how cyber insurance impacts security behavior. The project, titled "Incentivising Cybersecurity through Cyber Insurance (ICCI)," will delve into the different factors that drive organizations, including small and medium-sized enterprises (SMEs), to implement adequate measures for managing cyber risk. The study will also explore why an enterprise may not feel compelled to introduce such measures to prevent cyberattacks. It will examine the use of cyber insurance to push enterprises toward better security behavior. RUSI and UoK researchers will work with practitioners and policymakers in government, industry, and academia during the project. This article continues to discuss the aim of this research.

RUSI reports "RUSI to Investigate Impact of Cyber Insurance on Secure Behaviours"

According to Joseph Turow, a Professor of Communication at the Annenberg School for Communication, sharing photos and other personal information on social media creates more opportunities for hackers to gain access to accounts. Photos posted on social media platforms, such as Facebook, can give hackers more insight into the context of a user and their relationships that may indicate their location. These kinds of posts increase users' vulnerability to hackers attempting to hijack online accounts. Scammers can scan social media posts for photo hashtags related to graduating in order to find the name of a user's high school and their graduation year, which are answers to two of the most common security questions for bank accounts, retirement funds, and other financial online accounts. The Better Business Bureau (BBB) has also expressed similar concerns about people posting personal information on social media about their vehicles, favorite athletes, favorite shows, and more as it could lead to greater success for online scams and hacks. This article continues to discuss the potential risks posed by sharing personal information on social media and what precautions users should take before engaging in social media trends involving such information.

Penn Today reports "The Dangers of Sharing Personal Information on Social Media"

The continued advancement of the Internet of Things will expand the use of biometrics. Fingerprint sensing, iris scanning, and facial recognition are biometrics commonly implemented in smartphones for authentication. Retina scanning, vein recognition, and palm print recognition are other forms of biometric authentication methods expected to grow in popularity. Research recently published in the Journal of Electronic Imaging proposes using ear recognition as an alternative biometric identification method to improve the security of smart homes via smartphones. Researchers at the University de Tunis El Manar propose an approach to ear recognition for smart home access that involves the combination of local and frequency domain features. Distinct ear features such as the helix, concha, intertragic notch, and more, can be fused into an identifying feature through a number of estimations and extractions. This article continues to discuss the most common forms of biometrics, the growing importance of incorporating biometrics into smart homes, the proposed use of the earprint as an alternative to other popular biometrics, the advantages of using the earprint, and the results from the recent study on ear recognition.

SPIE reports "Lend Me an Ear"

Hackers believed to be operating in China are targeting air-gapped military networks located in Taiwan and the Philippines. The hacking group, known as Tropic Trooper or KeyBoy, has been active since 2011, targeting government, military, healthcare, transportation, and more, in Hong Kong, Taiwan, and the Philippines with spear-phishing emails. According to Trend Micro, the group has been using stealthy USB malware, called USBferry, since December 2014. The malware is being used to steal sensitive data from military/navy agencies, government institutions, military hospitals, and banks via USB storage. This article continues to discuss the history, targets, techniques, and operations of the Tropic Trooper hacking group.

Security Week reports "Hackers Target Air-Gapped Military Networks"

Verizon recently released its annual Data Breach Investigation Report, which is based on the assessment of 157,000 security incidents faced by Verizon clients across different industries. According to the report, financially motivated data breaches grew from 71% in 2018 to 86% in 2019. Attackers are continuing to re-use usernames and passwords, and launch phishing attacks in their efforts to generate revenue. Other findings shared in the report touch on the increase in errors such as cloud misconfigurations, the growth in organized criminal groups over state-affiliated hackers, and the state of vulnerability patching. This article continues to discuss the rise in financially motivated data breaches in 2019, the growing number of misconfiguration errors, the increased involvement of organized crime groups, and improvements in patching.

CyberScoop reports "Money Is Still the Main Motivating Factor for Hackers, Verizon Report Finds"

UK budget airline easyJet recently disclosed a massive data breach affecting 9 million of its customers. The airline did not disclose when the breach occurred or how it happened. The adversaries gained access to 9 million customers' email addresses and travel details. The adversaries were also able to obtain 2,209 credit card details.

ZDNet reports: "EasyJet Hack: 9 Million Customers Hit And 2,000 Credit Cards Exposed"

Cybercriminals have been taking advantage of the coronavirus pandemic to attack individuals and companies. Recent reports have highlighted the rise in ransomware and phishing attacks based on COVID-19 information. In response to the increased exploitation of the global threat in recent cyberattacks, Microsoft has decided to open-source its coronavirus threat intelligence to help businesses and security researchers develop better solutions for safeguarding, detecting, and defending against COVID-19 themed attacks. Microsoft's list of coronavirus-related attack indicators comes from trillions of signals processed each day. These signals are generated across cloud services, applications, emails, and more. Customers who use Microsoft Threat Protection (MTP) through Defender Advanced Threat Protection (ATP) and email with Office 365 ATP are already protected against threats identified by the indicators. The list of new indicators will still be made available to those not protected by MTP. This information is available in the Azure Sentinel GitHub and through the Microsoft Graph Security API. This article continues to discuss the importance of sharing threat information, Microsoft's open-sourcing of new COVID-19 threat intelligence, how this information can be accessed, and the use of such intelligence by the security community.

Microsoft reports "Open-Sourcing New COVID-19 Threat Intelligence"

Cryptocurrency mining malware has infected multiple supercomputers across Europe. Supercomputers housed in the UK, Germany, Switzerland, and Spain were reported to have been impacted by crypto-mining malware, forcing them to shut down for investigation. Those supercomputers hacked to mine cryptocurrency include the UK's ARCHER supercomputer, the Hawk supercomputer at the University of Stuttgart's High-Performance Computing Center Stuttgart (HLRS), and the Taurus supercomputer at the Technical University in Dresden. Findings from the examination of malware samples and network compromise indicators from some of these reported incidents suggest that attackers gained access to supercomputer clusters using stolen SSH credentials. The SHH credentials appear to have been taken from members of universities in Canada, China, and Poland. This article continues to discuss the recent infection of several supercomputers in Europe with crypto-mining malware.

ZDNet reports "Supercomputers Hacked Across Europe to Mine Cryptocurrency"

Cybercriminals are continuing to use the COVID-19 pandemic as an opportunity to steal credentials through coronavirus-themed phishing campaigns. Proofpoint researchers recently discovered that phishers are increasing their efforts to create custom COVID-19 payment phishing templates convincing enough to trick users into revealing their personal information. One template found by the researchers spoofs the legitimate Canadian government website. Another template impersonates the US Internal Revenue Service (IRS). The cybercriminals are trying to steal credentials for online account accounts, including Gmail, Office 365, and Outlook, as well as social security numbers, insurance numbers, addresses, and other sensitive information. This article continues to discuss the use of COVID-19 themed phishing templates by cybercriminals.

Help Net Security reports "Criminals Boost Their Schemes With COVID-19 Themed Phishing Templates"

A computer system's secrets can be revealed by studying its power usage patterns as it conducts operations. Therefore, researchers are working to protect AI systems' power signatures from snoopers. According to researchers, the AI systems most vulnerable to these attacks are machine learning (ML) algorithms employed by smart home devices or smart cars to identify images or sounds. The specialized computer chips embedded in such devices use a class of ML algorithms known as neural networks. As these algorithms are designed to run on chips in smart devices rather than inside a cloud computing server in a hard-to-reach location, it is easier for hackers to reverse-engineer the chip using differential power analysis. Researchers at North Carolina State University have demonstrated what they say is the first countermeasure against differential power analysis attacks targeting neural networks. The countermeasure uses an approach, called masking, which was borrowed from work on cryptography research and adapted for use in neural network security. The masking defense approach can be used on any type of computer chip that can run a neural network, such as Field Programmable Gate Arrays (FPGA) and Application-specific Integrated Circuits (ASIC). This article continues to discuss differential power analysis attacks, the first countermeasure developed for protecting neural networks from these attacks, and the need to continue research behind such countermeasures.

IEEE Spectrum reports "Preventing AI From Divulging Its Own Secrets"

As the distribution and complexity of networks continue the grow, it is becoming more difficult for IT professionals to keep track of the events that occur on their networks. However, logging network activity remains essential in detecting, tracking, and responding to suspicious users and events. IT professionals are encouraged to use audit trails to collect detailed records containing information about network events and activities as their organizations move their networks and applications to hybrid cloud and multicloud computing environments. Audit trails can help organizations discover the source of problems on their networks, thus increasing the speed at which they respond to and remediate them. This article continues to discuss the importance of audit trails, how audit trails can help IT professionals identify and address network vulnerabilities, as well as the use of forensic information gathered from an audit to identify threat actors.

GCN reports "Audit Trails Critical for Tracking Network Activity"