News Items

Engineers from Southern Methodist University's (SMU) Darwin Deason Institute for Cybersecurity have developed new software to detect ransomware attacks. SMU's software differs from existing methods, such as antivirus software or other intrusion detection systems, in that it detects zero-day ransomware. Their software works through the use of sensors rather than signatures. According to the researchers, their software detects zero-day ransomware over 90% of the time at a significantly faster speed than other detection software. The new software searches for small changes in computer sensors, such as those that measure temperature, power consumption, voltage levels, and other characteristics, to detect when files are being scrambled. This article continues to discuss SMU's ransomware detection software in relation to its sensor-based technique and effectiveness.

SMU Research reports "Software Developed by SMU Stops Ransomware Attacks"

Magellan Health has recently discovered that it has suffered a data breach. An unauthorized adversary gained access to Magellan's systems after sending a phishing email on April 6th. The adversaries sent the phishing email impersonating as a Magellan client. The company discovered the incident on April 11th. The adversaries were able to steal names, addresses, employee ID numbers, login credentials, and passwords. The adversaries were also able to obtain a small number of social security numbers and taxpayer ID numbers.

Threatpost reports: "Healthcare Giant Magellan Struck with Ransomware, Data Breach"

Microsoft researchers are working with Intel Labs on a project, called STAMINA (Static Malware-as-Image Network Analysis). The project explores a new approach to detecting and classifying malware that involves the application of deep learning techniques. The method proposed by Microsoft and Intel converts malware samples into grayscale images, which are then scanned for textual and structural patterns associated with malware samples. The steps involved in STAMINA include preprocessing, transfer learning, validation, and classification. According to the research team, STAMINA has identified and classified malware samples at an accuracy rate of 99.07%. These results highlight the importance of exploring the use of machine learning techniques in malware classification. This article continues to discuss how STAMINA works, the concept of deep learning, the current limitations of the STAMINA project, and Microsoft's increased reliance on machine learning for detecting emerging threats.

ZDNet reports "Microsoft and Intel Project Converts Malware Into Images Before Analyzing It"

Cisco Talos discovered a new variant of the Astaroth Trojan family that applies evasion checks and anti-analysis processes through the use of YouTube channels as its command-and-control (C&C) infrastructure. The new Astaroth attack campaign primarily targets users in Brazil to steal passwords and personal information. Another variant detected by Cybereason in 2019 used JPEG, GIF, and extensionless files to disguise its payload and evade detection. Security professionals are encouraged to explore the use of machine learning (ML) models to defend their organizations against Astaroth and other evasive malware. This article continues to discuss the operation of the new Astaroth attack campaign, other previously detected variants of the Astaroth Trojan family, as well as the training of ML models and the use of relevance scoring by security professionals to defend their organizations against evasive malware.

Security Intelligence reports "Astaroth Trojan Employed YouTube Channels as C&C to Evade Detection"

The Intelligence and National Security published a new study conducted by a multi-disciplinary team of researchers at the University of New South Wales that brings further attention to the importance of developing training programs and enforcing stricter regulations to bolster the security of health systems against cyberattacks. Although the study focusses on strengthening the cybersecurity of Australian health systems, it does highlight the rise in vulnerabilities and attacks faced by US healthcare organizations. The researchers cite the use of outdated legacy operating systems, the increasing interconnectivity of health systems, and lack of more stringent patient data protection regulations as some of the reasons behind the growth in attacks against hospitals and public health data. This article continues to discuss important points highlighted by the study regarding the vulnerability of health systems to hacking and how healthcare cybersecurity can be improved.

TechXplore reports "Strained Health Systems Struggle to Keep up With Hackers"

Hackers from a group called Shiny Hunters have claimed to have stolen 500 GB of data from Microsoft's GitHub account. The information stolen does not seem to include any sensitive or critical information. The hacking group planned to sell the data at first, but then later posted it onto a hacker forum for users to gain access to the information for free. Security researchers have discovered that most of the data published were code samples, eBooks, and test projects.

Threatpost reports: "Report: Microsoft's GitHub Account Gets Hacked"

Group-IB's Computer Emergency Response Team (CERT-GIB) observed a significant growth in the number of phishing attacks launched last year. CERT-GIB blocked 5,939 more phishing web resources in 2019 than in 2018. According to the response team, there has been a surge in the number of blockages because cybercriminals are no longer stopping their malicious campaigns immediately after their web pages are blocked. Instead, they continuously replace blocked web pages with new phishing pages. Cybercriminals also no longer need to be highly-skilled to create phishing pages as tools for operators of web phishing campaigns have become increasingly available. Figures revealed that the top three targets of web phishers in 2019 were cloud storage providers, financial organizations, and online services such as online streaming services, e-commerce, client software, and more. Email remains the top vector of choice for distributing ransomware, spyware, and other malware, with attachments being used more than links to deliver malicious items. This article continues to discuss findings on the increased persistence in phishing attacks, the shift in web phishers' targets, and malware delivery methods.

Help Net Security reports "H2 2019: Duration of Phishing Attacks Grows, Use of Banking Trojans Wanes"

Trustwave's Global OT/IoT security research team discovered security flaws in two Schneider Electric industrial control systems (ICS) products. Trustwave analysts demonstrated the possibility of malicious actors exploiting the vulnerabilities found in Schneider's SoMachine Basic v1.6 and Schneider Electric M221, firmware version 1.6.2.0, Programmable Logic Controller (PLC) to take control over a device by preventing, changing, then resending commands. This article continues to discuss the potential impact of the Schneider Electric vulnerabilities, where the security flaws come from, how these vulnerabilities are reminiscent of Stuxnet, and recommendations for hardening networks to protect ICS assets.

SC Media reports "Vulnerabilities in Two Schneider Electric ICS Products Reminiscent of Stuxnet"

GoDaddy recently discovered a data breach that affected about 28,000 of its customers' web hosting accounts. The company believes that no data was altered or stolen. The security incident occurred in October 2019 but was not discovered until April 23rd. Once discovered, the security team removed the affected SSH file and began resetting their customer's credentials as a precaution.

Bank Info Security reports: "GoDaddy Confirms Breach Affecting 28,000 Accounts: Report"

Recent studies by Palo Alto Networks and Mimecast highlight threat actors' continued exploitation of fear and interest surrounding the coronavirus outbreak to increase the success of phishing and social engineering attacks. According to Palo Alto Networks, there has been a significant rise in the registration of malicious domains, with almost 1,800 coronavirus-related domain names being registered every day. Mimecast found that the number of COVID-19-themed spam messages increased by 26% within the first 100 days of the outbreak, while impersonation attacks related to the disease surged by 30%. In addition, since more employees have been working from home and overlooking proper cybersecurity practices, the success of attackers has grown as indicated by the increased number of clicked URLs blocked by Mimecast. This article continues to discuss observations made by cybersecurity firms of changes in techniques used by attackers during the pandemic.

Dark Reading reports "Attackers Adapt Techniques to Pandemic Reality"

A new cybersecurity study by researchers at New York University shows that when people assess their exposure to risk, they believe they are less likely than others to engage in activities that would increase their vulnerability to online attacks. Researchers say this perception creates a false sense of security, thus making people more susceptible to online attacks. According to researchers, this perception derives from differences in how people use base rate information or data on the number of people who have fallen for online scams. Such information is often overlooked, which makes it difficult for people to assess their behavior when it comes to risk. However, when base rate information is considered, it is applied to make judgments about others' actions. The results of this study emphasize the importance of ensuring that people are well-informed about the risk posed by not following cybersecurity best practices. It is especially important to raise awareness about cyber risk among those who are now working from home during the COVID-19 crisis as remote work has created more cyber vulnerabilities. This article continues to discuss key findings from the study aimed at capturing how people perceive their vulnerability to online attacks in relation to others'.

Science Daily Reports "We Believe We're Less Likely Than Others Are to Fall for Online Scams"

Mordechai Guri, researcher at the Ben-Gurion University of the Negev, has demonstrated another method to steal data from an air-gapped system that involves the abuse of the power supply. The attack method, called POWER-SUPPLaY, is performed by infecting a device with malware to control its CPU workload. This control leads to the generation of both audible and inaudible sounds by the device's power supply, which can then be picked up by a nearby smartphone. Attackers can use this method to steal passwords, encryption keys, and files from machines that do not have any audio hardware. This article continues to discuss the demonstration of the POWER-SUPPLaY data exfiltration attack and other methods for stealing data from air-gapped devices.

Security Week reports "Power Supply Can Turn Into Speaker for Data Exfiltration Over Air Gap"

The UK's National Cyber Security Centre (NCSC) and the US Department of Homeland Security's (DHS) Cybersecurity and Infrastructure Security Agency (CISA) issued a joint warning about the targeting of healthcare organizations by state-sponsored hacking groups. In addition to the healthcare sector, organizations in academia, medical research, and local government are being targeted. According to the advisory, these sophisticated hacking groups are seeking to obtain information about COVID-19 responses, research, and other sensitive information concerning the infectious disease. The security agencies also pointed out the use of international supply chains as an entry point for attacks. Advanced Persistent Threat (APT) groups targeting healthcare services are also launching brute force attacks and abusing unpatched software to infiltrate systems. This article continues to discuss findings surrounding state-backed hackers' attempts at stealing coronavirus research and recommendations for organizations on the mitigation of these attacks.

ZDNet reports "Security Warning: State-Backed Hackers Are Trying to Steal Coronavirus Research"

Recent reports show that the frequency and sophistication of data breaches are continuing to grow. Studies show that data breaches compromise an average of more than 3.8 million records every day. New research from the University of Notre Dame suggests that a firm's social performance is a contributing factor to its likelihood of facing a cyberattack that leads to a data breach. A firm's social performance is measured by its engagement in socially responsible or irresponsible activities. Evidence shows that not all hackers are financially-motivated. Recent attacks against the World Health Organization (WHO), National Institutes of Health, and others due to responses to the coronavirus pandemic have been cited as examples that support this notion. The study also shows that firms considered bad actors regarding corporate social responsibility (CSR) are usually no more likely to experience a breach than firms with a strong record of CSR. This article continues to discuss the study on how a firm's CSR presentation, strengths, and weaknesses impact its risk of facing a breach.

The University of Notre Dame reports "Firms Perceived to Fake Social Responsibility Become Targets for Hackers, Study Shows"

Coveware's Q1 ransomware market report has revealed that the average ransomware payment has increased to $111,605 in Q1 2020, which is a 33% increase from Q4 of 2019. According to the report, 14% of ransomware attacks in Q1 2020 targeted organizations within the healthcare sector. The report also highlighted that a ransomware attack causes an average of 15 days of electronic health record (EHR) downtime, with hospitals being at the most risk of downtime given the potential impact on patient care. Coveware's analysis of over 1,000 ransomware cases impacted by clients in Q1 2020 found that ransomware attacks executed against larger organizations were the most successful because of the increased possibility of higher ransom demand payments. Sodinokibi and Ryuk remain the most prevalent types of ransomware, contributing to the rise in ransomware attacks. The most common ransomware attack vector continues to be inadequately secured Remote Desktop Protocol (RDP) access points. This article continues to discuss recent findings surrounding ransomware attacks relating to the increase in the average ransom payment from Q4 2019, attack types in Q1 2020, ransomware attack vectors, targeted companies, data recovery, and the costs of ransomware attacks.

Security Boulevard reports "Ransomware Payments Up 33% As Maze and Sodinokibi Proliferate in Q1 2020"

Oracle has recently released its April 2020 Critical Patch update, which fixed 405 flaws, including 286 that were remotely exploitable across nearly two dozen product lines. One major vulnerability named CVE-2020-2883 affected Oracle's WebLogic server, which is a popular application server that is used in building and deploying enterprise Java EE applications. CVE-2020-2883 is a remote code execution flaw, which could have been exploited by unauthenticated attackers to take over unpatched systems. Since this vulnerability was patched, Oracle has received numerous reports that adversaries are still targeting CVE-2020-2883. Attackers have been successful in exploiting this patched vulnerability because some targeted customers have failed to apply the available Oracle patches. Oracle is strongly recommending that customers remain on actively-supported versions and should apply Critical Patch Update security patches right when they are released, and without delay.

Threatpost reports: "Oracle: Unpatched Versions of WebLogic App Server Under Active Attack"

According to the Healthcare Information Sharing and Analysis Center (H-ISAC), healthcare organizations have observed a 30% increase in coronavirus-themed phishing websites. Still, they have not seen as many successful security breaches. Although there has been an increase in fraud attempts targeting healthcare organizations' businesses and suppliers, the attacks are less sophisticated. The potential reason behind this mix of more but less sophisticated attacks might be that the current state of the global economy is leading some people to commit cybercrime for financial gain. Other reasons cited by security researchers as to why healthcare organizations are facing an increase in attempted cyberattacks include the continued use of medical equipment that run unpatched operating systems and the exploitation of vulnerabilities contained by commonly used virtual private network (VPN) devices and software. The healthcare industry is also increasingly targeted in ransomware attacks due to its reputation for paying ransoms. This article continues to discuss the increase in cyberattacks against the healthcare industry, the lack of sophistication in recent attacks, and other observations surrounding healthcare cybersecurity.

Dark Reading reports "Healthcare Targeted By More Attacks But Less Sophistication"

Researchers have discovered that Apple's iOS Mail app has two severe security vulnerabilities. The security flaws allow adversaries to remotely compromise a device by sending an email that will consume high amounts of the device's memory. The vulnerabilities can be triggered before the whole email is downloaded, and the trigger varies depending on the iOS version the device is running. Through successful exploitation of these vulnerabilities adversaries, can modify, leak, and delete emails from a user's device.

Researchers from Barracuda Networks, have discovered that adversaries are starting to use legitimate reCaptcha walls to disguise malicious content from email security systems. reCAPTCHA walls are usually used to verify human users before allowing access to web content. Sophisticated scammers are starting to use the Google-owned service to prevent automated URL analysis systems from accessing the actual content of the phishing pages. The researchers observed one email credential phishing campaign that sent out more than 128,000 emails to various organizations and employees using reCAPTCHA walls to conceal fake Microsoft login pages.

Help Net Security reports: "Surge in Phishing Attacks Using Legitimate reCAPTCHA Walls"

The international nonprofit membership association (ISC)2 recently surveyed 256 cybersecurity professionals responsible for maintaining the security of their companies' digital assets. More than 80% of the respondents said that the coronavirus pandemic has altered their job assignments in some way. Many of the respondents are now being tasked to perform non-security-related IT activities, such as equipping remote workers. This change in duties derives from the institution of work-from-home (WFH) policies by many organizations to slow the spread of COVID-19. Over 20% of the respondents said their organizations have observed a rise in cybersecurity incidents since the enforcement of WFH policies. Challenges cited by infosec professionals include a lack of resources to support remote work, helping end-users understand security policies and policy compliance. This article continues to discuss the change in cybersecurity professionals' roles during the COVID-19 pandemic, the growth of remote work, and challenges faced in supporting the remote workforce.

SC Media reports "COVID-19 Has Changed Cyber Pros' Roles, Increased Incident Totals"

According to a new report released by Security Research Labs, there has been a significant improvement in Android smartphone manufacturers' patching hygiene. Improvements have been seen in the frequency and speed at which vendors are delivering security patches. However, the Android ecosystem remains fragmented as only 30% of the devices observed by Security Research Labs were running Android 9 or newer in 2019, while 40% ran Android 8, and 30% ran Android 7. The security firm finds that vendors still patch their most widely deployed Android versions faster than less-widely deployed versions. While improvements have been made to patching practices, a patch gap still exists due to the complexity of the Android ecosystem and the number of Android versions that each vendor supports. This article continues to discuss findings from the patching analysis of major Android vendors.

Security Week reports "Android Phone Makers Improve Patching Practices"

Computer scientists at the University of Liverpool have discovered a new threat posed by smartphones, smart doorbells, virtual assistants, and other Internet of Things (IoT) devices that can allow attackers to access and combine device identification with biometric information. The computer scientists collected and examined more than 30,000 biometric samples, such as facial images or voices, from over 50 users and over 100,000 different device IDs, like smartphone MAC addresses, in a month. They discovered that the leakage of identity information from different devices can allow attackers to profile users by matching device IDs with biometric information, posing a threat to the privacy and security of users. The computer scientists were able to de-anonymize most of the device IDs and collect device users' biometric information, using the samples, with a high accuracy rate. This article continues to discuss the new privacy issue of cross-modal identity leakage, the growth of IoT devices, the rise in sensors contained by such devices, and the importance of improving the security and privacy of IoT technology.

Planet Biometrics report "University Reveals New Biometric Security Threat"

Since the beginning of COVID-19, consumer behavior has changed across the industries, and fraudsters are also shifting their focus accordingly. In a new study, researchers from Arkose Labs found that the attack rate against retail and travel industries has doubled from 13 percent of transactions to 26 percent. The gaming industry has been hard hit with a 23 percent increase in attack rates because of the 30 percent rise in gaming traffic. Attacks on tech platforms have risen 16 percent since personal and professional collaboration and communication have shifted online. Fraudsters also ramped up their attacks by 25 percent on new account registrations.

Help Net Security reports: "445 Million Attacks Detected Since The Beginning of 2020, COVID-19 Wreaks Havoc"

Social media bots are social media accounts that use artificial intelligence to automate the performance of activities such as aggregating news, assisting customers for online retailers, and more. They are also used to amplify the spread of misinformation and shape public opinion. Since these bots continue to improve at mimicking human behavior, it is getting increasingly harder for them to be detected. Much research on social media bots has focussed on bot detection rather than bot characteristics and behavior in comparison to that of humans. A new study examined the behavior of bots and humans throughout an activity session using a Twitter dataset correlated with recent political developments. The results from this analysis were used to inform a classification system for bot detection. The researchers looked at tweet length, replies, mentions, amount of tweets, and other indicators of the quantity and quality of a users' social interactions to capture differences in behavior between bots and humans. One trend present in humans that were not present among bots is tiredness, which was shown by the decrease in humans' production of content and illustrated by the decline in the average tweet length as sessions progressed. This article continues to discuss the concept of social media bots, the growing advancement of bots, and findings from the study aimed at examining the differences in behavior between bots and humans to improve bot detection.

Science Daily reports "Who's a Bot and Who's Not"