News Items

Cybercriminals are starting to get more creative in how they are leveraging the coronavirus pandemic. Researchers at Bitdefender have found that cybercriminals are hijacking routers and changing Domain Name System (DNS) settings so that the victim is redirected to the attacker's controlled website. On the attacker's controlled website, the attackers promote fake coronavirus information applications. The site also displays a message pretending to be from the World Health Organization (WHO) and tells the users to install an app offering further coronavirus information via a download button. If an individual download one of these applications, the individual is then infected with information-stealing Oski malware. These hacks began on March 18th, and at least 1,193 victims have been affected by this cyberattack. Victims are from the United States, Germany, and France. The adversaries target routers by brute forcing remote management credentials. The adversaries are targeting Linksys routers, and also D-Link routers.

Threatpost reports: "Hackers Hijack Routers to Spread Malware Via Coronavirus Apps"

IBM X-Force researchers have released details about a variant of the TrickBot Trojan, dubbed "TrickMo," which was first discovered by the federal computer emergency response team of German (CERT-Bund) in September 2019. The malware has mainly targeted banking customers in Germany but is likely to be distributed in other countries. TrickMo is delivered via a fake security app and is designed only to be downloaded to an Android mobile device. Once the malware is installed, attackers can steal device information, lock the device, record targeted applications for one-time passwords, and more. Information collected through the execution of TrickMo can allow attackers to generate an infected Android phone's digital fingerprint. Attackers can sell this device fingerprint on the dark web or authorize fraudulent bank transactions. This article continues to discuss the discovery, distribution, and capabilities of TrickMo, as well as the TrickBot Trojan's evolution into a cybercrime-as-a-service model.

BankInfoSecurity reports "Mobile Malware Bypasses Banks' 2-Factor Authentication"

China's state-backed information operations are starting to follow Russia's playbook for spreading disinformation. The Chinese state-backed information operations usually run disinformation operations aimed at controlling a narrative. However, now they are mirroring Russian state-backed information operations behavior of spreading disinformation. Russia usually spreads disinformation to cause chaos and confusion. The disinformation China is spreading is where the coronavirus first originated. On Sunday, a state-backed Chinese outlet propagated fake news, that COVID-19 started spreading through Italy first before it was detected in China.

Cyberscoop reports: "China Borrowing Russian Tactics to Spread Coronavirus Disinformation"

A new variant of the infamous Mirai IoT botnet, called Mukashi, is exploiting vulnerabilities contained by Zyxel network-attached storage (NAS) devices to execute distributed denial-of-service (DoS) attacks. The flaw exploited by the Mukashi botnet is said to be a pre-authentication command injection vulnerability. The abuse of this security flaw allowed unauthenticated attackers to launch arbitrary code on a vulnerable device. According to Palo Alto Network's threat intelligence team, known as Unit 42, Zyxel NAS products running firmware versions up to 5.21 are affected by the flaw. Zyxel has released a patch to address the flaw designated as CVE-2020-9054. This article continues to discuss the vulnerability abused by the Mukashi botnet, the building of this new botnet, and the impact of the Mirai botnet.

GovInfoSecurity reports "New Mirai Variant Exploits NAS Device Vulnerability"

Google has recently introduced many new security measures to prevent malicious apps from appearing on the Play Store. After these measures were put into place, researchers from Check Point found malware lurking within 56 apps that had been downloaded almost one million times worldwide. The malware that the researchers found was called Tekya, which tries to imitate user's actions to click on ads and banners from apps such as AppLovin', AdMob, Facebook, and Unity. The apps that were found to be affected by this malware include cooking apps, calculators, and apps aimed at kids such as puzzles and racing games. The reason why Google was not able to detect the malware in these applications on its Play Store, is because Tekya is hidden in Android's native code. Native code is the code that is designed to run only on Android processors. Since malware was found on applications on the Play Store, it shows that Google's new security measures are not airtight.

Engadget reports: "Google's Security Measures Failed to Find Android Malware in Play Store"

Each quarter, The National Security Agency recognizes the agency's engagement with an academic institution. This quarter, the school is Carnegie Mellon University in Pittsburgh, PA. CMU has many relationships with the NSA including hosting an SoS Lablet.

To learn more about the CMU / NSA relationship, visit NSA.gov: https://www.nsa.gov/News-Features/News-Stories/Article-View/Article/2111365/nsa-and-carnegie-mellon-university-partnering-on-cybersecurity-research-fo...

Researchers have discovered a flaw in Tesla Model 3's web interface. Tesla Model 3's web interface has a denial of service (DoS) vulnerability. To exploit the vulnerability, a user would have to go to a malicious webpage. If the user went to a webpage that was compromised, using the central display, it could allow the attackers to disable the speedometer, web browser, climate controls, turn signals, navigation, autopilot notifications, and blinker notifications along with other miscellaneous functions from the main screen. The user would still be able to drive the car. The researchers have notified Tesla, and Tesla has since patched the flaw.

SecurityWeek reports: "Vulnerability Exposed Tesla Central Touchscreen to DoS Attacks"

Despite the COVID-19 crisis, hackers are still not holding back on attacking healthcare organizations. Brno University Hospital in the city of Brno, Czech Republic, faced a cyberattack that resulted in postponed surgeries and the redirection of some patients to other hospitals. The incident further shows that malicious hacking individuals and groups will exploit any situation for their own advantage. Healthcare organizations must remain alert to ransomware attacks and COVID-19-themed phishing attacks. As nurses and other healthcare professionals have access to sensitive data, they must be educated about the increased risk of such attacks, especially during this time. This article continues to discuss recent cyberattacks on healthcare organizations, the importance of improving healthcare cybersecurity practices, and what steps should be taken by healthcare organizations to enhance their security.

Help Net Security reports "Healthcare Cybersecurity in the Time of Coronavirus"

The National Institute of Standards and Technology (NIST) and the Department of Homeland Security's (DHS) Cybersecurity and Infrastructure Agency (CISA) are offering recommendations to organizations on how to conduct virtual meetings securely. They are also providing advice on how to ensure that connections to enterprise networks using virtual network (VPN) solutions are protected. Recommendations include using only approved virtual meeting services, requiring the use of unique PINs or passwords for each virtual meeting attendee, encrypting recordings, and applying patches. Organizations are also encouraged to alert employees about a potential increase in phishing attacks aimed at stealing their login credentials. As more people work from home because of the COVID-19 outbreak, efforts must continue to be made to raise awareness about the best security practices to follow when teleworking. This article continues to discuss recommendations from NIST and DHS regarding the security of virtual meetings and connections to enterprise networks.

Security Week reports "NIST, DHS Publish Guidance on Securing Virtual Meetings, VPNs"

Quantum computers will render current encryption algorithms obsolete. Today's encrypted data could be exposed by attackers through the use of quantum computers, posing a significant threat to the privacy of data stored and handled by the government, healthcare sector, financial firms, and more. As the era of fully developed quantum computer approaches, the exploration of post-quantum data protection methods must continue. The secure communication method, quantum key distribution (QKD), uses particles of light known as photons to encode data in qubits, which are transmitted to a sender and receiver as an encryption key. In the Optical Society's (OSA) journal for high-impact research, Optica, researchers from the University of Bristol, UK, discuss the demonstration of smaller, more robust, and less expensive chip-based QKD devices. The development of these devices brings us closer to the widespread adoption of quantum-secured communication. This article continues to discuss how the new QKD devices improve upon secure communication and how researchers demonstrated the use of these devices.

Science Daily reports "Chip-Based Devices Improve Practicality of Quantum-Secured Communication"

There has been a rise in cyberattacks on Defense Department networks as the demand on military computer networks by teleworking employees increases. To safeguard DOD networks and address the increased telework demand due to the coronavirus outbreak, the Pentagon is prohibiting users from accessing YouTube, Pandora, and other streaming services on the DoD network since they are not mission-essential. This article continues to discuss the actions being taken by the Pentagon to protect DOD networks, the significant growth in teleworking demands on the military's computer networks, and the possibility of performing classified activities outside secure facilities and secure networks.

NextGov reports "Attacks on DOD Networks Soar as Telework Inflicts 'Unprecedented' Loads"

Doug Leith, a computer scientist at Trinity College Dublin, recently published a study titled "Web Browser Privacy: What Do Browsers Say When They Phone Home?". The study compares the privacy provided by Google Chrome, Mozilla Firefox, Apple Safari, Brave, Edge, and Yandex. Leith conducted the study by examining the browsers' exchange of data, including unique identifiers and details related to typed URLs with backend servers. Data such as identifiers tied to device hardware, details of sites visited through the autocomplete function, hashed MAC addresses, and more, could be used to track users. Device identifiers raise the most concern as users cannot easily change or reset them. The examination resulted in Microsoft Edge and Yandex receiving the lowest privacy rating, and Brave getting the highest ranking. Chrome, Firefox, and Safari received a medium ranking. This article continues to discuss the transmission of unique identifiers to backend servers, browser syncing, how browsers ranked regarding privacy, and how officials have responded to the findings of this study.

Ars Technica reports "Study Ranks the Privacy of Major Browsers"

Researchers from RiskIQ found that Magecart group 8 has been targeting Nutribullet.com, which is the website of the blender manufacturer, NutriBullet. The hacking group inserted a JavaScript web skimmer code and also an exfiltration domain targeting the website's checkout page, where customers input their payment information. The adversaries started trying to steal payment information on February 20th, and the malicious code was removed on March 17th. The attackers' exfiltration domain was taken down on March 1st so that the adversaries would not receive stolen information. However, then the adversaries replaced the skimmer and new exfiltration URL on the website on March 5th. The researchers then took down the new exfiltration domain again. On March 10th, the adversaries added a new skimmer but left the old exfiltration domain. Since the adversaries kept the old exfiltration domain that had already been taken down, this means the adversaries were not able to get any information after March 10th. As of right now, it is unknown if the adversaries were able to steal any credit card information during the time they were active.

Threatpost reports: "Magecart Cyberattack Targets NutriBullet Website"

THE WHITE HOUSE
Office of Science and Technology Policy

FOR IMMEDIATE RELEASE
March 16, 2020

Today, researchers and leaders from the Allen Institute for AI, Chan Zuckerberg Initiative (CZI), Georgetown University's Center for Security and Emerging Technology (CSET), Microsoft, and the National Library of Medicine (NLM) at the National Institutes of Health released the COVID-19 Open Research Dataset (CORD-19) of scholarly literature about COVID-19, SARS-CoV-2, and the coronavirus group.

5G is the next generation of wireless technology that will increase the use of Internet of Things (IoT) devices, industrial IoT (IIoT), and cloud services, as well as the adoption of network virtualization and edge computing. The potential security vulnerabilities associated with 5G networks must be examined and addressed before the widespread implementation of 5G technology. According to a study conducted by Accenture, most businesses and technology leaders expect there to be an increase in security vulnerabilities as the adoption of 5G technology rises. This article continues to discuss the rollout of 5G networks, the anticipated increase in security vulnerabilities because of 5G networks, and how these vulnerabilities could be addressed with the help of the Federal Communications Commission (FCC) and NIST Cybersecurity Practice Guide.

Help Net Security reports "Can 5G Make You More Vulnerable to Cyberattacks?"

Researchers from the Neustar International Security Council (NISC) have discovered that many organizations are starting to get risk fatigue. Most organizations are investing in more resources in network monitoring and threat intelligence technologies, which create more alerts, and more false positives for security teams. In a new survey, the researchers found that 43 percent of the organizations surveyed experienced false positive alerts in more than 20 percent of cases. 15 percent of the organizations reported that more than 50 percent of the security alerts they receive are false positives.

InfoSecurity reports: "Over a Quarter of Security Alerts Are False Positives"

A new study conducted by researchers at the University of York suggests that fake apps could fool some commercial password managers into giving passwords away. The research shows that some password managers are weak at identifying apps and determining which username and password to suggest for autofill. Researchers created a malicious app that impersonates a legitimate app to exploit this weakness. Using this technique, they were able to trick two out of the five password managers chosen for the study. Senior author of the study, Dr. Siamak Shahandashti from the Department of Computer Science at the University of York, highlighted that studying the security of password managers is essential as they provide paths to highly sensitive information. This article continues to discuss the vulnerabilities found in password managers, how hackers could abuse the weaknesses, and the disclosure of these vulnerabilities to vendors.

EurekAlert! reports "Researchers Expose Vulnerabilities of Password Managers"

A team of scientists from the University of Sydney, Royal Melbourne Institute of Technology (RMIT), and the University of Queensland has developed a new scheme for reducing errors faced by different types of quantum hardware. The quantum error correction codes developed by researchers aim to reduce the number of physical quantum switches or qubits needed, thus potentially scaling quantum computers up to complete functional machines. According to scientists, these codes are platform agnostic, allowing them to be applied to various quantum hardware systems. Much effort is being made by universities and technology companies worldwide to develop a universal, fault-tolerant quantum computer as such technology will bring advancements in security, cryptography, and more. This article continues to discuss the need for robust qubits, the fragility of quantum superpositions, and the error-correction approach for quantum computers developed by scientists in Australia.

The University of Sydney reports "Novel Error-Correction Scheme Developed for Quantum Computers"

The security firm, Reason Labs, released a new report that reveals the recent abuse of dashboards made by organizations, including John Hopkins University, to monitor the COVID-19 outbreak. According to the report, hackers are using these dashboards to inject malware into computers and steal sensitive information such as passwords, credit card numbers, and more. Researchers have stressed that the growing panic surrounding the outbreak, as well as the increase in efforts to combat the virus, have opened doors for hackers to distribute information-stealing malware. Attackers are designing coronavirus-related websites that appear as genuine maps for tracking the virus, but are platforms for spreading malware, called AZORult. In order for users to protect their computers from this malware, they are advised only to use verified COVID-19 dashboards and to check the URL of a linked website before clicking. This article continues to discuss the use of dashboards to gain information regarding coronavirus, hackers' exploitation of fear surrounding the virus, and the distribution of AZORult malware via coronavirus-related websites created by attackers.

TechWorm reports "Hackers Are Using Coronavirus Maps To Spread Malware On Your Computer"

The Cyberspace Solarium Commission (CSC) released a report that discusses how to strengthen the security of the nation's critical infrastructure against dangerous cyberattacks. The CSC provides a comprehensive strategy to rebuild deterrence in cyberspace as well as the policies and legislative actions required to implement the plan. The report calls for the application of a layered cyber deterrence strategy aimed at changing behavior in cyberspace, ensuring that adversaries gain nothing when trying to exploit cyberspace, and enforcing consequences for those who decide to target America in the realm of cyberspace. Threats such as those posed by nation-states, including China, Russia, Iran, and North Korea, as well as non-sate actors like criminals and extremist groups, are covered in the report. The CSC also brings further attention to the unique challenges faced in protecting the nation's cyberspace. Recommendations provided by the report on how the U.S. could improve its posture in cyberspace include establishing a Senate-approved National Cyber Director to lead the federal government's efforts in cyberspace and developing a continuity plan to help national critical functions recover quickly if a significant cyberattack occurs. This article continues to discuss highlights from CSC's report on how to bolster American cyber defenses.

Homeland Security News Wire reports "'Speed and Agility,' 'Layered Cyber Deterrence' to Bolster American Cyber Defenses"

The Air Force Research Laboratory is sponsoring a sophisticated hacking challenge called "No Mr. Bond, I Expect You to Hack," which takes inspiration from spy movies. The movie-style hacking challenge is geared towards students in New York City-area colleges and universities. Participants are encouraged to apply their skills to hack into physical security systems. The challenge is structured as a capture-the-flag hacking competition with three stages, involving the performance of reverse engineering, detecting vulnerabilities, and developing exploits based on embedded and cyber-physical systems. In order to win the competition, participants must be able to gain access to a secure container by successfully bypassing remote monitoring systems, remote defense systems, and access control systems such as IP security cameras, simulated gun turrets, and RFID door locks. This article continues to discuss the structure of the hacking challenge and what participants will receive if they win the competition.

AP reports "U.S. Air Force Sponsors Spy Movie-Style Physical Hacking Challenge"

Over the past couple of years, security researchers have disclosed attacks, including Plundervolt, Zombieload, and Foreshadow, that could be executed through the exploitation of vulnerabilities in Intel processors. Although Intel has issued patches to address the vulnerabilities discovered by researchers, they are not enough to prevent a new attack developed by computer scientists at KU Leuven, called Load Value Injection (LVI). The LVI attack technique involves the exploitation of a vulnerability in the Software Gaurd Extension (SGE) enclaves. SGE uses isolation methods to protect code and data from being modified and exposed. The vulnerability allows an attacker to inject their data into a software program running on a victim's computer so that they could hijack the program and obtain sensitive data from the victim, such as passwords. This article continues to discuss the new LVI attack demonstrated against Intel processors, how Intel addressed the discovery of this attack, and other security flaws in Intel processors exposed by researchers at KU Leuven, as well as the concept behind SGX enclaves and how the LVI attack differs from previously discovered attacks.

KU Leuven reports "Intel Processors Are Still Vulnerable to Attack"

In the cybersecurity field, a significant gender gap exists. Even though there are 4 million job vacancies in the US and UK, it is hard to get more women interested in the cybersecurity field. Women occupy less than a quarter of cybersecurity roles. In a new survey, researchers found that 42 percent of respondents think the cybersecurity field is uncool and unexciting. Half of the women surveyed believe that representations of the industry in media need to change in favor of encouraging more women to explore cybersecurity professions. Since the cybersecurity field is considered uncool and unexciting, respondents between the ages of 25 and 34 said that the negative perceptions of cybersecurity are their most significant barriers to entering the cybersecurity field. Older respondents believed that cybersecurity was a cool and exciting industry. The image issue is a big reason more women do not enter the cybersecurity landscape at a young age, but instead enter later in their careers. 23% of the women in the survey said that a lack of role models was a challenge they faced at the start of their cyber careers, and 26% said more diverse role models would encourage more women into cybersecurity roles. If the number of women working in the US cybersecurity field did equal that of men, this would increase the value of the cybersecurity industry by 30.4 billion dollars.

TechRepublic reports: "Closing The Cybersecurity Gender Gap Would Boost The US Economy by $30B"

Researchers at Graz University of Technology discovered that AMD CPU microarchitectures from 2011 to 2019 are vulnerable to side-channel attacks. In a paper, titled "Take A Way: Exploring the Security Implications of AMD's Cache Way Predictors," the researchers discuss the demonstration of two new attack techniques, called "Collide + Probe" and "Load + Reload." These techniques exploit vulnerabilities in AMD's LD1 cache way predictor, which is designed to predict where data is stored in the processor and determine when the data is accessed. Using the techniques, an attacker could access AES encryption keys. This article continues to discuss the AMD CPU infiltration approaches demonstrated by researchers and how the weaknesses exploited to perform these attacks could be addressed.

TechXplore reports "AMD Processors Susceptible to Security Vulnerabilities, Data Leaks"