Jul 28 2022

ENISA provides data related to major telecom security incidents in 2021

Category: Information Security,Security IncidentDISC @ 8:36 am

ENISA published a report that includes anonymised and aggregated information about major telecom security incidents in 2021.

Every European telecom operator that suffers a significant security incident notifies its national authority; at the start of each calendar year the national authorities share summaries of these reports with ENISA.

Security incident reporting has been part of the EU's regulatory framework for telecoms since the 2009 reform of the telecoms package.

This year's report covers 168 incident reports submitted by national authorities from 26 EU Member States (MS) and 2 EFTA countries.

Every reported incident had a significant impact. Total user hours lost (for each incident, the number of users affected multiplied by the duration in hours) came to 5,106 million user hours, a sharp rise from 841 million user hours in 2020. The increase is driven by one notable EU-wide incident that was reported separately by three MS. ENISA has published technical guidelines on incident reporting under the EECC (European Electronic Communications Code), including on thresholds and on calculating hours lost.

Below are the takeaways from incidents that took place in 2021:

  • 4.16% of the incidents reported in 2021 concern OTT communication services; ENISA calls for further attention to security incidents affecting OTT services.
  • This is the first time that incidents concerning confidentiality and authenticity were reported.
  • The share of incidents labelled as malicious actions rose from 4% in 2020 to 8% in 2021.
  • System failures still dominate in terms of impact, but the downward trend continues: they accounted for 363 million user hours lost, compared with 419 million user hours in 2020.
  • The number of incidents caused by human error is unchanged from 2020.
  • Only 22% of incidents were reported as related to third-party failures, compared with 29% in 2020.

Let me suggest reading the full report for additional information:

Download: ENISA Telecom Security Incidents 2021

DISC InfoSec

#InfoSecTools and #InfoSectraining

#InfoSecLatestTitles

#InfoSecServices

Ask DISC an InfoSec & compliance related question

Tags: telecom security incidents


Jul 27 2022

How DDoSecrets built the go-to home for Russian leaks

Category: Cyber Threats,Data Breach,Information SecurityDISC @ 2:56 pm

American investigative reporter Emma Best knows how arduous it is to ask for information from government agencies. 

She made more than 5,000 such requests during her career at MuckRock, a non-profit news site that publishes original government documents and conducts investigations based on them. Best was so persistent that the FBI temporarily banned her from filing any more information requests.

She found a way to cut through the government bureaucracy. Together with an anonymous partner known as The Architect, Best founded the whistleblower site Distributed Denial of Secrets (DDoSecrets) in 2018. 

Since then, it has distributed hacked and leaked data from more than 200 entities, including U.S. law enforcement agencies, fascist groups, shell companies, tax havens, and the far-right social media sites Gab and Parler. 

Unlike cybercriminals who sell hacked data on the darknet for personal gain, DDoSecrets says it exposes leaked information for the public good. “Secrets can be used for extortion by threatening to make it public, while public information can’t,” Best said.

Her website has become a go-to place for whistleblowers and hackers, especially given the absence of its most famous predecessor, WikiLeaks, which has been inactive for the last two years.

Russian leaks

https://therecord.media/how-ddosecrets-built-the-go-to-home-for-russian-leaks/

Tags: DDoSecrets


Jul 27 2022

Understand the OT Security and Its Importance

Category: OT/ICSDISC @ 9:00 am

This article discusses OT security and why it is essential for protecting industrial systems from cyberattacks. We will also discuss common control objectives that can help companies improve their overall cybersecurity posture by implementing effective OT security measures.

Industrial Cybersecurity: Efficiently monitor the cybersecurity posture of your ICS environment, 2nd Edition

IT/OT Security Convergence And Risk Mitigation

Tags: ICS & SCADA devices, IT/OT Security, IT/OT Security Convergence, OT security


Jul 27 2022

Alkira Partners With Fortinet to Secure Cloud Networks

Category: Cloud computingDISC @ 8:46 am

Alkira today announced it has integrated its cloud service for connecting multiple networks with firewalls from Fortinet.

Announced at the AWS re:Inforce event, the integration makes it possible to automate the configuration and deployment of Fortinet firewalls via the FortiManager platform using a control plane that integrates with the networking services provided by multiple cloud service providers.

Ahmed Datoo, chief marketing officer for Alkira, said the alliance with Fortinet is in addition to existing support for firewalls from Palo Alto Networks.

Alkira is making a case for a control plane for cloud networking that integrates with the application programming interfaces (APIs) exposed by the various cloud service providers. As a result, an IT team does not need to deploy agent software on each cloud service to integrate the Alkira service, Datoo noted.

As organizations increasingly deploy workloads across multiple clouds, managing and securing each of the networks that cloud service providers give them access to has become challenging. The Alkira platform is designed to provide a single pane of glass for configuring networking and security services spanning multiple clouds, said Datoo. Those organizations can either use the frameworks provided by vendors such as Fortinet to manage individual elements or use an instance of the open source Terraform tool to programmatically invoke services, he noted.

The challenge organizations face when using multiple clouds is that each one is typically managed in isolation. As a result, IT teams find themselves dedicating IT staff to mastering the various tools required to manage these platforms. Over time, however, the total cost of IT starts to rise as each cloud platform is added to the extended enterprise. Alkira reduces those costs by unifying the provisioning and management of multiple cloud networks, said Datoo. It’s up to each IT organization to decide which cloud platform to use to deploy the Alkira platform to accomplish that goal, he added.

The alliance between Alkira and Fortinet is only the latest example of the convergence of network and security operations. While cybersecurity teams are still needed to define security policies, much of the routine management of firewalls and other security platforms is now handled by network operations—in part, to make up for the chronic shortage of cybersecurity personnel. Network operations, meanwhile, are slowly being integrated with other IT operations workflows to enable organizations to programmatically manage entire IT environments without requiring as many dedicated network specialists.

In the meantime, the attack surface that security teams are asked to secure keeps expanding in the cloud era, while the size of most organizations' security teams remains constrained. The only way to secure all those cloud environments at scale is to rethink the approach to security operations, which in most cases was defined in an era when most workloads ran in on-premises IT environments that were comparatively simple to secure.

Cloud Security Handbook: Find out how to effectively secure cloud environments using AWS, Azure, and GCP

Tags: Alkira, cloud security, Fortinet, Secure Cloud Networks


Jul 27 2022

DUCKTAIL operation targets Facebook’s Business and Ad accounts

Category: Access Control,App Security,AuthenticationDISC @ 8:29 am

Researchers uncovered an ongoing operation, codenamed DUCKTAIL, that targets Facebook Business and Ads accounts.

Researchers from WithSecure (formerly F-Secure Business) have discovered an ongoing operation, named DUCKTAIL, that targets individuals and organizations that operate on Facebook’s Business and Ads platform.

Experts attribute the campaign to a financially motivated Vietnamese threat actor suspected to have been active since 2018.

“Our investigation reveals that the threat actor has been actively developing and distributing malware linked to the DUCKTAIL operation since the latter half of 2021. Evidence suggests that the threat actor may have been active in the cybercriminal space as early as late 2018.” reads the report published by the experts.

The threat actors target individuals and employees who may have access to a Facebook Business account, using an information-stealing malware that steals browser cookies and abuses the authenticated Facebook sessions they represent to harvest information from the victim's Facebook account.

The end goal is to hijack Facebook Business accounts managed by the victims.

The threat actors target individuals in managerial, digital marketing, digital media and human resources roles. The attackers approached victims through LinkedIn; some of the samples observed by the experts were hosted on file or cloud hosting services such as Dropbox, iCloud and MediaFire.

WithSecure researchers noticed that samples employed in the DUCKTAIL operation were written in .NET Core and were compiled using its single file feature. This feature bundles all dependent libraries and files into a single executable, it also includes the main assembly. Experts pointed out that the usage of .NET Core and its single-file feature is uncommon in malware development.

The use of .NET Core allows the attackers to embed the Telegram.Bot client, along with any other external dependencies, into a single executable and use Telegram channels as command and control (C&C).
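As an added example (not WithSecure's code, and not from the original post), the following Python script shows how an analyst can recognise a .NET single-file bundle during triage and list what it embeds without running it. It relies on two assumptions taken from the dotnet/runtime host model: the apphost carries an 8-byte little-endian header offset immediately followed by the 32-byte marker SHA-256(".net core bundle"), and the manifest is written with BinaryWriter in the order version, file count, bundle id, (v2+) deps/runtimeconfig locations and flags, then one entry per embedded file. build_sample_bundle() fabricates a bundle in that layout purely for the demonstration; it is not a DUCKTAIL sample, and the file names in it are made up.

```python
import hashlib
import struct

# A .NET single-file apphost carries, somewhere in the executable, an 8-byte
# little-endian offset to the bundle manifest immediately followed by a 32-byte
# marker that the dotnet/runtime host defines as SHA-256(".net core bundle").
# An unbundled apphost still contains the marker, but with a zero offset.
BUNDLE_SIGNATURE = hashlib.sha256(b".net core bundle").digest()


def read_7bit_string(buf, pos):
    """BinaryWriter.Write(string) encoding: 7-bit length prefix, then UTF-8 bytes."""
    length = shift = 0
    while True:
        b = buf[pos]
        pos += 1
        length |= (b & 0x7F) << shift
        if not b & 0x80:
            break
        shift += 7
    return buf[pos:pos + length].decode("utf-8"), pos + length


def find_bundle_header_offset(data):
    """Locate the marker and return the manifest offset, or None if not a bundle."""
    idx = data.find(BUNDLE_SIGNATURE)
    if idx < 8:
        return None
    (offset,) = struct.unpack_from("<q", data, idx - 8)
    return offset if 0 < offset < len(data) else None


def parse_bundle(data):
    """Return version, bundle id and embedded file table, or None if not a bundle.
    Manifest layout assumed from Microsoft.NET.HostModel (Manifest/FileEntry.Write)."""
    off = find_bundle_header_offset(data)
    if off is None:
        return None
    major, minor, nfiles = struct.unpack_from("<IIi", data, off)
    pos = off + 12
    bundle_id, pos = read_7bit_string(data, pos)
    if major >= 2:
        pos += 40  # deps.json + runtimeconfig.json locations (offset, size) and flags
    files = []
    for _ in range(nfiles):
        f_off, f_size = struct.unpack_from("<qq", data, pos)
        pos += 16
        if major >= 6:
            pos += 8  # compressed size (0 when the entry is not compressed)
        ftype = data[pos]
        pos += 1
        path, pos = read_7bit_string(data, pos)
        files.append({"path": path, "offset": f_off, "size": f_size, "type": ftype})
    return {"version": (major, minor), "bundle_id": bundle_id, "files": files}


def build_sample_bundle():
    """Constructed stand-in for a bundled apphost: fake PE prefix, two fake payloads,
    a v6 manifest, and the marker patched with the manifest offset. Demo data only."""
    def w7(s):
        raw = s.encode("utf-8")
        n, out = len(raw), bytearray()
        while n >= 0x80:
            out.append((n & 0x7F) | 0x80)
            n >>= 7
        out.append(n)
        return bytes(out) + raw

    body = bytearray(b"MZ" + b"\x00" * 62)
    marker_pos = len(body)
    body += b"\x00" * 8 + BUNDLE_SIGNATURE  # placeholder as shipped in the apphost
    payloads = {"app.dll": b"MZ fake main assembly", "Telegram.Bot.dll": b"MZ fake dependency"}
    entries = []
    for name, blob in payloads.items():
        entries.append((len(body), len(blob), name))
        body += blob
    header_off = len(body)
    body += struct.pack("<IIi", 6, 0, len(entries)) + w7("demo-bundle-id")
    body += struct.pack("<qqqqq", 0, 0, 0, 0, 0)  # no deps/runtimeconfig, flags 0
    for f_off, f_size, name in entries:
        body += struct.pack("<qqq", f_off, f_size, 0) + bytes([1]) + w7(name)  # type 1 = assembly
    struct.pack_into("<q", body, marker_pos, header_off)
    return bytes(body)


if __name__ == "__main__":
    info = parse_bundle(build_sample_bundle())
    print(info["version"], info["bundle_id"])
    for f in info["files"]:
        print(f"{f['path']:20} offset={f['offset']} size={f['size']}")
```

Against a real sample, read the file and pass the bytes to parse_bundle(); a non-zero offset plus a file table naming Telegram.Bot.dll alongside the main assembly is the structural signature the report describes. The file offsets point at the raw assemblies, which can be carved out for normal .NET analysis.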

“Since late last year, the threat actor has shifted entirely to using Telegram as their C&C channel making use of the Telegram Bot functionality. Currently, the adversary only exfiltrates stolen information through the C&C channel and no commands are sent from the C&C to the victim’s machine other than potentially sending e-mail addresses for business hijacking purposes.” continues the report.
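One way to hunt for the Telegram bot C&C pattern in web proxy logs, as an added example that is not part of the report or the original post. The Bot API URL shape (api.telegram.org/bot<token>/<method>) and the token format (numeric bot id, colon, secret) are Telegram's documented ones; the log format, host names, process names and token below are constructed for the demo.

```python
import re
from collections import Counter

# Telegram Bot API requests look like https://api.telegram.org/bot<token>/<method>,
# where <token> is "<numeric bot id>:<secret>". sendDocument/sendMessage carry data
# out; getUpdates would pull tasking in. A browser does not use this endpoint (the
# web client talks to web.telegram.org), so non-browser processes calling it from
# managed endpoints deserve a look.
BOT_API_RE = re.compile(
    r"https?://api\.telegram\.org/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]+)/(?P<method>[A-Za-z]+)"
)
EXFIL_METHODS = {"sendDocument", "sendMessage", "sendPhoto"}

# Constructed proxy log lines for the demo (format assumed:
# "<timestamp> <client_ip> <process> <verb> <url> <status>"); not real traffic,
# and the token is made up.
SAMPLE_LOG = """\
2022-07-20T09:12:01Z 10.1.4.22 chrome.exe GET https://web.telegram.org/k/ 200
2022-07-20T09:12:07Z 10.1.4.22 JobDescription.exe POST https://api.telegram.org/bot5123456789:AAHxG2b7qPzv8Q1TlHk9d3m4JfWZ2Yr0cLQ/sendDocument 200
2022-07-20T09:12:09Z 10.1.4.22 JobDescription.exe POST https://api.telegram.org/bot5123456789:AAHxG2b7qPzv8Q1TlHk9d3m4JfWZ2Yr0cLQ/sendMessage 200
2022-07-20T09:15:30Z 10.1.4.37 msedge.exe GET https://business.facebook.com/ 200
2022-07-20T09:16:02Z 10.1.4.37 outlook.exe GET https://api.telegram.org/bot5123456789:AAHxG2b7qPzv8Q1TlHk9d3m4JfWZ2Yr0cLQ/getMe 200
"""


def parse_line(line):
    ts, client, process, verb, url, status = line.split()
    return {"ts": ts, "client": client, "process": process, "verb": verb,
            "url": url, "status": int(status)}


def find_bot_c2(log_text):
    """Group Bot API calls by (client, process, bot id). The token secret is redacted
    in the output because it is a credential: whoever holds it controls the bot."""
    hits = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        m = BOT_API_RE.search(rec["url"])
        if not m:
            continue
        key = (rec["client"], rec["process"], m["bot_id"])
        entry = hits.setdefault(key, {
            "client": rec["client"], "process": rec["process"], "bot_id": m["bot_id"],
            "secret_prefix": m["secret"][:4] + "...", "first_seen": rec["ts"],
            "methods": Counter(), "exfil": False,
        })
        entry["methods"][m["method"]] += 1
        if m["method"] in EXFIL_METHODS:
            entry["exfil"] = True
    return list(hits.values())


if __name__ == "__main__":
    for f in find_bot_c2(SAMPLE_LOG):
        flag = "EXFIL" if f["exfil"] else "recon"
        print(f"{flag:5} {f['client']} {f['process']} bot={f['bot_id']} {dict(f['methods'])}")
```

The grouping key isolates one bot per host and process, and the numeric bot id is kept as the stable indicator to block or pivot on; the secret is a credential (it lets anyone drive the bot), so it is redacted from findings rather than copied into tickets.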

In order to steal Facebook session cookies from the victims, the malware scans the machine for popular browsers, including Google Chrome, Microsoft Edge, Brave Browser, and Firefox. For each of the browsers that it finds, it extracts all the stored cookies, including any Facebook session cookie.

The malware also steals information from the victim's personal Facebook account, including name, email address, date of birth and user ID, along with other data such as 2FA codes, user agents, IP address and geolocation.

Once they have obtained this data, the attackers can access the victim's personal account and hijack the business by adding their own email address (retrieved from the Telegram channel) and granting themselves Admin and Finance editor access.

“They can edit business credit card information and financial details like transactions, invoices, account spend and payment methods. Finance editors can add businesses to your credit cards and monthly invoices. These businesses can use your payment methods to run ads.” states the report.

Countries affected by the DUCKTAIL samples analysed by the experts include the US, India, Saudi Arabia, Italy, Germany, Sweden, Finland and the Philippines.

“WithSecure cannot determine the success, or lack thereof, that the threat actor has had in circumventing Facebook’s existing security features and hijacking businesses.” concludes the report. “However, the threat actor has continued to update and push out the malware in an attempt to improve its ability to bypass existing/new Facebook security features alongside other implemented features.”

Facebook Business administrators are recommended to check access permissions for their business accounts and remove any unknown users.

Security Manual. Whatsapp and Facebook

Tags: DUCKTAIL operation, Facebook security, Security Manual


Jul 26 2022

Phishing Attacks Skyrocket with Microsoft and Facebook as Most Abused Brands

Category: Information Security,PhishingDISC @ 4:03 pm

Instances of phishing attacks leveraging the Microsoft brand increased 266 percent in Q1 compared to the year prior.

Phishing attacks are back in bloom, with criminals doubling down on fake messages abusing popular brands compared to the year prior. Microsoft, Facebook and French bank Crédit Agricole are the top abused brands, according to a study on phishing released Tuesday.

According to the report by researchers at Vade, phishing attacks abusing the Microsoft brand increased 266 percent in the first quarter of 2022 compared to the year prior. Fake Facebook messages were up 177 percent in the second quarter of 2022 over the same period a year earlier.

The study by Vade analyzed unique instances of phishing URLs used by criminals carrying out phishing attacks and not the number of phishing emails associated with the URLs. The report tallied the 25 most commonly targeted companies, along with the most abused industries and days of the week for phishing emails.

Phishing By the Numbers

Other top abused brands in phishing attacks include Crédit Agricole, WhatsApp and French telecommunications company Orange. PayPal, Google and Apple also featured among the most abused brands.

Through the first half of 2022, 34 percent of all unique phishing attacks tracked by the researchers impersonated financial services brands. The next most popular industry for criminals to abuse is cloud and the firms Microsoft, Google and Adobe. Social media was also a popular target with Facebook, WhatsApp and Instagram leading the list of brands leveraged in attacks.

The report found that the most popular days for sending phishing emails are Monday through Wednesday; less than 20 percent of malicious emails are sent at the weekend.

“Phishing attacks are more sophisticated than ever,” wrote Adrien Gendre, chief tech and product officer at Vade in an email to Threatpost.

“Hackers have an arsenal of tools at their disposal to manipulate end users and evade email security, including phishing kits that can identify when they are being scanned by a vendor and trigger benign webpages to avoid detection. End users need to be continually trained to identify the latest phishing techniques,” he wrote.

Phishing Attacks: Advanced Attack Techniques

Tags: phishing attacks


Jul 26 2022

Twitter hacker touting the data of over 5.4 million users, including celebrities and companies, for $30,000

Category: Information Security,Social networkDISC @ 3:30 pm

Over 5.4 million Twitter users have reportedly been targeted in a major breach of personal data following revelations earlier this year that the site had a serious security flaw. 

The security flaw came to light in January, when a user on HackerOne named “zhirinovskiy” pointed out that Twitter was vulnerable to hackers seeking to use information for malicious purposes.

At the time, Zhirinovskiy detailed exactly how to exploit the bug and described it as a “serious threat” even in the hands of those with only a “basic knowledge” of scripting and coding. 

Twitter acknowledged the problem five days later and appeared to have fixed the problem a week after that, when it rewarded Zhirinovskiy with a $5,040 bounty for bringing the vulnerability to its attention. 

A seller with the username ‘devil’ claims that “Celebrities, to Companies, randoms, OGs, etc” are included in the data set and is asking for at least $30,000, RestorePrivacy says. 

A spokesperson from Twitter told Fortune: “We received a report of this incident several months ago through our bug bounty program, immediately investigated thoroughly and fixed the vulnerability.”

The spokesperson added that Twitter was “reviewing the latest data to verify the authenticity of the claims and ensure the security of the accounts in question.”

https://fortune.com/2022/07/26/twitter-user-data-breach-hacker-lists-database-of-5-million-users-for-sale/

Tags: Twitter Hack


Jul 26 2022

AWS Adds More Tools to Secure Cloud Workloads

Category: AWS SecurityDISC @ 2:16 pm

Amazon Web Services (AWS) today expanded its portfolio of cloud security tools as part of an ongoing effort to make it simpler to secure application environments running on its infrastructure.

The additional services, announced at the AWS re:Inforce event, include support for Amazon EBS Volumes within the Amazon GuardDuty Malware Protection service and the ability to automatically share security findings between Amazon GuardDuty and AWS Security Hub.

In addition, the Amazon Macie data security service can now review and validate sensitive data found in an Amazon S3 cloud storage service, while Amazon Detective can now analyze logs generated by the Amazon Elastic Kubernetes Service (EKS).

AWS is also making it possible to assign a numeric compliance measurement value to Conformance Packs to make it easier to identify major deviations in security posture and is making available in preview an encrypted collaboration service dubbed AWS Wickr.

Finally, AWS is making available in preview tools to assess the security of third-party applications in its marketplace and revealed that the AWS Single Sign-On service (AWS SSO) has been rebranded AWS IAM Identity Center to better reflect the expanded role of the platform.

CJ Moses, CISO and vice president of security engineering for AWS, reminded attendees that they should be encrypting everything in the cloud and providing external access to data and applications only when required; in particular, organizations should block public access to cloud storage services, he noted.

The rollout of the latest AWS security services comes at a time of intense focus on cloud security as part of a larger effort to better secure software supply chains after a series of high-profile breaches. In general, cloud platforms are more secure than on-premises IT environments; however, the processes used to build and deploy cloud applications are often problematic and can introduce risk. Developers routinely employ open source tools like Terraform to provision cloud infrastructure and accelerate application development. Most of those developers have limited cybersecurity expertise so, inevitably, mistakes are made. The chronic shortage of cybersecurity expertise means most organizations are not able to keep pace with the rate at which workloads are being deployed in the cloud.

AWS contends its platform is more secure than rival platforms because of what it describes as automated reasoning technology, which uses mathematical logic to, for example, detect entire classes of misconfigurations; as a result, AWS says it can prove formally that a given configuration is secure. The issue organizations encounter is that every cloud service provider works from a shared-responsibility model: the customer is responsible both for configuring the infrastructure correctly and for securing the applications deployed on it. Developers, unfortunately, tend to assume more automation is being applied to secure workloads than actually is.
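The "entire classes of misconfigurations" AWS refers to are well illustrated by a bucket policy that grants access to a wildcard principal. The following Python check, added here as an example and not AWS's own tooling, flags Allow statements in a bucket policy JSON whose principal is "*" and that carry no condition tying that principal to an organisation, account, VPC or identity. The set of scoping condition keys and the two sample policies (placeholder bucket name, account id and org id) are assumptions made for the demo.

```python
import json

# Condition keys that bind a "*" principal to a known caller; an Allow scoped by one
# of these is reachable only from your org, account, VPC or a named identity, which
# is how IAM Access Analyzer distinguishes "shared" from "public". (Assumption: a
# common subset; extend it for your environment.)
SCOPING_KEYS = {k.lower() for k in (
    "aws:PrincipalOrgID", "aws:PrincipalAccount", "aws:PrincipalArn",
    "aws:SourceAccount", "aws:SourceArn", "aws:SourceVpc", "aws:SourceVpce",
)}
# Only positive matches narrow the principal: StringNotEquals on aws:PrincipalOrgID
# inside an Allow widens it to everyone *outside* the org.
POSITIVE_OPERATORS = {"stringequals", "stringequalsignorecase", "stringlike",
                      "arnequals", "arnlike"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def principal_is_wildcard(principal):
    """True for "*" and for {"AWS": "*"} / {"AWS": [..., "*"]}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p == "*" for values in principal.values() for p in _as_list(values))
    return False


def condition_scopes_principal(condition):
    for operator, key_values in (condition or {}).items():
        op = operator.lower().replace("ifexists", "")
        if op in POSITIVE_OPERATORS and any(k.lower() in SCOPING_KEYS for k in key_values):
            return True
    return False


def find_public_statements(policy_json):
    """Return the Allow statements of a bucket policy that grant access to anyone."""
    policy = json.loads(policy_json)
    findings = []
    for st in _as_list(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        if not principal_is_wildcard(st.get("Principal")):
            continue
        if condition_scopes_principal(st.get("Condition")):
            continue
        findings.append({
            "sid": st.get("Sid", "<no Sid>"),
            "actions": _as_list(st.get("Action", [])),
            "resources": _as_list(st.get("Resource", [])),
        })
    return findings


# Constructed policies for the demo; bucket name, account id and org id are placeholders.
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "AppWriter", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/app"},
         "Action": ["s3:PutObject"], "Resource": "arn:aws:s3:::example-bucket/*"},
    ],
})
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "OrgRead", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorgid"}}},
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*",
         "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
})

if __name__ == "__main__":
    for name, pol in (("weak", WEAK_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, find_public_statements(pol))
```

S3 Block Public Access at the account level stops such policies being attached in the first place; a check like this is for auditing policies that already exist, and for wiring into a CI step that reviews Terraform plans before they are applied.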

On the plus side, more organizations are also starting to embrace DevSecOps best practices to make software supply chains more secure. The challenge is that no matter how much time and effort is made to educate developers, there will always be a development team that makes a mistake— and cybercriminals will find a way to exploit it.

AWS Security Cookbook: Practical solutions for managing security policies, monitoring, auditing, and compliance with AWS

Tags: AWS security, AWS Security Cookbook, AWS tools


Jul 26 2022

T-Mobile to cough up $500 million over 2021 data breach

Category: Data Breach,data securityDISC @ 8:46 am

Just under a year ago, the US arm of telecoms giant T-Mobile admitted to a data breach after personal information about its customers was offered for sale on an underground forum.

At the time, VICE Magazine claimed to have communicated with the hacker behind the breach via online chat, and to have been offered “T-Mobile USA. Full customer info.”

VICE’s Motherboard reporters wrote at the time that:

The data include[d] social security numbers, phone numbers, names, physical addresses, unique IMEI numbers, and driver licenses information, the seller said. Motherboard has seen samples of the data, and confirmed they contained accurate information on T-Mobile customers.

IMEI is short for International Mobile Equipment Identity, a globally unique serial number burned into your phone when it’s manufactured. Because the IMEI is considered a “non-resettable identifier”, apps on both Android and iOS are restricted from accessing it unless they have been granted special device management privileges, and developers are instructed to rely on user-resettable identifiers such as advertising IDs when legitimately tracking users and devices. You can view your phone’s IMEI by dialling the special phone number *#06#.

Reuters reports that T-Mobile has agreed, in a US federal court in Missouri, to make $350,000,000 available for what are known in America as class-action settlements.

Class actions involve individuals, who would otherwise need to sue individually for impossibly small amounts, banding together with a team of attorneys to bring lawsuits that combine their individual complaints.

Part of the $350 million mega-settlement, says Reuters, is up to $105,000,000 (30% of the total amount) for the lawyers, leaving a slightly less dramatic $245 million for the individuals who joined the suit.

Apparently, more than 75 million people were affected in the breach, though with the standard payout listed by Reuters as $25 per person, it looks as though fewer than 10 million of them decided to sign up to be part of the legal action.

According to Reuters, T-Mobile will also commit to spending “an additional US$150 million to upgrade data security”, bringing its total settlement pledge to half-a-billion dollars.

In return, T-Mobile doesn’t have to admit guilt, so this isn’t a fine or a criminal penalty – it’s a civil agreement to settle the matter.

The settlement still needs approval from the court, which is expected by the end of 2022.

Cyber insurance matters in a data breach of this size; insufficient coverage can even become a business-limiting factor.

Tags: T-Mobile


Jul 25 2022

PCI DSS: Which PCI SAQ is Right for My Business?

Category: pci dssDISC @ 12:25 pm

Organisations that fall within Levels 2–4 of the PCI DSS (Payment Card Industry Data Security Standard) can attest to compliance with an SAQ (self-assessment questionnaire).

You will fall into one of those levels if your organisation processes fewer than six million card transactions per year.

There are several types of questionnaire, and in this blog we help you understand which one is right for you.

What is a PCI SAQ?

Organisations that are subject to the PCI DSS must demonstrate that they have taken appropriate steps to secure the payment card data that they hold.

There are two ways to do this: with a PCI SAQ or an RoC (report on compliance). Each payment brand (American Express, Discover, JCB, MasterCard and Visa) has its own requirements, so they establish the eligibility criteria for SAQ or RoC.

The PCI SAQ is the less rigorous method and is typically used for organisations that process fewer than six million transactions annually.

Once it’s completed, the PCI SAQ is signed off by an officer of the merchant or service provider, validating the organisation’s compliance practices.

PCI SAQ types

There are several types of PCI SAQ that apply in certain circumstances. It’s essential that organisations choose the correct assessment. They are as follows:

SAQ A

For merchants that outsource their entire card data processing to validated third parties. This includes e-commerce merchants and mail/telephone order merchants. 

It applies where: 

  • The merchant’s website is hosted and managed by a PCI-compliant third-party payment processor; or 
  • The merchant’s website provides an iframe (inline frame) or URL that redirects customers to a PCI-compliant third-party payment processor. 

Nearly all online merchants aim for SAQ A, because it is the simplest, least time-consuming assessment.

SAQ A-EP

For e-commerce merchants that don’t receive cardholder data but do control the method through which data is redirected to a third-party payment processor. 

It applies where: 

  • The merchant’s website creates a payment form and “direct posts” payment data to a PCI-compliant third-party payment processor; or 
  • The merchant’s website provides an iframe or URL that redirects a consumer to a PCI-compliant third-party payment processor, but some elements of the payment page originate from the merchant website. 

SAQ B

For merchants that only process credit card data via imprint machines or via a standalone dial-out terminal. 

Card imprint machines are non-electronic machines that make an imprint of the payment card, transferring the imprint onto a carbon paper receipt, which is then stored by the merchant. 

Dial-out terminals are electronic machines that use chip and PIN and swipe cards, or require users to manually key in information. To be eligible for SAQ B, a merchant’s standalone dial-out terminal must be connected to a phone line and nothing else. 

SAQ B-IP

For merchants that don’t store card data in electronic format but use IP-connected POI (point-of-interaction) devices. These merchants may handle either card-present or card-not-present transactions.

SAQ C-VT

For merchants that process cardholder data via a virtual payment terminal rather than a computer system. A virtual terminal provides web-based access to a third party that hosts the virtual terminal payment-processing function. 

SAQ C

For merchants that process cardholder data via POS (point-of-sale) systems or other payment application systems connected to the Internet. 

To be eligible for SAQ C, a merchant must operate isolated payment application systems that are connected to the Internet and don’t store electronic cardholder data. 

SAQ D

For those that don’t fit into any of the above categories. It is often referred to as ‘Report on Compliance Light’, because it requires organisations to go through all 12 PCI DSS requirements, albeit on a reduced scale. 

There are separate forms for merchants and service providers. 

SAQ P2PE-HW

For merchants that use card-present transactions, meaning it is not applicable to organisations that deal in e-commerce. 

Merchants that use a PCI-validated P2PE (point-to-point encryption) solution and have implemented it successfully are eligible for SAQ P2PE-HW. 

Identify the right SAQ with IT Governance

Hopefully you’ve now identified which SAQ applies to you, but how do you go about completing the form?

That’s where our PCI DSS Documentation Toolkit can help. It contains all the template documents you need to ensure complete coverage of your PCI DSS requirements.

All you need do is fill in the sections that are relevant to your organisation.

The toolkit also contains a document checker to help you select and edit the appropriate policy, so that you can create and amend documents as needs arise.

The toolkit supports all self-assessment questionnaires, regardless of your specific payment scenario.

It’s fully aligned with the PCI DSS, so you can be sure that your policies are accurate and compliant with the Standard.

PCI DSS Subscription Program

PCI DSS: An Integrated Data Security Standard Guide 

Tags: pci dss, PCI SAQ


Jul 25 2022

Office macro security: on-again-off-again feature now BACK ON AGAIN!

Category: Cyber SpyDISC @ 8:28 am

The phrase Office macros is a harmless-sounding, low-tech name that refers, in real life, to program code you can squirrel away inside Office files so that the code travels along with the text of a document, or the formulas of a spreadsheet, or the slides in a presentation…

…and even though the code is hidden from sight in the file, it can nevertheless sneakily spring into life as soon as you use the file in any way.

Those hidden macros, indeed, can be configured (by the sender, not by the recipient, you understand!) to trigger automatically when the file is opened; to override standard items in Office’s own menu bar; to run secondary programs; to create network connections; and much more.

Almost anything, in fact, that you could do with a regular .EXE file, which is the sort of file that few of us would willingly accept via email at all, even from someone we knew, and that most of us would be deeply cautious about downloading from a website we didn’t already know and trust.

Fighting back against cybercriminals

Thanks to macros and the hidden programming power they provide, Office documents have been widely used by cybercriminals for implanting malware since the 1990s.

Curiously, though, it took Microsoft 20 years (actually, closer to 25, but we’ll be charitable and round it down to two decades) to block Office macros by default in files that arrived over the internet.

As regular Naked Security readers will know, we were as keen as mustard about this simple change of heart, proclaiming the news, back in February 2022, with the words, “At last!”

To be fair, Microsoft already had an operating system setting that you could use to turn on this safety feature for yourself, but by default it was off.

Enabling it was easy in theory, but not straightforward in practice, especially for small businesses and home users.

Either you needed a network with a sysadmin, who could turn it on for you using Group Policy, or you had to know exactly where to go and what to tweak by yourself on your own computer, using the policy editor or hacking the registry yourself.

So, turning this setting on by default felt like an uncontroversial cybersecurity step forward for the vast majority of users, especially given that the few who wanted to live dangerously could use the aforementioned policy edits or registry hacks to turn the security feature back off again.

Apparently, however, these “few” turned out [a] to be more numerous than you might have guessed and [b] to have been more inconvenienced by the change than you might have expected:

https://twitter.com/NakedSecurity/status/1548992597129043970

Notably, many people using cloud servers (including, of course, Microsoft’s own online data storage services such as SharePoint and OneDrive) had got used to using external servers, with external server names, as repositories that their friends or colleagues were expected to treat as if they were internal, company-owned resources.

Remember that old joke that “the cloud” is really just shorthand for “someone else’s computer”? Turns out that there’s many a true word spoken in jest.

Organisations that relied on sharing documents via cloud services, and who hadn’t taken the appropriate precautions to denote which external servers should be treated as official company sources…

…found their macros blocked by default, and voiced their displeasure loudly enough that Microsoft officially relented around the middle of 2022.

Within 20 weeks, a change that cybersecurity experts had spent 20 years hoping for had been turned off once more.

What to do?

The hows, whys and wherefores of Office macro security are now officially explained in two Microsoft documents:

Beginning Security with Microsoft Technologies: Protecting Office 365, Devices, and Data

DISC InfoSec

#InfoSecTools and #InfoSectraining

#InfoSecLatestTitles

#InfoSecServices

Ask DISC an InfoSec & compliance related question

Tags: Office macro security


Jul 23 2022

Hackers for Hire: Adversaries Employ ‘Cyber Mercenaries’

Category: Hacking,Information SecurityDISC @ 2:14 pm

Also known as the Atlantis Cyber-Army, the emerging organization has an enigmatic leader and a core set of admins that offer a range of services, including exclusive data leaks, DDoS and RDP.

A for-hire cybercriminal group is feeling the talent-drought in tech just like the rest of the sector and has resorted to recruiting so-called “cyber-mercenaries” to carry out specific illicit hacks that are part of larger criminal campaigns.

Dubbed Atlas Intelligence Group (A.I.G.), the cybergang has been spotted by security researchers recruiting independent black-hat hackers to execute specific aspects of its own campaigns. A.I.G., also known as Atlantis Cyber-Army, functions as a cyber-threats-as-a-service criminal enterprise. The threat group markets services that include data leaks, distributed denial of service (DDoS), remote desktop protocol (RDP) hijacking and additional network penetration services, according to a Thursday report by threat intelligence firm Cyberint.

“[A.I.G.] has introduced us to out-of-the-box thinking,” Cyberint’s Shmuel Gihon wrote in the report.


A.I.G., according to researchers, is unique in its outsourcing approach to committing cybercrimes. Organized threat groups tend to recruit individuals with certain capabilities that they can reuse and incent them with profit sharing. For example, Ransomware-as-a-Service organized crime campaigns can involve multiple threat actors – each getting a cut of any extorted lucre or digital assets stolen. What makes A.I.G. different is it outsources specific aspects of an attack to “mercenaries” who have no further involvement in an attack.

The report’s author, Gihon, said only A.I.G. administrators and the group’s leader—dubbed Mr. Eagle—know fully what the campaign will be and outsource isolated tasks to hired guns based on their skillsets.

Unique Business Model

This uncommon business model also allows the group, which has been operating since the beginning of May, to offer a range of cybercriminal services instead of a single core competency, he said.

“While many groups are focusing on one, maybe two, services that they offer, Atlas seems to grow rapidly and expand its operations in an efficient way which allows them to offer many services,” Gihon wrote.

A.I.G. tends to target government and state assets in countries all over the world, including the United States, Pakistan, Israel, Colombia and the United Arab Emirates, researchers found.

Mr. Eagle not only leads the campaigns but also doubles as a chief marketing officer of sorts, putting a significant effort into advertising A.I.G.’s various cybercriminal services, he said.

Anatomy of a Threat Group

Cyber Mercenaries: The State, Hackers, and Power

Tags: Cyber mercenaries, Hackers for Hire


Jul 22 2022

Candiru surveillance spyware DevilsTongue exploited Chrome Zero-Day to target journalists

Category: Web Security,Zero dayDISC @ 9:13 am

The spyware developed by Israeli surveillance firm Candiru exploited the recently fixed CVE-2022-2294 Chrome zero-day in attacks on journalists.

Researchers from the antivirus firm Avast reported that the DevilsTongue spyware, developed by Israeli surveillance firm Candiru, was used in attacks against journalists in the Middle East and exploited the recently fixed CVE-2022-2294 Chrome zero-day.

The flaw, which was fixed by Google on July 4, 2022, is a heap buffer overflow in the Web Real-Time Communications (WebRTC) component; it is the fourth zero-day patched by Google in 2022.

Most of the attacks uncovered by Avast researchers took place in Lebanon and threat actors used multiple attack chains to target the journalists. Other infections were observed in Turkey, Yemen, and Palestine since March 2022.

In one case the threat actors conducted a watering hole attack by compromising a website used by employees of a news agency.

The researchers noticed that the website contained artifacts associated with attempts to exploit an XSS flaw. The pages contained calls to the JavaScript function “alert” along with keywords like “test”, which suggests the attackers were testing the XSS vulnerability before ultimately exploiting it to inject the loader for malicious JavaScript from an attacker-controlled domain (i.e. stylishblock[.]com).


This injected code was used to route the victims to the exploit server, through a chain of domains under the control of the attacker.

Once the victim lands on the exploit server, code developed by Candiru gathers more information about the target system, and only if the collected data satisfies the exploit server’s checks is the exploit used to deliver the spyware.

“While the exploit was specifically designed for Chrome on Windows, the vulnerability’s potential was much wider. Since the root cause was located in WebRTC, the vulnerability affected not only other Chromium-based browsers (like Microsoft Edge) but also different browsers like Apple’s Safari.” reads the analysis published by Avast. “We do not know if Candiru developed exploits other than the one targeting Chrome on Windows, but it’s possible that they did.”

The zero-day was chained with a sandbox escape exploit, but experts were not able to recover it due to the protection implemented by the malware.

After getting a foothold on the victim’s machine, the DevilsTongue spyware attempts to elevate its privileges by exploiting another zero-day. The malicious software targets a legitimate signed kernel driver in a BYOVD (Bring Your Own Vulnerable Driver) fashion. In order to exploit the driver, it has to be first dropped to the filesystem (Candiru used the path C:\Windows\System32\drivers\HW.sys); experts pointed out that this path could be used as an indicator of compromise.

“While there is no way for us to know for certain whether or not the WebRTC vulnerability was exploited by other groups as well, it is a possibility. Sometimes zero-days get independently discovered by multiple groups, sometimes someone sells the same vulnerability/exploit to multiple groups, etc. But we have no indication that there is another group exploiting this same zero-day.” concludes the report.

Tags: Candiru surveillance spyware, Chrome zero-day


Jul 21 2022

Apple patches “0-day” browser bug fixed 2 weeks ago in Chrome, Edge

Category: Web Security,Zero dayDISC @ 2:53 pm

Apple has disgorged its latest patches, fixing more than 50 CVE-numbered security vulnerabilities in its range of supported products.

The relevant security bulletins, update numbers, and where to find them online are as follows:

  • APPLE-SA-2022-07-20-1: iOS 15.6 and iPadOS 15.6, details at HT213346
  • APPLE-SA-2022-07-20-2: macOS Monterey 12.5, details at HT213345
  • APPLE-SA-2022-07-20-3: macOS Big Sur 11.6.8, details at HT213344
  • APPLE-SA-2022-07-20-4: Security Update 2022-005 Catalina, details at HT213343
  • APPLE-SA-2022-07-20-5: tvOS 15.6, details at HT213342
  • APPLE-SA-2022-07-20-6: watchOS 8.7, details at HT213340
  • APPLE-SA-2022-07-20-7: Safari 15.6, details at HT213341

As usual with Apple, the Safari browser patches are bundled into the updates for the latest macOS (Monterey), as well as into the updates for iOS and iPadOS.

But the updates for the older versions of macOS don’t include Safari, so the standalone Safari update (see HT213341 above) therefore applies to users of previous macOS versions (both Big Sur and Catalina are still officially supported), who will need to download and install two updates, not just one.

Zero Days - Season 1


Tags: 0-day, browser bug, zero-day


Jul 21 2022

Enroll for free in ISO 27001 online courses

Category: ISO 27kDISC @ 10:03 am

Build your ISO 27001 knowledge and win new business with Advisera’s free ISO 27001 online courses. And you can be sure that you chose the right learning partner, since all Advisera’s courses are now accredited by ASIC, the internationally respected assurance body for online learning providers worldwide.

The courses’ structure is simple:

  • Modules that cover important topics related to ISO 27001.
  • Video lectures give you an opportunity to learn from ISO 27001 top experts.
  • Quizzes teach you how to apply what you have learned through practical examples.
  • Recap quiz at the end of each module helps you reinforce the acquired knowledge.

Choose your free course

You can choose the course based on your specific needs:

  • ISO 27001 Foundations course – you’ll learn about all of the standard’s requirements and the best practices for compliance.
  • ISO 27001 Internal Auditor course – besides the knowledge about the standard, you’ll also learn how to perform an internal audit in the company.
  • ISO 27001 Lead Auditor course – besides the knowledge about the standard, it also includes the training you need to become certified as a certification auditor.
  • ISO 27001 Lead Implementer course – besides the knowledge about the standard, it also includes the training you need to become an independent consultant for Information Security Management System implementation.

The online courses are suitable both for beginners and experienced professionals.

Learn at your preferred speed from any location at any time.

Tags: ISO 27001 online courses, ISO27k courses, ISO27k training


Jul 21 2022

Microsoft adds default protection against RDP brute-force attacks

Category: Security Operations CenterDISC @ 9:37 am

“Win11 builds now have a DEFAULT account lockout policy to mitigate RDP and other brute force password vectors,” David Weston of Enterprise and OS Security at Microsoft, announced, just as the company confirmed that it will resume the rollout of the default blocking of VBA macros obtained from the internet.

Brute-forced RDP access and malicious macros have for a long time been two of the most popular tactics used by threat actors to gain unauthorized access to Windows systems.

Minimizing the RDP attack vector

The Windows Account Lockout Policy allows enterprise network admins to set a lockout threshold – a specific number of failed logon attempts – after which a user account will be locked.

Brute-forcing is a method used by attackers to take over accounts. Usually automated with the help of a software tool, the attack involves submitting many passwords in a row until the right one is “guessed”.

From Windows 11 build 22528.1000 and onwards, the account lockout threshold is, according to Bleeping Computer, set to 10 failed login attempts in 10 minutes, which should make this type of attack harder to pull off.

The revelation has set off calls for the control to be backported to older Windows and Windows Server versions – a move that’s apparently in the works.
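Detection logic that mirrors the lockout threshold described above (10 failures within 10 minutes), run over constructed failed-logon records; this is an added example, not Microsoft’s code. The pipe-delimited record format and the sample lines are constructed here, while event ID 4625 (failed logon), 4624 (successful logon) and logon types 3 and 10 are the standard Windows Security-log values.

```python
from __future__ import annotations

from collections import defaultdict, deque
from datetime import datetime, timedelta

LOCKOUT_THRESHOLD = 10                    # failed attempts, the Windows 11 default cited above
LOCKOUT_WINDOW = timedelta(minutes=10)    # observation window, also 10 minutes


def parse_record(line: str) -> dict:
    """Parse one constructed 'key=value|key=value' record (not EVTX/XML) into a dict."""
    fields = dict(part.split("=", 1) for part in line.split("|"))
    fields["time"] = datetime.fromisoformat(fields["time"])
    fields["event_id"] = int(fields["event_id"])
    return fields


def detect_lockouts(lines, threshold: int = LOCKOUT_THRESHOLD,
                    window: timedelta = LOCKOUT_WINDOW) -> dict:
    """Return {account: time the threshold was first reached}.

    Only event 4625 (failed logon) with logon type 10 (RemoteInteractive, i.e. RDP)
    or 3 (Network, which NLA-enabled RDP produces) is counted. A sliding window over
    the most recent failures approximates the lockout counter's reset behaviour."""
    recent = defaultdict(deque)   # account -> timestamps of failures inside the window
    hits = {}
    for rec in sorted(map(parse_record, lines), key=lambda r: r["time"]):
        if rec["event_id"] != 4625 or rec["logon_type"] not in ("3", "10"):
            continue
        acct = rec["account"].lower()
        q = recent[acct]
        q.append(rec["time"])
        while rec["time"] - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and acct not in hits:
            hits[acct] = rec["time"]
    return hits


def build_sample_lines() -> list[str]:
    """Constructed records: a 12-failure RDP burst, a slow trickle, and one success."""
    base = datetime(2022, 7, 21, 9, 0, 0)
    rows = []
    for i in range(12):  # 'Administrator' hit every 20 s from one source: 10 failures inside 10 min
        t = base + timedelta(seconds=20 * i)
        rows.append(f"time={t.isoformat()}|event_id=4625|account=Administrator|logon_type=10|src=203.0.113.7")
    for i in range(6):   # 'alice' fails once every 10 min: never 10 inside one window
        t = base + timedelta(minutes=10 * i)
        rows.append(f"time={t.isoformat()}|event_id=4625|account=alice|logon_type=3|src=198.51.100.9")
    t = base + timedelta(minutes=5)   # a successful logon (4624) is not counted
    rows.append(f"time={t.isoformat()}|event_id=4624|account=alice|logon_type=10|src=198.51.100.9")
    return rows


SAMPLE_LINES = build_sample_lines()

if __name__ == "__main__":
    for acct, when in detect_lockouts(SAMPLE_LINES).items():
        print(f"{acct}: lockout threshold reached at {when.isoformat()}")
```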


Minimizing the effect of Brute Force Attack 

Tags: Microsoft, RDP brute-force attacks


Jul 20 2022

Catches of the Month: Phishing Scams for July 2022

Category: PhishingDISC @ 1:41 pm

Welcome to our July 2022 review of phishing attacks, in which we explore the latest email scams and the tactics that cyber criminals use to trick people into handing over their personal data.

This month, we look at a cyber attack at OpenSea, a US school district that was tricked into transferring funds to a crook and a report on the rising threat of phishing.

NFT marketplace warns users of phishing scams

Last month, the world’s largest NFT (non-fungible token) marketplace, OpenSea, disclosed a data breach in which users’ email addresses were compromised.

The organisation’s head of security, Cory Hardman, said that the breach occurred when an employee at a third-party email delivery vendor downloaded the details of OpenSea users and newsletter subscribers.

OpenSea has since warned that the information could be used to launch phishing attacks.

“If you have shared your email with OpenSea in the past, you should assume you were impacted. We are working with Customer.io in their ongoing investigation, and we have reported this incident to law enforcement,” Hardman said.

“Because the data compromise included email addresses, there may be a heightened likelihood for email phishing attempts.”

OpenSea warned users via an email notification

Hardman provided tips to help OpenSea users spot phishing attacks. He urged people to keep an eye out for emails that use domains replicating the genuine OpenSea.io address.

Cyber criminals could do this by using a different top-level domain (such as opensea.org), or by deliberately misspelling the domain name (such as opensae.io).

Hardman also advised users not to download or open email attachments if they believe the message is suspicious, and to never sign wallet transactions if prompted directly via email.
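A check for the two lookalike tactics Hardman describes (a swapped top-level domain such as opensea.org, and a misspelt name such as opensae.io), written as an added example that is not part of the original post; the GENUINE_DOMAINS set and the sample sender addresses are assumptions constructed for the demo.

```python
from __future__ import annotations

# Assumption: the organisation's genuine sending domains (only opensea.io appears in the article).
GENUINE_DOMAINS = {"opensea.io"}


def split_domain(domain: str) -> tuple[str, str]:
    """Split 'name.tld' into ('name', 'tld'); any subdomain labels stay in the name part."""
    domain = domain.lower().strip().rstrip(".")
    name, _, tld = domain.rpartition(".")
    return name, tld


def damerau_levenshtein(a: str, b: str) -> int:
    """Edit distance where swapping two adjacent letters (opensea -> opensae) costs one edit."""
    prev2 = None
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i] + [0] * len(b)
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            cur[j] = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                cur[j] = min(cur[j], prev2[j - 2] + 1)   # adjacent transposition
        prev2, prev = prev, cur
    return prev[len(b)]


def classify_sender_domain(domain: str, genuine: set[str] = GENUINE_DOMAINS,
                           max_edits: int = 2) -> str:
    """'genuine', 'tld-swap' (opensea.org), 'lookalike' (opensae.io, 0pensea.io) or 'unrelated'."""
    domain = domain.lower().strip().rstrip(".")
    name, tld = split_domain(domain)
    for real in genuine:
        if domain == real or domain.endswith("." + real):
            return "genuine"          # the domain itself or a subdomain of it
    for real in genuine:
        real_name, real_tld = split_domain(real)
        if name == real_name and tld != real_tld:
            return "tld-swap"
        if 0 < damerau_levenshtein(name, real_name) <= max_edits:
            return "lookalike"
    return "unrelated"


def triage_senders(addresses: list[str]) -> dict[str, str]:
    """Map each sender address (or bare domain) to its verdict."""
    return {addr: classify_sender_domain(addr.rsplit("@", 1)[-1]) for addr in addresses}


# Constructed sample senders mirroring the two tactics in the article (not real observed senders).
SAMPLE_SENDERS = [
    "support@opensea.io",
    "alerts@mail.opensea.io",
    "security@opensea.org",    # same name, different top-level domain
    "support@opensae.io",      # transposed letters
    "noreply@0pensea.io",      # digit zero in place of the letter o
    "newsletter@example.net",
]

if __name__ == "__main__":
    for addr, verdict in triage_senders(SAMPLE_SENDERS).items():
        print(f"{verdict:<10} {addr}")
```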

It was that technique that caught out fans of the NFT artist Beeple last month. His Twitter account was hacked, with the attackers stealing $70,000 (about £56,000) worth of cryptocurrency.

In addition to the theft, the cyber criminals shared a phishing link on Beeple’s Twitter account that, if clicked, took money directly from their wallets.

Incidents such as this and the OpenSea hack demonstrate the challenges that NFT trading presents. Although many people are enticed into NFTs because the market is unregulated, that also creates major security risks.

Whereas banks and other regulated trading platforms are required to take steps to protect people’s assets – and will typically have proof of unauthorised access – the crypto culture emphasises personal responsibility.

If a cyber criminal compromises a crypto wallet, victims have little recourse and will have to accept their loss.

School district accidentally wires $200,000 to fraudulent bank

The Floyd County School District in Georgia admitted in June that it had wired $197,672.76 (about £164,000) to a bank account controlled by cyber criminals.

Officials said they received the request from an email address seemingly associated with Ben Hill Roofing, an organisation that had previously worked with a school in the district.

Floyd County Schools made the payment on 29 April, and was only alerted to its mistake after the real Ben Hill Roofing submitted an invoice.

Speaking to a local news outlet, the school district said: “Floyd County Schools has been made aware of a spear phishing incident, which is a targeted email attack pretending to be from a trusted sender. This cyber-attack resulted in funds being stolen from the school system by an outside source.”

It added: “We are working with local law enforcement, GEMA, GBI, and insurance officials to recover the funds.

“Because of the cyber security measures FCS has put in place over the past few years, school system officials believe this is an isolated incident. Due to the ongoing investigation, more details cannot be released at this time.”

Floyd County Schools has since recovered almost all of the stolen funds following a police investigation. Officers traced the stolen money to a bank in Texas, which had already flagged the account as suspicious.

Phishing attacks reach all-time high, report finds

The first three months of 2022 saw more than a million reported phishing attacks, according to the APWG’s Phishing Activity Trends Report.

It’s the highest number of phishing attacks that has ever been reported in a quarter, and it follows a steady increase in attacks throughout the past year. In April 2021, the APWG observed just over 200,000 phishing attacks. By March 2022, it almost doubled, to 384,291. 

According to the report, the industry most likely to be targeted was the financial sector. It found that 23.6% of all incidents affected organisations that provide such services. 

The next most frequent targets were software-as-a-service and webmail providers (20.5%) and e-commerce sites and retail stores (14.6%).

The report also found that 12.5% of phishing attacks target social media sites, while cryptocurrency platforms account for 6.6% of incidents. 

According to John Wilson, Senior Fellow of Threat Research at HelpSystems, the majority of phishing attacks are conducted using BEC (business e-mail compromise).

Wilson noted that in the first quarter of 2022, 82% of BEC messages were sent from free webmail accounts. Gmail is the most popular provider, accounting for 60% of BEC scams. 

Meanwhile, 18% of BEC messages used email domains owned by the attacker. 

The report also found that the average sum that scammers requested in wire transfer BEC attacks in Q1 2022 was $84,512 (about €98,000). This is a significant increase over the previous quarter, in which scammers requested €50,027 (about €58,000) on average. 

Can you spot a scam?

All organisations are vulnerable to phishing, no matter their size or the sector, so it’s essential to understand how you might be targeted and what you can do to prevent a breach.

You can help educate your staff with IT Governance’s Phishing Staff Awareness Training Programme.

This 45-minute course uses real-world examples like the ones we’ve discussed here to explain how phishing attacks work, the tactics that cyber criminals use and how you can detect malicious emails.

Tags: Phishing scams, phishing training


Jul 20 2022

The past, present and future of Metasploit

Category: Security ToolsDISC @ 9:19 am

Metasploit is the most used penetration testing framework. In this Help Net Security video, Spencer McIntyre, Lead Security Researcher at Rapid7, talks about how Metasploit enables defenders to always stay one step (or two) ahead of the game, and offers a glimpse into the future.

McIntyre is a lead security researcher at Rapid7, where he manages the Metasploit Framework’s dedicated research and development team. He has been contributing to Metasploit since 2010, a committer since 2014, and a core team member at Rapid7 since 2019.

#METASPLOIT: Utilize the Most Frequently Used Penetration Testing Framework


Tags: Metasploit


Jul 20 2022

Millions of vehicles can be attacked via MiCODUS MV720 GPS Trackers

Category: Cyber Attack,Hardware Security,Threat detectionDISC @ 8:28 am

Multiple flaws in MiCODUS MV720 Global Positioning System (GPS) trackers, shipped with over 1.5 million vehicles, can allow hackers to remotely compromise them.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) published an advisory to warn of multiple security vulnerabilities in MiCODUS MV720 Global Positioning System (GPS) trackers which are used by over 1.5 million vehicles.

MiCODUS flaws

An attacker can exploit the flaws to remotely disrupt critical functions of the impacted vehicles.

“CISA has released an Industrial Controls Systems Advisory (ICSA) detailing six vulnerabilities that were discovered in MiCODUS MV720 Global Positioning System Tracker. Successful exploitation of these vulnerabilities may allow a remote actor to exploit access and gain control the global positioning system tracker.” reads the advisory published by CISA. “These vulnerabilities could impact access to a vehicle fuel supply, vehicle control, or allow locational surveillance of vehicles in which the device is installed.”

The MiCODUS MV720 GPS Tracker is a popular vehicle GPS tracker manufactured in China, which is used by consumers for theft protection and location management, and by organizations for vehicle fleet management.

The flaws were discovered by BitSight researchers and are tracked as CVE-2022-2107, CVE-2022-2141, CVE-2022-2199, CVE-2022-34150 and CVE-2022-33944.

Researchers from BitSight who discovered the issues reported that threat actors could hack into the tracker to potentially cut off fuel, physically stop vehicles, or track the movement of vehicles using the device.

MiCODUS is used today by 420,000 customers in multiple industries, including government, military, law enforcement agencies, and Fortune 1000 companies.

The list of the vulnerabilities discovered by the researchers in September 2021 is reported below:

  • CVE-2022-2107 (CVSS score: 9.8) – The use of hard-coded credentials may allow an attacker to log into the web server, impersonate the user, and send SMS commands to the GPS tracker as if they were coming from the GPS owner’s mobile number.
  • CVE-2022-2141 (CVSS score: 9.8) – Improper authentication allows a user to send some SMS commands to the GPS tracker without a password.
  • CVE-2022-2199 (CVSS score: 7.5) – A cross-site scripting vulnerability could allow an attacker to gain control by deceiving a user into making a request.
  • CVE-2022-34150 (CVSS score: 7.1) – The main web server has an authenticated Insecure Direct Object References (IDOR) vulnerability on parameter “Device ID,” which accepts arbitrary Device IDs without further verification.
  • CVE-2022-33944 (CVSS score: 6.5) – The main web server has an authenticated IDOR vulnerability on POST parameter “Device ID,” which accepts arbitrary Device IDs.
  • Experts found a sixth issue that has yet to receive a CVE (CVSS score: 8.1): all devices ship preconfigured with the default password 123456, as does the mobile interface. There is no mandatory rule to change the password, nor is there any claiming process. The setup itself does not require a password change to use the device. We observed that many users have never changed their passwords.

The analysis of the sector usage on a global scale revealed significant differences by continent in the typical user profile. Most North American organizations using flawed MiCODUS devices are in the manufacturing sector, while those in South America are government entities. MiCODUS users in Europe belong to diverse sectors, ranging from finance to energy.

BitSight recommends that users immediately cease using or disable any MiCODUS MV720 GPS trackers due to the severity of the flaws, at least until the vendor addresses the issues.

“If China can remotely control vehicles in the United States, we have a problem,” said Richard Clarke, internationally renowned national security expert and former presidential advisor on cybersecurity. “With the fast growth in adoption of mobile devices and the desire for our society to be more connected, it is easy to overlook the fact that GPS tracking devices such as these can greatly increase cyber risk if they are not built with security in mind. BitSight’s research findings highlight how having secure IoT infrastructure is even more critical when these vulnerabilities can easily be exploited to impact our personal safety and national security, and lead to extreme outcomes such as large-scale fleet management interruption and even loss of life.”

Researchers highlighted the risk that a nation-state actor could exploit the above vulnerabilities to gather intelligence on entities operating in the military or one of its suppliers. Data such as supply routes, troop movements, and recurring patrols could be revealed by exploiting these flaws.

“Although GPS trackers have existed for many years, streamlined manufacturing of these devices has made them accessible to anyone. Having a centralized dashboard to monitor GPS trackers with the ability to enable or disable a vehicle, monitor speed, routes and leverage other features is useful to many individuals and organizations. However, such functionality can introduce serious security risks. Unfortunately, the MiCODUS MV720 lacks basic security protections needed to protect users from serious security issues. With limited testing, BitSight uncovered a multitude of flaws affecting all components of the GPS tracker ecosystem.” concludes the report. “BitSight recommends that individuals and organizations currently using MiCODUS MV720 GPS tracking devices disable these devices until a fix is made available. Organizations using any MiCODUS GPS tracker, regardless of the model, should be alerted to insecurity regarding its system architecture, which may place any device at risk.”

Unpatched flaws in popular GPS devices could let hackers disrupt and track vehicles


These days, the security of cars is essential. Thieves are finding more ways of stealing cars and other four-wheeled vehicles. In this book we give details of an anti-theft system that helps car owners secure their cars. This system is efficient and affordable, and it gives more advantages than other anti-theft systems. The main feature of this system is that the owner will get information if the car is being stolen, along with the location of the car (longitude and altitude).

Anti-theft Locking and Tracking system using GSM and GPS Technology

Tags: Car Security, GPS Trackers


Jul 19 2022

Russia-linked APT29 relies on Google Drive, Dropbox to evade detection

Category: APT,Threat detectionDISC @ 8:43 am

Russia-linked threat actors APT29 are using the Google Drive cloud storage service to evade detection.

Palo Alto Networks researchers reported that the Russia-linked APT29 group, tracked by the researchers as Cloaked Ursa, started using the Google Drive cloud storage service to evade detection.

The Russia-linked APT29 group (aka SVR group, Cozy Bear, and The Dukes) has been active since at least 2014; along with the APT28 cyber espionage group, it was involved in the Democratic National Committee hack and the wave of attacks aimed at the 2016 US Presidential Elections.

The attackers used online storage services to exfiltrate data and drop their malicious payloads.

The use of legitimate cloud services is not a novelty to this nation-state actor, but experts pointed out that in the two most recent campaigns the hackers leveraged Google Drive cloud storage services for the first time.

“The ubiquitous nature of Google Drive cloud storage services – combined with the trust that millions of customers worldwide have in them – make their inclusion in this APT’s malware delivery process exceptionally concerning.” reads the analysis published by Palo Alto Networks. “The most recent campaigns by this actor provided a lure of an agenda for an upcoming meeting with an ambassador.”

The recent campaigns observed by the experts targeted multiple Western diplomatic missions between May and June 2022. The lures included in these campaigns revealed that the nation-state actors targeted a foreign embassy in Portugal as well as a foreign embassy in Brazil. The phishing messages included a link to a malicious HTML file (EnvyScout) that acted as a dropper for additional malicious payloads, including a Cobalt Strike beacon.

APT29

EnvyScout is a tool used to further infect the target with other implants. Threat actors used it to deobfuscate the contents of the second-stage malware, which takes the form of a malicious ISO file. This technique is known as HTML smuggling.

Threat hunting based on the creation time of the phishing message and on the producer and PDF-version metadata of the sample analyzed by Palo Alto Networks allowed the experts to identify other suspicious documents that were uploaded to VirusTotal in early April 2022.

“Many of these documents appear to be phishing documents associated with common cybercrime techniques. This suggests that there is likely a common phishing builder being leveraged by cybercrime and APT actors alike to generate these documents.” continues the report.

The file Agenda.html employed in the attack was used to deobfuscate a payload, and also for writing a malicious ISO file to the victim’s hard drive. The payload file is an ISO file named Agenda.iso.

Once the ISO has been downloaded, the user has to click it to start the infection chain and execute the malicious code on the target system. The user must double-click the ISO file and subsequently double-click the shortcut file, Information.lnk, to launch the infection process.
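A static triage scanner for the HTML-smuggling pattern described above (a script that decodes an embedded blob in the browser and writes it out as an ISO carrying a shortcut); this is an added example, not code from Palo Alto Networks or from EnvyScout. The HTML sample, the API strings and the file signatures it checks are assumptions constructed for the demo, not indicators taken from the report.

```python
from __future__ import annotations

import base64
import re

# JavaScript APIs commonly used to turn an in-page blob into a file download (assumed heuristics).
DROPPER_APIS = ("atob(", "new Blob(", "URL.createObjectURL(", "msSaveOrOpenBlob(")
# A download attribute or literal name ending in a container/shortcut type.
FILENAME_RE = re.compile(r"""(?:download\s*=\s*|name\s*=\s*)["']?([\w.-]+\.(?:iso|img|lnk|zip))""", re.I)
# Long quoted base64 runs are candidates for the smuggled payload.
B64_RE = re.compile(r"""["']([A-Za-z0-9+/]{64,}={0,2})["']""")


def identify_blob(data: bytes) -> str | None:
    """Name the container by magic bytes: ISO 9660 has 'CD001' at 0x8001, LNK starts 4C 00 00 00 01 14 02 00, ZIP 'PK'."""
    if len(data) > 0x8006 and data[0x8001:0x8006] == b"CD001":
        return "iso9660"
    if data.startswith(b"\x4c\x00\x00\x00\x01\x14\x02\x00"):
        return "lnk"
    if data.startswith(b"PK\x03\x04"):
        return "zip"
    return None   # e.g. an inline PNG/JPEG data URI, which is benign for this check


def scan_html(html: str) -> dict:
    """Report dropper APIs, hinted filenames and decodable container blobs found in the HTML."""
    apis = [api for api in DROPPER_APIS if api in html]
    names = FILENAME_RE.findall(html)
    blobs = []
    for b64 in B64_RE.findall(html):
        try:
            kind = identify_blob(base64.b64decode(b64, validate=True))
        except ValueError:
            continue          # not valid base64 after all
        if kind:
            blobs.append(kind)
    # Verdict: a decodable container plus a client-side dropper API is the smuggling signature.
    suspicious = bool(blobs) and bool(apis)
    return {"apis": apis, "filenames": names, "blobs": blobs, "suspicious": suspicious}


def build_sample_html() -> str:
    """Construct a toy page that smuggles a zero-filled ISO 9660 image (constructed, not a real sample)."""
    iso = bytearray(0x8800)               # empty image with only the volume-descriptor marker set
    iso[0x8001:0x8006] = b"CD001"
    payload = base64.b64encode(bytes(iso)).decode()
    return (
        "<html><body><script>\n"
        f"var b = atob('{payload}');\n"
        "var a = new Uint8Array(b.length);\n"
        "for (var i = 0; i < b.length; i++) a[i] = b.charCodeAt(i);\n"
        "var blob = new Blob([a], {type: 'application/octet-stream'});\n"
        "var l = document.createElement('a');\n"
        "l.href = URL.createObjectURL(blob); l.download = 'Agenda.iso'; l.click();\n"
        "</script></body></html>"
    )


if __name__ == "__main__":
    print(scan_html(build_sample_html()))
```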

“Their two most recent campaigns demonstrate their sophistication and their ability to obfuscate the deployment of their malware through the use of DropBox and Google Drive services. This is a new tactic for this actor and one that proves challenging to detect due to the ubiquitous nature of these services and the fact that they are trusted by millions of customers worldwide.” concludes the report.

Attribution of Advanced Persistent Threats: How to Identify the Actors Behind Cyber-Espionage

Tags: APT29, dropbox, Google drive

