A collection point
...and some of my own.
AESDDoS botnet malware targets Docker containers
Robert Abel: A newly discovered botnet malware exploits an API misconfiguration in the open-source version of the DevOps tool Docker Engine-Community to infiltrate containers and run a variant of the Linux botnet malware AESDDoS, according to a Trend Micro blog post. “Docker APIs that run on container hosts allow the hosts to receive all container-related commands that the daemon, which runs with root permission, will execute,” Trend Micro researchers wrote. “Allowing external access — whether intentionally or by misconfiguration — to API ports allows attackers to gain ownership of the host, giving them the ability to poison instances running within it with malware and to gain remote access to users’ servers and hardware resources.”

ThreatList: Ransomware Trojans Picking Up Steam in 2019

When it comes to ransomware, “the share of ransomware Trojans will remain high so long as there are people willing to pay a ransom,” researchers said. In particular, ransomware attackers are looking in 2019 to reinvent the game with new tricks and tactics. CryptoMix hackers, for example, tricked victims by promising to donate ransom payments to a children’s charity. And, “a new version of ransomware offers PayPal as a payment option,” researchers said. “If users choose to pay using PayPal, they are taken to a fake PayPal page. All credentials and payment information entered on the fake page are then stolen by attackers, who can withdraw money from victims’ accounts or sell this data on the Dark Web.” In addition to these new ploys, ransomware threat actors are also looking for larger targets with deeper pockets and more personal data to lose. That includes institutions (such as Jackson County, Georgia, which paid $400,000 to restore IT infrastructure) and healthcare firms (including Columbia Surgical Specialists, which paid $15,000 for file recovery).
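Returning to the Docker item at the top: the misconfiguration is a dockerd that listens on a TCP port (2375 by convention) without TLS client-certificate verification, and the payload is simply a normal container-create request that bind-mounts the host filesystem or asks for a privileged container, which the root-running daemon executes as asked. The Python below is an added example, not code from the page or from Trend Micro. It audits a daemon's launch line or daemon.json for that exposure and flags create requests that would hand over the host; the launch lines, daemon.json and request bodies are constructed samples.

```python
"""Audit a dockerd configuration for an unauthenticated remote API, and flag
container-create requests that would hand an attacker the host.

Added example, not code from the page or from Trend Micro. The launch lines,
daemon.json and API bodies below are constructed for illustration.
"""
import json
import shlex
from urllib.parse import urlparse

ANY_ADDR = (None, "", "0.0.0.0", "::")


def parse_exec_start(exec_start: str):
    """Pull -H/--host listeners and the --tlsverify flag out of a dockerd
    command line (for example the ExecStart= line of docker.service)."""
    argv = shlex.split(exec_start)
    hosts, tls_verify = [], False
    i = 0
    while i < len(argv):
        arg = argv[i]
        if arg in ("-H", "--host") and i + 1 < len(argv):
            hosts.append(argv[i + 1])
            i += 1
        elif arg.startswith(("-H=", "--host=")):
            hosts.append(arg.split("=", 1)[1])
        elif arg in ("--tlsverify", "--tlsverify=true"):
            tls_verify = True
        i += 1
    return hosts, tls_verify


def api_findings(hosts, tls_verify: bool):
    """One finding per TCP listener that lacks TLS client-cert verification.
    unix:// and fd:// sockets are local and governed by file permissions, so
    they are skipped; a loopback TCP listener is still flagged because any
    local user or SSRF primitive can reach it."""
    findings = []
    for h in hosts:
        u = urlparse(h)
        if u.scheme != "tcp" or tls_verify:
            continue
        where = "all interfaces" if u.hostname in ANY_ADDR else u.hostname
        findings.append(f"{h}: unauthenticated Docker API on {where} (no --tlsverify)")
    return findings


def audit_exec_start(exec_start: str):
    return api_findings(*parse_exec_start(exec_start))


def audit_daemon_json(text: str):
    """Same check for /etc/docker/daemon.json, where listeners live under
    "hosts" and TLS verification under "tlsverify"."""
    cfg = json.loads(text)
    return api_findings(cfg.get("hosts", []), bool(cfg.get("tlsverify", False)))


# Host paths whose bind-mount into a container is equivalent to root on the host.
SENSITIVE_HOST_PATHS = ("/", "/etc", "/root", "/proc", "/sys", "/var/run/docker.sock")


def risky_create_request(body: str):
    """Inspect the JSON body of a POST /containers/create request (as seen by a
    reverse proxy or API audit log) and list the settings that escape the
    container boundary."""
    cfg = json.loads(body)
    hc = cfg.get("HostConfig") or {}
    reasons = []
    if hc.get("Privileged"):
        reasons.append("Privileged: true")
    if hc.get("PidMode") == "host":
        reasons.append("PidMode: host")
    for bind in hc.get("Binds") or []:
        src = bind.split(":", 1)[0]
        if src == "/" or any(src == p or src.startswith(p + "/") for p in SENSITIVE_HOST_PATHS[1:]):
            reasons.append(f"bind-mounts host path {src}")
    return reasons


# Constructed samples: a daemon on 2375 with no TLS, the same daemon hardened,
# and the create request an attacker sends to an exposed daemon.
EXPOSED_EXEC = "/usr/bin/dockerd -H fd:// -H tcp://0.0.0.0:2375"
HARDENED_EXEC = ("/usr/bin/dockerd -H fd:// -H tcp://0.0.0.0:2376 --tlsverify "
                 "--tlscacert=/etc/docker/ca.pem --tlscert=/etc/docker/server-cert.pem "
                 "--tlskey=/etc/docker/server-key.pem")
EXPOSED_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
ATTACK_BODY = json.dumps({"Image": "alpine", "Cmd": ["chroot", "/host", "sh"],
                          "HostConfig": {"Binds": ["/:/host"], "Privileged": True}})
BENIGN_BODY = json.dumps({"Image": "nginx",
                          "HostConfig": {"Binds": ["/srv/www:/usr/share/nginx/html:ro"]}})

if __name__ == "__main__":
    print("exposed   ", audit_exec_start(EXPOSED_EXEC))
    print("hardened  ", audit_exec_start(HARDENED_EXEC))
    print("daemon.json", audit_daemon_json(EXPOSED_JSON))
    print("attack    ", risky_create_request(ATTACK_BODY))
    print("benign    ", risky_create_request(BENIGN_BODY))
```

Feed it the real ExecStart= line from `systemctl cat docker` and the real daemon.json. The probe the scanners use is nothing more than an unauthenticated GET /version against port 2375; if that answers, the second half of the script shows what the follow-up request looks like and what to alert on.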
ACLU warns security cameras could lead to surveillance

As millions of security cameras become equipped with “video analytics” and other AI-infused technologies that allow computers not only to record but to “understand” the objects they capture, they could be used for both security and marketing purposes, the American Civil Liberties Union (ACLU) warned in a recent report, “The Dawn of Robot Surveillance.” As the cameras become more advanced, their use is shifting from simply capturing and storing video “just in case” to actively evaluating it with real-time analytics for surveillance.

Mysterious Iranian group is hacking into DNA sequencers

Ankit Anubhav, a security researcher with NewSky Security, says the group, which operates from an Iran-based IP address, has been scanning the internet for dnaLIMS, a web-based application installed by companies and research institutes to handle DNA sequencing operations. The hack exploits CVE-2017-6526, a vulnerability in dnaLIMS that has not been patched to this day, although the vendor was notified back in 2017. Anubhav says the attackers are using this vulnerability to plant web shells that let them control the underlying web server remotely. The attacker may be looking to exfiltrate hashes of DNA sequences from the application's database. "DNA theft in specific cases can be fruitful," Anubhav said. "Either it can be sold on the black market, or a high profile attacker can actually be looking for a specific person's data." Alternatively, and probably the more plausible theory, the attackers are simply using the shell to plant cryptocurrency miners on the hijacked systems.

Evite data breach

No numbers yet, but the intrusion, which ran from Feb. 22, 2019 until its discovery in April, exposed names, usernames, email addresses, passwords, dates of birth, phone numbers, and mailing addresses.

Two years after the Equifax breach, four of the six US federal agencies audited (67%) still don't use 2FA.
The Government Accountability Office (GAO) investigated six agencies that store valuable personal information (the Social Security Administration (SSA), the General Services Administration (GSA), the Department of Veterans Affairs (VA), the Internal Revenue Service (IRS), the Centers for Medicare and Medicaid Services (CMS), and the United States Postal Service (USPS)) and found that only the GSA and IRS offer two-factor/multi-factor authentication (2FA/MFA) internally. Go Feds!

XENOTIME, a destructive APT linked to Russia, has broadened its target set beyond Middle East oil and gas.

XENOTIME, the advanced persistent threat (APT) group behind the TRISIS industrial control system (ICS) event, has expanded its focus beyond the oil and gas industries, according to researchers. The group has recently been seen probing the networks of electric utility organizations in the U.S. and elsewhere, perhaps a precursor to a dangerous attack on critical infrastructure that could cause physical damage or loss of life. “Offensive government programs worldwide are placing more emphasis and resources into attacking and disrupting industrial processes like oil, power and water,” said Sergio Caltagirone, vice president of threat intelligence at Dragos. “This means more attacks are coming. People will die, we just don’t know when.” “XENOTIME, the most dangerous cyberthreat in the world, provides a prime example of threat proliferation in ICS. What was once considered an ‘oil and gas threat’ is now an electric threat too. XENOTIME is now targeting dozens of electric power utilities in at least the North American and Asia-Pacific regions, and continues to target oil and gas worldwide."
US Lawmakers Hear Testimony on Concerns of Deepfakes

Kacy Zurkus: Former FBI special agent and senior fellow for the Alliance for Securing Democracy at the German Marshall Fund, Clint Watts was part of a four-person panel that testified before lawmakers on the potential for foreign adversaries to craft synthetic media capabilities that could be used against the US. “The falsification of audio and video allows manipulators to dupe audience members in highly convincing ways, provoking emotional responses that can lead to widespread mistrust,” Watts warned. "Of great concern is that deepfakes could have the power to disrupt the democratic process, particularly the presidential race of 2020.”

Malware still a top threat for industrial organizations

During Q1 2019, cryptolocker (file-encrypting) malware spiked to account for 24% of all malware used, up from only 9% in Q4 2018, according to a new report from Positive Technologies. “This malware is often used in combination with phishing, with hackers constantly inventing new ways of deceiving users and making them pay a ransom. Healthcare has proved to be a favorite target of cryptolockers. Medical institutions are more likely to pay a ransom compared to other businesses, perhaps because of patients' lives and health being at stake,” the report stated. “Phishing remains an effective way of delivering malware. But email is far from the only channel of malware distribution. For example, users frequently download files from torrent trackers, on which the risk of malware infection grows exponentially.
Under the guise of a movie, attackers distributed malware used for spoofing addresses of bitcoin and Ethereum wallets when the information is copied to/from the clipboard.”

Security researcher finds critical XSS bug in Google's Invoice Submission Portal

Described as a cross-site scripting (XSS) vulnerability, the security flaw impacted the Google Invoice Submission Portal, a public website where Google redirects business partners to submit invoices based on contractual agreements. A malicious threat actor could upload malformed files to the Google Invoice Submission Portal via the Upload Invoice field. Using a proxy, the attacker could intercept the uploaded file immediately after the form submission and validation took place, and change the document from a PDF to an HTML file carrying the XSS payload. Filed in February and patched in April, this XSS bug was only announced last week.

Canadian City Fell Prey to a $375K Phish

Kacy Zurkus: Yet another city has fallen victim to "a complex phishing email." The scam cost Burlington, Ontario, Canada, C$503,000, the equivalent of nearly US$375,000. “On Thursday, May 23, the City of Burlington discovered it was a victim of fraud. A single transaction was made to a falsified bank account as a result of a complex phishing email to City staff requesting to change banking information for an established City vendor. The transaction was in the form of an electronic transfer of funds made to the vendor...and was processed on May 16," the city announced. “Cyber-attacks are on the rise, and phishing emails that involve the human factor are responsible for a great number of these breaches. Organizations globally are realizing the need to invest in employee training and deploy different training solutions in hope to mitigate the risk of data breaches.”

The French Ministry of Interior has released a free decryption tool for the PyLocky ransomware to help victims recover their data.
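Back to the Google invoice-portal XSS item: the attack works because the file bytes can be rewritten in a proxy after the form's validation has run, and the HTML that arrives is later treated as a page in the portal's context. The Python below is an added example, not code from the page or from Google's portal. It shows the server-side half of the fix: decide on the bytes themselves (magic bytes, and a check for PDF/HTML polyglots), reject metadata that disagrees with the content instead of normalising it, store under a server-chosen name, and serve with headers that force a download. The field names, the in-memory store standing in for object storage and the sample uploads are constructed.

```python
"""Server-side handling of an uploaded invoice: validate by content, store
under a server-chosen name, serve as a forced download.

Added example, not code from the page or from Google's portal. Field names,
the in-memory store and the sample uploads are constructed.
"""
import hashlib
from dataclasses import dataclass

PDF_MAGIC = b"%PDF-"
MAX_BYTES = 10 * 1024 * 1024              # assumed size cap for an invoice
MARKUP_MARKERS = (b"<script", b"<html", b"<iframe")


@dataclass(frozen=True)
class StoredUpload:
    object_name: str   # server-assigned; the client's filename never becomes a path
    sha256: str
    size: int


def validate_invoice(declared_type: str, filename: str, data: bytes):
    """Return (ok, reason). The declared Content-Type and extension come from
    the client and can be rewritten in a proxy after any form-side validation
    has run, so the decision rests on the bytes themselves."""
    if not data or len(data) > MAX_BYTES:
        return False, "empty or oversized"
    if not data.startswith(PDF_MAGIC):
        return False, "not a PDF (magic bytes)"
    if declared_type != "application/pdf" or not filename.lower().endswith(".pdf"):
        # Disagreement between metadata and content is the tampering signal;
        # reject instead of silently fixing it up.
        return False, "declared type or extension disagrees with content"
    # A PDF/HTML polyglot starts with %PDF- but carries markup; refuse it rather
    # than rely solely on the browser honouring the download headers below.
    head = data[:4096].lower()
    if any(marker in head for marker in MARKUP_MARKERS):
        return False, "markup found in PDF header region"
    return True, "ok"


def store_invoice(data: bytes, store: dict) -> StoredUpload:
    """Persist under a content-derived name (here into a dict standing in for
    object storage) so the client picks neither the path nor the extension."""
    digest = hashlib.sha256(data).hexdigest()
    name = f"{digest}.pdf"
    store[name] = data
    return StoredUpload(name, digest, len(data))


def download_headers(stored: StoredUpload) -> dict:
    """Headers for serving the file back. Even if markup slipped through, the
    browser downloads it instead of rendering it in the portal's origin."""
    return {
        "Content-Type": "application/pdf",
        "Content-Disposition": f'attachment; filename="{stored.object_name}"',
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'none'; sandbox",
        "Content-Length": str(stored.size),
    }


# Constructed uploads: a minimal PDF, the HTML an attacker swaps in at the
# proxy after submission, and a polyglot that passes a magic-byte check alone.
GOOD_PDF = b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\ntrailer << /Root 1 0 R >>\n%%EOF\n"
SWAPPED_HTML = b"<html><body><script>alert(document.domain)</script></body></html>"
POLYGLOT = b"%PDF-1.4\n<html><script>alert(document.domain)</script></html>"

if __name__ == "__main__":
    store = {}
    for label, body in (("good", GOOD_PDF), ("swapped", SWAPPED_HTML), ("polyglot", POLYGLOT)):
        ok, reason = validate_invoice("application/pdf", "inv.pdf", body)
        print(label, ok, reason)
        if ok:
            print(download_headers(store_invoice(body, store)))
```

Serving uploads from a separate origin (a dedicated download host with no session cookies) is the remaining layer; the headers above limit the damage within the portal origin, a different origin removes the prize altogether.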
Initially spotted in attacks in July and August last year, the malware was posing as the infamous Locky ransomware that dominated the threat scene in 2016. Written in Python, the malware has been mainly active in Europe, and particularly in France. Once installed on a victim’s machine, the threat targets around 150 file types for encryption, including image, video, document, sound, program, game, database, and archive files, among others. The malware also gathers system information and features anti-sandbox capabilities. Usually spreading via spam emails, the ransomware has been actively targeting both businesses and home users, the French authorities reveal. Now, victims of the ransomware can recover their files for free, courtesy of the newly released tool, available on France’s national platform Cybermalveillance.gouv.fr. “Please note that the decryption of the files doesn’t clean the infected computer of the ransomware,” the French Ministry of Interior points out.

Amazon Alexa Secretly Records Children, Lawsuits Allege

“Alexa routinely records and voice-prints millions of children without their consent or the consent of their parents,” reads the complaint, which is seeking class-action status. It was filed in Seattle this week on behalf of a 10-year-old girl. Meanwhile, another, almost identical suit was filed this week in California Superior Court in Los Angeles, on behalf of an 8-year-old boy. “It takes no great leap of imagination to be concerned that Amazon is developing voiceprints for millions of children that could allow the company (and potentially governments) to track a child’s use of Alexa-enabled devices in multiple locations and match those uses with a vast level of detail about the child’s life, ranging from private questions they have asked Alexa to the products they have used in their home,” the California suit states.

Google is taking action on deceptive installation tactics for Chrome Browser Extensions
The additional changes are part of Project Strobe, presented by Google in October 2018 in the aftermath of the Google+ API flaw that exposed data of over 500,000 users. Google aims to ensure all Chrome extensions are trustworthy by default. Deceptive installation tactics that trigger removal from the Chrome Web Store include:

1. Unclear, inconspicuous disclosures or marketing.
2. Misleading interactive elements.
3. The Chrome Web Store item listing withholding or hiding the capture of extension metadata from the user.

The changes take effect July 1st.

Something strange happened last week: dozens of US-based cryptocurrency users were hit with SIM swapping attacks. While SIM swapping attacks had been trending downward, a rash of T-Mobile and AT&T based thefts last week may have been precipitated by the recent rise in the value of cryptocurrencies. The big takeaway? Switch to using Google Authenticator, Authy, Duo (to name a few) or hardware security tokens to protect accounts, instead of classic SMS-based 2FA.

Lawsuit Accuses Apple of Illegally Sharing iTunes Data

Three iTunes customers have filed suit against Apple, claiming the company violated state privacy laws by sharing data about their iTunes purchases and other music preferences with third parties without their knowledge or consent. The plaintiffs, who are seeking class action status, allege that Apple sold iTunes data directly to data brokers, who then turned around and sold it to advertisers, and that it allowed developers access to iTunes libraries, which developers turned around and sold to data brokers. The first allegation could be tricky to prove in court, since data brokers have many sources for information (like, say, app developers). As Variety notes, it’s the second allegation that could be the most damning if true. It would also be in violation of Apple’s rules for developers, as pointed out by the Verge.
The North Face Defaced Wikipedia to Get Free Advertising

The North Face did some very dumb things recently. First, it partnered with an ad agency to upload photos of North Face gear at famous outdoorsy locations to those places’ Wikipedia pages, in order to push those photos high up in Google’s image results. The move was disrespectful, entitled, and generally against Wikipedia’s rules. To make matters worse, the company then produced a video ad in which it bragged about how easily it had “hacked the results to reach one of the most difficult places: the top of the world’s largest search engine.” Needless to say, the Wikimedia Foundation was none too pleased. It issued a statement calling the stunt “unethical,” and compared it to defacing public property. After news of the advertising prank was met with jeers, not cheers, the North Face apologized.

Google Will Block Ad-Blocking for Most Chrome Users After All

When the internet giant announced a major change to the way its Chrome browser would handle extensions back in January, people were upset. The proposed changes would disrupt ad-blockers, making them work poorly or not at all. Five months later, the backlash hasn’t deterred anyone. Google announced that the functionality of current popular ad blockers won’t be supported when it rolls out the new extension system (Manifest V3, which replaces the blocking webRequest API with declarativeNetRequest). Developers will need to change the back end, and even then the extensions still likely won’t work as well. There is one exception: Google will be letting paid “enterprise” clients have access to the old system, though 9to5Google notes the purpose of this exception likely has nothing to do with ad-blocking; it’s probably to allow paid customers to make bespoke extensions that do all sorts of other things.

GandCrab ransomware operation says it's shutting down

The creators of the GandCrab ransomware announced yesterday they were shutting down their Ransomware-as-a-Service (RaaS) operation.
The GandCrab RaaS is an online portal where crooks sign up and pay to get access to custom builds of the GandCrab ransomware, which they later distribute via email, exploit kits, or other means. When an infected user pays a ransom demand, the original GandCrab author earns a small commission, while the rest of the money goes to the crook who distributed the ransomware. The announcement was made in an official thread on a well-known hacking forum, where the GandCrab RaaS has advertised its service since January 2018, when it formally launched. In the forum message, the GandCrab authors bragged about the ransomware having earned over $2 billion in ransom payments, with the operators making roughly $2.5 million per week and $150 million per year. "We successfully cashed this money and legalized it in various spheres of white business both in real life and on the Internet," the GandCrab crew bragged.

Russian military plans to replace Windows with Astra Linux

“Astra Linux is a Russian Linux-based computer operating system developed to meet the needs of the Russian army, other armed forces and intelligence agencies. It provides data protection up to the level of “top secret” in Russian classified information grade,” reads the Wikipedia page. “It has been officially certified by Russian Defense Ministry, Federal Service for Technical and Export Control and Federal Security Service.” The Astra Linux distribution was initially used only by private companies; Russian government agencies started using it later, after it was certified to handle classified information. In the past, Russian Army officials raised concerns about the possible presence of hidden backdoors, installed by U.S. intelligence agencies, in the Windows operating system. The announcement of a move to Astra OS was made in January 2018 by the Russian Ministry of Defence.
A similar decision was also announced by the Chinese government, which also plans to stop using the Microsoft operating system, especially after the recent ban of Chinese 5G technologies imposed by many western countries.

Gen Z Interns and Social Media: A Perfect Security Storm

Researchers are warning of a new security Achilles’ heel for enterprises, and it may not be what they expect. That threat is interns. According to researchers, interns are unwittingly posting confidential and valuable company insights via social media that pose a security risk to the companies that hire them. More disturbingly, the level of information posted online, including details about office layout, company data, and even badge information, was enough to allow researchers with IBM X-Force Red to create their own spoofed badge and physically breach an office while purporting to be an employee, wrote Stephanie Carruthers, global social engineering expert with X-Force Red, in a recent post. When it comes to collecting data for social engineering, “social media is a goldmine,” said Carruthers, and between Snapchat, Instagram, YouTube and Facebook, Generation Z are the most avid users of social media to date. “About 75 percent of the time, a social media search turns up the information I’m seeking within just a few hours,” she said. “This is especially true for large companies, where these posts are most often from interns or new employees.”

Google Project Zero researcher unearths a bug in Microsoft’s Notepad Windows application

A memory corruption bug in Microsoft’s Windows Notepad application can be used to open remote shell access, typically a first step for attackers infiltrating a system. The bug was found by Tavis Ormandy, a bug hunter with Google’s Project Zero team. In a tweet he indicated that the bug was tied to a memory corruption flaw in Notepad, a basic text editor that has shipped with every version of Windows since 1985.
The researcher said more details of the bug would be revealed in 90 days, as part of Google Project Zero’s disclosure policy, or sooner if Microsoft patches the bug.

Hacking accusations debunked after leak of New Zealand budget plan

Bradley Barth: Accusations from New Zealand’s Treasury department that someone had hacked the agency’s website and stolen budget plans that were later leaked to the public turned out to be premature, after investigators reportedly determined that individuals were able to access the documentation due to a website error. “Police have advised the Treasury that, on the available information, an unknown person or persons appear to have exploited a feature in the website search tool but that this does not appear to be unlawful,” the Treasury reportedly said. Oops!

M&A time in Cybersecurity

The cybersecurity sector saw a burst of acquisitions announced this week: Insight Partners acquiring the CIA- and Alphabet-backed Recorded Future (which collates data from a wide variety of sources, including dark web forums, company infrastructure and international news alerts, and turns it into intelligence that can be used to predict new attacks) for $780M; Palo Alto Networks buying Twistlock (container security) for $410M and PureSec (serverless security); and FireEye snapping up Verodin (security control validation) for $250M.