Search This Blog

Showing posts with label Security. Show all posts

Cyber Agencies: Beware of State Actors Levelling up Attacks on Managed Service Providers

 

The United States, the United Kingdom, Australia, and Canada's cybersecurity agencies issued a second advisory this week, stating that cyberattacks against managed service providers (MSPs) are expected to escalate. 

According to the advice, if an attacker is able to access a service provider's infrastructure, ransomware or espionage activity could be carried out against the provider's customers. 

The nations advised, "Whether the customer's network environment is on-premises or externally hosted, threat actors can use a vulnerable MSP as an initial access vector to multiple victim networks, with globally cascading effects." 

"NCSC-UK, ACSC, CCCS, CISA, NSA, and FBI expect malicious cyber actors -- including state-sponsored advanced persistent threat groups -- to step up their targeting of MSPs in their efforts to exploit provider-customer network trust relationships." 

The MSP definition covers IaaS, PaaS, SaaS, process and support services, as well as cybersecurity services, for the purposes of this advice. The first piece of obvious advice is to avoid getting compromised in the first place. Beyond that, users should follow standard suggestions such as improving monitoring and logging, updating software, having backups, employing multi-factor authentication, segregating internal networks, using the least privilege approach, and removing old user accounts. Users should verify contracts for clauses that ensure MSPs have adequate security safeguards in place.

Further, the advisory stated, "Customers should ensure that they have a thorough understanding of the security services their MSP is providing via the contractual arrangement and address any security requirements that fall outside the scope of the contract. Note: contracts should detail how and when MSPs notify the customer of an incident affecting the customer's environment."
 
"MSPs, when negotiating the terms of a contract with their customer, should provide clear explanations of the services the customer is purchasing, services the customer is not purchasing, and all contingencies for incident response and recovery."

NCSC Warns Of Threats Posed By Malicious Apps

 

A new report by the UK's National Cyber Security Centre (NCSC) has alerted of the threats posed by malicious applications. While most people are familiar with apps downloaded to smartphones, they are also available on everything from smart TVs to smart speakers. 

The government is seeking input on new security and privacy guidelines for applications and app stores. Ian Levy, the NCSC's technical director, stated app stores could do more to improve security. Cybercriminals are currently exploiting vulnerabilities in app stores on all types of linked devices to cause harm,  as per Mr Levy. 

Android phone users downloaded apps containing the Triada and Escobar malware from various third-party app stores last year, according to the FBI.  "This resulted in cyber-criminals remotely taking control of people's phones and stealing their data and money by signing them up for premium subscription services," it said.

The NCSC's report noted that apps "can also be installed on laptops, computers, games consoles, wearable devices (such as smartwatches or fitness trackers), smart TVs, smart speakers (such as Alexa devices), and IoT (internet of things) devices". It includes an example of a security firm illustrating how it could construct a malicious app for a prominent fitness tracker that could be downloaded via a link that seemed legitimate because it used the company's web address. 

Spyware/stalkerware capable of stealing anything from location to personal body data was found in the app. After the security firm alerted the company, it proceeded to rectify the situation. 

 The thirst for applications grew during the pandemic, according to the NCSC research, with the UK app market currently valued at £18.6 billion ($23.2 billion). The government's proposal to ask app retailers to commit to a new code of practice outlining baseline security and privacy requirements is supported by the cyber-security centre. 

"Developers and store operators making apps available to UK users would be covered. This includes Apple, Google, Amazon, Huawei, Microsoft and Samsung," the government stated.

 A new code of practice would require retailers to set up procedures to find and repair security problems more quickly.

Conti, REvil, LockBit Ransomware Flaws Exploited to Block Encryption

 

A researcher has demonstrated how a flaw common to numerous ransomware families can be used to control and eliminate the malware before it encrypts files on vulnerable systems. Malvuln is a project created by researcher John Page (aka hyp3rlinx) that lists vulnerabilities uncovered in various types of malware. 

Early in 2021, the Malvuln project was launched. SecurityWeek covered it in January 2021, when there were only a few dozen entries, and again in June 2021, when there were 260. Malvuln had almost 600 malware vulnerabilities as of May 4, 2022. Page added ten new entries in the first several days of May, detailing vulnerabilities in the Conti, REvil, Loki Locker, Black Basta, AvosLocker, LockBit, and WannaCry ransomware families. 

The researcher discovered that DLL hijacking flaws affect these and other ransomware families. By inserting a carefully designed file in a location where it will be run before the legal DLL, these vulnerabilities can often be exploited for arbitrary code execution and privilege escalation. When it comes to ransomware, a "attacker" can build a DLL file with the same name as a DLL that the malware looks for and loads. 

The new DLL will be executed instead of the ransomware executable if it is placed next to it. This can be used to stop malware from encrypting data by intercepting it and terminating it. The DLLs can be hidden, according to the researcher, who uses the Windows "attrib +s +h" command in his PoC videos. 

Page explained, “Endpoint protection systems and/or antivirus can potentially be killed prior to executing malware, but this method cannot as there’s nothing to kill — the DLL just lives on disk waiting. From a defensive perspective, you can add the DLLs to a specific network share containing important data as a layered approach.” 

Page told SecurityWeek that while some of the ransomware versions he tested were new, the strategy works against practically all ransomware, comparing it to a "Pandora's box of vulnerabilities." The researcher has also made videos showing how to exploit the ransomware's flaws. The videos demonstrate how a specially constructed DLL file installed in the same folder as the ransomware executable prevents the malware from encrypting files. 

Authentication bypass, command/code execution, hardcoded credentials, DoS, SQL injection, XSS, XXE, CSRF, path traversal, information disclosure, insecure permissions, cryptography-related, and other forms of attacks are all stored in the Malvuln database. Page also recently released Adversary3, an open-source malware vulnerability intelligence tool for third-party attackers. The Python-based application is intended to make it easier to access data from the Malvuln database, allowing users to search for vulnerabilities by attack category. 

According to the researcher, the tool could be valuable in red teaming activities. For instance, the tester could seek for devices hosting malware and exploit vulnerabilities in that malware to gain elevated access. When the project was first announced, certain members of the cybersecurity community expressed concern that the data could be beneficial to malware makers, assisting them in fixing vulnerabilities, some of which may have been exploited for threat intelligence reasons without their knowledge. The ransomware vulnerabilities and the Adversary3 tool, on the other hand, illustrate that the project can also benefit the cybersecurity community.

Google SMTP Relay Service Exploited for Sending Phishing Emails

 

Phishers are exploiting a vulnerability in Google's SMTP relay service to send malicious emails that imitate well-known brands. Threat actors use this service to mimic other Gmail tenants, according to Avanan researcher Jeremy Fuchs. Since April 2022, they've noticed a massive rise in these SMTP relay service exploit attacks in the wild. 

Organizations utilise Google's SMTP relay service to send out promotional messages to a large number of consumers without the risk of their mail server being blacklisted. 

Fuchs explained, “Many organizations offer this service. Gmail does as well, with the ability to route outgoing non-Gmail messages through Google. However, these relay services have a flaw. Within Gmail, any Gmail tenant can use it to spoof any other Gmail tenant. That means that a hacker can use the service to easily spoof legitimate brands and send out phishing and malware campaigns. When the security service sees avanan.com coming into the inbox, and it’s a real IP address from Gmail’s IP, it starts to look more legitimate.” 

As Gmail's SMTP relay servers are usually trusted, email security solutions are circumvented, and recipients see a legitimate-looking email address in the "From:" field. Users will only know something is wrong if they inspect the message headers. 

This brand impersonation method will only work if the impersonated corporation/brand company hasn't enabled its DMARC reject policy, according to Fuchs. A DNS-based authentication standard is known as DMARC. It protects enterprises from impersonation threats by preventing malicious, spoof emails from reaching their intended recipients. 

Using tools like MXToolbox, any phisher — indeed, anyone who uses the internet – may verify whether the DMARC reject policy has been enabled for a certain domain. Trello and Venmo, for example, haven't, according to Fuchs, while Netflix has. 

On April 23rd, 2022, Fuchs claims to have warned Google about how phishers were using their SMTP relay service. “Google noted that it will display indicators showing the discrepancy between the two senders, to aid the user and downstream security systems,” he told Help Net Security. 

He also points out that any SMTP relay could be vulnerable to this type of assault. The DMARC protocol, which Google recommends, is the overarching solution to this well-known security issue. However, until that becomes the norm, recipients should verify the headers of unsolicited email messages and avoid opening attachments or clicking on links in those messages if they can't tell whether they're harmful. 

“We have built-in protections to stop this type of attack. This research speaks to why we recommend users across the ecosystem use the Domain-based Message Authentication, Reporting & Conformance (DMARC) protocol. Doing so will defend against this attack method, which is a well-known industry issue,” a Google spokesperson told Help Net Security.

11 High-Severity Flaws in Security Products Patched by Cisco

 

This week, Cisco released its April 2022 bundle of security advisories for Cisco Adaptive Security Appliance (ASA), Firepower Threat Defense (FTD), and Firepower Management Center (FMC). 

The semiannual bundled advisories include a total of 19 flaws in Cisco security products, with 11 of them being classified as "high severity." 

CVE-2022-20746 (CVSS score of 8.8) is the most serious of these, an FTD security vulnerability that occurs because TCP flows aren't appropriately handled and might be exploited remotely without authentication to generate a denial of service (DoS) condition. 

“An attacker could exploit this vulnerability by sending a crafted stream of TCP traffic through an affected device. A successful exploit could allow the attacker to cause the device to reload, resulting in a DoS condition,” Cisco explains in an advisory. 

With the introduction of FDT versions 6.6.5.2 and 7.1.0.1, the IT giant has addressed the problem. Fixes will also be included in FDT releases 6.4.0.15 and 7.0.2, which will be released next month. Several more DoS vulnerabilities, all rated "high severity," were fixed with the same FDT releases, including ones that affect ASA as well. They were addressed in ASA releases 9.12.4.38, 9.14.4, 9.15.1.21, 9.16.2.14, and 9.17.1.7. Other problems fixed by these software upgrades could result in privilege escalation or data manipulation when using an IPsec IKEv2 VPN channel.

Cisco also fixed an ASA-specific flaw that allowed an attacker to access sensitive information from process memory. Firepower Management Center (FMC) releases 6.6.5.2 and 7.1.0.1, as well as the future releases 6.4.0.15 and 7.0.2, resolve a remotely exploitable security protection bypass flaw, as per the tech giant. 

Cisco stated, “An attacker could exploit this vulnerability by uploading a maliciously crafted file to a device running affected software. A successful exploit could allow the attacker to store malicious files on the device, which they could access later to conduct additional attacks, including executing arbitrary code on the affected device with root privileges."

Fixes for eight medium-severity vulnerabilities in these security products are included in the company's semiannual bundled publishing of security advisories. Cisco is not aware of any attacks that take advantage of these flaws.

Dark Data: A Crucial Concern for Security Experts

 

BigID recently released a research paper that examines the current problems that businesses face in safeguarding their most critical information. A number of important findings emerged from the research:
  • Dark data is extremely concerning to 84 per cent of businesses. This is data that businesses aren't aware of, but which accounts for more than half of all data in existence and can be extremely sensitive or vital. 
  • Unstructured data is the most difficult to manage and safeguard for eight out of ten businesses. Unstructured data generally comprises a variety of sensitive information and is challenging to scan and identify due to its inherent complexity. 
  • More than 90% of businesses have trouble implementing security standards involving sensitive or important data. Data policy reach and enforcement are crucial for proper data asset management, remediation, and security. 
Data is an organization's most valuable asset, relying on it every day to make critical strategic and operational choices. Unfortunately, most of this data is highly sensitive or critical, and it can be exposed accidentally or maliciously in some instances. 

Dimitri Sirota, CEO of BigID stated, “Data is the fuel that drives a company forward. However, a lot of this data is personal and as it accumulates, so does cyber risk. You owe it to your customers, partners, and employees to keep this data safe, let alone to keep your business running. This report reinforces the fact that most continue to struggle to confidently protect their most valuable data.” 

Sensitive or essential data is being spread throughout the environment at unprecedented rates, thanks to the rapid rise of public, private, hybrid, and multi-cloud models. As the scope of this type of data grows, so does the risk to the organisation. 

The research looks into the most significant security issues, the core causes of these problems, and practical ways to improve data security so that teams can protect their most valuable data assets.

DHS Investigators: Stopped Cyberattack on Undersea Internet Cable in Hawaii

 

An apparent cyberattack on an unknown telecommunication company's servers related to an underwater cable responsible for internet, cable service, and cell connections in Hawaii and the region was "disrupted" by federal agents in Honolulu last week, the agency told in a statement on Tuesday. 

Hawaii-based agents with Homeland Security Investigations, an arm of the Department of Homeland Security, received a tip from their mainland HSI counterparts that led to the disruption of a major intrusion involving a private company's servers associated with an underwater cable. "An international hacker group" was involved in the attack, according to the probe, and HSI agents and international law enforcement partners in multiple countries were able to make an arrest.

The statement did not specify the sort of cyberattack, the hacking group responsible, other law enforcement agencies involved, or the location of any arrests. According to the statement, no damage or interruption happened, and there is no immediate threat. Investigators discovered that the attackers had gained credentials that permitted access to an unnamed company's systems, according to John Tobon, HSI's special agent in charge in Hawaii, who informed a local news station. 

“It could have been something to just create havoc, in other words, just shut down communications, or it could have been used to target individuals in ransomware-type schemes,” he stated.

According to the National Oceanic and Atmospheric Administration, hundreds of "submarine" internet cables carry up to 95 percent of intercontinental internet data. According to an Atlantic Council report, the cables are owned and operated by a mix of corporate and state-owned enterprises, and they are experiencing increasing threats to their security and resilience. 

Justin Sherman, the report's author, highlights worries about authoritarian governments' intent to restrict internet access by influencing physical infrastructure like submarine lines. The lines are also appealing targets for government or criminal parties attempting to collect sensitive data through covert surveillance. Another issue, according to Sherman, is that more cable operators are employing remote management tools for cable networks. 

He wrote, “Many of these systems have poor security, which exposes cables to new levels of cybersecurity risk. Hackers could break into these internet-connected systems from anywhere in the world and physically manipulate cable signals, causing them to drop off entirely — undermining the flow of internet data to specific parts of the world.” 

Sherman added, “One can even imagine a threat actor (state or non-state) hacking into a cable management system and trying to hold the infrastructure hostage.”

Google Strengthens Android Security With a New Set of Dev Policy Updates

 

Google has announced several important policy changes for Android app developers that will improve the security of users, Google Play, and the apps available through the service. 
These new developer requirements will be in effect from May 11th through November 1st, 2022, allowing developers plenty of time to adjust. The following are the most important policy changes related to cybersecurity and fraud that will be implemented: 
  • New API level target requirements.
  • Banning of loan apps whose Annual Percentage Rate (APR) is 36% or higher.
  • Prohibiting the abuse of the Accessibility API.
  • New policy changes for the permission to install packages from external sources.
All newly released/published apps must target an Android API level released within one year of the most recent major Android version release starting November 1, 2022. Those who do not comply with this criterion will have their apps banned from the Play Store, Android's official app store. 

Existing apps that do not target an API level within two years of the most recent major Android version will be eliminated from the Play Store and become undiscoverable. This change is intended to compel app developers to follow the tougher API regulations that underpin newer Android releases, such as better permission management and revoking, notification anti-hijacking, data privacy enhancements, phishing detection, splash screen limits, and other features. 

According to Google's blog article on the new policy: "users with the latest devices or those who are fully caught up on Android updates expect to realize the full potential of all the privacy and security protections Android has to offer." 

App developers who require extra time to migrate to more recent API levels can request a six-month extension, albeit this is not guaranteed. Many outdated apps will be forced to adopt better secure methods as a result of this policy change. 

Accessibility API abuse

The Accessibility API for Android enables developers to design apps that are accessible to people with disabilities, enabling the creation of new ways to operate the device using its applications. However, malware frequently exploits this capability to do actions on an Android smartphone without the user's permission or knowledge. As noted below, Google's new policies further restrict how this policy can be applied: 
  • Change user settings without their permission or prevent the ability for users to disable or uninstall any app or service unless authorized by a parent or guardian through a parental control app or by authorized administrators through enterprise management software; 
  • Workaround Android built-in privacy controls and notifications; or
  • Change or leverage the user interface deceptively or otherwise violates Google Play Developer Policies.
Google has also released a policy change that tightens the "REQUEST INSTALL PACKAGES" permission. Many malicious software publishers hide package-fetching technology that downloads malicious modules after installation to have their submission accepted on the Play Store. Users interpret these activities as "request to update" or "download new content," and they either authorise the action when presented with the corresponding prompt or don't notice because it occurs in the background. 

Google aims to narrow this loophole by imposing new permission requirements, bringing light to an area that was previously unregulated. Apps that use this permission must now only fetch digitally signed packages, and self-updates, code modifications, or bundling of APKs in the asset file will still require the user's authorization. For all apps using API level 25 (Android 7.1) or higher, the new REQUEST INSTALL PACKAGES policies will enter into force on July 11th, 2022.

PCI DSS Launches New Version to Tackle Cyber Security Threats

A new variant of the PCI Data Security Standard (PCI DSS) has been posted today by the PCI Security Standards Council (PCI SSC), the global payment security forum. The standard version is 4.0, it offers a baseline of operational and technical needs designed to improve payment security, replacing version 3.2.1 to assist combat surfacing threats and technologies. Besides this, the updates are built for enabling innovative methods to tackle these new threats. 

PCI SCC says these changes were motivated by feedback from the global payments industry over the past three years, including more than 6000 items from over 200 organizations. The latest changes in the PCI DSS v4.0 include the Expansion of Requirement 8 to apply multi-factor authentication (MFA) for all access to the cardholder data scenario. Up-to-date firewall terminology to network security controls, supporting a wider range of tech used to reach the security objectives earlier fulfilled by firewalls. 

 Improved flexibility for enterprises to show how they are incorporating different techniques to meet security objectives. Adding targeted threat analysis enables organizations to decide how frequently they do certain actions best suited for their organization's risk exposure and needs. The present version, v3.2.1, will remain online for two years until March 31, 2024. This will give associated organizations some time to know v4.0 and implement these updates. PCI SCC has also released some supporting documents besides the updated standard in the PCI SSC Document Library. 

It includes the summary of changes from PCI DSS v3.2.1 to v4.0, v4.0 Report on Compliance (ROC) Template, ROC FAQs, and ROC Attestations of Compliance (AOC). Additionally, Self-Assessment Questionnaires (SAQs) will be posted in the future. “The industry has had unprecedented visibility into, and impact on, the development of PCI DSS v4.0. Our stakeholders provided substantial, insightful, and diverse input that helped the council effectively advance the development of this version of the PCI Data Security Standard,” said Lance Johnson, executive director of PCI SSC.

One arrested in ₹1,200-Crore Crypto Fraud Case, 900 Investors Scammed

 

The Enforcement Directorate announced on Tuesday that it had arrested a suspect in connection with a money-laundering investigation into a Kerala-based businessman who is suspected of scamming more than 900 investors out of Rs 1,200 crore in exchange for bitcoin. 

Abdul Gafoor, one of the most prominent stockists of the 'Morris Coin Cryptocurrency,' was arrested on March 24, according to the source. The next day, he was taken into prison by the Enforcement Directorate (ED) and held until March 31. Mr Gafoor was accused of not complying with the investigation and of being extremely evasive in his responses, according to the federal investigation agency. 

The agency stated, "Considering the fact that Abdul Gafoor is one of the directors of Stoxglobal Brokers Pvt. Ltd. and has played an active role in facilitating the placement and layering of proceeds of crime, he has been placed under arrest on March 24," 

The ED case arose from an FIR filed by the Kerala Police (Malappuram crime branch unit) against the case's main accused, businessman Nishad K. The agency alleged Nishad K "cheated several investors by accepting investments, under a Ponzi scheme, through his three Bengaluru based firms-- Long Reach Global, Long Reach Technologies and Morris Trading by offering high returns of dividend such as 3-5 per cent per day." 

According to the police complaint, "more than 900 investors were cheated to the tune of ₹ 1,200 crore." The investigation discovered that "Nishad, the main accused person, had appointed those persons as pin stockists who had invested a minimum of ₹ 10 lakh in Nishad's scheme and Nishad promised them that he would give five per cent as commission on the investment.” 

The ED stated, "They made aggressive enrolment of new members into an illegal money circulation scheme under the garb of multi-level marketing, resorted to the fraudulent practice of investing the money received from the investors in the Morris Coin cryptocurrency plan run by Nishad and others". 

It alleged that this resulted in the viral growth of the scheme network, resulting in significant unjust gain at the cost of investors. It had previously stated that the deposits taken from the general public were illegal and did not require any regulatory approval. It had attached Nishad K's assets worth ₹ 36.72 crore, as well as those of his colleagues, including the Indian Rupee equivalent of cryptocurrencies purchased with proceeds of crime by a close associate, in January.

DDoS Attacks Hit Ukrainian Government Websites

 

DDoS attacks are causing havoc for the Ministry of Defense and the Armed Forces of Ukraine, as well as two of the country's state-owned banks, Privatbank (Ukraine's largest bank) and Oschadbank (the State Savings Bank). 

Bank customers got text messages saying that bank ATMs were down today, according to Ukraine's Cyberpolice, who added that the messages were "part of an information attack and do not correspond to reality." 

The Ukrainian Ministry of Defense, whose website was taken down as a result of the attacks, stated their website was most likely assaulted by DDoS: an excessive number of requests per second was observed. 

"Starting from the afternoon of February 15, 2022, there is a powerful DDOS attack on a number of information resources of Ukraine," Ukraine's State Service for Special Communication and Information Protection added. 

"In particular, this caused interruptions in the work of web services of Privatbank and Oschadbank. The websites of the Ministry of Defense and the Armed Forces of Ukraine were also attacked."

While the Ukrainian defence ministry's website is down, Oschadbank and Privatbank's websites are still up and running, albeit users are unable to access their online banking. Privatbank users have been experiencing problems with payments and the bank's mobile app, according to the Ukrainian Center for Strategic Communications and Information Security. Some stated that they couldn't get into their Privat24 internet banking accounts, while others said they observed inaccurate balances and recent transactions. 

A traffic geofencing rule was added to Privatbank's web application firewall (WAF), which automatically removed the website's contents for IP addresses outside of Ukraine and displayed a "BUSTED! PRIVATBANK WAF is watching you)" message. 

The Security Service of Ukraine (SSU) stated on Monday that the country is being targeted in a "massive wave of hybrid warfare" aimed at instilling fear in Ukrainians and undermining their faith in the state's ability to safeguard them. The SSU further stated that it has already blocked many such attempts related to hostile intelligence agencies, as well as dismantled bot farms aimed at spreading fear in Ukrainian residents through bomb threats and fake news.  

Attacks on Ukrainian authorities are being coordinated by the Gamaredon hacking organisation (connected to Russia's Federal Security Service (FSB) by Ukrainian security and secret agencies), according to the country's Computer Emergency Response Team. 

A day later, the SSU announced that it has prevented more than 120 cyberattacks aimed at Ukrainian governmental institutions in January 2022. 

Gamaredon has been directing a wave of spear-phishing emails targeting Ukrainian businesses and organisations relevant to Ukrainian issues since October 2021, according to Microsoft.

NSW Government Database Compromises 500,000+ Addresses

 

The government of New South Wales (NSW) has admitted to a data breach that exposed more than 500,000 addresses via a government website. 

According to 9News, the NSW Customer Services Department acquired hundreds of thousands of locations through its QR code registration system before making them public on a government website. The locations belonged to firms that were registered as COVID-safe businesses, which was an option offered to all NSW businesses as well as those from other jurisdictions with interests in NSW. 

Skeeve Stevens, a technology specialist in the security and intelligence space who spotted the dataset in September and stated he notified cyber security professionals, who then informed the government. Defence sites, missile maintenance facilities, domestic violence shelters, essential infrastructure networks, and correctional facilities were among the targets. Locations in Western Australia, Victoria, Queensland, South Australia, and the Australian Capital Territory were also included in the database. 

Last October, the government forwarded the matter to the privacy commissioner, who determined that the incident did not constitute a privacy breach. The issue was brought to the attention of NSW Premier Dominic Perrottet this week, and he admitted that the material had been posted incorrectly. 

Perrottet stated, "That was worked through [the] privacy commissioner. My understanding is they were satisfied that the matter was resolved and that information was taken down. It shouldn't have happened."

According to 9News, the NSW Department of Customer Services classified fewer than 1% of the 566,318 locations as sensitive. 

A department spokesperson stated, "These businesses were all contacted by telephone and letter. No issues of concern were raised by any recipients." 

The COVID-Safe Businesses and Organization dataset has been withdrawn, according to a notice on the NSW data website dated 12 October 2021. “We have identified issues with the integrity of the data with the recent increase in volume of registrations. We apologise for any inconvenience,” stated the notice, without revealing what the issue was. 

Last weekend, a marketing stunt by Coinbase used QR codes to bring potential consumers to its site, prompting experts to debate whether they pose a true cyber security danger. Some experts believe they shouldn't be trusted because of the risk of being hijacked by cyber thieves, while others believe the fear around the technology is exaggerated and the real-world threat is minimal.

ICO Struck by 2650% Rise in Email Attacks in 2021

 

The UK's Information Commissioner's Office (ICO) reported a whopping 2650% spike in email attacks in 2021, as per official numbers acquired by the Parliament Street think tank following a Freedom of Information request, 

Email attacks on the UK's privacy and data protection regulator increased from 150,317 in January to 4,135,075 in December, according to the findings. For each month last year, the data refers to the volume of phishing emails discovered, malware detected and prevented, and spam detected and blocked by the ICO. 

The majority of the attacks were caused by spam emails, which increased by 2775 % from January to December. During this time, the number of phishing emails climbed by 20%, while malware increased by 423 percent. 

In December, the statistics revealed a significant increase in email attacks, with 4,125,992 spam messages, 7886 phishing emails, and 1197 malware cases. This increase is likely to be linked to the Omicron variant's rapid spread in the UK at the end of the year, with threat actors able to use issues like testing and immunizations as bait. This is in addition to the Christmas scams that proliferate in the build-up to the holidays. 

Edward Blake, area vice president EMEA of Absolute Software, commented: “Cyber-attacks are targeting organizations across the globe at an alarming rate, once again reminding businesses of the need to re-evaluate and revamp their security protection if it is not up to scratch. Cybersecurity is not just about protecting endpoints via anti-malware or email cybersecurity solutions. While these are important, there are now a variety of access points for cyber-criminals to capitalize on that IT leaders need to be aware of. These include vulnerable unpatched applications and network vulnerabilities, stolen or illegally purchased log-in credentials or even by hacking unprotected smart devices.” 

Barracuda Networks' manager, Steven Peake, expressed similar concerns, saying: “The pandemic continues to be a catalyst for opportunistic cyber-criminals to try and prey on unsuspecting, vulnerable people. Our recent research showed a 521% surge in COVID-19 test-related phishing attacks, so it is hardly surprising to see major organizations, such as the ICO, hit by such a high volume of threats as they represent lucrative targets. Phishing emails, malware, and spam, in particular, account for a large proportion of the threats these organizations face, so they need to implement measures to protect themselves. These cyber-attackers aren’t going anywhere anytime soon.” 

As part of its plans to reform the country's data sector, the UK government announced plans to revamp the ICO's structure last year.

Attackers Revive 20-Year-Old Tactic in Microsoft 365 Phishing Attacks

 

A classic phishing tactic using mislabeled files is being used to deceive Microsoft 365 users into revealing their credentials. Malicious actors are dusting off Right-to-Left Override (RLO) attacks to fool victims into running files with altered extensions, as per cybersecurity researchers at Vade. Victims are requested to enter their Microsoft 365 login details when they open the files. 

In the previous two weeks, Vade's threat analysis team has discovered more than 200 RLO attacks targeting Microsoft 365 users. The technique of assault was: 

Within the Unicode encoding system, the RLO character [U+202e] is a special non-printing character. The symbol was created to support languages like Arabic and Hebrew, which are written and read from right to left. 

The special character, which can be found in the Windows and Linux character maps, can be used to mask the file type. The executable file abc[U+202e]txt.exe, for example, will display in Windows as abcexe.txt, misleading people to believe it is a.txt file. 

The threat has been present for more than a decade, and CVE-2009-3376 was first identified in 2008 in Mozilla Foundation and Unicode technical reports. 

"While Right-to-Left Override (RLO) attack is an old technique to trick users into executing a file with a disguised extension, this spoofing method is back with new purposes," noted researchers. 

RLO spoofing was previously a common technique for hiding malware in attachments. According to Vade researchers, the approach is currently being used to phish Microsoft 365 business users in order to gain access to a company's data. The team encountered one RLO attack in which an email was delivered with what seemed to be a voicemail.mp3 attachment. 

Researchers stated, "This kind of scam preys on the curiosity of the recipient, who is not expecting a voicemail, and who maybe intrigued enough to click the phishing link in the body of the email or the attachment, which is often an html file."
  
"Most likely attackers are taking advantage of the COVID-19 pandemic, with the expansion of remote working," hypothesized the analysts, who also noted that "RLO spoofing attachments is more convincing with the lack of interpersonal communication due to teleworking."

UK Foreign Office Suffered ‘Serious Cyber Security Incident’

 

A "serious incident" compelled the Foreign Office of the United Kingdom to seek immediate cybersecurity assistance. A recently released public tender document confirmed the incident. According to a document released on February 4, the Foreign, Commonwealth and Development Office (FCDO) sought "urgent business support" from its cybersecurity contractor, BAE Applied Intelligence, 

The FCDO paid the company £467,325.60 — about $630,000 — for its services after issuing a contract for "business analyst and technical architect support to assess an authority cyber security incident" on January 12, 2022, according to the notice. However, the incident's facts, which had not previously been made public, remain unknown. 

The document stated, “The Authority was the target of a serious cyber security incident, details of which cannot be disclosed. In response to this incident, urgent support was required to support remediation and investigation. Due to the urgency and criticality of the work, the Authority was unable to comply with the time limits for the open or restricted procedures or competitive procedures with negotiation.” 

The Stack was the first to report on the BAE contract. According to an FCDO's spokesperson who did not give their name stated that the office does not comment on security but has measures in place to detect and protect against potential cyber events. Further queries about the incident, such as whether classified information was accessed, were declined by the spokesperson. 

TechCrunch also contacted the United Kingdom's data protection authority to see if the event had been reported, but is yet to hear back. The announcement of the apparent incident came only days after the British Council, an institution that specialises in international cultural and educational opportunities, was found to have suffered a severe security breach. Clario researchers discovered 144,000 unencrypted files on an unsecured Microsoft Azure storage server, including the personal and login information of British Council students. 

Following an investigation by the UK's National Cyber Security Center, Wilton Park, a Sussex-based executive agency of the FCDO, was hit by a cyberattack in December 2020, which revealed that hackers had access to the agency's systems for six years, though there was no proof that data had been stolen.

Swissport Ransomware Attack Delays Flights, Disturbs Operations

 

Swissport International, a supplier of aviation services, was struck by a ransomware attack that disrupted its operations. 

Swissport International Ltd. is an aviation services firm controlled by an international group of investors that provides airport ground, lounge hospitality, and cargo handling services. On behalf of 850 aviation clients, the corporation manages over 282 million passengers and 4.8 million tonnes of cargo each year. Swissport employs over 66,000 people at 307 locations across 50 countries and has combined operating revenue of EUR 2.8 billion. 

Swissport International was the victim of a ransomware assault that disrupted company operations and prompted aircraft delays. As per the German website Spiegel, the ransomware attack only affected a minor section of the corporation's global IT infrastructure, and a company spokesperson verified that the security breach occurred at 6 a.m. on Thursday. 

The attack has been substantially contained, according to the company, which is attempting to rectify the situation as swiftly as possible. 

A spokeswoman for Zurich Airport added, “Due to system problems at our airport partner Swissport, 22 flights were delayed by 3 to 20 minutes yesterday.”

The company spokesman added, “The attack has now been contained and everything is being done to solve the problem as quickly as possible and limit the impact on flight operations. Swissport can continue to provide ground services for airlines safely, but there may be delays in some cases.” 

On Friday afternoon, the Swissport website was unavailable. The organisation has not yet revealed information regarding the attack, such as the ransomware family that attacked its systems or if the attack resulted in a data leak. The attack on their leak sites was not claimed by any ransomware group. 

Other recent attacks in Europe have affected key infrastructure, such as the one that crippled Oiltanking GmbH, a German petrol distributor that supplies Shell gas stations across the country. The oil provider Mabanaft GmbH was also impacted by the attack, according to the media. The Marquard & Bahls group owns both companies. As per local media, the attacks could have compromised the country's fuel supplies. 

A cyberattack was launched this week on some of the main oil terminals in Western Europe's largest ports. The Amsterdam-Rotterdam-Antwerp oil trading centre, as well as the SEA-Tank Terminal in Antwerp, are among the affected port infrastructure.

Telco Penalized €9 Million for Obscuring Cyberattack Impact from Customers

 

The Greek data protection authority imposed a fine on COSMOTE of 5,850,000 EUR ($6.55 million) and OTE was fined 3,250,000 EUR ($3.65 million) for exposing sensitive customer data due to a cyberattack. 

COSMOTE violated at least eight articles of the GDPR, according to the agency, including its responsibility to inform impacted customers of the full consequences of the incident. 

COSMOTE and OTE (Hellenic Telecommunications Organization) are both parts of the OTE Group, Greece's largest technological business, which provides fixed and mobile telephony, broadband, and network communication services. 

COSMOTE launched an internal investigation in 2020 and discovered that a hacker utilized LinkedIn to social engineer one of its employees and then used brute-forcing techniques to obtain the target's account credentials. According to the investigation's results, the attacker repeatedly utilized a Lithuanian IP address to access one of OTE's servers. On five consecutive occasions, the threat actor used the account credentials to extract database files and the data that was stolen and was 48GB in size. 

COSMOTE keeps call details on its servers for 90 days for service quality assurance and further 12 months for statistical analysis that aids in targeted service enhancement. The anonymization process wasn't done effectively, and the data holding periods weren't fully adhered to, as the data protection authority investigation discovered. 

The compromised server included sensitive subscriber information and call data for the dates September 1, 2020, to September 5, 2020. 

The following are some of the details that have been revealed: 
• Rough positional data of 4,792,869 unique COSMOTE subscribers. 
• Age, gender, plan, and ARPU of 4,239,213 unique COSMOTE subscribers. 
• MSISDN/CLI of 6,939,656 users of other telecommunication providers who communicated with customers of COSMOTE. 
• MSISDN, IMEI, IMSI, and connected tower position for 281,403 roaming subscribers of COSMOTE. 

In some circumstances, the above data could be utilised for highly targeted social engineering, phishing, and even extortion. Nonetheless, for targeted subscribers who may be high-interest personalities, the consequences of the hacking attack could be substantial.

2,77,000 Routers Vulnerable to 'Eternal Silence' Assaults via UPnP

 

'Eternal Silence,' a malicious campaign, is exploiting Universal Plug and Play (UPnP), which switches the router into a proxy server used to execute nefarious assaults while obscuring the threat actors' location. 

UPnP is a connection protocol that enables additional devices on a network to establish port forwarding rules on a router automatically and is optionally available in most modern routers. This allows remote devices to use a certain software function or device as needed, with minimal user configuration. 

However, it is another technology that compromises security for convenience, particularly when the UPnP implementation is subject to attacks that enable remote attackers to add UPnP port-forwarding entries over a device's exposed WAN connection. 

Akamai researchers discovered attackers exploiting this flaw to build proxies that conceal their harmful operations and termed the attack UPnProxy. 

277,000 of the 3,500,000 UPnP routers detected online are vulnerable to UPnProxy, with 45,113 already infected by hackers. 

Analysts at Akamai believe the perpetrators are attempting to exploit EternalBlue (CVE-2017-0144) and EternalRed (CVE-2017-7494) on unpatched Windows and Linux systems, respectively. 

Exploiting these holes can result in a variety of issues, such as resource-intensive cryptominer infections, destructive worm-like attacks that quickly spread across entire corporate networks, or gaining initial access to corporate networks. 

The hackers' new rulesets include the phrase 'galleta silenciosa,' which means 'silent cookie'. 

The injections try to expose TCP ports 139 and 445 on devices connected to the targeted router, which totals around 1,700,000 machines that use SMB services. 

Although Akamai is unaware of the campaign's success rate, it did notice a methodical approach to the scans, focusing on devices that use static ports and routes for their UPnP daemons to inject port forwards.  

The perpetrators may be attempting to exploit EternalBlue (CVE-2017-0144) and EternalRed (CVE-2017-7494) on unpatched Windows and Linux systems, according to Akamai's experts. 

"Because there is a decent possibility that (vulnerable) machines unaffected by the first round of EternalBlue and EternalRed attacks were safe only because they weren't exposed directly to the internet. They were in a relatively safe harbor living behind the NAT," explains Akamai's report 

"The EternalSilence attacks remove this implied protection granted by the NAT from the equation entirely, possibly exposing a whole new set of victims to the same old exploits." 

'Eternal Silence' is a clever attack since it makes the practice of network segmentation ineffective and provides no sign of what is happening to the victim. 

Scanning all endpoints and auditing the NAT table entries is the best technique to see if the devices have been captured. There are a variety of ways to achieve this, but Akamai has made it simple by providing a bash script that can be used to test a potentially vulnerable URL. 

Disabling UPnP won't erase existing NAT injections if someone found a device infected with Eternal Silence. Users will have to reset or flash the device instead. 

Applying the most recent firmware update should also be a priority, since the device vendor may have resolved any UPnP implementation problems via the system update.

CRTC Inquiry Targets Dark Web Marketplace Sellers and Administrator

 

Four Canadians have been fined a total of $300,000 by the CRTC's Chief Compliance and Enforcement Officer for their engagement in the Dark Web marketplace Canadian HeadQuarters (also known as CanadianHQ). Following the execution of warrants by CRTC employees, the marketplace was taken offline. 

CanadianHQ was one of the largest Dark Web marketplaces in the world before it was closed down, and it played a pivotal role in damaging cyber operations in Canada. It specializes in the selling of spamming services, phishing kits, stolen passwords, and accessibility to infected systems, which were utilized by buyers to carry out a variety of malicious activities. 

The CRTC's inquiry centered on four people who reportedly sent emails that looked like they came from well-known companies in order to gain personal information like credit card numbers and banking information. 

The following people have been fined for violating Canada's anti-spam legislation (CASL) by sending commercial electronic messages without consent: 

• $150,000 Chris Tyrone Dracos (a.k.a. Poseidon) 
• $50,000 Marc Anthony Younes (a.k.a. CASHOUT00 and Masteratm) 
• $50,000 - Souial Amarak (a.k.a. Wealtyman and Supreme) 
• $50,000 Moustapha Sabir (a.k.a. La3sa) 

Mr. Dracos faces a harsher sentence as the marketplace's inventor and administrator for allegedly assisting in the execution of multiple CASL violations by the platform's suppliers and customers. Several other suppliers have been uncovered as part of this investigation, and enforcement measures will be taken against them in the near future, as per the sources. The Spam Reporting Centre encourages Canadians to report spam, phishing, and other suspicious practices. 

Steven Harroun, Chief Compliance and Enforcement Officer, CRTC stated, “Some Canadians are being drawn into malicious cyber activity, lured by the potential for easy money and social recognition among their peers. This case shows that anonymity is not absolute online and there are real-world consequences when engaging in these activities. 

“Canadian Headquarters was one of the most complex cases our team has tackled since CASL came into force. I would like to thank the cyber-security firm Flare Systems, the Sûreté du Québec and the RCMP’s National Division for their invaluable assistance. Our team is committed to investigating CASL non-compliance on all fronts.”

REvil Ransomware Operations Seem Unaffected by Recent Arrests

 

According to threat intelligence firm ReversingLabs, the REvil (Sodinokibi) ransomware cooperative's operation has not reduced despite Russia's recent arrest of numerous suspected members of the group. 

The Russian law enforcement agency FSB declared the takedown of the REvil organisation "at the request of US authorities" two weeks ago, yet the ransomware-as-a-service (RaaS) business is still running. 

After years of being accused of permitting malicious hackers to flourish within its borders as long as no Russian citizens or organisations are harmed, Russia appeared to be sending a distinct signal with the arrest of 14 members of the REvil group, even if some witnessed it as a political move amidst rising tensions along the Ukraine border. 

The high-profile arrests of affiliates, however, did not halt REvil operations, as ReversingLabs points out. In reality, the group is operating at the same speed as it was before the arrests. 

Europol reported the arrests of seven people engaged in the spread of REvil and GandCrab ransomware assaults in November 2021 (during seven months), at a time when ReversingLabs was seeing an average of 47 new REvil implants per day (326 per week). 

This was greater than September (43 new implants per day - 307 per week) and October (22 new daily implants - 150 per week), but far lower than July (87 per day - 608 per week) when the group went offline. Following the arrests in Russia, the number of REvil implants observed jumped from 24 per day (169 per week) to an average of 26 per day (180 per week). 

“While it's true that more time may be needed to assess the full impact of the arrests on REvil’s activity, the data so far would suggest that it is ‘business as usual’ for the ransomware gang,” ReversingLabs noted. ReversingLabs senior threat researcher Andrew Yeates stated.

“Threat groups exploit regionalised regulation and distributed organizational structure with sovereign state safe housing, all while leveraging a ‘no-rule’ borderless attack strategy. That makes it ever harder for national and international criminal policing organizations to put an end to threat groups such as REvil.” 

While synchronised action against REvil infrastructure may have had short-term repercussions on the RaaS's prevalence, much stronger action is required to truly stop the cybercrime ring's operations, especially given the group's corporation-like structure, where affiliates launch attacks and receive payments. 

As a result, removing simply affiliates does not affect the core of the RaaS, allowing it to continue operating. Affiliates, on the other hand, can either rebuild the enterprise or relocate to a new RaaS if only the core is removed, and this is relevant for other comparable cybercriminal groups as well.