Search This Blog
Powered by Blogger.

Blog Archive

Labels

About Me

Load More
Trendy Right Now

Popular Posts

Showing posts with label malicious. Show all posts
VPN
Advanced Technology Cybersecurity Cyberthreats Digital Security Digital threats malicious Mobile Plugging Private Network protect Wi-Fi Public Infrastructure TSA USB VPN

TSA Cautions Passengers Against Plugging Into Public USB Charging Stations


 

Despite the Transportation Security Administration's (TSA) widespread recognition for its role in ensuring air travel security through rigorous passenger screening procedures, the agency is now drawing attention to a lesser-known, yet equally concerning, cybersecurity threat faced by airport travellers. The TSA reports that cybercriminals have been exploiting public USB charging stations in airport terminals as well as unsecured Wi-Fi networks in order to gain unauthorized access to travelers' personal information in order to gain access to their information. 

Malicious actors are using sophisticated techniques that are used to compromise devices connected to public charging ports or unprotected internet connections without the user's knowledge, many of which are used by these actors. Once the device is accessed, sensitive information can be extracted, including passwords, financial details, and personal files, potentially resulting in identity theft or financial fraud for the victim.

It is a well-known fact that even something as seemingly harmless as plugging user's phone into a public charging station carries significant risks, according to the agency. As a result of this technique, known as "juice jacking," malicious software is installed or data is stolen directly from a connected device by tampering with USB ports. In the same way, connecting to public Wi-Fi networks with inadequate security measures can expose users to a man-in-the-middle attack, where hackers intercept the communication between the device and the internet and attack the device. 

Technology is evolving rapidly, but as digital threats grow and evolve, the TSA urges travellers to take security very seriously by using personal charging equipment, portable power banks, and secure internet connections. To protect one's digital identity while on the go, it is crucial to stay informed and vigilant. Among the top concerns that the Transportation Security Administration (TSA) has expressed is the growing cybersecurity threats associated with the use of public USB charging stations at airports. 

While these charging stations are convenient for travellers who have long layovers or delays, they may also serve as a gateway for cybercriminals to gain access to their data through their smartphone, tablet, or other electronic devices. A technique known as "juice jacking," in which malicious software is installed covertly within public USB ports, is among the most concerning threats, as it allows malicious software to be installed covertly within them. 

By simply plugging in their device, an unsuspecting traveller is transferring the malware, which could potentially allow hackers to access, corrupt, or extract sensitive information that could be of great use to them. During these attacks, personal data may be accessed byunauthorisedd parties,, including emails, login credentials, financial details and even private photographs or documents stored on the deviceEven thoughat visible warning signs do not usually accompany these infections, victims are often unaware of their information being compromised until it is very late in the game. 

Travellers are strongly advised not to connect their devices directly to public USB ports located in airport terminals, lounges, or charging kiosks to minimise this risk. To minimise the risk of this occurrence, cybersecurity experts and the TSA strongly suggest travellers don't do so. Instead, passengers should carry and use their own power adapters and plug them into standard electrical outlets whenever necessary. 

The use of portable battery packs is a much more secure option since it eliminates the possibility of any potential hardware exposure occurring. While security authorities have repeatedly warned citizens about the risks associated with juice jacking, there has been a lack of awareness among the general public regarding it. Many travellers may overlook the hidden dangers associated with seemingly innocuous charging stations in pursuit of convenience. 

As technology continues to develop and digital threats become more sophisticated, air passengers need to remain vigilant and adopt preventive measures to ensure their personal and financial information remains secure during transit. As a consequence of the threat of "juice jacking" in public spaces like airports, where travellers are frequently seeking out USB charging ports for convenience, this issue is becoming a serious cybersecurity concern. 

The purpose of this type of cyberattack is to compromise any device that has access to a public USB charging station by installing malware that is discreetly installed into these charging stations with the aim of compromising the device. Suppose the malware catches hold of a device while plugged into an infected port. In that case, it can initiate harmful activities, ranging from data theft to complete control of that device, all without the user having any knowledge of it. 

According to the Federal Communications Commission (FCC), malware that is introduced through tampered USB ports can lock the user's device, collect personal information, or harvest passwords stored on that device, which can then be accessed online accounts or sold on the dark web. As a result of such breaches, individuals may experience identity theft and financial fraud as well as unauthorised surveillance of their private communications and documents. 

The risk is further compounded by the fact that there are typically no external signs that indicate a charging station has been compromised, so a traveller may be unable to detect the compromise. Furthermore, airports are also a significant risk for cybersecurity due to unsecured public Wi-Fi networks. A warning from the Transportation Security Administration (TSA) cautions passengers against using free public Wi-Fi, especially when they are conducting online transactions or accessing accounts that require sensitive information to be entered. 

In order to steal credentials or financial information, cybercriminals often exploit open networks by using methods such as man-in-the-middle attacks. These attacks intercept data exchanges between users and websites to steal data. Travellers should generally refrain from entering any confidential information-such as credit card numbers, personal identifying information, or login details-while connected to public wireless networks, as a general rule. 

Several organisations, including the TSA, the FCC, and other government agencies, recommend adopting safer charging methods to reduce the chances of becoming victims of these threats. If the travellers do not want their devices to be exposed to unknown hardware while charging, they are encouraged to carry TSA-compliant power bricks or personal battery packs that provide secure charging. Additionally, it is far safer to use personal power adapters connected to standard electrical outlets than to use public USB ports. 

Additionally, the FCC suggests that travellers invest in USB data blockers or charging-only cables that allow power to be transferred to and from the device, but do not allow data to be transferred. As the digital landscape continues to become more complex, travellers must stay informed and take precautions to stay safe. If travellers avoid high-risk behaviours, such as using public USB ports and unsecured wireless network connections, they will be able to protect their personal information and devices from harm. 

A growing number of airlines and airports are integrating advanced technologies - ranging from mobile boarding passes and biometric identifications to fully automated check-in and boarding services - into modern travel safety and security has become a crucial component of this landscape. This shift has led to the Transportation Security Administration (TSA) expanding its focus beyond physical security measures to include digital security measures in order to address the shifting landscape. 

A recent advisory issued by the agency shows that securing personal data is just as important as securing passengers and luggage in today’s hyperconnected travel environment, and that the agency is aware of this growing understanding. During this summewhenere there will be a surge in international passenger traffic and a lot of busy travel season ahead of us, the TSA's warning arrives at an extremely critical time.

Besides reminding travellers to ensure their luggage and documents are ready to go, it also serves as a timely reminder to make sure their digital defences are strong as well before leaving the country. Travellers are advised to follow several essential cybersecurity practices that will enhance their protection while they are travelling, including not charging their devices through public USB ports and connecting to unsecured Wi-Fi networks. 

In order to ensure users' devices are fully up-to-date and that they contain the latest operating system patches and antivirus software, make sure that all their devices (phones, tablets, and laptops) are updated before leaving the country. These updates often contain important security enhancements that prevent newly found threats from being exploited. 

It is important to utilise strong authentication measures, which include using strong, unique passwords for all accounts. In addition, multi-factor authentication (MFA) provides a more protective layer, making sure that even if users' login credentials are compromised, users will be significantly less likely to be accessed by unauthorised individuals. 

In order to protect their digital footprint, travellers should always keep their devices physically secure, especially in public places such as airport lounges, cafes, and rest areas where they will not be disturbed by others. They should also never share passwords or access PINs, even with acquaintances, to maintain control over their digital footprints. 

Keeping important data in backups is essential to ensure that information does not get lost if the device is stolen, damaged, or malfunctions during its transport, because data is regularly saved in secure cloud storage or external backup devices. 

It is advisable to disable automatic Wi-Fi connectivity to prevent devices from unknowingly connecting to undeclared or malicious networks, as well as joining familiar and trusted networks. For extra security, travellers ought to use a virtual private network (VPN) for online security. 

There is a lot to be said for integrating these simple yet effective practices into the travel routines of passengers, reducing the risk that they will fall victim to digital threats significantly. In an age when convenience and connectivity dominate the travel experience, people must remain aware of cybersecurity issues to ensure that technology remains a valuable asset throughout the travel rather than a vulnerability. 

Taking into consideration the blurring line between physical and digital security when travelling by air, it is becoming increasingly important for travellers to recognise that cybersecurity is now an essential part of the security process. Cyber threats to public infrastructure reinforce a bigger truth: convenience is often accompanied by a loss of caution when it comes to public infrastructure. 

Airports are constantly enhancing passengers' experiences with innovative digital services, however, it is ultimately the individual's responsibility to ensure that their data is protected. It is important for travellers to cultivate proactive digital habits to safeguard not only their device but also their digital identities. These include checking the legitimacy of charging stations, using encrypted communication channels, and staying up to date on evolving cyber tactics. 

The TSA’s advisory is not just a warning—it’s a call to action. Keeping digital hygiene is an essential part of staying connected in a world in which it is now as common as packing a passport or getting a boarding pass.T Travellers who embrace this mindset will not only enjoy a smoother trip, but they will also be able to ensure their personal data reaches their destination safely.
Read more »
TOAD
Android 16 CyberCrime CyberThreat Google In- Call Secuity malicious Phone Call Play Store Privacy Scammers TOAD

Enhanced In-Call Security in Android 16 Aims to Tackle Scammers

 


As part of a new security feature being developed by Google, users will no longer be able to modify sensitive settings when they are on a phone call. As a part of the in-call anti-scam protection, users are specifically prevented from enabling settings that allow applications to be installed from unknown sources and the grant of accessibility access as part of this in-call anti-scam protection. 

To mitigate the risk of scams exploiting these permissions during phone conversations, the developers of the app have developed several features. Android Authority was the first to report the development. As users attempt to alter their information while speaking to a customer service representative, a warning message appears stating as follows: "Scammers often request these actions during phone call conversations, so that is why it has been blocked. If users are guided to do this by someone they are not familiar with, it could be a scam." 

A new version of Android 16 Beta 2 was released this week, which introduced several new features and a modification to the phone call settings. The new features are intended to help improve not only the user experience but also to protect users against fraudulent scams. One of the features, which has just been introduced, is anti-scammer protection during phone calls, which is designed to protect the privacy and sensitive data of users during a phone call. 

The number of telephone scams has grown to an alarming level of sophistication, with scammers now employing ever-increasing sophistication to deceive unsuspecting individuals for fraudulent purposes. It is also common to install malware on individuals to gain access to sensitive information. Android 16 Beta 2 addresses this issue by implementing restrictions that prevent users from enabling certain sensitive settings, such as sideloading permissions, while a phone call is active, to reduce the risk of scams exploiting these permissions during conversations. 

The purpose of this measure is to enhance security by reducing the risk of scams. Moreover, Android 16 Beta 2 also introduces a restriction that prevents users from granting applications access to accessibility services when a phone call is currently underway. As of earlier this week, Android 16 Beta 2 now includes this feature, which was implemented by adding additional security measures to counter a technique commonly used by malicious actors to distribute malware. 

It was first introduced in Android 16 beta 2. As part of this method, which is known as telephone-oriented attack delivery (TOAD), a false sense of urgency is created and sent to potential victims to coerce them into calling a specific number. The NCSC-FI and the NCC Group reported in 2023 that cybercriminals were distributing dropper applications through SMS messages and phone calls to deceive individuals into installing malware, such as Vultr. The hacker community intended to use this technique to trick people into installing malware. 

 The company introduced several new security features as part of Android 15 when it began rolling out last year, aimed at reducing the risks caused by malicious applications as they were introduced. Google took these measures, among them was the automatic disabling of sensitive permissions for apps that weren't available in Gthe oogle Play Store or was downloaded from unverified sources that posed a threat to users. The goal of this enhancement is to better protect users from potential scams and the possibility of unauthorized access to sensitive information. 

The sideloading permission, which allows apps to install other apps, is disabled as a security measure by default to prevent malicious software from installing outside of official app stores, which poses significant risks for users. Users must be able to enable this permission manually through Settings > Apps > Special App Access > Install Unknown Apps. Furthermore, users who are enrolled in Advanced Protection Mode are not permitted to modify this permission due to the significant security risks involved. As a result, unauthorized installations can be prevented and overall device security will be enhanced. 

The Android 16 operating system offers additional security measures even if a user already allows sideloading or has installed malicious apps; the device also blocks the possibility of granting access to accessibility during phone calls when the user doesn't want it granted. This restriction is vital because applications that offer accessibility can exert a lot of control over a device, which may compromise user security and privacy. 

The misuse of such permissions can result in malicious applications stealing sensitive data or locking users out of their devices, as well as performing harmful actions. To combat scammers exploiting phone conversations as a way to install malware or gain unauthorized access to critical permissions, Google is preventing these changes during active calls. It is becoming increasingly sophisticated as cybercriminals utilize phone calls as a primary method of manipulating and defrauding individuals as online scams get more sophisticated. In particular, these scams are usually targeted at older people or those who are less familiar with digital security practices. 

Often, scammers use psychological tactics to deceive victims into following their instructions, such as inducing a false sense of urgency or fear. A scammer usually lures victims into installing applications, often under the guise of providing technical assistance with an issue that is fabricated. Once the attacker has installed the application, it gives him or her access to the victim's device, potentially allowing them to exploit it further. As part of Google's proactive efforts to mitigate these threats, it has implemented enhanced security features on Android 16. 

The Android 16 update will restrict users from sideloading applications or granting high-risk permissions during a phone call, which will help to reduce the effectiveness of such fraud schemes and improve overall user security. A significant advancement in mobile protection, especially as phone scams are becoming increasingly complex, this security feature represents a significant advance in mobile protection. 

With Google's introduction of obstacles into the scam process, Google hopes that fraudulent activity will become more difficult to carry out. Even in cases where scammers instruct victims to terminate a call and attempt the process again, the additional step required to activate certain settings may raise suspicion and may discourage the victim from trying it again. 

As part of Android 16 Beta 2, Google has implemented anti-scammer protections that allow users to access their phone while they are on a call, a proactive approach to fighting the growing threat of phone scams. By limiting access to sensitive settings while they are on a call, the company seeks to enhance user security and prevent malicious actors from exploiting them.
Read more »
Supply-chain
Cyber Attacks Cyber Hijack Cyber websites CyberCrime Cyberhackers JFrog Security malicious PyPI python Software Supply-chain

22,000 PyPI Packages Affected by Revival Hijack Supply-Chain Attack

 


It has been discovered that hackers can distribute malicious payloads easily and efficiently through the package repository on the PyPI website by using a simple and troublesome exploit. A JFrog security researcher has discovered a new supply chain attack technique using which they can attack PyPI repositories (Python Package Index) that can be used to hack them. 

Hundreds of thousands of software packages can potentially be affected by this attack technique and countless users could be affected as a result. A technique known as "Revival Hijack," exploits a policy loophole by which attackers may re-register the names of packages that have been removed from PyPI by their original developers and hijack the names themselves once the packages have been removed from PyPI. 

As part of an attack against the Python Package Index (PyPI) registry, a new supply chain attack technique has been uncovered in the wild, which is designed to infiltrate downstream organizations by exploiting the PyPI registry. There is an attack vector called "Revival Hijack" which involves the registration of a new project with a name that matches a package that has been removed from the PyPI platform which may then serve as an attack vector. 

If a threat actor manages to do this, then they will be able to distribute malicious code to developers who pull updates periodically. A software supply chain security firm named JFrog, which specializes in software supply chain security, has codenamed this attack method Revival Hijack, claiming to be able to hijack 22,000 existing PyPI packages, which in turn will result in hundreds of thousands of malicious packages being downloaded. 

There are more than 100,000 downloads or six months' worth of activity on the affected packages and are more susceptible to exploits. A very common technique used by Revival Hijack is to take advantage of the fact that victims are often unknowingly updating once-safe packages without being aware that they have been altered or compromised. Further, CI/CD machines are set up with a mechanism for automatically installing package updates so that they can be applied right away. 

A similar attack technique was discovered by Jfrog earlier this year, which is one of several different attacks that adversaries have been developing in recent years to try and sneak malware into enterprise environments using public code repositories like PyPI, npm, Maven Central, NuGet, and RubyGems, and to steal sensitive data. As a part of these attacks, popular repositories have often been cloned and infected, poisoning artifacts have been used, and leveraged leaked secrets such as private keys and database certificates have been revealed. 

According to JFrog researchers Brian Moussalli and Andrey Polkovnichenko, there is a much higher risk here than in previous software supply chain hacks that relied primarily on typosquatting and human error to distribute malicious code throughout software websites. When a developer decides to delete a project from PyPI, they are given a warning about the potential repercussions that may arise, including the Revival Hijack scenario that could occur. 

The dialogue warns that deleting this project will give the name of the project to anyone else who uses PyPI", so please refrain from doing so. In this scenario, the user will be able to issue new releases under the project name as long as the distribution files have not been renamed to match those from a previously released distribution. According to the motive of the attacker, the "Revival Hijack" attack vector can result in hundreds of thousands of increments as a result of the attack, depending on the motive. 

As far as exploiting this technique is concerned, it can be applied to exploiting abandoned package names to spread malware. Researchers observed this in action with the hijack of the "pingdomv3" package, which was detected by research teams. This package has been given the version number 0.0.0.1 to avoid a dependency confusion attack scenario, in which developer packages would be pulled by pip upgrade commands when they were run as a part of the upgrade process. 

In addition, it is worth noting that Revival Hijack has already been exploited in the wild, by an unknown threat actor called Jinnis who introduced a benign version of a package titled "pingdomv3" on March 30, 2024, just two days after the original package's owner (cheneyyan) removed it from PyPI. There has been a report that says the new developer has released an update containing a Base64-encoded payload, which checks for the presence of the "JENKINS_URL" environment variable, and if it exists, executes an unknown next-stage module retrieved from a remote server after checking for the appearance of the "JENKINS_URL." environment variable. 

Although JFrog proposed this precaution as a preventative measure, over the last three months it has received nearly 200,000 downloads both manually and automatically, proving that the Revival Hijack threat is very real, the security company announced. In making an analysis of this data, JFrog reported that there are outdated jobs and scripts out there that are still searching for the deleted packages, as well as users who manually downloaded these packages due to typosquatting. 

Depending on how the hijacked packages are hijacked, the adversaries may attach a high version number to each package, which will cause the CI/CD systems to automatically download the hijacked packages believing they are the latest version. This will ultimately cause a bug to develop, JFrog explained. As a result of the company's recommendation, PyPI has effectively prohibited the reuse of abandoned package names as well.

Some organizations use PyPI that need to be aware of this attack vector when updating to new versions of the package, JFrog warns. There is a non-public blacklist maintained by PyPI, which prevents certain names from being registered on new projects, but most deleted packages don't make it to that list because there is a non-public blacklist maintained by PyPI. It was due to this that the security firm took indirect measures to mitigate the "Revival Hijack" threat and added the most popular of the deleted and vulnerable packages to an account named security_holding under which they could be monitored. 

As a result of the researchers changing the version numbers of the abandoned packages to 0.0.0.1, they make sure that it does not affect active users while updating the packages. As a result, the package names are preserved and are not susceptible to theft by malicious actors who may want to use them for offensive purposes. The third month later, JFrog discovered that the packages in their repository seemed to have been downloaded by nearly 200,000 people due to automatic scripts or user errors. There are a lot more risks involved in "Revival Hijack" than the standard typosquatting attacks on PyPI. 

This is because users pulling updates for their selected projects for which they have permission do not make mistakes when doing so. It's best to mitigate this threat by utilizing package pinning to stay on a known secure version, verify the integrity of the package, audit its contents, and watch for any changes in package ownership or unusual updates.
Read more »
Privnote
Cryptocurrency Breach Data Breach Data Theft malicious phishing Privnote

Privnote Secure Messaging App Is Under Phishing Threat

 

Privnote.com, launched in 2008, revolutionized secure messaging with its encryption technology. It allows users to send messages with a unique link, ensuring privacy as the content self-destructs after reading. However, its popularity among cryptocurrency enthusiasts also drew the attention of malicious actors who engaged in phishing activities. 

Phishers exploit Privnote's model by creating clones, such as privnote[.]co, that mimic its functionality. These clones surreptitiously replace cryptocurrency addresses when users create notes containing crypto wallets. Thus, unsuspecting users fall victim to sending funds to the phisher's address instead of the intended recipient. 

GitHub user, fory66399, lodged a complaint last month against MetaMask, a cryptocurrency wallet, alleging wrongful flagging of privnote[.]co as malicious. Threatening legal action, fory66399 demanded evidence and compensation. However, MetaMask's lead product manager, Taylor Monahan, swiftly debunked these claims by providing screenshots showing the fraudulent activities of privnote[.]co. 

According to DomainTools.com, the domain privatenote[.]io has changed hands between two individuals: Andrey Sokol from Moscow and Alexandr Ermakov from Kiev, over two years. While these names may not be the real identities of the scammers, they provide clues to other sites targeting Privnote since 2020. 

Furthermore, Alexandr Ermakov is linked to several other domains, including pirvnota[.]com, privatemessage[.]net, privatenote[.]io, and tornote[.]io, as per DomainTools. This suggests a potential network of fraudulent activities associated with Privnote, emphasizing the need for caution in identifying phishing attempts. 

Let’s Understand Suspicious Activities on Privnote: 

Domain Registrations: The domain pirvnota[.]com saw a change in registration details from Andrey Sokol to "BPW" and "Tambov district" as the registrant's state/province. This led to the discovery of pirwnote[.]com, along with other suspicious domains like privnode[.]com, privnate[.]com, and prevnóte[.]com, all linking to the same internet address. Interestingly, pirwnote[.]com is now selling security cameras from a Hong Kong-based internet address. 

Deceptive Legitimacy: Tornote[.]io appears to have undergone efforts to establish credibility. A Medium account has published numerous blog posts endorsing Tornote as a secure messaging service. However, testing reveals its malicious intent, as it also alters cryptocurrency addresses in messages. 

Search Engine Manipulation: Phishing sites manipulate search engine results to appear prominently for terms like "privnote." Currently, a Google search for "privnote" lists tornote[.]io as the fifth result. These sites rotate cryptocurrency addresses every five days to evade detection. 

According to the Privnote website, it is a web-based service focused on privacy, allowing users to create encrypted notes shared via unique one-time-use HTTPS links. Notes and their contents are processed securely in users' browsers, with no readable data stored on Privnote's servers. 

IP addresses are processed solely for communication and promptly deleted thereafter. Personal data within notes remains encrypted and inaccessible to Privnote. The service uses cookies for functional and non-functional purposes, respecting user privacy preferences. Privnote does not target children under 16 and commits to regularly updating its Privacy Policy.
Read more »
Vulnerabilities and Exploits
Cyberattacks Cybercrimes Google Docs Google Drive malicious Vulnerabilities and Exploits

Attackers Can Hide Malicious Apps Using the Ghost Token Flaw

 


The Google Cloud Platform (GCP) has recently been patched against a zero-day vulnerability called GhostToken, which allowed attackers to infect the platform to create an invisible and irrecoverable backdoor. A malicious attacker could exploit this flaw and gain access to a victim's account. 

By exploiting this flaw, he could also manipulate their data and documents within Gmail or Google Docs. As a result, the victim is completely unaware that this is taking place. By the name GhostToken, the issue has been identified by Israeli cybersecurity startup Astrix Security. The issue affects all Google accounts, including enterprise accounts. From June 19 through June 20, 2022, this issue was discovered and reported to Google. More than nine months after the global patch was released on April 7, 2023, the company deployed a global update. 

According to a recent post by Astrix Security, the GhostToken zero-day vulnerability could allow malicious apps to be installed in the target Google Cloud via the GhostToken zero-day vulnerability. 

The flaw allows attackers to hide their malicious apps from the victim's "Application Management" page in their Google Account to hide them from view by a user logged in to their Google Account. A user is unable to revoke access by doing this. This prevents them from doing so. By doing this, it is ensured that the GCP project associated with the OAuth application that they have been authorized to use remains in a state that says "pending deletion" by deleting it. A threat actor equipped with this capability could restore the project. After restoring it, the rogue app is visible again. As well as gaining access to the victim's data, he could make it invisible again by using the access token to obtain it himself. 

An adversary or attacker could exploit the GhostToken vulnerability to access sensitive information in the target account's Google Drive, Calendar, Photos, Google Docs, Google Maps (location data), and other Google Cloud Platform services provided by the target account. The technical team discovered the vulnerability in June 2022, reported it to Google, and asked them to fix it. Despite acknowledging this problem in August 2022, Google did not release a patch until April 2023. This is despite acknowledging the flaw in August 2022. 

The bug was patched before it was exploited by an active user, enabling Google to release the fix before it was exploited. In the users’ app management option, there is an option to show OAuth application tokens for apps scheduled for deletion as part of the patch. 

Despite the tech giant's fix, Google users must also check their accounts to determine whether there are any unrecognized apps. Additionally, to prevent any risk of damage to their devices, users should ensure that third-party apps have minimal access permissions.

A patch released by Google has been rolled out to address this issue, and it now displays apps in a pending deletion state within the third-party access section of the website. As a result, users can uninstall such apps by revoking their permissions.

There was a vulnerability in Google Cloud's Cloud Asset Inventory API that led to privilege escalation, known as Asset Key Thief, which has now been fixed. Using this vulnerability, users can steal private keys for use in Service Accounts, allowing them to access valuable data they manage. The software giant patched the issue discovered by SADA earlier this month, on March 14, 2023, two months after discovery.
Read more »
Vulnerability and Exploits.
Covid IT Breach malicious Software USB User Privacy Vulnerability and Exploits.

Hackers can Overcome Air-Gapped Systems to Steal Data


What are air gaped systems?

An air gap is a safety feature that isolates a computer or network and prevents it from connecting to the outside world. A computer that is physically isolated and air-gapped is unable to communicate wirelessly or physically with some other computers or network components. 

Data must first be copied on a removable media device, like a USB drive, and then physically transported to the air-gapped system from the computer or network. Only a select group of trusted users should be able to access the air-gapped system in situations where security is of the utmost importance.

New Technique 

Researchers at Ben-Gurion University of the Negev's Department of Software and Information Systems Engineering have developed a novel method for breaching air-gapped systems that takes advantage of the computer's low-frequency electromagnetic radiation.

According to Mordechai Guri, director of research and development at the Cyber Security Research Center at Ben Gurion University, "the attack is very evasive because it executes from a regular user-level process, does not require root capabilities, and is successful even within a Virtual Machine."

The COVID-bit technique makes use of on-device malware to produce electromagnetic radiation in the 0–60 kHz frequency region, which is then transmitted and detected by a covert receiving device in close vicinity.

After SATAn, GAIROSCOPE, and ETHERLED, which are intended to hop across air-gaps and extract private data, COVID-bit is the most recent method developed by Dr. Guri this year.

By utilizing electromagnetic emissions from a component known as a switched-mode power supply (SMPS) and encoding the binary data using a technique known as frequency-shift keying (FSK), the virus uses the COVID-bit, one of these covert channels, to communicate information.

The research article advises employing antivirus software that can recognize strange CPU patterns in addition to limiting the frequencies that some CPUs can use in order to protect air-gapped computers from this kind of attack.

Read more »
Vulnerabilities
and Exploits CommanSpirit Health Cyber Attacks malicious Ransomware Vulnerabilities

Recovery From Ransomware Attack Continues At CHI Health

 


On Tuesday, CommonSpirit Health, one of the country's biggest health systems, told an unspecified "IT Security Incident" that affected multiple regions, has disrupted hospital operations across the nation. As a security measure, a few systems were taken offline in the wake of the attack which also forced patients' procedures to be rescheduled. 

In the case of a ransomware attack, malware is typically infected onto the computer by someone manually loading the infected software. This is done by clicking on a malicious link in an email or on a website. Infected software can be downloaded either manually or through malicious links embedded in emails or sites. There is a goal behind the attack, which is to take control of computer systems or files to disable them.

As soon as the attackers gain access to the network they will be able to demand a ransom. This money is then exchanged for the encryption key from the organization.

A statement issued by CHI Health on Wednesday night noted that CommonSpirit "took immediate steps to protect our systems, contain the incident, begin an investigation and ensure continuity of care upon learning about the ransomware attack. In addition to providing our patients, employees, and caregivers with relevant updates regarding the ongoing situation, we continue to provide the highest level of care for patients. Despite this, we remain committed to maintaining the highest level of patient care and apologize for any inconveniences this matter may have caused."

CHI Health has said that some appointments and procedures have had to be rescheduled or delayed since the attack was reported at the beginning of October; this is due to the unexpected nature of the attack.

There have been reports in recent years that hospitals are following protocols if there are system outages. This includes taking certain records offline including national health records. Additionally, they are taking steps to mitigate disruptions and maintain continuity of care in the wake of an outage.

"To support and assist our team with further investigation and response work, we have engaged leading cybersecurity experts as well as notified law enforcement, and we are conducting a comprehensive forensic investigation to ensure full functionality and to reconnect all of our systems," the hospital told. 

Some patients have expressed frustration with the CommonSpirit Health attack, which some patients say has led to doctors using paper charts instead of computers. This can be a frustrating experience. Making appointments and getting prescriptions from the doctor are some of the challenges that need to be addressed.

According to the Omaha World-Herald, Edward Porter, a diabetic from Omaha, was unable to reorder sensors for his continuous glucose monitor because CHI Health's systems are currently offline, posing a problem with reordering the sensors for his insulin pump.

Under the employer-provided medical insurance that he uses, the devices are considered durable medical equipment the policy. As a general rule, he gets them at a CHI Health pharmacy which is specialized in handling these kinds of devices. Buying them out-of-pocket would cost at least $75 per person, which is an expense that he has not budgeted for, and will not be able to afford.

Neither Common Spirit nor any of its affiliate companies have announced publicly whether the attack has affected all 1,000 care facilities in 21 states, which include 140 hospitals. Additionally, the hospital has not commented on whether any personal or medical data of the patients was compromised as well.

Evidently, the attack has affected the healthcare sector in a significant way; according to Brett Callow, a threat analyst with cybersecurity service provider Emsisoft, it might be the biggest-ever attack ever experienced by a hospital. 
Read more »
Vectors
attacks Bugs Cyber Attacks Flaws malicious Vectors

‘Evil PLC’ Could Turn PLCs Into Attack Vectors

 

When one thinks of someone hacking a programmable logic controller, one usually think of the PLC as the end objective of the assault. Adversaries use other systems to get at what will eventually allow them to cause industrial damage. 

However, a Claroty Team 82 DefCon presentation asks the following question: what if someone exploited a PLC as a vector rather than the destination? The researchers feel that the "Evil PLC" attack scenario is novel: infecting every engineer who interfaces with a PLC with malicious malware. 

Claroty revealed a series of 11 additional vendor-specific vulnerabilities that would allow the attack as proof of concept. These flaws have been discovered in Ovarro TBOX, B&R (ABB) X20 System, Schneider Electric Modicon M340 and M580, GE MarkVIe, Rockwell Micro Control Systems, Emerson PACSystems and Xinje XDPPro platforms. All but the Emerson were issued CVEs. Claroty came up with the notion after trying to learn more about the opponents that attack their honeypots.

“We asked ourselves, how can we actively attack the attackers? We don't know anything about them. We cannot find them,” said Claroty director of research Sharon Brizinov. “And then we kind of had a eureka moment and we thought, okay, what if the PLC was to be weaponized?”

Claroty used a ZipSlip attack against vendors (Emerson, Ovarro, B&R, GE, and Xinje), a heap overflow against Schneider, and a deserialization attack against Rockwell to create an Evil PLC. Evil PLC, according to Claroty, would be suited for two assault scenarios. The first scenario would be if the PLC was the only entry point into a secure facility. Waiting for an engineer to connect to the PLC allows the attacker to infect the engineer's workstation. This might be sped up by encouraging an early inspection using the newfound access to the PLC.

“Once the attacker weaponized the PLC, maybe they deliberately cause a fault on the PLC. The engineer would be lured to the PLC to check what's going on with it,” said Brizinov. 

Another possibility is to take use of the large number of PLCs maintained by outside professionals. One engineer is linked to one PLC could spread malicious code across several enterprises. 

“Usually PLCs are the crown jewel. When we're talking about classic attack vectors in ICS domains we're always seeing the PLC as the endpoint, the end goal; but if we're playing with those ideas and shifting our thoughts a bit, we can we can get to new ways of how to defend and attack both networks,” Brizinov said. 
Read more »
Subscribe to: Posts (Atom)