NSA Advisory on Chinese Government Hacking
The NSA released an advisory listing the top twenty-five known vulnerabilities currently being exploited by Chinese nation-state attackers.
This advisory provides Common Vulnerabilities and Exposures (CVEs) known to be recently leveraged, or scanned-for, by Chinese state-sponsored cyber actors to enable successful hacking operations against a multitude of victim networks. Most of the vulnerabilities listed below can be exploited to gain initial access to victim networks using products that are directly accessible from the Internet and act as gateways to internal networks. The majority of the products are either for remote access (T1133) or for external web services (T1190), and should be prioritized for immediate patching.
Sidebar photo of Bruce Schneier by Joe MacInnis.
Hacking Apple for Profit
Five researchers hacked Apple Computer’s networks — not their products — and found fifty-five vulnerabilities. So far, they have received $289K.
One of the worst of all the bugs they found would have allowed criminals to create a worm that would automatically steal all the photos, videos, and documents from someone’s iCloud account and then do the same to the victim’s contacts.
Lots of details in this blog post by one of the hackers.
While there has been a year-over-year decrease in publicly disclosed data breaches, an Arctic Wolf report reveals that the number of corporate credentials with plaintext passwords on the dark web has increased by 429 percent since March.
For a typical organization, this means there are now, on average, 17 sets of corporate credentials available on the dark web that could be used by hackers.
With access to just one corporate account, attackers can easily execute account takeover attacks, which allow them to move laterally within an organization’s corporate network and gain access to sensitive data, intellectual property, competitive information, or funds.
Cybersecurity incidents now occur after hours
The sharp increase in corporate credential leaks underscores the need for organizations to have dedicated 24×7 monitoring of their network, endpoint, and cloud environments in order to prevent targeted attacks that could happen at any time.
Of the high-risk security incidents observed, 35% occur between the hours of 8:00 PM and 8:00 AM, and 14% occur on weekends, times when many in-house security teams are not online.
“The cybersecurity industry has an effectiveness problem. Every year new technologies, vendors, and solutions emerge. Yet, despite this constant innovation, we continue to see breaches in the headlines.
“The only way to eliminate cybersecurity challenges like ransomware, account takeover attacks, and cloud misconfigurations is by embracing security operations capabilities that fully integrate people, processes, and technology,” said Mark Manglicmot, VP Security Services, Arctic Wolf.
COVID-19 increasing the number of security operations challenges
- A 64 percent increase in phishing and ransomware attempts – Hackers have created new phishing lures around COVID-19 topics and adapted traditional lures seeking to take advantage of remote workers.
- Critical vulnerability patch time has increased by 40 days – A combination of higher common vulnerabilities and exposures (CVE) volumes, more critical CVEs, and the emergence of a remote workforce have significantly slowed the patching programs at many organizations.
- Unsecured Wi-Fi usage is up by over 240 percent – Remote workforces connecting to open and unsecured Wi-Fi networks outside of their office or home are now facing increased risks of malware exposure, credential theft, and browser session hijacking.
More than 80% of global employees do not want to return to the office full-time, despite 30% of employees claiming that being isolated from their team was the biggest hindrance to productivity during lockdown, a MobileIron study reveals.
The COVID-19 pandemic has clearly changed the way people work and accelerated the already growing remote work trend. This has also created new security challenges for IT departments, as employees are increasingly using their own personal devices to access corporate data and services.
Adding to the challenges posed by the new “everywhere enterprise” – in which employees, IT infrastructures, and customers are everywhere – is the fact that employees are not prioritizing security. The study found that 33% of workers consider IT security to be a low priority.
Mobile devices and a new threat landscape
The current distributed remote work environment has also triggered a new threat landscape, with malicious actors increasingly targeting mobile devices with phishing attacks. These attacks range from basic to sophisticated and are likely to succeed, with many employees unaware of how to identify and avoid a phishing attack. The study revealed that 43% of global employees are not sure what a phishing attack is.
“Mobile devices are everywhere and have access to practically everything, yet most employees have inadequate mobile security measures in place, enabling hackers to have a heyday,” said Brian Foster, SVP Product Management, MobileIron.
“Hackers know that people are using their loosely secured mobile devices more than ever before to access corporate data, and increasingly targeting them with phishing attacks. Every company needs to implement a mobile-centric security strategy that prioritizes user experience and enables employees to maintain maximum productivity on any device, anywhere, without compromising personal privacy.”
The study found that four distinct employee personas have emerged in the everywhere enterprise as a result of lockdown, and mobile devices play a more critical role than ever before in ensuring productivity.
- Typically works in financial services, professional services or the public sector.
- Ideally splits time equally between working at home and going into the office for face-to-face meetings; although this employee likes working from home, being isolated from teammates is the biggest hindrance to productivity.
- Depends on a laptop and mobile device, along with secure access to email, CRM applications and video collaboration tools, to stay productive.
- Believes that IT security ensures productivity and enhances the usability of devices. At the same time, this employee is only somewhat aware of phishing attacks.
- Works constantly on the go using a range of mobile devices, such as tablets and phones, and often relies on public WiFi networks for work.
- Relies on remote collaboration tools and cloud suites to get work done.
- Views unreliable technology as the biggest hindrance to productivity as this individual is always on-the-go and heavily relies on mobile devices.
- Views IT security as a hindrance to productivity as it slows down the ability to get tasks done. This employee also believes IT security compromises personal privacy.
- This is the most likely persona to click on a malicious link due to a heavy reliance on mobile devices.
- Finds being away from teammates and working from home a hindrance to productivity and can’t wait to get back to the office.
- Prefers to work on a desktop computer from a fixed location than on mobile devices.
- Relies heavily on productivity suites to communicate with colleagues in and out of the office.
- Views IT security as a low priority and leaves it to the IT department to deal with. This employee is also only somewhat aware of phishing attacks.
- Works on the frontlines in industries like healthcare, logistics or retail.
- Works from fixed and specific locations, such as hospitals or retail shops. This employee can’t work remotely.
- Relies on purpose-built devices and applications, such as medical or courier devices and applications, to work. This employee is not as dependent on personal mobile devices for productivity as other personas.
- Realizes that IT security is essential to enabling productivity. This employee can’t afford to have any device or application down time, given the specialist nature of their work.
“With more employees leveraging mobile devices to stay productive and work from anywhere than ever before, organizations need to adopt a zero trust security approach to ensure that only trusted devices, apps, and users can access enterprise resources,” continued Foster.
“Organizations also need to bolster their mobile threat defenses, as cybercriminals are increasingly targeting text and SMS messages, social media, productivity, and messaging apps that enable link sharing with phishing attacks.
“To prevent unauthorized access to corporate data, organizations need to provide seamless anti-phishing technical controls that go beyond corporate email, to keep users secure wherever they work, on all of the devices they use to access those resources.”
Hacking a Coffee Maker
As expected, IoT devices are filled with vulnerabilities:
As a thought experiment, Martin Hron, a researcher at security company Avast, reverse engineered one of the older coffee makers to see what kinds of hacks he could do with it. After just a week of effort, the unqualified answer was: quite a lot. Specifically, he could trigger the coffee maker to turn on the burner, dispense water, spin the bean grinder, and display a ransom message, all while beeping repeatedly. Oh, and by the way, the only way to stop the chaos was to unplug the power cord.
In any event, Hron said the ransom attack is just the beginning of what an attacker could do. With more work, he believes, an attacker could program a coffee maker — and possibly other appliances made by Smarter — to attack the router, computers, or other devices connected to the same network. And the attacker could probably do it with no overt sign anything was amiss.
Documented Death from a Ransomware Attack
A Dusseldorf woman died when a ransomware attack against a hospital forced her to be taken to a different hospital in another city.
I think this is the first documented case of a cyberattack causing a fatality. UK hospitals had to redirect patients during the 2017 WannaCry ransomware attack, but there were no documented fatalities from that event.
The police are treating this as a homicide.
Amazon Delivery Drivers Hacking Scheduling System
Amazon drivers — all gig workers who don’t work for the company — are hanging cell phones in trees near Amazon delivery stations, fooling the system into thinking that they are closer than they actually are:
The phones in trees seem to serve as master devices that dispatch routes to multiple nearby drivers in on the plot, according to drivers who have observed the process. They believe an unidentified person or entity is acting as an intermediary between Amazon and the drivers and charging drivers to secure more routes, which is against Amazon’s policies.
The perpetrators likely dangle multiple phones in the trees to spread the work around to multiple Amazon Flex accounts and avoid detection by Amazon, said Chetan Sharma, a wireless industry consultant. If all the routes were fed through one device, it would be easy for Amazon to detect, he said.
“They’re gaming the system in a way that makes it harder for Amazon to figure it out,” Sharma said. “They’re just a step ahead of Amazon’s algorithm and its developers.”
How the FIN7 Cybercrime Gang Operates
The Grugq has written an excellent essay on how the Russian cybercriminal gang FIN7 operates. An excerpt:
The secret of FIN7’s success is their operational art of cyber crime. They managed their resources and operations effectively, allowing them to successfully attack and exploit hundreds of victim organizations. FIN7 was not the most elite hacker group, but they developed a number of fascinating innovations. Looking at the process triangle (people, process, technology), their technology wasn’t sophisticated, but their people management and business processes were.
Their business… is crime! And every business needs business goals, so I wrote a mock FIN7 mission statement:
Our mission is to proactively leverage existing long-term, high-impact growth strategies so that we may deliver the kind of results on the bottom line that our investors expect and deserve.
How does FIN7 actualize this vision? This is CrimeOps:
- Repeatable business process
- CrimeBosses manage workers, projects, data and money.
- CrimeBosses don’t manage technical innovation. They use incremental improvement to TTP to remain effective, but no more
- Frontline workers don’t need to innovate (because the process is repeatable)
Hacking AI-Graded Tests
The company Edgenuity sells AI systems for grading tests. Turns out that they just search for keywords without doing any actual semantic analysis.
1&1~=Umm • September 4, 2020 4:25 AM
“Batteries are made in China/India, so it’s not a pollution people see, or think about.”
Elon Musk gets batteries from where?
“From the battery manufacturing to its currently inexistent recycling.”
There is some recycling currently going on in the West. In part it’s from splitting battery packs down and pulling out bad cells and reusing the good cells. For some reason that is not understood as well as many would hope the lifetime on lithium cells is very variable and in some cases as much as 5:1. Which is why it is cost effective for people building their own “PowerWalls” to buy up both used vehicle cells and used computer cells. As for more industrial style “recycling” as with most recycling it’s actually ‘market driven’ that is currently there is no market for the recycled parts with sufficient profit for the usual Asian operations to get involved. But,
“Most electric cars take between 300.000 and 500.000km to even out their pollution with older diesel/gasoline ones, just because of the enormous initial pollution to produce the lithium, and electronics.”
I think you need to compare like with like. European studies have shown that the average family car takes ~25 years of usage to repay its “manufacturing pollution” offset. Both iron and aluminium require a very, very large electrical input for the smelting process, so much so, in fact, that for many years aluminium smelting was only carried out in areas with lots of low-cost electricity produced by hydroelectric generation. The studies of interest were carried out before electronic engine management and its consequent ‘extra pollution’ became prevalent.
The real issue between electric and IC vehicles is actually twofold. Firstly, the inefficiencies of the total drive chain from storage to vehicle movement. Even with the old heavy lead-acid batteries used in “delivery vehicles”, having nearly no mechanical drive chain tipped the balance in favour of electric vehicles. Secondly, though, was and still remains the issue of fuelling. An IC-engined vehicle can be ‘charged’ in a matter of minutes, whilst batteries can take hours to sizeable fractions of a day. If you were to try to replace the current fossil fuels with another source of chemical energy, the chances are you would not be allowed to do so due to health, safety, and environmental protection legislation. The ‘petro-chem’ industry with regard to vehicle fuels would not be allowed to exist if the legislation in place today had been in place a little over a century ago. Thus the IC engine is not playing on a level playing field and so leads a ‘charmed existence’.
But talking about fuel transportation: whilst finding figures on ‘loss’ for the electrical/mains grid is not particularly difficult, finding similar figures for petro-chem / fossil fuels is very difficult, as it’s more or less kept ‘hidden’. The reason is that most electrical grid transmission loss is ‘heat’, which, whilst it is the ultimate form of pollution, is nowhere near as dangerous as chemical ‘loss’ directly into the environment; most chemical energy sources are toxic (including those we eat), and so just dumping them into the environment is a very bad idea.
But you mention coal etc. used for electricity generation, while you do not mention the refining process of fossil fuels and the immense pollution issues involved.
We could endlessly bat individual parts of the ‘from sunlight to motion’ chain backwards and forwards, but in most cases that would be like arguing what effect the colour of ‘the lipstick on the pig’ has on the taste of the sausages or the quantity of squeal in the process.
You need to consider the entire chain from ‘sunlight to motion’ and compare them side by side. If you did, you might find that the real joker in the pack is the petro-chem industry from ‘hole in the ground to vehicle storage’ as far as pollution is concerned.
North Korea ATM Hack
The US Cybersecurity and Infrastructure Security Agency (CISA) published a long and technical alert describing a North Korea hacking scheme against ATMs in a bunch of countries worldwide:
This joint advisory is the result of analytic efforts among the Cybersecurity and Infrastructure Security Agency (CISA), the Department of the Treasury (Treasury), the Federal Bureau of Investigation (FBI) and U.S. Cyber Command (USCYBERCOM). Working with U.S. government partners, CISA, Treasury, FBI, and USCYBERCOM identified malware and indicators of compromise (IOCs) used by the North Korean government in an automated teller machine (ATM) cash-out scheme — referred to by the U.S. Government as “FASTCash 2.0: North Korea’s BeagleBoyz Robbing Banks.”
Computer scientists have developed a new artificial intelligence (AI) system that may be able to identify malicious codes that hijack supercomputers to mine for cryptocurrency such as Bitcoin and Monero.
“Based on recent computer break-ins in Europe and elsewhere, this type of software watchdog will soon be crucial to prevent cryptocurrency miners from hacking into high-performance computing facilities and stealing precious computing resources,” said Gopinath Chennupati, a researcher at Los Alamos National Laboratory and co-author of a new paper in the journal IEEE Access.
“Our deep learning artificial intelligence model is designed to detect the abusive use of supercomputers specifically for the purpose of cryptocurrency mining.”
Detect cryptocurrency miners
Legitimate cryptocurrency miners often assemble enormous computer arrays dedicated to digging up the digital cash. Less savory miners have found they can strike it rich by hijacking supercomputers, provided they can keep their efforts hidden.
The new AI system is designed to catch them in the act by comparing programs based on graphs, which are like fingerprints for software.
All programs can be represented by graphs that consist of nodes linked by lines, loops, or jumps. Much as human criminals can be caught by comparing the whorls and arcs on their fingertips to records in a fingerprint database, the new AI system compares the contours in a program’s flow-control graph to a catalog of graphs for programs that are allowed to run on a given computer.
Instead of finding a match to a known criminal program, however, the system checks to determine whether a graph is among those that identify programs that are supposed to be running on the system.
How reliable is it?
The researchers tested their system by comparing a known, benign code to an abusive, Bitcoin mining code. They found that their system identified the illicit mining operation much quicker and more reliably than conventional, non-AI analyses.
Because the approach relies on graph comparisons, it cannot be fooled by common techniques that illicit cryptocurrency miners use to disguise their codes, such as including obfuscating variables and comments intended to make the codes look like legitimate programming.
While this graph-based approach may not offer a completely foolproof solution for all scenarios, it significantly expands the set of effective approaches for cyberdetectives to use in their ongoing efforts to stifle cybercriminals.
Based on recent computer break-ins, such software watchdogs will soon be crucial to prevent cryptocurrency miners from hacking into high-performance computing facilities and stealing precious computing resources.
As the day of the U.S. presidential elections is quickly approaching, election security is again becoming a topic of more and more security discussions.
Are the polling booth systems secure? Could attackers interfere with them? What about voting by mail? Is it a secure option? Will the United States Postal Service (USPS) be able to handle a greater than usual (due to COVID-19) influx of mailed ballots?
The security of electronic voting
Prior to the 2016 U.S. presidential elections, cyber attackers believed to be Russian operatives succeeded in compromising websites or voter registration systems in seven U.S. states, NBC revealed in early 2018.
Though the attackers apparently didn’t make changes to votes or voter rolls, the revelation was enough to raise doubts about voting security.
It doesn’t help that, over the intervening years, security researchers and hackers have demonstrated how electronic voting systems and polling booths can be hacked and manipulated.
In 2019, the U.S. House of Representatives passed a bill that would mandate election systems to use voter-verified paper ballots so that election interference can be avoided, for voting machines to be disconnected from the internet, and for states to get funds to enhance the security of their election systems and infrastructure. The bill was never voted on in the U.S. Senate.
In May 2020, the House again tried to allot money ($3.6 billion) for election security through the Health and Economic Recovery Omnibus Emergency Solutions (HEROES) Act, but the bill is expected to be modified and it’s possible it won’t include funds for helping states cover pandemic-related costs for the election.
In the meantime, the federal government is providing state and local officials with additional tools – endpoint detection and response software – to help defend the nation’s election systems from cyberthreats ahead of the November vote.
On Wednesday, the U.S. Department of State offered “a reward of up to $10 million for information leading to the identification or location of any person who works with or for a foreign government for the purpose of interfering with U.S. elections through certain illegal cyber activities.”
“The reward offer seeks information on the identification or location of any person who, while acting at the direction of or under the control of a foreign government, interferes with any U.S. federal, state, or local election by aiding or abetting a violation of section 1030 of title 18, which relates to computer fraud and abuse,” the State Department noted.
The reward is offered for information about individuals involved in the unauthorized accessing of election and campaign infrastructure, including voter registration databases and voting machines, and in malicious cyber operations against U.S. political organizations or campaigns to steal confidential information and then leak that information as part of influence operations to undermine political organizations or candidates.
The security of mail-in voting
As U.S. President Donald Trump claims that voting by mail opens the voting process for potential fraud and corruption, then backtracks, some voters have started doubting the security of the options.
Experts, on the other hand, say that adversaries couldn’t interfere with voting by mail in any meaningful way, and the USPS assures it can handle the added volume of mail-in ballots in November’s election.
The hackers behind this month’s epic Twitter breach targeted a small number of employees through a “phone spear phishing attack,” the social media site said on Thursday night. When the pilfered employee credentials failed to give access to account support tools, the hackers targeted additional workers who had the permissions needed to access the tools.
“This attack relied on a significant and concerted attempt to mislead certain employees and exploit human vulnerabilities to gain access to our internal systems,” Twitter officials wrote in a post. “This was a striking reminder of how important each person on our team is in protecting our service. We take that responsibility seriously and everyone at Twitter is committed to keeping your information safe.”
Thursday’s update also disclosed that the hackers downloaded personal data from seven of the accounts, but didn’t say which ones.
The post was the latest update in the investigation into the July 15 hack that hijacked accounts belonging to some of the world’s best-known celebrities, politicians, and executives and caused them to tweet links to Bitcoin scams. A small sampling of the account holders included former Vice President Joe Biden, philanthropist and Microsoft founder, former CEO and chairman Bill Gates, Tesla founder Elon Musk, and pop star Kanye West.
It took hours for Twitter to return control of the accounts to their rightful owners. In some cases, the hackers regained control of accounts even after they had been recovered, resulting in a tug of war between the intruders and company employees.
Hours after containing the breach, Twitter said the incident was the result of it losing control of its internal administrative systems to hackers who either paid, tricked, or coerced one or more company employees. Company officials have provided regular updates since then. The most recent one came last week, when Twitter said the hackers used their access to read private messages from 36 hijacked accounts and that phone numbers and other private messages from 130 affected users were viewable.
Free employee rein
Critics said the incident showed that Twitter hasn’t implemented proper controls to prevent sensitive user information from falling into the hands of company insiders or people who target them. Twitter has vowed to investigate how the outsiders gained access to sensitive internal systems and take steps to prevent similar attacks in the future.
Thursday’s update provided more color about how internal systems and account tools work. It said:
A successful attack required the attackers to obtain access to both our internal network as well as specific employee credentials that granted them access to our internal support tools. Not all of the employees that were initially targeted had permissions to use account management tools, but the attackers used their credentials to access our internal systems and gain information about our processes. This knowledge then enabled them to target additional employees who did have access to our account support tools. Using the credentials of employees with access to these tools, the attackers targeted 130 Twitter accounts, ultimately Tweeting from 45, accessing the DM inbox of 36, and downloading the Twitter Data of 7.
The update said that since the attack, the company has “significantly” limited employees’ access to internal tools and systems while the investigation continues. The restrictions are primarily affecting a feature that lets users download their Twitter data, but other services will also be temporarily limited.
“We will be slower to respond to account support needs, reported Tweets, and applications to our developer platform,” the update said. “We’re sorry for any delays this causes, but we believe it’s a necessary precaution as we make durable changes to our processes and tooling as a result of this incident. We will gradually resume our normal response times when we’re confident it’s safe to do so. Thank you for your patience as we work through this.”
Thursday night’s post also said that the company is accelerating unspecified and “pre-existing security workstreams and improvements to our tools” and prioritizing security work across various teams. Twitter is also improving ways to detect and prevent “inappropriate” access to internal systems.
Human ingenuity supported by actionable intelligence were found to be critical ingredients to maintaining a resilient infrastructure, Bugcrowd reveals. In fact, 78% of hackers indicated AI-powered cybersecurity solutions alone aren’t enough to outmaneuver cyber attacks over the next decade.
87% of hackers say that scanners cannot find as many critical or unknown assets as humans. While 2019 was a record year for data breaches, the report found that hackers prevented $8.9B of cybercrime in 2019 and earned 38% more than they did in the previous period.
In the next five years, hackers are projected to prevent more than $55 billion in cybercrime for organizations worldwide.
“Hackers will always be one step ahead of AI when it comes to cybersecurity because humans are not confined by the logical limitations of machine intelligence,” said Jasmin Landry, top-ranked Bugcrowd hacker.
“For example, hackers can adapt four to five low-impact bugs to exploit a single high-impact attack vector that AI would likely miss without the creative flexibility of human decision-making.
“Experience allows hackers to recognize vulnerable misconfigurations that represent a true risk to organizations without all of the false positives that typically come with AI-powered solutions.”
The next generation of hackers is younger and neurologically diverse
Hacking as a profession is lucrative and highly attractive to young people, with 53% of hackers under the age of 24.
Remarkably, the report uncovered that 13% of hackers are neurodiverse and possess neurological advantages that help them provide extraordinary depth and dimension in security testing. These unique strengths include exceptional memory skills, heightened perception, a precise eye for detail, and an enhanced understanding of systems.
6% of neurodiverse hackers experience Attention-Deficit/Hyperactivity Disorder (AD/HD) and thrive in environments of rapid change, such as security research, where creativity and out-of-the-box thinking are rewarded generously.
Career hacking and the economics of security research
The research found that hackers live on six continents and reside in more than 100 countries worldwide. Most notably, the report identified an 83% growth in respondents living in India and 73% of hackers speak two or more languages.
“Having started my career as a hacker, I understand that cybersecurity is inherently a human problem. ‘The power of the crowd’ in crowdsourced cybersecurity is rooted in being able to look at the same thing as everyone else and see something else”, said Adrian Ludwig, CISO at Atlassian.
Social responsibility on the rise among businesses, hackers
A growing social responsibility trend among businesses and hackers was uncovered. 93% of hackers primarily hack out of care for the well-being of the organizations with which they work. Additionally, organizations made five times the number of coordinated disclosures in the last twelve months.
“The exponential growth of these disclosures highlights the value of transparency to stakeholders and demonstrates organizations are taking social responsibility more seriously than ever,” said Casey Ellis, CTO of Bugcrowd.
COVID-19 increasing demand for career hackers
The FBI reported a 400% rise in cybercrime after COVID-19 was declared a pandemic, and organizations are investing more in bug bounty programs as a result. 61% of hackers have noticed an increase in available bug bounty programs to participate in due to widespread remote working conditions related to COVID-19.
“We are in unprecedented territory – and COVID-19 has forced many businesses to accelerate digital transformation efforts,” said Ashish Gupta, CEO and president of Bugcrowd.
“The rush to digitize businesses can create serious lapses in security and organizations are turning to bug bounty programs to proactively safeguard new products and applications against vulnerabilities.”
Like the larger security industry, career hackers also noted concerns about COVID-related fraud. 48% of hackers believe the healthcare industry is the most vulnerable to cybercrime during the unfolding crisis, followed by education and community support (17%) and government and military (16%).
Additionally, as the government faces the potential impact of COVID-19 on the upcoming 2020 US Presidential election, 72% of hackers independently reported that they do not trust alternative polling methods, like electronic polling or mail-in ballots.
As technology constantly advances, software development teams are bombarded with security alerts at an increasing rate. This has made it nearly impossible to remediate every vulnerability, rendering the ability to properly prioritize remediation all the more critical, according to WhiteSource and CYR3CON.
This research examines the most common methods software development teams use to prioritize software vulnerabilities for remediation, and compares those practices to data gathered from the discussions of hacker communities, including the dark web and deep web.
Key research findings
- Software development teams tend to prioritize based on available data such as vulnerability severity score (CVSS), ease of remediation, and publication date, but hackers don’t target vulnerabilities based on these parameters.
- Hackers are drawn to specific vulnerability types (CWEs), including CWE-20 (Input Validation), CWE-125 (Out-of-bound Read), CWE-79 (XSS), and CWE-200 (Information Leak/Disclosure).
- Organizations tend to prioritize “fresh” vulnerabilities, while hackers often discuss vulnerabilities for over 6 months following exploitation, with even older vulnerabilities re-emerging in hacker community discussions as they reappear in new exploits or malware.
You can’t fix everything
“As development teams face an ever-rising number of disclosed vulnerabilities, it becomes impossible to fix everything and it’s imperative that teams focus on addressing the most urgent issues first,” said Rami Sass, CEO, WhiteSource.
“All too often companies unknowingly accept risk by using outdated methods of vulnerability prioritization – and this report sheds light on the shortcomings of those approaches. Combining threat intelligence and machine learning overcomes those shortcomings, highlighting previously unidentified risks in the process,” said CYR3CON CEO Paulo Shakarian.
Ring, Nest, SimpliSafe and eight other manufacturers of internet-connected doorbell and security cameras have been alerted to systemic design flaws, discovered by Florida Tech computer science student Blake Janes, that allow a shared account that appears to have been removed to actually remain in place with continued access to the video feed.
Privacy flaws in security and doorbell cameras
Janes discovered the mechanism for removing user accounts does not work as intended on many camera systems because it does not remove active user accounts. This could allow potential “malicious actors” to exploit the flaw to retain access to the camera system indefinitely, covertly recording audio and video in a substantial invasion of privacy or instances of electronic stalking.
The findings were presented in the paper, “Never Ending Story: Authentication and Access Control Design Flaws in Shared IoT Devices,” by Janes and two Florida Tech faculty members from the university’s top institute for cybersecurity research, L3Harris Institute for Assured Information, Terrence O’Connor, program chair of cybersecurity, and Heather Crawford, assistant professor in computer engineering and sciences.
Janes’ work informed vendors about the vulnerabilities and offered several strategies to remediate the underlying problem.
The flaw is concerning in cases where, for example, two partners are sharing a residence and then divorce. Each has smartphone apps that access the same camera.
Person A removes Person B’s access to the camera, but that is never relayed to Person B’s device. So Person B still has access even though it has been revoked on the camera and Person A’s smartphone and the account password has been changed.
The team found that this happens largely because the decisions about whether to grant access are made in the cloud and not locally on either the camera or the smartphones involved. Manufacturers prefer this approach because it lets cameras transmit data without every camera having to connect directly to every smartphone.
Additionally, manufacturers designed their systems so users would not have to repeatedly respond to access requests, which could become annoying and lead them to turn off that security check, were it in place, or abandon the camera altogether.
The problem is compounded by the fact that a malicious actor does not need advanced hacking tools to retain this access: it is achievable through the devices’ existing companion applications.
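To make the revocation gap concrete, here is an added example (not code from the paper or from any camera vendor): a minimal model of cloud-mediated access to a shared camera. CameraCloudVulnerable reproduces the flaw described above, where removing a user edits the share list but leaves the session the removed user’s app already holds untouched; CameraCloudFixed revokes that user’s sessions on removal and re-checks the share list on every stream request. All class and user names are hypothetical.

```python
import secrets


class CameraCloudVulnerable:
    """Cloud service modelling the flaw: removal edits the share list only."""

    def __init__(self, owner):
        self.owner = owner
        self.shared_with = set()
        self.sessions = {}  # session token held by a phone app -> user

    def share(self, requester, user):
        if requester == self.owner:
            self.shared_with.add(user)

    def login(self, user):
        # the app logs in once and keeps its token; membership is checked only here
        if user == self.owner or user in self.shared_with:
            token = secrets.token_hex(8)
            self.sessions[token] = user
            return token
        return None

    def remove_user(self, requester, user):
        if requester == self.owner:
            self.shared_with.discard(user)  # the removed user's live session survives

    def stream(self, token):
        # trusts any token it issued earlier and never re-checks the share list
        return token in self.sessions


class CameraCloudFixed(CameraCloudVulnerable):
    """Same API, but revocation is enforced both on removal and on every request."""

    def remove_user(self, requester, user):
        super().remove_user(requester, user)
        if requester == self.owner:
            # drop every session that belongs to the removed user
            self.sessions = {t: u for t, u in self.sessions.items() if u != user}

    def stream(self, token):
        user = self.sessions.get(token)
        return user is not None and (user == self.owner or user in self.shared_with)


def removed_partner_can_still_stream(service_cls):
    """Scenario from the text: A shares with B, B's app logs in, then A removes B."""
    cam = service_cls("person_a")
    cam.share("person_a", "person_b")
    token_b = cam.login("person_b")  # token cached by Person B's app
    cam.remove_user("person_a", "person_b")
    return cam.stream(token_b)  # True for the vulnerable service, False for the fixed one
```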
“Our analysis identified a systemic failure in device authentication and access control schemes for shared Internet of Things ecosystems,” the paper concluded. “Our study suggests there is a long road ahead for vendors to implement the security and privacy of IoT produced content.”
Devices to check
The devices where flaws were found are: Blink Camera, Canary Camera, D-Link Camera, Geeni Mini Camera, Doorbell and Pan/Tilt Camera, Merkury Camera, Momentum Axel Camera, Nest Camera Current and Doorbell Current, NightOwl Doorbell, Ring Pro Doorbell Current and Standard Doorbell Current, SimpliSafe Camera and Doorbell, and TP-Link Kasa Camera.
Though fixes will originate with the manufacturers, if you have one of the aforementioned cameras, it is important to update to the current firmware. Additionally, customers concerned about their privacy after removing additional users should always change their passwords and power cycle their cameras.
There has been an exponential growth in phishing and website scams in Q1 2020, according to a Bolster analysis of over 1 billion websites. 854,441 confirmed phishing and counterfeit pages and 4 million suspicious pages were detected.
COVID-19 cybercriminal activity
Of the total number of confirmed phishing and counterfeit pages, 30% were related to COVID-19 – that is over a quarter of a million confirmed malicious websites.
Daily phishing creation soars
Over 3,142 phishing and counterfeit pages went live every day in January, with that number increasing to 8,342 in March — due to the COVID-19 pandemic. Over 25,000 pages were created on March 19 — a record for the quarter.
SaaS, telecoms, and finance suffer the most from phishing
SaaS and telecoms were the industries most impacted by phishing scams, followed by finance, retail, and streaming.
COVID medical scams play on a cure
In the month of March alone, 102,676 websites related to medical scams were found, with 1,092 websites either selling Hydroxychloroquine or spreading misinformation about using it to cure COVID-19.
Stimulus checks and loans brought out the hackers
There were over 145,000 suspicious domain registrations with ‘stimulus check’ in them. The number of scam websites that claim to offer small business loans jumped 130 percent from February to March. Hackers spun up 60,707 banking websites to attempt to siphon off stimulus funds.
Hackers target remote workers and those quarantined
Collaboration and communication phishing sites saw a 50% increase from January to March, as a large majority of the workforce began working from home.
Streaming phishing sites saw an 85% increase from January to March, with over 209 websites being created per day — attempting to capitalize on those looking for entertainment during lockdowns.
Bolster discovered multiple phishing websites peddling fake COVID-19 cryptocurrencies and crypto wallets that aim to siphon data for future phishing, targeted malware, or credential stealing.
One COVID-19 cryptocurrency bills itself as “The World’s Fastest Spreading Crypto Currency” and attempts to get visitors to download suspicious files from GitHub. Another site prompts visitors to register to find out more information about a COVID coin that “gains value as more people die and get infected”.
“We anticipate phishing site creation will continue to increase, especially as we proceed further into a COVID-minded world. The phishing lures and tactics of cybercriminals will consistently evolve to keep up with the rapidly changing threat landscape, but the underlying credential theft will not,” said Abhishek Dubey, CEO, Bolster.
“Cybersecurity conscious organizations will need to work together and leverage AI, automation and security training to effectively combat phishing and online fraud during this surge and beyond.”
Advanced hackers could leverage unconventional, new attack vectors to sabotage smart manufacturing environments, according to Trend Micro.
[Figure: Industry 4.0 Lab, the system that Trend Micro analyzed during this research]
“Past manufacturing cyber attacks have used traditional malware that can be stopped by regular network and endpoint protection. However, advanced attackers are likely to develop Operational Technology (OT) specific attacks designed to fly under the radar,” said Bill Malik, vice president of infrastructure strategies for Trend Micro.
“As our research shows, there are multiple vectors now exposed to such threats, which could result in major financial and reputational damage for Industry 4.0 businesses. The answer is IIoT-specific security designed to root out sophisticated, targeted threats.”
Smart manufacturing equipment relying on proprietary systems
Critical smart manufacturing equipment relies primarily on proprietary systems; however, these machines have the computing power of traditional IT systems. They are capable of much more than the purpose for which they are deployed, and attackers are able to exploit this power.
The computers primarily use proprietary languages to communicate, but just like with IT threats, the languages can be used to input malicious code, traverse through the network, or steal confidential information without being detected.
Though smart manufacturing systems are designed and deployed to be isolated, this seclusion is eroding as IT and OT converge. Due to the intended separation, there is a significant amount of trust built into the systems and therefore very few integrity checks to keep malicious activity out.
The systems and machines that could be taken advantage of include the manufacturing execution system (MES), human machine interfaces (HMIs), and customizable IIoT devices. These are potential weak links in the security chain and could be exploited in ways that damage produced goods, cause malfunctions, or alter workflows to manufacture defective products.
Defense and mitigation measures
- Deep packet inspection that supports OT protocols to identify anomalous payloads at the network level
- Integrity checks run regularly on endpoints to identify any altered software components
- Code-signing on IIoT devices to include dependencies such as third-party libraries
- Risk analysis to extend beyond physical safety to automation software
- Full chain of trust for data and software in smart manufacturing environments
- Detection tools to recognize vulnerable/malicious logic for complex manufacturing machines
- Sandboxing and privilege separation for software on industrial machines
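The second and third measures above (regular integrity checks on endpoints, and code-signing that covers third-party dependencies) are illustrated by this added example, which is not Trend Micro’s code: a signed manifest of an industrial endpoint’s software components and the check that runs against the installed files. The component contents and signing key are constructed for the demo, and HMAC-SHA256 stands in for a vendor’s real public-key code-signing scheme.

```python
import hashlib
import hmac
import json

SIGNING_KEY = b"constructed-vendor-signing-key"  # stand-in for the vendor's private key


def digest(blob):
    return hashlib.sha256(blob).hexdigest()


def sign_manifest(components, key):
    """Build a manifest covering every component, third-party libraries included."""
    digests = {name: digest(blob) for name, blob in components.items()}
    payload = json.dumps(digests, sort_keys=True).encode()
    return {"components": digests, "sig": hmac.new(key, payload, "sha256").hexdigest()}


def check_endpoint(manifest, installed, key):
    """Return sorted findings; an empty list means the endpoint matches the signed build."""
    payload = json.dumps(manifest["components"], sort_keys=True).encode()
    expected_sig = hmac.new(key, payload, "sha256").hexdigest()
    if not hmac.compare_digest(expected_sig, manifest["sig"]):
        return ["manifest signature invalid"]  # the manifest itself was tampered with
    findings = []
    for name, expected in manifest["components"].items():
        if name not in installed:
            findings.append("missing: " + name)
        elif digest(installed[name]) != expected:
            findings.append("altered: " + name)
    for name in installed:
        if name not in manifest["components"]:
            findings.append("unsigned: " + name)  # code that no signature covers
    return sorted(findings)


# Constructed contents of an MES endpoint: first-party logic plus a vendored library.
SIGNED_BUILD = {
    "mes/scheduler.py": b"def schedule(job): return job.priority",
    "lib/opcua_client.so": b"\x7fELF constructed opc-ua client",
}
MANIFEST = sign_manifest(SIGNED_BUILD, SIGNING_KEY)


def tampered_build():
    """Scenario: a modified third-party library plus a dropped-in module nobody signed."""
    build = dict(SIGNED_BUILD)
    build["lib/opcua_client.so"] = b"\x7fELF constructed opc-ua client + injected logic"
    build["lib/extra_helper.so"] = b"\x7fELF constructed unsigned module"
    return build
```

Scheduling check_endpoint() to run periodically on each HMI or MES host turns the manifest into the recurring integrity check the list calls for.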
News coverage of the recent uptick in cyber threat activity is showing an incomplete picture. Despite the focus on VPN hacks and attacks at home, computers at more than 50,000 organizations in the US had been infected prior to stay-at-home orders, according to Team Cymru and Arctic Security.
Researchers say they are witnessing previously infected computers being activated now that their malicious communications are no longer being blocked by corporate firewalls.
Failure of internal security tools and processes
The number of compromised organizations in the US, Finland and across Europe doubled, tripled or even quadrupled between January and the end of March. Researchers believe this demonstrates a systemic problem facing organizations – a failure of internal security tools and processes and an inability to prepare for mobile workforces.
“Our analysis indicates that the employees’ computers were already hacked before COVID-19 made the news, but were lying dormant behind firewalls, blocking their ability to go to work on behalf of the threat actors,” explained Lari Huttunen, Senior Analyst at Arctic Security. “Now those zombies are outside firewalls, connected to their corporate networks via VPNs, which were not designed to prevent malicious communications.”
This analysis offers an unsettling data point that puts numbers to the foothold threat actors have gained within public and private sector organizations. The findings may also correlate with recent public warnings, such as the FBI’s advisory on March 30 alerting of increased vulnerability probing activity. The implications are serious.
Enterprise doesn’t end at the firewall
These same researchers have also found that many large companies have not managed to remedy the infrastructure vulnerabilities that have exposed them to data breaches in past years.
Experts say this research shines a light on a cyber pandemic and provides an opportunity for organizations to assess the extent of compromise within their organizations, rather than hiding behind a “block and forget” security mentality.
The only way to comprehensively identify whether an organization has been compromised is to observe internet threat traffic from outside the enterprise, monitoring these threat actors in the wild.
“Cybersecurity teams still approach security as though their enterprise ends at the firewall. This has not been the case for a long time, and this massive work-from-home movement has exposed the weakness of that approach,” stated Arctic Security CEO, David Chartier.
A team of cybersecurity researchers has discovered that a large number of mobile apps contain hardcoded secrets allowing others to access private data or block content provided by users.
Hidden behaviors within the app
The study found that apps on mobile phones might have hidden or harmful behaviors about which end users know little to nothing, said Zhiqiang Lin, an associate professor of computer science and engineering at The Ohio State University and senior author of the study.
Typically, mobile apps engage with users by processing and responding to user input, Lin said. For instance, users often need to type certain words or sentences, or click buttons and slide screens. Those inputs prompt an app to perform different actions.
For this study, the research team evaluated 150,000 apps. They selected the top 100,000 based on the number of downloads from the Google Play store, the top 20,000 from an alternative market, and 30,000 from pre-installed apps on Android smartphones.
They found that 12,706 of those apps, about 8.5 percent, contained something the research team labeled “backdoor secrets” – hidden behaviors within the app that accept certain types of content to trigger behaviors unknown to regular users.
They also found that some apps have built-in “master passwords,” which allow anyone with that password to access the app and any private data contained within it. And some apps, they found, had secret access keys that could trigger hidden options, including bypassing payment.
“Both users and developers are all at risk if a bad guy has obtained these ‘backdoor secrets,’” Lin said. In fact, he said, motivated attackers could reverse engineer the mobile apps to discover them.
Reverse engineering is a threat
Qingchuan Zhao, a graduate research assistant at Ohio State and lead author of this study, said that developers often wrongly assume reverse engineering of their apps is not a legitimate threat.
“A key reason why mobile apps contain these ‘backdoor secrets’ is because developers misplaced the trust,” Zhao said. To truly secure their apps, he said, developers need to perform security-relevant user-input validation and move their secrets to backend servers.
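The following added example (not from the Ohio State study or from InputScope) puts the “master password” pattern beside the backend-validated alternative Zhao recommends. VulnerableApp must carry the secret as a string constant to compare locally, so anyone who reverse-engineers the shipped app recovers it; HardenedApp holds no secret and forwards the input to a hypothetical Backend that validates it and compares against a salted hash. All class names, the password and the key-derivation parameters are constructed.

```python
import hashlib
import hmac
import os


class VulnerableApp:
    """Client that ships its own 'master password' and validates input locally."""

    MASTER_PASSWORD = "m@ster-2020"  # constructed; this literal ends up in the app binary

    def unlock(self, user_input):
        # the comparison happens on the device, so the secret must be on the device
        return user_input == self.MASTER_PASSWORD


class Backend:
    """Hypothetical server side: stores only a salted hash and returns a verdict."""

    def __init__(self, unlock_secret):
        self._salt = os.urandom(16)
        self._digest = self._kdf(unlock_secret)

    def _kdf(self, value):
        return hashlib.pbkdf2_hmac("sha256", value.encode(), self._salt, 50_000)

    def check_unlock(self, user_input):
        # security-relevant input validation before any work is done
        if not isinstance(user_input, str) or not 0 < len(user_input) <= 128:
            return False
        # constant-time comparison; the server can also rate-limit and log attempts
        return hmac.compare_digest(self._kdf(user_input), self._digest)


class HardenedApp:
    """Client that carries no secret; the unlock verdict comes from the backend."""

    def __init__(self, backend):
        self._backend = backend

    def unlock(self, user_input):
        return self._backend.check_unlock(user_input)


def client_contains_secret(app_cls, secret):
    """Model of what reverse engineering recovers: string constants compiled into the class."""
    return any(isinstance(v, str) and secret in v for v in vars(app_cls).values())
```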
The team also found another 4,028 apps – about 2.7 percent – that blocked content containing specific keywords subject to censorship, cyber bullying or discrimination. That apps might limit certain types of content was not surprising – but the way that they did it was: validated locally instead of remotely, Lin said.
“On many platforms, user-generated content may be moderated or filtered before it is published,” he said, noting that several social media sites, including Facebook, Instagram and Tumblr, already limit the content users are permitted to publish on those platforms.
“Unfortunately, there might exist problems – for example, users know that certain words are forbidden from a platform’s policy, but they are unaware of examples of words that are considered as banned words and could result in content being blocked without users’ knowledge,” he said.
“Therefore, end users may wish to clarify vague platform content policies by seeing examples of banned words.”
In addition, he said, researchers studying censorship may wish to understand what terms are considered sensitive. The team developed an open source tool, named InputScope, to help developers understand weaknesses in their apps and to demonstrate that the reverse engineering process can be fully automated.