European Businesses Admit Major Privacy Skills Gap
94% of European organizations are struggling to find skilled practitioners to take up crucial privacy-related roles, according to new research from professional association ISACA. The IT audit and governance body polled 375 privacy professionals across the region in Q4 2022, as part of a wider global study: Privacy in Practice. It found that, although European businesses recognize the importance of privacy, with 87% offering awareness training to employees, most also admit having skills gaps. The report revealed that over half (59%) of technical privacy teams in Europe are understaffed. ISACA claimed that addressing the problem is tricky, with a fifth of respondents saying it takes over six months to fill such roles, and twice that number (41%) complaining of insufficient privacy budgets.
https://www.infosecurity-magazine.com/news/european-businesses-privacy-skills/
T-Mobile admitted that personal and account information of tens of millions of customers was accessed by a malicious actor via an API. The attack began on November 25, 2022, but was not discovered until January 5, 2023. Information compromised included customer names, billing and email addresses, phone numbers, dates of birth, T-Mobile account numbers, and information about the number of lines on the account and plan features. The company attempted to downplay the seriousness of the breach, saying nearly all of the information stolen is widely available in marketing databases or directories. T-Mobile said that passwords, payment card information, social security numbers, government ID numbers or other financial account information were not compromised.
https://www.infosecurity-magazine.com/news/api-attacker-steals-data-37/
Exploits released for two Samsung Galaxy App Store vulnerabilities
The Galaxy App Store is an alternative application store that comes pre-installed on Samsung Android devices. Several Android applications are available on both the Galaxy App Store and Google App Store, and users have the option to use either store to install specific applications.
Two vulnerabilities were uncovered with the Galaxy App Store application:
Two vulnerabilities in the Galaxy App Store, Samsung’s official repository for its devices, could enable attackers to install any app in the Galaxy Store without the user’s knowledge or to direct victims to a malicious web location.
The issues were discovered by researchers from the NCC Group between November 23 and December 3, 2022.
[Figure: Hyperlink to force the GS’s webview to browse on unsafe sites (NCC Group)]
NCC explains that the only prerequisite for this attack is for the malicious domain to have the “player.glb.samsung-gamelauncher.com” part in it.
An attacker can register any domain and add that part as a subdomain.
The installation and automatic launch of apps from the Galaxy Store without the user’s knowledge may also lead to data or privacy breaches, especially if the attacker uploads a malicious app on the Galaxy Store beforehand.
It is important to note that CVE-2023-21433 is not exploitable on Samsung devices running Android 13, even if they use an older and vulnerable version of the Galaxy Store.
https://www.bleepingcomputer.com/news/security/exploits-released-for-two-samsung-galaxy-app-store-vulnerabilities/
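The host check NCC describes (a URL is trusted if it merely contains the expected name) is a substring match, which a registrable domain with that name as a subdomain defeats. The following added example is not the Galaxy Store's code; it reconstructs that weak pattern as an assumption, beside a strict hostname comparison, and runs both over constructed URLs (attacker.example is a placeholder):

```python
from urllib.parse import urlparse

# The host the article says the store's check looks for.
TRUSTED_HOST = "player.glb.samsung-gamelauncher.com"


def substring_host_check(url: str) -> bool:
    """Weak pattern of the kind the NCC write-up describes (assumed
    reconstruction, not the Galaxy Store's actual code): any URL that merely
    *contains* the trusted name passes, so a registrable domain that carries
    the name as a subdomain, or in a query string, is accepted."""
    return TRUSTED_HOST in url


def strict_host_check(url: str) -> bool:
    """Hardened check: parse the URL, require https, and compare the parsed
    hostname to the trusted domain exactly or as a label-aligned subdomain
    (host == trusted, or host ends with '.' + trusted)."""
    parts = urlparse(url)
    if parts.scheme.lower() != "https" or not parts.hostname:
        return False
    host = parts.hostname.lower().rstrip(".")
    return host == TRUSTED_HOST or host.endswith("." + TRUSTED_HOST)


# Constructed test URLs mapped to the verdict a correct check must return.
SAMPLE_URLS = {
    "https://player.glb.samsung-gamelauncher.com/play": True,
    "https://cdn.player.glb.samsung-gamelauncher.com/x": True,
    # trusted name used as a subdomain of a registrable attacker domain
    "https://player.glb.samsung-gamelauncher.com.attacker.example/": False,
    # trusted name only in the query string
    "https://attacker.example/?next=player.glb.samsung-gamelauncher.com": False,
    # trusted name in the userinfo part; the real host is after the '@'
    "https://player.glb.samsung-gamelauncher.com@attacker.example/": False,
    # right host, but plaintext scheme
    "http://player.glb.samsung-gamelauncher.com/": False,
}


def compare_checks():
    """Return {url: (substring_verdict, strict_verdict, expected)} so the two
    checks can be compared side by side."""
    return {u: (substring_host_check(u), strict_host_check(u), exp)
            for u, exp in SAMPLE_URLS.items()}


if __name__ == "__main__":
    for url, (weak, strict, exp) in compare_checks().items():
        print(f"{url}\n  substring={weak} strict={strict} expected={exp}")
```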
T-Mobile’s $150 Million Security Plan Isn’t Cutting It
The mobile operator just suffered at least its fifth data breach since 2018, despite promising to spend a fortune shoring up its systems. Before the breach in Nov 2022, the company had a mega breach in 2021, two breaches in 2020, one in 2019, and another in 2018. Multiple breaches suggest that T-Mobile’s defenses do not utilize modern security monitoring and threat hunting teams. The 2022 breach took place soon after the company committed to a two-year, $150 million initiative to improve its digital security and data defenses. Experts suggest the information involved in the breach could be useful to attackers for SIM swap attacks, in which they take control of victims’ phone numbers and then abuse the access to take over accounts, including by capturing two-factor authentication codes sent over SMS.
On January 6, the US Federal Communication Commission proposed more stringent data-breach reporting criteria for the telecom industry.
https://www.wired.com/story/tmobile-data-breach-again/
PayPal accounts breached in large-scale credential stuffing attack
https://www.bleepingcomputer.com/news/security/paypal-accounts-breached-in-large-scale-credential-stuffing-attack/
Cybercriminals were able to access thousands of PayPal accounts. They executed a credential stuffing attack. PayPal itself was not hacked. This is an attack in which hackers stuff the login page with numerous credentials taken elsewhere until one eventually works. As per the investigation, attackers accessed the accounts between December 6 and December 8, 2022. After accessing an account, attackers potentially acquired some personal information such as the user’s name, address, social security number (SSN), tax identification number (TIN), and date of birth. However, at this stage of the investigation it appears that there is no evidence the login credentials were taken from PayPal’s systems.
To protect users, PayPal reset the passwords for the affected users and enhanced security controls, requiring users to set up a new password on their next login. Also, PayPal is giving two years of free identity monitoring services through Equifax to the affected users. PayPal also recommends passwords that are at least 12 characters long and include alphanumeric characters and symbols, and advises activating two-factor authentication protection.
Critical vulnerability allowed attackers to remotely unlock, control Hyundai, Genesis vehicles
Researchers found a vulnerability in the app used for remotely controlling Hyundai and Genesis vehicles. Using a CRLF (carriage return line feed) injection at the end of an existing victim’s email address, the researchers were able to bypass the JSON Web Token (JWT) and email parameter check.
They were able to retrieve the victim’s vehicle identification number and send an HTTP request to remotely unlock the car. A proof of concept script was created to automate HTTP requests, and it allowed the researchers to remotely turn the engine on or off, remotely lock or unlock the vehicle, honk the horn, change the victim’s PIN, etc. The researchers’ aim was to highlight that application security for vehicles was lagging behind by a large margin.
https://portswigger.net/daily-swig/critical-vulnerability-allowed-attackers-to-remotely-unlock-control-hyundai-genesis-vehicles
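A check that compares the JWT's email to the request's email only holds if both values are canonicalised the same way before comparing and before looking up the record. The added example below is not the Hyundai/Genesis app code: it assumes one plausible way such a check fails (raw-string equality, then a trimmed lookup) and shows the hardened form that rejects control characters at registration and on every request. VEHICLES and the VIN value are constructed.

```python
import re
from typing import Optional

# Constructed owner table (made-up values; not Hyundai/Genesis data).
VEHICLES = {"victim@example.com": "VIN-CONSTRUCTED-0001"}

CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")
EMAIL_SHAPE = re.compile(r"^[a-z0-9._%+-]+@[a-z0-9-]+(\.[a-z0-9-]+)+$")


def weak_lookup(token_email: str, param_email: str) -> Optional[str]:
    """One way a 'JWT email must equal request email' check can be bypassed
    (an assumed pattern, not taken from the article): the equality test runs
    on the raw strings, but the record lookup trims the value first. A token
    issued for 'victim@example.com\\r\\n' therefore passes the check and then
    resolves to the real victim's record."""
    if token_email != param_email:
        return None
    return VEHICLES.get(param_email.strip())


def canonical_email(value: str) -> Optional[str]:
    """Reject anything containing control characters (CR, LF, NUL, ...) and
    require a plain lowercase mailbox shape. Apply this at registration and
    on every request, so no token can ever carry a crafted address."""
    if CONTROL_CHARS.search(value):
        return None
    value = value.strip().lower()
    return value if EMAIL_SHAPE.match(value) else None


def hardened_lookup(token_email: str, param_email: str) -> Optional[str]:
    """Canonicalise both values, compare the canonical forms, and look the
    record up with that same canonical value, so check and lookup agree."""
    a, b = canonical_email(token_email), canonical_email(param_email)
    if a is None or b is None or a != b:
        return None
    return VEHICLES.get(a)


if __name__ == "__main__":
    crafted = "victim@example.com\r\n"
    print("weak:", weak_lookup(crafted, crafted))        # leaks the VIN
    print("hardened:", hardened_lookup(crafted, crafted))  # None
```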
Why agencies are losing the cyber battle | Federal News Network
In summary, the article covers reasons why defending against cyber-attacks is so challenging. Just because there are controls in place doesn’t mean there is 100% protection. There is a possibility the controls haven’t been configured properly or haven’t been tested, and if they are not tested, no one knows whether they are effective. Just because the controls are in compliance doesn’t mean they are optimized.
Additionally, the article discusses that the zero trust model can only accomplish so much in limiting risk; it could, however, have analysts investigating alerts that could be scoped out. There needs to be a layered approach to defense and automation, taking advantage of optimizing controls.
Costa Rica’s government has suffered another ransomware attack just months after several ministries were crippled in a wide-ranging attack by hackers using the Conti ransomware.
https://therecord.media/costa-ricas-ministry-of-public-works-and-transport-crippled-by-ransomware-attack/?web_view=true
WhatsApp Hit with €5.5 Million Fine for Violating Data Protection Laws
Meta, known for owning both Facebook and Instagram, had fines imposed on its messaging application WhatsApp for violating data protection laws when processing users’ personal information. In short, Meta has already been in hot water and fined €390,000,000 for violating GDPR by serving personalized ads in Facebook and Instagram, giving the company three months to find a valid legal basis for processing personal data for behavioral advertising. This fine is for failing to clearly inform users after updates. Specifically, the article states: “WhatsApp is encouraged to show how it plans to communicate any future updates to its terms of service, and to do so in a way that consumers can easily understand the implications of such updates and freely decide they want to continue using WhatsApp after these updates.”
https://thehackernews.com/2023/01/whatsapp-hit-with-55-million-fine-for.html
Chick-fil-A investigates reports of hacked customer accounts.
Chick-fil-A user accounts were being breached in credential stuffing attacks. Most of the hijacked accounts are used with disposable email addresses to buy food in widespread attacks.
Some of the stolen accounts are being sold for $2 to $200, depending on the account balance, linked payment method, or Chick-fil-A One points (rewards points) balance. Although Chick-fil-A was warned about the attack, they took too long to respond.
https://www.bleepingcomputer.com/news/security/chick-fil-a-investigates-reports-of-hacked-customer-accounts/
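Both the PayPal and the Chick-fil-A incidents above are credential stuffing: one source tries many different accounts, each with a password taken from another breach, and most attempts fail. That shape is what a detection rule can key on. The added example below is not code from either company; it runs a distinct-accounts-per-source rule over a constructed login log and lists the accounts that need a forced password reset, the response PayPal took.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

# Constructed sample authentication log (made up for this example; not
# PayPal's or Chick-fil-A's logs). 203.0.113.5 is an ordinary user mistyping
# their own password twice; 198.51.100.7 tries eight accounts in eight seconds.
LOGIN_LOG = """\
2022-12-06T10:00:00Z ip=203.0.113.5 user=alice@example.com result=FAIL
2022-12-06T10:00:09Z ip=203.0.113.5 user=alice@example.com result=FAIL
2022-12-06T10:00:20Z ip=203.0.113.5 user=alice@example.com result=OK
2022-12-06T10:01:00Z ip=198.51.100.7 user=alice@example.com result=FAIL
2022-12-06T10:01:01Z ip=198.51.100.7 user=bob@example.com result=FAIL
2022-12-06T10:01:02Z ip=198.51.100.7 user=carol@example.com result=OK
2022-12-06T10:01:03Z ip=198.51.100.7 user=dave@example.com result=FAIL
2022-12-06T10:01:04Z ip=198.51.100.7 user=erin@example.com result=FAIL
2022-12-06T10:01:05Z ip=198.51.100.7 user=frank@example.com result=FAIL
2022-12-06T10:01:06Z ip=198.51.100.7 user=grace@example.com result=FAIL
2022-12-06T10:01:07Z ip=198.51.100.7 user=heidi@example.com result=FAIL
"""

LINE_RE = re.compile(r"^(\S+) ip=(\S+) user=(\S+) result=(OK|FAIL)$")
Event = Tuple[datetime, str, str, str]  # (timestamp, ip, account, result)


def parse_log(text: str) -> List[Event]:
    """Parse the constructed log format; lines of another shape are skipped."""
    events: List[Event] = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m.group(2), m.group(3), m.group(4)))
    return events


def detect_stuffing(events: List[Event],
                    window: timedelta = timedelta(minutes=5),
                    min_accounts: int = 5,
                    min_fail_ratio: float = 0.8) -> Dict[str, Dict[str, int]]:
    """Flag a source IP when, inside any sliding window, it touches at least
    min_accounts distinct accounts and at least min_fail_ratio of those
    attempts fail. A legitimate user retrying one account never trips this."""
    by_ip: Dict[str, List[Event]] = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)
    flagged: Dict[str, Dict[str, int]] = {}
    for ip, evs in by_ip.items():
        evs.sort()
        for start in evs:
            in_win = [e for e in evs if start[0] <= e[0] <= start[0] + window]
            accounts = {e[2] for e in in_win}
            fails = sum(1 for e in in_win if e[3] == "FAIL")
            if len(accounts) >= min_accounts and fails / len(in_win) >= min_fail_ratio:
                flagged[ip] = {"accounts": len(accounts),
                               "attempts": len(in_win), "fails": fails}
                break
    return flagged


def accounts_to_reset(events: List[Event], flagged: Dict[str, dict]) -> Set[str]:
    """Accounts that had a successful login from a flagged source: these are
    the ones whose reused password worked and must be reset."""
    return {e[2] for e in events if e[1] in flagged and e[3] == "OK"}


if __name__ == "__main__":
    evs = parse_log(LOGIN_LOG)
    hits = detect_stuffing(evs)
    print("flagged sources:", hits)
    print("reset:", sorted(accounts_to_reset(evs, hits)))
```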
Vastflux is probably one of the largest ad frauds discovered so far, mainly targeting iOS devices. There are about 1,700 spoofed apps here, 120 targeted users were spoofed in this way, and the attackers send 12 billion fake ad requests per day. Device owners could have taken action against this attack, as legitimate apps and advertising processes were affected. The attackers hijack the network advertising system so that when a phone displays an ad in an affected application, there are actually as many as 25 ads overlapping, while you only see one ad on your phone. The user’s phone battery will drain faster than usual when handling all the fraudulent ads. In addition, once the ads are gone, the attack will stop, meaning that system security controls will have a hard time tracking down the attack easily. The fraudsters evaded ad verification tags, making it harder for this scheme to be found.
https://www.infosecurity-magazine.com/news/ad-fraud-tops-12-billion-daily-bid/
A new form of malicious attack has recently emerged after malicious HTML attachments used meta-refresh to redirect end users from locally hosted HTML attachments to phishing pages hosted on the public Internet. Researchers at Avanan, a Check Point Software company, found that malicious HTM attachments were placed inside normal DocuSign documents and displayed as empty images to bypass traditional scanning services. In fact, once the attachment is clicked, the target user will automatically be redirected to the wrong URL.
https://www.infosecurity-magazine.com/news/phishers-blank-images-hide/
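The attachment described above carries no phishing content of its own; it only shows a blank image and a meta-refresh directive that sends the viewer off-host. A mail gateway can therefore flag an HTML attachment whose refresh target is a remote http(s) URL. The added example below is not Avanan's or Check Point's code; the two sample attachments are constructed, and phish.invalid is a placeholder hostname.

```python
import re
from html.parser import HTMLParser
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Pulls the url= part out of a refresh directive such as "0; URL='https://...'".
REFRESH_URL = re.compile(r"url\s*=\s*['\"]?([^'\"\s;]+)", re.IGNORECASE)


class MetaRefreshFinder(HTMLParser):
    """Collects the target of every <meta http-equiv="refresh"> in a document."""

    def __init__(self) -> None:
        super().__init__()
        self.targets: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "meta":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("http-equiv", "").strip().lower() != "refresh":
            return
        m = REFRESH_URL.search(a.get("content", ""))
        if m:
            self.targets.append(m.group(1))


def meta_refresh_targets(html: str) -> List[str]:
    parser = MetaRefreshFinder()
    parser.feed(html)
    return parser.targets


def classify_attachment(html: str) -> Tuple[str, Optional[str]]:
    """('redirect', url) if the attachment bounces the viewer to a remote
    http(s) host, otherwise ('clean', None). A refresh with no url, or with a
    relative url, only reloads the local file and is not flagged."""
    for target in meta_refresh_targets(html):
        parts = urlparse(target)
        if parts.scheme.lower() in ("http", "https") and parts.hostname:
            return ("redirect", target)
    return ("clean", None)


# Constructed sample attachment: a blank image plus an off-host refresh.
SUSPICIOUS_HTML = """<html><head>
<meta HTTP-EQUIV="Refresh" content="0; URL='https://phish.invalid/docusign/login'">
</head><body><img src="blank.gif" alt=""></body></html>"""

# Constructed benign attachment: a refresh that only reloads itself.
BENIGN_HTML = """<html><head><meta http-equiv="refresh" content="30"></head>
<body><p>Your document is attached below.</p></body></html>"""


if __name__ == "__main__":
    print(classify_attachment(SUSPICIOUS_HTML))
    print(classify_attachment(BENIGN_HTML))
```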
Mailchimp, an email marketing service provider, has announced that it suffered a data breach as a result of a social engineering attack. An unauthorized actor was able to gain access to select Mailchimp accounts using employee credentials that were compromised in the attack. The incident was limited to 133 accounts and there is no evidence that this compromise affected any other systems. They have apologized for the incident and stated that they are working with the users directly. This breach has come less than a year after Mailchimp suffered a separate hack in April 2022.
https://www.infosecurity-magazine.com/news/mailchimp-hit-another-data-breach/
https://thehackernews.com/2023/01/security-navigator-research-some.html
Recent vulnerability scans have revealed that vulnerabilities take a long time to patch. This was found to be true for data across the industries. There are on average 22 newly published vulnerabilities reported daily. Vulnerability scans analyze assets in different industry areas and reveal how long any discovered vulnerability has remained unpatched on an asset. 47% of all CVEs discovered remain on an asset unpatched for five years or longer. 75% of all found vulnerabilities are 1,000 days or older. It appears that older vulnerabilities are not a priority for patching. The average time it takes to patch a vulnerability is 215 days.
The article I chose for this week speaks about the increase of phishing attacks and how to avoid them. Phishing is a type of social engineering attack often used to steal user data, including login credentials and credit card numbers and is commonly used by cybercriminals.
https://www.cnbc.com/2023/01/07/phishing-attacks-are-increasing-and-getting-more-sophisticated.html
The US despite its massive investment in security infrastructure continues to face cybersecurity threats. According to the Washington Post, one of the latest espionage threats is a Chinese spy balloon over Montana, which is the site of several nuclear missile silos. A Pentagon spokesman, Brig. Gen. Patrick Ryder said that “the U.S. government acted immediately to prevent the collection of sensitive information” once it spotted the balloon.
According to WithSecure, the hackers had one of the web shells planted by the infamous group which helped confirm their identity as the communication was found to be from a North Korean IP address.
What interests me most is the effect this could have on national security and our global allies. A former White House cybersecurity adviser, Richard Clarke, said that the hackers who got into the U.S. nuclear command and control system could, theoretically, “trigger a false alarm, making us think that Russian nuclear weapons were on their way” — giving the president mere minutes to decide whether to launch a retaliatory strike.
https://www.washingtonpost.com/politics/2023/02/03/us-nuclear-sites-face-hacking-espionage-threats/
https://www.bleepingcomputer.com/news/security/hackers-push-malware-via-google-search-ads-for-vlc-7-zip-ccleaner/
Malicious actors have been setting up fake websites claiming to offer downloads of popular free or open source programs such as Notepad++, 7Zip, and CCleaner. Instead of providing the expected software, these websites are set up to provide either a hacked version of the legitimate program or a completely different bit of malware. The malicious actors then purchase Google ads for these phony websites. Google puts paid ad results higher in search results, leading unsuspecting users to click the link to the fake website and download malware thinking it is the correct site and legitimate download.
https://thehackernews.com/2023/05/lobshot-stealthy-financial-trojan-and.html
The article talks about a new financial trojan called “LobShot” that is currently being used in targeted attacks against financial institutions. The malware has complex capabilities that allow it to get past security software. The attackers behind LobShot are using a combination of spear-phishing emails and social engineering to spread this malware. When this malware is installed, LobShot is capable of stealing sensitive financial data, including login credentials and banking information.