Nicholas Fabrizio says
Title: Details Tied to Safari Browser-based ‘ScamClub’ Campaign Revealed
URL: https://threatpost.com/safari-browser-scamclub-campaign-revealed/164023/
A vulnerability was publicly disclosed this past week which described a bug in Apple’s Safari browser which was used to display malicious ads and then push malware to iOS Chrome and macOS desktop browsers. The cybergang ScamClub was exploiting this vulnerability and reached over 50 million users during a three-month-long campaign. This vulnerability was found in the open-source WebKit engine, and the attackers were able to bypass the browser’s iframe sandboxing policy to display popups that redirected to malicious sites advertising gift cards, scams, prizes, and more. Lastly, Apple released a patch in December 2020 to mitigate this bug and enhance iframe sandboxing enforcement.
Lakshmi Surujnauth says
“Cambodia sets up China-style internet firewall”
Cambodia’s government has set up an international gateway which seeks to exert near-total control of the country’s online life. The gateway operator has been instructed to work in collaboration with the Cambodian authorities to block network connections that violate morality, customs, or traditions. Further, the gateway operator will be required to submit reports about internet traffic regularly to authorities. The Cambodian government has defended the move, explaining that it will enhance revenue collection, protect national security and preserve social order. However, critics argue that this will facilitate mass surveillance by intercepting and censoring digital communications and collecting personal data. This suppresses freedom of expression, and comparisons are being drawn to China’s “Great Firewall”, which employs mass surveillance techniques that rid the internet of dissent and prevent citizens from accessing sites such as Facebook and Twitter.
https://news.yahoo.com/cambodia-sets-china-style-internet-093032033.html
Jonathan Mettus says
Breached water plant employees used the same TeamViewer password and no firewall
A few weeks ago a Florida water treatment facility experienced a computer breach that resulted in the attacker increasing the amount of lye added into the water by a factor of 100. Further investigation into the incident has revealed that the water treatment plant computer was using an unsupported version of Windows 7. It had no host-based firewall installed. Additionally, employees all shared the same password to access TeamViewer, a remote desktop application. This allowed the attacker to take remote control of a computer and increase the lye. Fortunately, an employee was using the computer at the time, noticed the mouse moving, and the attacker was unable to do any real harm.
https://arstechnica.com/information-technology/2021/02/breached-water-plant-employees-used-the-same-teamviewer-password-and-no-firewall/
Xiduo Liu says
An article published in ZDNet revealed that some of the Microsoft cloud products’ source code was compromised by the SolarWinds hack. The article revealed that some SolarWinds appliances were in production at Microsoft, so when the SolarWinds hack took place some of Microsoft’s internal network was also compromised. According to Microsoft, the analysis shows the source repository was accessed in late November and that the intruders viewed “only a few individual files” in the code repositories. “No case where all repositories related to any single product or service was accessed”.
Microsoft listed some of the affected products:
a small subset of Azure components (subsets of service, security, identity)
a small subset of Intune components
a small subset of Exchange components
You can read the entire article here: https://www.zdnet.com/article/microsoft-says-solarwinds-hackers-downloaded-some-azure-exchange-and-intune-source-code/
To-Yin Cheng says
https://www.wfla.com/news/pinellas-county/federal-cybersecurity-advisory-offers-new-details-on-oldsmar-water-supply-cyberattack/
Federal cybersecurity advisory offers new details on Oldsmar water supply cyberattack
After someone tried to poison the city of Oldsmar’s water supply by hacking its computer system, federal agencies stated that attackers may have exploited network security vulnerabilities, including poor password security and outdated operating systems. The attacker tried to raise the chemical lye to a dangerous level, but the astute factory operator noticed suspicious activity on his computer screen and quickly reduced it to a safe level. Florida Agriculture Specialist Nikki Fried indicated that the attack concerns not only their own water network security, but that of each city and county. They have to ensure that all systems are updated, that old software is not used, and that passwords are constantly changed.
Wei Liu says
DDoS Attacks Wane in Q4 Amid Cryptomining Resurgence
Researchers observed a corresponding spike in DDoS attacks for most of the year as people spent more time online in 2020. Online gaming services are one of the areas that suffer most from DDoS attacks, as attacks spiked dramatically in response to global lockdowns. The DDoS attack market is likely to remain strong as people still rely heavily on the stable operation of online resources, which makes DDoS attacks a common choice for malefactors. To stay protected against DDoS attacks, businesses should put more resources and technology in place while validating third-party agreements and contact information, including those made with internet service providers.
https://threatpost.com/ddos-attacks-q4-cryptomining-resurgence/163998/
Panayiotis Laskaridis says
Suspected Russian hack fuels new US action on cybersecurity
https://abcnews.go.com/Politics/wireStory/massive-breach-fuels-calls-us-action-cybersecurity-75989727
The article describes what the Biden administration is doing in light of the SolarWinds hack. In the COVID-19 relief package, there is $690M for CISA in an effort to better equip itself against threats. It is a shame to see our nation’s cyber infrastructure falling victim to politics and constantly being reactive instead of proactive. It is clear that our government still isn’t invested enough in cybersecurity. There needs to be sweeping reform nationwide. There are so many government agencies and offices across the entire country that are extremely susceptible to an attack.
Quynh Nguyen says
I thought this article was interesting because I know the majority of us, including myself, use Spotify. Spotify has fallen victim to a second cybersecurity attack using a credential-stuffing cyberattack. The first occurrence happened in November. The service has since forced password resets for over 100,000 users of the music streaming service. Credential stuffing attacks happen when attackers build automated scripts that try stolen IDs and passwords taken from a breach of another company or website, or passwords they purchased online from the black market, across various accounts. For example, the automated scripts would try the same email and password combo across Spotify, Apple Music, Netflix, Hulu, etc. Spotify worked quickly to prompt password resets for all affected accounts; they also had the fraudulent database taken down by the ISP hosting it. In the first attack, researchers found a cloud database containing over 380 million individual records of login credentials and countries of residence for people, all being tested against Spotify accounts. This cloud database was owned by a malicious third party. This second attack was similar, with data exposed in a public Elasticsearch instance. The dangers of credential stuffing are the cybercriminal being able to log in to someone’s account, stealing music, hijacking the account, and stealing credit card information on file.
https://threatpost.com/spotify-credential-stuffing-cyberattack/163672/
Christopher Clayton says
Masslogger Trojan Upgraded to Steal All Your Outlook, Chrome Credentials
A new phishing operation has returned intending to steal Microsoft Outlook, Google Chrome, and instant messenger app credentials by way of an attack called MassLogger. This is a .NET-based malware attack that has the ability to obstruct static analysis; this was first identified in April 2020. The operation is currently focused on victims in Turkey, Latvia, and Italy. Similar activities were documented in November 2020 that targeted users in other parts of Europe such as Bulgaria, Lithuania, Hungary, Estonia, Romania, and Spain. Stolen information can be sent through SMTP, FTP, or HTTP networks, and information uploaded to an exfiltration server, as well as records relating to configuration options. System configuration was recommended for logging PowerShell events such as module loading and executed script blocks as they will show executed code in its “deobfuscated format.”
https://thehackernews.com/2021/02/masslogger-trojan-upgraded-to-steal-all.html
Megan Hall says
Lakehead University Extends Winter Reading Break due to Cybersecurity Attack
https://globalnews.ca/news/7654808/lakehead-university-extends-reading-break-cybersecurity/
I thought this was an interesting article since it affected a university and students, and we are all students. The Lakehead school is in two locations in Ontario, Canada, and announced last week (during the school’s winter break) that there was a cyberattack that affected both locations. In order to limit the impact of the attack, all servers and on-campus computers were taken offline. As of today, the situation has still not been remedied, and they announced that they were extending winter break another four days due to the continued inaccessibility. Interestingly, the article also mentioned advising students not to bring their school-owned computers to campus to prevent additional cybersecurity risks. This highlights the risks that could increase if the attack has not yet been resolved and students return and connect their devices to the network.
Charlie Corrao says
“30K Macs are infected with ‘Silver Sparrow’ virus and no one knows why”
Recently, it was discovered that 30,000 Macs have a new type of malware on them. This malware is known as Silver Sparrow. The strange aspect of this malware is that researchers have not been able to identify why this malware exists. It appears to be pointless for now. Luckily, Apple has removed the developer certificate for the creator, so no new machines can be infected. In the coming weeks, we should begin to learn more about Silver Sparrow, but for now, this remains a mystery. The number of affected machines was great enough for this to be considered a serious threat, so more info should come soon.
https://www.macworld.com/article/3608621/30k-macs-are-infected-with-silver-sparrow-virus-and-no-one-knows-why.html
Ashleigh Williams says
TDoS Attacks Take Aim at Emergency First-Responder Services
This article discusses how there’s been a recent increase in Telephony Denial of Service (TDoS) attacks on emergency first-responder lines. These attacks overwhelm 911 call centers with false alarms, ultimately resulting in the inability to respond to actual emergencies. This made me think about why anyone would want to disrupt such systems that can impact lives. The article mentions attackers might execute a TDoS attack as a political attack for a social cause or purely for monetary gain. They will execute the attack in exchange for a ransom. The article suggests users have non-emergency numbers stored in the event that an attack is underway; however, it doesn’t outline any measures that are taken to prevent these kinds of attacks or what the FBI is doing in response.
https://threatpost.com/tdos-attacks-emergency-first-responder/164176/
Elias Harake says
In January, Experian in Brazil had a massive data leak that affected more than 220 million citizens. The breach exposed PII which included names, dates of birth, credit information and addresses of millions. According to the article, “Experian challenged over massive data leak in Brazil”, Brazil’s consumer rights foundation Procon notified the credit bureau about the data leak but was given an “insufficient” explanation. “No hypothesis has been ruled out, and at the moment we consider it is more likely that the leak came from inside companies rather than hackers,” said Procon’s executive director Fernando Capez. The statement from Experian will be analyzed by the board of the consumer rights body, and a fine may be applied if any wrongdoing becomes evident, according to the article.
https://www.zdnet.com/article/experian-challenged-over-massive-data-leak-in-brazil/
Mitchell Dulaney says
“Malformed URL Prefix Phishing Attacks Spike 6,000%”
Based on research by GreatHorn, Threatpost reports on a newer form of phishing attack that operates by replacing a forward slash with a backslash in the URL of a link included in the phishing email. This is a relatively new phenomenon, first seen in October of last year, and between January and February 2021 the incidence of this type of attack increased nearly 6000%.
The novel nature of this attack method makes it particularly effective at present, because most automated email security systems don’t flag malformed URL prefixes yet. Additionally, researchers have seen this combined with other sophisticated attack methods, like including a captcha on the phishing site the URL leads to, which further convinces the target that it is a legitimate website.
Experts are recommending that system administrators perform searches in their organization’s mailboxes for items containing these malformed URL prefixes and remove all offending messages. Additionally, email security definitions should be updated to include this new attack method as soon as possible. Finally, as always, phishing awareness training should continue to be a priority and should now incorporate this new widely-used attack method.
https://threatpost.com/malformed-url-prefix-phishing-attacks-spike-6000/164132/
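The mailbox search the post recommends can be scripted. The following is an added example written for this page, not code from GreatHorn or Threatpost; the regex assumes the malformed prefix is an http(s) scheme whose "//" has one or both slashes swapped for a backslash, and the messages are constructed samples.

```python
import re

# Assumed shape of the malformed prefix: "http:/\", "http:\/" or "http:\\".
# This pattern is an assumption derived from the attack description
# (forward slash replaced with a backslash), not GreatHorn's own rule.
MALFORMED_PREFIX = re.compile(r"\bhttps?:(?:/\\|\\/|\\\\)", re.IGNORECASE)


def find_malformed_urls(text):
    """Return every malformed scheme prefix together with the URL token that follows it."""
    hits = []
    for m in MALFORMED_PREFIX.finditer(text):
        end = m.end()
        # Extend the match over the rest of the URL-like token, stopping at
        # whitespace or at a quote/bracket that would close an href attribute.
        tail = re.match(r"[^\s\"'<>)]*", text[end:]).group(0)
        hits.append(text[m.start():end] + tail)
    return hits


def triage_mailbox(messages):
    """messages: list of {'id': ..., 'body': ...}. Return (id, urls) for messages to remove."""
    flagged = []
    for msg in messages:
        urls = find_malformed_urls(msg["body"])
        if urls:
            flagged.append((msg["id"], urls))
    return flagged


# Constructed sample messages; the hosts are placeholders, not real sites.
SAMPLE_MESSAGES = [
    {"id": "msg-001", "body": "Your invoice is ready: https://billing.example.com/inv/42"},
    {"id": "msg-002", "body": "Verify your account now at http:/\\login-example.test/verify?u=1"},
    {"id": "msg-003", "body": 'Click <a href="https:\\\\secure-example.test/captcha">here</a>'},
    {"id": "msg-004", "body": "Windows path C:\\Users\\alice is not a URL prefix"},
]

if __name__ == "__main__":
    # Expected: msg-002 and msg-003 are flagged; the Windows path is not.
    for msg_id, urls in triage_mailbox(SAMPLE_MESSAGES):
        print(msg_id, "->", ", ".join(urls))
```

In a real deployment the `body` field would come from the mail store's search API and the flagged ids fed to its delete or quarantine action.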
Christa Giordano says
Shadow Attacks Let Attackers Replace Content in Digitally Signed PDFs
This article discusses “shadow attacks”, in which a threat actor could gain the ability to compromise PDF documents by breaking the integrity protection of a digitally signed PDF document. The attack exploits the flexibility provided by the PDF specs so the shadow documents remain standard-compliant. To execute it, the threat actor creates a PDF with two types of content: the content expected by the other party and a “shadow document”, which is hidden content that is not displayed until the PDF document is signed. This can result in terms or conditions that the receiver, such as a vendor, did not actually agree to. This vulnerability was discovered in multiple PDF viewers, and Adobe released an update to remedy the flaws.
https://thehackernews.com/2021/02/shadow-attacks-let-attackers-replace.html
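One check a receiver can run on a signed PDF before trusting what a viewer displays, added here as an illustration rather than code from the article or the researchers: a PDF signature's /ByteRange lists the byte spans the signature covers, and any bytes past the end of that range were appended after signing, which is where content swapped in behind a signature would have to live. The sample PDF is constructed and only mimics the objects the check needs; the example does not verify the cryptographic signature itself.

```python
import re

# /ByteRange [offset1 length1 offset2 length2]: the signed bytes are the two
# spans around the hex-encoded /Contents signature value.
BYTERANGE_RE = re.compile(rb"/ByteRange\s*\[\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\]")


def parse_byte_ranges(pdf_bytes):
    """Return (offset1, len1, offset2, len2) for every /ByteRange in the file, in order."""
    return [tuple(int(g) for g in m.groups()) for m in BYTERANGE_RE.finditer(pdf_bytes)]


def check_signature_coverage(pdf_bytes):
    """
    Return (ok, reason). ok is False when the last signature's ByteRange does not
    start at byte 0 or does not reach the end of the file, meaning data was
    appended after signing (an incremental update) and may change what is shown.
    """
    ranges = parse_byte_ranges(pdf_bytes)
    if not ranges:
        return False, "no /ByteRange found: document is not signed"
    off1, _len1, off2, len2 = ranges[-1]
    if off1 != 0:
        return False, "signed range does not start at byte 0"
    signed_end = off2 + len2
    if signed_end < len(pdf_bytes):
        return False, f"{len(pdf_bytes) - signed_end} bytes appended after the signed range"
    if signed_end > len(pdf_bytes):
        return False, "ByteRange extends beyond end of file (truncated or malformed)"
    return True, "signature covers the whole file"


def build_sample_pdf(extra=b""):
    """
    Constructed minimal 'signed' PDF (not a real document): the ByteRange covers
    everything except the /Contents hex string. `extra` simulates bytes appended
    after signing, e.g. an incremental update carrying replacement content.
    """
    prefix = b"%PDF-1.7\n1 0 obj << /Type /Catalog >> endobj\n2 0 obj << /Type /Sig /Contents "
    contents = b"<" + b"00" * 8 + b">"
    # Fixed-width numbers keep the suffix length independent of the values.
    suffix_tpl = b" /ByteRange [0 %010d %010d %010d] >> endobj\ntrailer << /Root 1 0 R >>\n%%%%EOF\n"
    len1 = len(prefix)
    off2 = len1 + len(contents)
    len2 = len(suffix_tpl % (0, 0, 0))
    suffix = suffix_tpl % (len1, off2, len2)
    return prefix + contents + suffix + extra


if __name__ == "__main__":
    print(check_signature_coverage(build_sample_pdf()))
    update = b"3 0 obj << /Type /Page >> endobj\ntrailer << /Root 1 0 R >>\n%%EOF\n"
    print(check_signature_coverage(build_sample_pdf(update)))
```

A real signed PDF can legitimately carry more than one incremental update (for example a second signature), so a failed check is a prompt to inspect what the appended objects change, not proof of tampering on its own.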
Michael Doherty says
911 calls are the target of TDoS attacks.
There are Telephony DoS attacks that are occurring, and they are impacting 911 call centers. The attackers are flooding 911 with calls so that real users are not able to call in. This could cause a life or death situation to occur. Considering that my colleague is the lead for the City of Milwaukee 911 operations center, I feel that this is an important and relevant topic that will be shared with them. I am learning the pressures and stresses that a 911 operator experiences, and know that the operators would not be happy if this were happening, because they would not be able to help the public due to the prank calls.
https://threatpost.com/tdos-attacks-emergency-first-responder/164176/