Nicholas Fabrizio says
Title: Security, Privacy Issues Found in Tens of COVID-19 Contact Tracing Apps
URL: https://www.securityweek.com/security-privacy-issues-found-tens-covid-19-contact-tracing-apps
Academic researchers with universities in Australia and the United Kingdom conducted an analysis on 40 COVID-19 contact tracing applications that are available worldwide. These apps were specifically designed for Android and the results showed many security and privacy concerns. The researchers used a new tool called COVIDGuardian which assesses the security and privacy of the apps in four categories: manifest weakness, general security vulnerabilities, data leaks (PII), and malware detection. The results of the assessment showed 72.5% used insecure cryptographic algorithms, 55% stored sensitive information in plaintext, 55% used insecure random values, 42.5% had permissions to perform backups, and 75% included approximately 20 trackers. The researchers contacted the app developers about the concerns and some did fix the issues.
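The weakness classes the study counted (backup permission in the manifest, insecure cryptographic algorithms, insecure random values, plaintext storage of sensitive data) are the kind of thing a small static checker can flag before an app ships. The script below is an added example, not COVIDGuardian or the researchers' code; it runs a handful of regex and manifest checks over a constructed AndroidManifest.xml and a constructed Java snippet, and the list of weak algorithm names and the regexes are assumptions chosen for illustration, not a complete ruleset.

```python
"""Added example (not COVIDGuardian or the researchers' code): a minimal static
checker over a constructed AndroidManifest.xml and a constructed Java snippet,
flagging the weakness classes the study counted: backup permission, insecure
cryptographic algorithms, insecure random values, and plaintext storage of
sensitive data in SharedPreferences."""
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed sample manifest (not taken from any real app).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.tracer">
    <application android:allowBackup="true" android:debuggable="true">
    </application>
</manifest>
"""

# Constructed sample source (not taken from any real app).
SAMPLE_SOURCE = """
Cipher c = Cipher.getInstance("DES/ECB/PKCS5Padding");
Random r = new Random();
int token = r.nextInt();
SharedPreferences.Editor e = prefs.edit();
e.putString("auth_token", String.valueOf(token));
MessageDigest md = MessageDigest.getInstance("MD5");
"""

# Assumed (illustrative) rule set; a real scanner needs a much larger one.
INSECURE_CIPHER = re.compile(r'Cipher\.getInstance\("([^"]+)"\)')
INSECURE_DIGEST = re.compile(r'MessageDigest\.getInstance\("([^"]+)"\)')
WEAK_ALGOS = {"DES", "RC4", "MD5", "SHA1", "SHA-1"}
INSECURE_RANDOM = re.compile(r"\bnew\s+Random\s*\(")   # java.util.Random, not SecureRandom
PLAINTEXT_STORE = re.compile(
    r'putString\("([^"]*(?:token|password|secret|key)[^"]*)"', re.IGNORECASE)


def check_manifest(xml_text):
    """Manifest weaknesses: backups of app data allowed, debuggable build."""
    findings = []
    app = ET.fromstring(xml_text).find("application")
    if app is not None:
        if app.get(ANDROID_NS + "allowBackup") == "true":
            findings.append("manifest: allowBackup=true")
        if app.get(ANDROID_NS + "debuggable") == "true":
            findings.append("manifest: debuggable=true")
    return findings


def check_source(src):
    """Crypto, randomness and plaintext-storage weaknesses in Java source text."""
    findings = []
    for m in INSECURE_CIPHER.finditer(src):
        parts = m.group(1).upper().split("/")
        algo, mode = parts[0], (parts[1] if len(parts) > 1 else "")
        if algo in WEAK_ALGOS:
            findings.append(f"crypto: weak cipher {algo}")
        if mode == "ECB":
            findings.append("crypto: ECB mode")
    for m in INSECURE_DIGEST.finditer(src):
        if m.group(1).upper() in WEAK_ALGOS:
            findings.append(f"crypto: weak digest {m.group(1)}")
    if INSECURE_RANDOM.search(src):
        findings.append("random: java.util.Random used")
    for m in PLAINTEXT_STORE.finditer(src):
        findings.append(f"storage: plaintext '{m.group(1)}' in SharedPreferences")
    return findings


def scan(manifest_xml, source_text):
    """Run both checks and return the combined list of findings."""
    return check_manifest(manifest_xml) + check_source(source_text)


if __name__ == "__main__":
    for finding in scan(SAMPLE_MANIFEST, SAMPLE_SOURCE):
        print(finding)
```

Each finding maps onto one of the study's categories; a clean snippet using AES/GCM, SecureRandom and no sensitive keys in SharedPreferences produces no findings.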
Xiduo Liu says
A recent disclosure from Millersville University on a breach of some PII highlighted the real security risks targeting higher education organizations. The FBI issued an advisory notice on Tuesday that warned that criminals using malicious software and ransomware are on the rise targeting education institutions. Phishing emails and stolen credentials are often the root cause for the unauthorized access of the information technology systems. It was reported that in 2020 the average ransomware demand hit over $300,000, and just over one year earlier the number was $115,123. Although the federal government has always advised organizations to not pay the ransom to the attackers, in some of the well-known cases, such as the University of California San Francisco, $1.14 million was paid in ransom, and the University of Utah paid $457,000 in ransom in 2020. In 2020, there were at least 26 ransomware attacks involving colleges and universities, and at least 58 against school districts. An estimated 1,681 schools, colleges, and universities were impacted. You can read more here: https://www.insidehighered.com/news/2021/03/19/targeting-colleges-and-other-educational-institutions-proving-be-good-business?utm_source=Inside+Higher+Ed&utm_campaign=5725ebb349-DNU_2021_COPY_02&utm_medium=email&utm_term=0_1fcbc04421-5725ebb349-197578045&mc_cid=5725ebb349&mc_eid=d362591d16
Jonathan Mettus says
“Expert” hackers used 11 0-days to infect Windows, iOS, and Android users
A group of hackers used compromised websites to infect fully patched Windows, iOS, and Android devices, using at least 11 zero-day exploits in a span of nine months. The compromised websites were set up as watering hole attacks that installed malware on visitors’ devices. The malware was novel and carried out a complex chain of exploits. Members of Google’s Project Zero called it “highly sophisticated.”
https://arstechnica.com/information-technology/2021/03/expert-hackers-used-11-zerodays-to-infect-windows-ios-and-android-users/
Mitchell Dulaney says
“Zoom Screen-Sharing Glitch ‘Briefly’ Leaks Sensitive Data”
Threatpost reports on a disclosure by SySS security consultants of a glitch in Zoom’s screen-sharing feature which allows meeting participants to briefly view program windows that have not been shared by the presenter. When a presenter chooses to only share one window on their machine, but then opens and closes another program, the glitch will reliably flash the second program into view for the participants.
Because this is difficult to directly attack, it has been classified as medium severity. However, any participant who is recording the meeting either in Zoom itself or a third-party screen recording application would be able to pause on the frames which incorrectly display the unshared program(s), which would compromise the confidentiality of any data included.
The researchers notified Zoom of this vulnerability almost four months ago, and Zoom hasn’t publicly commented on the vulnerability or patched it in any new releases.
https://threatpost.com/zoom-glitch-leaks-data/164876/
To-Yin Cheng says
https://threatpost.com/office-365-phishing-attack-financial-execs/164925/
Office 365 Phishing Attack Targets Financial Execs
A new type of phishing scam is on the rise. It targets senior managers, their assistants, and financial departments, and can bypass email security and Office 365 defenses. An attacker can access sensitive data of a third party through invoices and bills (often called a BEC (corporate email compromise) attack). “This allows an attacker to send a fake invoice from a legitimate email address to a supplier so that payment can be made to an account owned by the attacker. After the target submits the password, the threat actors have complete control over their email and any other systems that use the same password.” Maaz Qureshi, the Threat Response Analyst with Area 1 Security, told Threatpost, “When you receive an e-mail that claims to be from within and you need to click a link or download an attachment, the best way is to confirm the authenticity of the e-mail. All employees should be proficient in basic network security, such as not clicking on external unknown links.”
Elias Harake says
Recently, a computer and electronics manufacturer, Asus, headquartered in Taiwan, became a victim of a cyberattack. According to a news article from the Deccan Herald, the company suffered a ransomware attack by a Trojan called REvil and was asked to pay $50 million in order to obtain their data back. It’s believed that the cyber attackers used vulnerabilities of the Microsoft Exchange Server. Some of the data stolen are believed to be sensitive information regarding financial spreadsheets, bank account information, and accounting transactions. The cyberattacker offered a 20% discount if the company pays their ransom price in full by 3/24/2021. This is evidence that cybersecurity should be a focus for every company, since it is known to be the most expensive ransom demand by a group to date.
https://www.deccanherald.com/business/technology/acer-suffers-cyber-attack-hackers-demand-50-million-ransom-964941.html
Christopher Clayton says
“CopperStealer malware infected up to 5,000 hosts per day over first three months of 2021”
CopperStealer, a Chinese-based malware, infected approximately 5,000 hosts per day, stealing credentials from popular platforms such as Facebook, Instagram, Apple, Amazon, Google, and Twitter. They are known to steal passwords from browsers, so it’s been made known that storing sensitive data in those browsers is a major security risk. A threat research company called Proofpoint managed to disrupt its operations by reverse-engineering the malware and the domain generation algorithm, to block attackers from registering domains the day before they could register them.
https://www.scmagazine.com/home/security-news/copperstealer-malware-infected-up-to-5000-hosts-per-day-over-first-three-months-of-2021/
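The disruption the post describes works because once a malware family's domain generation algorithm (DGA) is known, defenders can compute tomorrow's domains today and sinkhole or block them first. The code below is an added example, not Proofpoint's or CopperStealer's code: the date-seeded DGA in it is a constructed toy standing in for a reverse-engineered one, the TLD list and domain counts are assumptions, and the DNS log lines are constructed. It shows the defender's workflow rather than any real DGA.

```python
"""Added example (not Proofpoint's or CopperStealer's code): a constructed toy
date-seeded DGA stands in for a reverse-engineered one. The defender computes the
domains for today and the following day, builds a blocklist/sinkhole list ahead of
the malware's rollover, and checks constructed DNS query logs against it."""
import datetime
import hashlib

# Assumed TLD list for the toy DGA; real families use their own.
TLDS = ("xyz", "top", "club")

# Constructed reference dates used by the sample log below.
TODAY = datetime.date(2021, 3, 20)
TOMORROW = TODAY + datetime.timedelta(days=1)


def toy_dga(day, count=5):
    """Constructed toy DGA: derive `count` domains deterministically from a date.
    A real DGA differs in detail, but once reversed it plugs in here the same way."""
    domains = []
    for i in range(count):
        seed = f"{day.isoformat()}:{i}".encode()
        digest = hashlib.sha256(seed).hexdigest()
        label = digest[:12]                              # 12 hex chars as the host label
        tld = TLDS[int(digest[12:14], 16) % len(TLDS)]   # pick a TLD from the next byte
        domains.append(f"{label}.{tld}")
    return domains


def preemptive_blocklist(today, days_ahead=1, count=5):
    """Domains for `today` through `days_ahead` days out, so they can be registered,
    sinkholed or added to resolver blocklists before the malware rolls over to them."""
    block = set()
    for offset in range(days_ahead + 1):
        day = today + datetime.timedelta(days=offset)
        block.update(toy_dga(day, count))
    return block


def flag_queries(log_lines, blocklist):
    """Return (host, qname) pairs from DNS log lines ("<time> <host> <qname>")
    whose query name is on the blocklist; a hit is an infected-host indicator."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 3:
            continue                                     # skip malformed lines
        host, qname = parts[1], parts[2].rstrip(".").lower()
        if qname in blocklist:
            hits.append((host, qname))
    return hits


# Constructed sample DNS log; one host queries tomorrow's first DGA domain.
SAMPLE_LOG = [
    "10:01:02 host-03 www.example.com.",
    f"10:01:05 host-17 {toy_dga(TOMORROW)[0]}.",
    "10:01:09 host-22 updates.example.org.",
    "garbage-line",
]


if __name__ == "__main__":
    blocklist = preemptive_blocklist(TODAY, days_ahead=1)
    print("blocking", len(blocklist), "domains")
    for host, qname in flag_queries(SAMPLE_LOG, blocklist):
        print(f"{host} queried DGA domain {qname}")
```

Generating a day ahead is the point: the blocklist already contains tomorrow's domain when host-17 asks for it, which is the same lead the article describes Proofpoint gaining over the operators.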
Megan Hall says
Energy giant Shell discloses data breach after Accellion hack
https://www.bleepingcomputer.com/news/security/energy-giant-shell-discloses-data-breach-after-accellion-hack/
This article was about a hack of Shell’s secure file sharing system which is the File Transfer Appliance provided by Accellion. Based upon Shell’s release/disclosure of the incident, the hack was limited, as the file sharing system was segregated from the remainder of Shell’s digital infrastructure. Despite it being limited and only affecting the file transfer system, based upon the release, there was sensitive personal information and company information breached.
The article further highlights that this was part of a series of hacks against Accellion carried out by two groups – the FIN11 Cybercrime Group and the Clop ransomware group. Accellion has indicated that only 100 of their 300 customers were affected, with only 25 being seriously impacted with “significant data theft”.
Lakshmi Surujnauth says
“TikTok Pays Out $11,000 Bounty for High-Impact Exploit”
TikTok has paid an 18-year-old researcher $11K after he discovered a couple of cross-site scripting (XSS) vulnerabilities that allow an attacker to remotely execute arbitrary code on a targeted user’s Android device simply by convincing them to click on a malicious link. The exploit could do anything TikTok could do on your device. For instance, if the victim had given storage permission to the TikTok app, the exploit could access those storage files. Cyber criminals could easily chain this exploit with an Android vulnerability to take over the whole device. TikTok launched its public bug bounty program in collaboration with HackerOne in October 2020 and it has been reported that approximately $130K has been paid out.
https://www.securityweek.com/tiktok-pays-out-11000-bounty-high-impact-exploit
Wei Liu says
Zoom Screen-Sharing Glitch ‘Briefly’ Leaks Sensitive Data
This article states that a glitch in Zoom’s screen-sharing feature shows parts of presenters’ screens that they did not intend to share – potentially leaking emails or passwords. The issue occurs in a “reliably reproducible manner” when a user shares one split application window (such as presentation slides in a web browser) while opening other applications (such as a mail client) in the background, in what is supposed to be non-shared mode. Researchers found that the contents of the explicitly non-shared application window can be perceived for a brief moment by meeting participants.
https://threatpost.com/zoom-glitch-leaks-data/164876/
Ashleigh Williams says
Iranian Hackers Run Rampant
This article outlines the discovery of an Iranian cyberespionage campaign that has lasted for the last six years. The campaign targeted protesters and expats with the hopes of gaining intelligence on adversaries of the Iranian regime. There was a particular focus on the healthcare, government, technology, and defense industries. This article is interesting as the campaign has gone undetected for several years. The attacks have included strains of Windows info stealers for theft of personal documents, along with gaining access to KeePass (password manager) and Telegram Desktop (cloud-based instant messaging) account information, an Android backdoor to pilfer 2FA codes from SMS messages, sending malicious Telegram phishing pages, and, more recently, a campaign intended to steal critical information related to aerospace and satellite resources and technology. A total of 5 hackers have been charged and/or indicted in connection with these attacks. It’s interesting that with all of the information, tools and resources on cybersecurity, there are still attacks of this magnitude that happen and go undetected.
https://cyware.com/news/iranian-hackers-run-rampant-9c621891
Charlie Corrao says
“The cyber security problem we should really worry about”
This article discusses the public core, and how it is a greatly overlooked aspect of cyber security. The public core is the shared infrastructure the internet uses to operate. Whenever cyber security is discussed, it is almost never brought up how technical and difficult it can be to understand. The fact is, much of it is outdated and very vulnerable. If this is attacked, it could cripple our country. Some cyber security activists are now petitioning to have it taken more seriously. Since it is so technical, it can be hard to describe why it is vital and important. Ideally, Congress and the government will take steps to take this important piece of infrastructure more seriously.
https://www.google.com/amp/s/thehill.com/opinion/cybersecurity/544365-the-cybersecurity-problem-we-should-really-worry-about%3famp
Quynh Nguyen says
New Malware Disguised as an APP for Android Users
There are reports of a faux version of a chat app called Clubhouse which contains malware that steals login credentials for more than 450 apps. The app has been popular in recent months and reached 13 million downloads on the Apple App Store. However, it is not yet available for Android users. Cybercriminals have taken advantage of this by creating a fake “Clubhouse” app for Android users. The app even links to a faux Clubhouse website. The malware, called Blackrock, steals users’ login data for over 458 online services. It uses an overlay attack, a common attack for Android apps. In this type of attack, the malware will create a data-stealing overlay of the application that the victim is navigating to, and request the user to log in. However, while the victim believes he is logging in, he is unwittingly handing over his credentials to the cybercriminals. The app also asks the victim to enable accessibility services on the phone to grant itself permissions on the phone without the victim’s knowledge. These permissions give the malware access to contacts, cameras, SMS messages, and more. This ability to intercept SMS messages helps hackers get around SMS-based two-factor authentication (2FA) protection set up by the apps on the victims’ phone (if an app sends a 2FA code, for instance, attackers can pick it up by viewing the text messages).
https://threatpost.com/android-clubhouse-app-malware/164915/
Michael Doherty says
TESLA employee cyber attack
This article was interesting. A hacker was willing to pay an employee ($1M) to plant malware files in the Tesla network. Most of the items we learn in the class are related to system security architecture. This is a personnel security concern that would constitute collusion if the hacker was successful. Unfortunately, Tesla may not have been able to do anything to prevent this due to the collusion, if it had been successful.
https://apnews.com/article/us-news-malware-nevada-reno-russia-56df6766883bc9d228c396a3a350e715
Panayiotis Laskaridis says
New wave of ‘hacktivism’ adds twist to cybersecurity woes
https://www.reuters.com/article/uk-cyber-hacktivism-focus/new-wave-of-hacktivism-adds-twist-to-cybersecurity-woes-idINKBN2BH3I3
I like this article for two reasons. First and foremost, I like that what I am learning in school can be used for legitimate good and not just padding the balance sheet of some company. Secondly, I like how this article was written from the perspective of cybersecurity and views hacktivism as an emerging threat. Full disclaimer: even if I wanted to participate in these activities, I couldn’t. Obviously, there is always a fine line when it comes to vigilantism, but usually, at least outside of state-sponsored actors, these hacks are done against parties that are unfavorable in public opinion. At the very least, it is information that should be known to the public.