Cybersecurity news
- Symphony Technology Group (STG) announced the launch of Trellix, a new business delivering extended detection and response (XDR) to organizations with a focus on accelerating technology innovation through machine learning and automation. Trellix emerges from the previously announced merger of McAfee Enterprise and FireEye.
- Texas, Indiana, Washington State and the District of Columbia sued Alphabet Inc’s Google over what they called deceptive location-tracking practices that invade users’ privacy.
- The European Parliament moved closer to banning targeted ads based on sensitive data. A large majority of lawmakers voted to prohibit online platforms such as Facebook and Google from showing ads to users based on their most intimate information, as part of the EU's draft content moderation bill, the Digital Services Act (DSA).
- Samba has addressed a critical severity vulnerability that can let attackers gain remote code execution with root privileges on servers running vulnerable software. Samba is an open-source re-implementation of the Windows Server Message Block (SMB) networking protocol that provides file sharing and printing services across many platforms, allowing Linux, Windows, and macOS users to share files over a network.
- New FluBot and TeaBot malware distribution campaigns have been spotted, using the usual smishing lures or trojanized apps against Android users in Australia, Germany, Poland, Spain and Romania. The most recent FluBot campaign was tracked by researchers at Bitdefender Labs, who intercepted over 100,000 malicious SMS messages since December 2021, illustrating the threat actor's massive distribution volume.
- The Black Cat ransomware gang, also known as ALPHV, has confirmed they are former members of the notorious BlackMatter/DarkSide ransomware operation. The ransomware executable is highly customizable, with different encryption methods and options allowing for attacks on a wide range of corporate environments.
Cybersecurity Blog Posts
- Malcolm Harkins, Chief Security & Trust Officer at Epiphany Systems, discussed the challenges security leaders face when communicating with their company's management and how to overcome them.
- Terry Olaes, Technical Director at Skybox Security, explained why vulnerability scanners remain essential tools for defenders protecting enterprise and government networks, but also why, given the rapidly increasing complexity of today's threat landscape, they are no longer enough on their own to cope with the overwhelming volume of vulnerability alerts. He identifies three specific drivers that have made vulnerability scanners obsolete as standalone security tools.
- Cybersecurity has come to be defined by identity: almost every attack today revolves around gaining control of a user's identity as a means of accessing critical data and systems. Tony Cole, CTO of Attivo Networks, discussed reducing the blast radius of credential theft and why Active Directory (AD) is the key target in identity attacks.
Research and analytics
- Qrator Labs published its report on Q4 2021 DDoS attacks and BGP incidents. The largest botnet recorded in Q4 2021 counted 160,097 devices, almost three times the Q3 figure and more than in any other quarter of 2021. E-commerce was by far the most attacked industry, with 21.75% of all attacks, followed by Education with 15.5% of mitigated attacks and Payment systems with 9.75%. Banks, which were the focus of attacks in Q3 with 22.28%, are now targeted by only 5% of attacks.
- To gain a better understanding of the different types of ransomware threats, Pulse and Hitachi ID surveyed 100 IT and security executives on how attackers approach employees, how ransomware is changing organizations' cybersecurity approach, and how prepared businesses really are to combat these attacks. 65% of respondents say they or their employees have been approached to assist in a ransomware attack, a 17% increase compared with a similar survey run in the fall of 2021.
- The Black Kite Research team released its annual report examining the impact of third-party breaches that occurred in 2021. Ransomware became the most common method in third-party attacks, initiating 27% of the breaches analyzed. Software publishers were the most common source of third-party breaches for the third consecutive year, accounting for 23% of related incidents, and healthcare was the most common victim of attacks caused by third parties, accounting for 33% of incidents in 2021.
- Ivanti released its Ransomware Spotlight Year End 2021 report, based on data from a variety of sources, including proprietary data from Ivanti and Cyber Security Works, publicly available threat databases, threat researchers and penetration testing teams. The report found a 29% increase in the number of vulnerabilities associated with ransomware, a 25% increase in ransomware families and a 35% increase in low-scoring vulnerabilities tied to ransomware.
- According to the Identity Theft Resource Center's report, the overall number of data compromises is up 68% over 2020. Ransomware-related data breaches have doubled in each of the past two years; at the current growth rate, ransomware will overtake phishing as the number one root cause of data compromises in 2022.
- As the 2022 Cost of Insider Threats: Global Report reveals, insider threat incidents have risen 44% over the past two years, with the cost per incident up more than a third to $15.38 million.
- Akamai found 277,000 devices, out of a pool of 3.5 million, running vulnerable UPnP implementations. Of those, Akamai can confirm that more than 45,000 have been compromised in a widely distributed UPnP NAT injection campaign: the attackers add port-forwarding rules through the router's UPnP interface, exposing machines behind the router to the Internet, and the injected rules appear to target the service ports used by SMB.
- While researching vulnerabilities that could be exploited to damage data centers, Cyble Research Labs found multiple DCIM software products, intelligent monitoring devices, thermal cooling management control systems and rack power monitors vulnerable to cyberattacks. Its scanners and Google dork searches also found more than 20,000 public-facing instances of products from various vendors used in data center operations worldwide, so data centers are likely to face increasing cyber threats.
- Expel announced Great eXpeltations 2022: Cybersecurity trends and predictions, its inaugural annual report sharing data from its security operations center (SOC) on the biggest cybersecurity threats, practical recommendations on how to handle them, and predictions for what to expect in the year ahead.
- Check Point Research released its 2022 Workforce Security Report. According to the survey, 94% of organizations allow remote access to corporate apps and assets from unmanaged as well as managed devices, while 17% reported that they allow remote access only from company-managed laptops.
- Gemini Annual Report 2021, Magecart Thrives in the Payment Card Fraud Landscape: the underground payment card economy in 2021 saw new tactics enable new attack vectors and raise certain fraud schemes to higher prominence, such as skimming attacks leveraging Google Tag Manager (GTM) and WebSockets, the Skimmer-as-a-Service model, and card checker innovations.
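The UPnP NAT injection campaign in the Akamai item above boils down to port-forwarding rules that an attacker writes into the router's Internet Gateway Device (IGD) table to expose SMB ports on LAN hosts. The following is an added example, not Akamai's tooling, of how a defender can audit that table: it builds the standard WANIPConnection:1 GetGenericPortMappingEntry request, parses the responses, and flags any forward that reaches port 445 or 139 on an internal host, however the external port is chosen. The sample responses, the hosts and the control URL are constructed for the demo; only the action and argument names are real.

```python
# Added example (not Akamai's tooling): audit a UPnP IGD port-mapping table for
# the NAT-injection pattern, i.e. forwards that expose SMB/NetBIOS ports on LAN
# hosts. Sample responses, hosts and control URL are constructed for the demo.
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
SERVICE = "urn:schemas-upnp-org:service:WANIPConnection:1"
SMB_PORTS = {445, 139}  # SMB over TCP and the NetBIOS session service


def build_get_mapping_request(index: int) -> bytes:
    """SOAP envelope for GetGenericPortMappingEntry(NewPortMappingIndex=index)."""
    return (
        f'<?xml version="1.0"?><s:Envelope xmlns:s="{SOAP_NS}" '
        's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body>'
        f'<u:GetGenericPortMappingEntry xmlns:u="{SERVICE}">'
        f"<NewPortMappingIndex>{index}</NewPortMappingIndex>"
        "</u:GetGenericPortMappingEntry></s:Body></s:Envelope>"
    ).encode()


def parse_mapping_response(xml_bytes: bytes):
    """One mapping (dict) from a GetGenericPortMappingEntry response, or None on a
    SOAP Fault (error 713 SpecifiedArrayIndexInvalid marks the end of the table)."""
    body = ET.fromstring(xml_bytes).find(f"{{{SOAP_NS}}}Body")
    if body is None or body.find(f"{{{SOAP_NS}}}Fault") is not None:
        return None
    resp = body.find(f"{{{SERVICE}}}GetGenericPortMappingEntryResponse")
    if resp is None:
        return None
    f = {c.tag: (c.text or "").strip() for c in resp}  # argument elements are unqualified
    return {
        "remote_host": f.get("NewRemoteHost", ""),  # "" = any source on the Internet
        "ext_port": int(f["NewExternalPort"]),
        "proto": f["NewProtocol"],
        "int_host": f["NewInternalClient"],
        "int_port": int(f["NewInternalPort"]),
        "desc": f.get("NewPortMappingDescription", ""),
    }


def audit_responses(responses: list) -> list:
    """Parse responses for index 0, 1, ... up to the first Fault and return the
    forwards that reach an SMB/NetBIOS port, whatever external port hides them."""
    mappings = []
    for raw in responses:
        m = parse_mapping_response(raw)
        if m is None:
            break
        mappings.append(m)
    return [m for m in mappings if m["int_port"] in SMB_PORTS or m["ext_port"] in SMB_PORTS]


def fetch_mapping_responses(control_url: str, max_entries: int = 256) -> list:
    """Pull the live table from an IGD (control URL taken from the device
    description found via SSDP discovery, not shown). Not exercised offline."""
    responses = []
    for i in range(max_entries):
        req = urllib.request.Request(
            control_url, data=build_get_mapping_request(i), method="POST",
            headers={"Content-Type": 'text/xml; charset="utf-8"',
                     "SOAPAction": f'"{SERVICE}#GetGenericPortMappingEntry"'})
        try:
            with urllib.request.urlopen(req, timeout=5) as r:
                raw = r.read()
        except urllib.error.HTTPError as e:
            raw = e.read()  # IGDs answer HTTP 500 with the SOAP Fault in the body
        responses.append(raw)
        if parse_mapping_response(raw) is None:
            break
    return responses


def _resp(remote, ext, proto, host, port, desc) -> bytes:
    """Constructed GetGenericPortMappingEntry response for the offline demo."""
    return (
        f'<s:Envelope xmlns:s="{SOAP_NS}"><s:Body>'
        f'<u:GetGenericPortMappingEntryResponse xmlns:u="{SERVICE}">'
        f"<NewRemoteHost>{remote}</NewRemoteHost><NewExternalPort>{ext}</NewExternalPort>"
        f"<NewProtocol>{proto}</NewProtocol><NewInternalPort>{port}</NewInternalPort>"
        f"<NewInternalClient>{host}</NewInternalClient><NewEnabled>1</NewEnabled>"
        f"<NewPortMappingDescription>{desc}</NewPortMappingDescription>"
        "<NewLeaseDuration>0</NewLeaseDuration>"
        "</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>"
    ).encode()


SAMPLE_FAULT = (
    f'<s:Envelope xmlns:s="{SOAP_NS}"><s:Body><s:Fault><faultcode>s:Client</faultcode>'
    '<faultstring>UPnPError</faultstring><detail><UPnPError xmlns="urn:schemas-upnp-org:control-1-0">'
    "<errorCode>713</errorCode><errorDescription>SpecifiedArrayIndexInvalid</errorDescription>"
    "</UPnPError></detail></s:Fault></s:Body></s:Envelope>"
).encode()

# Constructed table: a legitimate game-server forward, then two injected SMB/NetBIOS
# forwards (one on the well-known port, one hidden behind external port 61445).
SAMPLE_RESPONSES = [
    _resp("", 27015, "UDP", "192.168.1.20", 27015, "game server"),
    _resp("", 445, "TCP", "192.168.1.15", 445, ""),
    _resp("", 61445, "TCP", "192.168.1.30", 139, "update"),
    SAMPLE_FAULT,
]
```

Against a real router, `audit_responses(fetch_mapping_responses(control_url))` walks the table until the IGD returns the end-of-table Fault. A mapping with an empty NewRemoteHost and an internal port of 445 or 139 is the signature to look for; the external port is attacker-chosen, so matching on the internal port matters more than on 445 itself. The remediation is to delete the rule (DeletePortMapping), disable UPnP on the WAN side, and check the exposed host for SMB compromise.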
Major Cyber Incidents
- Qubit Finance is one of the latest decentralized finance (DeFi) protocols to be exploited. Attackers stole 206,809 Binance Coin (BNB) from Qubit's QBridge protocol, which runs on the Binance Smart Chain, the protocol confirmed via a tweet; the assets were valued at more than $80 million at the time of writing.
- Microsoft says its Azure DDoS protection platform mitigated a massive 3.47 terabits per second (Tbps) distributed denial-of-service (DDoS) attack targeting an Azure customer in Asia in November. Two more large attacks followed in December, also targeting Azure customers in Asia: a 3.25 Tbps UDP attack on ports 80 and 443 and a 2.55 Tbps UDP flood on port 443.
- OpenSubtitles, one of the world's largest online repositories of subtitle files, has confirmed a cyberattack that exposed the personal data of nearly 7 million subscribers. The exposed data includes email and IP addresses, country of residence, usernames, and passwords stored as unsalted MD5 hashes, a format that offers essentially no protection against offline cracking with precomputed lookup tables.
- Andorra Telecom, the only ISP in the principality of Andorra, suffered repeated distributed denial-of-service (DDoS) attacks during a multi-day Twitch gaming tournament. There is some suspicion that the perpetrators timed the DDoS attacks to deny the Andorran players their chance at the $100,000 prize pool.
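The unsalted MD5 password storage in the OpenSubtitles breach above is worth seeing next to a correct scheme. The following is an added example, not OpenSubtitles' code: it reproduces the weak scheme and a lookup-table attack on it, then stores the same passwords with a per-user random salt and an iterated KDF (PBKDF2-HMAC-SHA256 from the standard library) and runs the same wordlist against both. The users, passwords and wordlist are constructed for the demo.

```python
# Added example (not OpenSubtitles' code): unsalted MD5 beside salted PBKDF2,
# with the same dictionary attack run against each. Users, passwords and the
# wordlist are constructed for the demo.
import hashlib
import hmac
import os
from typing import Dict, List, Optional

ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor; tune to ~100 ms on your hardware


def md5_unsalted(password: str) -> str:
    """The scheme in the breach: one deterministic digest per password, shared
    by every user who picked that password."""
    return hashlib.md5(password.encode()).hexdigest()


def crack_unsalted(stolen: Dict[str, str], wordlist: List[str]) -> Dict[str, str]:
    """Offline attack on an unsalted table: hash the wordlist once, then every
    leaked user is a dictionary lookup, and identical passwords fall together."""
    table = {md5_unsalted(w): w for w in wordlist}
    return {user: table[h] for user, h in stolen.items() if h in table}


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, iterated hash in a self-describing record: algo$iters$salt$dk."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    algo, iters, salt_hex, dk_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def crack_salted(stolen: Dict[str, str], wordlist: List[str]) -> Dict[str, str]:
    """Same wordlist against salted records: no shared table is possible, so each
    user costs up to len(wordlist) full PBKDF2 runs. Weak passwords still fall,
    which is why the salt and the work factor are complements, not substitutes."""
    found = {}
    for user, record in stolen.items():
        for w in wordlist:
            if verify_password(w, record):
                found[user] = w
                break
    return found


# Constructed leak: three users, two of whom chose the same weak password.
USERS = {"alice": "password", "bob": "correct horse battery", "carol": "password"}
WORDLIST = ["123456", "password", "qwerty", "letmein"]

MD5_TABLE = {u: md5_unsalted(p) for u, p in USERS.items()}      # what leaked
SALTED_TABLE = {u: hash_password(p) for u, p in USERS.items()}  # what should have
```

In `MD5_TABLE` alice and carol hold the same digest, so one precomputed table cracks both at once and a public MD5 lookup service would do the same. In `SALTED_TABLE` their records differ, and each guess costs a full PBKDF2 run, so the attack scales with users times guesses; the weak password is still found, which is the argument for a slow KDF plus a password policy rather than for the salt alone.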