Cybersecurity News
- The FBI warns of teleconferencing and online classroom hijacking during the COVID-19 pandemic and gives some recommendations. The FBI has received multiple reports of conferences being disrupted by pornographic and/or hate images and threatening language. Because of these problems, several companies and organizations have decided not to use Zoom. For example, Elon Musk’s SpaceX recently banned its employees from using Zoom, citing “significant privacy and security concerns,” while Taiwan’s cabinet has told government agencies to stop using the app.
- Microsoft announced that its plan to disable the security protocols TLS 1.0 and TLS 1.1 in the company’s browsers has been postponed in light of current global events. Initially the company wanted to disable these protocols in the first half of 2020. Newer versions of the TLS protocol enable more modern cryptography and are broadly supported across modern browsers.
- Security researcher Bill Demirkapi publicly disclosed several critical vulnerabilities affecting most HP machines running Windows, saying that some of the vulnerabilities he had reported were still unpatched. A patch was released on April 1 that the HP Product Security Response Team (PSRT) said fixes “potential escalation of privilege and arbitrary file deletion” with “certain versions of HP Support Assistant.”
- In an effort to protect essential web services during the Covid-19 outbreak, Google is rolling back changes to the Chromium browser project that were designed to stop users from being tracked by websites. Justin Schuh, Google’s director of Chrome engineering, said the rollback was designed to avoid disruption to websites providing critical services such as “banking, online groceries, government services and healthcare” amid the coronavirus pandemic.
- Finastra Group Holdings Ltd., a software company that services banks, opted to take servers offline rather than give in to hackers. Hackers silently entered the computer network of London-based banking software maker Finastra in mid-March. Moving with precision and speed, they captured employee passwords and installed backdoors in dozens of servers in critical parts of Finastra’s network.
Cybersecurity Blog Posts
- Web applications get the brunt of attacks because every website is by definition exposed to the public. Many common mistakes, which are well known and have solutions, still crop up and cause big issues. Justin Boyer tells us five of those mistakes and how to get it right so you’re not the next hacking headline.
- People make mistakes, they break the rules and they can be hacked, which is why protecting people is much more challenging than protecting machines. Tim Sadler shows us why humans are phishing’s weakest link and why security leaders must consider how to apply the same level of advanced technology and resources to protecting humans as they do to protecting the rest of the enterprise.
- Expanding attack surfaces and complex cloud security environments have given rise to new advanced threats. Compliance regulations have become more rigorous and punitive. And while digital transformation accelerates the pace of doing business, its impact is often limited by budget restrictions and security talent gaps. Oliver Friedrichs tells us what CISOs care about in 2020.
- Strong network security is essential, yet creating and maintaining bulletproof network protection remains an elusive goal for many enterprises. Many enterprises fail to take some basic actions that would keep their networks safe from infiltration and attack. John Edwards tells us five ways enterprises inadvertently compromise their network security.
Research & Analytics
- Kaspersky researchers discovered watering hole websites that were compromised to selectively trigger a drive-by download attack with fake Adobe Flash update warnings. This campaign has been active since at least May 2019 and targets an Asian religious and ethnic group. The watering holes have been set up on websites that belong to personalities, public bodies, charities and organizations of the targeted group. GitHub disabled the repository used in the campaign before Kaspersky reported it to them; the repository had been online for more than nine months.
- The Guardicore Labs team has recently uncovered a long-running attack campaign that aims to infect Windows machines running MS-SQL servers. Dating back to May 2018, the campaign uses password brute force to breach victim machines, deploys multiple backdoors and executes numerous malicious modules, such as multifunctional remote access tools (RATs) and cryptominers. The campaign was dubbed Vollgar after the Vollar cryptocurrency it mines and its offensive, vulgar behaviour.
- The number of coronavirus-related cyber-attacks is on the rise. Based on ThreatCloud data, Check Point’s researchers found that although cyber-attacks in general have decreased somewhat since the outbreak and economic downturn, coronavirus-related attacks have increased significantly. As the pandemic has driven Netflix’s subscriber growth, the brand has been used as part of various web-based fraud schemes: a substantial 2x growth in the number of phishing attacks by websites posing as Netflix sites has been observed in recent weeks.
- Since the beginning of January, during the period when initial outbreaks were being reported, over 16,000 new coronavirus-related domains were registered. In three weeks, Check Point’s experts have noticed a huge increase in the number of registered domains: the average number of new domains is almost 10 times more than the average number found in previous weeks. 0.8% of these domains were found to be malicious (93 websites), and another 19% were found to be suspicious (more than 2,200 websites).
- The Cyberspace Solarium Commission proposes a strategy of layered cyber deterrence. Its report consists of over 80 recommendations to implement the strategy.
- Specialists at the information security company FireEye published statistics on the exploitation of zero-day vulnerabilities by intelligence agencies around the world over the past seven years, presented as a map and a timeline. The experts used data collected by FireEye itself and other research organizations, as well as information from the Google Project Zero database.
Major Cyber Incidents
- A database containing the private information of Georgian citizens is up for grabs on a dark web forum. Researchers from Under the Breach stumbled on the data leak over the weekend and reported that it contained 4,934,863 entries.
- Marriott discloses data breach possibly affecting over 5 million customers. Hackers were able to access the birth dates, names, mailing addresses and loyalty information about guests, such as which airline programs they belonged to and their point balances. No passwords or credit card information appear to have been lost.
- A rival hacking forum has yet again hacked OGUsers – the second time in a year – and yet again doxxed its database for one and all to grab, fast on the heels of the attack. Within a few hours, a rival forum dumped OGUsers’ database of about 200,000 user records, Under the Breach reported early Friday morning. Those users’ passwords apparently weren’t encrypted, given Under the Breach’s claim that over half of them had already been converted to plaintext as of the time the service posted.
- REvil posted online an internal company document from 10x Genomics Inc., a California biotechnology company that is part of a global alliance seeking to discover antibodies for the coronavirus. The document reportedly contains information about more than 1,200 of the company’s employees and its internal computer systems.
- Thousands of personal Zoom videos have been left viewable on the open Web, highlighting the privacy risks to millions of Americans as they shift many of their personal interactions to video calls in an age of social distancing.
- The data of more than 600,000 Email.it users is currently being sold on the dark web, ZDNet has learned following a tip from one of our readers. The hackers claim the databases contain plaintext passwords, security questions, email content, and email attachments for more than 600,000 users who signed up and used the service between 2007 to 2020.
- 42 million records from a third-party version of the messaging app Telegram used in Iran were exposed on the web. The data was posted by a group called “Hunting system” (translated from Farsi) on an Elasticsearch cluster that required no password or other authentication to access.
- DarkHotel has compromised more than 200 virtual private network servers to infiltrate “many” Chinese institutions and government agencies. The DarkHotel hackers used a previously unknown software vulnerability in the enterprise Sangfor SSL VPN software, then installed malicious software onto victim machines to collect user data. The timing of the attack coincides with instructions from the Chinese government requiring citizens to work from home in order to mitigate COVID-19’s spread.