Cybersecurity Digest #4: 11/05/2020 – 22/05/2020

Cybersecurity News

  • The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the broader U.S. Government have published the top 10 most exploited vulnerabilities from 2016 to 2019 with recommendations for mitigation.
  • Israeli researchers revealed NXNSAttack, a vulnerability in DNS servers that can be abused to launch DDoS attacks of massive proportions. They say that an attacker using NXNSAttack can amplify a simple DNS query from 2 to 1,620 times its initial size, creating a massive spike in traffic that can crash a victim’s DNS server.
  • Cisco Talos researchers reported on new malware, dubbed WolfRAT, a new variant of DenDroid: a mobile Remote Access Trojan (RAT) that targets Thai users of WhatsApp, Facebook Messenger, and Line messaging apps on the Android mobile platform. WolfRAT begins its infection chain through fake update lures abusing legitimate services including Flash and Google Play.
  • Security researchers from three universities in Europe have found multiple weaknesses in the ubiquitous Bluetooth protocol that could allow attackers to impersonate a paired device and establish a secure connection with a victim. Bluetooth chips from Apple, Intel, Qualcomm, Cypress, Broadcom, and others are all vulnerable to the attacks.
  • Björn Ruytenberg, a researcher at Eindhoven University of Technology, discovered a security flaw in Intel’s Thunderbolt ports, common to many laptops produced before 2019. The attack, which hackers can propagate through the Thunderbolt connection in less than 5 minutes, is called an evil maid direct memory access (DMA) attack.
  • Yarden Shafir & Alex Ionescu, cybersecurity specialists, published information about the PrintDemon vulnerability in the Windows printing service. They said it impacts all Windows versions going back to Windows NT 4, released in 1996. Proof-of-concept code for PrintDemon has already been published on GitHub.

Cybersecurity blogs

  • Most cybersecurity vulnerabilities are created by human decisions—many of which aren’t made consciously. Here’s why understanding the mental shortcuts we use in decision-making can help strengthen cybersecurity.
  • The energy and utility sectors are prime candidates for cyberattacks, which is why cybersecurity must be a primary consideration when developing the business model, bringing on new technologies, and changing the way the industry operates with external associates. The Infosec Institute blog describes critical security concerns facing the energy & utility industry and their solutions.
  • David Brumley looked at cyber defense in the context of game theory and explained why defense is not chess but a game of poker. In poker, you lack visibility into your opponent’s position and moves, which is also the case in the cyber realm.

Research & Analytics

  • For its report The State of Ransomware 2020, Sophos commissioned an independent survey of 5,000 IT managers across 26 countries. The findings provide brand new insight into what actually happens once ransomware hits. Almost three quarters of ransomware attacks result in the data being encrypted. According to the report, 51% of organizations were hit by ransomware in the last year. The criminals succeeded in encrypting the data in 73% of these attacks.
  • Denial-of-service (DoS) attacks have spiked over the past year, while cyber-espionage campaigns have spiraled downwards. That’s according to Verizon’s 2020 Data Breach Investigations Report (DBIR), which analyzed 32,002 security incidents and 3,950 data breaches across 16 industry verticals. While DoS attacks use differing tactics, they most commonly involve sending junk network traffic to overwhelm and crash systems.
  • With the help of Dimensional Research, Tripwire found that 58% of IT security professionals were more concerned about the security of their employees’ home networks than they were before the outbreak of coronavirus 2019 (COVID-19). Slightly smaller percentages of respondents expressed concern about an increase in ransomware, phishing and social engineering attacks and about secure configurations of remote systems, at 45% and 41%, respectively.
  • Only 51 percent of technology professionals and leaders are highly confident that their cybersecurity teams are ready to detect and respond to the rising cybersecurity attacks during COVID-19, according to new research by global association ISACA. Additionally, only 59 percent say their cybersecurity team has the necessary tools and resources at home to perform their job effectively.
  • Proofpoint discovered several ready-made website templates for sale on darknet forums that spoof legitimate websites from government and nongovernment organizations that are offering financial assistance or healthcare updates during the COVID-19 pandemic.
  • Part two of Eclypsium’s series on best practices for firmware updates focuses on the tools and techniques used by the enterprise IT teams tasked with implementing update processes. This paper provides a high-level comparison across multiple vendors and technologies to help IT and security teams understand the differences between some of the tools and techniques being used today.
  • Sophos analyzed the malicious campaign RATicate: an attacker’s waves of information-stealing malware. In a series of malspam campaigns dating back to November of 2019, an unidentified group sent out waves of installers that drop remote administration tools (RATs) and information-stealing malware on victims’ computers. In this post, the authors focused on the initial wave of campaigns, which all used Nullsoft Scriptable Install System (NSIS) installers.

Major Cyber Incidents