- Security researchers warn that some attackers are compromising Microsoft Teams accounts to slip into chats and spread malicious executables to participants in the conversation. More than 270 million users are relying on Microsoft Teams every month, many of them trusting the platform implicitly, despite the absence of protections against malicious files.
- Users of Monzo, one of the UK’s most popular digital-only banking platforms, are being targeted by phishing messages supported by a growing network of malicious websites. Once a victim submits the requested details, the threat actors have everything needed to begin taking over the victim’s Monzo account.
- After enabling two-step verification (2SV), its form of two-factor authentication, by default for 150 million users, Google claims to have seen a 50% decrease in accounts being compromised.
- The master encryption keys for the Maze, Egregor, and Sekhmet ransomware operations were released on the BleepingComputer forums by the alleged malware developer.
- The Wordfence Threat Intelligence team discovered several Remote Code Execution vulnerabilities in PHP Everywhere, a WordPress plugin installed on over 30,000 websites, and initiated the disclosure process. One of these vulnerabilities allowed any authenticated user of any level, even subscribers and customers, to execute code on a site with the plugin installed.
- The Tehran-based cybersecurity company Amnpardaz Software Co. discovered a mysterious piece of malicious code in a server made by Texas-based Hewlett Packard Enterprise Co. The machine had been operating normally when, seemingly of its own volition, it began repeatedly wiping its hard drives.
- The PCI Security Standards Council (PCI SSC) and the National Cybersecurity Alliance have issued a joint bulletin on the growing threat of ransomware attacks.
Cybersecurity Blog Posts
- Devan Willemburg, Director of 4Data Solutions, presented a retrospective of the Log4Shell vulnerability and summed up how it played out. The author drew conclusions about which strategies worked in the face of one of the most notable vulnerabilities of the last decade.
- Cameron Camp commented on the draft law on algorithmic responsibility, which would make the technology industry responsible for vital decisions made by automated AI systems.
- Anton Chuvakin published an article, “Who does what when detecting cloud threats?”, on how the cloud shared responsibility model relates to the detection of cloud threats.
Research and Analytics
- ESET published Threat Report T3 2021. ProxyLogon, the vulnerability chain behind the attacks on Microsoft Exchange servers, ended up being the second most frequent external attack vector in 2021 according to ESET telemetry, right after password-guessing attacks. As you’ll read in the ESET Threat Report T3 2021, Microsoft Exchange servers ended up under siege again in August 2021, with ProxyLogon’s “younger sibling”, named ProxyShell, exploited worldwide by several threat groups. The report also contains comments on trends observed throughout the year, as well as forecasts for 2022 made by ESET researchers and malware detection specialists.
- Veracode released the 12th version of its State of Software Security report, leveraging the full historical data from Veracode services and customers. Key takeaways from the report: scan cadence has grown 20x over the past decade; the number of apps tested per quarter has more than tripled; combined use of static, dynamic, and software composition analysis scans grew by 31% from 2018 to 2021; on average, organizations with Veracode Security Labs training have decreased their time to fix 50% of flaws by 35%.
- ESET’s industry report on retail shows that the sector keeps evolving even under pressure from threats and technology adoption. The report aims to show how cybercriminals have evolved to better position themselves in the new retail landscape.
- (ISC)² released its Cybersecurity Workforce Study 2021. While the pandemic has brought its share of stresses, most cybersecurity professionals report that their personal morale during the pandemic has been above average (29%) or excellent (26%). Globally, 51% of respondents also described their teams’ morale as above average (31%) or excellent (20%), and only 12% say that their personal morale has been below average or worse.
- The Malwarebytes Labs blog provides an overview of the latest Patchwork APT campaign. Patchwork is an Indian threat actor that has been active since December 2015 and usually targets Pakistan via spear phishing attacks. In its most recent campaign, from late November to early December 2021, Patchwork used malicious RTF files to drop a variant of the BADNEWS (Ragnatela) Remote Administration Trojan (RAT). Notably, among the victims of this latest campaign, the actor has for the first time targeted several faculty members whose research focus is on molecular medicine and biological science.
- Google published Vulnerability Reward Program: 2021 Year in Review. Last year was another record setter for Vulnerability Reward Programs (VRPs). Throughout 2021, Google partnered with the security researcher community to identify and fix thousands of vulnerabilities, helping keep users and the internet safe. Google awarded a record-breaking $8,700,000 in vulnerability rewards, with researchers donating over $300,000 of their rewards to a charity of their choice.
- A recent Software Supply Chain Survey from Anchore asked 428 executives, directors, and managers in IT, security, development, and DevOps functions about their security practices and concerns and their use of technologies for securing containerized applications. The survey revealed that almost 30% of the respondents’ companies were significantly or moderately affected by a software supply chain attack in the past year.
- Google Project Zero published a report showing that last year vendors needed less time to eliminate 0-day vulnerabilities discovered by its researchers. In 2021, vendors took an average of 52 days to fix security vulnerabilities reported by Project Zero. This is a significant acceleration from an average of about 80 days 3 years ago.
- According to Proofpoint, the TA2541 hacker group from Nigeria has been attacking the aviation industry around the world for years. Its activities have been documented in previous separate campaigns. TA2541 consistently uses remote access trojans (RATs) that can be used to remotely control compromised machines.
- Sophos published Rapid Response: The Squirrelwaffle Incident Guide. This guide shows Security Operations Center and Incident Response Teams how to detect and respond to the presence of Squirrelwaffle on the network – a malicious dropper or loader used to deliver other malware onto target systems.
- Splunk published the report Accelerating Forward: The State of Cloud-Driven Transformation. This year’s research reveals how organizations are now optimizing their cloud transformations to continue unlocking innovation. The report provides a comprehensive overview of the challenges, opportunities and strategies associated with cloud transformation today.
- The annual vulnerability report produced by Recorded Future’s threat research team, Insikt Group, surveys the threat landscape of 2021. According to data from the US National Institute of Standards and Technology’s National Vulnerability Database (NVD), 21,957 vulnerabilities were published to the NVD in 2021. Looking at the growth in new disclosures since 2017, the year-over-year increase in 2021 was three times the increase seen from 2019 to 2020. However, of the 16,473 newly disclosed vulnerabilities with a 2021 CVE designator listed in the NVD, only 119 are known to have been actively exploited (per the CISA Known Exploited Vulnerabilities Catalog).
Major Cyber Incidents
- BleepingComputer has confirmed that ElementVape, a prominent online seller of e-cigarettes and vaping kits, was serving a credit card skimmer on its live site, likely after getting hacked. The attack was resolved, but customers are advised to remain alert to any suspicious credit card transactions.
- Vodafone Portugal suffered a cyberattack causing country-wide service outages, including the disruption of 4G/5G data networks, SMS texts, and television services. The cyberattack began last night with Vodafone calling the incident “a deliberate and malicious attack intended to cause damage”.
- Unknown hackers have stolen around $1.9 million from South Korean cryptocurrency platform KLAYswap using a Border Gateway Protocol (BGP) hijack against the server infrastructure of one of its suppliers.
- Major Canadian banks went offline for hours blocking access to online and mobile banking as well as e-transfers for customers. The banks reportedly hit by the outage include Royal Bank of Canada (RBC), BMO (Bank of Montreal), Scotiabank, and the Canadian Imperial Bank of Commerce (CIBC).
- The International Committee of the Red Cross (ICRC) said that the hack disclosed last month against its servers was a targeted attack likely coordinated by a state-backed hacking group. During the incident, the attackers gained access to the personal information (names, locations, and contact information) of over 515,000 people in the “Restoring Family Links” program that helps reunite families separated by war, disaster, and migration.
- Cisco has addressed a high severity vulnerability that could allow remote attackers to crash Cisco Secure Email appliances using maliciously crafted email messages. The security flaw (tracked as CVE-2022-20653) was found in DNS-based Authentication of Named Entities (DANE), a Cisco AsyncOS Software component used by Cisco Secure Email to check emails for spam, phishing, malware, and other threats.
- The BlackCat ransomware group, aka ALPHV, has claimed responsibility for the recent cyberattack on Swissport that caused flight delays and service disruptions. BlackCat has now been seen by BleepingComputer to leak a small sample of the data, said to amount to terabytes, supposedly obtained in the recent ransomware attack.