Cybersecurity Digest #5: 25/05/2020 – 05/06/2020

Cybersecurity News

  • Chrome software developers announced that starting with Chrome 84, releasing to stable on July 14 2020, sites with abusive permission requests or abusive notifications will be automatically enrolled in quieter notifications UI and notification enrollment prompts will advise users that the site may be trying to trick them.
  • Microsoft shared threat data collected on PonyFinal, a Java-based ransomware deployed in human-operated ransomware campaigns. In these types of attacks, adversaries do their homework and choose a strategy and payload based on the target organization’s environment. Human-operated ransomware is not new, but it has been growing popular as attackers try to maximize ransom from individual victims.
  • A team of Chinese academics has found a new way to abuse HTTP packets to amplify web traffic and bring down websites and content delivery networks (CDNs). Named RangeAmp, this new Denial-of-Service (DoS) technique exploits incorrect implementations of the HTTP “Range Requests” attribute.
  • Apple recently paid Indian vulnerability researcher Bhavuk Jain a $100,000 bug bounty for reporting a highly critical vulnerability affecting its ‘Sign in with Apple’ system. The now-patched vulnerability could have allowed remote attackers to bypass authentication and take over targeted users’ accounts on third-party services and apps that had been registered using the ‘Sign in with Apple’ option.

Cybersecurity Blog Posts

Research & Analytics

  • The European Union Agency for Cybersecurity published the report “Proactive detection – Measures and information sources”. The project aims to provide a complete inventory of all available methods, tools, activities and information sources for proactive detection of network security incidents that are already used, or could potentially be used, by incident response teams in Europe today.
  • Veracode published a special supplement to its annual State of Software Security report that focuses exclusively on the security posture of the open source libraries found in applications. This analysis, which examined 351,000 external libraries in 85,000 applications, found that open source libraries are, as expected, ubiquitous in applications, and that they do in fact contain risky code. But it also unearthed some good news about ways to keep track of and alleviate that risk.
  • Over the past three years, the DoubleGuns trojan has grown into one of China’s largest malware botnets. Chinese antivirus vendor Qihoo 360 says DoubleGuns is found exclusively in China and is believed to have infected hundreds of thousands of Chinese users at the time of writing, with millions of historical infections over the past years.
  • Verizon recently published its 2020 Data Breach Investigations Report (DBIR), which analyzed 32,002 security incidents in 16 different industries and four different world regions. Similar to last year’s findings, the majority of breaches – 86 percent – are financially motivated, and most – 70 percent – are caused by outsiders.
  • The PulseSecure 2020 Remote Work From Home Cybersecurity report examines how enterprises are responding to accelerated WFH adoption during the COVID-19 pandemic and shares key challenges, concerns, strategies and anticipated outcomes. 33% of U.S. companies anticipate some positions moving to permanent remote work, and over half (55%) plan to increase their budget for secure remote work in the near term.
  • Only around a third of users usually change their passwords following a data breach announcement, according to a recent study published by academics from the Carnegie Mellon University’s Security and Privacy Institute (CyLab). CyLab researchers said that of the 63 users, only 21 (33%) visited the breached sites to change their passwords, and that of these 21, only 15 users changed passwords within three months after the data breach announcement.
  • The Veeam 2020 Data Protection Trends Report indicates that global businesses are embracing digital transformation but struggle with antiquated solutions to protect and manage their data. Data protection must move to a higher state of intelligence to support transformational needs and hybrid/multi-cloud adoption.
  • IT Governance has compiled a list of publicly disclosed incidents that affected the personal data of users of various services around the world. According to experts, 8.8 billion records were leaked last month, of which 8.3 billion came from a single incident at a mobile operator in Thailand, which left databases containing DNS queries and NetFlow network protocol data openly accessible.
  • Chrome engineers revealed in a blog post that nearly 70% of bugs in Chrome’s codebase are memory management and memory safety bugs. Nearly half of these are use-after-free bugs, which occur when a program uses a pointer after the memory it points to has been freed. This is one of the most common classes of browser vulnerabilities, and such bugs can be used by attackers to attack Chrome’s internal components.

Major Cyber Incidents

  • More than two dozen SQL databases stolen from online shops in various countries are being offered for sale on a public website. In total, the seller provides over 1.5 million rows of records but the amount of stolen data is much larger.
  • Thailand’s largest cell network, AIS, has pulled offline a database that was spilling 8.3 billion real-time internet records on millions of Thai internet users. The database, containing DNS queries and NetFlow data, was found on the internet without a password.
  • The REvil/Sodinokibi ransomware gang has just published what it claimed were files stolen from UK power grid middleman Elexon. The stolen data was published on REvil’s Tor webpage as a cache of 1,280 files, which reportedly include documents that appear to be passports of Elexon staff members and an apparent business insurance application form.
  • The operators of the DopplePaymer ransomware infected the network of one of NASA’s IT contractors, DMI. It is unclear how deep inside DMI’s network the DopplePaymer gang made it during the breach, or how many customer networks they managed to compromise.
  • A U.S. military contractor involved in the maintenance of the country’s Minuteman III nuclear arsenal has been hit by the Maze ransomware, according to reports – with the hackers making off with reams of sensitive information. The cybercriminals have begun to leak documents online, which include sensitive employee data such as payroll information and other personal details, along with company emails, which may or may not include classified military information.
  • Nippon Telegraph & Telephone (NTT) has suffered a data breach. Hackers breached several layers of its IT infrastructure – presumably originating from an NTT base in Singapore – and reached an internal Active Directory to steal data on 621 customers from communications subsidiary NTT Communications. The attackers then reportedly uploaded that data to a remote server in their control.
  • Maze ransomware operators published credit card details stolen from the Bank of Costa Rica (BCR), threatening to leak further batches every week. The hackers claim to have compromised Banco BCR’s network in August 2019 and to have had the opportunity to exfiltrate its information before encrypting the files.
  • Brazilian president Jair Bolsonaro was targeted by Anonymous hackers that week, with the local branch of the international hacktivist collective revealing his addresses, income, and other personal assets in a data dump first posted on Twitter.
  • Sensitive personal data apparently belonging to more than 20 million Taiwanese citizens has appeared on a darknet marketplace, a threat intelligence outfit has claimed. The source of the leak was reportedly the Ministry of the Interior’s Department of Household Registration. The 3.5 GB database contained citizens’ full names, postal addresses, phone numbers, government IDs, genders, and dates of birth.
  • Minted, a digital marketplace for independent artists, started informing its members last week about a security incident that exposed the personal information of 5 million users. Apparently, the notification was sent after the company learned that its user account database was being sold on the dark web. According to Minted, the breached information includes customer names, email addresses, hashed passwords, phone numbers, and billing and shipping addresses.
  • BigFooty, a popular Australian sports fan website, was found to be leaking around 132 GB (70 million records) of private information belonging to its 100,000 members. The data in some instances included “technical information relating to the company’s web and mobile sites.”