
A Shiju Rawther joins SBI MUTUAL FUND

A Shiju Rawther moves on from CARE Ratings and joins SBI Mutual Fund as Head-IT. At CARE Ratings Shiju was serving as Chief Information & Technology Officer, responsible for the complete IT function, technology strategy, enterprise-wide IT transformation, and the digital roadmap for the company and its subsidiary business functions.

He brings experience from many large organizations, including Wipro Limited, APM Terminals, Fullerton India Credit Company Limited, TransUnion CIBIL Limited and Poonawalla Finance.

His core operating tenets as a leader are driving technology transformation through thought leadership, innovation and analytics, and delivering value to stakeholders.

Shiju is a global technology leader who has been instrumental in driving technology transformation for businesses with revenues in the multi-billion USD range. He has been a key player at organizations growing at an average of 30% year on year.

Key achievements in his earlier stints include setting up the complete IT infrastructure, application deployment and security operations, including a SOC, from scratch for two start-up MNCs in India, viz. Gateway Terminals India and Fullerton India. He implemented virtualization on an open platform, the first of its kind in India, and automated business continuity by building a robust DR setup with seamless switchover from the primary site to the DR site.

He is also associated, with the rank of Commander, with Cyberdome, a public-private partnership initiative started by Kerala Police to combat cyber threats.

Shiju is also a Technology Advisory Board Member for top security OEMs and a few financial institutions in India and abroad.

Shiju was recognized as “Security Leader of the Year – Financial Services” in December 2016 by DSCI, NASSCOM.

He holds an Engineering Degree in Computer Science & Engineering and a Management Degree in IT. He is a Certified Ethical Hacker and a prominent speaker, and contributes inputs to many security forums on combating cyber threats. He has also been recognized as the Most Innovative CIO of India and has consistently featured among the Top 100 CISOs & CSOs over the last many years by various media groups.


Welcome to the second-fortnight edition of CF Bytes for Dec 2020, the final newsletter for the year 2020.

This fortnight we look into attempts by autocratic governments to hack into journalists’ phones using a suspected “zero-click” iMessage exploit, in an attempt to suppress free speech. The side effects of racial bias in technology were seen when flawed facial recognition led to a black man’s wrongful arrest. Amid frantic efforts to find a cure for COVID-19, findings from pharmaceutical research labs were targeted for theft by nation-state backed attackers. In other troubling news, a new research report has found that the microphones on digital assistants such as Alexa are sensitive enough to steal PINs and other sensitive information, leading to unintended leakage of PII data.

In security attacks and breaches, Japanese aerospace firm Kawasaki has issued a warning of a possible data breach. Dell Wyse thin clients have been found to suffer from critical vulnerabilities that can lead to device takeover. Taking advantage of rumors of an early release of the popular new open-world game Cyberpunk 2077, ransomware disguised as a beta version of the game baited users into downloading it from the Android Play Store. The FBI has issued a warning about a rise in targeted swatting attacks on residents using camera- and voice-capable smart devices.

Security News

Journalists Hacked with Suspected NSO Group iMessage ‘Zero-Click’ Exploit. Read More.

Flawed facial recognition led to a man’s wrongful arrest after he fell victim to the technology’s racial bias. Read More.

Lazarus Group nation-state actors are actively trying to steal COVID-19 research to speed up their country’s vaccine-development efforts. Read More.

Windows Zero-Day Still Circulating After Faulty Fix. Read More.

Research shows that microphones on digital assistants are sensitive enough to steal PINs and other sensitive info. Read More.

Attacks / Breaches

A new SolarWinds flaw likely let hackers install SUPERNOVA malware. Read More.

Swatting attacks are targeting residents with camera- and voice-capable smart devices. Read More.

Japanese aerospace firm Kawasaki warns of data breach. Read More.

Dell Wyse thin client models are affected by critical vulnerabilities that can be used to take over the devices. Read More.

Ransomware targeting Android devices disguised as a legitimate download of open-world game Cyberpunk 2077. Read More.

This month we saw Russian hackers using a VMware bug to plant web shells inside hacked networks. They then pivoted to Microsoft ADFS servers to steal sensitive data. GE Healthcare proactively reached out to help healthcare providers reconfigure vulnerable devices at massive scale after hidden accounts using the same default credentials were found in its medical equipment; these could have been abused by hackers to gain access to equipment inside hospitals and clinics.

Law enforcement came down heavily by sentencing an ex-Cisco employee to 24 months in prison and a $15,000 fine. The man broke into Cisco’s cloud infrastructure and deployed code from his Google Cloud Project which automatically deleted 456 virtual machines that hosted the WebEx Teams application. Researchers from Forescout published a report known as AMNESIA:33 which describes how TCP/IP stacks breed critical vulnerabilities affecting various IoT, OT and IT devices.

In security attacks and breaches, US CISA released an advisory on the theft of FireEye Red Team tools, which could be abused to take control of targeted systems. Microsoft also disclosed how a malware campaign silently injected ads into search results, affecting multiple browsers.

Meanwhile, in a major attack, an attacker leveraged the SolarWinds supply chain to compromise multiple global victims with the SUNBURST backdoor. The cryptocurrency-mining botnet “Xanthe” compromised Cisco’s security honeypots for tracking Docker-related threats and used them for mining.

Security News

Russian hackers are using a VMware bug to plant web shells inside hacked networks and pivot to Microsoft ADFS servers, from where they steal sensitive data. Read More.

Accounts with default creds found in 100+ GE medical device models. Read More.

Forescout has released a report, AMNESIA:33, which describes how TCP/IP stacks breed critical vulnerabilities in IoT, OT and IT devices. Read More.

Cruise Automation, the autonomous vehicle subsidiary of GM, has started testing fully driverless vehicles on public roads in San Francisco. Read More.

Ex-Cisco Employee Convicted for Deleting 16K Webex Accounts. Read More.

Attacks / Breaches

US CISA has released an advisory regarding the theft of FireEye Red Team Tools which unauthorized third-party users could abuse to take control of targeted systems. Read More.

Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor. Read More.

Widespread malware campaign silently injects ads into search results, affecting multiple browsers. Read More.

SideWinder Uses South Asian Issues for Spear Phishing, Mobile Attacks. Read More.

Cryptocurrency-mining botnet “Xanthe” compromises Cisco’s security honeypots for tracking Docker-related threats. Read More.

Welcome to the second fortnight edition of CF Bytes, Nov 2020.

This fortnight, the US Senate passed an IoT cybersecurity bill that, pending the President’s approval, aims to improve security guidelines and protocols for Internet of Things (IoT) devices purchased and owned by the Federal government. A joint INTERPOL, Group-IB and Nigeria Police Force cybercrime investigation busted a Nigerian criminal gang responsible for distributing malware and running extensive Business Email Compromise scams. Owing to the pandemic and a shortfall of HR resources, innovative companies have started using video recordings of potential candidates’ answers to a given set of questions. Microsoft also launched a productivity score tool called Insights, which helps employers gather data about their employees’ productivity.

In attacks and breaches, attackers continue to abuse the success of the Minecraft sandbox by developing Google Play apps which, instead of delivering modpacks, deliver abusive ads. Following phishing attacks, GoDaddy incorrectly transferred control of the account and domain of its client Liquid to a malicious actor, leading to a partial compromise of Liquid’s infrastructure. Thankfully, the client was able to regain control of the domain. Researchers also demonstrated innovative attacks using lasers to kick-start voice assistants on smartphones and pass them inaudible commands. A ransomware attack on Baltimore County’s school system crippled its systems and forced a mandatory closure of its schools.

Security News

The US Senate passed an IoT cybersecurity bill pending the President’s approval. The bill aims to improve security guidelines and protocols for Internet of Things (IoT) devices purchased and owned by the Federal government. Read more.

Freight trucks in the US are being equipped with machine learning algorithms that analyze drivers’ behavior to improve transport safety and save money on insurance claims. Read more.

Microsoft 365 launches Productivity Score feature which enables the ability to find an employee by name and see the number of hours they’ve spent in meetings on Microsoft Teams over the last 28 days. Read more.

Job applicants are being asked to video record answers to set questions about their experience, skills, and personal qualities, rather than speaking with a recruiter by phone or video chat. Read more.

Three suspects have been arrested in Lagos following a joint INTERPOL, Group-IB, and Nigeria Police Force cybercrime investigation. The Nigerian crime group is responsible for distributing malware, and extensive Business Email Compromise scams. Read more.

Attacks / Breaches

Baltimore County’s school system was shut down by a ransomware attack that hit all its network systems and closed school. Until the problem is resolved, students will have no school. Read more.

Chip maker Advantech hit by a Conti ransomware attack. Read more.

Researchers were able to launch inaudible commands by shining lasers – from as far as 360 feet – at the microphones on voice assistants, including Amazon Alexa, Apple Siri, Facebook Portal, and Google Assistant. Read more.

Scammers are taking advantage of the Minecraft sandbox success by developing Google Play apps which appear to be Minecraft modpacks, but instead, deliver abusive ads. Read more.

GoDaddy temporarily handed over control of cryptocurrency service sites NiceHash and Liquid to fraudsters, exposing the personal information of users. Read more.

After a rewarding 5.5-year stint at Vodafone Idea Limited, Amit A. Pradhan has joined FireEye’s Mandiant Consulting Team as Director for India and SAARC.

“Cybersecurity has come a long way since I joined Vodafone Idea 5.5 years ago. Nation-state threats are no longer a problem of the West, detecting an incident is no longer about logs and SIEMs and responding to them requires more than just formatting a machine. While we as practitioners have no illusions about the threat landscape, the Management is still struggling to understand the business implications of cyber.

In such challenging times, I have come to believe that the success of us (CISOs) is highly dependent on the crucial communication that needs to be done with the true business owners of the company, our ability to detect and respond to advanced threats, and most importantly, the support of an experienced trusted advisor whose timely support can make all the difference between containing an incident and making the headlines.

Keeping these in mind, I have decided to join Mandiant, where I believe I can pull in their global experience and expert resources with relevant competencies required to assist my CISO colleagues here in India. I intend to use my position to not only connect and deliver these services when required but to use my local experience in senior stakeholder management to enable my friends and peers to communicate more effectively and convincingly to senior executives and thereby enjoy the stature and authority of the position.

It has been my honor and pleasure to have worked with all of you, facing all similar challenges & wins. I have witnessed, as have you, the entire CISO/Security community mature over the last few years and am grateful to all for sharing information in this forum.” – Amit A. Pradhan

Welcome to the first-fortnight edition of Nov 2020 CF Bytes. In this edition, we witnessed a surge in fake COVID-19 negative tests being sold openly to circumvent the formalities required by international travel guidelines issued by various governments. The nuisance of SIM swap attacks has pushed the emergence of app authenticators as the preferred mode of multi-factor authentication to thwart account takeover attacks. Due to the pandemic, new scams have emerged targeting heavy shopping days such as Singles Day and Black Friday, taking advantage of the holiday-season rush. In security breaches, medical records of more than 800k patients were exposed at eye care healthcare practices. Capcom, a Japanese game developer, recently suffered a breach of its internal systems by hackers. In security attacks, a new attack, SAD DNS, was discovered by security researchers. NAT Slipstreaming is a new technique by which an attacker can remotely access any TCP/UDP service bound to a victim machine, bypassing the victim’s firewall.

Security News

Inrupt, the company founded by World Wide Web inventor Sir Tim Berners-Lee, released its personal data management platform “Solid” for enterprises. Read more.

Tourists are buying fake covid-19 test results on the black market to travel internationally. Read more.

Microsoft urges users to stop using SMS and voice calls for multi-factor authentication and opt for a smartphone authentication app instead. Read more.

Scammers are cashing in as holiday shopping fairs go virtual due to the pandemic. Read more.

Researchers recently discovered an attack on Microsoft Exchange servers at an organization in Kuwait which tied back to the known xHunt threat group. Read more.

Attacks / Breaches

Luxottica data breach has exposed the personal and protected health information of 829,454 patients at LensCrafters, Target Optical, EyeMed, and other eye care practices. Read more.

Japanese game developer Capcom has revealed that it suffered a security breach which saw malicious hackers access its internal systems. Read more.

Researchers from UC Riverside and Tsinghua University announced a new attack against the Domain Name System (DNS) called SAD DNS. Read more.

A breach at insurance software company Vertafore has resulted in the compromise of 27.7 million personal and driver’s license details in Texas. Read more.

NAT Slipstreaming allows an attacker to remotely access any TCP/UDP service bound to a victim machine, bypassing the victim’s NAT/firewall (arbitrary firewall pinhole control), just by the victim visiting a website. Read more.

Welcome to the October 2020 second fortnight edition of CF Bytes.

Security misconfigurations continued to be a headache worldwide, as an independent study found that more than 78% of administrators have still not configured Multi-Factor Authentication in MS 365. Zoom finally enabled end-to-end encryption for all of its platforms except its web client and third-party clients using the Zoom SDK. Nation-state espionage continued at a brisk pace: the OKIDB database, uncovered by an Australian financial newspaper, contained the personal information of nuclear subject matter experts. Technology continued to offer solutions in difficult pandemic times, with robots deployed for burger-flipping tasks, freeing employees for logistics and home deliveries. MIT researchers were also able to detect asymptomatic people infected with COVID-19 with a high degree of accuracy by analyzing cough sounds recorded over cell phones.

In security breaches, Pfizer data on prescription drug users in the US was leaked through an unprotected Google Cloud storage bucket. Similarly, a Broadvoice database cluster holding more than 350 million records, many including personal details and voicemail transcripts of Broadvoice clients’ customers, was left open for anyone to view. Concerns were also raised by vulnerabilities reported in link previews in several major messaging apps such as Facebook Messenger, Instagram, Line, Reddit and LinkedIn. In addition, 100 smart irrigation systems were left exposed online without a password, allowing anyone to access and tamper with water irrigation programs for crops, tree plantations, cities and building complexes.

Security News

Zoom’s end-to-end encryption (E2EE) lets both free and paid users secure their meetings so that only participants, not Zoom or anyone else, can access their content. E2EE is supported across its Mac, PC, iOS, and Android apps, as well as Zoom Rooms, but not its web client or third-party clients that use the Zoom SDK. Read more.

An Australian financial newspaper has uncovered a database of more than 2 million scientists and subject matter experts kept by the Chinese government. The Overseas Key Individuals Database (OKIDB) includes many thousands of nuclear and other strategic industry experts, their personal information, and even where their relatives live. Read more.

CoreView’s Research data report indicates that approximately 78% of Microsoft 365 administrators do not have Multi-Factor Authentication (MFA) activated. This is a huge security risk – particularly during a time where the majority of employees are remote. Read more.

The White Castle burger chain installed the commercially available version of Flippy Robot-on-a-Rail (ROAR) in its kitchens. During the pandemic, it expects Flippy to limit staff to ensure social distancing while keeping up with the increasing demand for delivery and takeout orders. Read more.

MIT researchers deduced that for people who were asymptomatic, their cough sound was different from healthy individuals. When they fed the cough sound via cellphone recordings, the model accurately identified 98.5 percent of coughs from people who were confirmed to have Covid-19, including 100 percent of coughs from asymptomatics — who reported they did not have symptoms but had tested positive for the virus. Read more.

Attacks / Breaches

The newly discovered Firestarter malware uses Google Firebase Cloud Messaging to notify its authors of the final payload location. Even if the command and control (C2) are taken down, the DoNot team can still redirect the malware to another C2 using Google infrastructure. Read more.

More than 100 smart irrigation systems were left exposed online without a password last month, allowing anyone to access and tamper with water irrigation programs for crops, tree plantations, cities, and building complexes. Read more.

Pharma giant Pfizer has leaked the private medical data of prescription-drug users in the U.S. for months or even years, thanks to an unprotected Google Cloud storage bucket. Read more.

A Broadvoice database cluster holding more than 350 million records, many including personal details and voicemail transcripts of Broadvoice clients’ customers, was left open online for anyone to view with no authentication required for access. Read more.

Researchers Talal Haj Bakry and Tommy Mysk published a report detailing how link previews create vulnerabilities in several major messaging apps such as Facebook Messenger, Instagram, Line, Reddit, and LinkedIn. Read more.

Dear All,

Welcome to the October 2020 first fortnight edition of CF Bytes. The government agency CISA released a Telework Essentials Toolkit to help organizations strengthen their cybersecurity measures for long-term remote work. Companies like Barnes and Noble proactively reached out to their customers via email to reset their passwords, warning them that its network was breached. China as a nation is strictly keeping its kids away from addictive digital content by passing a law that comes into effect on June 1, 2021. Microsoft also partnered with the NIST cybersecurity division to develop and enhance standards and guidelines for best-practice patch management.

Coming to security breaches, millions of customer records, including information on patients who had tested positive for COVID-19, were exposed at Dr. Lal PathLabs Ltd., a medical testing firm in India. This was due to poor configuration and a failure to follow proper IT hygiene in cloud storage.

Following its ransomware attack and subsequent data breach, Blackbaud has admitted that sensitive customer data such as bank account information, Social Security numbers and usernames was accessed by attackers.

The nuisance of credential stuffing attacks continued at Walmart-owned Sam’s Club, an American chain of membership-only retail warehouse clubs. As a result, the company proactively started sending automated password reset emails and security notifications to affected customers.

Meanwhile, Google and Intel released security advisories regarding a high-severity ‘zero-click’ kernel bug in BlueZ, the Linux Bluetooth protocol stack, affecting Linux-based IoT devices.

Security News

Facebook launches Forecast, a community for crowdsourced predictions and collective insights. Forecast lets users ask questions and predict the outcomes. Forecasts will be trackable over time and shareable on other platforms. Typical use cases are the 2020 US presidential election or COVID-19. Read more

The Cybersecurity and Infrastructure Security Agency (CISA) released a Telework Essentials Toolkit to help organizations strengthen their cybersecurity measures as they transition to long-term remote work models. Read more

American bookselling giant Barnes & Noble is contacting customers via email, warning them that its network was breached by hackers, and that sensitive information about shoppers may have been accessed. Read more

China is implementing stricter measures in its bid to keep kids away from addictive digital content. It plans to pass a revamped law that will ban internet products and services which “induce addiction” in kids. The updated law will take effect on June 1st, 2021. Read more

Microsoft has partnered with the NIST National Cybersecurity Center of Excellence (NCCoE) to develop clearer industry standards and guidelines for best practice patch management. Read more

Attacks / Breaches

The Clop group attacked Software AG, a German conglomerate with operations in more than 70 countries, threatening to dump stolen data if the whopping $23 million ransom isn’t paid. Read more

Blackbaud ransomware attack and subsequent data breach likely had access to more unencrypted data than previously disclosed, including bank account information, Social Security numbers, usernames, and or passwords, according to a recent Securities and Exchange Commission filing. Read more

Sam’s Club has started sending the automated password reset emails and security notifications to customers who were hacked in credential stuffing attacks. Read more

Millions of customer records belonging to Dr. Lal PathLabs Ltd., one of India’s largest medical testing firms, have been found exposed online, including records of patients tested for COVID-19. This is the latest case of a medical testing company failing to secure its cloud storage due to poor IT hygiene. Read more

Google and Intel are warning of a high-severity flaw in BlueZ, the Linux Bluetooth protocol stack that provides support for core Bluetooth layers and protocols on Linux-based Internet of Things (IoT) devices. Read more

Dear All,

Welcome to the 16th – 30th September 2020 fortnight edition of CF Bytes.

This fortnight edition looks at various major developments in the security industry. NIST released the 800-53 Rev 5 guidance update on security and privacy controls. The FBI released a warning on an increase in botnet-launched credential stuffing attacks on the financial sector. McAfee went public by listing its IPO on Nasdaq.

In attacks and breaches, governments across the world tightened penalties on companies with inadequate security practices by issuing them stiff fines. Insider fraud involving bribes paid to Amazon employees and contractors in exchange for unfair advantages for third-party sellers in the Amazon marketplace was uncovered, and the guilty were punished harshly following an internal investigation. Meanwhile, the first confirmed death due to a ransomware attack on a hospital was reported in Germany. Massive state-sponsored espionage operations by China in multiple countries were also uncovered during this period.

Security News

  1. McAfee Corp. has filed to go public, adding to the roster of companies rushing to cash in on a hot market for U.S. initial public offerings. Read more.
  2. The U.S. National Institute of Standards and Technology this week released a long-awaited guidance update, Special Publication 800-53 Revision 5, describing “next-generation security and privacy controls” and how to use them. Read more.
  3. Phixius enables the secure exchange of payment-related information with connected credentialed service providers (CSPs). This helps to improve automation and reduce payment fraud in areas of onboarding customer information, payer authorization, and to enhance customer services. Read more.
  4. The FBI is warning organizations in the financial sector about an increase in botnet-launched credential stuffing attacks. Many of these attacks, which target APIs, are being fed by billions of stolen credentials leaked over the last several years. Read more.
  5. Musk announced on Twitter that, after a full year in the making, The Boring Company’s first operational “loop tunnel” in Las Vegas is nearing completion. Read more.

Attacks / Breaches

  1. A Chinese technology company with links to Beijing’s military and intelligence agencies has been compiling personal information on millions of people from the US, UK, Australia, Canada, India, and Japan. Read more.
  2. The Medisys Health Group reported a ransomware data breach involving the personal information of about 60,000 of its clients. Medisys retrieved the data by paying a ransom and went on to say the risk of public disclosure of the information was low. Read more.
  3. Dunkin’ Donuts breach settlement requires the company to pay $650,000 in penalties and costs to the state of New York. The company is to notify customers impacted in the attacks, reset those customers’ passwords, and provide refunds for unauthorized use of customers’ stored value cards. Read more.
  4. A woman in Germany died during a ransomware attack on the Duesseldorf University Hospital, in what may be the first death directly linked to a cyberattack on a hospital. Read more.
  5. Six people were indicted on allegations of paying over $100,000 in bribes to Amazon employees and contractors as part of a scheme to give third-party sellers unfair advantages on the Amazon marketplace. Read more.

Thursday, 13 August 2020 | 07:00 PM – 8:30 PM

A fact check of a tweet by US President Trump creates friction between Twitter and the White House; Vietnam imposes a fine on its citizens who propagate false news on social media; Mauritius arrests a person for posting harmful content on social media… these and more related news are recent headlines. All these point to digital wildfires, which are broadly defined as ‘social media events in which provocative content spreads rapidly and broadly and causes harm.’
