Strong encryption is critical to protecting sensitive business and personal data. Google estimates that 95 percent of its internet traffic uses the encrypted HTTPS protocol, and most industry analyst firms conclude that between 80 and 90 percent of network traffic is encrypted today. This is a significant step forward for data integrity and consumer privacy. However, organizations with a commitment to data privacy aren’t the only ones who see value in obscuring their digital footprint in encrypted traffic. Cybercriminals have been quick to weaponize encryption as a means to hide their malicious activity in otherwise benign traffic. Gartner shared that 70 percent of malware campaigns in 2020 used some type of encryption. And Zscaler is blocking 733 million encrypted attacks per month this year, an increase of 260 percent over 2019. According to a Joint Cybersecurity Advisory issued by the FBI, CISA, the U.K. National Cyber Security Centre and the Australian Cyber Security Centre, encrypted protocols are used to mask lateral movement and other advanced tactics in 60 percent of attacks using the 30 most exploited network vulnerabilities. Put another way, organizations are blind to 60 percent of CISA’s most exploited vulnerabilities. Security researchers have also found sophisticated emerging attack techniques with line-rate decryption of the most commonly abused Microsoft protocols, such as SMBv3, Active Directory Kerberos, Microsoft Remote Procedure Call (MS-RPC), NTLM, LDAP,…

Source

Fallout from nation-state sponsored cyberattacks will no longer be covered under cyber-insurance policies issued by famed insurer Lloyd’s of London. The insurance juggernaut’s underwriting director Patrick Davidson just released four new Cyber War and Cyber Operation Exclusion Clauses, outlining the new terms. The company explained it will no longer cover losses resulting from “cyber-war,” which it defined as a cyber-operation carried out as part of a war, any retaliatory attacks between specified states, or a cyber-operation “that has a major detrimental impact on the functioning of a state.” Countries specified in the exemption language are China, France, Japan, Russia, the U.K. and the U.S. The insurer’s new definition of cyber-war leaves plenty of latitude for the insurer to refuse to pay. Under the Lloyd’s of London explanation, they can also refuse to pay on nation-state-sponsored attacks on services essential for a state to function, like financial institutions, financial market infrastructure, health services and utilities, according to the exclusion documents. “In discussion with Lloyd’s it has been agreed that, in respect of standalone cyber-insurance policies, these clauses meet the requirements set out in the Performance Management — Supplemental Requirements & Guidance (July 2020) which state that all insurance and reinsurance policies written at Lloyd’s must, except in very limited circumstances, contain a clause which excludes all losses caused by war,”…

Source

The Flubot banking trojan is blanketing Finland, spreading via Android phones that are sending millions of malicious text messages. On Friday, the National Cyber Security Centre (NCSC-FI) at the Finnish Transport and Communications Agency posted a “severe” alert about the malware blizzard, which it said was spreading via dozens of message variants that are sneezing out Flubot like mad. Once installed, Flubot sets about gaining permissions, stealing banking information and credentials, lifting passwords stored on the device and squirreling away various pieces of personal information. It also sends out additional text messages to the infected device’s contact list, which allows it to “go viral” — like the flu. “An Android malware called Flubot is being spread by SMS. According to our current estimate, tens of thousands of messages have been sent to people in Finland during one day. We expect the amount to increase in the coming days and weeks,” said Aino-Maria Väyrynen, information security adviser at the NCSC-FI, in the alert.

It Started Not-Slow & Continued to Grow-Grow-Grow

The campaign did indeed get far more virulent, just as Väyrynen predicted: In an article published early Tuesday morning, Väyrynen was quoted by Bloomberg as saying that the daily messages now number in the millions. The country’s biggest telecom companies told the news outlet that they’ve intercepted hundreds of thousands of messages. Teemu Makela, CISO at Elisa Oyj, called the attack “extremely…

Source

Consumer electronics giant Panasonic’s data breach raises questions, researchers say, given that more than two weeks after the incident was discovered, it’s unclear if customers’ personal information has been impacted. On Friday, Panasonic confirmed that its “network was illegally accessed by a third party on November 11, 2021,” and that “some data on a file server had been accessed during the intrusion.” It added, “Panasonic is currently working [to] determine if the breach involved customers’ personal information and/or sensitive information related to social infrastructure.” Further details on the breach are thin, with Panasonic’s bare-bones statement offering very little in the way of technical detail or timeline. However, local reports picked up by the Record indicated that the breach had been ongoing since June, giving attackers plenty of time to knock around in the Japanese behemoth’s files. The NHK news outlet also noted that “in addition to information about the company’s technology and business partners, personal information of employees was stored on the server … the company says that the leakage of information to the outside has not been confirmed at this time,” according to its sources [translation via Google Translate]. However, Jake Williams, co-founder and CTO at BreachQuest, speculated that the intrusion could balloon into a major incident. “As is typical in these early-stage incident reports, there are many unknowns,” he said via email. “In this case…

Source

A threat actor previously tied to the Thieflock ransomware operation may now be using the emerging Yanluowang ransomware in a series of attacks against U.S. corporations, researchers have found. Researchers from Symantec, a division of Broadcom Software, found ties between Thieflock and Yanluowang, the latter of which they revealed in October after observing its use against a large organization. Researchers believe a threat actor has been using Yanluowang since August to target mainly financial companies in the United States, they said in a report published Tuesday. The actor also has attacked companies in the manufacturing, IT services, consultancy and engineering sectors with the novel ransomware, they said. This demonstrates how “little loyalty” there is among ransomware actors, particularly those who act as affiliates of RaaS operations, Vikram Thakur, principal research manager at Symantec, a division of Broadcom, told Threatpost in an email interview on Monday ahead of the report’s release. “Ransomware authors and affiliates pivot often,” he said. “Affiliates switch business based on profit margins offered by ransomware service operators, and in some cases [the] amount of heat from law enforcement against certain ransomware families. Little to no loyalty in their business.”

Focus on Attacks, Not Development

When researchers first observed Yanluowang in October, they characterized it as “somewhat under-developed.” Little has changed in that department regarding the…

Source

As of Friday, as in shopping-on-steroids Black Friday, retail titan IKEA was wrestling with a then-ongoing reply-chain email phishing attack in which attackers were malspamming replies to stolen email threads. BleepingComputer got a look at internal emails, one of which is replicated below, that warned employees of the attack, which was targeting the company’s internal email inboxes. The phishing emails were coming from internal IKEA email addresses, as well as from the systems compromised at the company’s suppliers and partners. “There is an ongoing cyberattack that is targeting Inter IKEA mailboxes. Other IKEA organisations, suppliers, and business partners are compromised by the same attack and are further spreading malicious emails to persons in Inter IKEA. “This means that the attack can come via email from someone that you work with, from any external organisation, and as reply to an already ongoing conversation. It is therefore difficult to detect, for which we ask you to be extra cautious.” –IKEA internal email to employees. IKEA sent its employees an example phishing email, shown below, that was received in Microsoft Outlook. The company’s IT teams reportedly pointed out that the reply-chain emails contain links ending with seven digits. Employees were warned against opening the emails, regardless of who sent them, and were asked to immediately report the phishing emails to the IT department if they receive them. Example phishing email sent to IKEA…

Source

Overcoming Google Play app restrictions, attackers have successfully racked up more than 300,000 banking trojan installations over just the past four months in the official Android app marketplace. Researchers from Threat Fabric reported that these threat groups have honed their ability to use Google Play to propagate banking trojans by shrinking the footprint of their dropper apps, reducing the number of permissions they ask for, boosting the overall quality of the attack with better code and standing up convincing companion websites. Droppers are apps that act as first-stage implants, whose job it is to fetch and install other, final payloads, in this case banking trojans. The report offered the example of cyberattackers’ ingenuity in sneaking these onto Google Play: A dropper app disguised as a fitness service with an actual functioning back-end site to match. “To make themselves even more difficult to detect, the actors behind these dropper apps only manually activate the installation of the banking trojan on an infected device in case they desire more victims in a specific region of the world,” the Threat Fabric researchers added. “This makes automated detection a much harder strategy to adopt by any organization.” All 300,000 banking-trojan dropper installations came from four malware families, according to the report: Anatsa (200,000+ installs); Alien (95,000+) and Hydra/Ermac (15,000+).

Anatsa Installs

Anatsa threat actors were first observed by Threat Fabric…

Source

The North Korea-linked ScarCruft advanced persistent threat (APT) group has developed a fresh, multiplatform malware family for attacking North Korean defectors, journalists and government organizations involved in Korean Peninsula affairs. Since 2019, ScarCruft (aka APT37 or Temp.Reaper) has been using spyware dubbed Chinotto to target victims for espionage purposes, according to an analysis from Kaspersky, although the code only recently came to the attention of researchers. Chinotto is triple-pronged, with the ultimate double-pronged goal of surveilling victims across mobile and desktop. “The actor utilized three types of malware with similar functionalities: Versions implemented in PowerShell, Windows executables and Android applications,” researchers noted in a Monday blog posting. “Although intended for different platforms, they share a similar command-and-control scheme based on HTTP communication. Therefore, the malware operators can control the whole malware family through one set of command-and-control scripts.” ScarCruft specifically controls the malware using a PHP script on a compromised web server, directing the binaries based on HTTP parameters.

Inside the Chinotto Backdoor

Chinotto has various tricks up its sleeve, researchers said, including detection evasion (i.e., employing garbage code to impede analysis) and establishing persistence via the registry key. And as far as the actual spyware functionality goes, it “shows fully fledged capabilities to…

Source

An unpatched Windows security vulnerability could allow information disclosure and local privilege escalation (LPE), researchers have warned. The issue (CVE-2021-24084) has yet to get an official fix, making it a zero-day bug, but a micropatch has been rolled out as a stop-gap measure. Security researcher Abdelhamid Naceri originally reported the vulnerability as an information-disclosure issue in October 2020, via Trend Micro’s Zero-Day Initiative (ZDI). Though Microsoft had told him it was planning a fix for last April, the patch has not yet been forthcoming. Then, this month, Naceri discovered that CVE-2021-24084 could also be exploited for LPE, so that non-admin Windows users can read arbitrary files even if they do not have permissions to do so. In a proof-of-concept exploit, he demonstrated that it’s possible to copy files from a chosen location into a Cabinet (.CAB) archive that the user can then open and read.

“I mean this is still unpatched and allows LPE if shadow volume copies are enabled; But I noticed that it doesn't work on Windows 11 https://t.co/HJcZ6ew8PO” — Abdelhamid Naceri (@KLINIX5) November 15, 2021

The process for doing so is very similar to the LPE exploitation approach for the HiveNightmare bug, CVE-2021-36934, which affects the Security Accounts Manager (SAM) database in all versions of Windows 10. The SAM component in Windows houses user account credentials and network domain information, a juicy target for attackers. “As…

Source

An APT has attacked two separate vaccine manufacturers this year using a shape-shifting malware that appears at first to be a ransomware attack but later shows to be far more sophisticated, researchers have found. Dubbed Tardigrade by the Bioeconomy Information Sharing and Analysis Center (BIO-ISAC), the attacks used malware that can adapt to its environment, conceal itself, and even operate autonomously when cut off from its command-and-control server (C2), according to a recent advisory released by BIO-ISAC. The first attack was detected at a “large biomanufacturing facility” in April, with investigators identifying a malware loader “that demonstrated a high degree of autonomy as well as metamorphic capabilities,” according to the advisory. In October 2021, the malware was detected at a second facility as well. However, for now, “biomanufacturing sites and their partners are encouraged to assume that they are targets and take necessary steps to review their cybersecurity and response postures,” the center warned. Indeed, there have already been a number of attacks targeting the COVID-19 vaccine efforts since the pandemic began, and they are likely to continue, security researchers warned. In October 2020, Dr. Reddy’s, the contractor for Russia’s “Sputnik V” COVID-19 vaccine and a major generics producer, had to close plants and isolate its data centers after a cyberattack. Two months later, in December, threat actors broke into the European Medicines Agency (EMA)…

Source