An unpatched Domain Name System (DNS) bug in a popular standard C library can allow attackers to mount DNS poisoning attacks against millions of IoT devices and routers and potentially take control of them, researchers have found. Researchers at Nozomi Networks Labs discovered the flaw, which affects the DNS implementation in all versions of uClibc and uClibc-ng, C standard libraries found in numerous IoT products, they revealed in a blog post this week. “The flaw is caused by the predictability of transaction IDs included in the DNS requests generated by the library, which may allow attackers to perform DNS poisoning attacks against the target device,” Nozomi’s Giannis Tsaraias and Andrea Palanca wrote in the post. In a DNS poisoning attack, also known as DNS spoofing or DNS cache poisoning, an attacker deceives a DNS client into accepting a forged response, so that a program communicates with an endpoint of the attacker’s choosing instead of the legitimate one. Numerous Affected Devices The scope of the flaw is vast: major vendors such as Linksys, Netgear and Axis, as well as Linux distributions such as Embedded Gentoo, use uClibc in their devices, while uClibc-ng is a fork specifically designed for OpenWRT, a common OS for routers deployed throughout various critical infrastructure sectors, researchers said. Specific devices impacted by the bug were not disclosed as part of this research. Moreover, if an attacker mounts a successful DNS…
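To show why a predictable transaction ID is enough to make the client-side check worthless, here is an added illustration written for this page (it is not Nozomi's or uClibc's code): a minimal stub resolver that trusts any reply whose 16-bit ID matches its outstanding query, an attacker who observed one earlier ID and guesses the next, and a sequential generator beside a CSPRNG-backed one. The domain name, the forged address and the sequential generator are constructed for the demonstration. A real attack must also beat the legitimate reply and match the UDP source port, which this model omits.

```python
import secrets
import struct

# Constructed example values for this demonstration; not taken from the Nozomi write-up.
QNAME = "update.example-iot.test"
FORGED_IP = "203.0.113.7"        # attacker-controlled address (TEST-NET-3)


def encode_name(name):
    """Encode a dotted name as DNS labels (no compression)."""
    out = b"".join(bytes([len(label)]) + label.encode("ascii")
                   for label in name.strip(".").split("."))
    return out + b"\x00"


def build_query(txid, name):
    """Standard recursive A query: header carrying the given ID, one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def build_response(txid, name, ipv4):
    """A response with one A record; the answer name is a pointer to offset 12 (the question)."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    rdata = bytes(int(octet) for octet in ipv4.split("."))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, len(rdata)) + rdata
    return header + question + answer


def parse_answer(packet):
    """Return (txid, ipv4) from a response built by build_response."""
    txid = struct.unpack("!H", packet[:2])[0]
    off = 12
    while packet[off] != 0:            # skip the question name labels
        off += packet[off] + 1
    off += 1 + 4                       # terminator + QTYPE/QCLASS
    rdlen = struct.unpack("!H", packet[off + 10:off + 12])[0]
    rdata = packet[off + 12:off + 12 + rdlen]
    return txid, ".".join(str(b) for b in rdata)


def resolver_accepts(expected_txid, packet):
    """The client-side check at issue: a reply is trusted only if its ID matches the
    outstanding query. Returns the address the client would use, or None if dropped."""
    txid, ip = parse_answer(packet)
    return ip if txid == expected_txid else None


def sequential_txid(prev):
    """Predictable generator: each query uses the previous ID plus one."""
    return (prev + 1) & 0xFFFF


def random_txid(prev):
    """Hardened generator: a fresh 16-bit ID from a CSPRNG, independent of history."""
    return secrets.randbelow(1 << 16)


def simulate_poison(next_txid, observed_txid):
    """The attacker saw `observed_txid` on an earlier query from the device and races the
    next lookup of QNAME with a forged reply whose ID is observed_txid + 1.
    Returns the address the victim ends up using, or None if the forgery was rejected."""
    real_txid = next_txid(observed_txid)
    build_query(real_txid, QNAME)                       # the victim's outgoing query
    forged = build_response((observed_txid + 1) & 0xFFFF, QNAME, FORGED_IP)
    return resolver_accepts(real_txid, forged)


if __name__ == "__main__":
    print("sequential IDs:", simulate_poison(sequential_txid, 0x1234))   # attacker wins
    print("random IDs:    ", simulate_poison(random_txid, 0x1234))       # rejected almost always
```

With the sequential generator the single forged packet is accepted every time; with random IDs the same guess succeeds with probability 1/65536 per attempt, which is why randomizing both the ID and the source port is the standard mitigation.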

Source

While they have good intentions to foster mental health and spiritual wellness, the majority of mental-health and prayer apps can harm their users in other ways, exposing personal and intimate data because of a severe lack of security and privacy protections, researchers from Mozilla have found. Of 32 mental-health and prayer mobile apps investigated by the open-source organization, 28 were found to be inherently insecure and were slapped with a “Privacy Not Included” label, according to a report of the same name published online this week. Moreover, 25 apps failed to meet Mozilla’s Minimum Security Standards, such as requiring strong passwords and managing security updates and vulnerabilities, researchers said. “They track, share, and capitalize on users’ most intimate personal thoughts and feelings, like moods, mental state, and biometric data,” one of the report’s researchers said. “Turns out, researching mental health apps is not good for your mental health, as it reveals how negligent and craven these companies can be with our most intimate personal information.” Overall, Mozilla researchers spent 255 hours, or about eight hours per product, peering under the hood of a variety of mental health and prayer apps. The apps they investigated have functionality such as connecting users with therapists and offering AI chat bots, community support pages and prayers. They also offer mood journals and well-being assessments, among other features that require collecting sensitive data about…

Source

Faced with a brain drain of smart people fleeing the country following its invasion of Ukraine, the Russian Federation is floating a new strategy to address a worsening shortage of qualified information technology experts: Forcing tech-savvy people within the nation's prison population to perform low-cost IT work for domestic companies. Multiple Russian news outlets published stories on April 27 saying the Russian Federal Penitentiary Service had announced a plan to recruit IT specialists from Russian prisons to work remotely for domestic commercial companies. Russians sentenced to forced labor will serve out their time at one of many correctional centers across dozens of Russian regions, usually at the center that is closest to their hometown. Alexander Khabarov, deputy head of Russia's penitentiary service, said his agency had received proposals from businessmen in different regions to involve IT specialists serving sentences in correctional centers to work remotely for commercial companies. Khabarov told Russian media outlets that under the proposal people with IT skills at these facilities would labor only in IT-related roles, but would not be limited to working with companies in their own region. "We are approached with this initiative in a number of territories, in a number of subjects by entrepreneurs who work in this area," Khabarov told Russian state media organization TASS. "We are only at the initial stage. If this is in…

Source

The rise of remote work and learning opened new opportunities for many people, as we’ve seen by the number of people who have moved to new places or adapted to “workcations.” Cybercriminals are taking advantage of the same opportunities, just in a different way. What Malware Trends Are Showing Our FortiGuard Labs research team dug into the prevalence of malware variants by region for the second half of 2021. What they found shows a sustained interest by cyber adversaries in maximizing the remote work and learning attack vector. The team found that various forms of browser-based malware were prevalent. Often, this takes the form of phishing lures or scripts that inject code or redirect users to malicious sites. Detections vary across regions, of course, but can be largely grouped into three broad distribution mechanisms: Microsoft Office documents (the MSExcel/ and MSOffice/ detection families), PDF files and browser scripts (HTML/, JS/). Files compiled to Microsoft Intermediate Language (MSIL), the bytecode of .NET executables, are another common feature. It is worth noting that some kinds of browser-based malware occupy the top spots in all regions. Such techniques have gained prominence recently as a way to exploit people’s desire for the latest news about COVID-19, politics, sports or any current headline. And since many are browsing from their home networks…

Source

Containers are self-contained, portable units that package a complete application environment. They contain everything an application needs to run, including binaries, libraries, configuration files and dependencies (Docker and Amazon Elastic, for instance, are two of the more well-known offerings). Multiple containers can run on a shared infrastructure and use the same operating system kernel; they are isolated from one another by kernel features such as namespaces and cgroups rather than by a kernel of their own, and have little direct contact with the underlying hosting resources (which could be, for example, a public cloud instance). [Editor’s Note: This article was originally published in the free Threatpost eBook “Cloud Security: The Forecast for 2022.” In it we explore organizations’ top risks and challenges, best practices for defense, and advice for security success in such a dynamic computing environment, including handy checklists. Please download the FREE eBook for the full story] The benefits of running cloud-based containers are varied and include the ability to easily spin applications up and down for users (think “write once, run everywhere”, a big boon for companies managing pandemic-related remote footprints). They also offer major infrastructure cost savings compared with managing applications on owned-and-operated servers or on virtual machines, and increased agility by supporting DevOps goals. Containers are also easy to manage, thanks to orchestration engines such as Kubernetes. Admins can use orchestration to manage…

Source

Google said this week it is expanding the types of data people can ask to have removed from search results to include personal contact information such as a phone number, email address or physical address. The move comes just months after Google rolled out a new policy enabling people under the age of 18 (or a parent/guardian) to request removal of their images from Google search results. Google has for years accepted requests to remove certain sensitive data such as bank account or credit card numbers from search results. In a blog post on Wednesday, Google's Michelle Chang wrote that the company's expanded policy now allows for the removal of additional information that may pose a risk of identity theft, such as confidential log-in credentials, email addresses and phone numbers, when they appear in Search results. "When we receive removal requests, we will evaluate all content on the web page to ensure that we're not limiting the availability of other information that is broadly useful, for instance in news articles," Chang wrote. "We'll also evaluate if the content appears as part of the public record on the sites of government or official sources. In such cases, we won't make removals." Google says a removal request will also be considered if the search result in question includes "explicit or implicit threats" or "explicit or implicit calls to action for others to harm or harass." The company says that if it approves your request, it may respond by removing the…

Source

Over the past 15 years, the cloud has blown business into a new age of networking, for solid reasons: Small businesses can get online fast, using the same tools as the big companies; large companies can scale up and down to match demand; and organizations of all sizes can quickly react to business fluctuations in terms of allocating resources and onboarding applications. And, of course, over the past few years the pandemic has made cloud resources crucial when it comes to supporting remote workforces. [Editor’s Note: This article was originally published in the free Threatpost eBook “Cloud Security: The Forecast for 2022.” In it we explore organizations’ top risks and challenges, best practices for defense, and advice for security success in such a dynamic computing environment, including handy checklists. Please download the FREE eBook for the full story] However, the mad dash to set up shop in the cloud can sometimes lead to stormy weather: There are, after all, beaucoup security challenges hidden behind the cloud’s promise of blue skies. As Prevailion CTO Nate Warfield enumerates, cloud marketplaces “are rife with pre-built virtual machine (VM) images containing unpatched vulnerabilities, overly permissive firewall settings, and even malware and coin miners. Cloud providers don’t take a proactive stance towards breach and compromise monitoring and, in many cases, won’t even pass on notifications to their customers which they have received from…

Source

A threat group responsible for sophisticated cyberespionage attacks against U.S. utilities actually comprises three subgroups, each with its own toolset and targets, that have been operating globally since 2018, researchers have found. TA410 is a cyberespionage umbrella group loosely linked to APT10, a group tied to China’s Ministry of State Security. The group is known not only for targeting U.S. organizations in the utilities sector, but also diplomatic organizations in the Middle East and Africa, according to a report published this week by researchers at security firm ESET. Though it has apparently been active since 2018, TA410 first came up on researchers’ radar in 2019, when Proofpoint uncovered a phishing campaign targeting three U.S. companies in the utilities sector that used a novel malware then dubbed LookBack. About a year later, the threat group resurfaced by deploying a sophisticated RAT against Windows targets in the United States’ utilities sector. Dubbed FlowCloud and believed to be the evolution of LookBack, the RAT can access installed applications and control the keyboard, mouse, screen, files, services and processes of an infected computer. The tool also can exfiltrate information to a command-and-control (C2) server. Now ESET researchers have found that TA410 is not one but actually three subgroups of threat actors, FlowingFrog, LookingFrog and JollyFrog, each “using very similar tactics, techniques, and procedures (TTPs) but different toolsets…

Source

GitHub revealed details tied to last week’s incident in which attackers, using stolen OAuth user tokens, downloaded data from private repositories. “We do not believe the attacker obtained these tokens via a compromise of GitHub or its systems because the tokens in question are not stored by GitHub in their original, usable formats,” said Mike Hanley, chief security officer at GitHub. OAuth never hands the user’s credentials to a third-party application; instead, the application receives an access token that authorizes it to act on the user’s behalf, within the scopes the user approved, when it calls another service. Incidents in which stolen or leaked OAuth tokens are commandeered by adversaries are not uncommon. Microsoft suffered an OAuth flaw in December 2021, in which several of its applications (Portfolios, O365 Secure Score and Microsoft Trust Service) were vulnerable to authentication issues that enabled attackers to take over Azure accounts. To abuse it, an attacker first registers a malicious app with the OAuth provider, with a redirect URL pointing to a phishing site, and then sends the target a phishing email containing the OAuth authorization URL. Analysis of the Attacker’s Behavior GitHub’s analysis of the incident found that the attackers authenticated to the GitHub API using stolen OAuth tokens issued to Heroku and Travis CI. It added that most of those affected had authorized Heroku or Travis CI OAuth apps in their GitHub accounts. The attacks were selective: the attackers listed the private repositories of interest….
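Two server-side defenses the incident touches on, as an added example written for this page (not GitHub's, Heroku's or Travis CI's code): exact-match validation of the redirect URI an OAuth app registers, beside the loose prefix match that lets a look-alike host through, and a token store that keeps only a hash of each access token, which is the property Hanley is describing when he says the tokens are not stored in a usable format. The client ID, callback URL and token prefix are invented for the example.

```python
import hashlib
import secrets
from urllib.parse import urlsplit

# Constructed registration for a hypothetical CI integration; the client ID, callback URI
# and token prefix are invented for this example and belong to no real vendor.
REGISTERED_APPS = {
    "ci-app-001": {"redirect_uris": {"https://ci.example.test/oauth/callback"}},
}


def redirect_uri_allowed(client_id, redirect_uri):
    """Exact-string comparison against the URIs registered for the app, as RFC 6749
    section 3.1.2.3 and the OAuth 2.0 Security Best Current Practice recommend."""
    app = REGISTERED_APPS.get(client_id)
    if app is None:
        return False
    parts = urlsplit(redirect_uri)
    if parts.scheme != "https" or parts.fragment:
        return False
    return redirect_uri in app["redirect_uris"]


def redirect_uri_allowed_weak(client_id, redirect_uri):
    """Illustrative weak check (hypothetical, not any vendor's actual code): accept anything
    that starts with a registered scheme and host. A look-alike host or a userinfo trick
    ("https://good.host@evil.host/") both slip through."""
    app = REGISTERED_APPS.get(client_id)
    if app is None:
        return False
    return any(redirect_uri.startswith("https://" + urlsplit(allowed).netloc)
               for allowed in app["redirect_uris"])


class TokenStore:
    """Keeps only a SHA-256 digest of each issued token. The plaintext is returned once to
    the app and never persisted, so a copy of this store cannot be replayed against the API."""

    def __init__(self):
        self._by_digest = {}

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode("ascii")).hexdigest()

    def issue(self, client_id, scopes):
        token = "tok_" + secrets.token_urlsafe(32)   # high-entropy, so no per-token salt is needed
        self._by_digest[self._digest(token)] = {"client_id": client_id,
                                                "scopes": frozenset(scopes)}
        return token

    def lookup(self, token):
        """Resolve a presented token to its grant, or None if unknown or revoked."""
        return self._by_digest.get(self._digest(token))

    def revoke_client(self, client_id):
        """Invalidate every token issued to one app: the response to an app-side token theft.
        Returns how many grants were removed."""
        doomed = [d for d, g in self._by_digest.items() if g["client_id"] == client_id]
        for d in doomed:
            del self._by_digest[d]
        return len(doomed)

    def stored_values(self):
        return list(self._by_digest)
```

Hashing protects only against theft of the provider's database; a token stolen from the third-party app that legitimately holds the plaintext, as described above, is still valid until the provider revokes it, which is what `revoke_client` models.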

Source

Cyberattacks against Ukraine have been used strategically to support ground campaigns, with five state-sponsored advanced persistent threat (APT) groups behind attacks that began in February. According to research published by Microsoft on Wednesday, the APTs involved in the campaigns are sponsored by the Russian state. Separate reports published this week also shed new light on the wave of cyberattacks against Ukrainian digital assets by APTs with ties to Russia. Microsoft researchers believe six separate Russia-aligned threat actors carried out 237 cyber operations that resulted in threats to civilian welfare and attempted dozens of cyberespionage attacks against Ukrainian targets. Moreover, Russia is believed to be using cyberattacks in a type of “hybrid war,” according to a blog post by Tom Burt, corporate vice president of Customer Security and Trust at Microsoft. That correlates “with its kinetic military operations targeting services and institutions crucial for civilians,” he said. “The attacks have not only degraded the systems of institutions in Ukraine but have also sought to disrupt people’s access to reliable information and critical life services on which civilians depend, and have attempted to shake confidence in the country’s leadership,” Burt wrote. Meanwhile, researchers at the Computer Emergency Response Team of Ukraine (CERT-UA) have been doing analysis of their own on the cyberattacks that have hampered the country in the lead-up to and during…

Source