The Australian police have arrested a 24-year-old hacker after a lengthy investigation tied him to the widely abused Imminent Monitor remote access trojan (RAT).

The spyware tool was downloaded by more than 14,500 people across 128 countries, the police said, and reportedly generated around $400,000 AUD for the cyber-criminal.

The Australian Federal Police (AFP) also said Imminent Monitor was allegedly first created by Jacob Wayne John Keen nine years ago when he was aged 15.

During its time on sale between 2013 and 2019, it has been used by numerous individuals including domestic and child abusers, among other criminals.

The spyware’s capabilities allowed customers to steal information from victims and spy on them in various ways, including surreptitious enabling and monitoring of the webcam and microphone, logging keystrokes, and remotely controlling the device too.

Imminent Monitor could be installed through various means, including phishing, the AFP said, and it believes there have been more than 10,000 victims worldwide.

“These types of malware are so nefarious because it can provide an offender virtual access to a victim’s bedroom or home without their knowledge,’’ said Chris Goldsmid, AFP commander of cyber crime operations.

“Unfortunately there are criminals who not only use these tools to steal personal information for financial gain but also for very intrusive and despicable crimes.”

The RAT was sold for around $25 USD for a single-user lifetime licence but additional options were available for teams of users sold at higher prices.

The creation and sale of Imminent Monitor prompted a global investigation from law enforcement after the AFP was handed information about the campaign from the FBI and security company Palo Alto Networks in 2017.

More than a dozen law enforcement agencies were involved in the investigation across Europe, issuing a total of 85 search warrants, seizing 434 devices and arresting 13 individuals for using the RAT.

Simply owning the RAT is not an offence, the AFP said, but installing it on another individual’s device is a violation of computer legislation.

AFP dedicated five officers to gathering information on, and ultimately shutting down the RAT. After Imminent Monitor was taken down in 2019, all copies across the globe ceased to work also.

In the same year, the accused individual’s home was searched by authorities and his computer was found with code files consistent with the development and use of the RAT.

The 24-year-old faces 6 criminal charges under computer misuse and data misuse legislation, including two counts of dealing with the proceeds of crime with a value exceeding $100,000.

He faces a maximum potential combined prison sentence of 20 years. A 42-year-old woman of the same address later revealed to be Keen’s mother, also faces one count of dealing with the proceeds of crime with a value exceeding $100,000 and also faces up to 20 years in prison, the AFP notice read.

Source

A remote access trojan is a type of malware that allows full remote access to an infected device, including the ability to execute commands, log keystrokes, steal files and data, install additional software, take screenshots, and even record video from the device's webcam.

These types of malware are very popular among hackers due to its cheap price and the unfettered access it provided to infected devices. However, they are also popular with domestic abusers who use them to spy on their victims.

Yesterday, the Australian Federal Police (AFP) announced that they had charged an Australian man, age 24, for developing and selling the Imminent Monitor (IM5) software.

The AFP alleges that the man sold the software to more than 14,500 people across 128 countries.

"A statistically high percentage of Australia-based PayPal purchasers of IM RAT (14.2%) are named as respondents on domestic violence orders. Additionally, one of these purchasers is also registered on the Child Sex Offender Register," reads a press release by the AFP.

"Of the 14 individuals, 11 bought the RAT during the active period of their domestic violence order (DVO) or within two years a DVO was issued."

Since the operation started in 2013, law enforcement states that the developer made 300,000 to 400,000, which was predominantly used to pay for food deliveries and purchase "other consumable and disposable items."

The Australian man faces six charges with a maximum penalty of 20 years.

Almost 3 years in the making

The Imminent Monitor operation started in 2013 when the developer (then 15) began promoting the product on hacking forums and a dedicated website.

The program was marketed as a remote administrator tool that could be purchased for as little as $25 for a lifetime license, which included customer support.

While the website promoted the product as a legitimate tool, the developer provided customer support and promoted the software under the alias 'ShockWave.'

In April 2019, a member of a hacking forum warned that ShockWave had gone missing and that he was likely arrested, warning Imminent Monitor customers that they would probably be facing legal action due to their use of the software.

Seven months later, in November, Europol announced a global law enforcement operation that led to the seizure of over 430 devices involved in the Imminent Monitor operation and the imminentmethods.net website used to promote the software.

As part of this operation, law enforcement shut down the Imminent Monitor platform and arrested 13 of its most prolific users. Search warrants were also executed against the developer and an employee located in Belgium.

The Australian Police also received intelligence from Palo Alto Unit 42 that same year, allowing them to arrest the developer.

Australia charges dev of Imminent Monitor RAT used by domestic abusers

In its blog post describing this new attack, SentinelOne says:

During a recent investigation, we found that threat actors were abusing the Windows Defender command line tool MpCmdRun.exe to decrypt and load Cobalt Strike payloads.

[...]

Notably, the threat actor leverages the legitimate Windows Defender command line tool MpCmdRun.exe to decrypt and load Cobalt Strike payloads.

The attack process works pretty much the same way as a previous VMware CLI case. The threat actors essentially exploit the Log4j vulnerability to download the MpCmdRun, the "mpclient" malicious DLL file and the encrypted Cobalt Strike payload file from its Command-and-Control (C2) server to infect a potential victim's system.

[...] MpCmd.exe (sic) is abused to side-load a weaponized mpclient.dll, which loads and decrypts Cobalt Strike Beacon from the c0000015.log file.

As such, the components used in the attack specifically related to the use of the Windows Defender command line tool are:

The following diagram shows the attack chain:

You can find the Indicators of Compromise as well as more technical details on the official blog post here.

Beware: LockBit actors using Microsoft Defender to infect PCs with Cobalt Strike beacon

The apps lack all of the promised functionality and push advertisements while trying to last as long as possible on the device.

To evade deletion, the apps hide on the victim's device by constantly changing icons and names, masquerading as Settings or the Play Store itself.

The adware apps abuse the Contact Provider Android component, which enables them to transfer data between the device and online services.

The subsystem is called every time a new app is installed, so the adware might be using it to initiate the ad-serving process. To the user it may look like the ads are pushed by the legitimate app they installed.

Researchers at McAfee discovered the adware apps. They note that users don't have to launch them after installation to see the ads because the adware initiates itself automatically without any interaction.

The first action from these annoying apps is to create a permanent service for displaying the advertisements. If the process is "killed" (terminated), it re-launches immediately.

The following video shows how the name and icon of the adware changes automatically and how the ad-serving occurs without any interaction from the user.

Millions of downloads on Google Play

As McAfee comments in the report, users are convinced to trust the adware apps because they see a Play Store link on Facebook, leaving little margin for doubt.

This has resulted in unusually high download numbers for the particular type of applications, as shown in the list below:

1. Junk Cleaner, cn.junk.clean.plp, 1M+ downloads
2. EasyCleaner, com.easy.clean.ipz, 100K+ downloads
3. Power Doctor, com.power.doctor.mnb, 500K+ downloads
4. Super Clean, com.super.clean.zaz, 500K+ downloads
5. Full Clean -Clean Cache, org.stemp.fll.clean, 1M+ downloads
6. Fingertip Cleaner, com.fingertip.clean.cvb, 500K+ downloads
7. Quick Cleaner, org.qck.cle.oyo, 1M+ downloads
8. Keep Clean, org.clean.sys.lunch, 1M+ downloads
9. Windy Clean, in.phone.clean.www, 500K+ downloads
10. Carpet Clean, og.crp.cln.zda, 100K+ downloads
11. Cool Clean, syn.clean.cool.zbc, 500K+ downloads
12. Strong Clean, in.memory.sys.clean, 500K+ downloads
13. Meteor Clean, org.ssl.wind.clean, 100K+ downloads

Most affected users are based in South Korea, Japan, and Brazil, but the adware has unfortunately reached users worldwide.

The adware apps are no longer available on the Play Store. However, users that installed them have to remove them manually from the device.

System cleaners and optimizers are popular software categories despite the low benefits they provide. Cybercriminals know that a large number of users would try such solutions to prolong the life of their devices and often guise malicious apps as such.

Facebook ads push Android adware with 7 million installs on Google Play

Called Super Super Secure Mode during its experimental testing phase, Enhanced Security Mode blocks access to the Just In Time compiler; this reduces the attack surface and makes it more difficult to use exploits according to Microsoft.

When enabled, Enhanced Security Mode enables additional protections provided by the operating system, such as Hardware Enforced Stack Protection, Arbitrary Code Guard, and Control Flow Guard.

Note: WebAssembly is not supported right now. Sites that use it need to be added to the exceptions list to make sure they work in Edge after enabling the security mode.

Configuring Enhanced Security Mode

Enhanced Security Mode is disabled by default. Edge users may configure the security feature in the following way:

1. Load edge://settings/privacy in the browser's address bar; this opens the Privacy, search and services options of Edge.
2. Scroll down until you find "Enhance your security on the web".
3. Enable the toggle to turn the feature on.

Note: Enhanced Security Mode is available on Windows and Mac operating systems only.

The security feature has two different levels that you may select:

• Basic (Edge Dev only) -- Enables Enhanced Security Mode for "less visited sites" only.
• Balanced -- The default level when Enhanced Security Mode is enabled. It uses security mitigations on all sites that are not visited frequently.
• Strict -- Improves security further by enabling the enhanced protections on all sites.

Strict mode offers protections on all sites, but it may lead to more site breakage according to Microsoft.

You can disable the security mode on specific sites by selecting Exceptions in Edge Stable (in Edge Dev, it is called manage enhanced security for sites).

Microsoft is testing a new option to always use enhanced security for sites in Edge Dev currently. Exceptions are useful, for example, when a site's functionality is broken if the mode is enabled.

Administrators may use a policy to configure the security feature in the Edge browser.

Manage Enhanced Security

Microsoft Edge displays "Added security" in the browser's address bar if Enhanced Security Mode is enabled on a site.

A click on the icon and the selection of "Enhance security for this site" displays an option to turn the feature off on the site and to open the preferences to adjust them in the browser.

Now You: How useful is Edge's Enhanced Security Mode feature?

Microsoft Edge's Enhanced Security Mode explained

Such attacks are also known as smishing or robotexts (as the FCC calls them), and scammers behind them may use various lures to trick you into handing over confidential information.

"The FCC tracks consumer complaints – rather than call or text volume – and complaints about unwanted text messages have risen steadily in recent years from approximately 5,700 in 2019, 14,000 in 2020, 15,300 in 2021, to 8,500 through June 30, 2022," the US communications watchdog's Robocall Response Team said [PDF].

"In addition, some independent reports estimate billions of robotexts each month – for example, RoboKiller estimates consumers received over 12 billion robotexts in June."

False-but-believable smishing baits reported by American consumers to the FCC include claims about unpaid bills, package delivery issues, bank account problems, or law enforcement actions.

Some of the most devious and convincing lures used in text message phishing attacks are links redirecting the targets to landing pages impersonating bank websites and asking them to verify a purchase or unlock frozen credit cards.

Phishing text messages can also be spoofed to make it appear that the sends is someone you're more likely to trust, such as a government agency like the IRS or companies you may be familiar with.

While some attackers will attempt to steal payment details, others are not as picky and will be happy to steal any personal information they can get their hands on, use in subsequent scams, or sell to other malicious actors.

To defend against SMS phishing attacks, FCC recommends taking the following measures:

• Do not respond to texts from unknown numbers or any others that appear suspicious.
• Never share sensitive personal or financial information by text.
• Be on the lookout for misspellings or texts that originate with an email address.
• Think twice before clicking any links in a text message. If a friend sends you a text with a suspicious link that seems out of character, call them to ensure they weren't hacked.
• If a business sends you a text you weren't expecting, look up their number online and call them back.
• Remember that government agencies almost never initiate contact by phone or text.
• Report texting scam attempts to your wireless service provider by forwarding unwanted texts to 7726 (or "SPAM").
• File a complaint with the FCC.

"If you think you're the victim of a texting scam, report it immediately to your local law enforcement agency and notify your wireless service provider and financial institutions where you have accounts," the FCC added.

"For more information about scam calls and texts, visit the FCC Consumer Help Center and the FCC Scam Glossary."

US govt warns Americans of escalating SMS phishing attacks

In a shocking incident, a hacker broke into a US college student's Snapchat account, illegally accessed nude photos and sent them to her friends, a cousin, an ex-boyfriend, and dozens of acquaintances. While most of those who received the message thought she had sent the photos, her friend Katie Yates understood she had been conned.

The woman, reported Bloomberg, was severely traumatised due to the incident. She said her ears were ringing and she was unable to breathe due to the mental trauma she faced. Yates said she removed sharp objects from her dorm room fearing she might hurt herself.

What she was facing was sextortion, a form of crime that is on the rise in the United States. The FBI said it received 18,000 cases of sextortion in 2021.

The sextortion resulted in a payout of 13.6 million dollars.

The hacker posed as a security employee and tricked her into sharing a code that allowed him to take over the account. He then blocked her out of the account. He then accessed a section called for my eyes only. The woman had stored naked photographs of herself.

He sent the photos to her contacts with the message 'flash me back if we are besties'. This was done as he wanted other people to send their nude photos.

As the authorities couldn't help them, they found a new plan. Yates contacted the victim's account saying she was sending him nudes via a link. The link was in fact software that can identify a person's IP address. As she got to know the person's identity, she reported him to the police.

The man was identified as David Mondore, a 29-year-old chef. He has been sentenced to six months in prison for hacking at least 300 Snapchat accounts.

Source

The developer implemented fixes in the stable release of the product (LibreOffice 7.2) and the unstable branch (7.3).

In total, there are fixes for three vulnerabilities. The first one is tracked as CVE-2022-26305 and allows macro code to run on the target device even if the certificate used to sign the macro doesn't match the entries in the user's configuration database.

LibreOffice features a check to determine if a macro was created and signed by someone the user trusts (i.e. a colleague) so it wouldn't execute the macro code in case of a mismatch.

"An adversary could create an arbitrary certificate with a serial number and an issuer string identical to a trusted certificate which LibreOffice would present as belonging to the trusted author, potentially leading the user to execute arbitrary code contained in macros improperly trusted," explains the advisory.

The second issue is now identified as CVE-2022-26307. It addresses a problem with the poor encoding of the master key that stores passwords for web connections in the user's configuration database.

The bad encoding of the key weakened its entropy from 128 to 43 bits, allowing an attacker to brute force it and access the stored passwords.

In the updated version of the software users with stored passwords will be prompted automatically to to re-encrypt them using the fixed method.

Finally, there's CVE-2022-26306, a flaw that allows attackers with access to the user's configuration data to retrieve passwords for web connections without knowing the master password.

Mitigation

LibreOffice offers security options for macros, ranging from "low" to "very high", which activate different sets of execution policies depending on the level of trust the user is comfortable accepting.

For example, if set to low, all macros will be executed even if they're unsigned. The medium security level displays a dialog asking the user to approve the execution of macros.

In the case of CVE-2022-26307, the flaw is not exploitable if the macro security level is set to "very high" or if the user doesn't maintain a database of trusted certificates.

To check your macro security settings, navigate to Tools → Options → LibreOffice → Security, click on "Macro Security", and set the level to "very high".

It is estimated that LibreOffice has 200 million users. Many of them are students and Linux users looking for an open-source alternative to Microsoft Office as well as a an office productivity software suite that is less targeted by threat actors.

The latest available version on the official download portal is 7.3.5.2, which features fixes for the mentioned flaws, but those appreciating a more stable performance might want to get 7.2.7 instead.

LibreOffice addresses security issues with macros, passwords

Frontpaged:   LibreOffice 7.3.5

VBA and XL4 Macros are small programs created to automate repetitive tasks in Microsoft Office applications, which threat actors abuse for loading, dropping, or installing malware via malicious Microsoft Office document attachments sent in phishing emails.

The reason for the switch is Microsoft announcing that they would end the massive abuse of the Office subsystem by automatically blocking macros by default and making it harder to activate them.

Although it took Microsoft a little longer to implement this Microsoft Office change, the block finally entered into effect last week.

However, the initial announcement alone convinced malware operators to move away from macros and begin experimenting with alternative methods to infect victims.

Hackers abandon macros

In a new report by Proofpoint, researchers looked at malicious campaign stats between October 2021 and June 2022 and identified a clear shift to other methods of payload distribution, recording a decrease of 66% in the use of macros.

At the same time, the use of container files such as ISOs, ZIPs, and RARs has grown steadily, rising by almost 175%.

The use of LNK files exploded after February 2022, the time of Microsoft’s announcement, increasing by a whopping 1,675% compared to October 2021, and being the weapon of choice of ten individual threat groups tracked by Proofpoint.

We have reported on the use of LNK files by Emotet, Qbot, and IcedID, in all cases masquerading as a Word document to trick the recipient into opening it.

However, these link files can be used to execute almost any command the user has permission to use, including executing PowerShell scripts that download and execute malware from remote sources.

Finally, Proofpoint also observed a significant increase in the use of HTML attachments adopting the HTML smuggling technique to drop a malicious file on the host system. However, their distribution volumes continue to remain small.

Shifting the threat

While seeing macros becoming an obsolete method of payload distribution and initial infection is a positive development, the threat has merely shifted rather than being addressed or reduced.

The question that needs answers now is how that change impacts the effectiveness of the malware campaigns, as convincing recipients to open .docx and .xls files was a lot easier than asking them to unpack archives and open files whose names end with .lnk.

Furthermore, to bypass detection by security software, many phishing campaigns now password-protect archive attachments, adding another burdensome step a target must take to access the malicious files.

From that perspective, threat actors relying on phishing emails might be running out of good options, and their infection rates may have dropped as a result.

Finally, email security solutions now have a narrower spectrum of potential risks to evaluate, improving their chances of catching a risky file.

As Microsoft blocks Office macros, hackers find new attack vectors

The target, a customer of cybersecurity and cloud service company Akamai, has been under constant assault, facing dozens of DDoS rounds over the past 30 days.

DDoS incidents have become more frequent since the start of the year as attackers try to deny access to the victim's digital services by flooding them with requests and traffic to overwhelm resources and render them unavailable.

In a report this week, Akamai notes that the record-breaking attack occurred on July 21 and in 14 hours it peaked at 853.7 Gbps (gigabits per second) and 659.6 Mpps (million packets per second).

The company did not disclose any details about its customer but said that it was able to mitigate the attack and said that it targeted several IP addresses and that its client was the target of 75 DDoS incidents over the past 30 days.

UDP (user datagram protocol) flood was the most popular vector and also the one observed in both record spikes.

However, other methods were used, including UDP fragmentation, ICMP flood, RESET flood, SYN requests flood, TCP anomaly, TCP fragment, PSH ACK flood, FIN push flood, and PUSH flood.

Akamai says that the DDoS attacks originated from a "highly-sophisticated global botnet" of infected devices. Powerful botnets capable of record-breaking DDoS attacks have been in the news recently.

Last September, the Mēris botnet was responsible for hitting Russian internet giant Yandex with 21.8 million RPS (requests per second). In June, cloud services company Cloudflare mitigated a DDoS attack from Mantis botnet that peaked at 26 million RPS, making it the most powerful one to date.

The reason for attacking Akamai's customer remains unclear. DDoS incidents in Eastern Europe have taken a political tint as they are frequently used as a form of hacktivism.

Akamai blocked largest DDoS in Europe against one of its customers

Third-party cookies, for those who don’t know, are very important to the online advertising ecosystem. Most content online is free because of advertisements and to ensure ads generate more revenue, third-party cookies follow you everywhere online to learn more about you so that more relevant ads can be displayed. People have cottoned on to this practice and say they don’t like it, and many firms now put privacy as one of their key selling features.

Google, a firm with its entire business model based on ads, is keenly aware that sentiment has turned against its practices and has proposed Privacy Sandbox as a replacement to third-party cookies. Due to the clout the company has, developers, publishers, marketers, and regulators want to ensure that Privacy Sandbox works for them too. With today’s announcement, Google is giving these stakeholders more time to do this.

Google said that it’s expanding the testing windows for Privacy Sandbox APIs and that developers can begin testing them today. In early August, it will expand Privacy Sandbox trials to millions of users and gradually increase the number of participants into 2023. Anyone who is about to be put in the trials will be shown a prompt to manage their participation. By Q3 2023, the API will launch generally in Chrome and third-party cookies will be phased out in the browser in the second half of 2024.

Google's plan to phase out third-party cookies by late 2023, pushed back to late 2024

The political situation in Europe and the rest of the world has degraded dramatically in 2022. This has affected the nature, intensity, and geography of DDoS attacks, which have become actively used for political purposes.

New industry trends due to the conflict in Europe

The situation in Eastern Europe has affected the entire cybersecurity industry, particularly in areas such as DDoS attacks and protection. Now, states are becoming active participants in this market while the attacks themselves are becoming more sophisticated and powerful.

Geopolitical situation changing the objectives, nature, and intensity of DDoS attacks

During the first half of 2022, several countries reported attacks on government and financial institutions:

• “This cyberattack aimed at disabling banks and government websites was the worst in the history of Ukraine. It started on Tuesday, February 15, and lasted until Wednesday, with the goal of causing widespread confusion,” according to the Ukrainian government. “This attack was prepared in advance to destabilize and sow panic and chaos in our country.” The attack targeted the website of the Ministry of Defense and the Ukrainian state services digital portal, Diia, as well as the ATM networks and mobile applications of Oschadbank and PrivatBank.
• On March 11, the Chinese state agency Xinhua claimed that cyberattacks were tracked to the United States, Germany, and the Netherlands. These attacks were carried out via computers in China and targeted Ukrainian, Belarusian, and Russian resources. Despite the state agency naming the sources of these detected cyberattacks, it did not attribute them to any particular country. The attacks could have been orchestrated by hackers who have acquired IP addresses in these countries.
• On April 8, the Finnish Ministry of Defense and Foreign Affairs websites were subject to cyberattacks. “We are investigating the matter and will provide information when we know more about the incident,” said the ministry, the suspects behind the attack haven’t been revealed.

States becoming official participants in the DDoS mitigation market

The DDoS market can often be described as spontaneous. Attacks that are powerful and costly for customers are not uncommon, but governments used to be more restrained when protecting against them. Now, rumours about the actions of state structures in this segment are often confirmed by officials. For example, at the end of February 2022, the U.S. Attorney General publicly confirmed that the FBI conducted a secret operation to eliminate Russian malware and prevent a large-scale DDoS attack.

The emergence of cyber troops in Ukraine is also well-documented, their creation last year was confirmed by the country’s government. The recruitment process began in February 2022, and they have been tasked with ensuring information security and protecting critical infrastructure. Such active government intervention in the industry may well fundamentally change the market forever.

How has DDoS attack complexity, power, and duration changed?

This has had a marked impact on the power, geography, and duration of DDoS attacks. The list of the main DDoS attack victims, for both countries and industries, has changed significantly in recent months. The company has shared its data, which you can read below.

Attacks are becoming more complex and multi vectored

There are several distinctive types of DDoS attacks:

• Ransom DDoS attacks are carried out for extortion - the attackers promise to cease their attack upon receiving the ransom.
• Application-layer DDoS attacks interfere with or even completely paralyse the operation of business applications, which causes material and reputational loss for the targets.
• Network-layer DDoS attacks sap networks’ bandwidth and disrupt the target’s interactions with partners and clients.

Each type of attack exploits different vulnerabilities in the victim’s infrastructure. Previously, attacks were based on a particular vector, but now the share of more sophisticated malicious campaigns is growing. Rather than directly attacking the victim’s server, attackers paralyse one of its key functions and conduct combined attacks along different vectors.

According to Gcore, the number of such complex multivector attacks tripled in 2022 compared to the previous year. Bots and botnets have become the most common vectors for DDoS attacks, while HTTP flood attacks are also widely used. The company shared an example of a powerful attack that was averted by Gcore Web Application DDoS Protection:

The number of ultrashort attacks and average attack power are increasing

In recent years, the number of ultrashort DDoS attacks has been growing. According to Gcore, in 2022 the average duration of such attacks was 5–10 seconds.

The longest attack was recorded by the company’s specialists on April 14–15. It lasted 24 hours with a capacity of 5 Gbps.

The average power of recorded attacks in Q1–Q2 of 2022 more than doubled - last year, it was 300 Gbps, and this year it is already 700 Gbps. Previously, the main targets of such attacks were small and medium-sized companies, but this year more and more attacks are aimed at government agencies.

Government agencies are becoming frequent targets of DDoS attacks

The beginning of 2022 was marked by some of the most powerful attacks of recent years. Most of them targeted government agencies:

1. January 15 — An attack on North Korean infrastructure. It led to a complete blackout in the country for 6 hours. As a result of the attack, all transportation in the country was paralyzed.
2. January 16 — An attack on Ukrainian government websites. The websites of the Ministry of Education, Ministry of Foreign Affairs, State Emergency Service, Cabinet of Ministers, Ministry of Energy, and Diia were paralysed.
3. February 15 — Attacks on the Ukrainian Ministry of Defense and Armed Forces, PrivatBank, and Oschadbank. As a result of the simultaneous attacks, many Ukrainian banking systems were down, as well as several government websites.
4. February 23 — An attack on the Ukrainian Ministry of Foreign Affairs and National Parliament. As a result of the large-scale attacks, several government websites went down.
5. March 10 — An attack on Ukrtelecom. For 40 minutes, the work of the national telecom operator of Ukraine and the operation of networks and essential communication channels throughout the country were disrupted.
6. March 11 — An attack on the Rostec website. The state aerospace and defence company said it has been under constant DDoS attacks since February.
7. March 14 — An attack on Israeli government websites. The websites of the Ministries of Interior, Defense, Health, Justice, and Social Services, as well as the Prime Minister’s Office, were attacked. The campaign was labelled the strongest cyberattack ever launched against Israel.
8. March 16 — An attack on the Ukrainian internet service provider Triolan. This resulted in severe internet outages for its Ukrainian users.
9. March 29 — An attack on the Bradley Airport website. Unknown hackers launched an attack on the website of the Bradley International Airport, U.S.A.
10. April 8 — An attack on the Finnish Ministries of Defense and Foreign Affairs. The departments’ websites were unavailable and malfunctioned throughout the day.

Businesses are undergoing heavy flood attacks

According to Gcore, the most-attacked business sectors in Q1–Q2 of 2022 were e-commerce, fintech, and game development. The company shared information about powerful TCP and UDP flood attacks.

Increasing DDoS protection requirements

To defend against such powerful and sophisticated attacks, businesses and government agencies need advanced security systems. This is not the first time that Gcore has experienced a sharp increase in the number of DDoS attacks and their complexity.

In 2020–2021, along with increased content consumption in online games and entertainment industry, DDoS attacks also became more frequent and sophisticated. The attacks became more devious - Instead of targeting specific servers, attackers focused on web applications (L7 of the OSI network model) and tried to legitimise the traffic.

One of the main targets of cybercriminals was our client, Wargaming. On February 18, 2021, the security system of Gcore detected a UDP Flood—an attack aimed at the servers of the game development company.

Its volume reached 253 Gbps, and it lasted 15 minutes -  we deflected it successfully. It was possible thanks to the huge bandwidth of our network and our filtering system, which detects and neutralises attacks at a speed of hundreds of gigabits per second.

Our comprehensive protection algorithms ensure that our security systems are not bypassed, even in cases where attackers try to use traffic similar to legitimate ones.

Gcore offers comprehensive protection against complex attacks: it works at the network (L3), transport (L4), and application (L7) layers, effectively protecting clients from all types of cyberthreats. The solution does not require pausing business processes for the duration of the attack, since its intelligent, real-time traffic filtering technology only cuts out specific malicious sessions.

DDoS Attack Trends in 2022: Ultrashort, Powerful, Multivector Attacks

Linux Malware Is on the Rise Despite Past Declines

VPN provider AtlasVPN has reported that new Linux malware became vastly more prevalent in the first half of 2022. Compared to the first half of 2021, the instances of new malware rose by almost 650% from January to June 2022, from 226,324 to nearly 1.7 million samples, the highest number ever recorded. It was also found by AtlasVPN that April had the highest number of malware samples - 400,931.

AtlasVPN stated in a report that this huge spike in new Linux malware samples followed a decline that was seen between the fourth quarter of 2021 and the first quarter of 2022. A drop of 2% was seen, but this decline did not last long, with AtlasVPN stating in the same report that the "cumulative number of new Linux malware samples in H1 2022 was 31% higher than the number of such samples in the whole year of 2021".

Linux Has Long-Since Been Seen as a Secure OS

This huge uptick in malware samples is somewhat surprising, as Linux is viewed by many as one of the most private and secure operating systems out there today.

In late 2021, it was even stated in a post by Linux Security that Linux is "arguably the most secure OS by design", namely due to its open-source framework, user privilege model, and built-in kernel security defenses. However, the evidently increasing number of cyberattacks experienced on Linux was also acknowledged in this post.

Windows Still Has the Highest Number of Malware Infections

Though the severe increase in new Linux malware is concerning, Windows still leads as the most malware-infected operating system. AtlasVPN acknowledged this fact in its post on Linux's malware spike, stating that "41.4 million newly-programmed Windows malware samples were identified in H1 2022". So, while Linux malware is on the rise, it has a way to go before reaching the same level as Windows.

Linux’s Uptick in Malware Samples Is a Definite Concern

The steep incline in new Linux malware samples that took in the first half of 2022 may indicate that Linux is becoming more of a target for malicious parties. It is not known if this upward curve will continue over time, or if a plateau or decline in new malware samples will be seen on this world-renowned operating system.

Source

It was recently revealed that Ring, owned by Amazon, has handed over doorbell camera footage to law enforcement at least eleven times this year — without the owners’ permission or a search warrant.

As reported by CNET, Google will allow law enforcement to access data from its Nest products — or theoretically any other data you store with Google — without a warrant.

“If we reasonably believe that we can prevent someone from dying or from suffering serious physical harm, we may provide information to a government agency — for example, in the case of bomb threats, school shootings, kidnappings, suicide prevention, and missing person cases,” reads Google’s TOS page on government requests for user information. “We still consider these requests in light of applicable laws and our policies.”

An unnamed Nest spokesperson did tell CNET that the company tries to give its users notice when it provides their data under these circumstances. Google “reserves the right” to make emergency disclosures to law enforcement even when there is no legal requirement to do so.

“A provider like Google may disclose information to law enforcement without a subpoena or a warrant ‘if the provider, in good faith, believes that an emergency involving danger of death or serious physical injury to any person requires disclosure without delay of communications relating to the emergency,'” a Nest spokesperson tells CNET.

Other Smart Doorbell Providers

While Amazon and Google have both said they would hand over a users’ data to law enforcement without a warrant. Arlo, Apple, Wyze, and Anker, owner of Eufy, all confirmed to CNET that they won’t give authorities access to a users’ smart home camera’s footage unless they’re shown a warrant or court order.

These companies would be legally bound to provide data to the authorities if they were shown a legal document. But, unlike Google and Amazon, they will not otherwise share camera footage with law enforcement, even if they had an emergency request for data.

Apple’s default setting for their doorbells is end-to-end encryption which means the company is unable to share user video at all.

Source

According to Palo Alto's 2022 Unit 42 Incident Response Report, hackers are constantly monitoring software vendor bulletin boards for new vulnerability announcements they can leverage for initial access to a corporate network or to perform remote code execution.

However, the speed at which threat actors begin scanning for vulnerabilities puts system administrators in the crosshairs as they race to patch the bugs before they are exploited.

"The 2022 Attack Surface Management Threat Report found that attackers typically start scanning for vulnerabilities within 15 minutes of a CVE being announced," reads a companion blog post.

Since scanning isn't particularly demanding, even low-skilled attackers can scan the internet for vulnerable endpoints and sell their findings on dark web markets where more capable hackers know how to exploit them.

Then, within hours, the first active exploitation attempts are observed, often hitting systems that never had the chance to patch.

Unit 42 presents CVE-2022-1388 as an example, a critical unauthenticated remote command execution vulnerability impacting F5 BIG-IP products.

The flaw was disclosed on May 4, 2022, and according to Unit 42, by the time ten hours had passed since the announcement of the CVE, they had recorded 2,552 scanning and exploitation attempts.

This is a race between defenders and malicious actors, and the margins for delays on either side are dwindling with every year that passes.

Most exploited flaws in 2022

Based on the data collected by Palo Alto, the most exploited vulnerabilities for network access in H1 2022 are the “ProxyShell” exploit chain, accounting for 55% of the total recorded exploitation incidents. ProxyShell is an attack exploited by chaining together three vulnerabilities tracked as CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207.

Log4Shell follows at second place with 14%, various SonicWall CVEs accounted for 7%, ProxyLogon had 5%, while the RCE in Zoho ManageEngine ADSelfService Plus was exploited in 3% of the cases.

As it becomes evident from these stats, the lion’s share in the exploitation volume is captured by semi-old flaws and not the most recent ones.

This happens for various reasons, including the attack surface size, exploitation complexity, and practical impact.

More valuable and better-protected systems whose admins are quick to apply security updates are targeted with zero-days or attacks that unfold immediately after the disclosure of flaws.

It is also worth noting that according to Unit 42, exploiting software vulnerabilities for initial network breaches accounts for roughly one-third of the method used.

In 37% of the cases, phishing was the preferable means for achieving initial access. Brute-forcing or using compromised credentials is how hackers penetrated networks in 15% of the cases.

Finally, using social engineering tricks against privileged employees or bribing a rogue insider to aid in network access corresponds to 10% of the incidents.

A race against the clock

With system administrators, network admins, and security professionals already under significant stress as they try to keep up with the latest security threats and OS issues, the speed at which threat actors target their devices only adds additional pressure.

Therefore, it is extremely important to keep devices off the Internet if possible, and only expose them through VPNs or other security gateways. By restricting access to servers, admins not only reduce the risk of exploits, but provide additional time to apply security updates before the vulnerabilities could be targeted internally.

Unfortunately, some servives must be publicly exposed, requiring admins to tighten security as much as possible through access lists, exposing only the necessary ports and services, and applying updates as quickly as possible.

While quickly applying a critical update may lead to downtime, this is much better than the ramifications of a full-blown cyberattack.

Hackers scan for vulnerabilities within 15 minutes of disclosure

Launched in July 2016, No More Ransom is an online portal and a public-private partnership created by law enforcement (Europol and the Dutch National Police) and IT security companies (Kaspersky and McAffee).

Today, the No More Ransom project includes 188 partners worldwide, including BleepingComputer, who joined the project in 2018.

While initially, it provided only four ransomware decryptors, it has now grown to host over 100 free decryption tools for dozens of ransomware families.

"Six years later, No More Ransom offers 136 free tools for 165 ransomware variants, including Gandcrab, REvil/Sodinokibi, Maze/Egregor/Sekhmet and more," Europol said Tuesday.

During the six years since its launch, the initiative has provided more than 10 million people with free decryptors to recover their files without paying cybercriminals.

As Europol revealed last year, when No More Ransom celebrated its fifth anniversary, "this prevented criminals from earning almost a billion euros through ransomware attacks."

How does it work?

No More Ransom's goal is to help ransomware victims recover their encrypted files, raise awareness of the threat of ransomware attacks, and provide victims with easy-to-follow links to report attacks.

No More Ransom's Crypto Sheriff tool will help you find a free decryptor by uploading two encrypted files and the ransomware note, which will try to match them against a list of available tools.

If it finds a match, it shares a suitable ransomware decryptor for your encrypted files, with detailed instructions on unlocking them.

If no decryptor is found, you'll be advised to check again for a match in the future because new unlock tools are added regularly.

Europol also provides a video on how to use the Crypto Sheriff tool to recover your files without paying a ransom.

Ransomware victims are advised never to pay ransoms because that inadvertently finances future attacks but, instead, take measures to prevent and lessen the attacks' impact:

• Regularly back up data stored on your electronic devices.
• Watch your clicks – do you know where a link will take you?
• Do not open attachments in e-mails from unknown senders, even if they look important and credible.
• Ensure that your security software and operating system are up to date.
• Use two-factor authentication (2FA) to protect your user accounts.
• Limit the possibility of exfiltrating large amounts of corporate data to external file exchange portals.
• If you become a victim, do not pay! Report the crime and check No More Ransom for decryption tools. 

No More Ransom helps millions of ransomware victims in 6 years

How big is the risk that someone will hack an EV charging network?

n July 13th, a jury of twelve New Yorkers returned a verdict in the trial of Joshua Schulte, the C.I.A. hacker accused of engineering the largest theft of classified information in the agency’s history. They found him guilty on all nine counts. Damian Williams, the U.S. Attorney for the Southern District of New York, who oversaw the case, described Schulte’s crime as “one of the most brazen and damaging acts of espionage” ever committed in America. This was Schulte’s second trial on these charges; in March, 2020, a jury had come to a deadlock on the most significant allegations against him, and a judge declared a mistrial. (I wrote about Schulte, and the revelations of that earlier case, in the magazine in June.) But members of the new jury, which was empanelled earlier this summer, were not aware that he had been tried before. Juror No. 4, Juan Flores, told me over coffee last week, “We knew nothing.” The jurors scrupulously obeyed instructions not to consult any media accounts of the case, Flores explained. “I’ve been in the city forty-seven years, and I’ve been called to jury duty twice,” he said. He feels good about the verdict: “The system worked.”

Flores has intense eyes and a gentle smile. He is a retired assistant principal who spent his career working in the public-school system in the Bronx. Testimony about Schulte’s workplace antics at the C.I.A. gave Flores occasional flashbacks to his years as an educator. “I used to conduct conflict resolution with third graders,” he recalled. “ ‘We’re going to move your desks.’ ‘O.K., you couldn’t let it go, so we’re going to move you to a different classroom.’ Schulte couldn’t drop it. He couldn’t leave it alone.” Flores said that Schulte seemed not to have ever learned “all those things you learn when you’re a kid.”

The government’s argument was that Schulte (whose penchant for disproportionate retaliation had earned him the office nickname the Nuclear Option) stole a huge trove of sensitive hacking tools and disclosed them to WikiLeaks, not because he was critical of U.S. policy but as an act of revenge against his colleagues and his superiors, who had criticized him for being incessantly obstreperous. The jury found the prosecution’s claims about Schulte’s motive convincing, Flores said.

When I was writing my article on Schulte, I reviewed the full record from the first trial, and was quite surprised that the jury had failed to convict him, because the evidence against him had seemed overwhelming and unambiguous. The hung jury in that initial case was a credit to his very capable legal team, in particular the federal public defender Sabrina Shroff. Before the retrial, however, Schulte made the bold decision to dismiss his legal counsel and represent himself. At a glance, this seemed like lunacy: it is difficult even for a team of seasoned lawyers to try a complex federal criminal case, and in this instance the secrecy surrounding the proceedings, along with the technical complexity of the evidence, presented additional challenges. Yet Schulte seemed convinced that he could do a better job than his defense attorneys. He may have felt, as a professional coder, that he was more fluent than any lawyer could be in the idiom of digital forensics, which would dominate much of the testimony. It may also have been the case that, as a hacker confined in a federal holding pen, he was attracted to one of the perquisites of serving as your own attorney: access to a computer.

Another reason for Schulte to represent himself was that the jury would get to know him. Criminal defendants sometimes decide not to testify in their own defense in order to avoid cross-examination, which leaves them playing a peculiar role in the drama of their own trial: while everybody testifies about them, they sit mute alongside their attorneys, like a spectator. In such situations, it may be easier for juries to cast judgment on them. Schulte, by serving as his own counsel, might have aimed to humanize himself in front of the jurors, letting them hear his voice, come to know his mannerisms, and feel that they had developed a relationship with him. In theory, this strategy might make it more difficult for the jury to deliver a verdict that could lead to a decades-long sentence.

It didn’t work out that way. I sat in on the trial one day, and I found Schulte to be an erratic, discomfiting presence. He is tall and lanky, with a dark, full beard, and he would lean on the lectern and badger witnesses, stubbornly asking the same question again and again until the judge in the case, Jesse M. Furman, asked him to move on. Shroff was present at his table, alongside another attorney, Deborah Colson, ostensibly to serve as “standby” counsel. But in practice, whenever Schulte was cross-examining witnesses, Shroff would feed him questions written on Post-it notes, which he would then pose to himself. The impression created was that of an unprepared actor being fed his lines.

“I think Schulte really thought he was smarter than everybody,” Flores said, adding, “There was a level of arrogance.” If Schulte’s strategy had been to humanize himself, Flores continued, then it backfired with the jury. Sure, they got to know him—but they didn’t like him. A major thrust of Schulte’s defense was that the government and its witnesses did not really understand the complex technologies at issue. And it certainly came through in the testimony that the C.I.A.’s appallingly lax digital security had helped make the leak possible in the first place. But, as Flores described it, Schulte’s caustic belittling of one witness after another came to sound like the eye-rolling derision of a smug I.T. guy lording his technical prowess over everyone he encounters. “He thinks everyone’s stupid, in the whole country,” Flores said. “He didn’t do himself a service by defending himself.”

Schulte’s affect might have done him no favors, but it was the evidence that really did him in. The crime was technically complex, but, according to Flores, the jury gamely rose to the occasion. “There was a lot of computer language and coding language that people weren’t familiar with,” he said. “It was like going to coding school and law school for four weeks in the summer.” Some of the jurors took meticulous notes, which they shared with the others once deliberations began. They broke down each of the nine charges, laying out the evidence required for conviction on large pieces of paper, which they posted on the walls of the jury room. In early votes, there was near unanimity that Schulte was guilty, but one juror held out. According to Flores, this person had sons around Schulte’s age, and hesitated to make a decision that might send a young man away to prison for the rest of his life. “We had to tell her: you have to put your empathy aside and weigh the evidence,” Flores said. As it happens, Flores, like Schulte, is a graduate of the University of Texas at Austin, but he said that he did not let this link sway him. When Schulte was in court, Flores listened to everything that he said, but he tried not to look at him directly, lest doing so compromise his ability to be dispassionate. For the same reason, he averted his eyes from Schulte’s family, who were in the courtroom every day. “As human beings, we have to have empathy,” he said. “But if you did the crime, you did the crime.” Eventually, the holdout juror was convinced that the evidence left no doubt about Schulte’s guilt. When the verdict was announced, Flores did not look at the accused. But his fellow-jurors informed him that Schulte betrayed no visible reaction.

Schulte could be given a sentence of up to eighty years. He will also face separate federal charges related to the possession of child pornography. After the jurors issued their verdict, they were finally free to read press reports about Schulte, and they learned about the earlier trial and the child-pornography charges. Flores recalled, “Then we said, ‘Oh, wow. Yes, I think we made the right decision.’ ”

At one point in the trial, Judge Furman complimented Schulte, saying, “You may have a future as a defense lawyer. Who knows?” But, after the verdict, Furman stopped by the jury room to thank the jurors for their service; according to Flores, Furman told them that everyone has the right to serve as their own defense counsel—“but I wouldn’t advise it.”

Once Schulte starts serving his sentence, Flores noted, he will likely be deprived of computer access. “We can’t trust this guy being anywhere near technology,” he reflected. And, for Josh Schulte more than most inmates, “I think that’s going to be his greatest punishment.” ♦

Source

Researchers at cybersecurity company Kaspersky called it CosmicStrand but an earlier variant of the threat was discovered by malware analysts at Qihoo360, who named it Spy Shadow Trojan.

It is unclear how the threat actor managed to inject the rootkit into the firmware images of the target machines but researchers found the malware on machines with ASUS and Gigabyte motherboards.

Mystery UEFI rootkit

The Unified Extensible Firmware Interface (UEFI) software is what connects a computer’s operating system with the firmware of the underlying hardware.

UEFI code is the first to run during a computer’s booting sequence, ahead of the operating system and the security solutions available.

Malware planted in the UEFI firmware image is not only difficult to identify but is also extremely persistent as it cannot be removed by reinstalling the operating system or by replacing the storage drive.

A report from Kaspersky today provides technical details about CosmicStrand, from the infected UEFI component to deploying a kernel-level implant into a Windows system at every boot.

The entire process consists of setting up hooks to modify the operating system loader and take control of the entire execution flow to launch the shellcode that fetches the payload from the command and control server.

Mark Lechtik, a former Kaspersky reverse engineer, now at Mandiant, who was involved in the research, explains that the compromised firmware images came with a modified CSMCORE DXE driver, which enables a legacy boot process.

“This driver was modified so as to intercept the boot sequence and introduce malicious logic to it,” Lechtik notes in a tweet on Monday.

While the CosmicStrand variant Kaspersky discovered is more recent, researchers at Qihoo360 disclosed in 2017 the first details about an early version of the malware.

The Chinese researchers got to analyzing the implant after a victim reported that their computer had created a new account out of the blue and the antivirus software kept alerting of a malware infection.

According to their report, the compromised system ran on a second-hand ASUS motherboard that the owner had purchased from an online store.

Kaspersky was able to determine that the CosmicStrand UEFI rootkit was lodged in firmware images of Gigabyte or ASUS motherboards that have in common designs using the H81 chipset.

This refers to old hardware between 2013 to 2015 that is mostly discontinued today.

It is unclear how the implant was placed on the infected computers since the process would involve either physical access to the device or through a precursor malware capable of automatically patching the firmware image.

Victims identified by Kaspersky also provide few clues about the threat actor and their objective since the identified infected systems belong to private individuals in China, Iran, Vietnam, and Russia that could not be linked to an organization or industry.

However, the researchers connected CosmicStrand to a Chinese-speaking actor based on code patterns that were also seen in the MyKings cryptomining botnet, where malware analysts at Sophos found Chinese-language artifacts.

Kaspersky says that the CosmicStrand UEFI firmware rootkit can persist on the system for the entire life of the computer and has been used in operations for years, since the end of 2016.

UEFI malware becoming more common

The first widespread report about a UEFI rootkit found in the wild, LoJax, came in 2018 from ESET and it was used in attacks by Russian hackers in the APT28 group (a.k.a. Sednit, Fancy Bear, Sofacy).

Almost four years later and accounts of UEFI malware attacks in the wild have grown more frequent, and it wasn’t just advanced hackers exploring this option:

We learned about MosaicRegressor from Kaspersky in 2020, although it was used in attacks in 2019 against non-governmental organizations.

At the end of 2020 came the news that TrickBot developers had created TrickBoot, a new module that checked compromised machines for UEFI vulnerabilities.

Another UEFI rootkit was revealed in late 2021 to be developed by the Gamma Group as part of their FinFisher surveillance solution.

The same year, details emerged from ESET about yet another bootkit called ESPecter, believed to be used mainly for espionage and with origins as far back as 2012.

MoonBounce, considered to be one of the most sophisticated UEFI firmware implants, was disclosed this year in January as being used by Winnti, a Chinese-speaking hacker group (also known as APT41).

CosmicStrand UEFI malware found in Gigabyte, ASUS motherboards

Bleeping Computer reports that the Dutch Ministry of Education has placed restrictions on the use of Chrome and ChromeOS in schools until at least August 2023. This move has been initiated due to multiple reasons including concerns over how much student data is collected and shared with advertising partners, as well as lack of transparency over where the data is actually stored.

The officials have co-signed a letter to the Dutch parliament explaining their concerns and recommended privacy and data security measures to be adopted while using the aforementioned Google products. They have also noted that they conducted meetings with various big tech companies including Google, Microsoft, and Zoom about data protection and the need to increase transparency about how user data is utilized by their respective products.

Google has agreed to roll out new versions for both Chrome and ChromeOS by next year, promising that they will be more compliant with the Dutch educational sector requirements. The Dutch watchdog will review these versions upon release before giving them the green light.

Until August 2023, schools can still use existing versions of Chrome and ChromeOS, provided that they implement the security and privacy measures recommended by the Dutch Ministry of Education.

Source: Tweede Kamer der Staten-Generaal via Bleeping Computer

Google Chrome and ChromeOS usage restricted in Dutch schools due to data privacy concerns

Announced during the Cyber Workforce and Education Summit at the White House, the program aims to provide solutions to global cybersecurity workforce challenges. Research suggests organizations that focus on recruiting and developing entry-level cybersecurity staff — including those with little or no technical experience — accelerates the invaluable hands-on training the next generation of professionals needs to start a successful cybersecurity career. 

Those who earn the (ISC)2 Certified in Cybersecurity certification — currently in the final stages of a global pilot program — will demonstrate to employers that they have the foundational knowledge, skills and abilities necessary for an entry-level cybersecurity role. 

How the program will work

Starting September 2022, (ISC)2 will open registration. Qualified individuals will receive a free exam, as well as access to the (ISC)2 Certified in Cybersecurity online self-paced education course. The course provides a review of the subject matter published in the Certified in Cybersecurity exam outline, which shares the security concepts on which certification candidates will be evaluated, including:

Security Principles 
Business Continuity (BC), Disaster Recovery (DR) and Incident Response Concepts 
Access Controls Concepts  
Network Security  
Security Operations

University students, recent graduates, career changers and other professionals wishing to expand their skills and opportunities are encouraged to participate, especially individuals employed or seeking employment within small and midsized businesses. 

(ISC)2 will work closely with new and existing partner organizations to reach historically under-represented populations and encourage greater diversity within the cybersecurity community. (ISC)² has pledged that half of the expanded commitment — 500,000 course enrollments and exams — will be directed toward students of historically black colleges and universities (HBCUs), minority-serving institutions (MSIs), tribal organizations and women’s organizations across the U.S. and the globe.

After successfully completing the exam, candidates will become (ISC)² members with access to a wide array of professional development resources to help them throughout their careers. The (ISC)² entry-level cybersecurity certification is the first step on a career-long journey that will help cybersecurity professionals gain experience and work toward advanced qualifications such as the (ISC)² CISSP and (ISC)² CCSP.

Clar Rosso, CEO, (ISC)2,  says “We are proud to announce this initiative alongside so many others who share a strong commitment to addressing our cybersecurity workforce challenges and look forward to building the public-private partnerships needed to accomplish our goal of One Million Certified in Cybersecurity.” 

For more information on the (ISC)2 Certified in Cybersecurity, visit www.isc2.org/certified-in-cybersecurity.

Source

According to Avanan, hackers are using a combination of social engineering and legitimate domains to extract money and credentials from end users, which can be done on any site trusted and used regularly by end-users. "PayPal and QuickBooks are particularly clever since they are often used for business invoices. The scam works since static Allow Lists "allow" content from these sites directly from the inbox. It's a way of condensing the internet for security scanners. You can't block the whole internet; so you try to figure out what you know is good. Trusted websites like PayPal often make the cut, even if it is an oft impersonated brand. What makes this attack scary is that the phishing invoices are created and sent through PayPal. That makes it more legitimate to the security service and to the end-user," Avanan says.
Avanan notified PayPal of this attack on July 19th.

The attack is a reminder of the genius and persistence of threat actors. They continue to build new tactics on existing ones to profit from security loopholes, says Mark Arnold, Vice President, Advisory Services at LARES Consulting. "The ingenuity of attackers reinforces the need for continuous security awareness programs that can arm end users with the knowledge to thwart existing and emerging threats like this one. The list of techniques to conduct credential harvesting will undoubtedly grow. Brand impersonation in combination with Double Spear is the latest entry. Security awareness stewards need to be creative enough and tap into relevant intelligence sources to keep training current in the face of these and similar attacks," Arnold says.

Patrick Harr, CEO at SlashNext, suggests social engineering scams need to be included in phishing training programs. "Training should include social engineering scams to demonstrate how personal interactions, such as social media interactions, can impact their work-life. However, we hear from users that making policy adjustments restricting employees' use of mobile, social, or other personal apps is not well received," Harr explains. "In fact, asking employees to install managed security on their personal devices is also a non-starter. Look for security solutions that protect BYOD users from phishing with complete privacy and the added benefit of protecting the organization."

Source

Get ready for Alexa skills pop-up ads on your Amazon Echo Show

David Weston, Microsoft OS Security and Enterprise VP, recently tweeted about Windows 11's new security measures. The operating system now uses brute force attack protection by default, effectively locking the system after ten failed attempts to guess the local password. A brute force attack is a popular way that bad actors leverage to get into systems, sometimes using Remote Desktop Protocol (RDP).

You can check out the new policies in Local Group Policy Editor by navigating to Computer Configuration > Windows Settings > Security Settings > Account Lockout Policy. By default, Windows 11 locks out after ten failed attempts to guess the password in ten minutes, and IT admins can configure these values according to their needs.

It is worth mentioning that the lockout policies are not exclusive to Windows 11; they are also present (although disabled by default) in earlier Windows versions. With Windows 11 22H2 (starting with build 22528.1000 and higher), Microsoft flipped the switch, effectively making it much harder to get into the operating system using brute force tactics.

If you are interested in consumer-facing changes in Windows 11 22H2, check out our comprehensive review.

Update: David Weston has confirmed that the new lockout policies are coming to Windows 10.

Windows 11 22H2 comes with brute force attacks protection enabled by default

With the new rules in place, users will see a security warning notification when trying to open an Office file with a macro coming from the internet. The message will show a "Learn More" button linked to a support page describing risks related to opening files with VBA macros. Also, the article provides information about enabling macros in case the user trusts the file. You can access the support page via this link.

Microsoft says negative user feedback caused the company to temporarily undo the changes and consider providing better information about such a drastic change in Office applications. The new documentation now provides all the information users and IT admins need to understand how Office determines whether to block or run macros in files from the internet, which Office versions are affected by the new rules, how to allow VBA macros in trusted files, and how to prepare for the change.

Microsoft plans to start blocking VBA macros in Office Access, Excel, PowerPoint, Visio, and Word in the Current Channel from July 27, 2022 (Office version 2206 and newer). The idea behind the decision is to eliminate an attack surface that bad actors exploit to infect systems with malware and ransomware.

Microsoft will soon start blocking Office macros once again