Information Security News: 10/17/2022

Check out what's trending in information security news with this week's infosec news roundup!


Weakness in Microsoft Office 365 Message Encryption Could Expose Email Contents

Article Link: https://www.helpnetsecurity.com/2022/10/14/weakness-office-365-encryption/

  • WithSecure researchers are warning organizations of a security weakness in Microsoft Office 365 Message Encryption (OME) that could be exploited by attackers to obtain sensitive information. OME, which organizations use to send encrypted emails internally and externally, uses the Electronic Codebook (ECB) mode of operation, which is known to leak certain structural information about messages that can be used to infer message contents.
  • “Attackers who are able to get their hands on multiple messages can use the leaked ECB info to figure out the encrypted contents. More emails make this process easier and more accurate, so it’s something attackers can perform after getting their hands on e-mail archives stolen during a data breach, or by breaking into someone’s email account, email server, or gaining access to backups,” said WithSecure’s Harry Sintonen, who discovered the issue.
  • According to the advisory, the analysis can be done offline, meaning an attacker could compromise backlogs or archives of previous messages. Likewise, there doesn’t appear to be a way to prevent the contents from being compromised. WithSecure notified Microsoft in January 2022; however, Microsoft has opted not to fix the issue at this time.
  • WithSecure’s Full Report: https://labs.withsecure.com/advisories/microsoft-office-365-message-encryption-insecure-mode-of-operation
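
The structural leak described above, as an added example (not code from WithSecure's advisory or from Microsoft): it encrypts one constructed, repetitive plaintext under ECB and under CBC using Go's standard library and counts repeated 16-byte ciphertext blocks, which is what an observer can see without the key. AES as the block cipher, the key, the IV, the sample text and the function names are assumptions made for the illustration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// repeatedBlocks counts 16-byte ciphertext blocks that duplicate an earlier one.
func repeatedBlocks(ct []byte) (dups int) {
	seen := map[string]bool{}
	for i := 0; i+aes.BlockSize <= len(ct); i += aes.BlockSize {
		b := string(ct[i : i+aes.BlockSize])
		if seen[b] {
			dups++
		}
		seen[b] = true
	}
	return dups
}

// compareModes encrypts pt (a multiple of 16 bytes) under AES-ECB and AES-CBC
// and returns how many repeated ciphertext blocks each mode exposes.
func compareModes(key, iv, pt []byte) (ecb, cbc int, err error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return 0, 0, err
	}
	if len(pt)%aes.BlockSize != 0 {
		return 0, 0, fmt.Errorf("plaintext length %d is not a multiple of %d", len(pt), aes.BlockSize)
	}
	ecbCT, cbcCT := make([]byte, len(pt)), make([]byte, len(pt))
	for i := 0; i+aes.BlockSize <= len(pt); i += aes.BlockSize {
		block.Encrypt(ecbCT[i:], pt[i:]) // ECB: every block encrypted independently
	}
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(cbcCT, pt) // CBC: blocks chained
	return repeatedBlocks(ecbCT), repeatedBlocks(cbcCT), nil
}

// demoPlain is constructed sample data: a 32-byte template repeated 8 times.
var demoPlain = bytes.Repeat([]byte("CONFIDENTIAL....INVOICE #0001..."), 8)

func main() {
	// Fixed demo key and IV (constructed values, never reuse in real systems).
	ecb, cbc, err := compareModes([]byte("0123456789abcdef"), []byte("fedcba9876543210"), demoPlain)
	fmt.Println("repeated blocks: ECB", ecb, "CBC", cbc, "err", err)
}
```

A nonzero repeated-block count in stored ciphertext is a quick audit signal that a deterministic, unchained mode is in use.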

Here Are 5 of the World’s Riskiest Connected Devices

Article Link: https://www.helpnetsecurity.com/2022/10/13/riskiest-connected-devices/

  • The growing number and diversity of connected devices in every industry present new challenges for organizations to understand and manage the risks they are exposed to. The attack surface now encompasses IT, IoT, and OT in almost every organization, with the addition of IoMT (Internet of Medical Things) in healthcare.
  • It is not enough to focus defenses on risky devices in one category since attackers can leverage devices of different types to carry out attacks.
  • The article highlights the top five riskiest connected devices for IT, IoT, OT, and IoMT according to the security company, Forescout. The riskiest for each are routers for IT, IP cameras for IoT, programmable logic controllers (PLCs) for OT, and DICOM workstations (medical images) for IoMT.

A Big Threat for SMBs: Why Cybersecurity is Everyone’s Responsibility

Article Link: https://www.spiceworks.com/it-security/cyber-risk-management/guest-article/why-cybersecurity-is-everyones-responsibility/

  • To avoid becoming a statistic, organizations need to develop a security culture that reinforces the idea that cybersecurity is the responsibility of every team member. From leadership to associates, it’s a collective effort to stay aware. All individuals need to be trained, vigilant, and engaged.
  • Four ways to achieve this goal include: committing to ongoing education and awareness, explaining the “why” behind your policies and controls, knowing where your assets live and who is responsible for them, and running a company-wide risk assessment.
  • To keep your organization out of harm’s way, focus on building security into the very DNA of your operations, and don’t leave it up to your IT team alone. Empower the entire organization with knowledge and leverage employees as your first line of defense against cyber threats.

Venus Ransomware Targets Publicly Exposed Remote Desktop Services

Article Link: https://www.bleepingcomputer.com/news/security/venus-ransomware-targets-publicly-exposed-remote-desktop-services/

  • Threat actors behind the relatively new Venus Ransomware are hacking into publicly exposed Remote Desktop services to encrypt Windows devices. Venus Ransomware appears to have begun operating in the middle of August 2022 and has since encrypted victims worldwide.
  • When executed, the Venus Ransomware will attempt to terminate thirty-nine processes associated with database servers and Microsoft Office applications, delete event logs and shadow copy volumes, and disable data execution prevention. When encrypting files, it gives each file a “.venus” extension and adds a “goodgamer” file marker at the end of each encrypted file.
  • As the ransomware appears to be targeting publicly exposed Remote Desktop services, even those running on non-standard TCP ports, it is vital to put these services behind a firewall or VPN.

Google Rolling Out Passkey Passwordless Login Support to Android and Chrome

Article Link: https://thehackernews.com/2022/10/google-rolling-out-passkey-passwordless.html

  • Google officially rolled out support for passkeys, the next-generation authentication standard, to both Android and Chrome. Passkeys, established by the FIDO Alliance and backed by Apple and Microsoft, aim to replace standard passwords with unique digital keys that are stored locally on devices.
  • The underlying principle that powers passkeys is public-key cryptography, wherein the “secret” private key is stored on the user’s device while the public key is stashed by the online service. During a login process, a platform that supports passkeys uses the public key to verify a signature from the private key to confirm the authenticity of the user.
  • Google noted that keeping the private keys on local machines protects user passkeys against Google itself, or more specifically, a malicious actor inside Google.
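
The login exchange described above, as an added example (not Google's or the FIDO Alliance's code): the service keeps only a public key, issues a one-time challenge, and verifies the device's signature over that challenge and the origin. Ed25519, the origin-plus-challenge binding (a simplification, not the WebAuthn wire format), the `login.example` origin and all type and function names are assumptions made for the illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Service is the online service: it stores only the public key.
type Service struct {
	origin  string
	pub     ed25519.PublicKey
	pending []byte // challenge issued for the login in progress
}

// Register creates the key pair; only the public half is handed to the service.
func Register(origin string) (*Service, ed25519.PrivateKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	return &Service{origin: origin, pub: pub}, priv, err
}

// Challenge issues a fresh random challenge for one login attempt.
func (s *Service) Challenge() []byte {
	s.pending = make([]byte, 32)
	if _, err := rand.Read(s.pending); err != nil {
		panic(err) // no entropy: refuse to issue a predictable challenge
	}
	return s.pending
}

// Sign is the device side; it binds the challenge to the origin the browser reports.
func Sign(priv ed25519.PrivateKey, seenOrigin string, challenge []byte) []byte {
	return ed25519.Sign(priv, append([]byte(seenOrigin+"\x00"), challenge...))
}

// Verify checks the response against the service's own origin and challenge.
func (s *Service) Verify(sig []byte) bool {
	ch := s.pending
	s.pending = nil // single use: a captured response cannot be replayed
	return ch != nil && ed25519.Verify(s.pub, append([]byte(s.origin+"\x00"), ch...), sig)
}

func main() {
	svc, priv, err := Register("https://login.example")
	if err != nil {
		panic(err)
	}
	sig := Sign(priv, "https://login.example", svc.Challenge())
	fmt.Println("genuine login:", svc.Verify(sig), "replayed response:", svc.Verify(sig))
}
```

Nothing the service stores can produce a valid response, and a signature made for a different origin or an earlier challenge fails verification.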

Researchers Warn of New Phishing-as-a-Service Being Used by Cyber Criminals

Article Link: https://thehackernews.com/2022/10/researchers-warn-of-new-phishing-as.html

  • Cybercriminals are using a previously undocumented and relatively low-cost phishing-as-a-service (PhaaS) toolkit called Caffeine to effectively scale up their attacks and distribute nefarious payloads.
  • Core features offered by the platform include the ability to craft customized phishing kits, manage redirect pages, dynamically generate URLs that host the payloads, and track the success of the campaigns. All this is available for unvetted subscribers as the PhaaS service has an open registration process that only requires a valid email address, lowering the barrier to entry. The subscriptions range from $250 a month to $850 for six months, with varying levels of feature access.
  • The ultimate goal of the phishing campaigns is to facilitate the theft of Microsoft 365 credentials through rogue sign-in pages hosted on legitimate WordPress sites, indicating that the Caffeine actors are leveraging compromised admin accounts, misconfigured websites, or flaws in web infrastructure platforms to deploy the kits.

Care and Feeding of the SOC’s Most Powerful Tool: Your Brain

Article Link: https://www.darkreading.com/vulnerabilities-threats/care-and-feeding-of-the-soc-s-most-powerful-tool-your-brain

  • Our minds can do amazing things, but we must be aware of cognitive overload. When our working memory is overloaded, we can no longer process information effectively, we experience decreased performance, we can make detrimental mistakes and judgments, and even the simplest of routine tasks can seem foreign.
  • Cognitive overload goes even further in that it can affect our emotional well-being. When we are emotionally well, we can produce positive thoughts and adapt to challenging situations. This is imperative when facing the dynamic cybersecurity domain where the stakes are incredibly high.
  • Tips to avoid cognitive overload include knowing when to ask for help, speaking up for yourself, looking at tasks with fresh eyes, focusing on one task at a time, and taking time to self-reflect and attend to your needs.

All Windows Versions Can Now Block Admin Brute-Force Attacks

Article Link: https://www.bleepingcomputer.com/news/microsoft/all-windows-versions-can-now-block-admin-brute-force-attacks/

  • Microsoft announced that IT admins can now configure any Windows system still receiving security updates to automatically block brute force attacks targeting local admin accounts via a group policy.
  • Admins who want to toggle on this additional defense against brute force attacks can find the “Allow Administrator account lockout” policy under Local Computer Policy\Computer Configuration\Windows Settings\Security Settings\Account Policies\Account Lockout Policies.
  • Microsoft also announced that it now requires local admin accounts to use complex passwords that must have at least 3 of the 4 basic character types (lower case, upper case, numbers, and symbols).

CISA Releases Open-Source ‘RedEye’ C2 Log Visualization Tool

Article Link: https://www.bleepingcomputer.com/news/security/cisa-releases-open-source-redeye-c2-log-visualization-tool/

  • CISA has announced RedEye, an open-source analytic tool for operators to visualize and report command and control (C2) activity. RedEye is for both red and blue teams: it takes the logs from attack frameworks and presents them in a digestible format, providing an easy way to gauge data that leads to practical decisions. RedEye currently only parses logs from the Cobalt Strike framework.
  • RedEye includes features that allow for the uploading of campaign data to review information like beacons and commands, the graphical viewing of historical records from each campaign correlating to servers and hosts, as well as the ability to explore key events in campaigns.
  • RedEye can also generate presentations that can be shared with stakeholders and clients. All data collected from a campaign and the comments from analysts can be exported so clients can review them.
  • Blue teams can also use RedEye to better understand the raw data received from an assessment and view the attack path and the compromised hosts so they can take appropriate action.

Consumers Want More Transparency on How Companies Manage Their Data

Article Link: https://www.helpnetsecurity.com/2022/10/13/consumer-data-privacy/

  • Cisco published its 2022 Consumer Privacy Survey, an annual global review of consumers’ perceptions and behaviors on data privacy, highlighting the critical need for further transparency as consumers say their top priority is for organizations to be more transparent on how they use their personal data.
  • 81% of respondents agreed that the way an organization treats personal data is indicative of how it views and respects its customers, the highest percentage since Cisco began tracking it in 2019.
  • Additional statistics from the report included the following: 76% of respondents say they would not buy from a company that they do not trust with their data, 37% indicated they had indeed switched providers over consumer data privacy practices, and 53% say they manage their cookie settings from a website before accepting.
  • Cisco 2022 Consumer Privacy Survey and Analysis: https://newsroom.cisco.com/c/r/newsroom/en/us/a/y2022/m10/consumers-want-more-transparency-on-how-businesses-handle-their-data-cisco-survey.html

