Project Hyphae

Information Security News 11-21-2022


Transportation Sector Targeted by Both Ransomware and APTs

Article Link:

  • According to a report by the cybersecurity trend-analysis firm Trellix, ransomware activity against US transportation and shipping organizations increased 100% between Q2 and Q3 of 2022, and transportation was the second most targeted sector globally.
  • The report detailed other trends, including the evolution of ransomware, the prevalence of years-old vulnerabilities still leading to successful exploits, and the continued malicious use of Cobalt Strike.
  • Trellix Full Report:

Misconfigurations, Vulnerabilities Found in 95% of Applications

Article Link:

  • According to Synopsys' Software Vulnerabilities Snapshot 2022 report, weak encryption configurations and missing security headers topped the list of issues found across a range of penetration tests and application security tests. At least 25% of the issues found were rated "high" or "critical" in severity.
  • Synopsys noted that this pattern suggests organizations may be doing well at static vulnerability scanning while neglecting configuration checking and dynamic scanning, and argued that the data supports using multiple tools to analyze software.
  • Synopsys Full Report:
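The two top findings above (missing security headers, weak transport and cookie settings) are exactly the class of problem that static scanning of source code does not surface, because they live in server configuration and only show up in a live response. The following is an added example, not code from Synopsys or the article, of a small configuration check that parses a raw HTTP response and reports those misconfigurations. The sample responses, the one-year HSTS threshold, and the specific header rules are assumptions chosen for illustration; a dynamic scanner would run the same logic over real responses.

```python
import re

# Assumed minimum HSTS max-age (one year); a parameter of this example, not a Synopsys threshold.
MIN_HSTS_MAX_AGE = 31536000


def parse_response_headers(raw):
    """Parse the head of a raw HTTP/1.1 response into {lowercase-name: [values]}.
    Values are kept as a list so repeated headers such as Set-Cookie (which must
    not be comma-joined) and duplicate CSP headers are both preserved."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def _hsts_ok(values):
    m = re.search(r"max-age=(\d+)", values[0], re.I)
    return bool(m) and int(m.group(1)) >= MIN_HSTS_MAX_AGE


def _csp_ok(values):
    # Browsers intersect multiple CSP headers, so one strict policy is enough.
    for v in values:
        v = v.lower()
        if "default-src" in v and not re.search(r"default-src[^;]*(\*|'unsafe-inline')", v):
            return True
    return False


def _nosniff_ok(values):
    return values[0].lower() == "nosniff"


# Header -> (check over all values of that header, reason reported when it fails)
CHECKS = {
    "strict-transport-security": (_hsts_ok, "HSTS missing or max-age below one year"),
    "content-security-policy": (_csp_ok, "CSP missing, has no default-src, or default-src allows * or 'unsafe-inline'"),
    "x-content-type-options": (_nosniff_ok, "X-Content-Type-Options missing or not 'nosniff'"),
}


def audit_headers(headers):
    """Return sorted (header, reason) findings for one parsed response."""
    findings = []
    for name, (check, reason) in CHECKS.items():
        values = headers.get(name)
        if not values or not check(values):
            findings.append((name, reason))
    # Clickjacking: CSP frame-ancestors supersedes X-Frame-Options, so either one passes.
    csp_text = " ".join(headers.get("content-security-policy", [])).lower()
    xfo = headers.get("x-frame-options", [""])[0].upper()
    if "frame-ancestors" not in csp_text and xfo not in ("DENY", "SAMEORIGIN"):
        findings.append(("x-frame-options", "no clickjacking defence: neither CSP frame-ancestors nor X-Frame-Options"))
    # Each Set-Cookie is checked on its own; joining them would hide a weak cookie.
    for cookie in headers.get("set-cookie", []):
        attrs = {a.strip().lower() for a in cookie.split(";")[1:]}
        missing = [a for a in ("secure", "httponly") if a not in attrs]
        if missing:
            findings.append(("set-cookie", f"{cookie.split('=')[0]} lacks {', '.join(missing)}"))
    return sorted(findings)


def audit_raw_response(raw):
    return audit_headers(parse_response_headers(raw))


# Constructed sample responses (not captured from any real site).
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Strict-Transport-Security: max-age=300\r\n"
    "Content-Security-Policy: default-src * 'unsafe-inline'\r\n"
    "Set-Cookie: session=abc123; Path=/\r\n"
    "Set-Cookie: csrf=xyz; Secure; HttpOnly; SameSite=Strict\r\n"
    "\r\n<html></html>"
)
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Strict-Transport-Security: max-age=63072000; includeSubDomains\r\n"
    "Content-Security-Policy: default-src 'self'; frame-ancestors 'none'\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Set-Cookie: session=abc123; Secure; HttpOnly; SameSite=Lax; Path=/\r\n"
    "\r\n<html></html>"
)

if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_raw_response(raw) or "no findings")
```

The weak response produces five findings (CSP, cookie, HSTS, nosniff, clickjacking) and the hardened one none. Two design points matter in practice: Set-Cookie is the one header that must never be folded into a comma-joined string, or a second weak cookie disappears from the audit; and a CSP `frame-ancestors` directive makes X-Frame-Options redundant, so a checker that demands both will flag correctly configured sites.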

Electronics Repair Technicians Snoop on Your Data

Article Link:

  • Research by scientists at the University of Guelph, Canada, suggests that computer and smartphone repair technicians are hard to trust. The small sample covered 16 repair providers, ranging from national chains to local shops; nearly all of them tried to cover their tracks as to how repairs were conducted, technicians snooped on customer data in 6 cases, and in 2 of those 6 cases they copied the data onto external devices.
  • Another component of the study was an online survey of 112 respondents, 33% of whom cited privacy as a factor in choosing who repairs their devices. The authors highlighted that a provider's reputation is what leads consumers to trust it.
  • Finally, the authors noted that service providers should create (and follow) policies and adopt controls for protecting customer data.

Microsoft Warns of Hackers Using Google Ads to Distribute Royal Ransomware

Article Link:

  • According to Microsoft, a developing threat cluster has been observed using Google Ads in one of its campaigns to distribute BATLOADER, a stealthy dropper, which in turn delivers various post-compromise payloads, including the new Royal ransomware.
  • The threat actor is known to rely on malvertising to point unsuspecting victims to malware downloader links that pose as software installers for legitimate apps like Adobe Flash Player, AnyDesk, LogMeIn, Microsoft Teams, and Zoom.
  • The selective use of Google Ads to deliver BATLOADER marks a diversification of the threat actor's distribution vectors, enabling it to reach more targets and deliver malware payloads, the company pointed out. Phishing links are also shared through spam emails, fake forum pages, blog comments, and contact forms on targeted organizations' websites.
  • Microsoft noted that because the threat actor's phishing scheme abuses legitimate services, organizations can also use mail flow rules to capture suspicious keywords, and should review broad exceptions such as IP-range and domain-level allow lists.
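The "broad exceptions" Microsoft points at are the allow-list entries that let lures sent through legitimate services bypass spam and spoofing checks entirely: a whole /8, a wildcard over a shared tenant domain, or a bare TLD. The following is an added example, not Microsoft's or the article's code, of an offline review of such a list. The sample entries, the /24 and /48 breadth thresholds, and the list of shared provider domains are assumptions chosen for illustration and should be tuned to the organization's own exceptions.

```python
import ipaddress

# Thresholds assumed for this example: an IP exception broader than /24 (IPv4)
# or /48 (IPv6) is flagged. Real limits depend on the organisation's partners.
MIN_PREFIXLEN = {4: 24, 6: 48}

# Domains shared by many unrelated senders; allow-listing one of them whole exempts
# any attacker with a free mailbox or tenant. Illustrative list, not from the article.
SHARED_SENDER_DOMAINS = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com", "onmicrosoft.com"}


def _parse_network(entry):
    """Return an ip_network for IP/CIDR entries, None for anything else."""
    try:
        return ipaddress.ip_network(entry, strict=False)
    except ValueError:
        return None


def classify_entry(entry):
    """Return a reason string if the allow-list entry is dangerously broad, else None.
    Entries may be single IPs, CIDR ranges, domains, or wildcard domains (*.example.com)."""
    e = entry.strip().lower()
    net = _parse_network(e)
    if net is not None:
        if net.prefixlen < MIN_PREFIXLEN[net.version]:
            return f"IP range /{net.prefixlen} exempts {net.num_addresses} addresses"
        return None
    wildcard = e.startswith("*.")
    bare = e[2:] if wildcard else e
    if bare in ("", "*"):
        return "matches every sender domain"
    if len(bare.split(".")) < 2:
        return "top-level domain only: matches every domain under the TLD"
    if bare in SHARED_SENDER_DOMAINS:
        return "shared provider domain: anyone can send from it"
    return None


def audit_allow_list(entries):
    """Return [(entry, reason)] for the broad entries, in input order."""
    findings = []
    for entry in entries:
        reason = classify_entry(entry)
        if reason:
            findings.append((entry, reason))
    return findings


# Constructed sample allow list (RFC 5737/3849 documentation addresses, made-up domains).
SAMPLE_ALLOW_LIST = [
    "203.0.113.10",        # one partner mail relay: fine
    "198.51.100.0/24",     # a partner's /24: at the limit, fine
    "10.0.0.0/8",          # an entire private range: broad
    "0.0.0.0/0",           # everything: broad
    "2001:db8::/32",       # a whole IPv6 allocation: broad
    "partner.example",     # one organisation's domain: fine
    "*.corp.example",      # one organisation's subdomains: fine
    "*.onmicrosoft.com",   # every Microsoft 365 tenant: broad
    "gmail.com",           # every Gmail user: broad
    "*.com",               # TLD wildcard: broad
    "*",                   # everything: broad
]

if __name__ == "__main__":
    for entry, reason in audit_allow_list(SAMPLE_ALLOW_LIST):
        print(f"{entry:20} {reason}")
```

Seven of the eleven sample entries are flagged. The point of the domain rules is that an allow list is only as strong as the weakest entry: a wildcard over `onmicrosoft.com` or a bare `gmail.com` exempts exactly the free tenants and mailboxes a malvertising operator would use, so those entries deserve the same scrutiny as a /8.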

Russian Software Disguised as American Software Finds Its Way Into U.S. Army, CDC Apps

Article Link:

  • The CDC and the U.S. Army both removed several apps after the developer behind them, Pushwoosh, was found to have falsely claimed to be an American company when it is actually based in Siberia, Russia. Besides its work on the CDC and U.S. Army apps, Pushwoosh has contributed to the development of more than 8,000 other mobile apps, including ones for the NRA, UEFA (the European soccer governing body), and the United Kingdom's Labour Party.
  • Officially, Pushwoosh is headquartered in Siberia and is registered with the Russian government as a software company. On social media and in U.S. regulatory filings, however, the company stated it was based in California, Maryland, and Washington, D.C., intentionally misleading customers.
  • While Pushwoosh's leadership denies any connection with the Russian government and says it stores data in the U.S. and Germany, it was noted that Russian privacy law would not prevent Russian intelligence agencies from compelling the company to hand over data.

Secure Offboarding in the Spotlight as Tech Layoffs Mount

Article Link:

  • Increased turnover is straining existing offboarding processes, especially manual ones, for departing employees and contractors, and efforts to limit access to sensitive company data are growing more complex as data access points multiply. Recent high-profile layoffs at major tech companies have put a spotlight on this issue.
  • A survey by Oomnitza found that a third of enterprises lose more than 10% of their technology assets when offboarding employees, and 42% reported unauthorized access to SaaS applications during employee departures.
  • The article highlighted several key aspects of securing the offboarding process: coordinating offboarding programs (specifically between HR, IT, and security), a need for controlled urgency, and methods for detecting exfiltration and managing applications before, during, and after the offboarding process.

MITRE Engenuity Launches Evaluations for Security Service Providers

Article Link:

  • MITRE Engenuity's new evaluations assess several security service providers. Rather than ranking services on performance or other statistics, they offer detailed information on how each provider analyzes adversary behavior and describes it to clients, leaving it entirely to the security professionals and teams using the data to make any vendor comparisons they want.
  • The evaluation had vendors deploy their adversary detection and monitoring tools into a test environment in which MITRE simulated commonly used adversary tactics, including spear phishing for initial access, credential dumping, web shell installation, lateral movement, data exfiltration, and cleanup.
  • While the total number of techniques a vendor detected can be derived from the data, MITRE encouraged using the results to determine whether participating vendors detect the tactics common to your industry and scenario, and to weigh how each vendor communicated with MITRE and depicted its services, in order to judge which vendors are "best" for your organization.
  • MITRE’s Full Evaluations:
