All of us at Tripwire's Vulnerability Exposure and Research Team (VERT) are constantly looking out for interesting stories and developments in the infosec world. Here's what cybersecurity news stood out to us during the week of April 18, 2022. I've also included some comments on these stories.
On April 13, the Department of Energy (DoE), the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the Federal Bureau of Investigation (FBI) released a joint Cybersecurity Advisory to warn that certain industrial control systems (ICS) and supervisory control and data acquisition (SCADA) devices can be targeted by advanced persistent threat (APT) actors who have the capability to gain full system access, reports Dark Reading.
For those in the CI (Critical Infrastructure) sectors, and more specifically, for those that are responsible for the security of their respective ICS and SCADA Systems, I hope you are paying attention to the news and advisories being published, for good reason.
In the middle of last week, CISA and a few of the other lettered federal agencies (DoE, NSA, FBI) released a new advisory warning that certain ICS and SCADA systems are being targeted by APT (Advanced Persistent Threat) actors seeking to gain full system access and control.
Vulnerable products include:
Once a device is compromised, the threat actors can use custom-made tools to scan for additional vulnerable devices so they can take control of those too. The article also notes a critical issue with Windows-based engineering workstations, whether they sit in the OT or IT environment: the actors leverage vulnerable motherboard drivers on them. From there, they could elevate their privileges and move laterally across the environment, with the potential to cause greater damage.
The Federal Bureau of Investigation (FBI) has issued an alert on a new phishing scheme aimed at tricking victims into making money transfers to accounts controlled by cybercriminals, Security Week reports. The attack poses as a legitimate financial institution and targets users of digital payment applications, sending them a text and asking them to confirm that they initiated an instant money transfer.
Phishing schemes and their social engineering techniques appear to be getting more and more sophisticated, which is a problem for people who are unfamiliar with these types of schemes, or for those who may be more vulnerable.
Digital banking and payment apps are beyond commonplace now (pandemic aside, I can't remember the last time I set foot inside a physical bank branch), so it's unsurprising that phishing has made its way to them. The FBI is warning of a Reverse Instant Payment scam.
As the article notes, if a recipient of an automated text message responds, the cybercriminal will call the potential victim from a spoofed 1-800 number that appears to match that of the financial institution. Additionally, the criminals are typically speaking English with no accent.
Diving a bit deeper into how the scam is perpetrated, the attackers appear to have extensive information on the victim's background, including past addresses, Social Security numbers, etc. Armed with this, they claim to represent the bank's fraud department and walk the victim through a process that's meant to reverse a fake instant payment transaction (one that the victim did not initiate in the first place).
From there, the victim is asked to remove their email address from the digital payment app and share it with the cybercriminal, who then adds it to a bank account that is controlled by the cybercriminals.
After the email address has been changed, they ask the victim to initiate a new instant payment transaction to themselves, which supposedly will cancel or reverse the original fraudulent payment. What is actually happening is that the victim is now sending the payment from their own bank account to the one controlled by the cybercriminal.
From the FBI:
Cryptocurrency wallet maker MetaMask has warned its 21 million monthly users to be wary of Apple iCloud backing up their apps' data by default, after attackers successfully stole $650,000 of funds and NFTs. In a blog on Bitdefender, Graham Cluley explains that once your Apple ID is compromised, hackers can gain access to sensitive data from any of your apps (like MetaMask) that backed up with default settings.
This is an example of how good social engineering and phishing are getting, and of why you should review the default settings of an app when you choose to install it. A cryptocurrency wallet user revealed that he had fallen victim to a social engineering scam and had $650K worth of funds and NFTs stolen.
Here is how the scam was pulled off:
So now the attacker had access to the victim's iCloud account. By default, that won't automatically provide access to a user's separate cryptocurrency wallet. Here is where checking the app settings to see what is being backed up to your iCloud account is critical.
The default setting of MetaMask (the cryptocurrency wallet used by the victim) is to back up data to the user's iCloud account, including the secret 12-word recovery phrase, which the user would use in an emergency if they cannot remember their password or access their account. The app provides no warning to inform users that this data is being backed up to their iCloud account, which in my opinion is a critical omission.
The article and the victim do not go into detail as to how the attacker then got access to the victim's MetaMask encrypted vault, but it does suggest that if the victim had reused a password, chosen an obvious one, or one that could easily be cracked, then the attacker could go on to access everything in the crypto wallet.
Recommendations provided by the article, which I wholeheartedly endorse:
Amazon Web Services (AWS) has fixed four security issues in its hot patch from December that addressed the critical Log4Shell vulnerability (CVE-2021-44228), reports Bleeping Computer. This particular vuln affects cloud or on-premise environments running Java applications with a vulnerable version of the Log4j logging library or containers.
AWS appears to have addressed four issues in its initial hot patch release from December, which was meant to address the Log4Shell vulnerability affecting Java applications running a vulnerable version of the Log4j logging library or containers.
It is important to note that the hot patches are not exclusive to AWS resources. The issues in them allowed escaping a container in the environment and taking control of the host.
For those unfamiliar with containers, and escaping a container, they can be broken down as follows. Containers are:
Escaping a container involves exploiting vulnerabilities that allow an attacker to break free of a container's isolation and access the host's resources. This presents a large problem, as they may then be able to elevate privileges and cause additional harm.
Security researchers discovered that the hot-fix solutions meant to address Log4j/Log4Shell would keep searching for Java processes and patch them on the fly, without checking which restrictions should be enforced by the container. An additional problem created by the patches was that host processes were all provided with elevated privileges during the Log4Shell patching process.
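As an added illustration (not code from Tripwire, AWS or the cited researchers), the following Python models the defect just described in simplified form. A host-side "hot patcher" walks the process table looking for Java processes; the unsafe variant acts on every match with the patcher's own host privileges, while the safe variant first checks whether the target lives in a foreign (container) namespace and never runs the patch step with more capability than the target already holds. All pids, namespace ids and capability sets are constructed sample data, and "patching" is represented by the action records the functions return rather than by touching real processes.

```python
from dataclasses import dataclass
from typing import FrozenSet, List

# Capabilities the patcher itself runs with on the host (constructed sample values).
HOST_CAPS: FrozenSet[str] = frozenset({"CAP_SYS_ADMIN", "CAP_SYS_PTRACE", "CAP_NET_ADMIN"})
# Host namespace ids, constructed in the format of the /proc/<pid>/ns/* links.
HOST_MNT_NS = "mnt:[4026531840]"
HOST_PID_NS = "pid:[4026531836]"


@dataclass(frozen=True)
class Proc:
    pid: int
    comm: str
    mnt_ns: str
    pid_ns: str
    caps: FrozenSet[str]   # effective capabilities the process actually holds


@dataclass(frozen=True)
class PatchAction:
    pid: int
    enter_namespaces: bool  # must the patcher join the target's namespaces first?
    caps: FrozenSet[str]    # privileges the patch step would run with


# Constructed process table: one host Java service, one containerised Java
# process with every capability dropped, and one non-Java container process.
SAMPLE_PROCS: List[Proc] = [
    Proc(101, "java", HOST_MNT_NS, HOST_PID_NS, frozenset({"CAP_NET_BIND_SERVICE"})),
    Proc(2042, "java", "mnt:[4026532512]", "pid:[4026532515]", frozenset()),
    Proc(2043, "nginx", "mnt:[4026532512]", "pid:[4026532515]", frozenset()),
]


def in_container(p: Proc) -> bool:
    """A process whose mount or pid namespace differs from the host's is isolated."""
    return p.mnt_ns != HOST_MNT_NS or p.pid_ns != HOST_PID_NS


def patch_unsafe(procs: List[Proc]) -> List[PatchAction]:
    """Models the reported behaviour: match on the command name only and run the
    patch step with the host patcher's full capability set, ignoring isolation."""
    return [PatchAction(p.pid, False, HOST_CAPS) for p in procs if p.comm == "java"]


def patch_safe(procs: List[Proc]) -> List[PatchAction]:
    """Check isolation first: enter the target's namespaces when it is containerised
    and run the patch step with no more privilege than the target already has."""
    actions = []
    for p in procs:
        if p.comm != "java":
            continue
        actions.append(PatchAction(p.pid, in_container(p), p.caps))
    return actions


def find_escalations(actions: List[PatchAction], procs: List[Proc]) -> List[int]:
    """Audit helper: pids where the patch step would run with capabilities the
    target process does not itself hold, i.e. a privilege boundary is crossed."""
    by_pid = {p.pid: p for p in procs}
    return [a.pid for a in actions if not a.caps <= by_pid[a.pid].caps]


if __name__ == "__main__":
    unsafe = find_escalations(patch_unsafe(SAMPLE_PROCS), SAMPLE_PROCS)
    safe = find_escalations(patch_safe(SAMPLE_PROCS), SAMPLE_PROCS)
    print("unsafe plan crosses a privilege boundary for pids:", unsafe)
    print("safe plan crosses a privilege boundary for pids:", safe)
```

The audit function is the part worth keeping in mind when reviewing any agent that injects into other processes: compare the privileges the agent would act with against the privileges the target already has, and treat any excess as a finding regardless of whether the target is on the host or in a container.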
AWS users that applied the initial hot patch can review the security bulletin, which details the four new issues and what to do to address them.
This is a fitting example of why vulnerability management is such an important and critical piece of risk management and cybersecurity. If security practitioners and their leadership do not have a good handle on what vulnerabilities exist within their organization and what is being done to address them, then it is only a matter of time before malicious actors exploit these gaps in your digital defenses.
Vulnerability management is a continuous and ongoing exercise, which should feed into the organization's larger cybersecurity policies. Look at the NIST Cybersecurity Framework for starters. While it is geared towards the Critical Infrastructure sectors, it has five distinct functions in its cycle, with specific sub-categories and outputs to help define an entire plan.
Cisco on Wednesday announced the release of patches for several high-severity vulnerabilities in its products, including a bug reported by the National Security Agency (NSA). Tracked as CVE-2022-20783 (CVSS score of 7.5), the NSA-reported flaw is a denial of service (DoS) issue in TelePresence Collaboration Endpoint (CE) and RoomOS software, which could be exploited remotely, without authentication, Security Week noted on April 21.
Cisco released another round of patches for high-severity vulnerabilities. Key patches include a fix for a denial-of-service vulnerability, reported by the NSA, in its TelePresence CE and RoomOS software. Cisco also patched an elevation-of-privilege vulnerability in its VIM product, alongside about 10 medium-severity vulnerabilities.
Want more insights from Tripwire VERT before our next cybersecurity news roundup comes out? Subscribe to our newsletter here.
See the original post here:
VERT's Cybersecurity News for the Week of April 18, 2022 - tripwire.com