WikiLeaks whistleblower Chelsea Manning has been released from prison, having been held in a detention center in Virginia for almost a year.
Former soldier Manning was scheduled to appear in court on Friday, but according to BBC News the judge ruled that it was no longer necessary for her to testify. Manning had refused to answer further questions about WikiLeaks from investigators because she said she had already given her testimony during the 2013 trial.
According to Reuters, on Wednesday, Manning’s spokesman Andy Stepanian said that in spite of her imprisonment and the imposition of financial sanctions, Manning remained “unwavering in her refusal to participate in a secret grand jury process that she sees as highly susceptible to abuse.”
She was originally charged for leaking secret military files to WikiLeaks in 2010, and was sentenced to 35 years in a military prison. However, she was granted an early release by Barack Obama at the end of his presidency in 2016.
According to the court order, “upon consideration of the court’s May 16, 2019 Order, the Motion, and the Court’s March 12, 2020 Order discharging Grand Jury 19-3, the Court finds that Ms Manning’s appearance before the Grand Jury is no longer needed, in light of which her detention no longer serves any coercive purpose.”
The order also said that the Court “further finds that the enforcement of the accrued, conditional fines would not be punitive but rather necessary to the coercive purpose of the Court’s civil contempt order.” It also said that the $256,000 in “accrued, conditional fines” was payable immediately. This includes fines imposed on her for refusal to testify.
It was reported by The Guardian earlier this week that Manning had attempted suicide.
In February, Manning’s attorney Moira Meltzer-Cohen filed a motion to release Manning, based on evidence, including an expert’s assessment of Chelsea’s personality profile, and a public condemnation of her “coercive confinement” by Nils Melzer, the United Nations Special Rapporteur on torture and other cruel, inhuman or degrading treatment or punishment.
Fraudsters have already made $1.6m from cards stolen via a Magecart supply chain attack on popular e-commerce platform Volusion, and the figure could rise more than 100-fold over the coming months, according to new research.
The attack on Volusion’s cloud platform was described by dark web intelligence firm Gemini Advisory as “one of the largest and most wide-ranging supply-chain breaches to date.”
Affected companies ranged from golf stores and clothing retailers to online vape shops and even a site dedicated to monster trucks. The vast majority of cards (99%) were US-issued, reflecting the location of these businesses.
Although the stolen card details didn’t appear on the dark web immediately, from November 2019 onwards, over 239,000 compromised CNP records were being offered for sale on the cybercrime underground, according to the research.
The $1.6m already generated by fraudsters off the back of this haul is likely to be just the tip of the iceberg, warned Gemini Advisory.
“The average CNP breach affecting small- to mid-sized merchants compromises 3000 records; scaling this figure to the 6589 merchants using Volusion affected by this breach, the potential number of compromised records is up to nearly 20 million. Given this figure, the maximum profit potential would be as high as $133.9m,” it explained.
“The overwhelming and continually rising dark web demand for CNP records indicates a staggering profit potential for the perpetrators of this security incident. As more records make their way to the dark web and more merchants are confirmed to have been compromised via Volusion, the full extent of what is likely to be one of the largest and most wide-ranging supply-chain breaches to date will become clear.”
Microsoft has been forced to patch a vulnerability in the Server Message Block (SMB) protocol which was accidentally disclosed by some of its security partners earlier this week.
The fix, KB4551762, is an update for Windows 10, versions 1903 and 1909, and Windows Server 2019, versions 1903 and 1909.
It addresses a remote code execution (RCE) vulnerability in the way SMBv3 handles certain requests, which could allow an attacker to execute code on a victim’s server or client.
“To exploit the vulnerability against a server, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv3 server. To exploit the vulnerability against a client, an unauthenticated attacker would need to configure a malicious SMBv3 server and convince a user to connect to it,” Microsoft explained.
“The security update addresses the vulnerability by correcting how the SMBv3 protocol handles these specially crafted requests.”
According to SophosLabs, the flaw, dubbed SMBGhost, could be used in a number of different ways and is potentially wormable — i.e. it doesn’t require user interaction to spread.
That draws unhappy parallels with another wormable SMB bug which was exploited back in 2017 by the WannaCry attackers. However, the number of impacted machines in this case appears to be far smaller.
Security vendor Kryptos Logic claimed that around 48,000 servers are vulnerable to the new vulnerability, although it didn’t scan for exposed clients.
The patch was rushed out by Microsoft just days after its monthly update round, after a backroom error meant some of the tech giant’s security partners on its Microsoft Active Protections Program released details of the vulnerability.
Redmond was right to take action, as researchers are already publishing proof-of-concept exploits online.
This month’s Patch Tuesday was a big one for sysadmins, fixing 115 unique CVEs including 26 critical bugs.
The US is facing a “catastrophic cyber-attack” which could create lasting damage exceeding that of the many serious fires, floods and hurricanes the country has had to endure, according to a new analysis from a federal commission.
The US Cyberspace Solarium Commission claimed in its report that the country faces multiple threats from cyber-criminals and nation states: IP theft that hinders long-term growth, critical infrastructure attacks, cybercrime and ransomware, espionage for geopolitical advantage and attacks designed to undermine democratic institutions.
“The digital connectivity that has brought economic growth, technological dominance and an improved quality of life to nearly every American has also created a strategic dilemma. The more digital connections people make and data they exchange, the more opportunities adversaries have to destroy private lives, disrupt critical infrastructure and damage our economic and democratic institutions,” the report noted.
“The United States now operates in a cyber-landscape that requires a level of data security, resilience and trustworthiness that neither the US government nor the private sector alone is currently equipped to provide. Moreover, shortfalls in agility, technical expertise and unity of effort, both within the US government and between the public and private sectors, are growing.”
To tackle these challenges, the commission advocated a “layered cyber-deterrence” approach designed to “shape behavior, deny benefits and impose costs.”
The first requires the US to work with allies to promote responsible behavior in cyberspace; the second, to work with the private sector to enhance security; and the third, to retain the capacity to retaliate against enemies in cyberspace.
The report listed six policy pillars and 75 recommendations to help the US get there.
These include suggestions for government reform, including the establishment of House Permanent Select and Senate Select Committees on Cybersecurity, a Senate-confirmed National Cyber Director and new powers for the Cybersecurity and Infrastructure Security Agency (CISA) that will foreground its work in government.
An Arizona teen could be sentenced to more than 600 years in prison after allegedly hacking into a computer and stealing thousands of indecent images of children.
Cameron Charles Brush, of Mohave Valley, is accused of gaining unauthorized access to a 17-year-old girl's social media account and stealing sexually explicit images of her. Brush then allegedly threatened to publish the stolen images online unless the victim sent him new lewd nudes.
An investigation into Brush's online activities was begun in August 2019 after the victim reported to the local sheriff that her social media account had been hacked and photos had been removed from her account.
The sheriff's detectives were able to recover IP addresses used by the hacker and trace them to computers linked to Brush's two residences. A subsequent search of electronic devices owned by Brush uncovered over 4,000 images of child pornography.
Evidence discovered on Brush's cell phone and computers suggests that the teen hacked into multiple social media accounts belonging to juveniles. Detectives found photos and videos depicting around 50 different underage victims.
Brush, now 18, was indicted last week on ten counts of sexual exploitation of a minor, seven counts of sexual extortion, seven counts of computer tampering, and one count of attempted sexual exploitation of a minor.
The indictments relate to offenses that Brush is accused of committing between April and September 2019 when he was aged 17. On Tuesday, the teen pleaded not guilty to 25 new felony charges brought against him in 2020.
Five more charges related to computer tampering, sexual exploitation of a minor, and attempted sexual exploitation of a minor were brought against Brush in a third case, but were later dropped by prosecutors.
If convicted of all 25 charges in the 2020 indictment, Brush could receive a maximum sentence of 395 years. He could be handed an additional consecutive jail term of 240 years if convicted of all ten counts in the 2019 indictment.
Brush is currently being held in the county jail on a bond that was initially set at $1m but later reduced to $100,000 per indictment.
An independent inquiry into child sexual abuse (IICSA) in the UK has criticized web companies for caring more about their reputation than about protecting children from harm.
The IICSA's report, published today, is the result of 247 days of public and preliminary hearings involving 505 witnesses and the examination of over 4,500 accounts of child sexual abuse.
The 114-page report found that "industry has failed to do all it can to prevent access to images of child sexual abuse" and concluded that material should be pre-screened for abusive content before it is placed on the internet.
Far from being difficult to obtain, indecent images of children were found to be accessible online "from common search engines in only three clicks."
When it came to preventing child sexual abuse, big hitters Facebook, Google, and Microsoft were criticized for taking a seemingly reactive approach motivated by protecting their reputations rather than kids' safety.
An IICSA spokesperson said: "The Inquiry repeatedly heard evidence from industry witnesses that their respective companies, including Facebook, Google and Microsoft, were committed to trying to prevent online-facilitated child sexual abuse. The response was, at times, reactive and seemingly motivated by the desire to avoid reputational damage caused by adverse media reporting.
"For example, the report questions why Facebook did not sooner deploy a tool vital to the efforts to prevent access to child sexual abuse imagery."
The report went on to highlight weaknesses in online age-verification processes that leave children vulnerable to being groomed by sexual predators and cajoled into sending self-generated sexual imagery.
"Although industry companies either prohibit or discourage children under 13 years old from accessing their platforms or services, the age verification process can often be easily subverted—simply by inputting a false date of birth," stated the IICSA.
The inquiry found that industry has failed to demonstrate awareness of the scale of underage use, and called on internet companies to do more to identify the true scale of offending.
Web companies were criticized for releasing selective transparency reports and "only telling the public what the organization wants and thinks the public should know."
An American exploit acquisition platform has been listed as one of the worst digital predators in the world by freedom of expression group Reporters Without Borders (RSF).
The group published a list of the globe's most terrible online repressors and cyber-censors yesterday to coincide with World Day Against Cyber-Censorship.
On the list are 20 companies and government agencies that RSF say "use digital technology to spy on and harass journalists and thereby jeopardize our ability to get news and information."
US zero-day exploit broker Zerodium was among the state and non-state actors considered by RSF to pose "a clear danger for freedom of opinion and expression" guaranteed under the Universal Declaration of Human Rights.
Zerodium, which operates out of offices in Washington, DC, and Europe, was founded in 2015 under the name Vupen.
The company buys evidence of high-risk and high-impact vulnerabilities in software programs that would enable a threat actor to penetrate a user's device without any action on the part of the victim.
Zero-day exploits, acquired by Zerodium for sometimes millions of dollars, are sold by the company to third parties.
RSF said: "Zerodium pays bounties to hackers and security researchers to be exclusively informed about their discoveries. The company says it then resells this information to “mainly European and North American governments.”
"One of these exploits was used to spy on Ahmed Mansoor, a blogger in the United Arab Emirates who covers human rights violations and is critical of the government. He is currently serving a ten-year jail term including on a charge of publishing false information to damage the country’s reputation."
Predators on the list are broken down into four categories according to the nature of their activities: harassment, state censorship, disinformation, and spying or surveillance. Offenders are based all over the world, from Algeria and India to Brazil and Switzerland.
RSF said: "The power of these enemies of press freedom takes many forms. They locate, identify, and spy on journalists who annoy people in positions of power and authority. They intimidate them by orchestrating online harassment. They reduce them to silence by censoring them in different ways. They even try to destabilize democratic countries by deliberately disseminating false information."
UK police prevented over £31m in mainly online fraudulent activity last year, according to UK Finance.
The banking body claimed that the Dedicated Card and Payment Crime Unit (DCPCU), staffed by officers from the Metropolitan and City of London police as well as industry fraud experts, had a bumper year.
As well as preventing an estimated £31.2m in fraud, it disrupted 23 organized crime groups (OCGs) and helped to take down 1600 social media accounts related to fraud activity. Around a third of these were used to recruit youngsters as money mules, while others were involved in trading stolen card details online and advertising cut-price items, bought fraudulently, for sale.
According to UK Finance, the DCPCU also seized £1.65m in assets from criminal gangs, over double the amount confiscated in the same period in 2018, while 75 fraudsters were convicted in 2019 following investigations by the unit.
These included a money mule gang sentenced to seven years behind bars for fraud and attempted fraud worth over £1.2m. Also placed behind bars were two scammers from London who used SMS phishing and SIM swapping techniques to make over half a million pounds. They received a combined sentence of 14 years.
UK Finance claimed that, thanks to the DCPCU’s efforts, £27m in fraud was disrupted and prevented in the latter case.
“People who have been defrauded frequently lose more than their money – they lose confidence and a sense of security. That is why preventing people from becoming victims of fraud is one of the most important things we do,” said City of London police national fraud coordinator, Karen Baxter.
“The DCPCU has shown how effective it is to disrupt criminals, intent on preying on the public. In doing so, they have safeguarded thousands of people’s money – as well as their peace of mind.”
Organizations in the UK and Netherlands are more exposed to high-risk vulnerabilities than any others in Europe, with misconfiguration a major challenge, according to new data from Outpost24.
The security provider analyzed vulnerability data collected from over two million assets across 10 markets, over a 12-month period to November 2019. It looked at various parameters across this data including OWASP Top 10 and CWE weakness information.
It found that in the Netherlands, 50% of the vulnerabilities discovered were classified as high-risk, versus 43% in the UK. These were significantly higher than most other countries, aside from Brazil (47%).
Japan had the lowest number of high-risk vulnerabilities at less than 10%.
Unfortunately, organizations are giving attackers a helping hand by failing to mitigate these risks swiftly. The average time to patch is 105 days, while the average time for a bug to be identified and exploited has dropped to just 15 days.
“This leaves a window of almost three months for hackers to exploit vulnerabilities when they are left unpatched,” warned vulnerability research manager, Srinivasan Jayaraman.
According to the research, a whopping 82% of vulnerabilities analyzed were due to misconfiguration in areas like firewalls and passwords, categorized as CWE-16.
“CWE-16 weaknesses can be introduced due to weak/default passwords, deprecated protocols, open public database instance or if the file system is exposed and not encrypted,” explained Jayaraman.
“This highlights the importance of having fundamental security configurations in place to cover your networks, applications and cloud. If this is ignored by security teams you leave yourself open to hackers, and it's critical to prioritize checking for misconfiguration and implementing continuous monitoring.”
In addition, misconfiguration was reported in 86% of web applications assessed in the report against the OWASP Top 10.
Security researchers are warning of a new sextortion-related campaign designed to trick the recipient into clicking on a nude image booby-trapped with malware.
The unsolicited email contains a message from the ‘Red Skull’ hacking crew, who claim to have compromised the account of a contact of the recipient and found images of his naked girlfriend.
As this individual didn’t pay up, the hackers are now emailing the image to everyone in his contacts list, or so the scam goes.
To view the picture, the user is encouraged to “enable content” and in so doing execute macros on the machine. However, doing so will run a PowerShell command in the background to download and execute the Raccoon information-stealing malware, according to IBM X-Force.
Fortunately, the associated domain has been taken down.
“This new take on sextortion is quite remarkable. It makes the victim believe that someone they know has been exploited in an attack that has nothing to do with them. If people do not identify as the victim, they may act much more carelessly, especially those curious to find out who was actually targeted,” the security vendor explained.
“Thanks to the quick removal of the domain, it is safe to say that the success of this single campaign should be less significant, despite the sophistication and creativity of its emails. Nevertheless, the threat actor distributing these emails has been very actively exploring new methods of social exploitation, so this will certainly not be the last time we write a collection about these types of emails.”
In fact, the same hackers are behind a new campaign in which malicious spam is sent to users posing as an “indictment message” sent by a court. The relevant information on the hearing is said to be included in the malicious attachment.
Other phishing emails use DocuSign as a lure to click through and unwittingly download Raccoon.
BT has announced the launch of a new Security Advisory Services practice which will provide its customers with advice on navigating their cybersecurity journeys.
The new unit will be led by Tris Morgan, director at BT Security, and made up of around 300 specialist staff across the globe. It will offer strategic security guidance and solutions to organizations of all sizes to help them deal with today’s biggest security issues and prepare for the major new technologies and challenges of the future.
The Security Advisory Services practice will be supported by the wider BT Security team which protects BT against 125,000 cyber-attacks per month and provides security solutions to consumers, governments and businesses.
The services provided will be grouped into four key categories: cyber-threats; zero trust; governance, risk and compliance; and cloud security, allowing customers to assess and test their defenses and select the solutions that best match their security needs.
Kevin Brown, managing director of BT Security, said: “The creation of the Advisory Services practice is the next step in BT Security’s strategy. It recognizes that the optimal way to safeguard any organization is through a continual and strategic evolution of their security posture. Tris brings a wealth of experience of providing advanced cyber-solutions and guidance to both the public and private sector, making him ideally placed to provide the strategic direction that organizations are looking for.”
New research published today has found nearly half of cybersecurity professionals believe their industry is experiencing a skills gap because it isn't considered "cool" or "exciting."
The "Opportunity in Cybersecurity 2020" report surveyed over 200 cybersecurity professionals in the UK and the US about their personal experiences working in the industry. Of those questioned, 42% felt that public perception of the industry as being boring and full of dorks was dissuading fresh talent from pursuing a career in cybersecurity.
This opinion was found to be most prevalent among millennial respondents, 46% of whom blamed the cybersecurity skills gap on the industry's square image.
Shamla Naidoo, former CISO at IBM, said, “To many people, cybersecurity equates to—and is limited to—someone in a hoodie bent over a keyboard in a dark room. That’s not the case at all. If we don’t expand beyond that, we’ll lose out on even more people in the industry.”
The report was drawn from surveys and research conducted by the Center for Economics and Business Research, commissioned by cybersecurity firm Tessian.
According to the report, improving the industry's image, especially in order to recruit more women, could have a particularly beneficial effect for America. Researchers discovered that if the number of women working in cybersecurity in the US equaled that of men, the economy would receive a $30.4bn boost.
Fresh talent who don't give a fig about the industry's image may be put off working in cybersecurity because of the lack of equality when it comes to salary. At present, cybersecurity's reputation is tarnished by an embarrassing 17% difference in how much men and women are paid in the US, and an even more shameful gap of 19% in the UK.
Of those surveyed for the report, 45% of US respondents said offering equal pay would help with recruitment.
Researchers found that offering equal pay would also strengthen the US economy. An additional $12.7bn would be added to the US economy if women’s salaries were equal to those of their male colleagues.
A remission fund set up by Western Union to compensate the victims of money transfer scams that the business "turned a blind eye to" has made its first distribution payment.
Western Union entered into a deferred prosecution agreement (DPA) with the United States in 2017 in which the business acknowledged violating the Bank Secrecy Act and aiding and abetting wire fraud. Under the terms of the DPA, Western Union agreed to forfeit a total of $586m, which will be used to compensate victims of fraudulent transactions that were knowingly processed by the company.
“Western Union turned a blind eye to the fraudulent payments made through its money transfer system,” said Andrew Smith, director of the Federal Trade Commission’s Bureau of Consumer Protection.
“We’re glad to be returning money to those consumers who were ripped off by fraudsters exploiting the Western Union system, and we will not tolerate Western Union or other payments companies facilitating fraud.”
According to the US Department of Justice, victims were enticed into sending money to criminals through Western Union by the deployment of three main types of scam.
The first scam involved conning people into paying fees, sometimes in multiple installments, to claim fictitious lottery or sweepstake winnings.
Elderly victims were targeted with grandparent scams in which criminals would pretend to be a grandchild in desperate need of money to avoid personal harm or to pay for vital medical expenses.
The third scam lured victims into parting with their cash with the promise of romance, often preying on seniors who were seeking companionship on the internet. Victims were lulled into believing that their online love interest needed funds for a visit to the United States or some other purpose.
A Department of Justice spokesperson said: "Certain owners, operators or employees of Western Union agent locations were complicit in the schemes. Western Union aided and abetted the fraud scheme by failing to suspend or terminate complicit agents and by allowing them to continue to process fraud-induced monetary transactions."
Today, the chancellor Rishi Sunak announced his first budget as part of Boris Johnson’s Conservative Government, promising that more than £5bn will be invested into Britain’s digital infrastructure.
This investment, Sunak said, will provide gigabit-capable internet for the country’s most rural areas and increase 4G coverage to 95% within the next five years.
In response, experts have spoken of the importance of both cybersecurity and privacy as part of the Government’s tech investments.
Martin Rudd, CTO at Telesoft, said: “Broadband investments such as this in the 21st century are no longer seen as nice to have, but more of a need to have.”
Investments such as this by the UK government can only be beneficial for business and individuals alike, he added, but at the same time, the risk of cyber-threats will also grow.
“New businesses are less likely to have sufficient cybersecurity in place and as the threat landscape widens, there will no doubt be malicious actors ready to exploit it. As such, in future budgets, there should be funds ring-fenced for cybersecurity, helping ensure there is consistent awareness of the type of threats faced and how they naturally proliferate in line with any additional investments into the country’s digital infrastructure.”
Likewise, Stewart Room, head of data protection and cybersecurity at DWF, was quick to point out the growing significance of data privacy as the Government seeks to enhance the UK’s tech capabilities.
“The Government’s support for science and technology is welcome and encouraging. Our hope is that some of the new investment is targeted at growing the UK’s position in privacy enhancing technologies. This is a new market opportunity, which will scale and grow rapidly over coming years and the UK is in a great position to take its market share.”
A free secret-sharing app that touted itself as the "safest place on the internet" has exposed millions of intimate messages in a breach that involves several years' worth of data.
Social media app Whisper, which offers people a place in which to post and share photo and video messages anonymously, has attracted over 30 million users since launching in 2012.
Yesterday, the Washington Post reported that the team behind the popular app had stored users' most personal of personal data online in a non-password-protected database accessible to the public.
Whisper users' data found to be free ranging on the net included intimate confessions, fetishes, ages, ethnicities, genders, and location information. Among the viewable data were 1.3 million records involving users who had listed their age as 15.
Geolocation information attached to many users' last submitted post pointed back to specific schools, residential neighborhoods, workplaces, and international military bases, including a secure US military missile facility.
This massive breach of the kind of data blackmailers dream of finding was discovered by independent cybersecurity consultants Matthew Porter and Dan Ehrlich, who tipped off the Post.
What Porter and Ehrlich found confirmed that no one who has ever used Whisper can be confident that their secrets are still safe.
Porter and Ehrlich, who lead the advisory group Twelve Security, told the paper that they were able to access nearly 900 million users' records dating from the app's launch eight years ago right up to the present day.
The pair were also able to access any user's account and view which messages they had responded to and the time of their last login.
Ehrlich described the failure of Whisper to secure users' records as "grossly negligent."
Interestingly, the consultants learned from the breach that Whisper rates its users on the likelihood of their being sexual predators. About 9,000 users had a 100% "predator probability" score.
Federal law enforcement officers were notified of the breach by the two consultants, who also alerted the app's operators to what was going on. Access to the data has now been removed.
In a statement released on Tuesday, team Whisper said the database Porter and Ehrlich stumbled upon was “not designed to be queried directly.”
Security researchers are warning of a new ransomware campaign using malicious IQY files to spread via phishing emails.
IQY, or Internet Query, files are simple text files that Excel reads in order to download data from the web.
Researchers at Lastline observed them being weaponized in attacks designed to spread a new variant of Paradise ransomware.
“This campaign attempts to entice users into opening an IQY attachment, which reaches out and retrieves a malicious Excel formula from the attacker’s C2 server. This formula, in turn, contains a command to run a PowerShell command that will download and invoke an executable,” the vendor explained.
“Since these IQYs contain no payload (just a URL), they can be challenging for organizations to detect. Organizations may have to rely on a third-party URL reputation service if they do not have appliances in place to analyze and interrogate these URLs.”
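Because an IQY attachment is just a few lines of text around one URL, a mail gateway can triage it by parsing that URL rather than looking for a payload. The following is an added example, not Lastline's or the page's own code; it assumes a constructed allowlist of approved data-source hosts and constructed sample attachments, and also scores a captured response body (from a sandbox or proxy) so that a formula returned in place of tabular data is caught.

```python
"""Triage of Internet Query (.iqy) e-mail attachments.

An IQY file is plain text: a "WEB" header line, a version line ("1"), the
URL that Excel will fetch, then optional key=value options.  Since the file
carries only that URL and no payload, filters that look for executable
content do not trip on it; this helper extracts the URL and decides whether
the message can pass, needs analyst review, or should be blocked outright.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Constructed allowlist standing in for an organisation's approved data sources
# (assumption: legitimate web queries only ever point at these hosts).
APPROVED_HOSTS = {"reports.example.com"}

# Constructed sample attachments (203.0.113.0/24 is a documentation range).
MALICIOUS_IQY = "WEB\n1\nhttp://203.0.113.10/invoice.iqy\nSelection=EntirePage\nFormatting=None\n"
BENIGN_IQY = "WEB\n1\nhttps://reports.example.com/sales.csv\nSelection=EntirePage\n"


@dataclass
class IqyVerdict:
    url: str
    action: str          # "allow", "review" or "block"
    reasons: List[str]


def parse_iqy(text: str) -> Optional[Tuple[str, List[str]]]:
    """Return (url, options) for a WEB query file, or None if it is not one."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) < 3 or lines[0].upper() != "WEB" or lines[1] != "1":
        return None
    return lines[2], lines[3:]


def _is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def assess_iqy(text: str) -> IqyVerdict:
    """Score an IQY attachment on the URL it will make Excel fetch."""
    parsed = parse_iqy(text)
    if parsed is None:
        return IqyVerdict("", "review", ["not a well-formed WEB query file"])
    url, _options = parsed
    parts = urlparse(url)
    host = (parts.hostname or "").lower()
    reasons: List[str] = []
    block = False

    if parts.scheme not in ("http", "https"):
        reasons.append(f"unexpected URL scheme {parts.scheme!r}")
        block = True
    elif parts.scheme == "http":
        reasons.append("query fetched over plaintext HTTP")
    if not host:
        reasons.append("URL has no host")
        block = True
    elif _is_ip_literal(host):
        # Legitimate data feeds have names; a bare IP is typical of throwaway C2.
        reasons.append("host is a bare IP address")
        block = True
    elif host not in APPROVED_HOSTS:
        reasons.append(f"host {host!r} is not an approved data source")

    action = "block" if block else ("review" if reasons else "allow")
    return IqyVerdict(url, action, reasons)


def assess_fetched_body(body: str) -> List[str]:
    """Check what the URL returned, as captured by a sandbox or proxy.

    A genuine web query returns tabular data; a body whose first line starts
    with '=' is an Excel formula being injected into the workbook instead.
    """
    findings = []
    first = next((ln.strip() for ln in body.splitlines() if ln.strip()), "")
    if first.startswith("="):
        findings.append("response is an Excel formula, not data")
    lowered = body.lower()
    for marker in ("powershell", "cmd"):   # interpreters the formula may invoke
        if marker in lowered:
            findings.append(f"response references {marker}")
    return findings


if __name__ == "__main__":
    for name, sample in (("malicious", MALICIOUS_IQY), ("benign", BENIGN_IQY)):
        verdict = assess_iqy(sample)
        print(f"{name}: {verdict.action} {verdict.url} {verdict.reasons}")
```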
Paradise itself is not new; the variant has been around since 2017. However, this version contains some enhancements designed to improve its ability to evade detection by security filters.
These include use of the Salsa20 cipher, which can be implemented directly in the malware's source code so that there is no need to call out to a crypto library.
This makes it more difficult for security tools to detect, as many AV tools rely on spotting API calls to detect ransomware. It also makes it harder for analysts to understand exactly what type of encryption is being used, said Lastline.
The researchers tried to get a response from the ransomware support team but received none, indicating the campaign is not fully operational. However, they did ascertain that the ransomware will not activate if the user’s language is Russian, Kazakh, Belarusian, Ukrainian or Tatar, which may hint at its origins.
Microsoft has issued one of the biggest security updates of recent years with a Patch Tuesday that fixes 115 unique CVEs, including 26 critical flaws.
The majority of these are in Windows (79 CVEs) and Edge/IE (18). Experts agreed that sysadmins should prioritize CVE-2020-0684, a Remote Code Execution (RCE) vulnerability affecting Windows 7 through 10 and Windows Server 2008 through 2019.
The bug lies in the way Windows processes .LNK (shortcut) files; to exploit it, an attacker would need to trick a victim into clicking a .LNK file pointing to a removable drive or remote share containing malware.
Microsoft also announced four RCE flaws in the way Word handles objects in memory: CVE-2020-8050, CVE-2020-8051, CVE-2020-8052 and CVE-2020-8055.
“To exploit these vulnerabilities an attacker would need to send a specially crafted Microsoft Word document via email and convince a victim to click on the email or get the user to visit a website with a trojanized Word document,” explained Allan Liska, senior solutions architect at Recorded Future.
“Of note, CVE-2020-8052 can be exploited just with the Microsoft Outlook Preview Pane, without ever opening the Microsoft Word Document. As Recorded Future has previously noted, Microsoft Office is among the most popular attack vectors for cyber-criminals. We expect one or more of these vulnerabilities will be weaponized sooner rather than later.”
Satnam Narang, principal research engineer at Tenable, picked out three elevation of privilege vulnerabilities as worthy of attention. CVE-2020-0788, CVE-2020-0877 and CVE-2020-0887 affect Win32k due to improper handling of objects in memory and could be used by hackers to execute code on targeted systems post-compromise, he explained.
Also this month, Microsoft appears to have leaked details of a wormable vulnerability in the Server Message Block 3.0 (SMBv3) network communication protocol, for which there is no fix.
Although no exploit details are currently circulating online, there will be concerns over the publication of the CVE, especially as SMB was the protocol leveraged to devastating effect by the WannaCry ransomware worm.
“This indicates an attack attempt to exploit a Buffer Overflow Vulnerability in Microsoft SMB Servers,” read a description of the CVE from Fortinet.
“The vulnerability is due to an error when the vulnerable software handles a maliciously crafted compressed data packet. A remote, unauthenticated attacker can exploit this to execute arbitrary code within the context of the application.”
Nearly eight million sales records containing the personal information of UK shoppers have been discovered exposed to the public-facing internet, after another cloud misconfiguration.
Noted researcher Bob Diachenko discovered the unsecured MongoDB database residing on an Amazon Web Services (AWS) server on February 3.
It was secured five days later, after Diachenko identified and notified the owner: a third-party company that helps merchants aggregate sales data from multiple online marketplaces and handle VAT for cross-border sales.
According to Comparitech, around half of the eight million sales records discovered in the database related to Amazon UK and eBay, with Shopify, PayPal, Stripe and a few smaller marketplaces and payment companies accounting for the rest.
“We were made aware of an issue with a third-party developer (who works with a number of Amazon sellers), who appears to have held a database containing information from several different companies, including Amazon,” an Amazon statement explained.
“The database was available on the internet for a very short period of time. As soon as we were made aware, we ensured the third-party developer took immediate action to remove the database and secure the data. The security of Amazon’s systems was not compromised in any way.”
Exposed data included customer names, email addresses, shipping addresses, purchases and the last four digits of credit card numbers — more than enough for hackers to craft convincing follow-on phishing emails to target those customers.
If they were able to trick users into handing over their log-ins, they could theoretically hijack accounts and use stored cards and/or gift tokens to make fraudulent purchases.
Vinay Sridhara, CTO of Balbix, argued that the incident follows the pattern of countless other data leaks over recent years.
“Despite billions invested in security, enterprises are failing at the infosec equivalent of washing their hands,” he added.
“Since an organization can't improve what it can't measure, the starting point for a company to improve their cyber-hygiene is to inventory, categorize and measure the criticality of their assets. From there, basic resilience begins with identity, encryption and network segmentation.”
Two engineers who reportedly attended last month’s RSA Conference in San Francisco have tested positive for Coronavirus.
According to a statement posted on Twitter, the engineers worked for Exabeam. The company could not confirm “whether they contracted Covid-19 prior to, at or after the conference,” but warned anyone who came into contact with its staff to be vigilant in monitoring for symptoms.
According to a report by Bloomberg, one of the men who tested positive is a 45-year-old engineer who began experiencing symptoms when he returned home to Connecticut. His condition deteriorated the following week and he was hospitalized in respiratory distress on March 6, according to his wife.
“The man was placed into a medically induced coma and is now on a ventilator in guarded condition,” the article claimed. The individual is predisposed to pneumonia due to an underlying heart condition, according to his family.
A Go Fund Me page has so far raised more than $12,000 (at the time of writing) with the intention to assist the family with medical bills as well as necessities for his wife and two infant children.
In a statement, RSA Conference said that “there is not a known direct link or official governing body communicating back to RSA Conference that these individuals had symptoms at Conference or attended during the incubation period,” adding that it has shared the information with attendees and would continue to share information “out of an abundance of caution.”
Eleven Necurs botnets, which infected more than nine million computers since 2012, have been severely disrupted.
The botnets were dealt a blow through the joint efforts of BitSight, Microsoft's Digital Crimes Unit (DCU) and partners across 35 countries, who today took coordinated legal and technical steps to disrupt Necurs.
The disruption was the result of years of study of the Necurs malware, its botnets and its command-and-control infrastructure. Researchers performed forensic analysis, reverse engineering, malware analysis, tracking of module updates, infection telemetry, command-and-control updates, and analysis of the algorithm Necurs uses to systematically generate new domains (its domain generation algorithm, or DGA).
“We were then able to accurately predict over six million unique domains that would be created in the next 25 months,” said a Microsoft DCU spokesperson.
The domains were reported to their respective registries in countries around the world so the websites could be blocked and prevented from becoming part of the Necurs infrastructure.
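The mechanism behind that six-million-domain prediction is worth seeing in code: once reverse engineering recovers the generation algorithm and its seed, the defender runs it forward over future dates and hands the output to registries and blocklists. The following is an added illustration using a toy hash-based DGA, not Necurs' real algorithm (which is not described on this page); the seed, TLD table and DNS log lines are all constructed.

```python
"""Added example (a toy DGA, not Necurs' real algorithm): once an algorithm and
its seed are recovered by reverse engineering, a defender can enumerate the
domains it will produce for future dates and use that list to pre-register or
block them and to flag DNS lookups. DNS log lines are constructed."""
import datetime
import hashlib
from typing import Dict, List, Tuple

TLDS = ["com", "net", "org", "biz"]   # assumed TLD table for the toy DGA


def toy_dga(seed: int, day: datetime.date, per_day: int = 4) -> List[str]:
    """Deterministically derive `per_day` domains from (seed, calendar day).
    Illustrative only: real DGAs differ in mixing function, period and seed."""
    domains = []
    for i in range(per_day):
        digest = hashlib.sha256(f"{seed}:{day.isoformat()}:{i}".encode()).digest()
        label = "".join(chr(ord("a") + b % 26) for b in digest[:12])
        domains.append(f"{label}.{TLDS[digest[12] % len(TLDS)]}")
    return domains


def predict_domains(seed: int, start: datetime.date, days: int) -> Dict[str, datetime.date]:
    """Map every domain the DGA will generate from `start` for `days` days to
    the day it becomes active; this is the registration / blocklist input."""
    predicted: Dict[str, datetime.date] = {}
    for offset in range(days):
        day = start + datetime.timedelta(days=offset)
        for domain in toy_dga(seed, day):
            predicted[domain] = day
    return predicted


def match_dns_log(lines: List[str],
                  predicted: Dict[str, datetime.date]) -> List[Tuple[str, str, datetime.date]]:
    """Return (client, domain, active_day) for each constructed log line of the
    form '<timestamp> <client> query <domain>' whose domain is on the list.
    A hit means a host is reaching for infrastructure the botnet has not
    activated yet, which is a strong infection signal."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) != 4 or fields[2] != "query":
            continue                      # skip malformed or unrelated lines
        domain = fields[3].lower().rstrip(".")
        if domain in predicted:
            hits.append((fields[1], domain, predicted[domain]))
    return hits


SEED = 0x5EED                              # assumed seed recovered from the sample
START = datetime.date(2020, 3, 13)          # first day of the prediction window

if __name__ == "__main__":
    blocklist = predict_domains(SEED, START, 30)
    print(len(blocklist), "domains to block over the next 30 days")
    sample_domain = toy_dga(SEED, START + datetime.timedelta(days=7))[0]
    log = [  # constructed DNS query log
        f"2020-03-20T10:00:00Z host-17 query {sample_domain}",
        "2020-03-20T10:00:01Z host-22 query www.example.com",
    ]
    print(match_dns_log(log, blocklist))
```

Two properties make the takedown approach work and both show up here: the output depends only on (seed, date), so anyone holding the algorithm can run it ahead of the bots, and the resulting list is finite per day, so it can be reported to registries in bulk as the article describes.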
Evidence found by researchers suggests that the botnets were controlled by a single group. Of the eleven Necurs botnets discovered, four were found to be responsible for approximately 95% of all infections.
Necurs was first spotted rearing its ugly head in 2012. Over the years, the malware has been used to support a wide range of illegal activities, but its main function has been to deliver other malware.
Malware dropped by Necurs has included GameOver Zeus, Dridex, Locky and Trickbot, among others.
After infecting a system, Necurs is programmed to weaken its security to protect itself and make it easier for other malware to join the party. Using its kernel mode rootkit capabilities, the malware can disable a large number of security applications, including Windows Firewall.
Necurs botnets' activity stalled in March 2019, leaving an estimated 2 million infected systems around the world in a dormant state, awaiting revival. The year-long break was an unusually long period of inactivity for Necurs.
Describing Necurs' impact on the world, BitSight researchers wrote: "Its main uses have been as a spambot, a delivery mechanism for ransomware, financial malware and for running pump and dump stock scams.
"From 2016 to 2019, it was the most prominent method to deliver spam and malware by criminals and was responsible for 90% of the malware spread by email worldwide."
Asked how he planned to celebrate the historic botnet takedown, BitSight security researcher Valter Santos told Infosecurity Magazine: "BitSight will be getting back to work—we are tracking more than 200 billion events on a daily basis. There's more malware out there."