Chrome Zero-Day Vulnerability Exploited in Korea-Linked Attacks


Google on Thursday patched a Chrome zero-day vulnerability that has been exploited to deliver malware in a campaign that shares similarities with previous Korea-linked attacks.

Chrome 78.0.3904.87 for Windows, macOS and Linux patches two vulnerabilities. One of them is CVE-2019-13720, which Google has described as a high-severity use-after-free bug in the browser’s audio component. The tech giant says it’s aware of reports that the security flaw has been exploited in the wild.

The issue was reported to Google on October 29 by researchers from Kaspersky and it was patched quickly. The company says the update containing the fix should reach users in the coming days or weeks.

According to Kaspersky, the zero-day has been exploited in a campaign dubbed Operation WizardOpium. The company says it has not found any evidence that would allow it to confidently link the operation to a known threat actor.

However, some “very weak code similarities” suggest a possible connection to the Lazarus Group, a threat actor linked to North Korea. On the other hand, researchers believe these code similarities could be false flags meant to make attribution more difficult.

Kaspersky says one of the websites targeted by the hackers is reminiscent of earlier attacks attributed to DarkHotel, a threat group that has been known to target entities with an interest in North Korea and which some believe may be sponsored by South Korea.

“The profile of the targeted website is more in line with earlier DarkHotel attacks that have recently deployed similar false flag attacks,” Kaspersky said in a blog post.

According to the cybersecurity firm, the attackers compromised a Korean-language news website as part of a watering hole attack and abused it to deliver malware via the Chrome zero-day. The compromised website loads scripts designed to check visitors’ browser and operating system to determine if the Chrome vulnerability can be exploited for arbitrary code execution.

If the exploit is successful, an encrypted payload disguised as a harmless .jpg file is delivered to the victim. The payload is then decrypted and an executable file is dropped and run.

Kaspersky has only shared limited information about the malware, but revealed that it leverages the Windows Task Scheduler for persistence and its main module is designed to download other modules from a command and control (C&C) server.

In addition to the zero-day, the latest Chrome update fixes CVE-2019-13721, a high-severity use-after-free issue in the PDFium component. This vulnerability was reported to Google by a researcher who uses the online moniker banananapenguin on October 12 and it earned the hacker a $7,500 bounty.

CVE-2019-13720 is the second Chrome zero-day patched by Google this year. The first was CVE-2019-5786, which malicious actors exploited alongside a Windows zero-day.

Related: Chrome Zero-Day Exploited to Harvest User Data via PDF Files

Related: Google Discloses Actively Exploited Windows Vulnerability

Related: Zero-Day Used in the Wild Impacts Pixel 2, Other Android Phones


Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

21 Million Stolen Fortune 500 Credentials For Sale on Dark Web


There have been many studies and investigations into the number of stolen credentials available on the dark web. However, a new report that was just released is a bit different: it focuses on credentials belonging to global Fortune 500 organizations, and used machine learning (ML) techniques to clean and verify the collected data.

The results are more disturbing than usual: the study focuses on global corporations and the data has been cleaned, yet the numbers remain shocking. Geneva, Switzerland-based firm ImmuniWeb used the OSINT elements of its Discovery product to crawl the dark places used to correlate and sell stolen credentials, gathering what it could. It then used its own ML models to “find anomalies and spot fake leaks, duplicates or default passwords set automatically – that were excluded from the research data.”

Despite this cleaning, it found more than 21 million different credentials belonging to the Fortune 500 companies; more than 16 million of which were compromised during the last 12 months. It is worth stressing that these all have cleartext passwords that were either stolen in cleartext, or have subsequently been cracked by the hackers.

“These numbers are both frustrating and alarming,” commented Ilia Kolochenko, CEO and founder of ImmuniWeb. “Cybercriminals are smart and pragmatic, they focus on the shortest, cheapest and safest way to get your crown jewels. The great wealth of stolen credentials accessible on the Dark Web is a modern-day Klondike for mushrooming threat actors who don’t even need to invest in expensive 0day or time-consuming APTs.”

One of the most disturbing aspects of the discoveries is the large number of common and simple passwords. This would not be surprising from small companies with small or even no security teams — but is hard to understand in large corporations with the resources to train their staff and implement password management processes. This is worrying.

The password ‘password’ is among the top five most popular passwords in eight of the ten industry sectors included in the survey. It is not included within the technology sector. Here the most popular password is ‘passw0rd’ — and the fifth most popular is ‘password1’. Out of the 21 million collected credentials, only 4.9 million are genuinely unique passwords, clearly suggesting that even Fortune 500 companies have very weak password policies.

Use of weak passwords (defined by ImmuniWeb as being of 8 characters or less, or found in common dictionaries and therefore easy to brute force) is rampant. From the ten sectors, retail is the worst offender with 47.29% of the passwords being weak. The energy sector is best, but still at 32.56%. While the absolute numbers are shocking, the relative percentages cannot be assumed accurate for the full complement of Fortune 500 passwords. These are cleartext credentials. Strong and complex passwords may not have been cracked so will not appear in the figures, which are necessarily biased towards the weaker ones.

This doesn’t diminish the worrying aspects of the study — like an average of 11% of all passwords from each breach being identical; or 42% of all stolen passwords being somehow related either to the company name or the third-party website service from which they were stolen.
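To make the study's weakness criteria concrete, here is an added Python example (not ImmuniWeb's code) that audits a constructed credential sample against them: 8 characters or fewer, a common-dictionary hit, or a password that embeds the company name or the name of the site it was stolen from, plus the password-reuse figure the report highlights. The wordlist, the company name and the records are constructed assumptions.

```python
"""Audit leaked credentials against the weakness criteria described in the
ImmuniWeb study.  Added example with constructed data; not ImmuniWeb's code."""
import re
from collections import Counter

# Constructed stand-in for a "common dictionary" wordlist (assumption).
COMMON_PASSWORDS = {
    "password", "passw0rd", "password1", "123456", "qwerty",
    "letmein", "welcome", "admin", "iloveyou", "abc123",
}

# Undo the simplest leetspeak substitutions before comparing.
LEET = str.maketrans("0134@$", "oleaas")


def normalize(text: str) -> str:
    """Lower-case, map common leet digits to letters, keep letters only."""
    return re.sub(r"[^a-z]", "", text.lower().translate(LEET))


def name_tokens(name: str) -> list:
    """Split 'Acme Corp' or 'shop.example' into normalized tokens of 4+ letters."""
    parts = re.split(r"[^A-Za-z0-9]+", name)
    return [t for t in (normalize(p) for p in parts) if len(t) >= 4]


def weakness_reasons(password: str, company: str, source_site: str) -> list:
    """Return the criteria a password fails; an empty list means 'not flagged'."""
    reasons = []
    if len(password) <= 8:
        reasons.append("short")
    if password.lower() in COMMON_PASSWORDS or normalize(password) in COMMON_PASSWORDS:
        reasons.append("dictionary")
    norm = normalize(password)
    if any(tok in norm for tok in name_tokens(company) + name_tokens(source_site)):
        reasons.append("related")
    return reasons


def audit(records: list, company: str) -> dict:
    """records: (email, cleartext password, site it was stolen from) triples."""
    total = len(records)
    pw_counts = Counter(pw for _, pw, _ in records)
    reasons = Counter()
    weak = 0
    for _email, pw, site in records:
        failed = weakness_reasons(pw, company, site)
        if failed:
            weak += 1
            reasons.update(failed)
    # Records whose password also appears in another record (the "identical" share).
    reused = sum(c for c in pw_counts.values() if c > 1)
    return {
        "total": total,
        "unique_passwords": len(pw_counts),
        "weak": weak,
        "weak_pct": round(100.0 * weak / total, 2) if total else 0.0,
        "reused_records": reused,
        "reasons": dict(reasons),
        "top_passwords": pw_counts.most_common(3),
    }


# Constructed sample dump for a fictional company; not real data.
SAMPLE_CREDENTIALS = [
    ("a.smith@acme.example", "password", "forum.example"),
    ("b.jones@acme.example", "Acme2019!", "forum.example"),
    ("c.lee@acme.example", "Tr0ub4dor&3", "forum.example"),
    ("d.kim@acme.example", "passw0rd", "shop.example"),
    ("e.ng@acme.example", "shopexample1", "shop.example"),
    ("f.ali@acme.example", "X7#qLm9vRt2w", "shop.example"),
    ("g.roy@acme.example", "letmein", "shop.example"),
    ("h.wu@acme.example", "password", "jobs.example"),
    ("i.ivanov@acme.example", "Summer2019", "jobs.example"),
    ("j.chen@acme.example", "Welcome1", "jobs.example"),
]

if __name__ == "__main__":
    for key, value in audit(SAMPLE_CREDENTIALS, "Acme Corp").items():
        print(f"{key}: {value}")
```

Note that a password such as "Summer2019" passes all three criteria, which illustrates the caveat in the text: the study's definition of "weak" is a floor, not a measure of real strength.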

Two interesting discoveries in the study are the number of credentials that have been exposed via breaches of adult-oriented websites, and the relationship between phishing websites and the companies breached.

Technology, financial and energy are the most common sectors with stolen credentials coming via adult websites. Here, the surprise is not the source, but that users have used their business accounts rather than separate personal accounts to log in. “There is no clear answer to this,” Ilia Kolochenko, CEO and founder of ImmuniWeb, told SecurityWeek. But he noted that “with the Ashley Madison and AdultFriendFinder breaches, many .gov and .gov.uk emails figured amid their users.”

The second discovery is a statistical relationship between criminal phishing infrastructures and the stolen credentials. “The number of squatted domains and phishing websites per organization is proportional to the total number of exposed credentials,” says the report. “The more illegitimate resources exist, the more credentials can be found for the organization’s personnel.”

Statistically, this suggests that concerted efforts to phish a company will succeed. “I think there is a traceable nexus between cybersecurity hygiene (e.g. less vulnerable websites, timely removed phishing pages, decent SSL encryption, etc) and the data breaches,” Kolochenko told SecurityWeek. “Careless and negligent companies likely have weaker password policies, no or immature vendor risk management, nascent security awareness among its employees, and so on. All this boosts their chances to get hacked directly or via third parties.”

This report is full of facts and statistics on stolen credentials, but very light on any interpretation of those facts — even the basic implication that Fortune 500 companies have much to learn and do on their password policies. This is by design. “I would not make definitive conclusions based on the data,” Kolochenko told SecurityWeek. “First of all, many data breaches have never been detected and probably never will be; hence any research will miss some data. Moreover, one’s interpretations may consider a wide spectrum of factors but miss an essential one thereby rerouting causation into the wrong direction. Many illuminating assumptions can be made on the data, and we are keen to hear from the industry how they would construe the data.”

Related: Can You Trust Security Vendor Surveys?

Related: California to Ban Weak Passwords

Related: Why User Names and Passwords Are Not Enough


Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.


Source: 21 Million Stolen Fortune 500 Credentials For Sale on Dark Web

Some ICS Security Incidents Resulted in Injury, Loss of Life: Survey


ATLANTA — SECURITYWEEK 2019 ICS CYBER SECURITY CONFERENCE — Some of the recent cybersecurity incidents involving industrial control systems (ICS) have resulted in injury and even loss of life, according to a survey conducted by Control Systems Cyber Security Association International (CS2AI).

CS2AI is a non-profit organization focused on the growth and expansion of networking opportunities and professional development of everyone involved in the field of control systems cybersecurity. The organization, which currently has over 16,000 members worldwide, is conducting a yearly analysis of the state of ICS cybersecurity through a survey that aims to help answer key questions on how critical systems can be best protected.

Roughly 300 individuals responsible for the cybersecurity of industrial and automation systems have already taken the survey and CS2AI will publish a complete report next month, but some of the data collected so far was presented this week at SecurityWeek’s 2019 ICS Cyber Security Conference in Atlanta. The survey can be taken at any time and the data collected after the first report is published will be used for the next report.

Some of the experts present at the ICS Cyber Security Conference pointed out that many industrial organizations still don’t take cybersecurity seriously, often arguing that they haven’t been or they are unlikely to be targeted by malicious actors.

However, the survey shows — assuming that the respondents answered truthfully — that OT security incidents can have serious consequences when they do occur.

When asked about the impact of ICS security incidents experienced in the past 12 months, roughly 1% of respondents admitted that it resulted in injury and 1% said the incident led to loss of life.

There is no additional information on this handful of incidents as the data was mostly collected anonymously — respondents are given the option to provide their information if they want to register for the opportunity to win a prize.

Approximately a quarter of respondents said the incident led to operational disruptions, and many could not provide an answer due to organizational policies.

Malware-infected removable media drives were named as an attack vector by 34% of respondents, and nearly as many named email (e.g. phishing). Sixteen percent named hardware or software pre-infected with malware, 12% blamed third-party websites (e.g. watering hole attacks), and 10% blamed infected or compromised mobile devices for the incident suffered by their organization. Physical security breaches and Wi-Fi compromise were also named by some respondents.

Some organizations have admitted having control systems accessible directly from the internet, including PLCs, HMIs, servers, workstations and historians.

ICS components accessible from the internet

Of all the respondents, 45% have an operational role, followed by individuals in management (20%), leadership (18%) and executive roles (17%). Nearly half of the respondents are from North America and a quarter are from Europe, with the rest representing the APAC, Middle East and Latin America regions.

The top priority of many organizations is risk assessment and management, followed by network perimeter security, and business continuity. Cloud security is at the bottom of the chart and is a priority to only a handful of industrial organizations.

ICS cyber security priorities

When asked about the obstacles in remediating or mitigating ICS vulnerabilities, the most common answer was insufficient expertise, followed by insufficient personnel, operational requirements (e.g. flaws cannot be addressed due to mandatory uptime), insufficient financial resources, and insufficient support from leadership.

The full report from CS2AI will also present data on spending and budgets, awareness training, organizational plans, cybersecurity programs, and security assessments.

Related: Outdated OSs Still Present in Many Industrial Organizations

Related: Many ICS Vulnerability Advisories Contain Errors

Related: Organizations Investing More in ICS Cyber Security


Source: Some ICS Security Incidents Resulted in Injury, Loss of Life: Survey

DDoS Attack Hits Amazon Web Services


Amazon Web Services (AWS) customers experienced service interruptions yesterday as the company struggled to fight off a distributed denial-of-service (DDoS) attack.

As part of such an assault, attackers attempt to flood the target with traffic, which would eventually result in the service being unreachable.

While customers were complaining of their inability to reach AWS S3 buckets, on its status page yesterday the company revealed that it was having issues with resolving AWS Domain Name System (DNS) names.

The issues, AWS said, lasted for around 8 hours, between 10:30 AM and 6:30 PM PDT. A very small number of specific DNS names, the company revealed, experienced a higher error rate starting 5:16 PM.

While reporting on Twitter that it was investigating reports of intermittent DNS resolution errors with Route 53 and external DNS providers, Amazon also sent notifications to customers to inform them of an ongoing DDoS attack.

“We are investigating reports of occasional DNS resolution errors. The AWS DNS servers are currently under a DDoS attack. Our DDoS mitigations are absorbing the vast majority of this traffic, but these mitigations are also flagging some legitimate customer queries at this time,” AWS told customers.

The company also explained that the DNS resolution issues were also intermittently impacting other AWS Service endpoints, including ELB, RDS, and EC2, given that they require public DNS resolution.

During the outage, AWS was redirecting users to its status page, which currently shows that all services are operating normally.

One of the affected companies was Digital Ocean, which has had issues with accessing S3/RDS resources inside Droplets across several regions starting October 22.

“Our Engineering team is continuing to monitor the issue impacting accessibility to S3/RDS/ELB/EC2 resources across all regions,” the company wrote on the incident’s status page at 23:25 UTC on Oct 22.

Accessibility to the impacted resources has been restored, but it was still monitoring for possible issues, the company announced yesterday.

Related: Compromised AWS API Key Allowed Access to Imperva Customer Data

Related: AWS S3 Buckets Exposed Millions of Facebook Records

Related: Mirai-Based Botnet Launches Massive DDoS Attack on Streaming Service


Source: DDoS Attack Hits Amazon Web Services

Malicious Code on Mission Health Store Website Undetected for 3 Years


Malicious code embedded on Mission Health’s store website directed payment information to an unauthorized individual and went undetected for three years, according to local news outlet ABC13 WLOS.

According to officials, the malicious code was installed in March 2016 and was not discovered until June 2019. The North Carolina health system recently began mailing notification letters to patients. However, there is no notice about the security incident displayed on the website.

The incident only impacted the online store designed for patients to purchase health products, either store.mission-health.org or shopmissionhealth.org. Attempts to reach the site are met with the message: “The server is temporarily unable to service your request due to maintenance downtime or capacity problems. Please try again later.”

Mission Health took those sites offline and is currently completely rebuilding the sites.

The notification letter stressed that the hacker did not have access to medical records. But credit card information could have been stolen at any time during the impacted timeframe. Officials did not explain how the incident went undetected for three years.

Philadelphia Department of Health Website Misconfiguration

The Philadelphia Department of Public Health recently began notifying certain patients that their data was potentially exposed due to a misconfiguration of its opioid data website, according to local news outlet Philadelphia Inquirer.

The agency created a public tool designed to track the prevalence of hepatitis infections. However, the tool left patient information exposed to the public, including names, Social Security numbers, dates of birth, contact details, test results, and other sensitive health information of thousands of Philadelphia residents. The data was primarily related to positive test results for hepatitis B and C, for patients between 2013 and 2018.

An Inquirer reporter actually discovered the breach and notified the department. The data was removed shortly after officials were notified, but there’s no indication of how long the data was exposed.

“We deeply regret the inadvertent exposure of personal health information on our website,” said Thomas Farley, Philadelphia’s health commissioner, in a statement. “We will conduct a thorough investigation of this incident, attempt to determine if any confidential information was accessed by others, take appropriate corrective actions, and do everything we can to protect the privacy and security of personal information.”

Officials are currently investigating the incident to determine the scope and whether the data was accessed during the misconfiguration.

Ransomware Attack Impacts Magnolia Pediatrics

Louisiana-based Magnolia Pediatrics fell victim to a ransomware attack in August, which potentially impacted some patient data.

The attack began August 23 and encrypted patient data stored on the network. An investigation led by a third-party computer technology vendor showed the hacker did not exfiltrate any patient information during the attack. But officials are notifying patients of the incident, out of an abundance of caution.

The virus encrypted patient information including names, dates of birth, contact details, insurance information, Social Security numbers, medical record numbers, and other clinical data, like medical histories, medications, and diagnoses.

Magnolia contacted the FBI and is currently working with its team on the ongoing investigation. Officials said they are also implementing improved security features to prevent a recurrence.

Monterey Health Center Ransomware Attack

Monterey Health Center recently began notifying patients that the Milwaukie, Oregon-based provider experienced a ransomware attack that potentially compromised patient information.

On August 12, Monterey Health’s electronic medical records system was encrypted with ransomware. The server stored patient data, so officials worked quickly to restore access to the information to ensure patient care was not disrupted.

Assisted by a third-party vendor, Monterey Health was able to successfully restore the data. A forensic investigator determined no data was exfiltrated during the security incident. But officials said they could not rule out unauthorized access to data.

The server contained patient information such as names, driver’s licenses, financial account information, Social Security numbers, medications, dates of birth, diagnoses, treatments, health insurance information, and/or claims data.

The provider is continuing to work with its third-party team to bolster its security and will take steps to improve its security processes.

Source: Malicious Code on Mission Health Store Website Undetected for 3 Years

Hackers Targeting Healthcare with Social Engineering, Email Spoofing


Hackers are increasingly targeting the healthcare sector through sophisticated malicious emails, rather than just focusing on vulnerable infrastructure, according to a recent Proofpoint report.

In the past year, nearly all healthcare organizations (95 percent) targeted by hackers saw emails spoofing their trusted domain. All organizations experienced domain spoofing to target their patients and business partners.

What’s more, targeted healthcare organizations received about 43 imposter emails during the first quarter of 2019, a 300 percent increase over the same period in 2018. About 55 percent of imposter emails used subject lines like payment, request, urgent, or other related terms.

Imposter emails are designed to mimic messages sent from a person the user knows or can trust. These emails don’t typically use malware, malicious attachments, or other phishing techniques. Researchers explained that attackers leverage social engineering attacks to trick the user into doing something the hacker wants, such as transferring money or sending sensitive information.

“These attacks can be hard to detect because they don’t exploit technical vulnerabilities. They target human nature,” researchers explained. “Social engineering is all about exploiting people. That’s why stopping it requires a cyber defense focused on people, not technology.”


“The average impostor attack spoofed (posed as) 15 healthcare staff members on average across multiple messages,” they added. “Nearly half of healthcare organizations were targeted in attacks that spoofed at least five identities; about 40 percent were targeted in attacks that spoofed two to five identities.”

Researchers explained that healthcare organizations need to stop these social engineering attempts from reaching intended targets, in addition to training employees to spot and report any attempts that make it through to the user’s inbox.

For each healthcare organization targeted by malicious emails, 65 staff members were targeted during the campaign in the first quarter of 2019. The report showed that high-ranking employees were not always the main target. Hackers also sought those with access to the right data, people, or systems.

“In other cases, it’s someone with a public-facing email address,” researchers wrote. “These can include shared accounts and email aliases, which are usually permanent, forward email to several recipients, and hard to secure with multifactor authentication.”

“Users’ vulnerability starts with users’ digital behavior – how they work and what they click,” they continued. “Some employees may work remotely or access company email through their personal devices. They may use cloud-based file storage and install third-party add-ons to their cloud apps. Or they may be especially receptive to attackers’ email phishing tactics.”


Hackers disproportionately target those employees with the most visible email addresses, including shared email accounts. Researchers explained this was likely amplified by factors such as public-facing contact information, long tenure, email addresses leaked in an earlier data breach, and other profiled information.

Researchers noted these “very attacked people” for healthcare providers included clinicians, research teams, and administrative staff. For insurers, hackers targeted customer support, sales, administrative staff, and IT teams. And for pharmaceuticals, attackers targeted executives, public relations, or supply chain.

To fend off these attacks, healthcare organizations should adopt a people-centered security posture: evaluate the risk each user represents, how they’re targeted, what data they have access to, and how prone they are to falling victim to targeted attacks.

Users should be trained to detect malicious emails and report them to the security team. The researchers recommended training users with simulated attacks that mimic real-world techniques, while looking for solutions that recognize current trends and the latest threat intelligence.

However, it should be assumed that users will eventually open these malicious emails, so organizations also need technology able to detect and block email threats that target employees to keep the threat out of the inbox.


Organizations should also invest in email fraud defense technology, based on custom quarantine and blocking policies. Researchers stressed the tool should analyze both external and internal email, as hackers can use compromised accounts to trick users within the same organization.

Other recommendations include isolating risky websites and URLs and partnering with a threat intelligence vendor.

“Today’s attacks target people, not just technology,” researchers wrote. “They exploit the human factor: healthcare workers’ natural curiosity, acute time constraints and desire to serve. Protecting against these threats requires a new, people-centered approach to security.”

“Few industries can claim a mission more critical, data more sensitive, or operations more complex than healthcare. Unfortunately, few industries are finding it more challenging to keep it all protected,” they added.

Source: Hackers Targeting Healthcare with Social Engineering, Email Spoofing