Updated: May 18
In the Spotlight This Week
US imposes sanctions on Russia over SolarWinds cyber attacks
NIST releases cybersecurity guide for the hospitality industry
Tax email scam bypasses Google Workspace security configurations
Global dwell time drops as ransomware attacks accelerate
New DNS vulnerabilities threaten millions of devices
Facebook mistakenly runs ‘Clubhouse’ ads ridden with malware
The US has imposed sanctions on Moscow, accusing Russian intelligence of the 2020 “SolarWinds” attack and of interference in the 2020 election. Russia denies all the allegations and says it will respond in kind.
The sanctions reaffirm the US administration's view that the Russian government is behind cyber-attacks and has been trying to "undermine the conduct of free and fair democratic elections" in the US and allied nations. It specifically blames Russia's foreign intelligence service, the SVR, for the SolarWinds attack, which gave cyber-criminals access to 18,000 government and private computer networks.
A practical cybersecurity guide from the National Institute of Standards and Technology (NIST) has been released to help hotel owners reduce the risks around a highly vulnerable and attractive target for hackers: the hotel property management system (PMS), which stores guests’ personal information and credit card data.
The three-part guide shows an approach to securing a PMS, offering how-to guidance using commercially available products, allowing hotel owners to control and limit access to their PMS and protect guest privacy and payment card information.
In recent years attackers have compromised the networks of several major hotel chains, exposing the information of hundreds of millions of guests. According to a recent industry report, hospitality ranked third among industries compromised by cybersecurity breaches in 2019, and the industry suffered 13% of the total incidents.
A W-2 tax email scam is circulating in the U.S. using Typeform, a popular online survey and form-building service. The campaign is aimed at harvesting victims’ email account credentials, researchers said. According to Armorblox, the campaign also bypassed native Google Workspace email security filters in the victim organisations it examined.
The links included in the emails purport to lead to a document called “2020_TaxReturn&W2.pdf,” researchers found. Instead, the links take users to a Typeform page where victims are asked to enter their email account credentials before being granted access to the file.
In their 2021 M-Trends threat report, Mandiant researchers note the global median dwell time, or the number of days an attacker is in an environment before detection, has fallen to 24 days. While median dwell time has consistently dropped from 416 days in 2011, this year's number marks a notable drop, says Steven Stone, senior director of advanced practices at Mandiant.
This decline could be explained by several factors, including continued improvement in threat detection capabilities, new policies, and higher security budgets. However, the attack landscape plays a critical role. As dwell time dropped last year, the number of ransomware cases rose: Twenty-five percent of Mandiant investigations involved ransomware, a sharp increase from 14% in 2019.
This suggests a worrying trend even as attackers spend less time inside their victims' networks: ransomware attacks have a shorter dwell time by nature, and as they grow more common and efficient they shrink the average time frame for all attacks.
Forescout Research Labs, in partnership with JSOF, disclosed a new set of DNS vulnerabilities, dubbed NAME:WRECK. These vulnerabilities affect four popular TCP/IP stacks – namely FreeBSD, IPnet, Nucleus NET and NetX – which are commonly present in well-known IT software and popular IoT/OT firmware.
These vulnerabilities have the potential to impact millions of IoT devices around the world. FreeBSD is used for high-performance servers in millions of IT networks, including major web destinations such as Netflix and Yahoo. Meanwhile, IoT/OT firmware such as Siemens’ Nucleus NET has been used for decades in critical OT and IoT devices.
The NAME:WRECK vulnerabilities potentially impact organisations across all sectors, including government, enterprise, healthcare, manufacturing and retail. More than 180,000 devices in the U.S. and more than 36,000 devices in the UK are believed to be affected. If exploited, the flaws could let bad actors take target devices offline or assume control of their operations.
TechCrunch was alerted Wednesday to Facebook ads tied to several Facebook pages impersonating Clubhouse, the drop-in audio chat app only available on iPhones. Clicking on the ad would open a fake Clubhouse website, including a mocked-up screenshot of what the non-existent PC app looks like, with a download link to the malicious app.
When opened, the malicious app tries to communicate with a command and control server to obtain instructions on what to do next. One sandbox analysis of the malware showed the malicious app tried to infect the isolated machine with ransomware.
But overnight, the fake Clubhouse websites, which were hosted in Russia, went offline, and with them the malware stopped working. Guardicore’s Amit Serper, who tested the malware in a sandbox on Thursday, said the malware received an error from the server and did nothing more.
It’s not uncommon for cybercriminals to tailor their malware campaigns to piggyback off the successes of wildly popular apps. Clubhouse reportedly topped more than 8 million global downloads to date despite an invite-only launch. That high demand prompted a scramble to reverse-engineer the app to build bootleg versions of it to evade Clubhouse’s gated walls, but also government censors where the app is blocked.