Cyber Security Headlines: Disneyland phishing, Ukraine’s IT army in action, NSA goes low-key with private researchers

Disneyland phishes with Punycode

The internet standard Punycode allows browsers to render domain names in Cyrillic and other non-Latin alphabets. But it’s also being used to aid in phishing campaigns. Security researcher Brian Krebs highlighted its use by the financial cybercrime group Disneyland Team in phishing campaigns. The group uses diacritic marks under letters produced by Punycode to register domains that otherwise look very close to banking sites, where users might not notice a small mark or think it was something on their screen. Alex Holden of Hold Security obtained access to a control panel used by the group, and found it operated dozens of these phishing domains throughout 2022. The group uses the domains to perform man-in-the-middle attacks against banking sites, obtaining passwords and any multi-factor authentication codes the user tries to log in with. 

(Krebs on Security)

The effectiveness of Ukraine’s IT army

At the G20 Summit’s “Digital Transformation” panel, Ukrainian President Volodymyr Zelensky said the country’s “IT army” successfully stopped over 1,300 Russian cyberattacks since the start of Russia’s invasion. He also pointed to lessons other countries could adopt to deal with modern cyber warfare. This ranged from shifting to cloud-hosted public registers to keep up benefits to those displaced by the war, to how it kept its Diia state site operational with over 100 contactless public services. This allowed Ukraine to keep offering things like digital passports, tax services, and other critical infrastructure . 

(Dark Reading)

NSA seeks to lower barriers to work with private sector

CyberScoop profiled the NSA’s Cybersecurity Collaboration Center, which is the agency’s attempt to create an environment to reduce bureaucratic barriers to working with private sector security researchers. Typically the NSA’s cyber teams operate out of Fort Meade in a highly secured area. In contrast, the Collaboration Center operates out of an unsecured suburban office park in Maryland. The center works with over 250 partner organizations and facilitates over 10,000 “analytic exchanges” with outside analysts in 2022. Director Morgan Adamski said this facilitates quick exchanges between NSA staff and outside threat researchers that can pay huge dividends. 

(CyberScoop)

Researchers find flaws in new space networking standard

NASA successfully launched its Orion spacecraft. Among the notable things about it, it’s the first spacecraft to rely on time-triggered Ethernet, or TTE for mixed-criticality traffic over a single network. It’s key for spacecraft networks to prioritize navigational or safety data while being able to deprecate non-critical flows. In the past spacecrafts maintained separate networks for critical and non-critical traffic. However, researchers at the University of Michigan, the University of Pennsylvania, and NASA’s Johnson Space Center published a paper showing an approach called PCspooF, which can break TTE’s traffic isolation guarantees. This would allow a single non-critical device to disrupt communications between other TTE devices. This could lead to “uncontrolled maneuvers that threaten safety and mission success.” The attack requires a small 2.5cm square printed circuit board physically on the spacecraft. NASA said its aware of the findings and taking proactive measures to mitigate it.

(Ars Technica)

Thanks to today’s episode sponsor, AppOmni

Can you name all the third party apps connected to your major SaaS platforms like Salseforce and Microsoft? What about the data these apps can access? After all, one compromised third party app could put your entire SaaS ecosystem at risk. 

With AppOmni, you get visibility to all third party apps, including which end users have enabled them, and the level of data access they’ve been granted. Visit AppOmni.com to request a free risk assessment.

Twitter to relaunch Blue subscriptions

Twitter owner Elon Musk announced that Twitter Blue subscriptions will relaunch on November 29th in order “to make sure that it is rock solid.” The company removed signup for the revamped subscription on November 11th after a not-so-rock-solid debut led to many verified accounts impersonating brands and people. To combat this behavior, Musk said changing your verified name will cause a loss of the blue verified check mark until it is confirmed by Twitter. After the company laid off roughly 8,000 employees and contractors, it’s unclear what capacity it will have for this kind of confirmation. No word on if Twitter will keep the subscription iOS only or add Android support. 

App researcher Jane Manchun Wong also reported that source code for Twitter for Android mentions “encryption keys.” This indicates the platform plans to introduce end-to-end encrypted direct messages. 

(The Verge, Bleeping Computer)

DuckDuckGo expands App Tracking Protection

The makers of the privacy-focused search engine launched a public beta of its App Tracking Protection feature on Android. The feature began as a waitlisted limited beta of the feature last year. When enabled, the feature blocks third-party trackers in apps even when not actively being used. DuckDuckGo maintains a blocklist of trackers for the feature. Since launching it last year, it reduced the number of excluded trackers by 50%. DuckDuckGo claims the typical Android users maintains 35 apps on their phone and can experience up to 2,000 tracking attempts from over 70 different tracking companies per day. 

(The Verge)

Ten new ransomware families on the scene in the last six months 

That finding comes from Ivanti’s “Ransomware Report from Q2/Q3.” Overall, those ten new families led to a total of 170 documented ransomware families actively seeking to exploit targets. It also found some troubling gaps in ransomware prevention. 18 ransomware vulnerabilities did not get surfaced by popular scanners. The rise in ransomware vulnerabilities also saw a lag in government response, with 124 vulnerabilities not added to CISA’s mandatory patch list. The report corroborates anecdotal reports that healthcare, energy, and critical manufacturing remain the most targeted industries. 

(Dark Reading)

Google announces rollout for Android Privacy Sandbox

The search giant announced its Android Privacy Sandbox back in February, designed to provide more private advertising solutions to mobile devices. Now the company says an initial beta will come to Android 13 devices early next year. Developers need to enroll for the beta, which will see them verify their identity. Once enrolled, developers will gain access to new ad-related APIs and start testing with their apps on their own devices. Google says it hopes the Privacy Sandbox will allow developers to remain profitable with their current business models while letting consumers reduce being tracked across sites without consent. 

(InfoSecurity Magazine)

Rich Stroffolino is a podcaster, editor and writer based out of Cleveland, Ohio. He's spent the past five years creating media for technology enthusiasts and IT practitioners. He dreams of someday writing the oral history of Transmeta.