.png)
New phishing attack uses Morse code to hide malicious URLs
A novel new phishing approach uses a fake invoice email complete with an HTML spreadsheet attachment that includes the victim company’s name in the file name for greater credibility. The malicious script, written in Morse code is located within the HTML code of the spreadsheet along with a decodeMorse() instruction that converts it back into JavaScript. This then generates a realistic looking Microsoft session time-out screen, complete with the victim company’s logo, retrieved from logo.clearbit. Once a user enters their password, the form will submit the password to a remote site where the attackers can collect the login credentials. According to Bleeping Computer, this is the first recorded instance of the use of Morse code in this fashion.
Hacked by SolarWinds, Mimecast lays off staff despite record profits
Last month, email security company Mimecast revealed that one of its cryptographic certificates had been purloined by the same team that smuggled a hidden backdoor into SolarWinds’ Orion network monitoring software. Mimecast offers security services that plug into Microsoft 365 accounts. Only ten of its 36,000 customers were affected by the attack, and its recent financial results announced profits of $10.8M, way up from $200,000 a year ago. Despite this, it has announced it will be trimming 4 percent of its workforce to focus on strategic growth.
Activists complain of weakened voting security standard
The US federal agency overseeing election administration has quietly tweaked a key element of proposed security standards for voting systems, removing language that would ban any voting machines that had wireless modems or chips. This has raised concern among voting-integrity experts and computer security specialists who suggest the mere presence of such wireless hardware poses risks. The election administration officials state that their rules require manufacturers disable wireless functions present in any machines, although the wireless hardware can remain.
FDA appoints its first acting director of medical device cybersecurity
The U.S. Food and Drug Administration has appointed Kevin Fu to fill this role through its Center for Devices and Radiological Health. Mr. Fu has been an associate professor of electrical engineering and computer science at the University of Michigan since 2013, and has been an adviser to a range of government agencies including the National Institute of Standards and Technology. His key priorities are medical device safety, imparting security training to manufacturers of both IoT and medical devices, and ensuring software security experts start to be included in the process of building cybersecurity into the design of medical devices, which the currently are not.
(CISOMag)
Thanks to our episode sponsor Altitude Networks
Zoom bombing is often an inside job
Research conducted jointly by Boston University and Binghamton University reveal that the scourge of zoom-bombing, in which trolls join and vandalize a video chat, is often due to legitimate participants sharing log on and password details specifically to invite the trolls in. The research recognized that there are other situations in which hackers may join a call or even brute-force the password, but they state that in many cases, especially in education related chats and lessons, the cause is students who seek to disrupt a class, thus rendering password-protection and waiting rooms completely useless.
(Wired)
Google Chrome sync feature can be abused for command-and-control and data exfiltration
Threat actors have discovered they can abuse the Google Chrome sync feature to send commands to infected browsers and steal data from infected systems, bypassing traditional firewalls and other network defenses. Chrome sync is a feature of the Chrome web browser that stores copies of a user’s Chrome bookmarks, browsing history, passwords, and browser and extension settings on Google’s cloud servers. Researchers state that since the commands and stolen data are sent via Chrome’s infrastructure, they would not be inspected or blocked by most corporate networks.
(ZDNet)
Social media giants crack down on account thieves
Facebook, Instagram, TikTok, and Twitter have taken steps to crack down on groups who traffic in hijacked user accounts across their platforms. The coordinated action seized hundreds of accounts belonging to companies that broker or trade in compromised and highly sought-after usernames. Facebook representatives told KrebsOnSecurity that it has seized hundreds of accounts, mainly on Instagram, that were stolen from legitimate users by intimidation, harassment, hacking, SIM swapping, and swatting. Although this highly lucrative crime is not new, the social media companies express increasing concern about the public’s use of SMS messaging for 2FA, including for email password reset as this has been shown to be one of the primary paths toward compromise.
Plex Media servers are being abused for DDoS attacks
Security firm NetScout has announced that DDoS-for-hire services have found a way to abuse Plex Media servers to bounce junk traffic and amplify distributed denial of service (DDoS) attacks. As a web application for Windows, Mac, and Linux usually used for video or audio streaming and multimedia asset management, Plex Media Server now shares this unwanted distinction as a DDoS mule with the Windows Remote Desktop Protocol that NetScout announced in January. There are currently 27,000 Plex Media servers exposed online that could be abused for DDoS attacks.
(ZDNet)
