New phishing attack uses Morse code to hide malicious URLs

A novel phishing approach uses a fake invoice email with an HTML spreadsheet attachment whose file name includes the victim company’s name for greater credibility. The malicious script, written in Morse code, is located within the HTML code of the spreadsheet along with a decodeMorse() instruction that converts it back into JavaScript. This then generates a realistic-looking Microsoft session time-out screen, complete with the victim company’s logo, retrieved from logo.clearbit. Once a user enters their password, the form submits it to a remote site where the attackers can collect the login credentials. According to Bleeping Computer, this is the first recorded instance of the use of Morse code in this fashion.

(Bleeping Computer)
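The item above describes an attachment that carries its payload as Morse code and decodes it at render time. The following is an added example written for this page, not code from the article, from Bleeping Computer, or from any product named here: a defender-side scanner that pulls runs of dots and dashes out of an HTML attachment, decodes them with the standard International Morse table, and reports any run whose decoded text contains script-like keywords. The keyword list, the eight-token threshold, and the sample attachment are all constructed for the demonstration; the article does not say which symbol mapping the real attachment used, so a custom mapping would need its own table.

```javascript
// Added example, not code from the article or from any product it names: a
// defender-side scanner that finds runs of Morse code inside an HTML attachment,
// decodes them with the International Morse table, and flags decoded text that
// contains script-like keywords. The keyword list, the threshold and the sample
// attachment below are constructed for this demonstration.

const MORSE_TO_CHAR = {
  ".-": "A", "-...": "B", "-.-.": "C", "-..": "D", ".": "E", "..-.": "F",
  "--.": "G", "....": "H", "..": "I", ".---": "J", "-.-": "K", ".-..": "L",
  "--": "M", "-.": "N", "---": "O", ".--.": "P", "--.-": "Q", ".-.": "R",
  "...": "S", "-": "T", "..-": "U", "...-": "V", ".--": "W", "-..-": "X",
  "-.--": "Y", "--..": "Z",
  "-----": "0", ".----": "1", "..---": "2", "...--": "3", "....-": "4",
  ".....": "5", "-....": "6", "--...": "7", "---..": "8", "----.": "9",
  ".-.-.-": ".", "--..--": ",", "..--..": "?", ".----.": "'", "-.-.--": "!",
  "-..-.": "/", "-.--.": "(", "-.--.-": ")", ".-...": "&", "---...": ":",
  "-.-.-.": ";", "-...-": "=", ".-.-.": "+", "-....-": "-", "..--.-": "_",
  ".-..-.": "\"", ".--.-.": "@",
};

// Runs with fewer tokens than this are treated as ordinary punctuation ("..."
// or "--"), not as an encoded payload. Assumed threshold; tune for your mail flow.
const MIN_TOKENS = 8;

// Decoded text containing any of these is reported as suspicious. Illustrative
// list only; a real deployment would extend it.
const SCRIPT_MARKERS = ["SCRIPT", "EVAL", "DOCUMENT", "WINDOW", "FUNCTION",
  "UNESCAPE", "FROMCHARCODE", "HTTP"];

// A run is a stretch of dots, dashes, spaces and slashes that begins and ends
// with a dot or dash. Only runs that are long enough and whose every token is a
// valid Morse symbol are returned, which keeps prose punctuation out of the report.
function extractMorseRuns(text, minTokens = MIN_TOKENS) {
  const runs = [];
  const re = /[.\-][.\- \/]*[.\-]/g;
  let match;
  while ((match = re.exec(text)) !== null) {
    const tokens = match[0].split(/[\s\/]+/).filter(Boolean);
    if (tokens.length >= minTokens && tokens.every((t) => t in MORSE_TO_CHAR)) {
      runs.push(match[0]);
    }
  }
  return runs;
}

// Letters are separated by one space, words by " / " or by three or more spaces.
// Unknown symbols decode to "?" rather than aborting the scan.
function decodeMorseRun(run) {
  return run
    .trim()
    .split(/\s*\/\s*|\s{3,}/)
    .map((word) => word.trim().split(/\s+/).map((t) => MORSE_TO_CHAR[t] ?? "?").join(""))
    .join(" ");
}

// Decode every qualifying run and attach the keywords that make it suspicious.
function scanAttachment(html) {
  return extractMorseRuns(html).map((run) => {
    const decoded = decodeMorseRun(run);
    const markers = SCRIPT_MARKERS.filter((k) => decoded.includes(k));
    return {
      tokens: run.split(/[\s\/]+/).filter(Boolean).length,
      decoded,
      markers,
      suspicious: markers.length > 0,
    };
  });
}

// Constructed sample attachment: one short run (ignored), one benign run, and
// one run that decodes to a script keyword next to the decodeMorse() call the
// article describes (the call is only text inside the sample, nothing runs it).
const SAMPLE_HTML = [
  "<html><body><table><tr><td>Invoice 4471</td><td>Due in 30 days</td></tr></table>",
  "<p>Ref: ... --- ...</p>",
  '<div id="note">.... . .-.. .-.. --- / .-- --- .-. .-.. -..</div>',
  '<script>var m = "-.. --- -.-. ..- -- . -. - .-.-.- .-- .-. .. - ."; decodeMorse(m);</script>',
  "</body></html>",
].join("\n");

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(scanAttachment(SAMPLE_HTML), null, 2));
}
```

Run with `node scan.js` to see the two reported runs: the benign one decodes to "HELLO WORLD" and is not flagged, the one inside the script tag decodes to "DOCUMENT.WRITE" and is flagged. Because an invoice spreadsheet has no legitimate reason to contain long Morse sequences at all, a mail gateway could reasonably quarantine on the token count alone and use the keyword match only to prioritise analyst review.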

Hacked by SolarWinds, Mimecast lays off staff despite record profits

Last month, email security company Mimecast revealed that one of its cryptographic certificates had been purloined by the same team that smuggled a hidden backdoor into SolarWinds’ Orion network monitoring software. Mimecast offers security services that plug into Microsoft 365 accounts. Only ten of its 36,000 customers were affected by the attack, and its recent financial results announced profits of $10.8M, way up from $200,000 a year ago. Despite this, it has announced it will be trimming 4 percent of its workforce to focus on strategic growth.

(The Register)

Activists complain of weakened voting security standard

The US federal agency overseeing election administration has quietly tweaked a key element of proposed security standards for voting systems, removing language that would ban any voting machines that had wireless modems or chips. This has raised concern among voting-integrity experts and computer security specialists, who suggest the mere presence of such wireless hardware poses risks. Election administration officials state that their rules require that manufacturers disable any wireless functions present in their machines, although the wireless hardware can remain.

(Associated Press)

FDA appoints its first acting director of medical device cybersecurity

The U.S. Food and Drug Administration has appointed Kevin Fu to fill this role through its Center for Devices and Radiological Health. Mr. Fu has been an associate professor of electrical engineering and computer science at the University of Michigan since 2013, and has been an adviser to a range of government agencies including the National Institute of Standards and Technology. His key priorities are medical device safety, imparting security training to manufacturers of both IoT and medical devices, and ensuring software security experts start to be included in the process of building cybersecurity into the design of medical devices, which they currently are not.

(CISOMag)

Thanks to our episode sponsor Altitude Networks

Uh oh, Johnny left the company 6 months ago, but still has access to numerous files in Google Drive via his personal account! Do you know how many other former employees and contractors still have access to our documents? It’s a lot more than you might think. Altitude Networks automatically discovers sharing to personal accounts and can eliminate it with one click. Check it out at AltitudeNetworks.com and be sure your sensitive data isn’t shared with the wrong people!

Zoom bombing is often an inside job

Research conducted jointly by Boston University and Binghamton University reveals that the scourge of zoom-bombing, in which trolls join and vandalize a video chat, is often due to legitimate participants sharing login and password details specifically to invite the trolls in. The research recognized that there are other situations in which hackers may join a call or even brute-force the password, but the researchers state that in many cases, especially in education-related chats and lessons, the cause is students who seek to disrupt a class, thus rendering password protection and waiting rooms completely useless.

(Wired)

Google Chrome sync feature can be abused for command-and-control and data exfiltration

Threat actors have discovered they can abuse the Google Chrome sync feature to send commands to infected browsers and steal data from infected systems, bypassing traditional firewalls and other network defenses. Chrome sync is a feature of the Chrome web browser that stores copies of a user’s Chrome bookmarks, browsing history, passwords, and browser and extension settings on Google’s cloud servers. Researchers state that since the commands and stolen data are sent via Chrome’s infrastructure, they would not be inspected or blocked by most corporate networks.

(ZDNet)

Social media giants crack down on account thieves

Facebook, Instagram, TikTok, and Twitter have taken steps to crack down on groups who traffic in hijacked user accounts across their platforms. The coordinated action seized hundreds of accounts belonging to companies that broker or trade in compromised and highly sought-after usernames. Facebook representatives told KrebsOnSecurity that the company has seized hundreds of accounts, mainly on Instagram, that were stolen from legitimate users by intimidation, harassment, hacking, SIM swapping, and swatting. Although this highly lucrative crime is not new, the social media companies express increasing concern about the public’s use of SMS messaging for 2FA, including for email password reset, as this has been shown to be one of the primary paths toward compromise.

(KrebsOnSecurity)

Plex Media servers are being abused for DDoS attacks

Security firm NetScout has announced that DDoS-for-hire services have found a way to abuse Plex Media servers to bounce junk traffic and amplify distributed denial of service (DDoS) attacks. A web application for Windows, Mac, and Linux usually used for video or audio streaming and multimedia asset management, Plex Media Server now shares the unwanted distinction of DDoS mule with the Windows Remote Desktop Protocol, which NetScout reported in January. There are currently 27,000 Plex Media servers exposed online that could be abused for DDoS attacks.

(ZDNet)