Cyber Security Headlines – November 12, 2021

EU pharmaceutical giants run old, vulnerable apps and fail to use encryption in login forms

On Thursday, Outpost24 published new research claiming that the top 10 pharmaceutical companies in the EU region are all failing to maintain a robust security posture, with 80% considered “critically exposed” to the risk of cyberattacks. According to the report, entitled “2021 Web Application Security for Healthcare,” 18% of the EU pharmaceutical businesses analyzed are using outdated, unpatched web components that contain known vulnerabilities. US healthcare organizations have roughly the same number of suspicious apps in operation but tend to run far fewer apps overall; however, 23.74% of those are outdated.


Gmail accounts are used in 91% of all baiting email attacks

Bait attacks are on the rise, and it appears that the actors who distribute this special kind of phishing email prefer to use Gmail accounts to conduct their attacks. According to a report by Barracuda, which surveyed 10,500 organizations, 35% of them received at least one bait attack email in September 2021 alone. A “bait attack” is a sub-class of phishing in which threat actors attempt to gather basic information about a specific target and use it for more targeted and effective attacks in the future. It seldom carries payloads, embedded links or even text; instead it is used to confirm that the email address is valid and actively used, that the recipient is susceptible to unsolicited emails, and to test the effectiveness of automated spam-detection solutions, many of which miss these emails precisely because they do not carry any attachments.

(Bleeping Computer)

Microsoft warns of uptick in HTML smuggling

HTML smuggling lets an attacker “smuggle” an encoded malicious script within a specially crafted HTML attachment or web page. When a target user opens the HTML in their web browser, the browser decodes the malicious script, which, in turn, assembles the payload on the host device, allowing the attacker to build the malware locally behind a firewall. In its Security blog, Microsoft says the technique is being increasingly used in email campaigns and, most notably, was observed in a spear-phishing campaign from the threat actor NOBELIUM in May. This technique is highly evasive because it can bypass standard perimeter security controls, such as web proxies and email gateways, that often only check for suspicious attachments (for example, EXE, ZIP, or DOCX) or for traffic based on signatures and patterns.
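As an added example (not code from Microsoft's blog or from the original article), a small Python triage heuristic for the pattern just described: it flags an HTML attachment that carries a large base64 literal inside a script block together with the browser-side decode and file-assembly calls that rebuild a file locally. The sample HTML bodies, the indicator list and the thresholds are constructed for illustration and should be tuned before use in a mail pipeline.

```python
"""Heuristic triage of HTML attachments for the smuggling pattern: a payload
carried as a base64 literal and reassembled client-side instead of being sent
as a conventional attachment. Hypothetical helper, not Microsoft's code."""
import base64
import re

# Browser-side decode / file-assembly primitives; constructed list, extend as needed.
ASSEMBLY_INDICATORS = {
    "atob(": "base64 decode in browser",
    "new Blob(": "in-memory file object",
    "msSaveOrOpenBlob": "legacy Edge/IE save-to-disk",
    ".download": "anchor download attribute",
    "fromCharCode": "byte array to string conversion",
}
BASE64_LITERAL = re.compile(r'["\']([A-Za-z0-9+/]{64,}={0,2})["\']')
SCRIPT_BLOCK = re.compile(r"<script[^>]*>(.*?)</script>", re.S | re.I)

def analyze_html(html: str, min_blob_bytes: int = 48) -> dict:
    """Return blob count, matched indicators and a verdict for one HTML body."""
    scripts = SCRIPT_BLOCK.findall(html)
    blobs = 0
    for lit in BASE64_LITERAL.findall(" ".join(scripts)):
        try:
            decoded = base64.b64decode(lit, validate=True)
        except ValueError:          # binascii.Error is a ValueError subclass
            continue
        if len(decoded) >= min_blob_bytes:
            blobs += 1
    hits = [desc for key, desc in ASSEMBLY_INDICATORS.items() if key in html]
    # Verdict: an embedded blob plus at least two assembly primitives.
    suspicious = blobs > 0 and len(hits) >= 2
    return {"base64_blobs": blobs, "indicators": hits, "suspicious": suspicious}

# Constructed samples. The "payload" is harmless placeholder text.
PLACEHOLDER = base64.b64encode(
    b"constructed benign placeholder, not a real payload. " * 2).decode()
SAMPLE_SMUGGLING_HTML = f"""<html><body><script>
var raw = atob("{PLACEHOLDER}");
var blob = new Blob([raw], {{type: "application/octet-stream"}});
var a = document.createElement("a");
a.download = "report.pdf";
</script></body></html>"""
SAMPLE_BENIGN_HTML = """<html><body><script>
document.getElementById("total").textContent = "42";
</script><p>Invoice attached separately.</p></body></html>"""

if __name__ == "__main__":
    for name, body in (("smuggling", SAMPLE_SMUGGLING_HTML), ("benign", SAMPLE_BENIGN_HTML)):
        print(name, analyze_html(body))
```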


DDoS attack on VoIP provider Telnyx impacts global telephony services

Days after a massive DDoS attack on multiple voice over internet protocol (VoIP) services in the U.K., Telnyx reported that it had suffered a DDoS attack that impacted its global telephony services. Telnyx is a VoIP company that provides telephony services online across the U.S., APAC, Australia, and EMEA regions. Given the severity of the attack, Telnyx is moving its operations to Cloudflare Magic Transit to mitigate additional risk. The company warned that users might experience failed calls, API and portal latency or timeouts, and delayed or failed messages until a proper resolution is in place.

(CISO Mag)

Thanks to our episode sponsor, Vulcan Cyber

The fact that CISA felt the need to release the massive “Known Exploited Vulnerabilities Catalog” recently says everything we need to know about the state of our collective cyber debt. Attend the Vulcan Cyber virtual summit on December 9th and learn how your peers are working to take on cyber risk and mitigate known vulnerabilities at scale. Go to and click the button at the top of the screen to register for the event.

Flaws in the Nucleus embedded TCP/IP stack put critical systems at risk

Security researchers have uncovered serious vulnerabilities in the TCP/IP stack of a real-time operating system (RTOS) called Nucleus that’s used in safety-critical devices across many industry verticals. The flaws, collectively dubbed NUCLEUS:13 and discovered by researchers from Forescout and Medigate Labs, can lead to denial of service (DoS), information leaks and remote code execution (RCE). The Nucleus RTOS is currently owned by Siemens and runs in potentially billions of devices deployed in hospitals and other medical facilities, factories and industrial installations, automotive and avionics systems, and even in IoT chipsets and the radio baseband processors used in phones and wireless equipment.


Hackers with Chinese links breach defense, energy targets, including one in US

Suspected spies using similar tools and tactics to a Chinese government-connected hacking group compromised nine organizations in the defense, education, energy and health care industries across the globe beginning in September, according to new research. The hackers were “indiscriminate” in targeting that included parts of the U.S. Defense Department, according to Palo Alto Networks, which published its findings on Sunday with an assist from the National Security Agency’s Cybersecurity Collaboration Center. That center primarily works with defense contractors to collect and share threat information. Although the company said it couldn’t say with certainty who was behind the apparent espionage campaign, the hackers used tools and tactics similar to those of a Chinese hacking group alternately known as Emissary Panda, APT27 and Threat Group 3390.


USA signs internet freedom and no-hack pact introduced in 2018

The United States has signed up for The Paris Call for Trust and Security in Cyberspace – an international effort to ensure the internet remains free and open, and an agreement to put critical infrastructure off limits to electronic attack by sovereign states and other actors. The Paris Call was issued by French president Emmanuel Macron in 2018, as part of that year’s Internet Governance Forum held at UNESCO and alongside the Paris Peace Forum. A White House statement explains that the USA’s decision to adopt the Call “reflects the Biden-Harris Administration’s priority to renew and strengthen America’s engagement with the international community on cyber issues.”

(The Register)

BazarBackdoor now abuses Windows 10 app feature in social engineering ‘call me back’ attack

On Thursday, researchers from Sophos Labs said the attack was noticed after the cybersecurity firm’s own employees were targeted with spam emails sent by a “Sophos Main Manager Assistant,” one non-existent “Adam Williams,” which demanded to know why a researcher hadn’t responded to a customer’s complaint. To make resolution easier, the email helpfully contained a link to a PDF complaint report. The fake PDF link causes Microsoft’s Edge browser on Windows 10 to invoke a tool used by the Windows Store application, AppInstaller.exe, to download and run whatever is on the other end of that link.