Get the latest cybersecurity, privacy, and surveillance news for information security professionals

IT Security News Blast – 10-6-2020

Custom-made UEFI bootkit found lurking in the wild

The attacks described in this blog post demonstrate the length an actor can go in order to gain the highest level of persistence on a victim machine. It is highly uncommon to see compromised UEFI firmware in the wild, usually due to the low visibility into attacks on firmware, the advanced measures required to deploy it on a target’s SPI flash chip, and the high stakes of burning sensitive toolset or assets when doing so.


Securing Data Integrity Against Ransomware Attacks: Using the NIST Cybersecurity Framework and NIST Cybersecurity Practice Guides

These projects help organizations implement technical capabilities that address data integrity issues. The objective of this document is to provide an overview of these Data Integrity projects; provide a high-level explanation of the architecture and capabilities; and explain how these projects can be brought together into one comprehensive data integrity solution.


Most Healthcare Apps Are Riddled with Bugs

Using OWASP-aligned static and dynamic analysis techniques, the Intertrust team found that every Android app it analyzed and 72% of iOS apps contained four or more vulnerabilities. More specifically, 91% of medical apps had mishandled and/or weak encryption, putting them at risk of exposing IP and patient data. A third of 34% of Android apps and 28% of iOS apps were vulnerable to encryption key extraction, and 85% of COVID apps leaked data.


UHS Health System Confirms All US Sites Affected by Ransomware Attack

Universal Health Services, one of the largest US health systems, confirmed on October 3 that the ransomware attack reported last week has affected all of its US care sites and hospitals, spurring clinicians into EHR downtime procedures.  [...] UHS officials reported the incident as an IT disruption the following day and has since update the notification to confirm it was a malware cyberattack.


Connected medical devices are exposing healthcare systems to cyber-attacks — Why ignoring clinical asset management is no longer an option

“In 2019, hospitals were victim to more cybersecurity threats than the total number of threats over the last four years combined,” Mr. Klumpe said. The average facility faces vulnerability from 20 percent of its medical devices that are connected to their network today, with experts suggesting that up to 70 percent of their medical devices will be connected to their network and face cybersecurity vulnerabilities over the next five years.


FinCEN Alerts Financial Institutions on Role in Facilitating Ransomware Attacks

The advisory walks through what FinCEN characterizes as a typical multi-step process when ransoms are paid, which often involves at least one depository institution and at least one money services business (MSB). FinCEN advised companies that facilitate ransomware payments, such as by money transmission, that they may be “required to register as an MSB with FinCEN” and be subject to BSA obligations, “including filing suspicious activity reports (SARs).”


Cyberattackers Turn To Payments Fraud, Ransomware As Tech Firms Fight Back

40 percent is the portion of business email breaches that happened on websites used for personal uses, according to a new study that indicates that the use of company emails for personal use by staff is making companies vulnerable, as cited by IT Brief. NordVPN Teams researchers looked at worldwide breach activity and examined more than 1.7 million breaches. Business emails on media and entertainment platforms in Europe and the U.S. are broadly used by employees for personal uses.


Cyber Pirates Hit Global Shipping Industry Nearing Peak Season

The International Maritime Organization, a UN agency that serves as the industry’s regulator, said Thursday it suffered “a sophisticated cyber attack against the organization’s IT systems.” The breach affected its public website and internal systems, it said.  [...] That attack followed the disclosure earlier this week by closely held CMA CGM SA, the world’s fourth-biggest container liner, that its information systems were compromised.


War, Terrorism, and Catastrophe in Cyber Insurance: Understanding and Reforming Exclusions

This novel use of the war exclusion, still being litigated, has raised doubts about whether adequate or reliable coverage exists for state-sponsored cyber incidents. Some observers have asked whether such incidents are insurable at all, given the potential for aggregated cyber losses even more catastrophic than those of NotPetya.


ESET discovers a rare APT that stayed undetected for nine years

ESET says the group's primary focus has been reconnaissance and document theft. Its targets have been government agencies and private companies in Eastern Europe and the Balkans. Targeted countries included Belarus, Moldova, Russia, Serbia, and Ukraine, according to ESET telemetry data, but other XDSpy operations may still be undiscovered.


FBI & CISA Warn of “Foreign-Backed Online Journals” Spreading Election Disinformation

Foreign intelligence services have used online journals, including some with a global reach, to exacerbate disunity and dysfunction in the United States while also misinforming or misleading readers. Foreign governments have used these journals to amplify their disinformation and overt propaganda, and they have used websites, social media, and other online platforms to amplify the journals' messages and increase their global reach.


US election 2020: Who do Russia, China and Iran want to win?

The three should not be compounded, as each, in the view of US intelligence, has their own goal and their own capabilities. The assessments themselves are under scrutiny too - a whistleblower recently alleged he was asked to downplay the threat posed by Russia as it "made the president look bad". So with a little over a month to go, what do US voters need to know?


Why is the United States losing the information war?

“Perhaps military physical action … or any other form of physical action by the U.S. government now should be increasingly seen as things that support information operations,” he said. “I have occasionally seen examples of this where we used kinetic action by [counterterror] elements to do shaping activities so that an information operation could succeed, but they’re rare. I think we need to make them much more commonplace.”


Why Is Amazon Tracking Opioid Use All Over the United States?

An Amazon spokesperson would not offer any specific information about why Amazon monitors opioid use, saying it tracks any number of factors that could be impacting employees and workers in order to keep them safe, but some drug experts told Motherboard that the revelation that Amazon tracked opioid use was a cause for alarm to its workers and customers.


Boom! Hacked page on mobile phone website is stealing customers’ card data

According to researchers from security firm Malwarebytes, Boom! Mobile’s website is infected with a malicious script that skims payment card data and sends it to a server under the control of a criminal group researchers have dubbed Fullz House. The malicious script is called by a single line that comprises mostly nonsense characters when viewed with the human eye.


Microsoft releases tool to update Defender inside Windows install images

Some of these images are reused for months at a time, and the Microsoft Defender (default antivirus) package found inside would usually end up being installed using an out-of-date detection database. The newly installed Windows operating systems would eventually update the Defender package, but Microsoft says that this creates a "protection gap" during which systems could be easily attacked and infected.


Malware Families Turn to Legit Pastebin-Like Service

[Now], more malware and ransomware families are starting to utilize another service, with the domain Paste.nrecom[.]net. This service been around since May 2014, and has a similar function as Pastebin. It also has an API (powered by open-source PHP based pastebin Stikked) that allows for scripting. Researchers with Juniper Networks said that the API  feature is lucrative for cybercriminals, who can leverage it to easily insert and update their data programmatically.


Imagine running a dating app and being told accounts could be easily hijacked. How did that feel, Grindr?

Thus you could enter someone's account email address into the password reset page, inspect the response, get the leaked token, construct the reset URL from the token, click on it, and you'd get to the page to enter a new password for the account. And then you control that user's account, can go through its pics and messages, and so on.


You are receiving this email because you are subscribed to receive the IT Security Daily Blast email from Michael Hamilton, Founder, President, and CISO of CI Security, formerly Critical Informatics.

Archived articles are available at

CI Security and the CI Security logo are the trademarks of CI Security, Inc. All other brand names, trademarks, service marks, and copyrights are the property of their respective owners.

© 2020 CI Security. All rights reserved.


CI Security

245 4th St, Suite 405  Bremerton, WA   98337

About Us   |   CI Security News   |   Contact Us 

Add this Email to Your Address Book