Stay tuned for this update each week. This is a joint cybersecurity weekly product from the Missouri Information Analysis Center, St. Louis Fusion Center, Kansas City Regional Fusion Center and the Missouri Office of Homeland Security.


DHS Creates Cyber Safety Review Board

The United States Department of Homeland Security has established a Cyber Safety Review Board (CSRB) to investigate “significant cyber incidents.” Mandated via President Joe Biden’s May 12, 2021 executive order (EO 14028) on improving the nation’s cybersecurity, the board “shall review and assess, with respect to significant cyber incidents […] affecting Federal Civilian Executive Branch Information Systems or non-Federal systems, threat activity, vulnerabilities, mitigation activities and agency responses.” The CSRB, which was chartered on September 21, 2021, will operate only in an advisory capacity. Rob Silvers, the DHS undersecretary for strategy, policy and plans, has been selected to chair the board for two years. Together with Cybersecurity and Infrastructure Security Agency director Jen Easterly, Silvers will choose up to 20 individuals to serve as board members. The CSRB will be made up of a mixture of government workers and private sector representatives, who may need to obtain security clearances. According to instructions included in Biden’s EO, the person chosen to serve as the board’s deputy chair should work in the private sector. Members will include at least one representative each from the Department of Defense, the Department of Justice, DHS, CISA, the National Security Agency and the Federal Bureau of Investigation.


Phishing Kits’ Use of Man-In-The-Middle Reverse Proxies is Growing, Warns Proofpoint

In the beginning we had passwords. Their hackability made a lot of people very angry and passwords were widely regarded as a bad move. Then we had two-factor authentication – and now Proofpoint (a Data Connectors Community Partner) reckons online criminals are starting to bypass it with transparent reverse proxies. Phishing kits, ready-made deployables used by crooks to steal victims’ login details, are increasingly capable of bypassing multi-factor authentication (MFA), the company warned today. In a blog post Proofpoint said it sees “numerous MFA phishing kits ranging from simple open-source kits with human readable code and no-frills functionality to sophisticated kits utilizing numerous layers of obfuscation and built-in modules that allow for stealing usernames, passwords, MFA tokens, social security numbers and credit card numbers.” Naming three particular MFA-bypassing phishing kits (Modlishka, Muraena/NecroBrowser, and Evilginx), Proofpoint said they tend to be deployed through crafted phishing domains: sites falsely posing as the genuine sites that victims want to log into, relaying the victim’s credentials and MFA token to the real site in the background.


FBI Says More Cyber Attacks Come from China Than Everywhere Else Combined

US Federal Bureau of Investigation director Christopher Wray has named China as the source of more cyber-attacks on the USA than all other nations combined. In a Monday speech titled Countering Threats Posed by the Chinese Government Inside the US, Wray said the FBI has more than 2,000 open investigations into incidents assessed as attempts by China’s government “to steal our information and technology.” “The Chinese government steals staggering volumes of information and causes deep, job-destroying damage across a wide range of industries – so much so that, as you heard, we’re constantly opening new cases to counter their intelligence operations, about every 12 hours or so.” Wray rated China’s online offensive as “bigger than those of every other major nation combined,” adding it has “a lot of funding and sophisticated tools, and often joining forces with cyber criminals – in effect, cyber mercenaries.” “They’re not just hacking on a huge scale but causing indiscriminate damage to get to what they want. Like in the recent Microsoft Exchange hack, which compromised the networks of more than 10,000 American companies in a single campaign alone,” he added. Wray said China sometimes directs attacks by government-owned companies but doesn’t have to rely on such entities, because businesses are required to maintain a Communist Party Committee comprised of Party members who are placed in senior management positions. “Within China, they force US companies to partner with Chinese government-owned ones to do business in China, and then abuse and exploit those partnerships,” Wray added.


FBI Warns of Fake Job Postings Used to Steal Money, Personal Info

Scammers are trying to steal job seekers’ money and personal information through phishing campaigns that use fake advertisements posted on recruitment platforms. The warning was published today as a public service announcement (PSA) on the Bureau’s Internet Crime Complaint Center (IC3). “The FBI warns that malicious actors or ‘scammers’ continue to exploit security weaknesses on job recruitment websites to post fraudulent job postings in order to trick applicants into providing personal information or money,” the FBI says. “These scammers lend credibility to their scheme by using legitimate information to imitate businesses, threatening reputational harm for the business and financial loss for the job seeker.” Such scams have been around since early 2019, with average reported losses of almost $3,000 per victim, in addition to the damage inflicted on victims’ credit scores. The federal law enforcement agency issued a similar warning in January 2020, saying that cybercriminals had also begun spoofing legitimate companies’ sites to steal job applicants’ money and personally identifiable information (PII). Crooks are taking advantage of the lack of strong verification standards on recruitment websites to post fake job openings that are indistinguishable from those published by the companies they’re impersonating.


Intuit Warns of Phishing Emails Threatening to Delete Accounts

Accounting and tax software provider Intuit has notified customers of an ongoing phishing campaign impersonating the company and trying to lure victims with fake warnings that their accounts have been suspended. Intuit’s alert follows reports received from customers who were emailed and told that their Intuit accounts had been disabled following a recent server security upgrade. “We have temporarily disabled your account due to inactivity. It is compulsory that you restore your access within next 24 hours,” the attackers say in the phishing messages, masquerading as the Intuit Maintenance Team. “This is a result of recent security upgrade on our server and database, to fight against vulnerability and account theft as we begin the new tax season.” The recipients are instructed to follow a link immediately to restore access to their accounts. Clicking the link will likely redirect them to an attacker-controlled phishing site designed to infect them with malware or harvest their financial or personal information. Those who might think twice before clicking the embedded link are warned that they might permanently lose access to their accounts. The financial software maker said that it’s not behind these emails and that the sender “is not associated with Intuit, is not an authorized agent of Intuit, nor is their use of Intuit’s brands authorized by Intuit.”


Google Patches 27 Vulnerabilities with Release of Chrome 98

Google on Tuesday announced the release of Chrome 98 in the stable channel with a total of 27 security fixes, including 19 for vulnerabilities reported by external researchers. The most severe of these security defects could be exploited to execute arbitrary code with the same privileges the Chrome browser has on the target system. Of the 19 flaws, eight carry a severity rating of high, 10 are considered medium severity, and one is low risk. More than half of the externally reported vulnerabilities addressed in this release are use-after-free bugs. The most important of these issues are CVE-2022-0452 and CVE-2022-0453, two use-after-free bugs in Safe Browsing and Reader Mode. The reporting researchers were awarded $20,000 rewards each, Google says in its advisory. Two other high-severity use-after-free issues were addressed, one in the thumbnail tab strip (CVE-2022-0458) and another in screen capture (CVE-2022-0459).


CISA Orders Federal Agencies to Patch Actively Exploited Windows Vulnerability

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is urging federal agencies to secure their systems against an actively exploited security vulnerability in Windows that could be abused to gain elevated permissions on affected hosts. To that end, the agency has added CVE-2022-21882 (CVSS score: 7.0) to the Known Exploited Vulnerabilities Catalog, requiring Federal Civilian Executive Branch (FCEB) agencies to patch all systems against this vulnerability by February 18, 2022. “These types of vulnerabilities are a frequent attack vector for malicious cyber actors of all types and pose significant risk to the federal enterprise,” CISA said in an advisory published last week. CVE-2022-21882, which has been tagged with an “Exploitation More Likely” exploitability index assessment, is an elevation of privilege vulnerability affecting the Win32k component. The bug was addressed by Microsoft as part of its January 2022 Patch Tuesday updates. “A local, authenticated attacker could gain elevated local system or administrator privileges through a vulnerability in the Win32k.sys driver,” the Windows maker said. The flaw impacts Windows 10, Windows 11, Windows Server 2019, and Windows Server 2022.
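The Known Exploited Vulnerabilities Catalog that CISA adds entries like CVE-2022-21882 to is published as a JSON feed with a due date per CVE, which makes it straightforward to turn into a patch-deadline report for your own fleet. The following is an added example, not CISA's code and not part of this bulletin: it parses a catalog export in the public KEV JSON layout (top-level "vulnerabilities" list with "cveID", "vendorProject", "product", "dateAdded", "requiredAction" and "dueDate" fields, which is an assumption about the feed's schema) and compares it against a simple asset inventory. The sample catalog and inventory are constructed for the example; only CVE-2022-21882 and its 2022-02-18 due date come from the bulletin, and the other CVE identifiers, hostnames and "dateAdded" values are placeholders.

```python
"""Triage unpatched CVEs against a CISA KEV catalog export (added example).

Assumptions: the catalog uses the public KEV JSON field names, and the
inventory is a mapping of asset name -> list of CVE ids still unpatched
on that asset (however you produce it: scanner export, CMDB query, etc.).
"""
import json
from datetime import date

# Constructed sample catalog. CVE-2022-21882 and its 2022-02-18 due date are
# from the bulletin; every other value is a placeholder for the example.
KEV_SAMPLE = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [
        {
            "cveID": "CVE-2022-21882",
            "vendorProject": "Microsoft",
            "product": "Win32k",
            "vulnerabilityName": "Microsoft Win32k Privilege Escalation Vulnerability",
            "dateAdded": "2022-02-04",          # assumed, not stated in the bulletin
            "requiredAction": "Apply updates per vendor instructions.",
            "dueDate": "2022-02-18",            # from the bulletin
        },
        {
            "cveID": "CVE-0000-00000",          # placeholder entry, not a real CVE
            "vendorProject": "ExampleVendor",
            "product": "ExampleProduct",
            "vulnerabilityName": "Placeholder entry",
            "dateAdded": "2022-01-10",
            "requiredAction": "Apply updates per vendor instructions.",
            "dueDate": "2022-01-24",
        },
    ],
})

# Constructed inventory: which CVEs are still open on which host.
# CVE-2021-99999 is a placeholder for a vulnerability that is NOT in KEV.
INVENTORY_SAMPLE = {
    "ws-01": ["CVE-2022-21882", "CVE-2021-99999"],
    "srv-02": ["CVE-0000-00000", "CVE-2022-21882"],
}


def load_kev(catalog_json):
    """Index catalog entries by CVE id, parsing dueDate into a date."""
    catalog = json.loads(catalog_json)
    index = {}
    for entry in catalog["vulnerabilities"]:
        index[entry["cveID"]] = {**entry, "dueDate": date.fromisoformat(entry["dueDate"])}
    return index


def triage(catalog_json, inventory, today):
    """Return one finding per (asset, CVE) pair where the CVE is in KEV.

    Findings are sorted most-overdue first; CVEs not in the catalog are
    skipped because the catalog deadline does not apply to them.
    """
    kev = load_kev(catalog_json)
    findings = []
    for asset, cves in inventory.items():
        for cve in cves:
            entry = kev.get(cve)
            if entry is None:
                continue
            days_remaining = (entry["dueDate"] - today).days
            findings.append({
                "asset": asset,
                "cve": cve,
                "product": f'{entry["vendorProject"]} {entry["product"]}',
                "due": entry["dueDate"].isoformat(),
                "days_remaining": days_remaining,
                "overdue": days_remaining < 0,
                "action": entry["requiredAction"],
            })
    findings.sort(key=lambda f: (f["days_remaining"], f["asset"]))
    return findings


def main():
    # A week after the bulletin's deadline, both sample hosts are overdue.
    for f in triage(KEV_SAMPLE, INVENTORY_SAMPLE, date(2022, 2, 25)):
        state = f"OVERDUE by {-f['days_remaining']} days" if f["overdue"] \
            else f"due in {f['days_remaining']} days"
        print(f"{f['asset']:8} {f['cve']:16} {f['product']:24} {f['due']}  {state}")


if __name__ == "__main__":
    main()
```

In practice the catalog string would be read from the feed file CISA publishes, and the inventory from whatever vulnerability scanner or CMDB you already run; the useful part is the join, which surfaces exactly the hosts whose open CVEs carry a binding deadline and ignores the rest.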


FBI Publishes IOCs for LockBit 2.0 Ransomware Attacks

The Federal Bureau of Investigation (FBI) on Friday released indicators of compromise (IOCs) associated with the LockBit 2.0 ransomware. LockBit 2.0, which is distributed as Ransomware-as-a-Service (RaaS), makes detection and mitigation difficult because its affiliates use a wide variety of tactics, techniques, and procedures (TTPs). The ransomware’s operators breach enterprise networks either by purchasing access or by compromising them through unpatched vulnerabilities, zero-day exploits, or insider access, the FBI says. Once inside a network, publicly available tools such as Mimikatz are employed for privilege escalation. Both off-the-shelf and custom tools are used for data exfiltration, and then the LockBit ransomware is used to encrypt the victim’s files. A ransom note that the attackers place in the affected directories provides the victim with instructions on how to obtain a decryption tool, but also contains the threat that the stolen data will be leaked online on a LockBit 2.0 site unless a ransom is paid.


Ransomware Often Hits Industrial Systems, With Significant Impact

Ransomware attacks in many cases hit industrial control systems (ICS) or operational technology (OT) environments, and the impact is often significant, according to a report published on Thursday by IoT and industrial cybersecurity company Claroty. Claroty’s “Global State of Industrial Cybersecurity” report is based on a Pollfish survey of 1,100 IT and OT security professionals in the United States, Europe and the APAC region. More than half of respondents work for enterprises with annual revenue exceeding $1 billion. The survey was conducted in September 2021. Roughly 80% of respondents said that their organization had experienced a ransomware attack within the past year, and nearly half said the incident had impacted their ICS/OT environment. Only 15% of respondents said there was no impact or minimal impact on operations, and nearly 50% said there was significant impact. Seven percent said the incident resulted in a full operations shutdown that lasted for more than a week. The cyberattack was disclosed to both authorities and shareholders in most cases, but some companies apparently did not inform anyone. The survey shows that ransomware payments are prevalent, with more than 60% confirming that they had paid a ransom. Twenty percent of respondents said the amount paid to the hackers exceeded $1 million — this includes nearly 7% that paid out more than $5 million.


Tennessee Community College Suffers Ransomware Attack

A Tennessee community college suffered a data security attack that may have resulted in unauthorized access to the personal information of former and current students, faculty and staff, officials said. Pellissippi State Community College is sending out notifications about a ransomware attack focused mainly on encrypting school data to force a ransom payment, the Tennessee Board of Regents said in a news release Tuesday. Pellissippi State did not pay a ransom, the Knoxville college said on its website. The college’s main database and credit card payment systems were not involved, and no data from those systems was accessed by unauthorized users, said the board, which oversees the state’s community colleges. The investigation did confirm unauthorized access to a system that included names, email addresses, internal identification numbers and school passwords, the board said.
