WordPress, Apache Struts Attract the Most Bug Exploits

An analysis found these web frameworks to be the most-targeted by cybercriminals in 2019.

WordPress and Apache Struts vulnerabilities were the most-targeted by cybercriminals in web and application frameworks in 2019 – while input-validation bugs edged out cross-site scripting (XSS) as the most-weaponized weakness type.

That’s according to the RiskSense Spotlight Report, which analyzed 1,622 vulnerabilities from 2010 through November of 2019. Web frameworks streamline the development and deployment of applications and websites. Instead of requiring developers to code every line of PHP, HTML, etc., a framework can provide them with ready-made building blocks for many common tasks.

“Even if best application development practices are used, framework vulnerabilities can expose organizations to security breaches. Meanwhile, upgrading frameworks can be risky because changes can affect the behavior, appearance or inherent security of applications,” said Srinivas Mukkamala, CEO of RiskSense, in a media statement. “As a result, framework vulnerabilities represent one of the most important, yet poorly understood and often neglected elements of an organization’s attack surface.”

The firm found that WordPress and Apache Struts alone accounted for a combined 57 percent of exploited framework bugs during the year. Their respective underlying languages, PHP for WordPress and Java for Struts, were also the most weaponized languages in the study.

Also, while WordPress faced a number of different types of bugs over the course of the year, XSS was the most common problem according to the analysis; input validation meanwhile was the biggest risk for the Apache Struts framework.

Their prevalence in WordPress aside, XSS flaws overall have fallen in volume in recent years: XSS was the most common vulnerability over the 10-year study period, but it dropped to fifth when analyzed for just the last five years. Meanwhile, input validation accounted for 24 percent of all weaponized vulnerabilities over the past five years, mostly affecting Apache Struts, WordPress and Drupal.

The analysis also found that while the total volume of cybersecurity vulnerabilities in frameworks went down last year, the actual weaponization rate of those bugs went up. That rate jumped to 8.6 percent in 2019, which is more than double the National Vulnerability Database average of 3.9 percent for the same period.

In total, 27.7 percent of WordPress vulnerabilities were weaponized. Apache Struts had the third most-weaponized vulnerabilities and had one of the highest overall weaponization rates across all frameworks, the report found; and, 38.6 percent of all Struts vulnerabilities were weaponized.

“Only Laravel had a higher weaponization rate, but that was based on only four total vulnerabilities,” the report noted.

“It’s no surprise that Apache Struts is one of the most weaponized application frameworks out there,” Mehul Revankar, director of product management at SaltStack, told Threatpost. “It’s a key dependency for many modern web applications, and it’s not easily known whether it’s in use or not by an application.”

An Apache Struts exploit was behind the infamous 2017 Equifax breach, which affected 147 million people.

Some specific types of bugs also saw a higher rate of weaponization. For instance, SQL injection, code injection and various command-injection bugs are sought-after by cyberattackers and saw weaponization rates of more than half in the study, despite being quite rare. Broken down, the top three weaknesses by weaponization rate were command injection (60 percent weaponized), OS command injection (50 percent weaponized) and code injection (39 percent weaponized).

And, JavaScript and Python frameworks showed the lowest weaponization of vulnerabilities overall. For instance, the JavaScript-based Node.js had a notably higher number of vulnerabilities than other JavaScript frameworks last year, with 56 vulnerabilities – but only one has been weaponized to date, according to the research. Likewise, Django had 66 vulnerabilities, with only one weaponized.

“Web application vulnerabilities have been an increasingly ripe attack vector over the past decade,” said Jack Mannino, CEO at nVisium, speaking to Threatpost. “WordPress and Apache Struts implementations in particular have been notoriously plagued with out of date plugins and library versions. As these systems remain unpatched and not updated for long intervals, their likelihood for exposure is high. Off-the-shelf exploits against these technologies have been prevalent in attacker tooling and will continue to be.”

Adobe Discloses Dozens of Critical Photoshop, Acrobat Reader Flaws

An out-of-band Adobe security update addressed critical flaws in Photoshop, Acrobat Reader and other products.

Adobe has released out-of-band updates addressing critical vulnerabilities in its Photoshop and Acrobat Reader products, which if exploited could allow arbitrary code-execution.

Overall, Adobe on Wednesday patched flaws tied to 41 CVEs across its products, 29 of which were critical in severity. The fixes were released outside of Adobe’s regularly scheduled update day, which was earlier in March (during which, in fact, Adobe had no patches).

In this most recent group, Adobe Photoshop had the most vulnerabilities fixed, with 22 CVEs addressed overall, 16 of which were critical: “Adobe has released updates for Photoshop for Windows and macOS. These updates resolve multiple critical and important vulnerabilities,” according to Adobe’s advisory. “Successful exploitation could lead to arbitrary code-execution in the context of the current user.”

Critical arbitrary code-execution vulnerabilities include heap corruption (CVE-2020-3783), memory corruptions (CVE-2020-3784, CVE-2020-3785, CVE-2020-3786, CVE-2020-3787, CVE-2020-3788, CVE-2020-3789, CVE-2020-3790), out-of-bounds writes (CVE-2020-3773, CVE-2020-3779) and buffer errors (CVE-2020-3770, CVE-2020-3772, CVE-2020-3774, CVE-2020-3775, CVE-2020-3776, CVE-2020-3780).

Affected are Photoshop CC 2019 (versions 20.0.8 and earlier) and Photoshop 2020 (21.1 and earlier) for Windows and macOS. Users can update to Photoshop CC 2019 versions 20.0.9 and Photoshop 2020 21.1.1.

Adobe also addressed 13 vulnerabilities in Acrobat and Reader, including nine critical flaws. Critical flaws include an out-of-bounds write (CVE-2020-3795), a stack-based buffer overflow (CVE-2020-3799), use-after-free bugs (CVE-2020-3792, CVE-2020-3793, CVE-2020-3801, CVE-2020-3802, CVE-2020-3805), a buffer overflow (CVE-2020-3807) and memory corruption (CVE-2020-3797). All of these critical flaws enable arbitrary code execution in the context of the current user, according to Adobe.

Below are the affected versions of Acrobat and Reader; Adobe urges users to update to the fixed versions (2020.006.20042 for Acrobat and Reader DC, 2017.011.30166 for Acrobat and Reader 2017, and 2015.006.30518 for Acrobat and Reader 2015).

[Image: table of affected Adobe Acrobat and Reader versions]

Other vulnerabilities include two critical flaws in Adobe ColdFusion, including a remote file read (CVE-2020-3761) from the ColdFusion install directory; and a critical file inclusion flaw (CVE-2020-3794) enabling arbitrary code execution of files located in the webroot or subdirectory.

Two critical flaws were also rooted out in Adobe Bridge that could enable arbitrary code execution, including an out-of-bounds write flaw (CVE-2020-9551) and a heap-based buffer overflow glitch (CVE-2020-9552). And, Adobe also patched important-severity flaws in its Adobe Genuine Integrity Service and Adobe Experience Manager.

While Adobe had no regularly scheduled updates earlier in March, it did stomp out flaws tied to 42 CVEs in its regularly scheduled February updates, with 35 of those flaws being critical in severity. That well trumped Adobe’s January security update, which addressed just nine vulnerabilities overall, including ones in Adobe Illustrator CC and Adobe Experience Manager.

Convincing Google Impersonation Opens Door to MiTM, Phishing

Using homographic characters is an easy way to execute a convincing fake site.

An attack that uses homographic characters to impersonate domain names and launch convincing but malicious websites takes minutes and a bare modicum of skill — while reaping high rates of success in luring victims, according to an independent researcher.

Researcher Avi Lumelsky set out to see how easy it would be to set up a phishing page that used homographics to impersonate legitimate sites. As he explained in a posting this week, “homographic characters look like ASCII letters, but their encoding is different, in a way that is usually not noticeable for the human eye.”

As an example, this URL uses a homographic character as its first character: “ɢoogle.news.” Set beside the legitimate “google.news” in the same font, there’s a barely discernible difference.

Lumelsky noted that a few years ago someone bought “ɢoogle.com,” which includes a homographic character, to use it for phishing purposes.

“I wondered to myself: There are new top-level-domains every year. Did the world learn from the ɢoogle.com acquisition? How hard is it to create a good Google phishing website from scratch?”

Setting out to find out, the researcher turned to the main domain registrars – GoDaddy, Namecheap and even Google Domains – to first see if he could snag appropriate URLs. He found the process to be so simple that a basic search resulted in a dozen suggestions for available domain names, including ɢoogle.company; ɢoogle.email; ɢoogle.tv; ɢoogle.life and even ɢoogletranslate.com, all for what Lumelsky said was a “great” price. He purchased a handful of them, using an obviously fake identity that included “Not Google :)” as the company name.

After that, he was able to set up a virtual private server in the cloud to host the domains; and he also requested a LetsEncrypt certificate to “safeguard” traffic to and from the sites – and get around security red flags from browsers. Chrome for instance showed the domains as “Secure” (with a lock icon) thanks to the certificate.

“Now, one can use https:// links to gain trust, while providing malicious content,” Lumelsky said.

The next step was routing the sites’ Domain Name System (DNS) records to the cloud server. DNS translates human-readable website names to machine addresses, which enables most internet interactions between sites, plugins and the like. He also set up an nginx proxy that forwarded requests for his domains to the real site, masking the true destination of the traffic. And to seal the deception, he also used Google’s JavaScript code from the legitimate site as the code for his own.

“The great thing about using a proxy is that my domain’s link previews, on every single platform, fetch Google Translate’s exact description while pointing to my link,” the researcher explained. “[Also,] Google’s JS runs normally from my domain.”

In all, Lumelsky said that it was a simple affair to set up a very convincing fake domain – it took minutes, with no coding, he explained. Further, “on mobile phones, the ‘ɢ’ in my domain looks like an actual ‘G,’” he said.

From there he completed his trial with some social-engineering forays that, he said, were successful in luring visitors to the sites “with very little effort.” He also posted links to the sites in security threads on Reddit and elsewhere to see if security-minded targets would notice the discrepancy in the domain name. That too was successful, he added.

“Eventually, without much work, I ended up with hundreds of unique visitors (excluding the bots and security scanners or the platforms in which I posted),” he explained. “It looks and acts just like any google single-page application.”

The next step in the proof-of-concept was to weaponize the domains. Aside from the obvious route of creating a phishing functionality, it’s also possible to execute a man-in-the-middle attack, the researcher explained.

“I am making the SSL handshake with the user,” he said. “The original Google application is served, it functions as expected, but I am exposed to the user’s traffic with the domain. Therefore, I can change the body of Google’s response.”

This man-in-the-middle (MiTM) attack technique can be used in a few different ways, he said. For instance, with a little effort, it’s possible to extract login credentials or tokens.

“Google uses the domain accounts.google.com for authentication,” Lumelsky explained. “I can, for example, override all the <a> tags in the HTML. Instead of pointing them to a subdomain in google.com (e.g accounts.google.com) we can point them to a custom phishing login page, within ɢoogletranslate.com domain. We can steal the user’s login credentials to Google by overriding the links within the page, and pointing them to [the maliciously registered domain] accounts.ɢoogletranslate.com (The sign-in button’s HTML tag’s href attribute).”

Further, an attacker could inject a malicious <script> tag into the hijacked HTTP body and execute code on a client browser connecting to the fake website.

“A majority of the user agents that visited the links were old browsers that haven’t been updated for a long time,” the researcher concluded. “Many of the Chrome, Firefox and Safari user agents from my access logs are devices which are vulnerable to one-day attacks (including sandbox escape).”

To protect themselves, users should always be suspicious of unusual-looking letters in the domain names of links; and administrators should add rules to their security controls that flag homographic hostnames.
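As an added example of the kind of rule the advice above calls for (not code from the original article or from the researcher), the following Python detector decodes punycode (`xn--`) labels, collapses look-alike characters into the ASCII string a reader would perceive, and compares that skeleton against a list of protected names. The confusables table is a constructed subset chosen for this example; the authoritative list is Unicode UTS #39 (confusables.txt).

```python
import unicodedata

# Constructed subset of visually confusable characters mapped to the ASCII letter they
# resemble. The authoritative table is Unicode UTS #39 (confusables.txt); this subset
# covers only what the example needs, starting with the 'ɢ' used in the ɢoogle.* domains.
CONFUSABLES = {
    "\u0262": "g",  # LATIN LETTER SMALL CAPITAL G  (ɢ)
    "\u0430": "a",  # CYRILLIC SMALL LETTER A       (а)
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE      (е)
    "\u043e": "o",  # CYRILLIC SMALL LETTER O       (о)
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER      (р)
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES      (с)
    "\u0443": "y",  # CYRILLIC SMALL LETTER U       (у)
    "\u0445": "x",  # CYRILLIC SMALL LETTER HA      (х)
    "\u0131": "i",  # LATIN SMALL LETTER DOTLESS I  (ı)
}

ASCII_LABEL_CHARS = set("abcdefghijklmnopqrstuvwxyz0123456789-")


def decode_label(label: str) -> str:
    """Return the Unicode form of one DNS label; 'xn--' labels are punycode-decoded.

    On the wire (DNS queries, TLS SNI, proxy and web-server logs) an IDN label appears
    in its ASCII 'xn--' form, so a rule that only looks for non-ASCII bytes misses it.
    """
    label = label.lower()
    if label.startswith("xn--"):
        try:
            return label[4:].encode("ascii").decode("punycode")
        except (UnicodeError, ValueError):
            return label  # undecodable ACE label: keep it, it is still flagged below
    return label


def skeleton(label: str) -> str:
    """Collapse a label to the ASCII string a human is likely to read it as.

    NFKC folds compatibility forms (e.g. fullwidth letters) first; the confusables
    table then replaces look-alikes from other scripts or glyph variants.
    """
    folded = unicodedata.normalize("NFKC", label)
    return "".join(CONFUSABLES.get(ch, ch) for ch in folded)


def script_hint(ch: str) -> str:
    """Rough script name: the first word of the Unicode character name."""
    return unicodedata.name(ch, "UNKNOWN").split()[0]


def analyze_host(host: str, protected=("google",)) -> list:
    """Flag labels of a hostname that contain non-ASCII look-alike characters.

    Returns one finding per suspicious label: the decoded label, its ASCII skeleton,
    the scripts mixed into it, and which protected name (if any) the skeleton contains.
    An all-ASCII hostname returns an empty list. Note that mixed-script detection alone
    is not enough: 'ɢ' is a Latin letter, so ɢoogle is single-script yet still a fake.
    """
    findings = []
    for raw in host.strip(".").split("."):
        label = decode_label(raw)
        if set(label) <= ASCII_LABEL_CHARS:
            continue  # ordinary ASCII label, nothing to do
        skel = skeleton(label)
        scripts = {script_hint(c) for c in label if c.isalpha()}
        hit = next((p for p in protected if p in skel), None)
        findings.append({
            "label": label,
            "skeleton": skel,
            "scripts": scripts,
            "impersonates": hit,
        })
    return findings


if __name__ == "__main__":
    # Constructed sample of Host values as they might appear in proxy or DNS logs: the
    # Unicode form, the 'xn--' form actually sent on the wire, a Cyrillic look-alike and
    # a legitimate name.
    samples = [
        "ɢoogle.news",
        "xn--" + "ɢoogletranslate".encode("punycode").decode("ascii") + ".com",
        "\u0430pple.com",
        "google.news",
    ]
    for sample in samples:
        for f in analyze_host(sample, protected=("google", "apple")):
            print(f"{sample}: label {f['label']!r} reads as {f['skeleton']!r}, "
                  f"scripts {sorted(f['scripts'])}, impersonates {f['impersonates']}")
```

Run against a proxy or DNS log feed, a non-empty result for a hostname is the signal to alert on; a match in `impersonates` is the high-priority case.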

Lumelsky also filed a bug report with Google, identifying all of the places in the kill chain where this attack method could be thwarted. This includes not allowing “ɢoogle” domains to be sold; or, if they are, at least not allowing them to be auto-suggested as they were by the Google Domains registrar. Another weak point is the fact that Google’s JavaScript did not check that “window.location” was a legitimate Google domain before allowing the script to be loaded.

The discussions are ongoing, but Google’s response, the researcher said, was: “Thank you for the considerable material, the thought behind it, as well as the actual money used to secure those domain names in creating this report. Homographic attacks are always interesting in their social-engineering application, but more challenging is deploying an attack that will trick not only the user, but also the infrastructure.”

Threatpost reached out to Google for further comment.

The attack method isn’t limited to Google, of course, and there are other weaknesses that it exploits. For instance, Lumelsky pointed out that people should not be able to request an SSL certificate from LetsEncrypt for homographic domains.

“Until there is a solution out there, every big company or service will have to secure their domains and assets, by spending lots of money on similar domain names,” he said. “The steps to reproduce this kind of attack are pretty simple for anyone with basic Linux and networking knowledge.”

Working from Home: COVID-19’s Constellation of Security Challenges

Organizations are sending employees and students home to work and learn — but implementing the plan opens the door to more attacks, IT headaches and brand-new security challenges.

As the threat of coronavirus continues to spread, businesses are sending employees home to work remotely, and students are moving to online classes. But with the social distancing comes a new threat – a cyber-related one.

As organizations rush to shift their businesses and classes online, cybercriminals are ramping up their tactics to take advantage of those who may have inadequate or naive security postures as a result. Given the challenges in securing work- and learn-from-home environments, the attack surface represents an attractive opportunity for threat actors.

“Working from home or online education programs are not new. However, a large, immediate migration of people from enterprise and university networks that are closely monitored and secured, to largely unmonitored and often unsecure home Wi-Fi networks, creates a very large target of opportunity for cybercriminals,” Chris Hazelton, director of security solutions at Lookout, told Threatpost. “These users are outside the reach of perimeter-based security tools, and will likely have higher exposure to phishing and network attacks.”

Attacks Ramp Up

Researchers say that the first rash of efforts aimed at remote students and workers is likely to play on their fears and concerns about what sent them home to begin with – the coronavirus itself.

The concern is more than theoretical. Already, attackers have been leveraging coronavirus-themed cyberattacks as panic around the global pandemic continues – including various malware attacks involving Emotet and other threats. An APT, for instance, was recently spotted spreading a custom and unique remote-access trojan (RAT) that takes screenshots, downloads files and more, in a COVID-19-themed campaign. And, the World Health Organization (WHO) has issued warnings about scammers pretending to be the organization. That activity is expected to expand along with the expanded attack surface, researchers said.

“In general, attackers are looking for a vulnerability to deliver their attack,” Chris Rothe, chief product officer and co-founder of Red Canary, told Threatpost. “In this case, people’s fear over the virus is the vulnerability attackers will look to capitalize on. If an individual is concerned or stressed about the virus they are less likely to remember their security training and will be more likely to, for example, click a link in a phishing email or give their credentials to a malicious web site.”

This forgetfulness when it comes to security can be especially true for those who are not used to working or learning at home: “People working from home get easily distracted, especially if they are normally used to working in the office, and they will mix work with personal email and web browsing,” Colin Bastable, CEO of security awareness training company Lucy Security, said in an email interview. “This increases the risks that they can introduce to their employers and colleagues, by clicking on malware links. So now is a great time to warn people to be ultra-cautious, hover over links and take your time.”

Organizations may be distracted as well, leading to increased risk. For instance, Otterbein University in Columbus, Ohio, was hit with a ransomware attack in the past week, just as it was making preparations to switch to online classes. The situation forced the school to extend its spring break for another week as it dealt with the problem, since it was rendered incapable of delivering online education as planned.

University officials told the local ABC station that it’s unclear what the attack’s infection vector was; and that they’re not sure when things will return to normal – both potential indicators of cybersecurity unpreparedness and IT resources stretched thin.

Top Challenges in Remote Working

A lack of IT resources can bite many organizations as they move to enable remote strategies. When workers and students are sent outside the normal perimeter, managing device sprawl, and patching and securing hundreds of thousands of endpoints, becomes a much bigger challenge.

“As a security team you lose control of the environment in which the user is working,” Red Canary’s Rothe said. “Have they secured their home Wi-Fi? If they’re using a personal computer, what mechanisms do you have to ensure that device isn’t compromised? Essentially, your network perimeter now includes all of your employees’ homes. Some security programs are ready for this, some aren’t.”

In terms of those that aren’t ready, it’s important to remember that there’s a wide swath of companies that don’t normally enable telecommuting, warned Sumir Karayi, CEO and founder of 1E.

“Government, legal, insurance, banking and healthcare are all great examples of industries that are not prepared for this massive influx of remote workers,” Karayi told Threatpost. “Many companies and organizations in these industries are working on legacy systems and are using software that is not patched. Not only does this mean remote work is a security concern, but it makes working a negative, unproductive experience for the employee.”

The challenges are particularly notable for those working in regulated industries, he added, and those that use proprietary or specific software – such as stock traders or airline reservationists.

“Regulated industries pose a significant challenge because they use systems, devices or people not yet approved for remote work,” he said. “Many companies must have secure environments and devices to meet regulations; it is not possible to secure and certify remote work because of security concerns and unauthorized people gaining access. Proprietary or specific software is usually also legacy software. It’s hard to patch and maintain, and rarely able to be accessed remotely.”

Also complicating the picture: Many organizations, including many schools, have proprietary, on-premise software that will require special configurations in order to be made accessible remotely.

“In a world of growing SaaS and cloud adoption this can be very seamless, but if your systems are all on an internal network the challenge is providing users a secure way to access those systems via a VPN or other networking solution,” Rothe noted.

And, adding insult to injury, workers in regulated industries are often stuck with endpoints that have cumbersome security protocols – which ironically can add to the attack surface.

“When they need help from IT, IT often does not have the right tools, so they have to try and take over the machine, which wastes a lot of time and is a security risk,” Karayi noted.

There’s also, of course, the specter of an increased threat from the mobile sphere. “Students and workers remaining at home, or possibly stranded in remote locations, are going to be heavily dependent on their mobile devices,” Lookout’s Hazelton said. “Mobile attacks are particularly effective because they often trigger immediate responses from recipients – instant communication platforms like SMS, iMessage, WhatsApp, WeChat and others.”

Best Practices for Remote Working and Learning

Fortunately, companies and schools can plan for distance learning and working in order to meet some of these challenges.

“The first step employers should take right now is to conduct a remote-work tabletop exercise with their key executives and line of business leaders,” said Rick Holland, CISO and vice president of strategy at Digital Shadows, speaking to Threatpost. “You need to inventory your business applications and identify the mission-critical ones. For SaaS applications, follow up with your providers and inquire about their business continuity plans. For on-premises applications that require VPN connectivity, test and validate that VPN connectivity for higher utilization than usual.”

Making risk-assessments of remote workers’ computing setups is essential as well, he added. Questions to ask include how they will connect to the company’s systems, and from which devices.

“The staff could connect from company-issued laptops or options like Citrix or Amazon Workspaces that enable staff to work from any device,” Holland said. “It might also be necessary to roll out new VoIP and increase web conferencing services licenses.”

It’s also important to consider the issue of on-premises software, including costs. “You cannot replace legacy on-premises applications overnight, so increasing VPN capacity to accommodate more staff working remotely could be expensive,” Holland said. “One of the unintended consequences of COVID-19 will likely be increased zero trust adoption that further embraces cloud services, eliminates VPNs, and enables employees to work from anywhere.”

And finally, given the social-engineering aspect of most attacks, user education is more important than ever.

“So yes, make sure your employees and students are up-to-speed with the latest info on the coronavirus and that they know how to protect themselves and their families from the virus itself, as well as all the fraud artists following in its wake,” said Eric Howes, principal lab researcher at KnowBe4.

DoppelPaymer Ransomware Used to Steal Data from Supplier to SpaceX, Tesla

Cyber attack at Visser Precision, which builds custom parts for the aerospace and automotive industries, reveals sensitive company data.

A company that provides custom parts to aerospace giants Lockheed Martin, SpaceX and Boeing, has been the target of an attack by an emerging type of ransomware that can both encrypt files and exfiltrate data.

Colorado-based Visser Precision said it was targeted by a “cyber incident” that involved the attacker accessing and stealing company data after a security researcher found some of the company’s stolen files leaked online.

Visser makes what are called “precision” parts for several industries, including automotive and aeronautics, with some high-profile customers that typically impose heavy security requirements due to the sensitive and competitive nature of their work.

Brett Callow, a threat analyst at anti-malware security firm Emsisoft, discovered the documents—a series of nondisclosure agreements Visser has with companies including SpaceX, Tesla, Honeywell, General Dynamics and others—on a hacker website and began alerting news outlets, according to published reports in Forbes and TechCrunch.

Attackers also tweeted in an account using the name “DoppelPaymer” that more files were on the way, alerting researchers that attackers likely used the DoppelPaymer ransomware in the attack, according to reports.

DoppelPaymer is an emerging type of ransomware that not only locks companies out of their own computer systems by encrypting files—the hallmark of typical ransomware—but also can exfiltrate company data and use it as collateral.

A February report by BleepingComputer noted that DoppelPaymer had shifted its tactics to include not just stealing a victim’s data, but also threatening to publish or sell that data if the victim did not pay the ransom.

This new show of sophistication in ransomware makes the tough decision of whether to pay the hackers’ ransom even more difficult for companies, which typically are advised not to pay in such a scenario, said one security expert.

“The evolution of ransomware from simply keeping data unusable, to that plus threatening to release it, is insidious in its premise,” Mike Jordan, vice president of research, Shared Assessments, said in an email to Threatpost. “Deciding whether to pay a ransomware extortionist always involves a financial calculus where you determine whether paying is cheaper than recovering the data on your own.”

The new methods that malware like DoppelPaymer and Maze employ are raising the stakes for victims of ransomware and increase the potential for financial loss if sensitive or classified data is revealed by threat actors, he said.

“If data is regulated, such as personal information, fines get introduced,” Jordan said. “And when the victim is a third party supplier of other companies, the potential loss of revenue from customers that lose faith in their ability to manage cybersecurity threats is also a particularly expensive variable.”

Indeed, some of the companies that appear on the list of revealed documents, such as Lockheed Martin, Boeing, Honeywell and General Dynamics, also have defense contracts with the federal government–which means they also deal in highly classified information. The threat of the release of this type of data definitely raises the stakes for Visser when considering whether to pay attackers, experts noted.

Targeting customer contracts also was a clever tactic by the attackers, as it has the potential to cause long-term damage not only to Visser but the customers affected, Jordan observed.

“Revealing confidentiality agreements threatens the possibility of revealing the contracts behind those agreements,” he said. “Revealing pricing puts the victim at a disadvantage to its competitors now and in the future, as they are still bound to those agreements, whereas competitors could undercut them. Additionally, revealing contracts put victims at risk of breaking confidentiality agreements, allowing customers to lawfully break favorable agreements.”

Of the companies affected in the Visser attack, only officials at Lockheed Martin so far have publicly acknowledged that they are aware of the situation, according to reports.

Walgreens Mobile App Leaks Prescription Data

A security error in the Walgreens mobile app may have leaked customers’ full names, prescriptions and shipping addresses.

Popular pharmacy chain Walgreens is warning that a bug in its official mobile app may have exposed sensitive data, including customers’ full names and information on prescriptions for medications they are taking.

The security issue stemmed from an “error” in the personal secure messaging feature of Walgreens’ mobile app. The mobile messaging feature is a service for registered customers to receive SMS alerts for prescription refill notifications, deals and coupons. While Walgreens did not detail the technical glitch, it said that the internal application error enabled certain personal messages, stored in a database, to be viewed by other customers who were using the mobile app.

“As part of our investigation, Walgreens determined that certain messages containing limited health-related information were involved in this incident for a small percentage of impacted customers,” according to a Walgreens data security incident customer notification, filed with the Office of the Attorney General and published Friday. “We believe that you were part of the impacted customer group and that one or more personal messages containing your limited health-related information may have been viewed by another customer on the Walgreens mobile app between January 9, 2020 and January 15, 2020.”

That potentially exposed data includes first and last names of customers, their prescription numbers and drug names, store numbers that customers picked up prescriptions from, and shipping addresses. Walgreens said that financial information and Social Security numbers were not impacted.

After the issue was discovered on Jan. 15, “Walgreens promptly took steps to disable the message viewing feature within the Walgreens mobile app to prevent further disclosure until a permanent correction was implemented to resolve the issue,” according to the notice. “Walgreens will conduct additional testing as appropriate for future changes to verify the change will not impact the privacy of customer data.”

Fausto Oliveira, principal security architect at Acceptto, said the incident looks like a typical example of a lack of proper testing.

“If the error conditions in the app had been properly tested, this type of issue should have been caught by the quality assurance department and never seen in production,” he told Threatpost. “It is unfortunate that often in the rush to go to market, shortcuts are taken and due-diligence testing is skipped in favor of meeting a release date. It also raises questions as to why wasn’t this information encrypted so that even if it was written to a database it would be unreadable and also how come individuals had access to a copy of the database? A proper design would have ensured that any records accessible on the mobile device would be encrypted using per user keys and that the device would only have access to the information that was relevant to the specific user.”

Walgreens recommended that customers monitor their prescriptions and medical records. The company did not say how many customers were impacted, or how many people actually accessed the exposed information (Threatpost has reached out for further comment). But the potential number of people impacted is vast based on Walgreens’ customer base. The company interacts with approximately 8 million customers in its stores and online each day, and filled 1.2 billion prescriptions on a 30-day adjusted basis in fiscal 2019, according to its website. And, the Walgreens mobile app on the Google Play app marketplace has more than 10 million downloads.

The fact that prescriptions were leaked “is worrying,” said Oliveira, since it discloses health conditions that may be used for malicious attacks like blackmailing. A bad actor who got his hands on this data, for instance, could threaten to make employers aware of victims’ conditions that they may not want to reveal.

“I think the offer from Walgreens to place the customers in several credit-card monitoring companies, is ineffective and does not help at all to address the concerns,” he told Threatpost. “If the information has been leaked, it is out there and credit-card monitoring companies cannot do anything to prevent the information from spreading. This is a situation where preventing this type of events from happening in the first place is the only cure.”

It’s not the first time that Walgreens has dealt with a security issue. In 2013, the company was hit with a $1.4 million penalty for a data breach after a pharmacist in a Walgreens store in Indianapolis inappropriately viewed and shared a woman’s prescription history.

$1M grant kick-starts cyber research at Texas A&M-San Antonio

Texas A&M University-San Antonio will advance cyber research through a newly established Cyber Engineering Technology/Cyber Security Research Center with a $1 million grant from The Texas A&M University System Chancellor’s Research Initiative (CRI). The center will be housed in the Department of Computing and Cyber Security within the College of Business.

Some of the major research areas to be investigated at the center include security and privacy in the internet of things and cloud computing, secure vehicle-to-vehicle communications and cyber-physical systems. The grant will also be used to enhance research collaborations with local and regional research institutions.

Chancellor John Sharp created the Chancellor’s Research Initiative in 2013 for Texas A&M University and Prairie View A&M University to hire highly qualified professors who would impact the academic and research missions of those schools. Two years later, he expanded it to the rest of the A&M System.

“It is through research that the Texas A&M System can tackle global problems,” said Sharp. “I am proud that A&M-San Antonio will be involved in the critical field of cybersecurity.”

“This grant takes A&M-San Antonio to the next level of research,” said Dr. Cynthia Teniente-Matson, president of A&M-San Antonio. “We anticipate the A&M University System will see a great return on its investment in cybersecurity here in San Antonio, as well as contribute to advancing research related to the advancing science of the effectiveness for the internet of things.”

The grant will be shared with the Texas A&M Engineering Experiment Station (TEES), which will receive about a third of the money.

“The Texas A&M System is dedicated to protecting against cyberattacks of government, businesses and individuals,” said Dr. M. Katherine Banks, vice chancellor and dean of engineering and national laboratories and TEES director. “TEES and Texas A&M have built strong academic and research programs in cybersecurity, and this new grant will allow us to leverage our activities with those at A&M-San Antonio for increased impact.”

“The Cyber Engineering Technology/Cyber Security Research Center will develop foundational research infrastructure with cutting-edge technology and equipment to facilitate research in various areas and provide campus-wide infrastructure and resources for faculty and student research,” said Dr. Akhtar Lodgher, chair of the Department of Computing and Cyber Security. A portion of the grant will support existing degree programs at A&M-San Antonio, such as Cyber Engineering Technology, as well as future graduate programs. Dr. Smriti Bhatt and Dr. Lo’ai Tawalbeh, under the supervision of Dr. Lodgher, submitted the winning proposal.
RSAC 2020 Keynote: Changing the World’s False Perception of Cybersecurity

The reality of the cybersecurity industry is starkly different than what’s perceived by the rest of the world.

SAN FRANCISCO – Today, cybersecurity is portrayed in the media and by businesses as an ongoing, complex conflict between defenders and cybercriminals, with heightened noise around hyper-technical proof-of-concept attacks or nation-state threats. But the reality is starkly different, said Rohit Ghai, president of RSA, speaking on Tuesday at the RSA Conference.

The security industry needs to branch out beyond its historically “narrow culture” and change how it is perceived by the rest of the world. The narrative around cybersecurity needs to instead emphasize the human players behind cybersecurity, including the IT teams working in companies, the cybercriminals who are launching cyberattacks, the businesses who are working with security teams – and, importantly, the end users who are often the true victims.

“We are only as good as the story we leave behind,” he said. “The story we want is a business story of cyber resilience, not a technical story of cyber ping pong. The struggle that we often see in these types of stories engenders pity and fear, but it’s not one of the defender, but one of the protected.”

Often, hackers are portrayed as “technical sorcerers” while defenders are “hapless techies focused on zero-day vulnerabilities and only the most advanced threat vectors,” Ghai said. That picture does not match reality, he said.

Cybercriminals are not always sophisticated, and in fact, more script kiddies exist than technically savvy hackers, said Ghai. The difference is that cybercriminals are more organized and create tools and exploit kits that allow less sophisticated actors to become well equipped in launching attacks.

Meanwhile, defenders are often grappling with burnout stemming from an industry plagued by a talent gap, complexity and noise. Instead of preventing sophisticated attacks, defenders are more often spending their time trying to block against ordinary phishing and business email compromise (BEC) scams, said Ghai.

To hit back against this difference with reality, the security landscape needs to change the narrative of its story, he said. “We need to reclaim our narrative, reorganize our defense, and rethink our culture.”

Ghai asserts that the cybersecurity landscape needs to better engage the media and share not just losses, but also wins. While the city of Atlanta’s 2018 ransomware attack was widely covered in the media, what didn’t hit the headlines as much were the small “wins” in how the city dealt with the attack. For instance, the city did not pay the $51,000 ransom payment – a loss for the cybercriminals – and also created a robust business continuity plan for its future, which Ghai called an eventual win.

The industry also needs to hold IT and device manufacturers accountable for better security – something that has already started with the introduction of regulatory efforts. With the proliferation of the Internet of Things, for instance, security is too often left in the dust – opening end users up to concerning security and privacy threats.

Most importantly, he said the cybersecurity industry needs to shift from a “culture of elitism to one of inclusion” by looking for defenders that are outside of the tech community. For instance, IT teams in industrial companies are also finding themselves increasingly dealing with operational technology teams in an effort to better secure industrial control systems.

Ghai said that business leaders and risk officers are now also interested in the story of cybersecurity – and in fact, more than 76 percent say cyber risk will increase in 2020 – but they remain on the sidelines. Instead, board members and risk officers need to be actors in the story, “the ‘zero-th’ line of defense,” as he called it.

Wendy Nather, head of advisory CISOs at Cisco, agreed, saying that the security space needs to shift its relationship with other industries. “We have to open up our security culture to everybody,” she said on Tuesday. “Security needs to be basic knowledge and freely available. We can’t shoehorn people into our narrow society culture.”

At the end of the day, security is a story that needs to include special attention to human characters, said Ghai. “Our story has global mindshare now – but we have lost control of the narrative,” he said. “We need to find the story of our industry playing its part.”

Data Breach Occurs at Agency in Charge of Secure White House Communications

A leak at the Defense Information Systems Agency exposed personal information of government employees, including social security numbers.

Hackers have compromised the Department of Defense (DoD) agency in charge of securing and managing communications for the White House, leaking personally identifiable information (PII) of employees and leading to concerns over the safety of the communications of top-level U.S. officials in the run-up to the 2020 presidential election.

Reuters first reported the data breach at the Defense Information Systems Agency (DISA), part of the DoD, on Friday, citing letters seen by the news outlet that were sent to people allegedly affected by the breach.

DISA, headquartered at Fort Meade in Maryland, provides direct telecommunications and IT support for President Trump, Vice President Mike Pence and their staff, as well as the U.S. Secret Service, the chairman of the Joint Chiefs of Staff and other senior members of the armed forces, according to the agency’s website.

Last week Andy Piazza, chief evangelist with phia LLC—a security firm specializing in cyber defense and cyber intelligence operating in the Washington area—posted on Twitter a photo of one of the letters, which was dated Feb. 11.

“During the May to July 2019 time frame, some of your personal information, including your social security number, may have been compromised in a data breach on a system hosted by the Defense Information Systems Agency,” states the letter, signed by Roger Greenwell, DISA CIO and risk management executive.

Piazza’s comment accompanying the letter suggests this is not the first time DISA has experienced a breach, pointing to a persistent problem in security at the agency that handles some of the most sensitive information in the world.

“Awesome,” he tweeted. “Got another #PII #breach letter from DoD. Is this like Pokémon where I want to catch them all?”

DISA employs about 8,000 military and civilians, but also works with private companies that have certifications to work as federal contractors.

The agency also was part of the task force that helped reform the government security clearance process following digital break-ins at the U.S. Office of Personnel Management in 2014 and 2015, according to Reuters. That breach resulted in the compromise of records belonging to more than 21 million current and former government employees.

At this time it’s unclear how many people may have been affected by the DISA breach, although a separate report said it could be as many as 200,000.

DISA does not believe that any data from the breach has been misused, Greenwell wrote. However, it is still taking steps to mitigate further breaches, according to the letter.

“We take this potential data compromise very seriously,” Greenwell wrote. “As a result we have put additional security measures in place to prevent future incidents and we are adopting new protocols to increase protection of all PII.”

Still, the breach is troubling on a number of levels. While DISA has not disclosed specifics on the leak in terms of the type of compromise and the system affected, one expert suggested the threat actors were probably working on behalf of a nation-state, given the target, and are probably planning more attacks.

“No doubt this was a state-sponsored activity; this breach will be used to further target DISA employees with admin access to highly sensitive networks,” Rosa Smothers, senior vice president of cyber operations, KnowBe4, said in an email to Threatpost. “It’s a painful irony that the agency charged with providing secure comms for the White House has fallen victim to a data breach.”

The hack also could have grave implications for the upcoming presidential election, especially with the memory of Russian interference in 2016 still fresh in many minds. There already has been evidence that an Iran-based state-sponsored group tried to hack email accounts belonging to President Trump’s 2020 re-election campaign, which is just one of the numerous threats that currently exist that could undermine the integrity of the vote come November.

Burning Man Tickets for $225? Yep, Too Good to Be True

Scammers are posing as event organizers in a sophisticated fraud effort.

Burning Man aficionados anxious to get their tickets squared away for the 2020 “experience” should beware: Fake concert organizers are offering passes in what researchers say is a very convincing and sophisticated scam effort.

Burning Man, which bills itself as a “vibrant participatory metropolis generated by its citizens,” is scheduled to happen August 30 – September 7 in Black Rock Desert in Nevada. It attracts tens of thousands of people: Artists, music fans, celebrities, tech enthusiasts, off-gridders, hippies, new agers, old-school punks and more. It features a mix of communal villages, art installations, audio-visual presentations, and of course, setting large effigies on fire.

Tickets are released in stages; snagging one requires pre-registration and luck, as they’re limited. Prices run from $495 to $1,400, with low-income registration available for $210 – and vehicle passes are required on top of that. To boot, no money is exchanged at Burning Man, so participants are expected to bring food, supplies, shelter and anything else they might need – all adding up to a potentially very expensive jaunt indeed.

In other words, getting a ticket is a process and everyone’s looking to save money doing it. While scams looking to prey on fan desperation are common, researchers at Kaspersky said that a new wrinkle has emerged this year.

Fraudsters have set up a fake website (see below) that closely mimics the official Burning Man site, in an effort to fool visitors into thinking it’s the real deal. The cybercrooks have co-opted the same colors, fonts and design elements as the real thing, and “it looks real to the untrained eye,” Kaspersky said in a post this week. Further, “the URL contains the name of the festival — ‘burningman,’ which on its own may be enough to convince the inexperienced visitor of its authenticity.”

The ticket information section is nearly identical to the real site as well – with one crucial difference. Instead of requiring pre-registration, the scammers say that they’re offering tickets immediately – and for only $225.

“To hurry the victim along, the cybercriminals claim that only 300 tickets are left, and that the next batch will appear only a month later and at a higher price,” researchers explained. “The offer promises a ‘GUARANTEED benefit’ of 150 percent, no less, though what that ‘benefit’ might be is left to the reader’s imagination.”

Clicking the link opens an order form asking for personal details and payment information.

“Unsurprisingly, Burning Man has caught the eye of scammers, and all the more so because tickets are costly,” according to Kaspersky. “The official Burning Man website offers tips about avoiding scalpers and scammers. But that’s for dealing with third parties. A more deceptive scam, one that we recently uncovered, involves scammers pretending to be festival organizers.”

Burning Man fans can avoid being, well, burned, by carefully inspecting any site before entering payment details. Look for multiple pages, for one: Burning Man’s real website has event history, an invitation to collaborate, press releases, archives from past festivals, and so on. Googling any special offers or discounts should also turn up not only the official site first, but also information about this and any other scams that might pop up, researchers advised.