FFT news digest February 11 2022

Unauthenticated

Despite years of trying, Microsoft says only 22% of Azure Active Directory customers have adopted multi-factor authentication. Its new Cyber Signals report underlines the scale of attempts to compromise online accounts. "From January 2021 through December 2021, we've blocked more than 25.6 billion Azure AD brute force authentication attacks and intercepted 35.7 billion phishing emails with Microsoft Defender for Office 365," it says. We'd be the first to accept rolling out MFA can be challenging, but the effort is worth it. This week, Google said it had automatically enabled two-step verification for over 150 million people and this resulted in a 50% decrease in accounts being compromised compared to those not enrolled.

Multi-factor authentication is essential, but it's not foolproof - and attackers are constantly developing new ways to bypass it. Proofpoint has details of three new phishing kits specifically designed to overcome MFA. They work by exploiting a key element of the MFA process: the session cookie. They steal it by sitting between the user and their destination. This allows the attackers to harvest the user's credentials as they're entered. These are forwarded to the destination, which issues a session cookie in return. The attacker intercepts that and forwards it to the user, but not before copying it, thus gaining access to the targeted account without the need for credentials or MFA.

As Proofpoint points out, kits like these have been around for years but little has been done to combat them. Proofpoint describes them as an "industry blind spot". It cites research from Stony Brook University and Palo Alto Networks that developed an automated tool to identify the reverse proxies used by the kits. The result: more than 1,200 phishing sites. There's not much a user can do to prevent such attacks, but the research does suggest a number of potential mitigations, including using a separate channel to manage the second authentication factor.
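To show the detection side of the cookie-theft flow described above, here is an added example (not code from Proofpoint or the cited research): a small Python check over constructed log lines that flags a session cookie being presented from a client fingerprint (source IP and user agent) other than the one the session was first issued to. The log format and field names are assumptions.

```python
import re
from datetime import datetime

# Constructed sample log lines (not from the page): one line per authenticated request.
# Session S1 is issued to one client, then presented from a different IP and browser.
SAMPLE_LOG = """\
2022-02-10T09:00:01Z user=alice sid=S1 ip=203.0.113.10 ua=Firefox/97
2022-02-10T09:00:05Z user=alice sid=S1 ip=203.0.113.10 ua=Firefox/97
2022-02-10T09:01:30Z user=alice sid=S1 ip=198.51.100.77 ua=Chrome/98
2022-02-10T09:30:00Z user=bob sid=S2 ip=192.0.2.5 ua=Safari/15
2022-02-10T09:31:00Z user=bob sid=S2 ip=192.0.2.5 ua=Safari/15
"""

# Assumed log format: "<timestamp> user=<name> sid=<session id> ip=<addr> ua=<user agent>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) sid=(?P<sid>\S+) ip=(?P<ip>\S+) ua=(?P<ua>.+)$"
)

def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec

def find_session_reuse(log_text):
    """Flag each session cookie that is later presented from a client fingerprint
    (ip, ua) different from the one it was first seen with. A cookie copied by a
    reverse-proxy phishing kit and replayed by the attacker shows this pattern."""
    first_seen = {}   # sid -> (fingerprint, timestamp, user) at first use
    flagged = set()   # (sid, fingerprint) pairs already reported
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        sid, fp = rec["sid"], (rec["ip"], rec["ua"])
        if sid not in first_seen:
            first_seen[sid] = (fp, rec["ts"], rec["user"])
            continue
        orig_fp, orig_ts, user = first_seen[sid]
        if fp != orig_fp and (sid, fp) not in flagged:
            flagged.add((sid, fp))
            alerts.append({"sid": sid, "user": user, "original": orig_fp,
                           "replayed_from": fp,
                           "seconds_after_login": int((rec["ts"] - orig_ts).total_seconds())})
    return alerts

if __name__ == "__main__":
    for alert in find_session_reuse(SAMPLE_LOG):
        print(alert)
```

A fingerprint change alone is not proof of theft (mobile users roam between networks), so in practice the alert is a trigger for re-authentication or session revocation rather than an automatic lockout.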

Threats

Mac attack: Unusually sophisticated malicious software is being constantly updated to attack Mac users. It enters systems via popup ads for video apps or technical support utilities. Browser beware. Microsoft

30 minutes: A nasty piece of malicious software known as Qbot begins stealing data within just half an hour of the original infection. That infection comes via Excel macros, which are soon to be blocked (see below). The DFIR Report

SIM swaps: There's been an extraordinary rise in the number of incidents in which scammers pose as existing customers to obtain a replacement SIM card. The FBI says losses from the scam totalled $12 million in the three years to December 2020. Last year, the figure was $68 million. Your phone number can be as valuable as your bank account. It's vital to protect it.

LinkedIn: The business networking site has a handy marketing tool that shortens web addresses. You won't be surprised to learn it's being abused to hide links to phishing pages that mimic leading brands. Krebs on Security

Telegram: The messaging platform's 'People Nearby' feature can be "weaponised as a form of mass surveillance", according to a researcher. Telegram has some very valuable features, but we suggest it's used with care.

Override: A technique that's at least 20 years old has been revived and is being widely used. It involves messing with the way a filename is displayed, and Vade says it's being used to make Microsoft 365 users think they're opening an audio file when they're really being connected to a phishing site.

Shoulder surfing: Do you use banking apps or log in to social media in public? If so, ESET has a couple of cautionary tales setting out the risks of people peering over your shoulder.

Remote working

With apologies for banging on about this but... remote working is a key risk that needs to be taken seriously. In the latest research on the subject, Diligent found that 82% of companies that reported a breach said it resulted from issues or behaviour related to working from home. And a study from Check Point pointed to a "gap" in security created by remote working. Neither of these companies is a disinterested party - because they'd love to sell you solutions - but their findings are valid. Unmanaged access to corporate resources from personal devices, lack of email and mobile security, and poor or non-existent protection for web browsing all contribute to an extraordinarily dangerous situation that, as Diligent says, can't be fixed by "box-ticking".

Ransomware

The threat from ransomware continues to grow, with increasingly professional criminal gangs and a rising threat to critical infrastructure. Cybersecurity authorities in the US, UK and Australia say they have seen "an increase in sophisticated, high-impact ransomware incidents against critical infrastructure organizations globally". They have good advice on protection, including keeping devices and software updated and being very careful about any use of Remote Desktop Protocol. To underline the threat, the authorities describe how ransomware gangs have begun setting up arbitration systems to settle payment disputes. 

Proving your age in the UK

The UK government has revived plans to force pornography websites to verify the age of their users - or face swingeing fines. The last attempt to introduce this foundered amid a tide of criticism and practical problems. Neither of those has gone away, but the government appears determined not to be swayed this time. Like most people, we're wholeheartedly in favour of protecting children from the torrent of explicit material around them, but the proposals appear woefully ill thought-out. Quite apart from concerns over privacy and civil liberties, it will be almost impossible to prevent unfettered access to porn sites outside the UK (unless of course the UK wishes to emulate 'The Great Firewall of China'). And just to complicate matters, social media sites have been added to the mix.

News Corp

Attackers - most likely from China - were able to spend two years rifling through documents and emails belonging to journalists from many of News Corp's companies, including The Wall Street Journal, Dow Jones and The Times. The company's cybersecurity consultant said the operation was probably designed to gather intelligence on subjects including Taiwan, the Uighur ethnic group, and the Biden administration. It's thought the attackers gained access to the organisations' Google Workspace accounts not because of vulnerabilities in them, but because at least one person was taken in by a targeted email that persuaded them to enter their credentials on a fake login page.

In brief

NSO: More problems for the maker of Pegasus spyware following (excellent) reporting by Israeli news outfit, Calcalist. Police are investigating its latest revelations about illegal surveillance operations against Israeli public figures, journalists and ministry heads.

Meta Europe: Despite some reports (and much to the probable disappointment of the French Finance Minister), Facebook and Instagram aren't pulling out of Europe. Parent company Meta said its remarks were merely highlighting a business risk caused by data protection regulations.

Grope gap: Meanwhile, Meta's virtual reality "metaverse" is having anti-groping protections added to it. Avatars will be given a four-foot 'cordon sanitaire' which others will not be allowed to enter.

Zoom: Some Mac users say the Zoom app is keeping their computer's microphone on when they aren't using it. This is despite an update in December that was supposed to fix the issue.

Naughty Siri: Apple kept recordings of interactions with its voice assistant even when it was told not to. The issue lay in the 'Improve Siri and Dictation' setting. Apple says the problem was fixed in iOS 15.2.

Facial recognition: The US Internal Revenue Service is giving up on its plans to force taxpayers to authenticate themselves with facial recognition. The American Civil Liberties Union explores what it sees as the potential dangers of such technologies.

Truecaller: The app that's designed to show you who's really calling will be installed by default on Android phones in large parts of the world including Latin America, India and Indonesia. It's a useful service, but you can't control whether someone adds your number to it which can create a significant risk for, say, a visiting journalist trying to hide their identity.

Brain interface: Tired of your keyboard and mouse? A couple of researchers in the US have come up with a DIY brain-computer interface. It will be distributed via a "crowd sale". What could possibly go wrong. 

Updates

Microsoft: 'Only' 51 fixes in Microsoft's monthly security update - and none rated 'Critical', though arguably some should be.

Macros: A significant decision by Microsoft will block macros originating from external sources, an issue that has been a risk for users since at least 2000. The change will come into force in April, and will make it difficult (though not impossible) to enable such macros.

Azure: One other change from Microsoft. Azure users will now be able to restore a 15-day-old backup, as opposed to the current 72 hours.

Apple: Security updates for iOS, iPadOS, macOS, and Safari to address a serious flaw that it says may have been actively exploited. It's Apple's third zero-day (i.e. previously unknown) patch this year. The macOS update should also fix a battery drain issue.

Adobe: Updates for 17 issues affecting Premiere Rush, Illustrator, Photoshop, AfterEffects, and Creative Cloud Desktop Application. Five are rated 'Critical'.

SAP: The US Cybersecurity and Infrastructure Security Agency has joined SAP in urging users to install a vital update for SAP Internet Communication Manager (ICM).

Firefox: Version 97.0 is mainly focussed on security fixes, with only a few changes and additional features.

Signal: A new feature allows users to change phone numbers without losing their existing chats, groups, and messages.

Tails: Version 4.27 updates the Tor Browser and the Thunderbird email client, and fixes some WiFi issues.

Zimbra: An emergency fix has been released for a serious vulnerability in Zimbra 8.8.15.

Instagram: To mark Safer Internet Day, a couple of new features make it easier to view activity and manage account security.
