by Richard Beck

UK universities awarded funding for research into IoT, smart home security

A number of British universities have been awarded a grant to explore the security issues surrounding internet of things (IoT) and smart home devices, as well as to determine ways to warn consumers of the risks. Announced on 13 July, the PrivIoT project, led by Dr James Nicholson, a lecturer at Northumbria University’s Computer and Information Sciences department, will also involve academics from Royal Holloway, Manchester, and Nottingham universities. The grant was awarded by the PETRAS National Centre of Excellence, an organisation focused on the social and technical aspects of deploying IoT into the consumer sphere.

The UK government is pushing for businesses and home users to permit smart meter installations on the grounds of reducing carbon emissions. However, there are already some security concerns surrounding these devices, including patterns of use, device hijacking, and house occupancy monitoring.

When it comes to web security, the team may also examine issues surrounding IoT botnets and distributed denial-of-service (DDoS) attacks as use cases. The first phase of the research is underway, which will include study analysis and data collection. Researchers will be hired to help with the data collection stage, and companies including Toshiba, OTASKI Energy Solutions, and CybSafe will also be participating in the project.

Biden orders CISA and NIST to develop cybersecurity goals for critical infrastructure

President Joe Biden signed a memorandum on Wednesday addressing cybersecurity for critical infrastructure, ordering CISA and NIST to create benchmarks for organisations managing critical infrastructure. The move builds on, and formalises, an effort started in April around securing industrial control systems, which are now facing a barrage of attacks from both cybercriminals and state-backed entities. 

In a press briefing, a senior administration official explained that federal cybersecurity regulation in the US is sectoral, noting that the country has "a patchwork of sector-specific statutes that have been adopted piecemeal, typically in response to discrete security threats in particular sectors that gained public attention." 

The memorandum formalises the Industrial Control Systems Cybersecurity Initiative, which the White House said was a "voluntary, collaborative effort between the federal government and the critical infrastructure community to significantly improve the cybersecurity of these critical systems."

The first part of the initiative started with the electricity subsector, according to a statement from the White House. The pilot will now start a second round on natural gas pipelines. Water and wastewater sector systems, as well as the chemical sector, will be next. The White House acknowledged that each organisation has different cybersecurity needs, but it ordered CISA and NIST to work together on creating cybersecurity baselines "that are consistent across all critical infrastructure sectors" and "security controls for select critical infrastructure that is dependent on control systems." The memorandum comes one day after Biden caused a minor stir with his comments about the ability of a cyber conflict to turn into a physical war.

Survey shows reasons for cloud misconfigurations are many and complex

Media reports on misconfigured cloud resources are common. A researcher discovers the misconfiguration, reports it, and it is usually remedied. But in less time than it takes for it to be discovered and remedied, you can guarantee that hackers have already been there. Every misconfiguration report you read will describe a database that attackers have visited. A new Fugue/Sonatype report (The State of Cloud Security 2021) confirms the issue as cloud professionals’ biggest concern, and delves into the causes and possible solutions to the problem.

Fugue surveyed more than 300 cloud professionals, including cloud engineers, cloud security engineers, DevOps, and cloud architects, to better understand the risks, costs and challenges of managing cloud security at scale. Gartner suggests that through 2023, at least 99% of cloud security failures will be the customer’s fault, mainly in the form of cloud resource misconfiguration. The practitioners do not disagree, with 83% of the survey respondents voicing concern that their organisation is at risk of a cloud-based data breach. The primary reason is insufficient focused resources to manage the size and complexity of enterprise cloud usage. There are too many APIs and interfaces to govern (cited by 32% of the respondents), a lack of controls and oversight (31%), a lack of policy awareness (27%), and negligence (23%). Twenty-one percent said they do not check Infrastructure as Code (IaC) prior to deployment, and 20% do not adequately monitor their cloud environment for misconfiguration.

Hackers leak full EA data after failed extortion attempt

Hackers leaked 751GB of compressed Electronic Arts (EA) data containing the FIFA 21 source code. This data dump comes from a hack that took place in June 2021. EA says no player data was included in the stolen data, confirmed by the data leaked this week. The hackers who breached EA last month have released the entire cache of stolen data after failing to extort the company and later sell the stolen files to a third-party buyer. The existence of this leak was initially disclosed on 10 June, when the hackers posted a thread on an underground hacking forum claiming to be in possession of EA data, which they were willing to sell for $28 million.

“Following the incident, we’ve already made security improvements and do not expect an impact on our games or our business,” an EA spokesperson told The Record. “We are actively working with law enforcement officials and other experts as part of this ongoing criminal investigation.”

After failing to find a buyer, the hackers tried to extort EA, asking the company to pay an undisclosed sum to avoid having the data leaked online. Initially, they released a cache of 1.3GB of FIFA source code on 14 July, only to release the entire data set two weeks later after EA shunned their threats.

New WeTransfer phishing attack spoofs file-sharing to steal credentials

According to a report from Armorblox, cybercriminals are spoofing the WeTransfer file hosting system to carry out credential phishing attacks. The phishing email's subject line is "View Files Sent Via WeTransfer". The email carries WeTransfer branding and claims that WeTransfer has shared two files with the victim, with a link that leads to a phishing page featuring Microsoft Excel branding. The similarity is enough to come across as a genuine WeTransfer email and can easily deceive unsuspecting users. The email body also makes several references to the target organisation to appear legitimate.

When the victim clicks on View Files, the link leads them to a phishing page supposedly of Microsoft Excel, with a blurred-out spreadsheet in the background and a form in the foreground that requires the victim to enter login credentials. It already contains the victim’s email address to create a sense of legitimacy around the entire process.

A range of techniques has been used to evade conventional email security filters and lure unsuspecting users. This includes social engineering, as the email title, content, and sender name have been designed to create a sense of trust and urgency in the victims.

Several malicious typosquatted Python libraries found on PyPI repository

As many as eight Python packages that were downloaded more than 30,000 times have been removed from the PyPI portal for containing malicious code, once again highlighting how software package repositories are evolving into a popular target for supply chain attacks.

"Lack of moderation and automated security controls in public software repositories allow even inexperienced attackers to use them as a platform to spread malware, whether through typosquatting, dependency confusion, or simple social engineering attacks," JFrog researchers Andrey Polkovnichenko, Omer Kaspi, and Shachar Menashe said on Thursday.

PyPI, short for Python Package Index, is the official third-party software repository for Python, with package manager utilities like pip relying on it as the default source for packages and their dependencies. PyPI is hardly alone among software package repositories that have emerged as a potential attack surface for intruders, with malicious packages uncovered in npm and RubyGems equipped with capabilities that could potentially disrupt a whole system or serve as a valuable jumping-off point for burrowing deeper into a victim's network.
