More stories

  • This sneaky trick lets attackers smuggle malware onto your network

    Microsoft has flagged a relatively new style of attack, dubbed “HTML smuggling”, which is being used in email campaigns that deploy banking malware and remote access Trojans (RATs), and as part of targeted hacking attacks.

    HTML smuggling lets an attacker “smuggle” an encoded malicious script within a specially crafted HTML attachment or web page. It’s a “highly evasive” malware delivery technique that uses legitimate HTML5 and JavaScript features, warns the Microsoft 365 Defender Threat Intelligence Team.

    It’s a nasty trick that bypasses standard network perimeter security, such as web proxies and email gateways, since the malware is built inside the network after an employee opens a web page or attachment with the malicious HTML script. So, a company’s network can be hit even if gateway devices check for suspicious EXE, ZIP, or Office documents.

    “When a target user opens the HTML in their web browser, the browser decodes the malicious script, which, in turn, assembles the payload on the host device. Thus, instead of having a malicious executable pass directly through a network, the attacker builds the malware locally behind a firewall,” Microsoft warns.

    It’s a practical attack technique because most businesses use HTML and JavaScript to run their business apps. The problem is that there’s been a recent surge in HTML smuggling attacks because cybercriminal groups behind banking malware like Trickbot, RATs and other malware are learning from state-sponsored attackers. The style of attack is notable because it’s been used by Kremlin-backed hackers – tracked by Microsoft as Nobelium. Since then, it has been adopted by cybercriminals.

    And HTML smuggling is an effective technique because the web is vital to business operations. Organizations, for example, can disable JavaScript in the browser, but it’s widely known to be an impractical approach because the language is ubiquitous on the web. Microsoft has tried to tighten up Edge security with its Super Duper Secure Mode, which turns off the JavaScript JIT compiler. Google also regularly fixes potent bugs in Chrome’s V8 JavaScript engine.

    “Disabling JavaScript could mitigate HTML smuggling created using JavaScript Blobs. However, JavaScript is used to render business-related and other legitimate web pages,” Microsoft explains. “In addition, there are multiple ways to implement HTML smuggling through obfuscation and numerous ways of coding JavaScript, making the said technique highly evasive against content inspection.”

    Microsoft has found that between July and August there was an uptick in HTML smuggling in campaigns that deliver RATs such as AsyncRAT/NJRAT. “In September, we saw an email campaign that leverages HTML smuggling to deliver Trickbot. Microsoft attributes this Trickbot campaign to an emerging, financially motivated cybercriminal group we’re tracking as DEV-0193,” says Microsoft.

  • US President Biden signs law to ban Huawei and ZTE from receiving FCC licences

    US President Joe Biden on Thursday signed into law bipartisan legislation that will ban companies like Huawei and ZTE from getting approval for network equipment licences in the US. The legislation, the Secure Equipment Act of 2021, will require the Federal Communications Commission (FCC) to adopt new rules that clarify it will no longer review or approve any authorisation applications for networking equipment that poses national security threats.

    Last year, the FCC formally designated Huawei and ZTE as national security threats, with that decision being made as the agency found that both companies had close ties to the Chinese Communist Party and China’s military apparatus. Since March, FCC commissioner Brendan Carr has made repeated calls for the legislation to be passed, saying at the time that the FCC has authorised 3,000 applications for Huawei networking equipment to be used.

    “Once we have determined that Huawei or other gear poses an unacceptable national security risk, it makes no sense to allow that exact same equipment to be purchased and inserted into our communications networks as long as federal dollars are not involved. The presence of these insecure devices in our networks is the threat, not the source of funding used to purchase them,” Carr said at the time.

    Besides Huawei and ZTE, other Chinese companies flagged as national security threats are Hytera Communications Corporation, Hangzhou Hikvision Digital Technology Company, and Dahua Technology Company. At the end of last month, the FCC also removed the authority for China Telecom to operate in the US, with the telco required to pack its bags and stop providing domestic and international services by the end of Christmas.

    Citing a recommendation from the Trump-era Justice Department, the Commission said China Telecom Americas “failed to rebut” a series of concerns raised. “China Telecom Americas, a US subsidiary of a Chinese state-owned enterprise, is subject to exploitation, influence, and control by the Chinese government and is highly likely to be forced to comply with Chinese government requests without sufficient legal procedures subject to independent judicial oversight,” the FCC said.

    With the US clampdown especially focused on Huawei, alongside other countries following suit, the Chinese tech giant reported a steep decline in its first-half revenue, with its business to the end of June reporting 320 billion yuan in sales, compared to 454 billion yuan at this time last year. In providing the financial results, rotating chair of Huawei Eric Xu said the aim of the company moving forward would be to survive sustainably.

  • Missouri apologizes to 600k teachers who had SSNs and private info exposed

    Missouri’s Department of Elementary and Secondary Education (DESE) has apologized to the 620,000 past and present educators who had their sensitive information — including their social security numbers — exposed on the DESE certification database.

    Missouri’s Office of Administration Information Technology Services Division (OA-ITSD) and the DESE will send out letters to those affected notifying them that their personally identifiable information “may have been compromised during a recent data vulnerability incident.”

    The situation caused national headlines last month because the governor of the state used the incident to attack The St. Louis Post-Dispatch. Josh Renaud, a reporter from the newspaper, discovered a vulnerability in the certification database that exposed teacher data, notified the DESE, and gave them time to fix it before publishing his story. But Missouri Governor Mike Parson claimed Renaud had “hacked” the database himself and threatened legal charges against the reporter. Since being ridiculed by cybersecurity professionals — and even members of his own party — Parson has used the incident to fundraise for himself, bringing in about $85,000 thanks to an ominous video doubling down on the hacking accusations, according to the Post-Dispatch.

    But DESE officials, alongside members of OA-ITSD, apologized this week to the teachers who had their data exposed and offered 12 months of credit and identity theft monitoring resources through IDX. “Educators have enough on their plates right now, and I want to apologize to them for this incident and the additional inconvenience it may cause them,” said Commissioner of Education Margie Vandeven. “It is unacceptable. The security of the data we collect is of the utmost importance to our agency. Rest assured that we are working closely with OA-ITSD to resolve this situation.”

    The state claims it is “unaware of any misuse of individual information or if information was accessed inappropriately outside of an isolated incident.” But officials said that “out of an abundance of caution,” they wanted to provide teachers with some protection. Those who may have been affected by the issue can contact the IDX Call Center at 833-325-1777.

    DESE explained that Renaud said he was able to view the social security numbers of certain teachers “through a multi-step process” that involved accessing the certification records of at least three educators and then taking the encoded source data from that webpage and “decoding that data.”

    “Educators’ PII was only accessible on an individual basis within this search tool, and there was no option to decode SSNs for all educators in the system all at once. Upon verification of the threat, DESE immediately notified OA-ITSD who immediately disabled the educator certification search tool,” the state said. “The services offered through IDX will cost the state approximately $800,000. The state was able to take advantage of an existing multi-state contract with this vendor, which significantly lowered the cost for the credit and identity theft monitoring services.”

    Parson originally claimed during a press conference that the incident would cost the state $50 million as opposed to the $800,000 that is now being spent. Despite the ridicule Parson got from cybersecurity experts, the Missouri Highway Patrol-led investigation into the incident is still ongoing.

  • Brazil advances efforts to tackle electronic fraud

    The Brazilian government has created a special commission aimed at tackling electronic fraud.

    Created by the Ministry of Justice (MoJ) under the National Consumer Defense Council, the commission will include representatives of antitrust regulator Cade, as well as the National Confederation of Commerce, the consumer defense bodies from the states of São Paulo, Tocantins and Porto Alegre, the Federal Public Defender’s Office, and the Central Bank.

    This commission follows the recent creation of a working group, which is providing an assessment of the current online fraud landscape. The working group has the involvement of bodies such as the Brazilian Federation of Banks (Febraban) and the Central Bank. According to the MoJ, the working group will publish a final report listing proposals for combatting online fraud. The group is also due to meet with the National Data Protection Authority.

    In September, the MoJ started negotiations with Febraban about creating a National Cybercrime Strategy. According to Febraban, the discussions are informed by the National Strategy Against Corruption and Money Laundering, which is led by the Ministry of Justice and has been in place since 2003. The idea is to “expand the identification and repression” of the actors responsible for cybercrimes, the commission said. Other goals include jointly developing platforms for sharing fraud data, training security forces in cybersecurity and digital fraud issues, and leading public awareness campaigns on cyber risks and fraud.

  • VP Harris announces US support for international cybersecurity partnership in Paris

    US Vice President Kamala Harris said the US will be joining the Paris Call for Trust and Security in Cyberspace — a voluntary agreement between more than 80 countries, local governments and tech companies centered on advancing cybersecurity and “preserving the open, interoperable, secure, and reliable Internet.”

    The announcement was part of a diplomatic trip Harris made to Paris, where she met with French President Emmanuel Macron to discuss a range of issues. Macron spearheaded the creation of the initiative in 2018 and has long sought the inclusion of the US. But the administration of former President Donald Trump refused to join, criticizing it because both China and Russia also were not part of it.

    In a statement, The White House said the US “looks forward to continued partnership with France and other governments, private sector, and civil society around the world to advance and promote norms of responsible behavior in cyberspace.”

    “This includes working with likeminded countries to attribute and hold accountable States that engage in destructive, disruptive, and destabilizing cyber activity. The United States’ decision to support the Paris Call reflects the Biden-Harris Administration’s priority to renew and strengthen America’s engagement with the international community on cyber issues,” The White House explained. “The United States interprets the Paris Call consistent with our existing domestic and international obligations and commitments, including the importance we place on respecting human rights, freedom of expression and privacy. This announcement builds on the United States’ continuing work to improve cybersecurity for our citizens and business, including rallying G7 countries to hold accountable nations that harbor cyber criminals, supporting the update of NATO cyber policy for the first time in seven years, and the recent counter-ransomware engagement with over 30 countries around the world to accelerate international cooperation to combat cybercrime.”

    The Paris Call is made up of nine principles, which include protecting individuals and infrastructure, protecting the internet, defending electoral processes, defending intellectual property, the non-proliferation of malicious software, lifecycle security, cyber hygiene, banning private actors from “hacking back,” and implementing international norms “of responsible behavior.”

    The effort has already led to some changes across Europe and South America that allowed for tougher cybersecurity measures around emergency phone systems, the protection of domain name systems, more prominent bug bounty programs and more.

    Before Harris left for Paris, two senior leaders in Congress — Senate Foreign Relations Committee chairman Robert Menendez and House Foreign Affairs Committee chairman Greg Meeks — wrote a letter to her urging the US to join the Paris Call. “Given the recent surge of ransomware and other cyberattacks against the United States and our partners and allies, the Forum’s work on cybersecurity is essential. Cybersecurity is a critical economic and national security imperative, and confronting this challenge will require comprehensive and sustained US engagement with a wide range of stakeholders,” the two wrote. “In particular, private-sector companies play an increasingly significant role, including through the Paris Peace Forum and its Paris Call for Trust and Security in Cyberspace. We welcome your commitment to engage with our allies and partners, private-sector companies, and other important stakeholders at the Paris Peace Forum.”

  • Cybersecurity education company touts 3 to 6 month program for unemployed veterans

    Cybersecurity education company Cybint is doing its part to address veteran unemployment — which stands at 11% right now — and the cybersecurity talent shortage through a new 3 to 6 month program that trains novices in all things security. Texas has more than 42,000 open cybersecurity positions, one of the highest rates in the country. Cybint is partnering with universities and colleges like Houston Baptist University to offer the Cybint cybersecurity bootcamp to military and veteran students.

    Roy Zur, Cybint’s CEO, told ZDNet he was inspired to start the program by his time in the Israeli military, where he was part of a cybersecurity unit that re-skilled 18-year-old cadets who recently joined the army. Within six months, they were able to train people with no cybersecurity knowledge in a variety of security topics, and Zur eventually brought the method to the US after 10 years in the army.

    “I wanted to bring this concept of re-skilling people, those that are very early in their career or are career shifters. Veterans are a big part of this population in the US, and after they finish their career in the military, we want to allow them to switch to other careers,” Zur said. “Some people think that cybersecurity is this mysterious thing that you need years of practice to get into. But eventually, if you simplify it, it’s about protecting data from different perspectives and protecting networks.”

    Zur explained that Cybint’s educational programs range from full-time three month courses to six month part-time courses, all of which draw heavily from the National Institute of Standards and Technology’s frameworks.

    The bootcamp is divided into several pillars covering a variety of topics including protecting and defending, analyzing, investigating, and more. “By the end of the program, the graduates finish with skills in different aspects of network security, SOC analysis, SOC management, some basic aspects of malware analysis, and different aspects of forensics. They have a broad view of cybersecurity and, specifically, the hands-on skills of an entry-level security defender,” Zur said. “It’s not necessarily just for veterans, but veterans acquired great skills and experience in their military career. They have experience working under pressure and working in different environments. Most of them also have security clearances, which are important in cybersecurity.

    “We’ve also seen there is a significant rate of unemployment among veterans. The US government, different authorities and the military all want to help solve this problem. So it’s kind of like a win-win-win situation for everyone.”

    Zur’s goal is to partner with even more institutions, community colleges, and public universities to offer Cybint’s courses and bootcamps to students interested in cybersecurity. Ariel Julius Lee, a Cybint student and Marine Corps Veteran, said he started the program with little knowledge of the field of cybersecurity but noted that the bootcamp presented each topic for beginners. He told ZDNet the labs were especially helpful because they gave him an opportunity to apply the concepts covered by the instructors in practice.

    “While they have been challenging, they have helped me in reframing my approach to problem-solving. This has been the best aspect of the program thus far because implementing something you learned in practice, first-hand, is the best way to study,” Lee said. “This bootcamp inspired me to pursue a career in the field of cybersecurity and boosted my confidence that I will be able to succeed in it.”

    Ethan Schellingerhout, another veteran who took part in the program, said it gave him a hands-on overview of cybersecurity through its labs and bettered his presentation skills through its research projects. It also helped prepare him for CompTIA Security+ exams.

    William Welch is a professor of computer information technology systems at Central Texas College, which previously hosted some of Cybint’s bootcamps. Many veterans, he said, separate from the service each week and are more than deserving of a chance to start a fresh career. “They exhibit grit, strong technical capability, and seek challenging, vital employment opportunities. The Cybint cybersecurity bootcamps are key as they train these capable veterans to handle and thrive in cybersecurity and technology organizations,” Welch said. Cybint has programs at schools in Illinois, Iowa, Louisiana, and New Hampshire in addition to its Texas locations.

  • VA releases new cybersecurity strategy in honor of Veterans Day

    The Department of Veterans Affairs released a new cybersecurity strategy ahead of Veterans Day as a way to better protect the personal information of US veterans as well as to stop the potential corruption of critical data. The VA said cybercriminals have long sought access to veterans’ data for a variety of scams and exploitation, prompting the department to make changes to its security. In 2006, the organization faced a massive data breach affecting the sensitive information of 26.5 million veterans as well as their spouses and family members.

    Just last month, the Justice Department sentenced a former medical records technician for the US Army after he was caught accessing personal information from US veterans and using the data to steal millions from benefits sites. While working as a civilian medical records technician and administrator with the US Army at the 65th Medical Brigade, stationed at Yongsan Garrison in South Korea, 40-year-old Fredrick Brown stole names, Social Security numbers, military ID numbers, dates of birth and contact information for thousands of military members. This occurred between July 2014 and September 2015. US Attorney Ashley Hoff noted that many of the veterans targeted in the scheme were disabled or elderly, since they received more service-related benefits.

    The Department of Veterans Affairs said it developed an entirely new strategy to protect veteran data. It uses new frameworks that outline ways they can protect the VA’s most critical business functions and assets while also making them more resilient. “As we continue to rapidly advance technology across VA, this strategy provides an agile framework to address the challenges of today and adapt to the technologies and threats of tomorrow,” said Secretary of Veterans Affairs Denis McDonough.

    “This comprehensive approach practices accountability and transparency, while remaining hypervigilant of cyber threats — charting a course for success at the individual and enterprise levels.”

    On top of securing and protecting the data of the VA and veterans, the new plan includes measures to protect information systems and assets, use innovative measures to strengthen the organization’s cybersecurity, partner with other organizations on best practices, and use risk management frameworks to bolster their cybersecurity goals. The VA added that the new strategy takes into consideration, among other things, “Executive Orders, technological advancements, innovations, and world events that have impacted the way VA delivers services.”

    Andrew Barratt, vice president at cybersecurity firm Coalfire, said that the VA provides additional assistance to a number of the company’s employees. “We’re pleased to see the VA take steps to formalize a refreshed strategy committing to protecting Veterans’ data. Like many cybersecurity strategies, it is high level in nature and focuses on five critical goals,” Barratt said.

    Coalfire’s John Dickson added that it’s less about what strategies the VA announces and more about resource allocation and sustained executive focus on cybersecurity. “Given the 2006 public security breach, other organizational security ‘near misses,’ and the VA’s historical approach to cybersecurity, this is one case where actions most certainly speak louder than words,” Dickson said.

  • Google debuts ClusterFuzzLite security tool for CI, CD workflows

    Google has launched ClusterFuzzLite, a continuous fuzzing solution for improving software supply chain security.

    On Thursday, Google software engineers Jonathan Metzman and Oliver Chang, together with product lead for Google’s CI/CD products, Michael Winser, said in a blog post that the new tool can run “as part of CI/CD workflows to find vulnerabilities faster than ever before.”

    Fuzzing is an automated testing technique for finding bugs and unexpected behavior by inputting invalid and random data into programs. This can flag up vulnerabilities or errors that may otherwise go unnoticed through manual analysis. The new tool, ClusterFuzzLite, is based on ClusterFuzz, an open source scalable fuzzing infrastructure previously released by Google and used as the fuzzing backbone for the OSS-Fuzz program.

    According to Google, ClusterFuzzLite can be integrated into existing workflows to fuzz pull requests, improving the chance of vulnerabilities being found earlier in the development process and before changes are committed. While ClusterFuzz and ClusterFuzzLite contain some of the same features — including continuous fuzzing, coverage report creation, and sanitizer support — the team says that the main difference is ClusterFuzz is easy to set up with closed source projects, and so developers can make use of it to quickly fuzz their software. As of now, ClusterFuzzLite supports GitHub Actions, Google Cloud Build, and Prow.

    “With ClusterFuzzLite, fuzzing is no longer just an idealized ‘bonus’ round of testing for those who have access to it, but a critical must-have step that everyone can use continuously on every software project,” the team said. “By finding and preventing bugs before they enter the codebase we can build a more secure software ecosystem.” Documentation on the tool can be accessed at GitHub.

    In February, Google launched the Open Source Vulnerabilities (OSV) website, a platform for open source vulnerability mapping.