More stories

  • New Python-scripted trojan malware targets fintech companies

    A well-resourced hacking operation has deployed newly developed trojan malware in a campaign targeting financial technology organisations, aiming to steal email addresses, passwords and other sensitive corporate information – and the malicious code is bundled inside code ripped from legitimate applications.
    Known as Evilnum, the advanced persistent threat (APT) group first emerged in 2018. One of the reasons for its success is how often it has changed tools and tactics while taking aim at fintech-related targets, mostly located in Europe and the UK, although some victims are in the Americas and Australia.
    Evilnum’s activity has been varied, with reports of it using different components written in JavaScript and C#, and now it has deployed another new tool. This time it’s a Python-scripted remote access trojan (RAT), which emerged in recent weeks alongside a new spate of targeted attacks.
    Uncovered by cybersecurity researchers at Cybereason who’ve dubbed it PyVil RAT, the trojan allows attackers to secretly steal corporate information through the use of keylogging and taking screenshots, as well as the ability to collect information about the infected system, including which version of Windows is running, what anti-virus products are installed and whether USB devices are connected.
    Previous Evilnum attacks have begun with highly targeted spear phishing emails and the PyVil delivery campaign is similar, although rather than delivering Zip archives like before, the compromise begins with emails containing an LNK file masquerading as a PDF.
    The phishing emails claim to contain identification documents associated with banking, including utility bills, credit card statements and even driver’s licence photos.
    If opened, the file starts a sequence that ultimately sees the compromised machine connect to Evilnum’s command and control servers and the trojan dropped on the system – with the servers able to provide instructions and potentially additional functionality to PyVil – all while staying hidden from the victim.
    One of the reasons the new trojan is able to do this is that the malicious code is obfuscated behind many different layers, including being bundled inside code from legitimate software that has somehow been plucked and wrapped around the malware.
    “This tactic works to their advantage in several ways, including avoiding detection and maintaining persistence – the abuse of legitimate code is more common with more sophisticated actors,” Tom Fakterman, threat researcher at Cybereason told ZDNet.
    While it remains unclear who the cyber criminals behind Evilnum ultimately are, the highly targeted nature of the attacks combined with the way in which they’re constantly changing their tactics leads researchers to believe that it’s a highly professional, well-resourced campaign.
    Evilnum is thought to remain active, and it’s likely only a matter of time before the group changes its tools and techniques for targeting organisations in the fintech space once more.
    “We still see samples of the malware pop up and we see that the threat actors’ infrastructure is still active. The best way of protection is education, improving security hygiene and teaching employees not to be duped into opening phishing emails and not downloading information from dubious websites,” Fakterman said.

  • MIT SCRAM: a new analysis platform for prioritizing enterprise security investments

    MIT has debuted a new platform designed to help the enterprise decide how to invest in cybersecurity. 

    On Thursday, MIT’s Computer Science and Artificial Intelligence Lab (CSAIL) launched the Secure Cyber Risk Aggregation and Measurement (SCRAM) cryptographic platform (PDF), which aggregates data to show the weakest spots in security — and those leading to the worst financial losses. 
    According to the researchers, at a time when many organizations are restructuring and cutting costs due to the disruption caused by COVID-19, a technological solution that is able to quantify an organization’s security posture and recommend what areas to prioritize is valuable. 
    SCRAM, developed by Taylor Reynolds, technology policy director at MIT’s Internet Policy Research Initiative (IPRI), economist Professor Andrew Lo and cryptographer Vinod Vaikuntanathan, does not require users to reveal sensitive corporate data, but instead, builds its recommendations based on existing security incidents without accessing the finer points of each event. 
    The team says that the platform has three goals: to quantify how secure an organization is, how their security compares to rival companies, and to evaluate whether or not cybersecurity is being given the right budget — and if not, what priorities should be changed.  
    During tests, internal data was received from seven enterprise companies averaging 50,000 employees and $24 billion in annual revenue. SCRAM then aggregated data from 50 security incidents at the participating companies, mapped to the Center for Internet Security (CIS) Sub-Controls, allowing researchers to analyze the attack vectors and what steps could potentially have prevented each one. 
    By using multi-party computation (MPC), the team was able to perform calculations in tandem with the CIS controls, without reading or unlocking the confidential information they were sent. Once analyzed, the participating companies received individual cryptographic keys to unlock each report privately. 
    “The power of this platform is that it allows firms to contribute locked data that would otherwise be too sensitive or risky to share with a third party,” Reynolds says.
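    An added illustration of the “locked data” idea using additive secret sharing, a textbook MPC building block; it is not SCRAM’s protocol or MIT’s code, and the control names and dollar figures below are constructed stand-ins rather than CIS sub-control identifiers or real participant data.

```python
"""Private aggregation of per-control loss figures with additive secret sharing.
Added example: each participant splits every figure into random shares, sends one
share to each aggregation server, and only the per-control totals are ever
reconstructed. Control names and amounts are constructed for the demonstration."""
import secrets

P = 2**61 - 1   # prime modulus; must exceed the largest total that could be aggregated


def split_secret(value, n_servers):
    """Additively share `value`: each share is uniformly random on its own, and the
    shares sum to `value` mod P, so no single server learns anything from its share."""
    shares = [secrets.randbelow(P) for _ in range(n_servers - 1)]
    shares.append((value - sum(shares)) % P)
    return shares


def submit(company_losses, n_servers):
    """A participant turns {control: loss} into one bundle per server.
    Bundle j goes only to server j; the plaintext losses never leave the company."""
    bundles = [{} for _ in range(n_servers)]
    for control, loss in company_losses.items():
        for j, share in enumerate(split_secret(loss, n_servers)):
            bundles[j][control] = share
    return bundles


def server_sum(bundles_received):
    """Each server adds up the shares it holds, per control, across all participants."""
    totals = {}
    for bundle in bundles_received:
        for control, share in bundle.items():
            totals[control] = (totals.get(control, 0) + share) % P
    return totals


def reconstruct(server_totals):
    """Combining the servers' totals reveals only the aggregate loss per control."""
    result = {}
    for totals in server_totals:
        for control, total in totals.items():
            result[control] = (result.get(control, 0) + total) % P
    return result


def run_aggregation(all_company_losses, n_servers=3):
    """End to end: participants share, servers sum locally, the aggregate is reconstructed."""
    inbox = [[] for _ in range(n_servers)]
    for losses in all_company_losses:
        for j, bundle in enumerate(submit(losses, n_servers)):
            inbox[j].append(bundle)
    return reconstruct([server_sum(received) for received in inbox])


# Constructed sample: three participants attribute incident losses to failed controls.
SAMPLE_LOSSES = [
    {"malware-defenses": 1_200_000, "port-control": 300_000, "audit-logging": 0},
    {"malware-defenses": 450_000, "port-control": 900_000, "audit-logging": 150_000},
    {"malware-defenses": 80_000, "port-control": 0, "audit-logging": 700_000},
]

if __name__ == "__main__":
    for control, total in sorted(run_aggregation(SAMPLE_LOSSES).items()):
        print(f"{control:18} aggregate loss: ${total:,}")
```

    Only the three totals come out; a server holding one bundle sees three uniformly random field elements, whatever the figures behind them were.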
    The MIT CSAIL team found that the most expensive financial losses, exceeding $1 million, were caused by failures to prevent malware infections, unauthorized communication over ports, and failure to log and manage security incident records.

    In the future, the researchers hope that more companies will participate; in particular, from the electricity, financial, and biotech industries. If 70 to 80 companies representing these areas join up, MIT believes it will be able to “put an actual dollar figure on the risk of particular defenses failing.”

  • Vulcan Cyber study finds serious problems with vulnerability management

    The majority of IT departments are underestimating the maturity of their vulnerability remediation programs by a wide margin, according to a study from Vulcan Cyber. 
    The company said it was surprised that most organizations think that they are much further along in their work in patching known vulnerabilities yet they have barely begun the work required.
    “What caught us off guard was that the vast majority of respondents felt their programs were already mature,” said Yaniv Bar-Dayan, co-founder and CEO of Vulcan. “Given the amount of breaches caused by known, unpatched vulnerabilities, we discovered a surprising disconnect that merits a closer look.”

    Most organizations are only at Stage 1 in Vulcan Cyber’s maturity model. (Image: Vulcan Cyber)
    The study asked 100 computer security and IT executives about how they manage vulnerability remediation. It found that 84% reported having “mature” remediation programs. But on further questioning they were found to have only completed very basic tasks and were many stages away from a “mature” program. 
    Most had completed these basic activities: vulnerability scanning (72%); use of remediation tools (49%); and prioritization of vulnerabilities (44%).
    But these tasks were less mature: collaborative remediation (48%); automated remediation (48%); and business alignment around cyber objectives (31%).
    Vulnerability remediation can be a problem because there is often no one directly responsible for the program. For example, security teams identify vulnerabilities and then hand them over to IT teams to apply the patch, or the teams share the work without anyone being clearly responsible for its completion. The work is further slowed by the extensive testing required to make sure the remediation doesn’t break any critical IT processes.
    The study reflected this organizational problem: 89% of respondents said their security and IT teams spend considerable time working with cross-functional teams, with nearly half of them (42%) reporting that it is “a lot” of time and 7% complaining that it is “too much” time.
    Judging by the lack of progress in vulnerability remediation programs, the meetings and the lack of a clear process seem to be getting in the way of the work.
    “Vulnerability scanning and prioritization are essential functions, but they are the bare minimum — not what constitutes a mature program,” Bar-Dayan said. “In our experience, program bottlenecks are further along in the remediation lifecycle, stemming from inefficient cross-team collaboration. Changing the status quo requires organizations to update and automate their remediation processes. It’s a heavy undertaking.”
    Vulcan says that the reward for reorganizing how remediation is handled will be far stronger computer security for the enterprise. Most data breaches use known vulnerabilities that haven’t been patched. 
    The Vulcan SaaS platform identifies and prioritizes vulnerability remediation. Additional results from the study can be found in the Vulcan Cyber whitepaper and infographic.

  • What is the quantum internet? Everything you need to know about the weird future of quantum networks

    It might all sound like a sci-fi concept, but building quantum networks is a key ambition for many countries around the world. Recently the US Department of Defense (DoE) published the first blueprint of its kind, laying out a step-by-step strategy to make the quantum internet dream come true, at least in a very preliminary form, over the next few years. 
    The US joined the EU and China in showing a keen interest in the concept of quantum communications. But what is the quantum internet exactly, how does it work, and what are the wonders that it can accomplish?

    WHAT IS THE QUANTUM INTERNET?
    The quantum internet is a network that will let quantum devices exchange some information within an environment that harnesses the weird laws of quantum mechanics. In theory, this would lend the quantum internet unprecedented capabilities that are impossible to carry out with today’s web applications.
    In the quantum world, data can be encoded in the state of qubits, which can be created in quantum devices like a quantum computer or a quantum processor. And the quantum internet, in simple terms, will involve sending qubits across a network of multiple quantum devices that are physically separated. Crucially, all of this would happen thanks to the whacky properties that are unique to quantum states. 
    That might sound similar to the standard internet. But sending qubits around through a quantum channel, rather than a classical one, effectively means leveraging the behavior of particles when taken at their smallest scale – so-called “quantum states”, which have caused delight and dismay among scientists for decades. 
    And the laws of quantum physics, which underpin the way information will be transmitted in the quantum internet, are nothing short of unfamiliar. In fact, they are strange, counter-intuitive, and at times even seemingly supernatural. 
    And so to understand how the quantum ecosystem of the internet 2.0 works, you might want to forget everything you know about classical computing. Because not much of the quantum internet will remind you of your favorite web browser.
    WHAT TYPE OF INFORMATION CAN WE EXCHANGE WITH QUANTUM?
    In short, not much that most users are accustomed to. At least for the next few decades, therefore, you shouldn’t expect to one day be able to jump onto quantum Zoom meetings.
    Central to quantum communication is the fact that qubits, which harness the fundamental laws of quantum mechanics, behave very differently to classical bits. 
    As it encodes data, a classical bit can effectively only be one of two states. Just like a light switch has to be either on or off, and just like a cat has to be either dead or alive, so does a bit have to be either 0 or 1.
    Not so much with qubits. Instead, qubits are superposed: they can be 0 and 1 simultaneously, in a special quantum state that doesn’t exist in the classical world. It’s a little bit as if you could be both on the left-hand side and the right-hand side of your sofa, in the same moment. 
    The paradox is that the mere act of measuring a qubit means that it is assigned a state. A measured qubit automatically falls from its dual state, and is relegated to 0 or 1, just like a classical bit. 
    The whole phenomenon is called superposition, and lies at the core of quantum mechanics. 
    Unsurprisingly, qubits cannot be used to send the kind of data we are familiar with, like emails and WhatsApp messages. But the strange behavior of qubits is opening up huge opportunities in other, more niche applications.
    QUANTUM (SAFER) COMMUNICATIONS
    One of the most exciting avenues that researchers, armed with qubits, are exploring, is security. 
    When it comes to classical communications, most data is secured by distributing a shared key to the sender and receiver, and then using this common key to encrypt the message. The receiver can then use their key to decode the data at their end.
    The security of most classical communication today is based on an algorithm for creating keys that is difficult for hackers to break, but not impossible. That’s why researchers are looking at making this communication process “quantum”. The concept is at the core of an emerging field of cybersecurity called quantum key distribution (QKD).
    QKD works by having one of the two parties encrypt a piece of classical data by encoding the cryptography key onto qubits. The sender then transmits those qubits to the other person, who measures the qubits in order to obtain the key values. 
    Measuring causes the state of the qubit to collapse; but it is the value that is read out during the measurement process that is important. The qubit, in a way, is only there to transport the key value.
    More importantly, QKD means that it is easy to find out whether a third party has eavesdropped on the qubits during the transmission, since the intruder would have caused the key to collapse simply by looking at it.
    If a hacker looked at the qubits at any point while they were being sent, this would automatically change the state of the qubits. A spy would inevitably leave behind a sign of eavesdropping – which is why cryptographers maintain that QKD is “provably” secure.
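    The eavesdropper-detection argument above as an added toy simulation of BB84, not code from the article or from any QKD product: qubits are modelled as (basis, bit) pairs, the intercept-resend eavesdropper is optional, and the 11% abort threshold is an assumed value.

```python
"""Toy BB84 simulation. A qubit is a (basis, bit) pair: measured in its preparation
basis it yields its bit; measured in the other basis it yields a random bit and
collapses to that new basis/bit pair. That collapse is what makes an intercept-resend
eavesdropper visible as errors in the sifted key."""
import random

RECT, DIAG = 0, 1      # the two BB84 bases (rectilinear and diagonal)
QBER_ALARM = 0.11      # assumed abort threshold on the quantum bit error rate


def measure(qubit, basis, rng):
    """Measure `qubit` in `basis`; return (bit read, qubit state after measurement)."""
    prep_basis, bit = qubit
    if prep_basis == basis:
        return bit, qubit                 # same basis: deterministic, state unchanged
    new_bit = rng.randrange(2)            # other basis: random outcome, state collapses
    return new_bit, (basis, new_bit)


def run_bb84(n_qubits, eavesdrop=False, seed=1):
    """Run one BB84 exchange. Returns the sifted-key length, the error rate Alice and
    Bob estimate by comparing sifted bits over the public channel, and whether they abort."""
    rng = random.Random(seed)
    alice_bits = [rng.randrange(2) for _ in range(n_qubits)]
    alice_bases = [rng.choice((RECT, DIAG)) for _ in range(n_qubits)]
    qubits = list(zip(alice_bases, alice_bits))

    if eavesdrop:
        # Intercept-resend: Eve must choose a basis before measuring; a wrong guess
        # randomises the qubit she forwards, which Bob later sees as errors.
        qubits = [measure(q, rng.choice((RECT, DIAG)), rng)[1] for q in qubits]

    bob_bases = [rng.choice((RECT, DIAG)) for _ in range(n_qubits)]
    bob_bits = [measure(q, b, rng)[0] for q, b in zip(qubits, bob_bases)]

    # Sifting: keep only the positions where Alice and Bob happened to use the same basis.
    keep = [i for i in range(n_qubits) if alice_bases[i] == bob_bases[i]]
    sifted_alice = [alice_bits[i] for i in keep]
    sifted_bob = [bob_bits[i] for i in keep]
    errors = sum(a != b for a, b in zip(sifted_alice, sifted_bob))
    qber = errors / len(keep) if keep else 0.0
    return {"sifted_length": len(keep), "qber": qber, "abort": qber > QBER_ALARM}


if __name__ == "__main__":
    for eve in (False, True):
        r = run_bb84(4000, eavesdrop=eve, seed=7)
        print(f"eavesdropper={eve}: sifted={r['sifted_length']} "
              f"QBER={r['qber']:.3f} abort={r['abort']}")
```

    Without Eve the sifted keys agree exactly; with her in the line roughly a quarter of the sifted bits disagree, because she guesses the wrong basis half the time and each wrong guess flips Bob’s result half the time.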
    SO, WHY A QUANTUM INTERNET?
    QKD technology is in its very early stages. The “usual” way to create QKD at the moment consists of sending qubits in a one-directional way to the receiver, through optic-fibre cables; but those significantly limit the effectiveness of the protocol. 
    Qubits can easily get lost or scattered in a fibre-optic cable, which means that quantum signals are very much error-prone, and struggle to travel long distances. Current experiments, in fact, are limited to a range of hundreds of kilometers. 
    There is another solution, and it is the one that underpins the quantum internet: to leverage another property of quantum, called entanglement, to communicate between two devices.
    When two qubits interact and become entangled, they share particular properties that depend on each other. While the qubits are in an entangled state, any change to one particle in the pair will result in changes to the other, even if they are physically separated. The state of the first qubit, therefore, can be “read” by looking at the behavior of its entangled counterpart. That’s right: even Albert Einstein called the whole thing “spooky action at a distance”.
    And in the context of quantum communication, entanglement could in effect, teleport some information from one qubit to its entangled other half, without the need for a physical channel bridging the two during the transmission.
    HOW DOES ENTANGLEMENT WORK?
    The very concept of teleportation entails, by definition, the lack of a physical network bridging between communicating devices. But it remains that entanglement needs to be created in the first place, and then maintained. 
    To carry out QKD using entanglement, it is necessary to build the appropriate infrastructure to first create pairs of entangled qubits, and then distribute them between a sender and a receiver. This creates the “teleportation” channel over which cryptography keys can be exchanged.
    Specifically, once the entangled qubits have been generated, you have to send one half of the pair to the receiver of the key. An entangled qubit can travel through networks of optical fibre, for example; but those are unable to maintain entanglement after about 60 miles. 
    Qubits can also be kept entangled over large distances via satellite, but covering the planet with outer-space quantum devices is expensive. 
    There are still huge engineering challenges, therefore, to building large-scale “teleportation networks” that could effectively link up qubits across the world. Once the entanglement network is in place, the magic can start: linked qubits won’t need to run through any form of physical infrastructure anymore to deliver their message. 
    During transmission, therefore, the quantum key would virtually be invisible to third parties, impossible to intercept, and reliably “teleported” from one endpoint to the next. The idea will resonate well with industries that deal with sensitive data, such as banking, health services or aircraft communications. And it is likely that governments sitting on top secret information will also be early adopters of the technology.
    WHAT ELSE COULD WE DO WITH THE QUANTUM INTERNET?
    ‘Why bother with entanglement?’ you may ask. After all, researchers could simply find ways to improve the “usual” form of QKD. Quantum repeaters, for example, could go a long way in increasing communication distance in fibre-optic cables, without having to go so far as to entangle qubits.
    That is without accounting for the immense potential that entanglement could have for other applications. QKD is the most frequently discussed example of what the quantum internet could achieve, because it is the most accessible application of the technology. But security is far from being the only field that is causing excitement among researchers. 
    The entanglement network used for QKD could also be used, for example, to provide a reliable way to build up quantum clusters made of entangled qubits located in different quantum devices.
    Researchers won’t need a particularly powerful piece of quantum hardware to connect to the quantum internet – in fact, even a single-qubit processor could do the job. But by linking together quantum devices that, as they stand, have limited capabilities, scientists expect that they could create a quantum supercomputer to surpass them all.
    By connecting many smaller quantum devices together, therefore, the quantum internet could start solving the problems that are currently impossible to achieve in a single quantum computer. This includes expediting the exchange of vast amounts of data, and carrying out large-scale sensing experiments in astronomy, materials discovery and life sciences.
    For this reason, scientists are convinced that we could reap the benefits of the quantum internet before tech giants such as Google and IBM even achieve quantum supremacy – the moment when a single quantum computer will solve a problem that is intractable for a classical computer.
    Google and IBM’s most advanced quantum computers currently sit around 50 qubits, which, on its own, is much less than is needed to carry out the phenomenal calculations needed to solve the problems that quantum research hopes to address. 
    On the other hand, linking such devices together via quantum entanglement could result in clusters worth several thousands of qubits. For many scientists, creating such computing strength is in fact the ultimate goal of the quantum internet project.
    WHAT COULDN’T WE DO WITH THE QUANTUM INTERNET?
    For the foreseeable future, the quantum internet could not be used to exchange data in the way that we currently do on our laptops.
    Imagining a generalized, mainstream quantum internet would require anticipating a few decades (or more) of technological advancements. As much as scientists dream of the future of the quantum internet, therefore, it is impossible to draw parallels between the project as it currently stands, and the way we browse the web every day.
    A lot of quantum communication research today is dedicated to finding out how to best encode, compress and transmit information thanks to quantum states. Quantum states, of course, are known for their extraordinary densities, and scientists are confident that one node could teleport a great deal of data.
    But the type of information that scientists are looking at sending over the quantum internet has little to do with opening up an inbox and scrolling through emails. And in fact, replacing the classical internet is not what the technology has set out to do. 
    Rather, researchers are hoping that the quantum internet will sit next to the classical internet, and would be used for more specialized applications. The quantum internet will perform tasks that can be done faster on a quantum computer than on classical computers, or which are too difficult to perform even on the best supercomputers that exist today.
    SO, WHAT ARE WE WAITING FOR?
    Scientists already know how to create entanglement between qubits, and they have even been successfully leveraging entanglement for QKD. 
    China, a long-time investor in quantum networks, has broken records on satellite-induced entanglement. Chinese scientists recently established entanglement and achieved QKD over a record-breaking 745 miles.
    The next stage, however, is scaling up the infrastructure. All experiments so far have only connected two end-points. Now that point-to-point communication has been achieved, scientists are working on creating a network in which multiple senders and multiple receivers could exchange over the quantum internet on a global scale.
    The idea, essentially, is to find the best ways to churn out lots of entangled qubits on demand, over long distances, and between many different points at the same time. This is much easier said than done: for example, maintaining the entanglement between a device in China and one in the US would probably require an intermediate node, on top of new routing protocols. 
    And countries are opting for different technologies when it comes to establishing entanglement in the first place. While China is picking satellite technology, optical fibre is the method favored by the US DoE, which is now trying to create a network of quantum repeaters that can augment the distance that separates entangled qubits. 
    In the US, particles have remained entangled through optical fibre over a 52-mile “quantum loop” in the suburbs of Chicago, without the need for quantum repeaters. The network will soon be connected to one of the DoE’s laboratories to establish an 80-mile quantum testbed. 
    In the EU, the Quantum Internet Alliance was formed in 2018 to develop a strategy for a quantum internet, and demonstrated entanglement over 31 miles last year.
    For quantum researchers, the goal is to scale the networks up to a national level first, and one day even internationally. The vast majority of scientists agree that this is unlikely to happen before a couple of decades. The quantum internet is without doubt a very long-term project, with many technical obstacles still standing in the way. But the unexpected outcomes that the technology will inevitably bring about on the way will make for an invaluable scientific journey, complete with a plethora of outlandish quantum applications that, for now, cannot even be predicted.

  • An LG executive dumped Google's Chrome for a surprising reason

    Chrome doesn’t exactly have a velvet touch, when it comes to privacy.
    Are browsers an emotional issue for everyone?

    Or just for those who’ve had Microsoft’s Edge descend upon them like a guillotine from the sky?
    Many people seem to just accept a certain browser and live with it for far longer than they really should.
    But then there’s LG’s global corporate communications chief Ken Hong. I happened upon his strong feelings as I was browsing Twitter, desperate for a feeling of hope.
    Hong was responding to a tweet emitted by gadget reviewer Ben Sin.
    Sin mused: “Seriously is wild how I googled a foldable bike once or twice a couple weeks ago and I’ve been getting bike ads on Facebook, IG, everywhere. the level to which these companies all team up and know everything about us is wild.”
    This is something that’s become wildly normal in digital life. Brands follow you around in the belief that they can pester you into submission. Because that’s how marketing works, right?

    Hong, though, made a dramatic declaration. He replied to Sin: “I had a similar eye-opening incident like that happen 2 years ago which led to me deleting my [Facebook] account and dumping Chrome for Brave.”
    It was only in 2018 that Hong noticed how these companies make dramatic incursions into our personal lives?
    Still, there’s something truly uplifting about a senior figure in technology saying “enough is enough.” There’s something heartbreakingly hopeful when one considers that Chrome is the default browser on, oh, most LG products.
    Yet Hong, I suspect, is still very much in the minority. Chrome enjoys an almost 50 percent market share, despite having become increasingly memory-sucking and slow.
    Perhaps many people just fall into a browser habit and put up with the stalking. They believe it’s everywhere. Some, I fear, are even flattered by it.
    Sin himself explained he was at peace with tech companies following him around.
    He said: “For the record I don’t even mind too much. I think consumers complain way too damn much about stuff they don’t pay for. Like the way I see it, you wanna be on always connected in this day and age you gotta accept tech brands know all our info.”
    Ah, it’s all about the money. If you don’t pay for it, don’t whine. Even if you actually pay for it by giving your whole life away.
    Sin added: “Either live like a disconnected hermit life, or accept there ain’t no such thing as privacy in 2020. Google knows more about us than our partners and mom.”
    What a choice the tech industry has given us. Either live like a hermit or let us creep into your every pore.
    They call this progress?

  • Inter: a ‘low bar’ kit for Magecart credit card skimmer attacks on e-commerce websites

    When Magecart attacks first began making the rounds, the attack vector — scripts covertly installed on websites to harvest customer payment card data — was considered to be the signature move of a specific hacking group. 

    However, credit card-skimming scripts have now been adopted by numerous cyberattackers and the trend has evolved to classify these types of attacks under a broad ‘Magecart’ umbrella involving numerous groups, targets, and countries. 
    Several years ago, domains belonging to high-profile names including British Airways and Ticketmaster were compromised via Magecart attacks, in which websites containing vulnerabilities were exploited to upload JavaScript code in payment portal pages. 
    As customers made purchases and input their details, payment card information was quietly harvested and whisked off to a command-and-control (C2) server, to later be sold on or used to make fraudulent purchases.
    Now, Magecart-style attacks are far more common and techniques used to deploy card-skimming code are under a constant state of evolution. 
    JavaScript code is either hosted directly on a compromised website or referenced and hosted on an attacker-controlled server. Malwarebytes has previously found Magecart code buried in image EXIF metadata, and in August, these image-related techniques evolved further to combine the Inter information collection framework, .ICO files, and so-called “homoglyph” attacks.
    .ICO image requests on websites may now be changed to call up fraudulent .ICO images containing skimmer code, hosted on domains similar to legitimate domains but containing small spelling errors or differences to avoid detection. 
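    As an added example (not RiskIQ’s, Malwarebytes’ or the article’s own code), the following script audits the hosts a checkout page loads scripts and .ICO files from and flags any host that is not on the merchant’s allowlist but collapses to the same confusable-character skeleton as a legitimate host; every domain in it is constructed under the .example TLD.

```python
"""Look-alike host audit for third-party resources on a payment page.
Added example: hostnames are decoded from punycode, then folded onto a 'skeleton'
in which confusable characters (digit 0, Cyrillic о, 'rn' for 'm', ...) become the
ASCII letters they imitate, so a homoglyph domain collides with the genuine one."""
import unicodedata
from urllib.parse import urlsplit

# Confusable sequences folded onto the letter they imitate. Multi-character
# entries come first so "rn" collapses to "m" before single characters are mapped.
CONFUSABLES = [
    ("rn", "m"), ("vv", "w"),
    ("0", "o"), ("1", "l"),
    ("\u0430", "a"), ("\u0435", "e"), ("\u043e", "o"),   # Cyrillic а е о
    ("\u0440", "p"), ("\u0441", "c"), ("\u0445", "x"),   # Cyrillic р с х
    ("\u0131", "i"),                                     # dotless i
]


def decode_host(host):
    """Lower-case a hostname and turn punycode (xn--) labels back into Unicode,
    the form a browser displays and the form the skeleton is computed on."""
    host = host.lower().rstrip(".")
    if "xn--" in host:
        try:
            host = host.encode("ascii").decode("idna")
        except UnicodeError:
            pass          # malformed punycode: keep the raw form, it is still reported
    return host


def skeleton(host):
    """Map a hostname to a canonical skeleton so look-alikes collide with the original."""
    text = unicodedata.normalize("NFKD", decode_host(host))
    text = "".join(ch for ch in text if not unicodedata.combining(ch))  # drop accents
    for confusable, plain in CONFUSABLES:
        text = text.replace(confusable, plain)
    return text


def audit_resource_hosts(urls, allowlist):
    """Return {host: verdict} for every host referenced by `urls`; the verdict is
    'allowlisted', 'lookalike of <legitimate host>' or 'unknown'."""
    allowed = {decode_host(h) for h in allowlist}
    legit_by_skeleton = {skeleton(h): decode_host(h) for h in allowlist}
    report = {}
    for url in urls:
        host = urlsplit(url).hostname or ""
        if decode_host(host) in allowed:
            report[host] = "allowlisted"
            continue
        legit = legit_by_skeleton.get(skeleton(host))
        report[host] = f"lookalike of {legit}" if legit else "unknown"
    return report


# Constructed sample: the merchant's real CDN hosts and the resource URLs seen on a page.
LEGIT_HOSTS = ["cdn.shop-checkout.example", "static.shop-checkout.example"]
# A Cyrillic 'о' inside "shop", encoded the way a browser sends it on the wire (punycode).
PUNYCODE_HOST = "cdn.sh\u043ep-checkout.example".encode("idna").decode("ascii")
SAMPLE_URLS = [
    "https://cdn.shop-checkout.example/js/checkout.js",        # genuine
    "https://cdn.sh0p-checkout.example/favicon.ico",           # digit zero for 'o'
    "https://static.shop-checkout.exarnple/loader.js",         # 'rn' for 'm'
    f"https://{PUNYCODE_HOST}/favicon.ico",                    # homoglyph domain
    "https://analytics.other-vendor.example/tag.js",           # unrelated third party
]

if __name__ == "__main__":
    for host, verdict in audit_resource_hosts(SAMPLE_URLS, LEGIT_HOSTS).items():
        print(f"{host:45} {verdict}")
```

    Hosts reported as “unknown” are not necessarily malicious, only unvetted; the “lookalike” verdicts are the ones worth an immediate check of what the resource actually contains.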
    The issue with Magecart-style attacks is the relatively “low bar” to entry set by Inter for cybercriminals seeking to cash in on our cards, RiskIQ says.
    The Inter kit, which includes sniffers, data extraction tools, different injection modes, and scripts compatible with multiple e-commerce CMS varieties, has been tracked by cybersecurity researchers for a number of years. An earlier build of the toolkit, described by Volexity in 2018, was named JS Sniffer/SniFall and was used against the Magento e-commerce platform. 
    Further RiskIQ and Flashpoint research suggested that Inter first landed on underground forums in 2016 with a price tag of $5,000; more recently, versions of Inter have been offered for $1,300 per license, a price that has since dropped to as little as $1,000, with a 30/70 revenue-split option to entice even more attackers to the fold. 
    In March, PerimeterX said Magecart-related groups had grown from a “handful to a few hundred,” likely due to the discounted licensing cost and Inter’s all-in-one criminal solution, which requires little technical knowledge to deploy. 
    Inter, PerimeterX says, is well on its way to becoming a “Skimming-as-a-Service” option in underground forums. RiskIQ has carried on this research and says that over 1,500 websites at present are infected with the skimmer, with the kit becoming “one of today’s most common and widely used digital skimming solutions globally.”
    “The Inter skimmer kit is a hot item on this market and comes prepackaged and ready-made to skim so that even cybercriminals with little technical expertise (but a little cash to burn) can use it,” the team says.
    RiskIQ says the actor behind the kit, known by aliases including porter and Sochi, has made a number of recent improvements including the option to bolt-on additional obfuscation services; the ability to create fake payment forms using legitimate names such as PayPal; and automatic checks of stolen information to remove duplication. 
    Inter has now also been connected to a variety of other cybercriminal campaigns, including ransomware deployment, Darkcloud and SandiFlux fast flux DNS services — DNS techniques used to maintain botnets — and domains likely connected to phishing and spam campaigns. 
    “Since the Inter kit is licensed out to many different actors, we cannot say whether these activities are definitely connected to Sochi,” the researchers added. “Still, we do know that the Inter kit is part of an ever-growing web of malicious activity.”

    Previous and related coverage
    Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0


    Patch now: Cisco warns Jabber IM client for Windows has a critical flaw

    Cisco has raised an alert for customers using its Jabber video and instant-messaging client to patch four security flaws, including one critical bug that’s wormable.
    Without the latest patch, the Jabber for Windows client allows a remote attacker to exploit the flaw by sending rigged XML-based Extensible Messaging and Presence Protocol (XMPP) messages to the vulnerable Jabber client, according to Cisco. 


    Such an attack also poses a threat to the Windows system the Jabber client is running on. 
    “A successful exploit could allow the attacker to cause the application to execute arbitrary programs on the targeted system with the privileges of the user account that is running the Cisco Jabber client software, possibly resulting in arbitrary code execution,” Cisco notes. 
    The bug only affects vulnerable versions of the Cisco Jabber client for Windows that have XMPP messaging services enabled. 
    The flaw, tracked as CVE-2020-3495, has a severity rating of 9.9 out of 10 and should be patched immediately, according to a report by Norwegian pen-tester Olav Sortland Thoresen of Watchcom, who discovered the flaws.
    He’s published a detailed account of the four flaws and the design of Jabber, which is based on the Chromium Embedded Framework (CEF). CEF allows developers to embed a natively sandboxed Chromium-based web browser in their applications.  
    The one critical Jabber flaw allows an attacker to create a worm that spreads malware automatically between Jabber users without requiring user interaction, according to Thoresen. 
    “Cisco Jabber is vulnerable to Cross Site Scripting (XSS) through XHTML-IM messages. The application does not properly sanitize incoming HTML messages and instead passes them through a flawed XSS filter,” he explains. 
    “Cisco Jabber uses XHTML-IM by default for all messages. A malicious message can therefore easily be created by intercepting an XMPP message sent by the application and modifying it. Attackers can do this manually on their own machine or it can be automated to create a worm that spreads automatically.”
    While the embedded browser is sandboxed to prevent access to files and performing system calls, he notes developers create ways to bypass the sandbox to add functionality, in this case to allow the client to open files received from other Cisco Jabber users. 
    “Since Cisco Jabber supports file transfers, an attacker can initiate a file transfer containing a malicious .exe file and force the victim to accept it using an XSS attack,” explained Thoresen. 
    “The attacker can then trigger a call to window.CallCppFunction, causing the malicious file to be executed on the victim’s machine.”
    Thoresen says organizations using Cisco Jabber should consider disabling communication with external organizations through Cisco Jabber until all employees have installed the update. He’s also provided some indicators that security teams should be watchful for: 
    XMPP messages with unusual HTML content
    Invocations of CiscoJabber.exe with unusual flags
    Unusual sub-processes of CiscoJabber.exe
    Malicious files being sent through Cisco Jabber’s file-sharing feature
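The first and third indicators above can be checked mechanically. The following Python is an added example, not code from the article or from Watchcom: it audits an XHTML-IM message body for markup that a plain chat message has no reason to carry (tags outside an allowlist, inline event handlers, javascript: URIs) and filters process-creation telemetry for children of CiscoJabber.exe outside an expected baseline. The allowlist, the baseline, the message bodies and the events are all constructed assumptions for the example.

```python
from html.parser import HTMLParser

# Tags one would expect in an ordinary XHTML-IM body. This allowlist is an
# assumption for the example, not Cisco's or Watchcom's filter.
ALLOWED_TAGS = {"body", "p", "span", "a", "img", "br", "b", "i", "em",
                "strong", "ul", "ol", "li", "blockquote", "cite"}

class XhtmlImAudit(HTMLParser):
    """Collect findings for markup that should not appear in an XHTML-IM body."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            self.findings.append(f"unexpected tag <{tag}>")
        for name, value in attrs:               # HTMLParser lowercases attribute names
            if name.startswith("on"):           # inline event handler, e.g. onerror
                self.findings.append(f"event handler {name} on <{tag}>")
            if name in ("href", "src") and value and value.strip().lower().startswith("javascript:"):
                self.findings.append(f"javascript: URI in {name} on <{tag}>")

def audit_xhtml_im(body: str) -> list:
    """Return a list of findings; an empty list means nothing unusual was seen."""
    parser = XhtmlImAudit()
    parser.feed(body)
    parser.close()
    return parser.findings

# Constructed message bodies (not taken from the article or the advisory).
XHTML_SAMPLES = {
    "plain":   '<body xmlns="http://www.w3.org/1999/xhtml"><p>see <b>attached</b></p></body>',
    "handler": '<body xmlns="http://www.w3.org/1999/xhtml"><img src="x" onerror="x()"/></body>',
    "script":  '<body xmlns="http://www.w3.org/1999/xhtml"><script>x()</script></body>',
}

# Constructed process-creation events shaped like Sysmon/EDR telemetry.
PROCESS_EVENTS = [
    {"parent": "CiscoJabber.exe", "image": "CiscoJabber.exe", "cmdline": "CiscoJabber.exe --type=renderer"},
    {"parent": "CiscoJabber.exe", "image": "cmd.exe", "cmdline": 'cmd.exe /c "invoice.exe"'},
    {"parent": "explorer.exe", "image": "CiscoJabber.exe", "cmdline": "CiscoJabber.exe"},
]
# Assumed baseline: the client's own helper processes are its only normal children.
EXPECTED_CHILDREN = {"ciscojabber.exe"}

def unusual_jabber_children(events) -> list:
    """Return events where CiscoJabber.exe spawned something outside the baseline."""
    return [e for e in events
            if e["parent"].lower() == "ciscojabber.exe"
            and e["image"].lower() not in EXPECTED_CHILDREN]
```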


    WordPress File Manager plugin flaw causing website hijack exploited in the wild

    The developers of the WordPress File Manager plugin have patched an actively-exploited security issue permitting full website hijacking.  

    According to the Sucuri WordPress security team, the vulnerability emerged in version 6.4 of the software, which is used as an alternative to FTP in managing file transfers, copying, deletion, and uploads. 
    File Manager accounts for over 700,000 active installations. 
    In version 6.4, released on May 5, a file was renamed in the plugin for development and testing purposes. However, rather than being kept as a local change, the renamed file was accidentally added to the project. 
    The file in question was pulled from the third-party dependency elFinder and used as a code reference. An extension added to the file, the rename of connector-minimal.php-dist to connector-minimal.php, was a small tweak — but was enough to trigger a critical vulnerability in the popular plugin.
    ElFinder’s script, as a file manager, grants users elevated privileges for modifying, uploading, and deleting files. As the system is focused on ease of use, to set the elFinder file manager up, it takes nothing more than changing the file’s extension from .php-dist to .php — and so the avenue for attacks was opened. 
    While using the file as a reference may have helped the team locally test features, the researchers say that leaving such a script — intentionally designed to not check access permissions — in a public build causes a “catastrophic vulnerability if this file is left as-is on the deployment.”
    “This change allowed any unauthenticated user to directly access this file and execute arbitrary commands to the library, including uploading and modifying files, ultimately leaving the website vulnerable to a complete takeover,” Sucuri says. 
    The solution, included in version 6.9, is simple enough: simply delete the file — which was never part of the plugin’s functionality anyway — and other unused .php-dist files.
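The root cause is a shipped template that becomes live simply by losing its .php-dist suffix. As an added example that is not code from the article, the plugin or Sucuri, the Python below scans a directory tree for any .php file that sits beside a same-named .php-dist sibling (the exact pattern that went wrong here) and flags direct requests to connector-minimal.php in web-server logs; the directory layout, plugin path and log lines are constructed for the example.

```python
import os
import re
import tempfile
from pathlib import Path

def find_activated_dist_files(root: str) -> list:
    """Return *.php files that sit next to a *.php-dist sibling.

    A .php-dist file is an inert template; a same-named .php beside it means
    the template was activated and is reachable over the web, which is the
    File Manager 6.4 mistake with connector-minimal.php.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        present = set(files)
        for name in files:
            if name.endswith(".php-dist"):
                live = name[: -len("-dist")]          # strip the "-dist" suffix
                if live in present:
                    hits.append(os.path.join(dirpath, live))
    return sorted(hits)

def build_sample_plugin_tree() -> str:
    """Construct a throwaway directory with the faulty layout (constructed, not the real plugin)."""
    root = tempfile.mkdtemp(prefix="plugin-")
    lib = Path(root, "elfinder")                      # subdirectory name is an assumption
    lib.mkdir()
    (lib / "connector-minimal.php-dist").write_text("<?php // sample connector, no access checks\n")
    (lib / "connector-minimal.php").write_text("<?php // accidentally committed copy\n")
    (lib / "autoload.php").write_text("<?php // ordinary plugin code\n")
    return root

# Any request that reaches the connector directly, whatever site path sits in front of it.
CONNECTOR_REQUEST = re.compile(r'"(?:GET|POST) \S*/connector-minimal\.php(?:\?\S*)? HTTP/')

# Constructed access-log lines in Apache combined format; not Sucuri's telemetry.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Sep/2020:10:00:01 +0000] "GET /wp-login.php HTTP/1.1" 200 512',
    '203.0.113.9 - - [01/Sep/2020:10:00:02 +0000] "POST /wp-content/plugins/file-manager/elfinder/connector-minimal.php HTTP/1.1" 200 88',
]

def flag_connector_requests(lines) -> list:
    """Return (client IP, log line) pairs for direct hits on the connector."""
    return [(ln.split(" ", 1)[0], ln) for ln in lines if CONNECTOR_REQUEST.search(ln)]
```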
    However, a week before the file was removed, proof-of-concept (PoC) code was released on the code repository GitHub, leading to a wave of attacks against websites before version 6.9 was made available.
    Sucuri says the exploit rapidly gained traction. The first attack was spotted on August 31, a day before a fixed version of the file manager was released. This ramped up to roughly 1,500 attacks per hour, and a day later, this increased to an average of 2,500 attacks every 60 minutes. By September 2, the team saw roughly 10,000 attacks per hour.
    In total, Sucuri has tracked “hundreds of thousands of requests from malicious actors attempting to exploit it.”
    While the vulnerability has now been resolved, at the time of writing, only 6.8% of WordPress websites have updated to the new, patched version of the plugin, leaving many websites open to compromise. 
    In July, a reflected XSS vulnerability was patched in KingComposer, a WordPress plugin for drag-and-drop page creation. The bug, CVE-2020-15299, was caused by a dormant Ajax function that could be abused to deploy malicious payloads. 
