More stories

    New 'Shadow Attack' can replace content in digitally signed PDF files

    Fifteen out of 28 desktop PDF viewer applications are vulnerable to a new attack that lets malicious threat actors modify the content of digitally signed PDF documents.
    The list of vulnerable applications includes Adobe Acrobat Pro, Adobe Acrobat Reader, Perfect PDF, Foxit Reader, PDFelement, and others, according to new research published this week by academics from Ruhr-University Bochum in Germany.

    Image: Mainka et al.
    Academics have named this technique of forging documents a Shadow Attack.
    The main idea behind a Shadow Attack is the concept of “view layers” — different sets of content that are overlaid on top of each other inside a PDF document.
    A Shadow Attack is when a threat actor prepares a document with different layers and sends it to a victim. The victim digitally signs the document with a benign layer on top, but when the attacker receives it, they change the visible layer to another one.

    Because the layer was included in the original document that the victim signed, changing the layer’s visibility doesn’t break the cryptographic signature and allows the attacker to use the legally-binding document for nefarious actions — such as replacing the payment recipient or sum in a PDF payment order or altering contract clauses.

    Replace variant of a Shadow Attack
    Image: Mainka et al.
    According to the research team three variants of a Shadow Attack exist:
    Hide — when attackers use the PDF standard’s Incremental Update feature to hide a layer, without replacing it with anything else.
    Replace — when attackers use the PDF standard’s Interactive Forms feature to replace the original content with a modified value.
    Hide-and-Replace — when attackers use a second PDF document contained in the original document to replace it altogether.

    Hide-and-Replace variant of a Shadow Attack
    Image: Mainka et al.
    “The Hide-and-Replace attack variant is the most powerful one since the content of the entire document can be exchanged,” the research team says.
    “The attacker can build a complete shadow document influencing the presentation of each page, or even the total number of pages, as well as each object contained therein.”
    Researchers say that Shadow Attacks are possible because PDF documents, even when digitally signed, allow unused PDF objects to be present inside their content.
    PDF viewer apps that remove unused PDF objects when signing a document are immune to Shadow Attacks.
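    To make the mechanism concrete, here is an added Python model of why the signature survives the edit. It is written for this page, not the researchers' code, and its document syntax is simplified (it will not open in a real viewer). It builds a PDF-like file with a visible content object and an unreferenced shadow object, signs it over a /ByteRange that excludes only the signature bytes, as real PDF signatures do (SHA-256 stands in for the actual signature), then appends an incremental update that re-points the page at the shadow object. Nothing inside the signed range changes, so a viewer that only recomputes the digest over the ByteRange accepts the file. The check a careful verifier wants is the last function: anything after the signed range that redefines an object the signer already approved is a modification and should be surfaced as one, not silently rendered. The payment text is constructed sample input.

```python
import hashlib
import re

# Constructed for this example: a PDF-like document (simplified syntax that a
# real viewer would not open) with the pieces that matter for a Shadow Attack.
RANGE_RE = re.compile(rb"/ByteRange \[0 (\d+) (\d+) (\d+)\]")
CONTENTS_RE = re.compile(rb"/Contents <([0-9a-f]{64})>")
OBJ_RE = re.compile(rb"(\d+) 0 obj")


def _sig_obj(a: int, b: int, c: int, digest_hex: bytes) -> bytes:
    """Signature object. /ByteRange [0 a b c] covers bytes [0, a) and [b, b+c):
    everything except the hex /Contents string. Fixed-width numbers keep the
    offsets stable between the placeholder pass and the final pass."""
    return (b"4 0 obj << /Type /Sig /ByteRange [0 %010d %010d %010d] /Contents <" % (a, b, c)
            + digest_hex + b"> >> endobj\ntrailer << /Root 1 0 R >>\n%%EOF\n")


def make_signed_doc(visible: bytes, shadow: bytes) -> bytes:
    """Document as the attacker hands it to the signer.

    Object 2 is the content the signer sees. Object 3 is the shadow content: it is
    not referenced by the page, so it is never rendered, but it sits inside the
    signed range like everything else the signer approves."""
    body = b"".join([
        b"%PDF-1.7\n",
        b"1 0 obj << /Type /Page /Contents 2 0 R >> endobj\n",
        b"2 0 obj << /Length %d >> stream\n" % len(visible), visible, b"\nendstream endobj\n",
        b"3 0 obj << /Length %d >> stream\n" % len(shadow), shadow, b"\nendstream endobj\n",
    ])
    placeholder = _sig_obj(0, 0, 0, b"0" * 64)
    a = len(body) + placeholder.index(b"/Contents <") + len(b"/Contents <")
    b = a + 64
    c = len(body) + len(placeholder) - b
    unsigned = body + _sig_obj(a, b, c, b"0" * 64)
    # sha256 stands in for the real signature over the two covered ranges.
    digest = hashlib.sha256(unsigned[:a] + unsigned[b:b + c]).hexdigest().encode()
    return body + _sig_obj(a, b, c, digest)


def signed_ranges(doc: bytes):
    """Parse the first signature's /ByteRange [0 a b c]."""
    a, b, c = (int(x) for x in RANGE_RE.search(doc).groups())
    return a, b, c


def signature_valid(doc: bytes) -> bool:
    """What a viewer checks: recompute the digest over the signed /ByteRange."""
    a, b, c = signed_ranges(doc)
    claimed = CONTENTS_RE.search(doc).group(1)
    actual = hashlib.sha256(doc[:a] + doc[b:b + c]).hexdigest().encode()
    return actual == claimed


def shadow_attack(signed_doc: bytes) -> bytes:
    """Hide-and-Replace, simplified: an incremental update appended after the
    signed range redefines the page so it now shows object 3. No byte inside the
    /ByteRange changes, so the signature keeps verifying."""
    update = b"1 0 obj << /Type /Page /Contents 3 0 R >> endobj\ntrailer << /Root 1 0 R >>\n%%EOF\n"
    return signed_doc + update


def unsigned_tail(doc: bytes) -> bytes:
    """Bytes after the signed range. A second signature legitimately lives here,
    which is why viewers tolerate it; so does a shadow update."""
    a, b, c = signed_ranges(doc)
    return doc[b + c:]


def redefined_objects(doc: bytes) -> set:
    """Object numbers that an unsigned update overwrites. Any object that existed
    in the signed revision and is redefined afterwards changes what the signer
    approved and should be reported as a modification."""
    a, b, c = signed_ranges(doc)
    signed_objs = {m.group(1) for m in OBJ_RE.finditer(doc[:a])}
    later_objs = {m.group(1) for m in OBJ_RE.finditer(doc[b + c:])}
    return {int(n) for n in signed_objs & later_objs}


if __name__ == "__main__":
    clean = make_signed_doc(b"Pay 100 EUR to Alice", b"Pay 9000 EUR to Mallory")
    tampered = shadow_attack(clean)
    print("signature valid after attack:", signature_valid(tampered))  # True
    print("objects redefined outside the signed range:", redefined_objects(tampered))  # {1}
```

    The point of `redefined_objects` is the caveat from the paper: a viewer cannot simply reject every incremental update, because a second signer or a long-term validation dictionary is appended the same way, so the useful distinction is between updates that add new objects and updates that change what the signed revision already displayed.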
    Patches are available
    The research team said they worked with the CERT-Bund (Computer Emergency Response Team of Germany) to contact PDF app makers to report this new attack vector and have it patched before going public with their findings earlier this week.
    The Shadow Attack is currently tracked with the CVE-2020-9592 and CVE-2020-9596 identifiers.
    Companies should update their PDF viewer apps to make sure the PDF documents they sign can’t be tampered with via a Shadow Attack.
    This is the second time that this very same research team has broken digital signatures for PDF viewer applications. In February 2019, the same team broke the digital signing mechanism on 21 of 22 desktop PDF viewer apps and five of seven online PDF digital signing services to create documents with fake signatures.
    The new Shadow Attack differs from the first: unlike that attack, it does not tamper with the digital signature itself but with the content of the PDF, without breaking the signature.
    In addition, the same research team also discovered PDFex, a technique to break the encryption on 27 PDF viewer applications and extract data from inside encrypted documents.

    Ransomware attack locked a football club's turnstiles

    Cyber criminals and hackers are actively taking aim at sports teams, organisations and leagues with phishing, ransomware attacks and more in attempts to scam huge sums of money.
    The UK’s National Cyber Security Centre has detailed the cyber threats faced by the elite sports industry – and revealed that more than 70% of sports institutions have been the victim of some kind of attempted cyberattack or hacking incident over the past 12 months.

    Almost a third had recorded at least five attempted attacks, which are predominantly conducted by financially motivated criminals – although the report warns there’s a chance nation states could attempt campaigns against sports organisations, particularly those that are involved with international events such as the Olympic Games.
    The key cyberattacks that sports organisations are warned to protect themselves against are business email compromise phishing attacks, fraud, and ransomware campaigns being used to shut down critical event systems and stadiums – a quarter of malware attacks targeting sports organisations are said to have involved ransomware.

    One incident includes the email account of a Premier League football club’s managing director being hacked before a transfer negotiation, which almost led to the £1m fee being stolen by cyber criminals as part of a business email compromise scheme.
    The director inadvertently entered their credentials into a spoofed Office 365 login page, which gave the attackers those details and the ability to monitor their email, including a message about the impending transfer of a player.
    Attackers used the stolen credentials to start a dialogue between the two clubs and the deal was even approved – but the payment didn’t go through because the bank identified the cyber criminals’ account as fraudulent.
    Meanwhile, a ransomware attack against an English football club crippled corporate and security systems, stopping the turnstiles from working, something that stopped fans being able to get in or out of the stadium and almost led to the cancellation of the league fixture, which would have cost the club hundreds of thousands of pounds in lost income.
    It’s believed that attackers got into the network via a phishing email or by remote access to the connected CCTV system. Once the hackers were in, they could spread across the network, as it was not segmented. The attackers demanded 400 bitcoin (almost £300,000) but the club didn’t pay, eventually restoring the network themselves.
    Another incident detailed in the NCSC’s Cyber Threat to Sports Organisations report reveals that a member of staff at a racecourse had £15,000 stolen in a scam where attackers spoofed eBay.
    The warning to sports clubs and league bodies to stay alert for cyberattacks comes at a time when many are already struggling with finances due to the impact of the coronavirus pandemic on sports fixtures, many of which have been cancelled or are being forced to be played behind closed doors. The prospect of losing more money because of a cyberattack could, therefore, be highly damaging.
    “While cybersecurity might not be an obvious consideration for the sports sector as it thinks about its return, our findings show the impact of cyber criminals cashing in on this industry is very real,” said Paul Chichester, director of operations at the NCSC.
    “I would urge sporting bodies to use this time to look at where they can improve their cybersecurity – doing so now will help protect them and millions of fans from the consequences of cybercrime.”
    Almost a third of the reported incidents detailed by the NCSC paper resulted in direct financial damage at an average cost of £10,000 each time – with the biggest single loss coming in at over £4 million.
    To help protect against cyberattacks, the NCSC recommends that sports organisations should implement email security controls, something that the report says “isn’t routinely applied” throughout the sector. Organisations should also ensure that staff receive cybersecurity training and that cyber-risk management is taken seriously at all levels.
    And to protect against ransomware and other cyberattacks targeting infrastructure, organisations should make sure that all systems are patched with the latest security updates to stop criminals exploiting known vulnerabilities. Remote access should also be restricted where it isn’t necessary.

    Chinese hackers blamed for the spread of MgBot Trojan across India, Hong Kong

    An uptick in the spread of a new MgBot malware variant across India and Hong Kong is being laid at the feet of a suspected Chinese advanced persistent threat (APT) group. 

    According to Malwarebytes researchers Hossein Jazi and Jérôme Segura, the theme of phishing documents used to drop the malware, relating to tensions in Hong Kong and China, indicates that a Chinese cyberattack group — active since 2014 — is likely to blame. 
    In a blog post on Tuesday, the cybersecurity researchers said an archive file with a document masquerading as communication from the government of India was spotted on July 2. 
    The phishing document originally dropped a variant of Cobalt Strike, a legitimate penetration testing tool that can be abused by threat actors. However, on the same day, the template was changed to drop a loader for MgBot, a Remote Access Trojan (RAT). 
    On July 5, additional phishing documents laden with MgBot were found that weaponized statements from the UK Prime Minister, Boris Johnson, concerning the current political situation between China and Hong Kong. 

    It is believed that the RAT is being deployed via spear phishing emails and is used in targeted attacks against political entities and individuals. 
    “The lures used in this campaign indicate that the threat actor may be targeting the Indian government and individuals in Hong Kong, or at least those who are against the new security law issued by China,” the team says. 
    If a victim opens the phishing document and enables macros, the loader is deployed and executes, disguising itself as the Realtek Audio Manager tool. The final payload is dropped via the Windows Application Management (AppMgmt) service.
    MgBot connects to a command-and-control (C2) server to transfer stolen device data, take screenshots, log keystrokes, kill, disable, and create processes, create mutexes, and establish persistence.
    The malware’s authors have also attempted to stop the malicious code from being analyzed through the implementation of anti-analysis and anti-virtualization methods. These include the self-modification of code, checks for existing antivirus products, and scans for virtualized environments such as VirtualBox. If a sandbox is detected, MgBot does not perform any malicious activity.   
    The C2 servers and IP addresses connected to the malware are almost all based in Hong Kong. Coding in simplified Chinese suggests the malware is the work of Chinese-language speakers. 
    During an examination of the C2, Malwarebytes also came across several malicious Android APKs that are thought to be part of the APT’s toolkit. The apps contain an embedded Trojan able to record smartphone screens and audio, grab a phone’s location via GPS data theft, steal phone contacts, call logs, SMS messages and web history, as well as send SMS messages without permission. 
    While there are a number of prolific Chinese APTs currently in play, Malwarebytes believes the group responsible for this wave of attacks is separate from others such as Rancor or APT40, as this actor has used a variant of MgBot in every campaign tracked so far.
    Previous attacks attributed to this group have used MgBot disguised as an MP3 encoder library and the exploit of a VBScript vulnerability to drop the malware on to vulnerable machines. 
    “Considering the ongoing tensions between India and China, as well as the new security laws over Hong Kong, we believe this new campaign is operated by a Chinese state-sponsored actor,” Malwarebytes says. “Considering these factors we attribute this APT attack with moderate confidence to a new Chinese APT group.” 
    In related news, on Wednesday Cisco Talos researchers published a paper describing the antics of Prometei, a botnet that is only four months old. The malware is using old Microsoft Windows SMB vulnerabilities to break into machines and set up shop as a Monero (XMR) cryptocurrency miner. 


    Yubico releases 'Clear Limited Edition' YubiKey 5Ci Lightning/USB-C security key

    A year ago, Yubico released the world’s first security key to feature both USB-C and Lightning connectors. The YubiKey 5Ci Lightning/USB-C security key has now been released in a new “Clear Limited Edition” version.
    The new version is the same as the existing version but for one difference — the high-security internal components have been encased in a transparent durable fiberglass-reinforced housing rather than the standard black housing used for other YubiKeys.
    I’ve been using a YubiKey 5Ci since its release last year, and it has become an invaluable part of my security. Hardware-based authentication is far superior to SMS-based 2FA, and the fact that I can use a single key on a whole raft of different devices — iPhone, iPad, Macs, Android devices, and Windows PCs — means that I’m no longer juggling a handful of keys.
    YubiKeys are compatible with a long list of services and apps, from password managers such as LastPass and 1Password to services such as Twitter, Login.gov, GitHub, Bitbucket, Cloudflare, AWS, Dropbox, and many more.

    One company that has made YubiKeys mandatory is Google, which reports zero account takeovers, 4x faster logins, and 92 percent fewer support calls as a result.
    The YubiKey 5Ci supports a wide range of protocols: FIDO2/WebAuthn, FIDO U2F, OTP (one-time password), PIV (smart card), and OpenPGP.
    The limited edition clear YubiKey 5Ci retails for $70, the same as the regular black version.

    Asean firms stick to familiar security tools, with growing interest in newer options

    When it comes to cybersecurity, most enterprises in Asean are opting to stick with tried-and-tested, familiar tools. There is, however, growing interest in comparatively newer options such as software-defined wide area network (SD-WAN) security systems.
    Antivirus or antimalware tools remained the most popular cybersecurity choice for enterprises in the region, with 71% deploying these applications, revealed a Palo Alto Networks study released Thursday. The online survey was conducted in February 2020 at the start of the COVID-19 outbreak, before safe distancing measures were rolled out, with 100 respondents each from four Asean markets: Singapore, Indonesia, Thailand, and the Philippines. 

    These businesses were also rolling out comparatively newer and more advanced options, with 58% implementing cloud-native security platforms and 55% turning to SD-WAN infrastructures. Half had rolled out next-generation firewalls, while 42% and 40% had implemented encryption and anti-ransomware applications, respectively.
    SD-WAN security was particularly popular in Singapore, where 62%, the highest across the region, had implemented such systems, noted Palo Alto. Some 31% had deployed 5G security for Internet of Things (IoT) devices, in anticipation of the network's rollout next year.
    Some 79% in the city-state also indicated an increase in their cybersecurity budgets between 2019 and 2020, with 53% dedicating at least half of their company's IT budget to cybersecurity.

    The move to push up security spending was fuelled by a growing volume of attacks, as cited by 71% of Singapore respondents, while 58% pointed to the increased sophistication of threats and 51% cited a need to upgrade existing infrastructure to facilitate automation.
    Across the region, 73% said their security budgets had expanded, with 46% setting aside more than half of their total IT spending towards cybersecurity. 
    Amongst 5% that chose to reduce their security spending, the majority pointed to the lower likelihood of breaches — based on their experience from the previous year — and a restructuring of their IT budgeting priorities. 
    Palo Alto, however, noted that spending on cybersecurity could change as businesses reviewed the impact of the coronavirus outbreak. 
    "In light of the COVID-19 pandemic, businesses will now need to navigate the newfound risks brought about by remote work and other COVID-19-themed threats," Palo Alto Networks' Asean vice president Teong Eng Guan said. "This will require a relook at existing cybersecurity strategies and investments."
    Across the four markets, 96% said they reviewed their cybersecurity policies and standard operating procedures (SOPs) at least once yearly, while 82% checked to ensure their computer software was updated at least once monthly. Another 94% supported the need for mandatory breach reporting. 
    With threats growing, though, 58% acknowledged their organisation remained vulnerable to attacks. Some 48% cited the lack of security awareness amongst employees as a top challenge, while 43% pointed to risks from third-party providers and suppliers. Another 32% were concerned about the lack of understanding within the management team about the importance of cybersecurity.
    Teong said: "Challenges around the 'people' factor of cybersecurity are set to remain in Asean, as employees log in from home networks. Many parallels can be drawn with how we're dealing with the global pandemic; as we now navigate the resumption of our daily lives cautiously, businesses, too, will need to be more vigilant and extra cautious as they adapt and evolve their cybersecurity approach.
    “As organisations roll out more cloud-based applications and connectivity tools to support a distributed workforce, we also need to be careful about the partners and suppliers they’re connecting to and sharing data with, now more than ever.”


    IBM Verify Gateway vulnerability allowed remote attackers to brute-force their way in

    IBM has patched a vulnerability in Verify Gateway (IVG) that allows attackers to brute-force their way into systems remotely.

    IVG is software designed to protect enterprise systems through multi-factor authentication features and pre-built credential provider services. IVG supports a range of operating systems and platforms including Windows, Red Hat, CentOS, Ubuntu, Debian, AIX, and SUSE.
    This week, the tech giant issued a set of security advisories relating to versions 1.0.0 and 1.0.1 of the software, the most serious being the disclosure of CVE-2020-4400. 
    Assigned a CVSS severity score of 7.5, the vulnerability is caused by an account lockout mechanism that IBM deemed "inadequate": it does not limit repeated access attempts. In an automated brute-force attack, threat actors hammer a login with usernames and passwords (or, here, one-time codes) until they hit the right combination; to blunt such attacks, software normally caps the number of failed attempts before locking or throttling the account.

    However, IVG’s settings did not reach this standard when it comes to time-based one-time passwords (TOTPs), and so the bug “could allow a remote attacker to brute-force account credentials,” according to IBM. 
    The patched version of the software — v1.0.1 IVG for RADIUS and AIX PAM — as well as v1.0.2 of IVG for Linux PAM and IVG for Windows Login, has now added a throttling mechanism.  
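    Why a missing cap matters so much for TOTP specifically: a six-digit code has only a million values, and a verifier that tolerates one step of clock skew accepts three of them at any moment, so an unthrottled attacker who can send a million guesses succeeds about 95% of the time. The following added Python example (written for this page, not IBM's code) implements RFC 4226 HOTP and RFC 6238 TOTP, the probability calculation above, and a verifier with the kind of per-user failure counter and temporary lockout that the fix adds. The secret, user name and thresholds are constructed for the example; the one real value is the RFC 6238 test vector used in the check.

```python
import hashlib
import hmac
import struct

# Added example, not IBM's code. Secrets, users and thresholds are constructed.


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP with HMAC-SHA1 and dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the time step containing the timestamp `at`."""
    return hotp(secret, at // step, digits)


def brute_force_success(attempts: int, digits: int = 6, accepted: int = 3) -> float:
    """Chance of guessing a code without throttling, if the verifier accepts
    `accepted` adjacent codes (skew tolerance) out of 10**digits possibilities."""
    return 1 - (1 - accepted / 10 ** digits) ** attempts


class TotpVerifier:
    """TOTP verifier with the per-account lockout that CVE-2020-4400 describes as missing."""

    def __init__(self, secret: bytes, max_failures: int = 5, lockout_seconds: int = 300,
                 skew: int = 1, step: int = 30):
        self.secret = secret
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.skew = skew
        self.step = step
        self.state = {}  # user -> (failure count, locked-until timestamp)

    def accepted_codes(self, now: int) -> set:
        """Codes accepted at `now`: the current step plus `skew` steps either side."""
        return {totp(self.secret, now + k * self.step, self.step)
                for k in range(-self.skew, self.skew + 1)}

    def verify(self, user: str, code: str, now: int) -> str:
        """Return 'ok', 'bad' or 'locked'. While locked, even a correct code is
        refused, so the response leaks nothing about the guess."""
        failures, locked_until = self.state.get(user, (0, 0))
        if now < locked_until:
            return "locked"
        if any(hmac.compare_digest(code, c) for c in self.accepted_codes(now)):
            self.state[user] = (0, 0)
            return "ok"
        failures += 1
        if failures >= self.max_failures:
            # Lock the account; the counter restarts when the lockout expires, which
            # caps an attacker at max_failures guesses per lockout period.
            self.state[user] = (0, now + self.lockout_seconds)
            return "locked"
        self.state[user] = (failures, 0)
        return "bad"


if __name__ == "__main__":
    secret = b"12345678901234567890"  # RFC 6238 test secret
    print("unthrottled, 1M guesses:", round(brute_force_success(1_000_000), 3))  # 0.95
    v = TotpVerifier(secret, max_failures=3)
    now = 1_000_000
    for guess in ("000000", "111111", "222222", totp(secret, now)):
        print(guess, "->", v.verify("alice", guess, now))
```

    With `max_failures=5` and a five-minute lockout, an attacker gets one guess a minute against the three accepted codes, which turns a minutes-long attack into years; a production deployment would also throttle per source address so one attacker cannot lock out many users at once.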
    IBM has also released a security advisory for CVE-2020-4369, a vulnerability in the pluggable authentication module (PAM) components of the authentication gateway.
    This vulnerability concerns how IVG for AIX PAM and Linux PAM handles the encryption of client-side properties. While the modules support encrypting the values stored in the pam_ibm_auth.json file, this is not enabled by default, so administrators have to remember to run the obfuscation commands manually.
    As this relies on customers to implement encryption, this may be considered a potential security risk that does not need to exist, and one that could lead to the “storage [of] highly sensitive information in cleartext that could be obtained by a user,” the company says. 
    IBM has now enabled client-side encryption by default in AIX PAM and Linux PAM.
    In addition, IBM has also tackled CVE-2020-4372, another information disclosure issue present in IVG for RADIUS, AIX PAM, Linux PAM, and Windows Login. 
    The vulnerability occurs when IVG components are running with debug tracing. When active, client secrets are exposed in cleartext via the debug log, including client usernames, passwords, and client IDs. 
    IBM has patched the issue by suppressing client secrets when debug tracing is active. 
    The company recommends that users install the latest updates of IVG, now renamed as IBM Security Verify Gateway.


    Eftpos develops micropayment proof-of-concept with Hedera Hashgraph

    Image: Eftpos
    Eftpos has teamed up with distributed ledger firm Hedera Hashgraph to develop a micropayments proof-of-concept in hopes it could be used as an alternative payment to monthly subscriptions or paywalls.
    The proof-of-concept was built using the Hedera Consensus distributed public ledger service that allows consumers to load their digital wallet with a few dollars to make an online micropayment, such as purchasing one article behind a paywall from an online newspaper, or a movie from a streaming service, instead of paying for a monthly subscription.
    “By working with Hedera, we are leveraging next generation payments infrastructure technology that can support Australian dollar-based micropayments and open up entirely new ways of conducting business online,” Eftpos entrepreneur in residence Robert Allen said.
    “The Hedera network will enable us to get speed to market and offers us the technology to process fast, secure, and affordable micropayment transactions for all Australian merchants and consumers.”
    Hedera is a public ledger that uses hashgraph consensus, touted by the company as a faster, more secure alternative to blockchain consensus mechanisms.
    Hedera claims high throughput of 10,000-plus cryptocurrency transactions per second and finality within seconds, attributed to its "gossip about gossip" protocol and virtual voting.
    Eftpos also announced it will team up with Australia Post to trial a new digital identity solution.
    The Australian payments company touted that the solution, known as connectID, has been designed to protect consumers from identity theft and fraud.
    The service acts as a broker between identity service providers and merchants or government agencies that require identity verification, such as proof of age, address details, or bank account information.
    The connectID solution, like the postal service’s Digital ID, has been designed to work within the federal government’s Trusted Digital Identity Framework (TDIF) and the banking industry’s TrustID framework.
    As part of the trial, Eftpos will test its connectID service with Australia Post’s digital identification service, ahead of the official launch of connectID before the end of the year.
    The trial follows a proof-of-concept with 20 other “well-known” Australian brands earlier this year.
    “We are collaboratively working with businesses, online merchants, banks, and other identity providers with a view to building identity into our national payments infrastructure for all Australians and Australian businesses before the end of the year,” Benton said.
    Eftpos revealed its plans about connectID as part of its submission [PDF] to the Select Committee on Financial Technology and Regulatory Technology. The company said its solution could also provide new secure and privacy-protecting ways to distribute government funds such as social security, disaster relief, health services, or small business assistance.
    Although the Australian government has its own digital identity solution with myGovID, Eftpos said its solution could provide a “smoother, faster, and more secure onboarding experience, including for government services”.