Technology – Information Security Newspaper | Hacking News
https://www.securitynewspaper.com

How to hide spoofed malicious domain when users hover above a link in a phishing email in Microsoft Outlook, Word or Excel document?
https://www.securitynewspaper.com/2022/06/03/how-to-hide-spoofed-malicious-domain-when-users-hover-above-a-link-in-a-phishing-email-in-microsoft-outlook-word-or-excel-document/
Published: Fri, 03 Jun 2022 20:43:26 +0000

A recent report indicates that Microsoft Office applications could be exposed to homograph attacks based on internationalized domain names (IDNs). In a successful attack, a target user hovering over a link in a phishing email or Word or Excel document could be automatically redirected to a malicious domain.

The report, by Bitdefender, mentions: “Users in a position to validate a link in an email client before clicking on it, will be susceptible to clicking on it because it has not yet been translated into a real domain name in their browser. The actual domain name would only be seen after the page has started to open.”

The term IDN refers to domain names that, in whole or in part, use characters from a non-Latin script or alphabet, as encoded by the Unicode standard. In order for the Domain Name System (DNS) to interpret them correctly, IDNs are stored in the DNS as ASCII strings using Punycode transcription.

Counterfeit IDN homograph domains can be created by combining letters from different alphabets, which to the user look so similar to each other that it is impossible to distinguish them, although Unicode treats them as separate entities. This is not a new concept, although it is still a problem for many users.

Most browsers, for example, display in the address bar the real (Punycode) name of an internationalized domain (https://xn--n1aag8f.com, for example) instead of its display name (https://žugec.com) if the site is suspicious. However, Office applications, including Outlook, display the name in a different way.

Since domain registration verification greatly limits which counterfeit domains can be registered and most browsers display the real name of the spoofed IDN domain, IDN homograph attacks have ceased to be a constant cybersecurity threat, although threat actors may find ways to deploy these attacks on a large scale.

Microsoft acknowledged the problem when it received the Bitdefender report, though it’s unclear if the issue will be fixed. Until the issue is resolved, endpoint security solutions and IP and URL reputation services can help by blocking most suspicious domains.

Feel free to access the International Institute of Cyber Security (IICS) websites to learn more about information security risks, malware variants, vulnerabilities, and information technologies.

NIST updates the Cybersecurity Supply Chain Risk Management Guidance (C-SCRM) in Response to Executive Order Signed by President Biden
https://www.securitynewspaper.com/2022/05/11/nist-updates-the-cybersecurity-supply-chain-risk-management-guidance-c-scrm-in-response-to-executive-order-signed-by-president-biden/
Published: Wed, 11 May 2022 20:49:46 +0000

The U.S. National Institute of Standards and Technology (NIST) has revised the Cybersecurity Supply Chain Risk Management Guidance (C-SCRM), developed at the request of President Joe Biden to provide advice for the identification, assessment and control of cybersecurity risks throughout the supply chain.

The document, titled “Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations”, invites buyers and end users of digital hardware, software, and services to conduct due diligence on the origin and security of components of a digital/technology product.

Supply chain attacks have become one of the most dangerous hacking variants, as they allow threat actors to compromise multiple devices at once, in addition to exploiting vulnerabilities in widely used components. Just remember the SolarWinds attack, which impacted thousands of organizations worldwide.

For Ilkka Turunen, software supply chain security specialist at Sonatype, these measures are important to substantially improve the security of organizations: “This document outlines fundamental best practices, such as generating software bills of materials (SBOM), as well as describing the maintenance activities necessary to maintain effective security practices in the supply chain.”

The researcher adds that software risk mitigation begins with understanding how the use of managed and unmanaged software occurs in an organization, in addition to the progressive mitigation of those risks at the vendor level and with the constant participation of customers.

On the other hand, Cequence Security experts recently alerted the cybersecurity community about the persistence of attacks exploiting flaws such as Log4Shell, which was discovered a few months ago and allows abuse of the Apache Log4j logging utility, considered omnipresent.

A new wave of attacks, identified as LoNg4j, demonstrates the interaction between modern enterprise IT infrastructure and the digital supply chain, spreading across all kinds of applications and creating a critical attack vector in case any vulnerability is exploited.

How Chinese cyber army steals intellectual property from your company
https://www.securitynewspaper.com/2022/05/05/how-chinese-cyber-army-steals-intellectual-property-from-your-company/
Published: Thu, 05 May 2022 23:04:37 +0000

Cybersecurity specialists from tech firm Cybereason reported the uncovering of a Chinese cybercriminal operation whose main goal was intellectual property theft. Identified as “Operation Cuckoobees”, this campaign was attributed to an advanced persistent threat (APT) group sponsored by China and known as Winnti, APT 41, Barium or Blackfly.

This group is known for using various malware strains and distributing them in complex attack chains. According to the Cybereason report, it all starts with the exploitation of multiple vulnerabilities in an enterprise resource planning tool. Hackers then search for a file identified as gthread-3.6.dll in the VMware Tools folder; this allows them to inject other payloads such as webshells and credential dumping tools.

Threat actors also strive to hide their malicious activity. Among the techniques used by APT41, the use of the Windows Server Common Log File System (CLFS) stands out, since it uses an undocumented file format that can be accessed through APIs but cannot be analyzed, allowing hackers to hide their malicious payloads and evade detection for years. According to the report: “The attackers stole intellectual property such as confidential documents, blueprints, diagrams, formulas and proprietary data related to the manufacturing industry.”

Experts add that the attacks targeted technology and manufacturing companies, especially in East Asia, Western Europe and North America, all considered industrial hotspots globally.   

Industrial espionage is a practice commonly associated with hacking groups sponsored by China and its all-powerful Communist Party. In the past, the United States and other nation states have accused the Asian giant of facilitating cyberattack campaigns for the theft of confidential records, either by financing their activities or by simply turning a blind eye to these groups and operations.

CERT-IN makes mandatory for Indian companies to report hacking/cyber security incidents to government within six hours after detecting them
https://www.securitynewspaper.com/2022/04/29/cert-in-makes-mandatory-for-indian-companies-to-report-hacking-cyber-security-incidents-to-government-within-six-hours-after-detecting-them/
Published: Fri, 29 Apr 2022 20:55:00 +0000

A new guideline issued by India’s Computer Emergency Response Team (CERT-In) has become a controversial issue for multiple government IT agencies. The Indian agency has determined that technology organizations should implement measures for the reporting of 20 different types of cyber security incidents within six hours after their detection.

On its reasons for making this determination, the agency mentions that its teams identified “certain gaps that hinder the analysis of security incidents”; in addition to this new deadline, CERT-In will encourage the submission of incident reports by analog mediums such as telephone or fax, in addition to e-mail.

The new mechanisms will apply to service providers, intermediaries, data center operators, enterprises and government organizations that manage IT infrastructure.

As mentioned above, the report lists 20 types of security incidents, including information breaches and ransomware infections. Although it is obvious that the situation merits a report in these cases, in other cases CERT-In provides few concrete definitions, as with the incidents defined as “Attacks or suspicious activities that affect systems/servers/software/applications in the cloud”.

In addition to ambiguous definitions, CERT-In has received criticism about how short the report window is. Other legislative frameworks such as EU’s General Data Protection Regulation (GDPR) establish a deadline of 72 hours for the reporting of security incidents after their detection, while for the U.S. Government 24 hours are more than enough to submit these reports.

This is not the only update to the security incident reporting process in India. According to the new guidelines, organizations under this regulation must also keep a detailed record of all their information systems during the 180 days after the report, also having the obligation to deliver this data to CERT-In when requested.

Finally, additional requirements were established for organizations operating with cryptocurrency. Providers of services related to virtual assets will have to verify the identity of their customers and safeguard this data for at least five years, in what appears to be an aggressive measure against money laundering through cryptocurrency.

Now you can ask Google to remove your phone number, email address, physical address and other personal contact data from Search Results. Learn how to do it
https://www.securitynewspaper.com/2022/04/28/now-you-can-ask-google-to-remove-your-phone-number-email-address-physical-address-and-other-personal-contact-data-from-search-results-learn-how-to-do-it/
Published: Thu, 28 Apr 2022 19:25:46 +0000

After multiple scandals of inappropriate handling of personal information, reinforcing users’ privacy has become one of the primary goals of large technology companies. Such is the case of Google, which has just announced the implementation of new policies that will allow users to request the removal of certain personal content from Google Search results.

While it was already possible to make these requests in cases of doxing or leaking of bank details, the update will allow users to request the removal of other content that appears in search results, including personal contact information. Google will also allow the removal of additional information that may pose a risk of identity theft, such as access credentials to online platforms.

According to the report, the following records may be considered personal contact information:

  • Government identification numbers, including social security numbers, tax identification keys and the like depending on the country in question
  • Bank account numbers and credit cards
  • Images of handwritten signatures
  • Images of identity documents
  • Medical records
  • Physical addresses, phone numbers and email addresses

Regarding the process followed when one of these requests is received, Google says that it evaluates all the content of websites that may be exposing confidential data, trying not to limit the availability of other data that is useful to users. The company also looks at whether the content users want to remove is part of public or government records; if so, the request is inadmissible.

Although this is undoubtedly good news, users should remember that removing this content from Google Search results will not remove it from the Internet. To do this, it is necessary to communicate directly with the administrators of the website in question.

Google continues to implement changes to its policies in order to improve the privacy experience of its users. In recent days, a new measure was revealed that allows users under the age of 18 to request the removal of any image of theirs from image search results. The parents and guardians of minors may also carry out this procedure.

Full information about these requests and other security and privacy measures implemented by Google is available on the company’s official communication channels.

Pwn2Own Miami paid $400,000 USD for 26 zero-day exploits on ICS and SCADA products
https://www.securitynewspaper.com/2022/04/22/pwn2own-miami-paid-400000-usd-for-26-zero-day-exploits-on-ics-and-scada-products/
Published: Fri, 22 Apr 2022 20:33:03 +0000

This week saw the conclusion of the most recent edition of the ethical hacking event Pwn2Own Miami 2022, during which prizes of $400,000 USD were awarded for the reporting of 26 zero-day exploits against ICS and SCADA products. In this edition, the researchers focused on implementations such as control servers, data gateways, and human-machine interfaces.

The Zero Day Initiative (ZDI) posted a message thanking those involved in the event: “Thank you again to all competitors and participating suppliers for their cooperation and for fixing the errors revealed.” Affected product vendors have 120 days to release patches for the flaws reported at Pwn2Own.

The main winners of the Pwn2Own Miami 2022 event are Daan Keuper and Thijs Alkemade of Computest Sector 7. During the first day, the team earned $20,000 USD by demonstrating a code execution attack on the Inductive Automation Ignition SCADA solution, exploiting a missing authentication flaw. During this day Computest Sector 7 also demonstrated a remote code execution (RCE) attack on AVEVA Edge HMI/SCADA, receiving a reward of $20,000 USD.

On the second day, the researchers exploited an infinite loop error to trigger a denial of service (DoS) condition against Unified Automation’s C++ demo server, earning $5,000 USD, in addition to demonstrating an authentication evasion attack on OPC Foundation OPC UA .NET Standard, earning $40,000 USD more.

Computest Sector 7 won the Master of Pwn title after winning a total of $90,000 over the three days of the contest and taking first place on the leaderboard with a total of 90 points.

This year’s Pwn2Own Miami was held in person and also allowed the remote participation of some researchers. During the first edition of Pwn2Own Miami, with the theme of ICS, held in January 2020, ZDI awarded $280,000 for the reporting of 24 zero-day vulnerabilities in ICS and SCADA products.

Payment card industry releases new PCI DSS v4.0 security standard
https://www.securitynewspaper.com/2022/04/01/payment-card-industry-releases-new-pci-dss-v4-0-security-standard/
Published: Fri, 01 Apr 2022 19:12:37 +0000

The PCI Security Standards Council (SSC), the organization dedicated to overseeing the Payment Card Industry Data Security Standard (PCI DSS), announced the release of PCI DSS v4.0, which will replace version 3.2.1, released in 2018. With this new version of the standard, the organization seeks to address emerging threats and technologies, in addition to enabling innovative methods to combat new threats to the integrity of users’ payment information.

The new standard, detailed in a 360-page document, was created based on feedback from more than 200 members of the payments industry globally. A summary of the changes is presented in a document with technical details.

Cybersecurity specialists report that the most prominent changes in this new release include the implementation of multi-factor authentication for all access to cardholder data environments, as well as replacing the term “firewall” with “network security controls” to support a wider range of data security technologies.

The implementation of updates to the new standard could take an indefinite time, so the current version will remain active until March 2024. The PCI SSC noted that some of the new requirements are initially considered best practices, but will take effect on March 31, 2025. After this date, they will be considered in their entirety in PCI DSS assessments.

Cybersecurity specialist Tim Erlin believes this update came at an ideal time: “Any additional emphasis on secure configuration of systems is a welcome addition to cybersecurity best practices. Although the previous version of PCI DSS addressed secure configuration, its limit came to changing default passwords.”

The expert adds that the new version focuses on the Zero Trust standard for authentication and authorization, with the option of dynamically analyzing security posture and granting access to resources in real time as an alternative to password rotation.

Cybercriminals are amplifying DoS attacks times 65 by exploiting firewalls, NAT and other middleboxes
https://www.securitynewspaper.com/2022/03/01/cybercriminals-are-amplifying-dos-attacks-times-65-by-exploiting-firewalls-nat-and-other-middleboxes/
Published: Wed, 02 Mar 2022 00:30:46 +0000

According to a recent report by Akamai, hacking groups specializing in distributed denial of service (DDoS) attacks have begun abusing network middleboxes for reflection and amplification of their malicious campaigns.

A few months ago, a group of researchers published a report on the abuse of misconfigured middleboxes and censorship systems for the reflection of DoS attacks, demonstrating that this infrastructure can be abused to achieve DoS amplification rates of up to 700,000:1. The experts also demonstrated that firewalls and intrusion prevention systems employed by state actors can be used as weapons or amplifiers of DoS attacks.

These conditions depend on the ability of middleboxes to respond to requests with very large blocking pages, even if a valid TCP connection or handshake has not been established.

In their report, Akamai experts explain that a threat actor can create sequences of TCP packets and send them to middleboxes. If the HTTP request headers in these streams contain a domain name for a blocked site, the middlebox responds with HTTP headers or full HTML pages.

As part of a DoS attack, hackers spoof the intended victim’s source IPs, causing middleboxes to direct traffic to that specific IP: “These responses provide attackers with an opportunity for reflection, and in some cases can become an attack scaling factor,” the report states.

While this is a minor increase compared to other attack vectors, TCP Middlebox Reflection abuse-based techniques could become a growing trend, as similar attacks against banking networks, gaming systems, travel, and web hosting have been confirmed.

There are currently hundreds of thousands of middlebox systems potentially vulnerable to these attacks around the world, so threat actors don’t need to access a large number of compromised systems to launch powerful DoS attacks, although the good news is that mitigation options are relatively easy to implement.

According to Akamai, because SYN packets are usually used to initiate the TCP handshake and not for data transmission, any SYN packet that is longer than 0 bytes is suspicious and can be used to trigger defenses.

Hacker sentenced to 3 years in prison for developing pirated software for Nintendo Switch
https://www.securitynewspaper.com/2022/02/11/hacker-sentenced-to-3-years-in-prison-for-developing-pirated-software-for-nintendo-switch/
Published: Fri, 11 Feb 2022 19:12:11 +0000

The U.S. Department of Justice (DOJ) announced that Gary W. Bowser, alleged leader of the hacking group Team Xecutor, has been sentenced to 40 months in prison, in addition to paying a fine of almost $14 million USD. This group specialized in the sale of software to hack Nintendo Switch consoles, allowing users to run third-party software on the console.

At the beginning of the investigation, Bowser faced 11 serious charges, although he has only pleaded guilty to conspiracy to evade security mechanisms in technological devices and traffic in evasion devices. Team Xecutor developed pirated software and emulators for Switch, Nintendo 3DS, Xbox, PlayStation and NES Classic.

The defendant admitted to working with this group between 2013 and 2020, during which time he managed illegal websites and sold software to hack consoles and devices. In the lawsuit against Team Xecutor, Nintendo claims to have lost more than $65 million USD due to this group.

Nintendo thanked the law enforcement agencies involved in the investigation, which include the Federal Bureau of Investigation (FBI) and the Department of Homeland Security (DHS).

The video game company has always tried to take strict action against the illegal use of its products. Previously, Nintendo won a lawsuit against the RomUniverse platform, forcing the website’s administrators to pay $2.1 million USD compensation, plus they had to destroy all the illegal ROMs developed.

More recently, Nintendo began sending out copyright warnings against the GilvaSunner YouTube channel for its Nintendo soundtrack videos, which will likely lead to the channel’s definitive shutdown. 

“Geofence warrant” allows police to obtain location data from Google users near crime scenes and arrest them
https://www.securitynewspaper.com/2022/02/08/geofence-warrant-allows-police-to-obtain-location-data-from-google-users-near-crime-scenes-and-arrest-them/
Published: Tue, 08 Feb 2022 17:13:40 +0000

In a tech application that looks like something out of a sci-fi movie, the Federal Bureau of Investigation (FBI) resorted to a court order to gain access to all Android devices located near the Seattle police union building on the afternoon of August 24, 2020, when representatives of the Black Lives Matter (BLM) social movement tried to start a fire in the building, forcing the evacuation of all personnel.

According to the report, the investigative agency resorted to the so-called “geofence warrant” to force Google to hand over information about devices using its popular mobile operating system, located in the area at the time of the attack.

During the investigation of the incident, an officer stated that it all began at almost midnight, when two unidentified suspects caused intentional damage to the building using homemade explosives: “Based on this information, we believe there is probable cause to seek information in Google’s possession and related to devices located near the scene of the incident.”

In the order, Google is required to hand over location history data, including GPS data and information related to visible WiFi points and Bluetooth packets transmitted from these devices to Google, determining the devices within reach of the investigation using the coordinates, date and times provided by the FBI.

For obvious reasons, privacy activists expressed concern, believing that Google should not be able to hand over these confidential records to law enforcement without a clear case and as an attempt to locate potential suspects.

These kinds of measures can cause anyone located around a crime scene to be considered a suspect; if your mobile device shows any indication of this, the authorities can send you a subpoena and even request full access to the information stored on your smartphone.

A Google spokesperson said, “As with any other legal request, we have a rigorous process that is designed to protect the privacy of our users while supporting the important work of law enforcement,” though it has not been confirmed whether the FBI will have access to the desired information.

Silent AirTags with no speakers are being used for stalking https://www.securitynewspaper.com/2022/02/03/silent-airtags-with-no-speakers-are-being-used-for-stalking/ Fri, 04 Feb 2022 00:27:01 +0000 https://www.securitynewspaper.com/?p=24819

A couple of years ago Apple launched the AirTag, a gadget that users could link to their mobile devices in order to prevent theft or loss; when someone can’t find their iPhone, iPod or iPad, the AirTag will start making a sound to tell the user its location. This can be really useful in certain circumstances, but ill-intentioned individuals can also use this gadget for malicious purposes.

According to a recent report, modified AirTags with the built-in speakers removed can be found online, which would allow unsuspecting users to be spied on without being able to notice any sign of harmful activity. These “silent AirTags” are available for less than $80 USD.

While the seller of these devices, active on the e-commerce website Etsy, says that this modification is intended to help users find their devices without attracting the attention of potential thieves, it has undoubtedly been a cause for concern for cybersecurity experts, including Eva Galperin, director of cybersecurity at the Electronic Frontier Foundation.

The specialist is concerned that these modified AirTags can be easily abused for other nefarious purposes, leaving a potential victim exposed to location tracking: “Any similar item could also be used to harass people,” Galperin says.

This is not a new practice, as you can even find online tutorials in text and video on how to disable the speakers on an AirTag simply by performing a small drill under the battery of the device, although this requires some skill and experience.

The concerns are legitimate, although Apple had already taken some action on the matter before; iPhone users can receive a notification in case they find a modified AirTag, and Apple also developed an Android app with which users of any non-iOS device can scan around them for a hidden AirTag.

At the time of writing, this item had already been removed from the Etsy website.

Everyone who travels to the Beijing Winter Olympics must download My 2022 Chinese government application on their mobile https://www.securitynewspaper.com/2022/01/18/everyone-who-travels-to-the-beijing-winter-olympics-must-download-my-2022-chinese-government-application-on-their-mobile/ Wed, 19 Jan 2022 00:20:30 +0000 https://www.securitynewspaper.com/?p=24731

The Beijing 2022 Winter Olympics are just around the corner and an acceptable influx of tourists, athletes and government representatives is expected, something that could be an advantage for cybercriminal groups.

According to a report, all athletes participating in the event must comply with Chinese health measures and register with the “My 2022” mobile app; nonetheless, the app reportedly lacks adequate security measures, leaving athletes, journalists and government officials vulnerable to data theft and other hacking variants.

Like the Tokyo 2020 Summer Olympics, this sporting event will take place in the midst of the COVID-19 pandemic, so it is necessary to monitor the athletes and other people involved in the event. To do this, the Chinese government created the “My 2022” platform, consisting of a mobile app and a website, to keep a detailed record of any cases of infection in order to prevent a massive outbreak.

A digital forensics firm recently discovered that the app features a list of keywords to leak. This platform combines contact tracing with other services aiming to regulate access to events and act as a visitor guide with information on sports venues and tourist services, as well as a chat feature, news and file transfer functions.

A group of experts examined the app and found it vulnerable to electronic theft. The app does not validate SSL certificates, which means it has serious encryption flaws. As a result, the app could be “tricked” into connecting with a malicious host, allowing that host to intercept information or even send infected data to the app.

The errors involve not only health data, but other important application services as well. This includes the service that processes all attachments, as well as the transfer of voice notes. The report also revealed that, in some services, the platform’s data traffic is not encrypted at all, leaving thousands of records exposed to hackers.

The revelations come at a time when international concern about digital security at these Olympics is growing; Germany, Australia, the United Kingdom and the United States have urged their athletes and officials to leave their personal devices at home for fear of cyber spying campaigns.

Although the security problems were reported to the organizing committee, neither this entity nor the Chinese government has mentioned anything about it.
