Security News

A number of zero-day vulnerabilities that were addressed last year were exploited by commercial spyware vendors to target Android and iOS devices, Google's Threat Analysis Group has revealed. Upon clicking, the URLs redirected the recipients to web pages hosting exploits for Android or iOS, before they were redirected again to legitimate news or shipment-tracking websites.

The Federal Bureau of Investigation is warning companies in the U.S. of threat actors using tactics similar to business email compromise that allow less technical actors to steal various goods from vendors. Typical business email compromise attacks focus on stealing money by tricking the victim into diverting funds to the fraudster's account.

Cyber-physical system vulnerabilities disclosed in the second half of 2022 have declined by 14% since hitting a peak during 2H 2021, while vulnerabilities found by internal research and product security teams have increased by 80% over the same time period, according to Claroty. These findings indicate that security researchers are having a positive impact on strengthening the security of the Extended Internet of Things, a vast network of cyber-physical systems across industrial, healthcare, and commercial environments, and that XIoT vendors are dedicating more resources to examining the security and safety of their products than ever before.

The study also found that 50 percent of organizations have indirect relationships with at least 200 breached fourth-party vendors in the last two years. The study, which analyzed data from over 235,000 organizations across the globe and more than 73,000 vendors and products used by them directly or used by their vendors, offers an in-depth examination of how the interdependence of modern digital supply chains impacts organizational cyber risk exposure.

The firm previously identified four kinds of financial supply chain compromise, which dispense with impersonation of internal executives at the target company and instead wear the garb of one of the company's vendors. Abnormal Security says Firebrick Ostrich has used one of these types of financial supply chain compromises - third-party reconnaissance attacks - to commit 346 BEC campaigns dating back to April 2021, impersonating 151 organizations and using 212 maliciously registered domains, nearly all in the U.S. Crane Hassold, director of threat intelligence at Abnormal Security, said the amount of money that can be gotten from external, third-party impersonation is three times higher than traditional BEC exploits, and that their success stems from awareness deficit, as companies and their employees are trained to look for emails impersonating an internal executive, not a vendor.

The social media conglomerate also took steps to disable accounts and block infrastructure operated by spyware vendors, including in China, Russia, Israel, the U.S. and India, that targeted individuals in about 200 countries. A second set of 250 accounts on Facebook and Instagram linked to another Israeli company called QuaDream was found "Engaged in a similar testing activity between their own fake accounts, targeting Android and iOS devices in what we assess to be an attempt to test capabilities to exfiltrate various types of data including messages, images, video and audio files, and geolocation."

Canalys Forums APAC Canalys CEO Steve Brazier has proposed that cloud vendors should have similar accountability to credit card companies when accounts are hacked and used to mine cryptocurrency. "They can't afford to provide the computing power. But they can hack the public clouds," Brazier told the Canalys Forums APAC 2022 event.

With organizations expanding their vendor base, there is a critical need for holistic third-party risk management and comprehensive cybersecurity measures to assess how much risk vendors pose. While organizations assess and manage risk on a multitude of layers, none present bigger threats to business resiliency than third-party risk and a lack of robust cybersecurity controls.

Driven by security operations complexity, 46% of organizations are consolidating or plan on consolidating the number of vendors they do business with. As a result of this drive toward security technology consolidation, 77% of infosec pros would like to see more industry cooperation and support for open standards promoting interoperability, according to ISSA and ESG. This Help Net Security video highlights how organizations push their security vendors to adopt open industry standards.

With speculative execution attacks remaining a stubbornly persistent vulnerability ailing modern processors, new research has highlighted an "Industry failure" to adopting mitigations released by AMD and Intel, posing a firmware supply chain threat. "The impact of such attacks is focused on disclosing the content from privileged memory to obtain sensitive data from processes running on the same processor," the firmware protection firm said in a report shared with The Hacker News.