Campaign demonstrates the DPRK-backed cyberattackers are gaining tools to avoid EDR tools.

North Korean advanced persistent threat (APT) group Lazarus (aka UNC290) has been targeting security researchers with a phishing campaign via LinkedIn since last June.

Mandiant reported that the phishing attacks started against a US-based tech company, and noted the threat actors were using three new code families — Touchmove, Sideshow, and Touchshift — in their activities.

Posing as recruiters on LinkedIn, the group works to earn a victim's trust, and it then convinces them engage on WhatsApp or by email, where they can send a malware dropper, Mandiant explained.

"Following the identification of this campaign, Mandiant responded to multiple UNC2970 intrusions targeting US and European media organizations through spear-phishing that used a job recruitment theme and demonstrated advancements in the groups ability to operate in cloud environments and against endpoint detection and response (EDR) tools," Mandiant said about the emerging phishing campaign.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Hackers Lure Cybersecurity Researchers With Fake LinkedIn Recruiter Profiles

AI-generated videos pose as tutorials on how to get cracked versions of Photoshop, Premiere Pro, and more.

Artificial Intelligence is being used to generate videos pretending to be step-by-step tutorials on how to access programs like Photoshop, Premiere Pro, Autodesk 3ds Max, AutoCAD, and others without a license. Instead, the videos are loaded with infostealer malware that scrapes the viewer's sensitive personal data stored on the device.

Researchers with CloudSEK measured a month-over-month increase of 200% to 300% since November 2022 of AI-created YouTube videos with links to infostealer malware, including Vidar, RedLine, and Raccoon.

Making the video lures more compelling to its targets, the CloudSEK security team added, AI video tools such as Synthesia and D-ID are being used to generate personas intended to exude trustworthiness across multiple languages and social media platforms, supercharging threat actors' ability to deliver infostealer malware.

"It is well known that videos featuring humans, especially those certain facial features, appear more familiar and trustworthy," the CloudSEK report explained. "Hence, there has been a recent trend of videos featuring AI-generated personas, across languages and platforms (Twitter, Youtube, Instagram), providing recruitment details, educational training, promotional material, etc. And threat actors have also now adopted this tactic." 

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

AI-Created YouTube Videos Spread Around Malware

Developers must balance creativity with security frameworks to keep applications safe. Correlating business logic with security logic will pay in safety dividends.

Web applications are the top vectors attackers use to pull off breaches. According to Verizon's "Data Breach Investigations Report" (PDF), Web applications were the way in for roughly 70% of all breaches studied.

After conducting more than 300 Web application penetration tests, I see why. Developers keep making the same security missteps that create vulnerabilities. They often don't use secure frameworks and try to write security code and authentication processes themselves.

It's important to note how much pressure developers are under to bring products to market quickly. They're rewarded based on how many features they can introduce as quickly as possible, not necessarily as securely as possible. This leads to taking security shortcuts and, down the road, vulnerabilities in Web applications.

**Five Lessons for More-Secure Apps**

Pen testers play the role of devil's advocate and reverse engineer what application developers create to show where and how attackers gain access. The results have highlighted common fundamental mistakes. Here are five lessons software development companies can learn to make their applications more secure.

1.  **Attackers are still leveraging cross-site scripting (XSS).** XSS has long been a popular Web application vulnerability. In 2021, it came off the Open Web Application Security Project (OWASP) top 10 list due to improvements in application development frameworks, but it's still evident in nearly every penetration test we perform.
    
    It's often thought of as low risk, but the XSS risks can be severe, including account takeover, data theft, and the complete compromise of an application's infrastructure. Many developers think that using a mature-input validation library and setting proper HttpOnly cookie attributes is enough, but XSS bugs still find a way in when custom code is used. Take WordPress sites, for example — an XSS attack that targets an administrator is critical because the credentials allow the user to load plug-ins, thus executing code-like malicious payloads on the server.
    
2.  **Automated scanners don't go far enough.** If you're only scanning Web applications using automated tooling, there's a good chance that vulnerabilities slip through the cracks. Those tools use fuzzing — a method that injects malformed data into systems — but that technique can create false positives.
    
    Scanners are typically not up to date with modern Web development and don't offer the best results for JavaScript single-page applications, WebAssembly, or Graph. Complicated vulnerabilities need a handcrafted payload to validate them, making the automated tools less effective.
    
    There's a human element required for the most accurate and detailed analysis of vulnerabilities and exploits, but these scanners can be a complementary resource to quickly find the low-hanging fruit.
    
3.  **When authentication is homegrown, it's usually too weak.** Authentication is everything to securing a Web application. When developers try to create their own forgotten password workflow, they typically don't do it in the most secure way.
    
    Pen testers often get access to other users' information or have excessive privileges that aren't in line with their role. This creates horizontal and vertical access control issues that can allow attackers to lock users out of their accounts or compromise the application.
    
    It's all about how these protocols are implemented. Security Assertion Markup Language (SAML) authentication, for instance, is a single sign-on protocol that's becoming more popular as a means of increasing security, but if you implement it incorrectly, you've opened more doors than you've locked.
    
4.  **Attackers target flaws in business logic.** Developers look at features to determine whether they accomplish a customer's use case. They're often not looking from the other side of the lens to identify how an attacker might use that feature maliciously.
    
    A great example is the shopping cart for an e-commerce website. It's business-critical, but often not secure, which creates severe vulnerabilities such as zeroing out the total at checkout, adding items after checkout, or replacing products with other SKUs.
    
    It's hard to blame developers for focusing on the primary use case and not recognizing other, typically nefarious, uses. Their performance is based on delivering the feature. Executives need to see the other side of the coin and understand that the business logic should correlate to security logic. The features with the highest business value, such as a shopping cart or authentication workflow, probably aren't the job for a junior developer.
    
5.  **There's no "out of scope" in a good penetration test.** Web applications can quickly become complex based on how many resources and assets go into them. Back-end API servers that enable the functionality of the main application need to be considered.
    
    It's important to share all those external assets, and how they connect to what the developers built, with security auditors that conduct penetration tests. The developer may consider those assets to be "out of scope" and that they therefore aren't responsible for them, but an attacker wouldn't respect that line in the sand. As penetration tests show, nothing is "out of scope."
    

**A Question of Balance**

When software development companies understand some of these common risks up front, they can have better engagements with security auditors and make penetration tests less painful. No company wants to hold its developers back, but by balancing creativity with security frameworks, developers know where they have freedom and where they need to align with the guardrails that keep applications safe.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

5 Lessons Learned From Hundreds of Penetration Tests

With the rise of cybercriminals targeting online piracy, this year's Oscar-nom fans need to be especially careful not to download malicious files while attempting to watch popular films for free.

Beware the Oscar nominees! In the age of films being available to pirate for free on the Internet, the data shows this: The more popular and critically acclaimed a pirated film is, the more likely it is to have a higher number of infected files.

This year, a research team at ReasonLabs collected data on film piracy from January 2022 to last month, focusing on some of the most well-known films from this past year, all of which are contenders for awards at the upcoming 95th Academy Awards. The researchers found thousands of cases of cyber threats within files pretending to be these highly nominated films. The boobytraps range from spyware to Trojans to malware.

In particular, _Everything Everywhere All at Once_, _Top Gun: Maverick_, and _Avatar: The Way of Water_, all fan and critic favorites, have been among the top films used to fish and lure movie watchers this past year.

Online piracy sites have been experiencing a steady influx of visitors, up 20% more than last year due to the COVID-19 pandemic, according to a study by MUSO, with film piracy experiencing the fastest level of growth. Businesses should take note, given that remote workers often use personal devices to access corporate assets.

ReasonLabs found the most common threats in this year's pirated Oscar contenders to be:

*   **Spyware Personal Documents Stealer:** A false, Microsoft-presenting file written in .NET that steals documents and sends them to the attacker's email.
*   **Password Stealer Extension:** A malicious installer that downloads external files to the C:\\programdata folder, with deceiving names.
*   **The Bat Worm:** An executable that drops three files, hidden from the user, and copies the user's files to each drive in the device.
*   **Keylogger:** An executable that sends stolen data to its server by tracking a user's keyboard activity.
*   **Search Hijacker Extension:** A Trojan file that installs malware instead of movies using a malicious extension and installer.

In turn, users and employers need to protect themselves by utilizing tools available to them. These "include physical and digital products but also include general education," says Dana Yosifovich, security researcher at ReasonLabs. "The continued push for cyber awareness by security companies and AV providers is paramount in order to reduce the vulnerabilities of home users, and the overall success of next-generation attacks."

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

And the Cyberattack Goes To ... Oscar-Nominated Film Fans

Between March 3 and March 9, at least 2,000 people a day downloaded the malicious "Quick access to ChatGPT" Chrome extension from the Google Play app store.

A threat actor may have compromised thousands of Facebook accounts — including business accounts — via a sophisticated fake Chrome ChatGPT browser extension which, until earlier this week, was available on Google's official Chrome Store.

According to an analysis this week from Guardio, the malicious "Quick access to Chat GPT" extension promised users a quick way to interact with the hugely popular AI chatbot. In reality, it also surreptitiously harvested a wide range of information from the browser, stole cookies of all authorized active sessions, and installed a backdoor that gave the malware author super-admin permissions to the user's Facebook account.

The Quick access to ChatGPT browser extension is just one example of the many ways in which threat actors have been trying to leverage the enormous public interest in ChatGPT to distribute malware and infiltrate systems. One example is an adversary who set up a fake ChatGPT landing page, where users tricked into "signing up" only ended up downloading a Trojan called Fobo. Others have reported a sharp increase in ChatGPT themed phishing emails in recent months, and the growing use of fake ChatGPT apps to spread Windows and Android malware.

**Targeting Facebook Business Accounts for a "Bot Army" **

Guardio's analysis showed that the malicious browser extension actually delivered on the quick access it promised to ChatGPT, simply by connecting to the chatbot's API. But, in addition, the extension also harvested a complete list of all cookies stored in the user's browser, including security and session tokens to Google, Twitter, and YouTube, and to any other active services.

In cases where the user might have had an active, authenticated session on Facebook, the extension accessed Meta's Graph API for developers. The API access gave the extension the ability to harvest all data associated with the user's Facebook account, and more troublingly, take a variety of actions on the user's behalf.

More ominously, a component in the extension code allowed hijacking of the user's Facebook account by essentially registering a rogue app on the user's account and getting Facebook to approve it.

"An application under Facebook's ecosystem is usually a SaaS service that was approved to be using its special API," Guardio explained. Thus, by registering an app in the user's account the threat actor gained full admin mode on the victim's Facebook account without having to harvest passwords or trying to bypass Facebook's two-factor authentication, the security vendor wrote.

If the extension encountered a Business Facebook account, it quickly harvested all information pertaining to that account, including currently active promotions, credit balance, currency, minimum billing threshold, and whether the account might have a credit facility associated with it. "Later, the extension examines all the harvested data, preps it, and sends it back to the C2 server using the following API calls — each according to relevancy and data type."

**A Financially Motivated Cybercriminal**

Guardio assessed that the threat actor will probably sell the information it harvested from the campaign to the highest bidder. The company also foresees the potential for the attacker to create a bot army of hijacked Facebook Business accounts, which it could use to post malicious ads using money from the victims' accounts.

Guardio described the malware as having mechanisms for bypassing Facebook's security measures when handling access requests to its APIs. For instance, before Facebook grants access via its Meta Graph API, it first confirms that the request is from an authenticated user and also from trusted origin, Guardio said. To circumvent the precaution, the threat actor included code in the malicious browser extension that ensured that all requests to the Facebook website from a victim's browser had their headers modified so they appeared to originate from there as well. 

**"**This gives the extension the ability to freely browse any Facebook page (including making API calls and actions) using your infected browser and without any trace," Guardio researchers wrote in the report on the threat.

ChatGPT Browser Extension Hijacks Facebook Business Accounts

A novel take on investment scams mixes romance and the lure of crypto riches to con targets out of "the whole hog" of their assets.

Pig butchering is a repulsively named, rising investment scam that uses a potent mix of the promise of romance and the lure of making easy cryptocurrency millions against its unsuspecting targets.

Through a careful process of "fattening up" victims with small returns on cryptocurrency deals and personal interactions, often with a romance element, all of which is meant to convince them to invest wildly. If successful, as they often are, threat actors are able to make off with the "whole hog" of their targets' assets.

Investment fraud as a category, of which pig butchering is a subset, cost victims about $3 billion in 2022, making it the top cybercrime loss leader, overtaking business email compromise (BEC) and even ransomware, according to a new analysis from Cofense of the latest FBI Internet Crime Report (IC3).

Within that, Cofense researcher Ronnie Tokazowski says that Cofense observed a 127% rise in pig butchering cases in 2022, though the latest IC3 doesn't specifically break out the threat. 

"FBI has mentioned pig butchering as a scam in several public alerts, news outlets have reported a massive increase, and seeing this missing is very surprising," Tokazowski says, noting that one alert was issued in New Mexico to warn residents about the rise of pig butchering scams during last December's holiday season.

"I have spoken with IC3 in the past, and this \[oversight\] may be a result of how metrics and data are collected," Tokazowski explains about his findings. "What I mean by that is if a victim initially \[calls something\] 'crypto investment' even though there may be a romance scam angle to it, this would ultimately be put in the 'crypto investment' bucket. Unfortunately, this single-bucket approach doesn’t tell the whole story, where victims are simultaneously part of different cybercrimes."

**Pandemic Loneliness Fueled Rise of Pig Butchering**

Pig butchering started in Asia, where it got its name, but the pandemic created an opportunity for threat groups to expand their operations into the US, Tokazowski explains.

"Based on reports from insiders tracking the scam, actors retooled their approaches to start targeting those in the west," he says. "Due to the increased isolation of the pandemic, this left people alone and vulnerable at home, anxiously awaiting any love connection. Scammers capitalized on this and is why we saw such a steep rise."

Experts who spoke to Dark Reading about the rising investment scam pointed out that it's essentially a riff on the classic Ponzi scheme.

"The abhorrently titled scam is essentially a rebrand of a Ponzi/pyramid scam," says Andrew Barratt, vice president of Coalfire. "Often executed using crypto, where more and more is taken until the mark/victim essentially thinks they’re onto a sure thing and puts more and more of their assets into an apparently growing 'investment,' before the calls go cold and the money is gone."

The rise of pig butchering is yet another example of how cybercriminals are leaning into social engineering to pull off their scams, Mike Britton, Abnormal Security's CISO says, but it demonstrates a shift to more time investment for a bigger payoff.

"Threat actors have seen huge payouts in their shift from high volume/low yield 'spray and pray' campaigns, to targeted and low volume — but massively high yield — social engineering attacks," Britton explains. "And with these incentives, they won’t be slowing down anytime soon."

Pig Butchering & Investment Scams: The $3B Cybercrime Threat Overtaking BEC

BlackLotus is the first in-the-wild malware to exploit a vulnerability in the Secure Boot process on Windows, and experts expect copycats and imminent increased activity.

BlackLotus, the first in-the-wild malware to bypass Microsoft's Secure Boot (even on fully patched systems), will spawn copycats and, available in an easy-to-use bootkit on the Dark Web, inspire firmware attackers to increase their activity, security experts said this week.

That means that companies need to increase efforts to validate the integrity of their servers, laptops, and workstations, starting now.

On March 1, cybersecurity firm ESET published an analysis of the BlackLotus bootkit, which bypasses a fundamental Windows security feature known as Unified Extensible Firmware Interface (UEFI) Secure Boot. Microsoft introduced Secure Boot more than a decade ago, and it's now considered one of the foundations of its Zero Trust framework for Windows because of the difficulty in subverting it.

Yet threat actors and security researchers have targeted Secure Boot implementations more and more, and for good reason: Because UEFI is the lowest level of firmware on a system (responsible for the booting-up process), finding a vulnerability in the interface code allows an attacker to execute malware before the operating system kernel, security apps, and any other software can swing into action. This ensures the implantation of persistent malware that normal security agents will not detect. It also offers the ability to execute in kernel mode, to control and subvert every other program on the machine — even after OS reinstalls and hard drive replacements — and load additional malware at the kernel level.

There have been some previous vulnerabilities in boot technology, such as the BootHole flaw disclosed in 2020 that affected the Linux bootloader GRUB2, and a firmware flaw in five Acer laptop models that could be used to disable Secure Boot. The US Department of Homeland Security and Department of Commerce even recently warned about the persistent threat posed by firmware rootkits and bootkits in a draft report on supply chain security issues. But BlackLotus ups the stakes on firmware issues significantly.

That's because while Microsoft patched the flaw that BlackLotus targets (a vulnerability known as Baton Drop or CVE-2022-21894), the patch only makes exploitation more difficult — not impossible. And the impact of the vulnerability will hard to measure, because affected users will likely not see signs of compromise, according to a warning from Eclypsium published this week.

"If an attacker does manage to get a foothold, companies could be running blind, because a successful attack means that an attacker is getting around all of your traditional security defenses," says Paul Asadoorian, principal security evangelist at Eclypsium. "They can turn off logging, and essentially lie to every kind of defensive countermeasure you might have on the system to tell you that everything is okay."

Now that BlackLotus has been commercialized, it paves the way for the development of similar wares, researchers note. "We expect to see more threat groups incorporating secure boot bypasses into their arsenal in the future," says Martin Smolár, malware researcher at ESET. "Every threat actor's ultimate goal is persistence on the system, and with UEFI persistence, they can operate much stealthier than with any other kind of OS-level persistence."

    

BlackLotus quickly followed after the publishing of the original exploit code. Source: ESET

**Patching Is Not Enough**

Even though Microsoft patched Baton Drop more than a year ago, the certificate of the vulnerable version remains valid, according to Eclypsium. Attackers with access to a compromised system can install a vulnerable bootloader and then exploit the vulnerability, gaining persistence and a more privileged level of control.

Microsoft maintains a list of cryptographic hashes of legitimate Secure Boot bootloaders. To prevent the vulnerable boot loader from working, the company would have to revoke the hash, but that would also prevent legitimate — although unpatched — systems from working.

"To fix this you have to revoke the hashes of that software to tell Secure Boot and Microsoft's own internal process that that software is no longer valid in the boot process," Asadoorian says. "They would have to issue the revocation, update the revocation list, but they're not doing that, because it would break a lot of things."

The best that companies can do is update their firmware and revocation lists on a regular basis, and monitor endpoints for indications that an attacker has made modifications, Eclypsium said in its advisory.

ESET's Smolár, who led the earlier investigation into BlackLotus, said in a March 1 statement to expect exploitation to ramp up.

"The low number of BlackLotus samples we have been able to obtain, both from public sources and our telemetry, leads us to believe that not many threat actors have started using it yet," he said. "We are concerned that things will change rapidly should this bootkit get into the hands of crimeware groups, based on the bootkit's easy deployment and crimeware groups' capabilities for spreading malware using their botnets."

BlackLotus Secure Boot Bypass Malware Set to Ramp Up

Hackers are increasingly tantalized by the troves of sensitive data held by lightly protected law firms and legal services organizations.

A rash of 10 cyberattacks hitting six different law firms materialized throughout January and February, attempting to infect law firm employees with info-stealing malware. The campaigns are emblematic of the rapidly growing attack landscape in the legal profession, driven by the treasure trove of data that firms possess: personal details about clients, information about criminal defense proceedings, very specific contractual information, financial account data, and so much more.

For law firms, the risk is twofold: The cost of remediation and maintaining operational status in the face of a cyberattack and potential legal consequences if the data they hold is exposed.

According to eSentire's Threat Response Unit (TRU), the most recent spate of attacks came from two separate, ongoing threat campaigns. In the first campaign, attackers attempted to infect law firm employees using SEO poisoning to lure victims to compromised WordPress websites. The sites were seeded with malicious links to phony contract or agreement templates that ran GootLoader malware. The second campaign utilized watering-hole attacks against victims, by poisoning a notary public's website with SocGholish malware, in the hopes of ensnaring lawyers and other related legal professionals.

"Law firms and legal services organizations have exceptional access to non-public and confidential data across all facets of the public and private sectors," says Larry Gagnon, senior vice president of security services and incident response for eSentire. "They, therefore, face significant cyber threats from adversaries' intent on financial cybercrime that want to steal and sell sensitive data associated with those clients and their activities."

And indeed, an analysis in January published by The American Lawyer on Law.com shows that cyberattacks in the legal sector have escalated significantly in the past few years. In looking at national data sets posted by four state governments required to publicly disclose the data, between 2014 and 2019, fewer than 20,000 Americans had their personally identifiable information (PII) compromised by law firm breaches. But between 2020 through 2022, that number shot up exponentially to 779,000. While only a limited data set, the growth statistic provides an excellent proof point to the fact that attackers are drawn to law firms like moths to light.

**Why Legal Firms Are So Attractive to Hackers**

It isn't just the sensitivity of the data that legal firms handle but also the scope and detail of data that can be dug up by attackers who successfully breach a single firm — especially if it's a large one. One attack can be a one-stop shop for monetizing the data and access stolen from not just one organization, but a whole portfolio of them.

"Law firms connect with and support many clients at any given time. Compromising one law firm gives bad actors access to numerous client networks without having to directly reach each one of them," says Michael Tal, technical director for Votiro, a cloud file security firm that works extensively with the legal industry. "Files are the primary form of communication and weaponizing them gives bad actors a sure way to get the clients to open and infect the clients."

For example, he noted one potential attack that his team uncovered where a hacker managed to breach the email inbox of a law firm and was using that access to send out malicious password-protected zipped files to insurance companies.

The other attractive element for hackers is that law firms and legal services companies tend to be very soft targets.

"Most law firms don’t have dedicated cybersecurity programs or personnel. As a result, their cybersecurity posture has likely failed to keep up with their requirements as a business," says eSentire's Gagnon, who notes that the legal IT environment also tends to be challenging to harden because it is typically comprised of a mix of legacy technology and more modern cloud-based solutions that sometimes don't play nicely together without advanced support. "When attackers successfully breach a legal organization, they tend to progress beyond the initial foothold to the intrusion phase more quickly."

This is likely also attributed to the fact that fewer than half of law firms have some kind of cyber incident response plan in place. According to the American Bar Association's (ABA) annual tech report published last November, only 42% of firms have a plan in place.

A cyberattack is a nightmare scenario for law firms that are at risk of not only having their reputations torn to tatters but also of breaking very strict compliance mandates and confidentiality laws. But the good news is that many law firms are at least building awareness about cybersecurity risks among their business and attorney stakeholders. 

The ABA report shows that the number of respondents reporting at least some cybersecurity governing policies in place for technology usage has grown from 77% two years ago up to 89% in 2022. 

It may take a while for investments to catch up with awareness, says Fran Haasch, founding attorney of Fran Haasch Law Group.

"Some law firms may view cybersecurity as an unnecessary expense or may not prioritize it over other business concerns," she says. "However, with the increasing prevalence of cyber threats and the potential legal and financial repercussions of a cyberattack, law firms should take cybersecurity seriously and invest in appropriate measures to protect their clients and themselves."

Legal Industry Faces Double Jeopardy as a Favorite Cybercrime Target

A video-enabled smart intercom made by Chinese company Akuvox has major security vulnerabilities that allow audio and video spying, and the company has so far been unresponsive to the discoveries.

A popular smart intercom and videophone from Chinese company Akuvox, the E11, is riddled with more than a dozen vulnerabilities, including a critical bug that allows unauthenticated remote code execution (RCE).

These could allow malicious actors to access an organization's network, steal photos or video captured by the device, control the camera and microphone, or even lock or unlock doors.

The vulnerabilities were discovered and highlighted by security firm Claroty's Team82, which became aware of the device's weaknesses when they moved into an office where the E11 had already been installed.

Members of Team82's curiosity about the device turned into a full-blown investigation as they uncovered 13 vulnerabilities, which they divided into three categories based on the attack vector used.

The first two types can occur either through RCE within the local area network or remote activation of the E11's camera and microphone, allowing the attacker to collect and exfiltrate multimedia recordings. The third attack vector targets access to an external, insecure file transfer protocol (FTP) server, allowing the actor to download stored images and data.

**A Critical RCE Bug in the Akuvox 311**

As far as bugs that stand out the most, one critical threat — CVE-2023-0354, with a CVSS score of 9.1 — allows the E11 Web server to be accessed without any user authentication, potentially giving an attacker easy access to sensitive information.

"The Akuvox E11 Web server can be accessed without any user authentication, and this could allow an attacker to access sensitive information, as well as create and download packet captures with known default URLs," according to the Cybersecurity and Infrastructure Security Agency (CISA), which published an advisory about the bugs, including a vulnerability overview.

Another vulnerability of note (CVE-2023-0348, with a CVSS score of 7.5) concerns the SmartPlus mobile app that iOS and Android users can download to interact with the E11.

The core issue lies in the app's implementation of the open source Session Initiation Protocol (SIP) to enable communication between two or more participants over IP networks. The SIP server does not verify the authorization of SmartPlus users to connect to a particular E11, meaning any individual with the app installed can connect to any E11 connected to the Web — including those located behind a firewall.

"We tested this using the intercom at our lab and another one at the office entrance," according to the Claroty report. "Each intercom is associated with different accounts and different parties. We were, in fact, able to activate the camera and microphone by making a SIP call from the lab's account to the intercom at the door."

**Akuvox Security Vulnerabilities Remain Unpatched**

Team82 outlined their attempts to bring the vulnerabilities to the Akuvox's attention, beginning in January 2022, but after several outreach attempts, Claroty's account with the vendor was blocked. Team82 subsequently published a technical blog detailing the zero-day vulnerabilities and involved the CERT Coordination Center (CERT/CC) and CISA.

Organizations using the E11 are advised to disconnect it from the Internet until the vulnerabilities are fixed, or to otherwise ensure the camera is not capable of recording sensitive information.

Within the local area network, "organizations are advised to segment and isolate the Akuvox device from the rest of the enterprise network," according to the Claroty report. "Not only should the device reside on its own network segment, but communication to this segment should be limited to a minimal list of endpoints."

**Bugs in Cameras & IoT Devices Abound**

A world of increasingly connected devices has created a vast attack surface for sophisticated adversaries.

The number of industrial internet of things (IoT) connections alone — a measure of the number of total IoT devices deployed — is expected to more than double to 36.8 billion in 2025, up from 17.7 billion in 2020, according to Juniper Research.

And while the National Institute of Standards and Technology (NIST) has settled on a standard for encrypting IoT communications, many devices remain vulnerable and unpatched.

Akuvox is the latest in a long line of these found to be severely lacking when it comes to device security. For instance, a critical RCE vulnerability in Hikvision IP video cameras was disclosed last year.

And last November, a vulnerability in a series of popular digital door-entry systems offered by Aiphone allowed hackers to breach the entry systems — simply by utilizing a mobile device and a near-field communication (NFC) tag.

Unpatched Zero-Day Bugs in Smart Intercom Allow Remote Eavesdropping

CISOs' ability to pivot tight budgets is key to defense plans that can stand up to attackers.

The tsunami of cyberattacks in recent years has wreaked havoc among businesses' infrastructures and drowned many defense strategies across all industries. Adding additional stress is the fact that cyberattacks are often linked to global events. For instance, hackers have exploited the vulnerabilities within increasingly complex remote work infrastructures ignited by the pandemic, presenting new challenges for security leaders. The reality is, nowadays hackers aren't breaking in — they're logging in via human-based attacks.

With today's uncertain economy and high inflation rates, this year's budget forecast calls for dry conditions across the security landscape. This year's budgets already have been approved, but key priorities may shift throughout the year — making understanding when and how to pivot tight budgets a critical aspect of ensuring the security of CISOs' infrastructures.

One strategy CISOs are following is to implement similar principles as attackers who are exploiting economic, social, and technical disruptions within society.

**Priorities to Consider When Shifting Budgets**

With the changing nature of the economy and workforce structures, there are many different factors to consider when executing a properly informed budget shift. So, from one CISO to another, here are five key priorities for security leaders to consider when preparing for potential budget shifts this year and beyond:

1.  **Geopolitical influences of cybersecurity:** Hackers have evolved their attacks to exploit geopolitical disruptions. These impacts, including the war in Ukraine, have refined the use of popular attack styles to increase the success of attackers' ransomware efforts.For instance, Russian hackers such as the Conti ransomware group have thwarted US and international war efforts to support Ukraine through the targeting and injection of ransomware into organizations operating within critical infrastructures. Recently, the common methods leveraged to infect businesses with ransomware across the globe include password spraying, spear-phishing, and credential stuffing. Due to these increasingly sophisticated attacks, CISOs must integrate technological defense strategies capable of thwarting attacks that are constantly evolving.
2.  **Uncertain economy:** Desperate times call for desperate measures, and traditionally, uncertain economic periods mean an increase in cyberattacks. Attackers are leveraging advanced technologies to engage in high-risk, identity-related fraud tactics to steal employee credential information and extort businesses. In fact, since 2021, there has been more than a 60% rise in corporate email compromises, leading to additional enterprise losses totaling over $40 billion.
    
    As current economic standings reel in uncertainty, CISOs must prepare to alter their budgets toward ongoing risk management, with special emphasis on tools that will help mitigate human error. From compliance to risk assessments, strategies need to revolve around minimizing high-risk identity attacks.
    
3.  **Evolving regulations:** As we know, cybersecurity is ever-evolving. This means that new regulations are continuously created — and others that are already in effect, such as GDPR and CCPA, are becoming stricter. The current challenges involved with adhering to dynamic — and often overlapping, industry-focused, regional, and cross-countries requirements — can cause quite the headache for security leaders. So, how can CISOs continuously comply in an expanding security landscape?The appropriate investment in comprehensive defense measures, such as zero-trust access, will ensure the security of enterprises' data, helping them remain compliant and adherent to the variety of crossover regulation.  
    
4.  **Training:** In the cybersecurity industry, CISOs and security leaders can't afford for their enterprises to be impacted by the current talent gap. A lack of skilled personnel can result in potentially devastating vulnerabilities within their infrastructure.Security leaders must properly prepare for spending reprioritizations as the skills gap widens. This ensures that their team has the necessary knowledge to engage in effective in-house modern reskilling and upskilling approaches. One key budget shift could be toward the implementation of assistive, advanced cloud-based services, such as high-risk identity management solutions, which can also be integrated to strengthen the organization's digital infrastructure.
    
5.  **Modern strategies:** Currently, 80% of breaches rely on employee access credentials. To maximize their defenses, CISOs must confirm their current strategies are proficient enough to combat the constant influx of human-focused attack styles, including Kerberoasting and pass-the-hash attacks. If infrastructures are unstable and priorities need to shift, CISOs can turn to common tools, including zero-trust access and high-risk identity-based control solutions — which can combat growing offense efforts.As identity-focused attacks rise, businesses will need security tools programmed to trust no one, not even their own vendors. This will increase compliance measures and enable the protection and sole ownership of internal, external, third-party, customer, and stakeholder's user data. It will also allow for stronger authentication, the monitorization of internal and external user operations, and the halting of lateral movement within businesses' infrastructures.
    
    As cyber threats evolve, businesses will need to keep pace and allocate for improved security systems that provide seamless control within their budgets.
    

**Evolution Is Key**

Hackers will continue to alter their methods of attack and exploit the vulnerabilities within current global geopolitical events. To stop them, security leaders will need to make sure their current budgets can pivot and are adaptable enough to deploy modern defense strategies and technologies, and capable of handling priority shifts as the year progresses.

This includes leaders taking the current economic, social, and technological factors into consideration while developing their defense plan. Doing so will help them make more informed decisions around the optimal use of their cybersecurity budgets for the next year and beyond.

Source

DARKReading