Staying informed about the latest cybersecurity developments is important for protecting our organizations against emerging attack vectors. The following are this week's major cybersecurity news headlines:
HP Patches Two High-Severity Vulnerabilities
HP recently released patches for two high-severity vulnerabilities in the UEFI firmware of more than 200 laptop, workstation, and other product models. Tracked as CVE-2021-3808 and CVE-2021-3809, both vulnerabilities carry a CVSS score of 8.8. The bugs were reported by Nicholas Starke of Aruba Threat Labs and a researcher known as "yngweijw." HP has not published technical details of the flaws but has listed the affected products, which include numerous desktop PCs, business notebooks, thin client PCs, retail point-of-sale devices, and desktop workstations.
The flaws may allow arbitrary code execution on the affected devices, and HP is releasing firmware updates to address them. Users should consult HP's advisory for the full list of affected models and the corresponding firmware versions. HP has also published a separate advisory covering the patches Intel released for several software and firmware vulnerabilities in its chipsets and processors, some of which also affect HP products.
Cybersecurity Measures Must Be Forward-Looking, Says CISA Director
CISA director Jen Easterly recently said that while we devote our resources to designing robust software systems for today's security issues, it is equally important to invest time in preparing for future cybersecurity challenges. Easterly said that the next decade is not going to be easy for those working in cybersecurity and technology, which makes it critical to strengthen our cyber defenses now.
Current security challenges such as ransomware and supply chain attacks are likely to be joined by other forms of threats, a shift that has already begun to take shape in IoT-based cyberattacks. The CISA director also pointed to challenges beyond day-to-day cybersecurity that must be addressed now and in the years ahead: defeating authoritarian regimes, keeping pace with emerging technologies, and dealing with the difficulties posed by cryptographically relevant quantum computers, facial recognition, and artificial intelligence.
Easterly urged that applications and software be built with security in mind from the start, so that fewer zero-day vulnerabilities exist to be discovered. Although patches for zero-days are typically released soon after disclosure, organizations are often slow to deploy them, which prolongs their exposure. Closing these gaps requires more effort toward building technology that is safer by default for everyone.
NCSC Partners with ISPs to Better Protect Citizens from Scams
The UK's National Cyber Security Centre (NCSC) has announced a new industry partnership intended to give Britons better protection against online scams. The new service provides internet service providers (ISPs) with real-time threat data so that they can block access to known fraudulent websites as soon as they are identified. It will be available to all ISPs, browser vendors, and managed service providers (MSPs), and complements the NCSC's Takedown Service, which alone removed 2.7 million scams from the internet in 2021.
Before this service, the NCSC collected data on phishing and spam campaigns tied to particular domains and worked with hosting providers to take down malicious infrastructure and sites. Together with the NCSC's website reporting tool and Suspicious Email Reporting Service, this helped remove questionable URLs and spam emails after the fact. By joining forces with ISPs, the NCSC aims to get ahead of threat actors by blocking scam sites at the network level before they ever reach citizens' devices.
Chrome Browser Update Fixes 13 Vulnerabilities
Google has released a Chrome browser update that resolves 13 vulnerabilities, several of which were reported by external researchers. Seven of the externally reported flaws are use-after-free bugs, a memory-safety class that can lead to arbitrary code execution. The most serious is a high-severity use-after-free in Sharesheet, tracked as CVE-2022-1633, found by Khalil Zhani, who received a $5,000 bounty for the report. Zhani also reported a second high-severity use-after-free in Browser UI (CVE-2022-1634), for which he received $3,000.
An anonymous researcher identified CVE-2022-1635, a high-severity use-after-free in Permission Prompts, and received a bug bounty of $3,000.
Google has yet to determine the bounties for four other high-severity vulnerabilities addressed in this update, including CVE-2022-1637, CVE-2022-1638, CVE-2022-1639, and CVE-2022-1640. The update is available for Windows, Linux, and Mac as version 101.0.4951.64. There is so far no indication that any of these vulnerabilities are being exploited in the wild, but Google advises users to apply the update promptly, since browser memory-safety bugs are a common first stage in exploit chains.
New Phishing-as-a-Service Toolkit in Town
Cybersecurity researchers have discovered a new phishing-as-a-service toolkit called Frappo, which is currently being advertised on Telegram channels and dark web forums. Frappo could become one of the more popular tools among adversaries because it lets them launch a range of brand-impersonation attacks. Using Frappo, attackers can generate and host convincing phishing pages that mimic online banking, retail, and e-commerce services in order to steal credentials and other sensitive information.
Frappo was first observed on March 22, 2021, and has evolved significantly since then; it was last updated on May 1, 2022.
Frappo also provides a dashboard that tracks harvested credentials and offers its customers anonymous billing, updates, and technical support. So far, Frappo has been used to impersonate brands including Uber, Amazon, Netflix, Royal Bank of Canada, TD Bank, Wells Fargo, Bank of America, Bank of Montreal, CIBC, and Desjardins.
With phishing attacks at an all-time high, Frappo is unlikely to be the only phishing-as-a-service toolkit in circulation. Users should therefore stay on guard and verify the authenticity of an email or message before responding to it or entering credentials.
Beware of New Credit Card Skimmer – Caramel
Cybersecurity researchers have identified a new credit card skimmer called Caramel, operated by a group known as CaramelCorp as a skimmer-as-a-service. CaramelCorp is a Russian threat actor selling the service to low-skilled Russian-speaking hackers. Caramel includes a campaign management panel, a skimmer script, and deployment instructions. The threat actor is selling a lifetime subscription for $2,000, which also covers code upgrades, anti-detection features, and customer support.