April Cyber Bytes

Source: Forbes on April 7, 2022

When we refer to the weakest links in our home cybersecurity network, we could be referring to any endpoint: our mic, camera, phone, tablet, laptop, desktop, etc. But there's another important vector within our homes that we often neglect. Just when you think you've secured everything with your next-generation antivirus protection, DNS solution, VPN or any other safety feature, what happens when your kid comes along and tells you, "Hey, dad. Someone hacked into my gaming account"? Or, "Hey, mom. I think I downloaded a virus with the new game I just torrented on our family PC." Now what?

Kids, tweens and teens are often the most unsecured consumers, yet they are some of the most highly connected—and sometimes the most advanced—vectors, especially as they are now using new technology like cryptocurrency and starting to explore the metaverse. The targeting of kids is expected to come even more into the mainstream as cybercriminals continue to try and make use of consumer vulnerabilities. Here's how those in the technology industry and parents alike can help protect them:

Kids Love To Game

According to the Entertainment Software Association, more than 90% of American kids play video games—this is an extraordinary amount of young users, offering hackers plenty of opportunities to attack. These attacks come in all shapes and sizes, such as account takeovers or cracked games laced with malware programmed to steal sensitive information off of a device. Let's dig into one of the most popular methods of malware distribution, as discovered by RAV researchers: cracked games. Kids tend to pirate games online—in Australia, piracy has nearly doubled among 12-to-17-year-olds in recent years. Often, these illegal or pirated games will include malware such as coin miners or info stealers designed to hijack a device and exploit it for data, power or money.

Gaming accounts are compromised all the time: Hackers steal login information, reset passwords and resell accounts. While a PC gaming account may not seem like a likely point of compromise, it can be. It's vital that leading game developers, companies and individuals consider the dangers of online piracy and actively campaign against it. It's time to take some responsibility in this fight and actively provide education surrounding this issue.

Poor Digital Hygiene

When a child does infect the device they are using, they often won't be the only one affected. In homes where the family shares one device—for example, a shared family PC—the cybersecurity of the whole family could be compromised. The child's actions then affect the parent: their online activities become the gateway to a security breach, making them the weakest link in your cybersecurity. The younger generations are notoriously laissez-faire in their attitudes to digital hygiene. In the age of instant gratification, following popular trends and channel- and game-flicking, it's easy to forget, ignore or shrug off privacy concerns. Young internet users may also simply be unaware of what dangers are out there. We must take the time to educate our kids and walk them through what to do and what not to do with regard to private data.

Kids' fearlessness could result in downloading from untrusted sources, which can compromise everything in your network. They also lack adult-level sensibilities on how to store data securely, such as financial information or sensitive passwords. Because of this, tech leaders need to do a better job of providing cyber education to kids and safety nets for consumer products. While "trial and error" is a good motto in life, it's not something that should be practiced within the realms of cybersecurity.

Prevalence Of Android Malware

The rise in the use of mobile devices has presented more opportunities than ever before for the world to be connected. This goes for people from every generation, including the youngest. More than one-third of American parents with a child under 12 reported that their kid began interacting with a smartphone before the age of five. Never mind gaming teenagers. Simply by giving your toddlers an Android-powered tablet or your phone to play with, it's so easy for them to swipe, click or press the wrong button and cause harm. There have been a number of malicious apps disguised as games on the Google Play Store in recent years which target kids. The Tekya threat, for example, was identified in 2020.

How To Protect Kids Online

Now is the time for change. Here is what can be done:

  • For tech leaders, it's vital that we take the time to educate the public, especially kids, on common threats, such as phishing and spamming—how to avoid them and what to do if they think they might have been attacked.
  • It's also critical that tech leaders begin to design cyber products specifically with children in mind, making them easy to use and readily accessible, including safeguards.
  • For parents, the best option here is to allow specific security software to "do the work for you." There are solutions you can use to stay one step ahead, like a parental control app (such as FamilyKeeper, Google Family Link and Norton Family), a VPN, an advanced NGAV solution or a password manager.

And of course, there’s always the chance that the biggest damage will be when a user drops their device and smashes the screen, or a toddler drops a tablet in the bath—so being vigilant (and having a smash-free case) is a good idea all-around.

Here are the top (7) phishing emails and texts we tracked during Q1.

Source: Aware Force on April 8, 2022

  1. Cybercrooks sent emails in January that offered a paid link to stream the new Spiderman movie, “No Way Home,” which was only playing in theaters. When purchasers provided their credit card or bank account information, money was debited from their account, but, of course, the streaming link didn’t work.
  2. In January, thieves targeted Twitter users by sending them fake emails urging them to “update” their account details or risk losing their verified status. The emails were aimed at collecting login credentials and multi-factor authentication codes.
  3. There was a return of phishing emails claiming users' computers had been compromised with viruses. Emails instructed users to call a phone number, where "technicians" walked them through steps that handed the scammers control of the computer to "fix" the problem.
  4. A phish appeared to come from Disney+ / ESPN / ABC, warning of suspicious activity on users’ accounts. Recipients were instructed to click on a button to reset their passwords, but scammers collected usernames and passwords that could have been used on other sites.
  5. Scammers sent USB drives through the mail, claiming that the drives contained a $100 Best Buy or Amazon gift card for users to print and redeem. Malware was installed on computers if the USB drives were plugged in.
  6. QR code scams rose in Q1, most often by scammers putting fake QR codes over real ones, sending users to genuine-looking pages that stole the payments they submitted.
  7. The most common phishing emails during Q1 involved requests for contributions for victims in Ukraine. Money, of course, never made it beyond the fraudsters who sent them.

Fake Android shopping apps steal bank account logins, 2FA codes

Customers of Malaysian banks are being turned into cash cows.

Source: Zero Day on April 6, 2022

Researchers say that malicious Android applications disguised as legitimate shopping apps are stealing Malaysian bank customers' financial data. On Wednesday, ESET's cybersecurity team published new research documenting three separate apps targeting customers who belong to eight Malaysian banks.

The campaign was first identified in late 2021, when the attackers began by distributing a fake app pretending to be Maid4u, a legitimate cleaning service brand. The cyber attackers responsible created a website with a similar name -- a technique known as typosquatting -- and tried to lure potential victims into downloading the malicious Maid4u app. Paid Facebook Ads were used to further the domain's appearance of legitimacy and to work as a distribution method.

In January, MalwareHunterTeam shared a further three websites operating in the same vein, and at the time of writing, the campaign is still ongoing. ESET has since found another four malicious websites that mimic legitimate Malaysian shopping and cleaning services. Grabmaid, Maria's Cleaning, Maid4u, YourMaid, Maideasy, and MaidACall are all being impersonated alongside PetsMore, a pet shop. Five of the abused services do not have an app on Google Play.

The malicious domains don't allow customers to purchase products or services directly. Instead, the attack vector is a button that claims to link to Google Play, Google's official app repository, for customers to pay through. The fake Android apps linked to the purchase buttons are hosted on the attacker's servers. At this stage, a victim can avoid infection if they have chosen not to enable "Install unknown apps" -- a default security mechanism for Android handsets -- but if they install the software, they are shown different 'payment' options through the apps.

While two 'options' are displayed -- a credit card payment or a direct bank transfer -- the first option doesn't work. Left with bank transfers, victims are presented with a fake payment page that lists eight Malaysian banks: Maybank, Affin Bank, Public Bank Berhad, CIMB Bank, BSN, RHB, Bank Islam Malaysia, and Hong Leong Bank. When users input their bank credentials, they are sent to the attacker's command-and-control (C2) server. The victim is then shown an error message.

"To make sure the threat actors can get into their victims' bank accounts, the fake e-shop applications also forward all SMS messages received by the victim to the operators in case they contain two-factor authentication (2FA) codes sent by the bank," the researchers added. However, the malware embedded in these apps is simplistic: a basic info stealer and message forwarder. The lack of sophistication is highlighted as the apps can't intercept, hide, or delete the 2FA SMS messages from a victim's handset when an attacker tries to access their bank account, and so fraudulent access attempts may be flagged when 2FA codes are sent to the Android device.

One of the victim organizations being impersonated, MaidACall, has published a Facebook post warning its customers of the campaign. "Currently, the campaign targets Malaysia exclusively, but it might expand to other countries and banks later on," ESET says. "Moreover, the attackers may also enable the theft of credit card information in the malicious apps in the future."

Bill Requires Medical Device Makers to Enhance Cybersecurity

Bipartisan Legislation Seeks to Let FDA Demand Cyber Details From Manufacturers

Source: HealthInfoSec on April 5, 2022

The U.S. Senate and House of Representatives have each proposed a bill requiring better medical device cybersecurity. Bipartisan bills introduced into the U.S. Senate and House of Representatives aim to strengthen healthcare sector infrastructure by requiring medical device manufacturers to implement certain critical cybersecurity measures for the regulatory premarket approval process and life cycle of their products. Sens. Bill Cassidy, R-La., and Tammy Baldwin, D-Wisc., on Thursday introduced into the Senate the Protecting and Transforming Cyber Health Care - or PATCH - Act, which contains the medical device proposals. Also, Rep. Michael Burgess, R-Texas, and Rep. Angie Craig, D-Minn., introduced companion legislation into the House on March 29. Both the Senate and House versions of the PATCH Act contain the same proposals.

"In recent years, we've seen a significant increase in cyberattacks that have exposed vulnerabilities in our healthcare infrastructure, impacting patients across Wisconsin and the country. We must take these lessons learned to better protect patients," Baldwin says in a joint statement with Cassidy. "New medical technologies have incredible potential to improve health and quality of life. If Americans cannot rely on their personal information being protected, this potential will never be met," Cassidy, who is a physician, says in the statement.

Cassidy is also the co-sponsor of another Senate bill, the Healthcare Cybersecurity Act of 2022, introduced in March with Sen. Jacky Rosen, D-Nev., which proposes closer collaboration between the Department of Health and Human Services and the Cybersecurity and Infrastructure Security Agency, also with the goal of strengthening cybersecurity in the health and public health sectors (see: Bill Touts CISA, HHS Teamwork to Aid Health Sector Security).

PATCH Act Proposals

Among its proposals, the PATCH Act, if signed into law, would amend the Federal Food, Drug, and Cosmetic Act so that the Food and Drug Administration may require manufacturers to implement certain cybersecurity requirements when the makers apply to the FDA for premarket approval of their devices.

The PATCH Act would also:

  • Require manufacturers to design, develop and maintain processes and procedures to update and patch medical devices and related systems throughout the life cycle of the device;
  • Establish a software bill of materials for the device - including components such as commercial, open-sourced and off-the-shelf software - that will be submitted to the FDA and provided to users;
  • Require the development of a plan by the device manufacturer to monitor, identify and address postmarket cybersecurity vulnerabilities;
  • Request a coordinated vulnerability disclosure to demonstrate safety and effectiveness of a device.

Pushing 'Laggards'

Some experts say that while some medical device makers are already taking many of the steps being proposed by the legislation to enhance the cybersecurity of their products, others are not. "Many manufacturers are already very proactive, with thought leaders in many working groups," says Michael Holt, president and CEO of healthcare security firm Virta Labs. "However, some laggard makers need to improve cyber hygiene." But if signed into law, the legislation also could potentially create other challenges for some device makers, he says. "The argument is that in developing newer devices and technologies, this could slow life-saving innovation by increasing the required resources for cybersecurity and thus time to market. Many startups don't even know where to begin with implementing cybersecurity. The amount of unpatched devices in use is unbelievable and would require significant human resources to perform updates," Holt says.

Previous Guidance

Currently, the FDA's cybersecurity guidance for the premarket and postmarket phases of medical devices is considered a set of "nonbinding" recommendations for manufacturers. In 2018 the FDA issued a draft update to its premarket cybersecurity guidance for medical devices, which had originally been issued in 2014. That 2018 draft proposed that medical device makers provide a "cybersecurity bill of materials" for their products, but the FDA has not yet finalized that updated guidance. FDA officials say that the regulators plan to release a revised draft guidance, but a specific timeline has not been announced. Separately, in December 2016 the FDA released final postmarket guidance on how medical device manufacturers should help maintain the cybersecurity of network-connected devices once they are in use.

FDA's Statement

For its part, the FDA is encouraged to see congressional interest in legislative proposals relating to cybersecurity of medical devices, Dr. Suzanne Schwartz, director of the FDA's Office of Strategic Partnerships & Technology Innovation, Center for Devices and Radiological Health, tells Information Security Media Group. "In 2018, the FDA's Medical Device Safety Action Plan indicated that we were considering seeking additional authorities for medical device cybersecurity," she says. "We believe that the legislation proposed in the PATCH Act tracks closely with the additional authorities we have outlined."

Most recently, the FDA submitted a legislative proposal in accordance with the Office of Management and Budget proposing new requirements on medical device manufacturers to address the safety and effectiveness of devices through cybersecurity measures that span the total product life cycle, she says. Schwartz also says the FDA plans to publish a revised draft guidance related to premarket medical device cybersecurity in the "near future." As for a device manufacturer's software bill of materials, Schwartz says it is akin to an "ingredients list" and integral to further protecting medical devices against cyber intrusions, exploits or attacks, irrespective of intent, i.e., whether deliberate or a spillover, opportunistic effect.

"Owners and/or operators of devices or systems, such as healthcare delivery organizations, cannot adequately protect against compromise resulting from a cyber event unless there is knowledge of what software component parts reside within the devices and on systems and networks that contain vulnerabilities," she says. Schwartz says SBOMs are a critical tool for risk assessment and asset management, adding: "Transparency around software components, as achieved via SBOM, would enable proactive medical device vulnerability management. Ultimately, this advances the cyber posture of the healthcare ecosystem."
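As an added illustration of the "ingredients list" role Schwartz describes (this is not code from the article, the FDA or any device vendor), the script below reads a manufacturer SBOM in CycloneDX-style JSON and cross-references it with vulnerability advisories to decide which fielded devices need a patch and which cannot be assessed because no SBOM exists for their firmware. The device, component names and versions, advisory identifiers and fleet inventory are all constructed for this example.

```python
import json
import re

# Constructed SBOM for a hypothetical infusion-pump firmware image, in the
# general shape of a CycloneDX JSON document (only the fields used here).
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "metadata": {"component": {"name": "example-pump-firmware", "version": "3.2.1"}},
  "components": [
    {"type": "library", "name": "openssl", "version": "1.1.1k"},
    {"type": "library", "name": "zlib", "version": "1.2.11"},
    {"type": "library", "name": "busybox", "version": "1.33.1"},
    {"type": "application", "name": "vendor-telemetry-agent", "version": "2.0.0"}
  ]
}
"""
# Constructed advisories with placeholder ids: component plus first fixed version.
ADVISORIES = [
    {"id": "EXAMPLE-ADV-0001", "component": "zlib", "fixed_in": "1.2.12"},
    {"id": "EXAMPLE-ADV-0002", "component": "openssl", "fixed_in": "1.1.1l"},
    {"id": "EXAMPLE-ADV-0003", "component": "busybox", "fixed_in": "1.33.0"},
]
# Constructed fleet inventory: asset tag -> installed firmware version. Only
# firmware 3.2.1 ships an SBOM here, so PUMP-003 cannot be assessed at all.
INVENTORY = {"PUMP-001": "3.2.1", "PUMP-002": "3.2.1", "PUMP-003": "2.9.0"}
SBOMS = {"3.2.1": json.loads(SBOM_JSON)}


def version_key(version):
    """Map '1.1.1k' to ((1, ''), (1, ''), (1, 'k')) so versions sort in order.
    Assumes dotted numeric segments with an optional letter suffix."""
    parts = []
    for segment in version.split("."):
        m = re.fullmatch(r"(\d+)([A-Za-z]*)", segment)
        if not m:
            raise ValueError(f"unsupported version string: {version!r}")
        parts.append((int(m.group(1)), m.group(2)))
    return tuple(parts)


def is_vulnerable(installed, fixed_in):
    """True when the installed version predates the first fixed version."""
    return version_key(installed) < version_key(fixed_in)


def affected_components(sbom, advisories):
    """Return (component, version, advisory id) for every SBOM component that
    an advisory names and whose version predates the fix."""
    hits = []
    for comp in sbom.get("components", []):
        for adv in advisories:
            if comp["name"] == adv["component"] and is_vulnerable(comp["version"], adv["fixed_in"]):
                hits.append((comp["name"], comp["version"], adv["id"]))
    return hits


def triage_fleet(inventory, sboms, advisories):
    """Return ({asset: sorted advisory ids}, [assets with no SBOM to check])."""
    to_patch, unassessable = {}, []
    for asset, firmware in inventory.items():
        sbom = sboms.get(firmware)
        if sbom is None:  # no ingredients list: the risk cannot be evaluated
            unassessable.append(asset)
            continue
        ids = sorted({adv for _, _, adv in affected_components(sbom, advisories)})
        if ids:
            to_patch[asset] = ids
    return to_patch, unassessable


if __name__ == "__main__":
    patch, unknown = triage_fleet(INVENTORY, SBOMS, ADVISORIES)
    for asset, ids in patch.items():
        print(f"{asset}: patch needed for {', '.join(ids)}")
    for asset in unknown:
        print(f"{asset}: no SBOM for installed firmware, cannot assess")
```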

About Time?

The PATCH Act "will implement cybersecurity protocols and procedures for manufacturers applying for premarket approval through the FDA to ensure that users are properly equipped to deal with foreign or domestic ransomware attacks. It is time to examine how to modernize and protect our healthcare infrastructure," Burgess says in a joint statement with co-sponsor Craig about the House legislation. Bad actors have increasingly relied on cybersecurity vulnerabilities to take advantage of unsuspecting individuals and undermine national security, according to the statement. "That trend is especially alarming when it comes to personal medical devices, which can be exploited by cybercriminals - threatening the health and well-being of countless Americans," Craig says.

Some industry experts say the PATCH bill's intent to help improve medical device cybersecurity is an important aim. "This is a good idea, although it is regrettable that it requires legislation," says former healthcare CIO David Finn, vice president of the education and networking associations within the College of Healthcare Information Management Executives, a healthcare CISO professional organization. "The FDA should require this. Voluntary action has not driven improvement - except to identify that there are more problems than we even knew about," he says.

Finn says promising medical technologies cannot succeed if patients and providers cannot rely on them to be safe from attack, which means the devices must be operable and available during an attack or outage, and sensitive patient information stored on them must be protected. "During and post-COVID-19, remote care, remote monitoring took on a new urgency and in some cases criticality. It will be more important than ever to keep patients safe by ensuring that devices are built and deployed using privacy and security by design."

Work in Progress

The Healthcare Supply Chain Association, an industry group, says it is pleased to see that the proposed PATCH Act legislation incorporates provisions that are "generally consistent" with recent guidance the group issued regarding cybersecurity recommendations for medical devices and services (see: Why SBOMs in Healthcare Supply Chain Are Critical). "As information technology, software and medical devices play an increasingly important role in healthcare, it is more critical than ever to ensure that cybersecurity threats do not jeopardize patient health, safety and privacy," Todd Ebert, HSCA president and CEO, tells ISMG.

He says, "Although we take a cautious approach to additional regulatory burdens for healthcare supply chain participants, the proposed legislation is indicative of the broad bipartisan support for improved cybersecurity and could help clarify cybersecurity requirements for manufacturers of medical devices." Greg Garcia, executive director of cybersecurity at the Health Sector Coordinating Council, says the PATCH Act's proposals are "everything the health sector has been working toward with FDA and between health delivery organizations and medical device manufacturers."

For example, the HSCC and its working groups also have been striving to help the industry tackle some of the challenges involving medical device cybersecurity, according to Garcia. "Our published model contract language and continued work on model vulnerability communications and legacy medical device cybersecurity management all address the provisions of the bill, and support use of software bills of material" (see: Template Aims to Help Add Cyber in Medical Device Contracts). "Patient safety requires cyber safety," Garcia says.

Thousands of Android users downloaded this password-stealing malware disguised as anti-virus from Google Play

Users looking to protect their smartphone from hackers found their devices infected with Sharkbot malware.

Source: ZDNet on February 23, 2022

Six phony anti-virus apps have been removed from the Google Play app store because instead of protecting users from cyber criminals, they were actually being used to deliver malware to steal passwords, bank details and other personal information from Android users. The malware apps have been detailed by cybersecurity researchers at Check Point, who say they were downloaded from Google's official app marketplace by over 15,000 users who were looking to protect their devices, which instead became infected with Sharkbot Android malware.

Sharkbot is designed to steal usernames and passwords, which it does by luring victims into entering their credentials in overlay windows that send the information back to the attackers, who can use it to gain access to emails, social media, online banking accounts and more. The six malicious apps found by researchers aimed to attract Android users searching for antivirus, cleaner and security apps. It's possible that victims were sent phishing links which directed them to the download pages for the Sharkbot-infested apps. The apps were able to bypass Google Play store protections because malicious behavior in the apps wasn't activated until after they'd been downloaded by a user and the app had communicated back to servers run by the attackers.

"We think that they were able to do it because all malicious actions were triggered from the C&C server, so the app could stay in the 'OFF' state during a test period in Google Play and turn 'ON' when they get to the users' devices," Alexander Chailytko, cyber security, research and innovation manager at Check Point Software, told ZDNet. According to analysis of the malware, Sharkbot won't infect everyone who downloads it – it uses a geofencing feature to identify and ignore users from China, India, Romania, Russia, Ukraine or Belarus. Meanwhile, most victims who downloaded Sharkbot appear to be in the United Kingdom and Italy. After identifying the apps, Check Point disclosed the findings to Google, which has removed the six apps from the Google Play Store. While the Sharkbot-infected apps have been removed from Google's official marketplace, they remain actively available on third-party sites, so users could still potentially be tricked into downloading them. ZDNet has asked Google for comment and will update this story if we get a response.

Anyone who suspects they've downloaded a malicious app should immediately uninstall it, download a legitimate antivirus program to scan their device, and change any passwords on accounts that could've been stolen. If there's any uncertainty about what to download or whether an app is legitimate, looking at user reviews can help provide a clearer picture: if the app isn't legitimate, reviews will often say so.