Education and government most at risk from email threats

Rene Millman

26 Nov, 2021

Organizations in the education sector and local and state government are most at risk from email threats, according to a new report.

The report, published by IT security firm Cyren, also found that phishing remains the dominant form of attack against all industries.

Based on data gathered from nearly 45,000 incidents, researchers found that the education sector received more than five threats per thousand emails. State and local government bodies received just over two per thousand, nearly double the rate of the next most targeted industry, software.

The report also counted attacks per 100 users across a wide range of industries: nearly 400 per 100 users in education, compared with just over 150 in construction.

Researchers said there was a surprisingly low rate for manufacturing, especially when compared to the construction industry, which is closely related.

“We observed 20 confirmed threats per 100 users in the manufacturing vertical. Without solid detection and automated incident response, a manufacturer with 100 Office 365 users would spend at least 16 hours manually investigating and remediating emails,” they added.

In a blog post, the researchers said the data supported the widely held view that phishing is a precursor to more damaging attacks such as business email compromise (BEC) and ransomware.

The report looked at phishing compared with malware and BEC attacks across four industries. Phishing remained the dominant threat in healthcare (76%), finance and insurance (76%), manufacturing (85%), and real estate (93%).

In healthcare, BEC attacks made up the remaining 24%. Researchers said that robust malware detection capabilities in the healthcare industry explains the high rate of BEC attempts. 

“Attackers understand that they can’t easily slip malware past automated defenses, so they have shifted to social engineering tactics,” said researchers.

Researchers said that when it comes to solving the email threat problem, user education is an important component, but several organizations have “over-rotated” on the idea that users are responsible for keeping sophisticated email threats at bay.

“The predominant trend is to use an email hygiene technology such as Microsoft Defender for Office 365 to catch 80% of threats, deploy a specialized add-on to catch and contain zero-day phishing and most BEC attempts, enable employees to perform initial analysis on the small percentage of emails that are classified as suspicious (rather than malicious or clean), and automate incident response workflows to save time and reduce exposure,” added researchers.

Hacked Google Cloud Platform instances are riddled with cryptominers

Connor Jones

26 Nov, 2021

Google Cloud has revealed that 86% of hacked Google Cloud Platform (GCP) instances in 2021 led to cryptocurrency miners being dropped into customers’ environments.

Cryptocurrency miners being installed in cloud instances was the leading issue facing GCP customers this year with 58% of compromised instances having cryptominers installed within just 22 seconds of attackers gaining access.

Google Cloud’s Threat Analysis Group (TAG) said this led it to believe the process was script-driven without requiring human intervention.

GCP customers were targeted heavily with attackers attempting to leverage the high levels of compute available to them, without having to foot the bill.

Google Cloud also revealed that instances had been compromised within as little as 30 minutes of being launched, with the majority compromised within eight hours.

TAG also observed that attackers monitor the public IP address space for signs of unsecured GCP instances, knowing how quickly each one can be compromised.

“Given that most instances were used for cryptocurrency mining rather than exfiltration of data, Google analysts concluded the Google Cloud IP address range was scanned rather than particular Google Cloud customers being targeted,” the report read.

“The amount of time from the launch of a vulnerable Google Cloud instance until compromise varied with the shortest amount of time being under 30 minutes.”

TAG researchers also noted that threat actors gained access to GCP instances through exploiting poor customer security practices in almost 75% of all cases.

Half of these cases were compromised because of attackers exploiting instances with weak or in some cases no passwords for user accounts or API connections.

This meant unsecured GCP instances could quite easily be scanned by attackers and brute-forced with minimal difficulty.

Google Cloud customers were also at fault in 26% of cases for installing third-party software in their instance which was then exploited to gain access.

Google Cloud’s basic recommended mitigations include ensuring accounts always have strong passwords, updating third-party software before a cloud instance is exposed to the web, and not publishing credentials in GitHub projects.
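The last of those recommendations is the easiest to enforce mechanically. The following scanner is an added example, not Google’s tooling: it walks a source tree and flags the two credential shapes an attacker scanning public repositories would look for. Both shapes are assumptions documented in the code (a service-account key file is JSON with `"type": "service_account"` and a `"private_key"` member; an API key is the public `AIza` plus 35 characters form), and the sample inputs are constructed, not real keys.

```python
"""Scan a source tree for Google Cloud credentials before it is pushed.

Added example, not Google's tooling. The credential shapes are assumptions:
a service-account key is a JSON document with "type": "service_account" and
a "private_key" member; an API key is the public "AIza" + 35-character form.
"""
import json
import re
from pathlib import Path

API_KEY_RE = re.compile(r"\bAIza[0-9A-Za-z_-]{35}\b")
PEM_RE = re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----")
SKIP_DIRS = {".git", "node_modules", "venv", ".venv"}


def redact(secret):
    """Keep enough of the value to locate it in the file, never the whole thing."""
    return secret[:6] + "..." + secret[-4:]


def scan_text(text, path="<memory>"):
    """Return (path, line, kind, detail) tuples for every credential found."""
    findings = []
    if text.lstrip().startswith("{"):
        try:
            doc = json.loads(text)
        except ValueError:
            doc = None
        if isinstance(doc, dict) and doc.get("type") == "service_account" and "private_key" in doc:
            findings.append((path, 1, "gcp_service_account_key", doc.get("client_email", "")))
            return findings  # the whole file is the secret; no need to scan lines
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in API_KEY_RE.finditer(line):
            findings.append((path, lineno, "google_api_key", redact(m.group())))
        if PEM_RE.search(line):
            findings.append((path, lineno, "pem_private_key", ""))
    return findings


def scan_tree(root):
    """Scan every regular file under root, skipping VCS and dependency dirs."""
    root = Path(root)
    findings = []
    for p in root.rglob("*"):
        if not p.is_file() or any(part in SKIP_DIRS for part in p.relative_to(root).parts):
            continue
        try:
            text = p.read_text(encoding="utf-8", errors="replace")
        except OSError:
            continue
        findings.extend(scan_text(text, str(p)))
    return findings


# Constructed samples for a self-check; none of these are real credentials.
SAMPLE_SA_KEY = json.dumps({
    "type": "service_account",
    "project_id": "example-project",
    "private_key_id": "0000",
    "private_key": "-----BEGIN PRIVATE KEY-----\nNOTAREALKEY\n-----END PRIVATE KEY-----\n",
    "client_email": "deploy@example-project.iam.gserviceaccount.com",
})
SAMPLE_SOURCE = 'MAPS_KEY = "AIza0123456789abcdefghijklmnopqrstuvwxy"  # constructed, not a real key\n'
SAMPLE_CLEAN = 'key = os.environ["MAPS_KEY"]\n'

if __name__ == "__main__":
    import sys
    for finding in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(*finding)
```

Run it as a pre-commit hook (or `python scan.py path/to/repo`) and fail the commit on any finding; a match on `google_api_key` or `gcp_service_account_key` means the credential should be treated as exposed and rotated, not merely removed from the next commit.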

Container Analysis is also available to GCP customers to perform vulnerability scanning and metadata storage for containers, while the Web Security Scanner in the Security Command Center can identify security vulnerabilities in their App Engine, Google Kubernetes Engine, and Compute Engine web applications.

IBM unveils world-first machine learning training method for GDPR-compliance

Connor Jones

25 Nov, 2021

IBM researchers have unveiled a novel method of training machine learning (ML) models that minimises the amount of personal data required and preserves high levels of accuracy.

The research is thought to be a boon to businesses that need to stay compliant with data protection and data privacy laws such as the General Data Protection Regulation (GDPR) and the California Privacy Rights Act (CPRA).

In both GDPR and CPRA, ‘data minimisation’ is a core component of the legislation, but it has been difficult for companies to determine what the minimal amount of personal data should be when training ML models.

It’s especially difficult when the goal of training ML models is usually to achieve the highest degree of accuracy in predictions or classifications, regardless of the amount of data used.

The findings from the study, thought to be a world first in the field of machine learning, showed that training data can be generalised so that less of the original data is retained, while preserving the same level of accuracy as training on the full dataset.

At no point did researchers see a drop in prediction accuracy below 33% even when the entire dataset was generalised, preserving none of the original data. In some cases, the researchers were able to achieve 100% accuracy even with some generalisation.

In addition to adhering to the data minimisation principle of major data protection laws, researchers suggest that smaller data requirements could also lead to reduced costs in areas like data storage and management fees.

Data generalisation process

Businesses can become more compliant with data laws by removing or generalising some of the input features of runtime data, IBM researchers showed.

Generalisation involves taking a feature value and breaking it down into specific values and generalised values. For a numerical feature ‘age’, the specific values of which could be 37 or 39, a possible generalised value range could be 36-40.

A categorical feature of ‘marital status’ could have the specific values ‘married, ‘never married’, and ‘divorced’. A generalisation of these could be ‘never married’ and ‘divorced’ which eliminates one value, decreasing specificity, but still provides a degree of accuracy as ‘divorced’ implies that an individual has, at one point, been married.

The numerical feature thus becomes less specific (the range 36-40 admits three values, 36, 38 and 40, that were not in the data), while the categorical feature becomes less detailed. The quality of a generalisation is then scored with a metric; IBM chose NCP (Normalized Certainty Penalty) over the alternatives considered because it best suited the purposes of data privacy.


Researchers then selected a dataset and trained one or more target models on it to create a baseline. Generalisation was then applied, the accuracy was calculated and re-calculated (see diagram above) until the final generalisation was ready to be compared to the baseline.


The generalisation itself is derived from a decision tree (see above) that is gradually trimmed from the bottom upwards, with any significant decrease in the target model’s accuracy noted along the way.

If accuracy is maintained, or stays above the acceptable threshold, after the generalised data is applied, the researchers improve the generalisation by trimming the tree further, widening the generalised range of a given feature, until the final optimised generalisation is reached.
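To make the generalise-score-check loop concrete, here is an added example (not IBM’s code) that applies the page’s two generalisations to a toy dataset, scores them with NCP, and widens the numeric bins until a stand-in model’s accuracy falls below a threshold. The NCP definition used (numeric: range width over domain width; categorical: cell size over domain size, or 0 for a single value; averaged over features, then records), the attribute domains, the four-record dataset, the midpoint-based model and the 0.9 threshold are all assumptions, not values from the study.

```python
"""Generalise training features and score the information loss with NCP.

Added example, not IBM's code. NCP (Normalized Certainty Penalty) is taken
to be: for a numeric range, its width over the domain width; for a
categorical cell, the cell size over the domain size, or 0 for a single
value; averaged over features and then records. Domains, the toy dataset,
the stand-in model and the 0.9 accuracy threshold are assumptions.
"""
from fractions import Fraction

AGE_DOMAIN = (18, 90)                                   # assumption
MARITAL_DOMAIN = frozenset({"married", "never married", "divorced"})

# The page's categorical generalisation: 'married' folds into 'divorced',
# 'never married' keeps its own cell.
MARITAL_GROUPS = {
    "married": frozenset({"married", "divorced"}),
    "divorced": frozenset({"married", "divorced"}),
    "never married": frozenset({"never married"}),
}


def generalise_age(age, width=5, domain=AGE_DOMAIN):
    """Exact age -> 1-based bin of `width` years, clipped to the domain.
    With width 5, both 37 and 39 become (36, 40), as on the page."""
    lo = ((age - 1) // width) * width + 1
    hi = lo + width - 1
    return (max(lo, domain[0]), min(hi, domain[1]))


def ncp_numeric(rng, domain=AGE_DOMAIN):
    return Fraction(rng[1] - rng[0], domain[1] - domain[0])


def ncp_categorical(cell, domain=MARITAL_DOMAIN):
    return Fraction(0) if len(cell) <= 1 else Fraction(len(cell), len(domain))


def generalise_record(rec, width=5):
    return {"age": generalise_age(rec["age"], width),
            "marital_status": MARITAL_GROUPS[rec["marital_status"]]}


def ncp_record(gen):
    return (ncp_numeric(gen["age"]) + ncp_categorical(gen["marital_status"])) / 2


def ncp_dataset(records, width=5):
    gens = [generalise_record(r, width) for r in records]
    return sum(ncp_record(g) for g in gens) / len(gens)


# Constructed toy dataset; the label is "35 or older".
RECORDS = [
    {"age": 37, "marital_status": "married"},
    {"age": 39, "marital_status": "divorced"},
    {"age": 24, "marital_status": "never married"},
    {"age": 62, "marital_status": "married"},
]
LABELS = [r["age"] >= 35 for r in RECORDS]


def model(gen):
    """Stand-in target model: decides on the midpoint of the generalised age range."""
    lo, hi = gen["age"]
    return (lo + hi) / 2 >= 35


def accuracy(records, labels, width):
    hits = sum(model(generalise_record(r, width)) == y for r, y in zip(records, labels))
    return hits / len(records)


def coarsest_width(records, labels, widths=(5, 10, 20, 40), min_accuracy=0.9):
    """The page's loop: keep widening the generalisation while accuracy holds."""
    chosen = None
    for w in widths:
        if accuracy(records, labels, w) < min_accuracy:
            break
        chosen = w
    return chosen


if __name__ == "__main__":
    for w in (5, 10, 20):
        print(f"width {w}: accuracy {accuracy(RECORDS, LABELS, w):.2f}, NCP {ncp_dataset(RECORDS, w)}")
    print("coarsest acceptable width:", coarsest_width(RECORDS, LABELS))
```

On this data the 5-year bins score an NCP of 5/18 at full accuracy, 10-year bins raise NCP to 5/16 with accuracy still at 1.0, and 20-year bins drop accuracy to 0.5, so the loop stops at width 10. The same shape of loop applies when the generalisation cells come from pruning a decision tree rather than from fixed-width bins.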

SMBs urged to update software ahead of Black Friday

Sabina Weston

25 Nov, 2021

Small and medium-sized businesses (SMBs) are being urged to update their software ahead of Black Friday and Cyber Monday to avoid financial and reputational damage.

The warning comes after the National Cyber Security Centre (NCSC) identified 4,151 online shops that had been compromised through a vulnerability in the e-commerce platform Magento. With 250,000 customers, the Adobe-owned platform is the third-largest e-commerce system globally, after WooCommerce and Shopify.

The NCSC alerted the affected retailers to the vulnerability in late September, and Magento issued a security patch on 12 October.

All online businesses are being urged to update their software: the mass shift to e-commerce since the start of the pandemic means more customers are shopping online than ever before, increasing the risk of them falling victim to online scams.

The NCSC has therefore issued guidance on running a secure website and avoiding threats including skimming, which British Retail Consortium assistant director Graham Wynn has described as “a threat to all retailers”.

The trade association has urged “all retailers to follow the NCSC’s advice and check their preparedness for any cyber issues that could arise during the busy end of year period”.

NCSC deputy director for Economy and Society, Sarah Lyons, said that the agency wants “small and medium-sized online retailers to know how to prevent their sites being exploited by opportunistic cyber criminals over the peak shopping period”.

“Falling victim to cyber crime could leave you and your customers out of pocket and cause reputational damage. It’s important to keep websites as secure as possible and I would urge all business owners to follow our guidance and make sure their software is up to date,” she added.

Last year, Check Point’s security researchers observed a sharp increase in phishing campaigns in the run-up to Black Friday and Cyber Monday, with phishing emails increasing more than 13-fold in early November 2020. In December 2020, RiskIQ security researchers discovered around 37,000 fake retail websites set up to scam holiday shoppers, with 208 domain infringement events containing only “Black Friday,” “Cyber Monday,” “Boxing Day,” or “Christmas”.

Mozilla to end support for Firefox Lockwise password manager

Bobby Hellard

24 Nov, 2021

Mozilla has announced that its Firefox Lockwise password manager will reach end-of-life on 13 December.

The final versions of the app will be 1.8.1 for iOS and 4.0.3 for Android; after that it will no longer be available for download or reinstallation.

Lockwise joins several projects Mozilla has wound down to streamline its business and become more profitable. Over the last few years, the company has shut down the team building the operating system for the failed Firefox phone, discontinued its Firefox Send file transfer tool, and spun the Thunderbird email client off into a separate subsidiary. There is, however, an Android replacement for the password manager, Firefox 93 for Android, which was released last month.

Firefox Lockwise was launched in 2018, originally as a small experimental mobile app (named Lockbox at that point), and grew into a way to access saved passwords and perform autofill on iOS, Android, and even desktops. It was later adapted as a Firefox extension, but its lifespan ends at little more than three years.

In a support article posted by Mozilla, users are advised to continue accessing passwords via the native Firefox browser on desktop and mobile. There is also a note on the support site suggesting that the Firefox iOS app will gain the ability to manage Firefox passwords system-wide later in December. This might mean that Mozilla adopts the features of Lockwise and eventually integrates them into the Firefox browser apps for all platforms. 

Mozilla laid off around 250 people, roughly a quarter of its workforce, in 2020 to refocus its business on projects that make money. CEO Mitchell Baker wrote in a blog post at the time that the company’s plans leading up to the outbreak of COVID had become “no longer workable” once it became a pandemic.

As part of the layoffs, Baker laid out a series of new focuses for Mozilla to set a stronger course for the company, such as building new products that “mitigate harms” and “that people love and want” to use, and also to build out new revenue streams.

Google faces mandatory vaccination resistance ahead of office return

Bobby Hellard

24 Nov, 2021

Google is facing an internal backlash over its plans to require employees to provide their vaccination status by December.

“Several hundred” Googlers have signed and circulated a manifesto opposing the plans, according to CNBC, potentially delaying the tech giant’s office return yet again.

Google is following the Biden administration’s orders that all US companies with 100 or more workers have to ensure that all employees are fully vaccinated or regularly tested for Covid-19 by 4 January. According to internal documents, seen by CNBC, the tech giant has asked its 150,000 plus workforce to upload vaccination status to its internal system by 3 December, whether they plan to come into the office or not. This also appears to be the case for employees that work directly or indirectly with US government contracts – also whether they work remotely or not.

“Vaccines are key to our ability to enable a safe return to the office for everyone and minimise the spread of Covid-19 in our communities,” wrote Chris Rackow, Google VP of security, in an email sent near the end of October, CNBC reports.

The manifesto spreading around Google has been signed by at least 600 employees, according to reports. It asks the company’s leaders to retract the vaccine mandate and create a new one that is “inclusive of all Googlers“. It also calls on employees to “oppose the mandate as a matter of principle”, informing staff to not let the policy alter their decision if they’ve already opted not to get a vaccine.

“As we’ve stated to all our employees and the author of this document, our vaccination requirements are one of the most important ways we can keep our workforce safe and keep our services running,” a spokesperson for Google said. “We firmly stand behind our vaccination policy.”

Hackers use SquirrelWaffle malware to hack Exchange servers in new campaign

Rene Millman

23 Nov, 2021

Hackers are using ProxyShell and ProxyLogon exploits to break into Microsoft Exchange servers in a new campaign to infect systems with malware, bypassing security measures by replying to pre-existing email chains.

Security researchers at Trend Micro said investigations into several intrusions related to Squirrelwaffle led to a deeper examination into the initial access of these attacks, according to a blog post.

Researchers said that Squirrelwaffle first emerged as a new loader spreading through spam campaigns in September. The malware is known for sending its malicious emails as replies to pre-existing email chains.

The intrusions observed by researchers originated from on-premises Microsoft Exchange servers that appeared to be vulnerable to ProxyLogon and ProxyShell. According to researchers, the IIS logs on three of the Exchange servers compromised in different intrusions showed evidence of exploitation of CVE-2021-26855, CVE-2021-34473, and CVE-2021-34523.

“The same CVEs were used in ProxyLogon (CVE-2021-26855) and ProxyShell (CVE-2021-34473 and CVE-2021-34523) intrusions. Microsoft released a patch for ProxyLogon in March; those who have applied the May or July updates are protected from ProxyShell vulnerabilities,” said researchers.

In one case, all the internal users in the affected network received spam emails sent as legitimate replies to existing email threads.

“All of the observed emails were written in English for this spam campaign in the Middle East. While other languages were used in different regions, most were written in English. More notably, true account names from the victim’s domain were used as sender and recipient, which raises the chance that a recipient will click the link and open the malicious Microsoft Excel spreadsheets,” they said.

In the same intrusion, researchers analyzed the email headers for the received malicious emails and found that the mail path was internal, indicating that the emails did not originate from an external sender, open mail relay, or any message transfer agent (MTA).

“Delivering the malicious spam using this technique to reach all the internal domain users will decrease the possibility of detecting or stopping the attack, as the mail gateways will not be able to filter or quarantine any of these internal emails,” they added.
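Because the gateway never sees this mail, the header check the researchers describe has to run on the mailbox side. The following is an added example, not Trend Micro’s tooling: it parses each Received header, judges only the sending side of each hop, and flags a message whose entire path is internal, whose sender is an internal account, that is a reply, and that carries a spreadsheet. The internal domain (`corp.example`), the internal address ranges (RFC 1918 plus ULA), and both sample messages are constructed assumptions.

```python
"""Flag internal-origin reply emails carrying spreadsheets.

Added example, not Trend Micro's tooling: it turns the header check the
researchers describe (is the mail path entirely internal?) into a
mailbox-side rule, since the gateway never sees such mail. The internal
domain, the internal address ranges and both sample messages are constructed
assumptions.
"""
import email
import ipaddress
import re
from email import policy
from email.utils import parseaddr

INTERNAL_DOMAIN = "corp.example"                      # assumption
INTERNAL_NETS = [ipaddress.ip_network(n) for n in     # assumption: RFC 1918 + ULA
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]
SPREADSHEET_EXTS = (".xls", ".xlsx", ".xlsm", ".xlsb")

HOST_RE = re.compile(r"^\s*from\s+([^\s(\[]+)", re.I)
IP_RE = re.compile(r"[\[(]([0-9a-fA-F.:]+)[\])]")


def is_internal_host(name):
    name = name.lower().rstrip(".")
    return name == INTERNAL_DOMAIN or name.endswith("." + INTERNAL_DOMAIN)


def classify_hop(received):
    """Parse one Received header; judge only the sending ('from') side of the hop."""
    from_part = re.split(r"\s+by\s+", received, maxsplit=1)[0]
    m = HOST_RE.match(from_part)
    host = m.group(1) if m else ""
    ips = []
    for tok in IP_RE.findall(from_part):
        try:
            ips.append(ipaddress.ip_address(tok))
        except ValueError:
            pass  # not an address, e.g. a version string in parentheses
    internal = is_internal_host(host) or any(ip in net for ip in ips for net in INTERNAL_NETS)
    return {"host": host, "ips": [str(ip) for ip in ips], "internal": internal}


def analyse(raw):
    """Return the indicators and an overall verdict for one raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    hops = [classify_hop(str(v)) for v in msg.get_all("Received", [])]
    sender_domain = parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2]
    subject = str(msg.get("Subject", ""))
    has_sheet = any((part.get_filename() or "").lower().endswith(SPREADSHEET_EXTS)
                    for part in msg.walk())
    ind = {
        "all_hops_internal": bool(hops) and all(h["internal"] for h in hops),
        "sender_is_internal": is_internal_host(sender_domain),
        "is_reply": "In-Reply-To" in msg or subject.lower().startswith("re:"),
        "has_spreadsheet": has_sheet,
    }
    # A reply that never left the Exchange organisation yet carries a
    # spreadsheet is exactly the shape the gateway cannot filter.
    ind["suspicious"] = all(ind.values())
    return ind


# Constructed sample: injected via the Exchange server itself, every hop internal.
RAW_INTERNAL = """\
Received: from EXCH01.corp.example (10.20.0.5) by EXCH01.corp.example (10.20.0.5) with Microsoft SMTP Server; Thu, 18 Nov 2021 09:12:03 +0000
Received: from EXCH01.corp.example ([10.20.0.5]) by EXCH01.corp.example ([10.20.0.5]) with mapi; Thu, 18 Nov 2021 09:12:02 +0000
From: Alice Example <alice@corp.example>
To: Bob Example <bob@corp.example>
Subject: RE: Q4 invoice
In-Reply-To: <20211110093000.original@corp.example>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="sep"

--sep
Content-Type: text/plain; charset="utf-8"

Please see the attached sheet.
--sep
Content-Type: application/vnd.ms-excel; name="invoice.xls"
Content-Disposition: attachment; filename="invoice.xls"
Content-Transfer-Encoding: base64

QUFB
--sep--
"""

# Constructed sample: same payload, but it entered from outside and so passed the gateway.
RAW_EXTERNAL = RAW_INTERNAL.replace(
    "Received: from EXCH01.corp.example ([10.20.0.5])",
    "Received: from mail.example.net (203.0.113.7)",
).replace("From: Alice Example <alice@corp.example>", "From: Vendor <billing@example.net>")

if __name__ == "__main__":
    for name, raw in (("internal", RAW_INTERNAL), ("external", RAW_EXTERNAL)):
        print(name, analyse(raw))
```

The verdict is deliberately conjunctive: an internal-only path on its own is normal for every message between two colleagues, and a reply with a spreadsheet is normal too; it is the combination on mail that bypassed the gateway that deserves a look, and in the intrusion described it would have fired on every mailbox in the domain at once.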

Researchers said the hackers also did not drop or use lateral movement tools after gaining access to the vulnerable Exchange servers, in order to avoid detection. Nor was any malware executed on the Exchange servers themselves, so as not to trigger alerts before the malicious email could be spread across the environment.

According to researchers, the recent Squirrelwaffle campaigns should make users wary of the different tactics used to mask malicious emails and files.

“Emails that come from trusted contacts may not be enough of an indicator that whatever link or file included in the email is safe,” they warned.

AWS wins Adidas contract to host its SAP workloads

Praharsha Anand

23 Nov, 2021

Amazon Web Services (AWS) has won a contract to provide sports clothing brand Adidas with a cloud environment for hosting its SAP workloads.

Germany-based multinational Adidas AG also intends to develop a modern SAP S/4HANA platform on AWS, according to the deal.

By integrating SAP into its enterprise resource planning (ERP) system, Adidas aims to connect data across its global operations, while also tapping into AWS‘ SAP expertise to support advanced analytics, data science, and enterprise reporting, the company said in a release.

Utilizing AWS’ machine learning solutions, including Amazon SageMaker, Adidas’ data scientists can forecast seasonal demand for goods. This ensures the right product arrives at a warehouse or retail store at the right time, increasing customer satisfaction.

Through a cloud-based data lake on AWS, Adidas can also gain visibility into both internal and outbound operations, while AWS Sustainability programmes will also assist Adidas in reducing the environmental impact of its cloud operations.

Adidas said the deal will allow it to offer customers discounts and early access to new releases, priority services, and personalized offers.

“We want to drive innovation across our business, which includes everything from how we design our products to how we engage with the consumers who buy them. By committing to cloud infrastructure, we have the scalability and elasticity we need to handle the seasonality of our business during peak demand, and support the projected growth in our e-commerce business in the years to come,” explained Markus Rautert, senior vice president of technology enablement at Adidas AG.

“Deploying SAP environments on AWS isn’t just about transforming our technology—it’s about transforming business opportunities and using AWS’ wide range of cloud capabilities to create efficiencies and bring us closer to consumers,” he added.

GoDaddy data breach exposes over 1.2 million customer details

Danny Bradbury

23 Nov, 2021

Hosting company GoDaddy has said that around 1.2 million users have been affected by a data breach on its managed WordPress hosting service.

The hack is said to have exposed email addresses, customer numbers, administrative login credentials, and in some cases SSL private keys.

The hosting company discovered that an intruder had gained access to its managed WordPress hosting environment on Nov 17, it said in a filing with the SEC. The intruder used a stolen password to access the provisioning system for the service.

Up to 1.2 million active and former users of the company’s managed service had their email addresses and customer numbers exposed, the company said, raising the possibility of further phishing attacks to come. The original administrative passwords for the managed WordPress accounts were also available to the hacker, putting the accounts themselves at risk if the credentials were still in use.

Also exposed were SFTP and database usernames and passwords, and an undisclosed number of users also had their SSL private keys exposed.

GoDaddy discovered that the intruder had been inside the system since September 6, meaning the hacker had access to the data for over two months. It worked with a forensics company upon discovering the incident, and has taken steps to safeguard its systems, including changing original administrative passwords that were still in use, resetting SFTP and database passwords, and installing new digital certificates for affected customers.

“We are sincerely sorry for this incident and the concern it causes for our customers,” the company said in its filing. “We, GoDaddy leadership and employees, take our responsibility to protect our customers’ data very seriously and never want to let them down. We will learn from this incident and are already taking steps to strengthen our provisioning system with additional layers of protection.”

In 2017, the company revoked thousands of SSL certificates after issuing them without proper checks and authorization. In January 2019, an independent researcher found a vulnerability in its process for handling DNS change requests that enabled hackers to hijack domains and create phishing campaigns. It also notified customers of a hack that exposed SSH login details in the same year.

Retail giant Schwarz Group snaps up Israeli cyber security startup XM Cyber

Daniel Todd

23 Nov, 2021

Schwarz Group has announced the acquisition of a majority stake in Israeli cloud cyber security startup XM Cyber for a reported $700 million, as the EU retail giant looks to grow its digital business.

Headquartered in Tel Aviv, XM Cyber specialises in proactive prevention of cyber-attacks using the attacker’s perspective. By discovering critical attack paths across on-premises and multi-cloud networks, the firm’s solutions aim to help organisations close security gaps before systems are compromised.

Christian Müller, chief information officer of Schwarz Group, said the addition of XM Cyber brings a “deep technical understanding and innovation” that will complement Schwarz’s existing portfolio of advanced cybersecurity services.

“Finding and closing security gaps from an attacker’s perspective is a disruptive approach to the way organisations can proactively protect their networks,” he said. “XM Cyber’s solution builds on our strong IT security to further protect our customers, partners, and ourselves as a company.“

Headquartered in Germany, Schwarz Group has become one of the world’s largest retailers, known particularly for its ownership of EU staples such as Lidl and Kaufland supermarkets.

The group said XM Cyber’s comprehensive knowledge in securing complex hybrid cloud networks was a driving factor behind the acquisition, with the startup set to boost the group’s expanding digital venture.

Upon completion of the acquisition, XM Cyber will continue to operate independently with its current branding, full suite of products, and support structure, it added.

Noam Erez, co-founder and CEO of XM Cyber, said the move will give the company “immense potential” to further expand and develop its business model.

“We are thrilled to become part of the Schwarz Group,” he said. “With the backing and international footprint of the largest European retailer, we can accelerate innovation and growth and further strengthen our position in the global cybersecurity market.”