Cyber Security Weekly Briefing, 25 June – 1 July

Telefónica Tech    2 July, 2022

Kaspersky investigates attacks on industrial control systems

Kaspersky researchers have investigated an attack campaign targeting industrial control systems (ICS) of telcos and industrial companies in several countries on the Asian continent.

According to the researchers, most of the incidents analysed had as their entry vector the exploitation of CVE-2021-26855, the server-side request forgery flaw in Microsoft Exchange Server known as ProxyLogon, which as part of that exploit chain leads to remote code execution.

This campaign began in October 2021 and since then has used the backdoor known as ShadowPad, which masquerades as a legitimate DLL in order to be executed on the infected computer. Once the system is infected, threat actors remotely inject Cobalt Strike beacons and gain control of a building’s automation systems, including electricity, fire control, security and more.

Once in control of these systems, the attackers move laterally across the internal network using an account whose credentials have been stolen, gaining access to further internal services and to more sensitive and confidential information. The attackers’ ultimate goal remains unknown, although it is believed that they may be gathering information.


* * * 

Backdoor targeting governments and organisations around the world discovered

Kaspersky security researchers have revealed that threat actors have been using a backdoor named SessionManager, discovered on Microsoft Exchange servers belonging to government and military organisations in Europe, the Middle East, Asia and Africa.

SessionManager is a natively coded malicious module for Microsoft’s Internet Information Services (IIS) web server. Researchers discovered it while continuing to search for IIS backdoors similar to Owowa, another malicious IIS module that attackers have deployed on Microsoft Exchange Outlook Web Access servers since late 2020 to steal Exchange credentials.

The SessionManager backdoor allows threat actors to maintain persistent, update-resistant and fairly stealthy access to a target organisation’s IT infrastructure: to read company email, to extend their access by installing other malware, or to covertly manage the compromised servers, which can then be leveraged as malicious infrastructure.

Due to the similarity of the victims and the use of a common OwlProxy variant, researchers believe that the malicious IIS module may have been exploited by the threat actor Gelsemium as part of a global espionage operation.


* * *

0-day in Mitel devices used for ransomware attack

Researchers at CrowdStrike have analysed an incident in which malicious actors reportedly used an exploit for a 0-day vulnerability in Mitel MiVoice VoIP appliances to gain initial access and deploy ransomware.

The security flaw, now identified as CVE-2022-29499 and rated CVSSv3 9.8, is due to insufficient validation of data passed to a diagnostic script, allowing unauthenticated remote attackers to inject commands via specially crafted requests.

It should also be noted that the vulnerability is in the Mitel Service Appliance component of MiVoice Connect, used in SA 100, SA 400 and Virtual SA, making it possible for an attacker to perform remote code execution.

Although no official patch has been released, Mitel addressed it on 19 April 2022, releasing a fix script for MiVoice Connect versions 19.2 SP3 and R14.x and earlier.

The researchers estimate that further ransomware distributions using this entry vector are likely to occur due to this incident, and recommend that the fixes be applied.


* * *

More than 900,000 Kubernetes instances exposed on the Internet

Cyble researchers have conducted an analysis to locate exposed Kubernetes instances on the Internet, using scanning tools and search queries similar to those used by malicious operators.

More than 900,000 exposed Kubernetes servers were detected in this analysis, although not all of them are necessarily vulnerable to attack or expose sensitive data. The TCP ports with the highest exposure are 443, with just over one million instances, followed by 10250 (the kubelet API) and 6443 (the Kubernetes API server).

According to Cyble, the vast majority of the exposed instances return HTTP status code 403, indicating that the anonymous request reached the API server but was denied by its authorisation layer, so the instance cannot be used directly by an unauthenticated attacker. However, they detected a small subset of 799 instances that return status code 200 and are fully accessible to external attackers.

Even though the number of vulnerable servers is quite low, only one remotely exploitable vulnerability needs to be discovered for a much larger number of devices to be vulnerable to these attacks.
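The 403/200 distinction above is easy to check against your own exposed endpoints. The following Python script is an added example, not part of the Cyble analysis: it sends unauthenticated requests to an API server, reads /version (which the default system:public-info-viewer ClusterRole exposes to anonymous users) and a privileged path, and classifies the result into the buckets the report uses. It includes a constructed local mock of a default-configured API server so it runs offline; the target URL, the mock responses and the labels are assumptions.

```python
"""Classify what an anonymous scanner sees on an exposed Kubernetes API endpoint.

Added example, not code from the Cyble report. The URL, the mock server and the
classification labels are constructed for this demonstration.
"""
import json
import ssl
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# /version is readable by anonymous users on a default cluster through the
# system:public-info-viewer ClusterRole; reading Secrets needs real RBAC rights.
PUBLIC_PATH = "/version"
PRIVILEGED_PATH = "/api/v1/namespaces/kube-system/secrets"


def fetch_status(base_url, path, timeout=5):
    """HTTP status of an unauthenticated GET, or None if the host is unreachable."""
    req = urllib.request.Request(base_url + path, headers={"Accept": "application/json"})
    ctx = ssl.create_default_context()
    ctx.check_hostname = False        # a scanner does not care whose certificate this is
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            return resp.status
    except urllib.error.HTTPError as err:   # 401/403/404 arrive as exceptions
        return err.code
    except (urllib.error.URLError, OSError):
        return None


def classify(public_status, privileged_status):
    """Map two status codes to the buckets used in the Cyble analysis.

    200 on a privileged path: anyone can read cluster secrets.
    401: anonymous auth is disabled (--anonymous-auth=false), the hardened state.
    403: anonymous requests are accepted but RBAC denies them; /version still leaks
         the cluster version, which is what most of the exposed instances look like.
    """
    if privileged_status == 200:
        return "OPEN: privileged path readable without credentials"
    if privileged_status == 401:
        return "HARDENED: anonymous requests rejected"
    if privileged_status == 403:
        if public_status == 200:
            return "DEFAULT: anonymous allowed, RBAC denies reads, /version exposed"
        return "RESTRICTED: anonymous allowed, public paths also denied"
    return "UNREACHABLE or not a Kubernetes API endpoint"


def probe(base_url):
    """Probe one endpoint, e.g. https://203.0.113.10:6443 (documentation address)."""
    return classify(fetch_status(base_url, PUBLIC_PATH), fetch_status(base_url, PRIVILEGED_PATH))


class _MockDefaultApiServer(BaseHTTPRequestHandler):
    """Constructed stand-in for a default-configured API server: anonymous on, RBAC on."""

    def do_GET(self):
        if self.path == PUBLIC_PATH:
            status, body = 200, {"major": "1", "minor": "24"}
        else:
            status, body = 403, {"kind": "Status", "code": 403, "reason": "Forbidden"}
        payload = json.dumps(body).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.end_headers()
        self.wfile.write(payload)

    def log_message(self, *args):  # keep the demo quiet
        pass


def demo():
    """Run probe() against the local mock and return its classification."""
    server = HTTPServer(("127.0.0.1", 0), _MockDefaultApiServer)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return probe("http://127.0.0.1:%d" % server.server_address[1])
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print(demo())
```

A 403 is the default, not a hardened, state: it means the API server still accepts anonymous requests and relies entirely on RBAC to refuse them. Setting --anonymous-auth=false on kube-apiserver and on the kubelet turns those into 401s, and neither 6443 nor 10250 should be reachable from the Internet in the first place.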


* * *

​​​FabricScape: vulnerability in Microsoft Service Fabric

Researchers at Unit 42 in Palo Alto have reported a vulnerability in Microsoft Azure Service Fabric that affects containers in the Linux cluster.

The flaw, CVE-2022-30137 (CVSSv3 7.6), was discovered and reported to the company in early 2022 and affects a platform that hosts more than a million applications, some of them business-critical. The vulnerability has been named FabricScape and is caused by a race condition in the Data Collection Agent (DCA) component, which runs as root in Service Fabric, that results in an arbitrary file write.

This would allow an attacker to escalate their privileges to root, take control of the host node and compromise the entire Service Fabric Linux cluster. The vulnerability was resolved with the June patch for Microsoft Azure Service Fabric 9.0 for all users who have automatic updates enabled.

If you do not have this feature enabled, it is recommended that you manually upgrade to the latest Service Fabric version.


How should you speak to children about Artificial Intelligence?

Paloma Recuero de los Santos    30 June, 2022

In previous years, people’s relationship with technology in general, and with artificial intelligence in particular, was based on “text”, usually using specialised programming languages. Today, however, artificial intelligence has learned to speak and interpret human language.

So, even if we talk to an assistant as if it were a person, and say “Siri, I want a video of Peppa Pig”, at no time do we forget that Siri is not a person.

However, we are seeing that, for the little ones of the alpha generation, the limits between themselves and the technology that has always surrounded them are not so clear.

Figure 2: “Siri, I want a video of Peppa Pig”

Sue Shellenbarger, a columnist for the Wall Street Journal, warns that “many children think that robots are smarter than humans or give them magical powers”.

A 2018 study on the Cozmo toy robot, a toy designed to appear “to have a soul”, showed how children between the ages of 4 and 10 thought the toy was “smarter” than they were, and even that it was capable of feeling.

Figure 3: Cozmo Robot (source: amazon.com)

In promoting the toy, Boris Sofman, one of the founders of Anki, the company that manufactures them, said: “If you don’t play with Cozmo for a week, you will feel like you haven’t played with your dog for a week”.


How can little ones not be confused when their toys are designed this way?

Other studies show how children between the ages of 9 and 15 felt emotionally attached to human-looking robots and thought that they “could be their friends”, or changed their answers to “is it OK to hit other children?” according to their doll’s “opinion”: “My doll says it’s OK”.

The Solution

As with almost everything else, the best way to help children define the boundaries between technology and reality is through education.

Researchers at MIT are working with children of different ages to see how adults can help them perceive artificial intelligence correctly. Although it may seem early to start, and in a sense it is, very few four-year-old children were able to understand that even if a toy beats them at a game, it is not smarter than they are.

The MIT AI ethics course

Between the ages of 10 and 14, children begin to develop high-level thinking and deal with complex moral reasoning. And at that age too, most have smart phones with all kinds of AI-based applications.

MIT has developed an AI ethics course for children, which teaches them how AI-based algorithms work, and how there can be determined intentions behind the answers. For example, they learn why Instagram shows them a certain ad, or why they may receive one piece of information and not another in their news app.

They are also challenged to design an “algorithm” in the form of a recipe for the best peanut butter sandwich or play bingo (AI Bingo). In short, they learn in a simple and fun way, that technology, robots, computers… are nothing more than tools, fast, precise, powerful, but they do nothing more than follow the models, or the algorithms with which we have programmed them.

Some simple tips to put into practice

Adults are a fundamental reference for children, especially parents. And, without having to take any MIT course (neither they nor we), we can help them understand the limits of AI with these simple tips proposed by Sue Shellenbarger:

  • Do not refer to assistants, robots or AI-based toys as if they were people.
  • Try to convey a positive image of the benefits of AI in general: it makes our lives easier in many ways.
  • Arouse their curiosity about how robots are designed and built.
  • Help them understand that the “source” of intelligence for AI-based devices is humans.
  • Discuss ethical aspects of AI design with questions such as: should we build robots that are polite and say please, hello and thank you, as we try to teach children to do?
  • Encourage their critical thinking about the information they receive through these toys or smart devices, as well as from social networks and the internet.
  • Be very careful with toys that are marketed as a child’s “best friend”. They can create unwanted dependencies.

And most importantly, try to challenge, whenever they arise, ideas such as “machines are superior to humans”, “robots will kill humans” etc, because they can be harmful to the naive minds of children.

Translated by Patrick Buckley

How Lokibot, the malware used by Machete to steal information and login credentials, works

Aarón Jornet    29 June, 2022

LokiBot is malware used in several roles: as a backdoor, for credential theft and for stealing crypto-assets. Depending on the version and who is operating it, it also serves as a loader for other malicious files. The tool has also been seen in the hands of other groups, such as the Gorgon Group.

It is usually delivered via email attachments and, depending on the version, different execution chains have been observed, ranging from exploitation of document vulnerabilities to several scripts that hand off to one another.

The final objective is usually to install itself in a legitimate or self-initiated process to serve as a backdoor, to obtain as much information as possible from the machine and the user, and to communicate with Command and Control (C&C) servers. Depending on the victim, this tool will be used to obtain as much data as possible or to steal assets by exfiltrating this information.

Machete is a group devoted to information theft and espionage using various tools, including LokiBot.

Machete has not been attributed to any particular country, although it is believed to operate from Spanish-speaking countries. The group has been active since 2010 and this year has had a major impact, attacking targets in a large number of countries, with an emphasis on Latin America, Spain and Russia.

What are Machete’s main objectives and what tools does it use?

Its main targets are defence departments, government entities and energy and telecommunications companies.

The main motivation of this group is information theft and espionage, in which tools for stealing all kinds of sensitive information, to be used for strategic advantage, stand out.

The main tools it has used along the way are largely developed in Python. The malware used by Machete for backdoors, information theft and exfiltration in its attacks is the following:

  • LokiBot | Loki.RAT | Loki (Backdoor, Keylogger, Stealer): Malware dedicated to launching or being launched by others in order to obtain relevant information such as browser data, FTP and SSH credentials, as well as email data to send all collected data to a C&C.
  • Machete (Backdoor, Stealer): Proprietary malware typically used via SFX or RAR which will contain various tools, usually written in Python, to generate persistence on the machine, obtain network information and geo-locate and then send the information to a C&C.
  • Pyark (Backdoor, Stealer, Exfiltration): Malware written in Python, usually used to create a backdoor by generating persistent tasks and gaining access to cameras, microphones, FTP, browsers, clipboard, etc., and then exfiltrating the information.

During this year we have seen different variants of LokiBot used by different groups, two or three of which have consistently stood out. In order to group most of them together, we studied the versions that have been distributed the most.

LokiBot entry vectors

LokiBot is a tool that this year has been largely distributed via attachments, using the Spear-Phishing Attachment technique.

The way to reach the targets was to send fraudulent emails to get the victim to download the attachment in order to execute the following step.

In the multiple versions that have been found, attaching an RTF (Rich Text Format) or DOC/XLS document has prevailed.

We found different variants of such documents. In one case, an .xlsx file exploited CVE-2017-11882, a stack buffer overflow in the Microsoft Office Equation Editor (EQNEDT32.EXE), to run malicious code from that legitimate component.

In the telemetry we would see this binary being launched and then executing the embedded malware.

In the RTF versions we would find a document whose content at first glance would not give us much information.

However, depending on the version of this type of file, the same exploit EQNEDT32.exe can be found inside it.

LokiBot malware variants

The waves of LokiBot campaigns, and the use of this tool by several groups, leave behind a large number of versions of the same malware that are functionally similar. Grouping all the versions together, two account for the majority of those seen in 2022.

The summary of both variants is as follows:

LokiBot variant 1

  • After downloading and executing the document, a download or execution of malicious scripts will be performed.
  • Subsequently, if it is a variant in which the next stage is downloaded, the download is carried out from PowerShell or cmd (for example with wget, the PowerShell alias for Invoke-WebRequest) and written to a script, usually named Done.vbs, although other names have been seen. Otherwise it directly executes a script with wscript.exe or cscript.exe.
  • Next, in the download case, a new explorer.exe is used to launch the script; otherwise, wscript.exe or cscript.exe runs it.
  • Afterwards, it would again perform a powershell execution to launch another obfuscated script that would end up in the injection of code to a legitimate software (using AppLaunch or InstallUtil among others).
  • After this step, we would have the Lokibot inside a legitimate process where it would start the tasks of this Malware.

LokiBot variant 2

  • After downloading and executing the document, an EQNEDT32 exploitation will be performed.
  • Subsequently, files will be created in temporary folders (Temp | Public | ProgramData), usually using the name vbc.exe, although other names have been seen.
  • This will create other files in temporary folders, on which it will later rely and which will serve as auxiliary files.
  • One of the created files is then launched in a suspended state and code taken from the auxiliary files is written into the memory of that process.
  • After this injection, we will have Lokibot inside a malicious process created by a loader.

How LokiBot infections usually work

Both variants of LokiBot have small differences, in that they sometimes rely on installers or introduce an extra step or omit another. But the vast majority have a similar thread of execution and their goal is usually to inject LokiBot into a process.

A general summary of how the vast majority of infections by this Malware would work is as follows:

LokiBot: Version 1

In the first version of LokiBot, the entire execution chain relies on obfuscated scripts to reach its target.

After the document is executed, wscript.exe or cscript.exe launches an obfuscated powershell.exe that attempts to download files disguised with .mp4, .png or similar extensions.

After this, it will invoke the execution of the downloaded file to launch a second obfuscated script. Depending on versions, it will invoke an explorer.exe that will launch a script left in temporary folders.

In both cases the script that is executed is large.

We see that the second part of the script will load a Portable Executable (PE) into a variable.

Extracting this binary, we obtain a .NET file whose purpose is to download another file from a second address and deobfuscate it.

Once the binary downloads, we get another file with a fake .pdf extension, which is another obfuscated script.

Reversing the code we get the information for the deobfuscation and we will see another MZ (PE) header.

This binary is well covered by detections on VirusTotal, which indicates that these final stages change less often than the earlier ones.

This file is another .NET file that will do the task of injecting code into another process, usually AppLaunch.exe or InstallUtil.exe, although it can use any binary related to .NET. Once injected, we would have the LokiBot inside a legitimate process using the Process Hollowing technique.

Once injected into the legitimate process, LokiBot will, depending on the version of the payload, collect information about the computer, users and browsers, among other data.
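Several of the stages above carry the next stage as a PE inside a script variable or inside a download with a fake extension. The following Python is an added example rather than code from this analysis: it carves such embedded executables out of an arbitrary blob, does not trust a bare “MZ” but follows e_lfanew to the PE signature, and then reads the optional header magic and the CLR data directory to tell whether the image is 32- or 64-bit and whether it is a .NET assembly, as the binaries in this chain are. The sample script blob and the header-only PE inside it are constructed for the demonstration.

```python
"""Carve and validate Portable Executable images embedded in a script or dump.

Added example, not the original analysis tooling. SCRIPT_PREFIX/SUFFIX and the
header-only PE built by build_fake_pe32() are constructed sample data.
"""
import struct

MZ = b"MZ"
PE_SIG = b"PE\0\0"
COFF_FMT = "<HHIIIHH"   # Machine, NumberOfSections, TimeDateStamp, PtrToSymTab, NumSyms, SizeOfOptionalHeader, Characteristics
CLR_DIRECTORY_INDEX = 14  # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR


def _parse_candidate(blob, pos):
    """Validate the 'MZ' at pos as a real DOS/PE header pair; return a summary or None."""
    if pos + 0x40 > len(blob):
        return None
    e_lfanew = struct.unpack_from("<I", blob, pos + 0x3C)[0]
    pe = pos + e_lfanew
    if not 4 <= e_lfanew <= 0x10000 or pe + 24 > len(blob) or blob[pe:pe + 4] != PE_SIG:
        return None
    machine, sections, _ts, _sym, _nsym, opt_size, _chars = struct.unpack_from(COFF_FMT, blob, pe + 4)
    opt = pe + 24
    if opt_size < 2 or opt + opt_size > len(blob):
        return None
    magic = struct.unpack_from("<H", blob, opt)[0]
    bitness = {0x10B: 32, 0x20B: 64}.get(magic)
    if bitness is None:
        return None
    # Data directories start 96 bytes into a PE32 optional header, 112 into PE32+.
    clr_entry = opt + (96 if bitness == 32 else 112) + CLR_DIRECTORY_INDEX * 8
    dotnet = clr_entry + 8 <= opt + opt_size and struct.unpack_from("<I", blob, clr_entry)[0] != 0
    return {"offset": pos, "machine": machine, "sections": sections, "bitness": bitness, "dotnet": dotnet}


def find_embedded_pe(blob):
    """Return a summary dict for every plausible PE header found in blob."""
    hits = []
    pos = blob.find(MZ)
    while pos != -1:
        hit = _parse_candidate(blob, pos)
        if hit:
            hits.append(hit)
        pos = blob.find(MZ, pos + 1)
    return hits


def build_fake_pe32(num_sections=3, dotnet=True):
    """Construct a header-only PE32 image (no code, not loadable) for the demo."""
    dos = bytearray(0x80)
    dos[0:2] = MZ
    struct.pack_into("<I", dos, 0x3C, 0x80)                  # e_lfanew -> right after the DOS header
    coff = PE_SIG + struct.pack(COFF_FMT, 0x14C, num_sections, 0, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                    # PE32 magic
    if dotnet:
        struct.pack_into("<II", opt, 96 + CLR_DIRECTORY_INDEX * 8, 0x2008, 0x48)  # CLR header RVA/size
    return bytes(dos) + coff + bytes(opt)


# Constructed dropper-style blob: script text with a decoy "MZ" inside a word, then the PE.
SCRIPT_PREFIX = b"# constructed dropper script; the decoy word AMZing is not a header\r\n$bytes = "
SCRIPT_SUFFIX = b"\r\n[Reflection.Assembly]::Load($bytes)\r\n"
FAKE_PE = build_fake_pe32()
SAMPLE_BLOB = SCRIPT_PREFIX + FAKE_PE + SCRIPT_SUFFIX


if __name__ == "__main__":
    for hit in find_embedded_pe(SAMPLE_BLOB):
        print(hit)
```

The decoy shows why the e_lfanew check matters: “MZ” occurs in ordinary text and in compressed data all the time, and a carver that dumps every occurrence buries the analyst in false positives. A non-zero CLR directory is what marks the .NET stages that later inject into AppLaunch.exe or InstallUtil.exe.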

LokiBot: Version 2

In the second version of this LokiBot, the Malware will base the whole execution thread on the use of different binaries to reach its target. These files will be launched in different folders to favour evasion.

After executing the document, we will obtain an EQNEDT32 exploiting the CVE-2017-11882 which will launch a binary in a temporary folder, in our case Public.

Our version contains a variant in which they have introduced an installer on top of the main execution.

We obtain a typical Nullsoft (NSIS) installer script, which indicates the folders where the auxiliary files to be used later will be saved and executed.

We then see a file svgsnex.exe being executed (the name differs in each version) followed by another with a commonly seen name, vbc.exe, which is also subject to change.

Now we can see the creation of the auxiliary files.

Analysing the file, we find the main function that shows that it will be performing a loop.

In this function, we can see that it will manipulate, check files and reserve memory space.

With these memory regions, it buffers data that it later writes into the memory of a process or thread. Because this runs in a loop, it retrieves data from its own memory and from the auxiliary files in turn.

This mechanism is used to relaunch the same executable, svgsnex.exe, with additional content built from the data contained in this second executable and the files dropped in temporary folders. The new process is normally started in a suspended state and the LokiBot code is injected into it.

Instead of taking advantage of a system or legitimate binary, as in the first version, it will use the same executable to inject itself with the LokiBot code. This way, we will see that the backdoor and stealer actions will be carried out by the same after the injection.
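Both chains leave a distinctive parent/child trail in process-creation telemetry. The following Python is an added example written for this article, not the original analysis tooling: it encodes the observable steps described in the two variant summaries (EQNEDT32.EXE spawning a child, wscript/cscript starting PowerShell or cmd, PowerShell starting AppLaunch.exe or InstallUtil.exe, vbc.exe running from Temp, Public or ProgramData, and a staged binary relaunching itself) as rules and runs them over constructed Sysmon-style events. The field names, process IDs and sample paths are assumptions about your log format.

```python
"""Flag the two LokiBot process chains in process-creation telemetry.

Added example, not part of the original analysis. SAMPLE_EVENTS are constructed
in a Sysmon Event ID 1 style (Image, ParentImage, CommandLine); the field names
are an assumption about the log source.
"""
import ntpath
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SHELLS = {"powershell.exe", "cmd.exe"}
INJECTION_TARGETS = {"applaunch.exe", "installutil.exe"}
# Drop folders used by variant 2 (Temp | Public | ProgramData).
STAGING_DIRS = re.compile(r"\\(temp|users\\public|programdata)\\", re.IGNORECASE)


def base(image):
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return ntpath.basename(image or "").lower()


def rule_eqnedt32_spawn(ev):
    """Equation Editor has no business spawning children; CVE-2017-11882 exploitation does."""
    return base(ev.get("ParentImage")) == "eqnedt32.exe"


def rule_script_host_to_shell(ev):
    """Variant 1: wscript/cscript launching an obfuscated PowerShell or cmd downloader."""
    return base(ev.get("ParentImage")) in SCRIPT_HOSTS and base(ev.get("Image")) in SHELLS


def rule_dotnet_hollowing_target(ev):
    """Variant 1 final stage: a shell starting AppLaunch/InstallUtil as the hollowing host."""
    return base(ev.get("Image")) in INJECTION_TARGETS and base(ev.get("ParentImage")) in SHELLS


def rule_staged_vbc(ev):
    """Variant 2: vbc.exe run from a staging folder; the real one lives under Microsoft.NET."""
    return base(ev.get("Image")) == "vbc.exe" and bool(STAGING_DIRS.search(ev.get("Image") or ""))


def rule_self_relaunch_from_staging(ev):
    """Variant 2 loader: a staged binary starting a fresh copy of itself (suspended, then injected)."""
    image = ev.get("Image") or ""
    return base(image) == base(ev.get("ParentImage")) and bool(STAGING_DIRS.search(image))


RULES = {
    "eqnedt32_spawn": rule_eqnedt32_spawn,
    "script_host_to_shell": rule_script_host_to_shell,
    "dotnet_hollowing_target": rule_dotnet_hollowing_target,
    "staged_vbc": rule_staged_vbc,
    "self_relaunch_from_staging": rule_self_relaunch_from_staging,
}


def detect(events):
    """Return a sorted list of (rule_name, ProcessId) for every event a rule matches."""
    hits = [(name, ev["ProcessId"]) for ev in events for name, rule in RULES.items() if rule(ev)]
    return sorted(hits)


SAMPLE_EVENTS = [  # constructed telemetry, not real incident data
    # Variant 1: document -> wscript -> obfuscated PowerShell -> AppLaunch host
    {"ProcessId": 1001, "Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": r'wscript.exe "C:\Users\victim\AppData\Local\Temp\Done.vbs"'},
    {"ProcessId": 1002, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r"powershell.exe -w hidden -nop -ep bypass -f C:\Users\Public\stage2.ps1"},
    {"ProcessId": 1003, "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "AppLaunch.exe"},
    # Variant 2: EQNEDT32 exploit -> vbc.exe in Public -> loader relaunches itself
    {"ProcessId": 2001, "Image": r"C:\Users\Public\vbc.exe",
     "ParentImage": r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "CommandLine": r"C:\Users\Public\vbc.exe"},
    {"ProcessId": 2002, "Image": r"C:\Users\Public\svgsnex.exe",
     "ParentImage": r"C:\Users\Public\svgsnex.exe",
     "CommandLine": r"C:\Users\Public\svgsnex.exe"},
    # Benign: the real VB compiler invoked by MSBuild, and a user opening PowerShell
    {"ProcessId": 3001, "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe",
     "ParentImage": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "CommandLine": "vbc.exe /noconfig @build.rsp"},
    {"ProcessId": 3002, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe"},
]


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit)
```

The rules deliberately key on relationships and locations rather than on file names alone: svgsnex.exe and Done.vbs change between waves, but Equation Editor spawning a process, a script host spawning PowerShell and a binary restarting itself from a user-writable folder do not.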

AI of Things (VII): Better data, better decisions

Esther Cardenal    27 June, 2022

Have you ever wondered if you are using the right strategies to improve your shop’s performance? Or what you need to do to improve the customer experience at the point of sale?

If so, it means you know the importance of analytics and insights to make impactful business decisions. It is natural to have doubts, especially if you don’t have the means to really quantify the benefits of your in-store strategies.

Data, a key asset for business

Data is a key enabler for business, as the difference between winning or losing a customer is the ability to collect, analyse and derive actionable information fast enough to respond to changing customer needs.

The only solution is to measure, but it’s not just about knowing the sales achieved at the end of each day, it’s about finding new ways to improve efficiency and personalise the customer experience. But what are the right metrics to measure efficiency in a shop? How can we know which customers are coming into our shops? What actions do I need to take?

Indoor insights for a complete funnel

The futuristic scenario introduced by Steven Spielberg in his 2002 film ‘Minority Report’, in which we saw Tom Cruise being greeted as he entered a shop and the advertising on the screens being personalised, is now a reality.

We can even get to know the profile of potential visitors to the area, how many come in and whether customers approach, look at and touch certain products.  It sounds like science fiction, but having the complete sales funnel is possible thanks to indoor insights.

You can identify which factors are negatively affecting your revenue and be proactive with shop improvements, providing you with measurable targets and a favourable ROI on your new technology investment by providing more accurate data on shop activities and new insights into customer behaviour and preferences.

Extracting valuable information from data

However, the amount of data can be overwhelming and the data sources can be very varied, so it is key to look for a partner that is able to unify all the data to provide the complete business funnel in a simple way.

  • Do you know the potential audience in the area where your shop is located? What are their web preferences, their tastes?
  • What is the conversion rate to the shop? How many come into your business? Which segment converts better or worse?
  • What is the actual conversion rate? Are they all customers? Or do they come in groups, families, couples?
  • Which doors or areas of the shop have the highest conversion rate? How long do they stay inside, how do they move around your shop?
  • What areas do they visit, where do they stay the longest? What products do they look at? Which ones do they touch?

These questions are important because knowing the answers gives you a real picture of how your business is performing, helps you solve problems, support new ideas or the creation of new products and services, and ultimately, actionability to improve revenue.

Use cases

As we already mentioned in a previous article, the combination of data from outdoor location analytics tools with data generated inside the shop through video or wifi analytics solutions enables multiple use cases:

  • Have end-to-end traceability of the sales funnel within the shop
  • Personalise marketing content according to the profile of the public that is visiting them at any given time;
  • Improve processes and manage resources by knowing dwell times in different areas, waiting times at checkout points, or conversion rates of previously analysed points of interest;
  • Optimise staff schedules according to demand, peaks, location or other factors;
  • Change product selection, assortment repositioning and even shop layout design based on audience type and conversion to specific products and areas.
  • Integration with the Proximity Marketing App to send messages to customers to alert them to the location of the self-checkout area if there are queues at the checkout counters on the floor where the customer is located; 
  • Integration with the content management platform to change dynamic marketing screen advertising or music based on the profile of customers in shop.

In short, we can conclude that having better data allows us to make better decisions in order to obtain more profit from our business, which is what all companies seek.

* * *

If you want to know more applications of the fusion of the Internet of Things and Artificial Intelligence, known to us as AIoThings, you can read other articles in the series:

Cyber Security Weekly Briefing, 18 – 24 June

Telefónica Tech    24 June, 2022

Microsoft Office 365 and Cloudflare services went down worldwide

Multiple web services were interrupted worldwide last Tuesday. The source of these incidents was Microsoft Office 365 on the one hand and Cloudflare on the other.

In the early hours of Tuesday morning, many users reported problems accessing Microsoft Office 365 services, including Exchange, Teams and SharePoint. Microsoft reported on its official Twitter account that the problems were caused by a failure in its traffic management infrastructure.

Cloudflare also suffered a massive outage on the same day, affecting well-known websites such as Amazon, Telegram, Twitch and GitLab.

The origin of this incident was caused by a change in the network configuration as part of an internal project to increase the resilience of its busiest locations, resulting in 19 of its data centres being affected. Both incidents have now been resolved and all services are operating as usual.


* * *

Critical vulnerability affecting QNAP NAS devices

QNAP has issued a security advisory about a vulnerability affecting its Network Attached Storage (NAS) devices.

According to the manufacturer, some of its NAS models are exposed to a critical PHP vulnerability disclosed three years ago, provided they are not running the default configuration.

The vulnerability, identified as CVE-2019-11043 and with a CVSSv3 score of 9.8, allows remote code execution in PHP-FPM for PHP versions 7.1.x below 7.1.33, 7.2.x below 7.2.24 and 7.3.x below 7.3.11.

The company indicates that, in order to exploit this vulnerability, both Nginx and PHP-FPM must be installed on the NAS server. If these conditions are met, the flaw will affect the following versions of its operating systems: QTS 5.0.X and later, QTS 4.5.X and later, and the following versions QuTS hero h5.0.x, QuTS hero h4.5.X, QuTSCloud c5.0.x.

In addition, QNAP informs customers that patches are available in QTS 5.0.1.2034 build 20220515 and later and QuTS hero h5.0.0.2069 build 20220614 and later.


* * *

Quantum: new tool for creating malicious LNK files

Cyble researchers have identified a new tool based on the creation of malicious .LNK files that is increasingly being used in the early stages of an attack.

The use of .LNK files with malicious code is not new, as they have been used to manipulate legitimate Windows system tools in malware infections such as Emotet, Bumblebee, Qbot and IcedID.

Using this new tool, called Quantum, attackers can easily bypass User Account Control or the SmartScreen component, load multiple payloads from a single .LNK, build HTA and ISO files, or execute malware with a delay.

The developers of the tool also claim that the generated files evade security solutions. Some versions of Quantum also include an exploit for the “DogWalk” vulnerability in the Windows Support Diagnostic Tool (MSDT), and Cyble links its use to the well-known APT Lazarus.


* * *

Cisco announces it will not fix vulnerability in Small Business RV routers

Cisco has warned users still using Small Business RV routers that the company has no plans to fix a new remote code execution vulnerability, which has been assigned a CVSS of 9.8.

The vulnerability, listed as CVE-2022-20825, is the result of insufficient validation of HTTP packets on the Small Business RV110W Wireless-N VPN Firewall, RV130 VPN, RV130W Wireless-N Multifunction VPN and RV215W Wireless-N VPN routers, and is exploitable when the remote management web interface is enabled on WAN connections.

According to the company, despite the severity of the flaw, there will be no patch or fix for the vulnerability, as these devices are currently out of support, and it has made it clear that the only possible mitigation is to disable the remote management interface.

The company has therefore recommended that its users migrate their operation to Cisco Small Business RV132W, RV160 and RV160W routers.


* * *

Critical vulnerability in TheHive and Cortex

Security firm StrangeBee has issued a security advisory to report a critical authentication bypass vulnerability discovered in TheHive and Cortex.

TheHive is an open-source security incident response platform widely used by companies around the world, while Cortex is a companion observable-analysis engine, also developed by StrangeBee.

The vulnerability, which was discovered by Przemysław Mazurek, allows to impersonate any account on the platform, including administrator accounts, as long as the Active Directory (AD) authentication module is enabled and used to authenticate users on these platforms.

The cause is that Active Directory accepts unauthenticated binds: if an authentication request for an existing account is sent via the TheHive/Cortex API with an empty password, AD answers the LDAP bind as successful but treats the session as anonymous, and the platform interpreted that success as a valid login.

This vulnerability, which does not yet have an identifier, affects TheHive versions 3 to 5 and Cortex 3, so it is recommended to upgrade to the latest version as soon as possible.
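The failure mode is a general one for any application that authenticates users by performing an LDAP simple bind on their behalf. The following Python is an added example modelled on the advisory, not code from TheHive or Cortex: FakeDirectory is a constructed stand-in that reproduces the relevant Active Directory behaviour (a bind with a name and an empty password succeeds as an anonymous session, per RFC 4513 section 5.1.2), and the two login functions show the vulnerable pattern beside the hardened one. Account names and passwords are constructed.

```python
"""Unauthenticated LDAP bind: why a login path must reject an empty password
before it ever reaches the directory.

Added example modelled on the TheHive/Cortex advisory, not code from either
project. FakeDirectory stands in for an Active Directory domain controller;
the accounts, passwords and the KNOWN_USERS set are constructed.
"""


class FakeDirectory:
    """Minimal model of Active Directory simple-bind behaviour.

    Per RFC 4513 section 5.1.2, a bind request carrying a name but an EMPTY
    password is an 'unauthenticated' bind: the server answers success, but the
    resulting session is anonymous, not the named user.
    """

    def __init__(self, accounts):
        self.accounts = accounts        # constructed: sAMAccountName -> password

    def simple_bind(self, username, password):
        """Return True when the directory would answer bindResponse success."""
        if username and password == "":
            return True                 # unauthenticated bind: success, but anonymous
        return self.accounts.get(username) == password


KNOWN_USERS = {"admin", "analyst"}      # accounts that exist in the application's own database


def login_vulnerable(directory, username, password):
    """Vulnerable pattern: 'the bind succeeded, therefore the caller is this user'."""
    if username not in KNOWN_USERS:
        return None
    return username if directory.simple_bind(username, password) else None


def login_fixed(directory, username, password):
    """Hardened: empty or blank credentials are refused before any bind is attempted,
    because a successful unauthenticated bind proves nothing about identity."""
    if username not in KNOWN_USERS or not password or not password.strip():
        return None
    return username if directory.simple_bind(username, password) else None


DIRECTORY = FakeDirectory({"admin": "S3cret-Adm1n", "analyst": "Tr1age!"})   # constructed


if __name__ == "__main__":
    print("vulnerable:", login_vulnerable(DIRECTORY, "admin", ""))   # admin
    print("fixed:     ", login_fixed(DIRECTORY, "admin", ""))        # None
```

Rejecting empty credentials client-side is the minimum. Where the LDAP library exposes it, issuing a “Who am I?” extended operation (RFC 4532) after the bind and comparing the returned authorization identity with the expected user closes the same gap even if a future code path forgets the check.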


Women’s Engineering Day: Building New Paths

Cristina del Carmen Arroyo Siruela    23 June, 2022

The term “engineer” comes from the Latin ingenium, ingenuity in English. The world of engineering has long been associated with men. But is ingenuity a purely masculine thing? Do women lack ingenuity?

In recent years, society has begun to normalise the presence of women in engineering or STEM careers. Gradually, it seems that some established stereotypes about women and their ability to pursue engineering careers are fading or disappearing.

What have been the steps to get to this point? What have been the foundations and the path to enable a woman to study engineering? Why does a woman study engineering or a technical degree?

Female Engineers Have Been Around for More Than 100 Years

Female presence in the field of engineering dates back to the period around the First World War (although it is probably earlier). The Women’s Engineering Society (WES) launched the Women’s Engineering Day initiative in the UK on June 23, 2014, on the occasion of its 95th anniversary.

The aim was to commemorate the inclusion of women in the world of engineering and to give visibility to the female presence, as well as to establish objectives with a view to achieving gender equality in this field. Today it is still celebrated with the same premises and demands, as these objectives have not yet been achieved.

There have been many outstanding female engineers in history, although most have not received enough recognition or value.

  • Ada Lovelace laid the foundations for the algorithms used in computers and programming today.
  • Edith Clarke contributed her knowledge so that today we can enjoy electricity without blackouts.
  • Hedy Lamarr, an actress of the Second World War era, contributed to what is today GPS, Wi-Fi or Bluetooth.

Women have been adding value to engineering for more than 100 years, even if they have not been properly recognised or even mentioned in school textbooks. They and many others laid the foundations and made important discoveries that led to incredible advances in the field of engineering.

Breaking Moulds and Stereotypes

Those female engineers, in spite of their outstanding value and knowledge, encountered many obstacles and stereotypes along the way that tried to stop them from succeeding because of their gender.

Fortunately, these women and others decided that they would not stand back and that, against everything imposed or established, they would demonstrate through their vocation, their passion for engineering and their desire to discover something greater that women can be scientists and engineers.

Unfortunately, some of these stereotypes remain today. Society has a moral obligation to break them down and eradicate them through the necessary actions and initiatives, especially in underdeveloped and developing countries.

When Do Women Develop an Interest in Engineering or STEM Careers?

Throughout childhood and youth, skills such as curiosity and a general interest in STEM-type areas and technologies are developed. 

Some girls may have wondered how some electronic devices work, how programmes are written, how mobile phones or telephones work, or how roads, train tracks, etc. are built.

Most of them will probably spend their afternoons jumping rope or playing video games. Others will be more interested in doing chemistry experiments or in understanding how a video game or programme is developed; they will find that more interesting than the chemical result or the game or programme itself. They will seek to understand how things work, and to modify and improve them.

It is currently reported that many girls lose interest in engineering, technology and STEM careers by the time they reach their teenage years.

This loss of interest is mainly associated with cultural barriers, which grow out of insecurity about choosing degrees that are known to be difficult or more male-dominated.

There are several programmes and cultural actions that aim to prevent this loss of interest and remove these fears and barriers, such as #LadyHacker, StemTalentGirl, and others.

And Why Do Women Study/Not Study Engineering or Technical Degrees? Do Female Engineers Have the Same Job Opportunities as Male Engineers?

Some women, either because of the stereotypes of the time or for various reasons, gave up their vocation as engineers to study “more girlish” careers, such as law or business.

In my case: “I started studying LADE because I was convinced that computer engineering was very difficult, according to some of my professors. Shortly afterwards I decided to accept my vocation, overcome my fears and after joining a group of engineers (all boys) at university with whom I shared passion and hours of study and research, I decided to reorient myself towards computer science and communications.”

According to a study by the OEI (Organisation of Ibero-American States for Education, Science and Culture), women represent only 13% of students in STEM or engineering degrees.

Nowadays, engineering degrees offer many job opportunities and are in great demand. They are considered difficult and highly competitive, and it is this thinking, as well as other social and cultural stigmas, that has in many cases limited women’s choice of these degrees.

Society must be made aware of the importance of engineering and technical careers, which provide an extraordinary education and the basis needed to face different professional challenges and develop in various fields.

In 2019, according to Eurostat’s statistical data, 41.1% of total employment in the science and engineering sector in the European Union corresponded to women. The same data indicated that in Spain, 49.3% of the national total in science and engineering corresponded to women. We will have to check whether this trend continues or improves once more up-to-date data become available.

The biggest gaps between men and women are in working conditions, salaries and promotion to more senior engineering positions. These gaps are especially pronounced in underdeveloped or developing countries.

Assembling and Advancing Along the Engineering Journey

The path consists of assembling, with all the tools available today, the pieces or keys necessary to achieve a situation in which women and men have full gender parity in the field of engineering, in all aspects (access to studies, working conditions and salaries, equal conditions for promotion, equal treatment and status, etc.).

It is society that must get involved in this path, in this change of paradigm that allows us to achieve equality in all areas of engineering: access to degrees, to jobs, having the same working conditions and salaries for both sexes and encouraging actions to recognise those female engineers forgotten by history, who did so much and contributed so much and who can serve as an inspiration to young women.

States and society in general must be proactively involved in all actions regarding access to STEM degrees, especially for girls and teenagers, who suffer the greatest gender inequality.

Ingenuity, curiosity, perseverance and passion are the elements needed to dedicate oneself to a career and profession in which, for those who practise it and venture into it, there are no limits: there is only technology, ingenuity, problem solving and a whole range of needs and possibilities to improve or create.

Engineering science is responsible for the welfare state currently enjoyed. Advances and the breaking down of boundaries in the field of engineering have led to substantial improvements in the welfare state: in homes, transport, communications, to name but a few.

Undoubtedly, the most important screw or mechanism to dedicate oneself to the world of engineering is ingenuity. Engineering provides the tools and knowledge that, together with the ingenuity of each human being, allow us to create, improve and build unimaginable things. Who is in?

Attacking login credentials

Telefónica Tech    22 June, 2022

An access credential is basically a username and password associated with a person, together with the access permissions granted to that person for an application, service or system. A user certificate, or any other form or method of authentication used to grant access to a resource such as an application, web page or service, can also be considered an access credential.

Access credentials are used on a daily basis by all kinds of user profiles, both experts in ICT systems and people unaccustomed to new technologies. This makes them a target for cybercriminals, who also require these credentials to achieve their goals.

Crimes aimed at obtaining access credentials are growing every year, with new techniques and mechanisms being implemented to try to obtain them.

Access credentials are essential in order to protect an organisation’s information and personal data, so it is important to be clear about which attacks are focused on obtaining them and what mechanisms and techniques they employ.

Attacks on passwords

One of the most common password attacks is brute force, which consists of guessing the password on a trial-and-error basis. This method begins by trying different combinations with personal data, data collected by other means or random data.

These attempts are automated with tools that facilitate the task and the search.

Dictionary attacks are another type of password attack. They exploit the malpractice of using a word as a password. As in brute force attacks, tools are used to automate the search process.

Photo: Mourizal Zativa / Unsplash

This cyber-attack uses dictionaries, which are text files containing words and character strings commonly used as passwords. There are many dictionaries on the internet, such as the widely used rockyou.txt dictionary.

If the cyber-attack is heavily targeted at a specific person, information about the victim is also usually collected (dates of birth, names of family members, pets, places where the victim has lived, etc.), and a customised dictionary is built from these and similar combinations to carry out the cyber-attack, taking advantage of the malpractice of using passwords based on personal data or likes and dislikes.

What can be done to prevent passwords from being vulnerable to these attacks?

Create strong passwords that meet the following guidelines:

  • At least 10 to 12 characters, combining different types of characters (upper case, lower case, numbers and symbols);
  • The following should not be used:
    • Simple words in any language (dictionary words);
    • Personal names, dates, places or personal data;
    • Words that are made up of characters close together on the keyboard;
    • Excessively short words.
  • Avoid using passwords consisting of elements or words that may be public or easily guessable (e.g., name + date of birth);
  • Create stronger and more robust passwords, totally different from others, to access critical services or applications.
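As an added example (not part of the original article), the following checker turns the guidelines above into code; the small wordlist and the personal data it is tested with are constructed, and in practice the wordlist would be a real dictionary such as rockyou.txt.

```python
"""Password guideline checker for the rules listed in the article.

Added example, not the article's own code. DICTIONARY is a constructed
stand-in for a real wordlist; the personal data used below is made up.
"""
import re

MIN_LENGTH = 12                  # the article's "at least 10 to 12 characters"
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]

# Constructed stand-in for a password dictionary such as rockyou.txt.
DICTIONARY = {"password", "welcome", "summer", "dragon", "football", "letmein", "contrasena"}


def keyboard_run(pw: str, run_len: int = 4) -> bool:
    """True if the password contains run_len keys that sit next to each other on the keyboard."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - run_len + 1):
            seq = row[i:i + run_len]
            if seq in low or seq[::-1] in low:
                return True
    return False


def contains_personal_data(pw: str, personal: list[str]) -> bool:
    """True if any personal token (name, year, pet, place...) of 3+ chars appears in the password."""
    low = pw.lower()
    return any(tok.lower() in low for tok in personal if len(tok) >= 3)


def contains_dictionary_word(pw: str, words: set[str] = DICTIONARY, min_len: int = 4) -> bool:
    """True if a dictionary word appears, ignoring case and the most common leetspeak substitutions."""
    low = pw.lower().translate(str.maketrans("@$013!", "asolei"))   # @->a $->s 0->o 1->l 3->e !->i
    return any(w in low for w in words if len(w) >= min_len)


def check_password(pw: str, personal: list[str] = ()) -> list[str]:
    """Return the list of guideline violations; an empty list means the password passes."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"]
    if not all(re.search(c, pw) for c in classes):
        problems.append("does not combine upper case, lower case, numbers and symbols")
    if contains_dictionary_word(pw):
        problems.append("contains a dictionary word")
    if personal and contains_personal_data(pw, list(personal)):
        problems.append("contains personal data")
    if keyboard_run(pw):
        problems.append("contains adjacent keyboard keys")
    return problems


if __name__ == "__main__":
    # Constructed personal data for a fictional user.
    me = ["Alice", "Rex", "1990", "Valencia"]
    for candidate in ["Summer2022!", "Qwerty1234!!", "Alice1990Rex!!!", "Violet-Harbour-93!Lamp"]:
        print(f"{candidate!r}: {check_password(candidate, me) or 'OK'}")
```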

Common mistakes in the use of passwords

Credential stuffing is a weakness that makes it easier for a brute-force or dictionary attack to succeed.

Password spraying is the technique of using a large number of stolen passwords (from a security breach) on a group of accounts (e.g., webmail accounts of employees of a company) to see whether any of them grant access. These attempts are automated with tools that throttle the login attempts so as not to trigger the alert systems of the site being targeted.

Photo: Ed Hardie / Unsplash

Here are some actions that can help counter these attacks or make a password less vulnerable to them:

  • Do not reuse passwords under any circumstances, especially those used for access to critical systems.
  • Enable MFA (multi-factor authentication) or 2FA (two-factor authentication) whenever the system being accessed allows it.
  • Consider access using factors other than the ‘username/password’ itself, such as:
    • Biometric systems such as fingerprint, iris, etc. 
    • Cryptographic tokens, by software or hardware
    • Coordinate cards
    • Access by OTP (One time password)
  • Avoid using your corporate account and email to register for non-corporate services.
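The throttled, many-accounts pattern described above is what a defender can key on. As an added example (not from the original article), the following detection logic runs over constructed login log lines and shows that a per-account lockout counter stays quiet while a per-source distinct-account count raises the alert; the log format and IP addresses are made up.

```python
"""Detecting password spraying in authentication logs.

Added example, not the article's code. SAMPLE_LOG is constructed in a simple
"timestamp login user=... src=... result=..." format; map real SSO or webmail
logs onto parse(). A sprayer keeps every account below the lockout threshold,
so per-account failure counters stay quiet; one source failing against many
distinct accounts inside a window is the signal to alert on.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOCKOUT_THRESHOLD = 5              # per-account failures that would normally trigger an alert
SPRAY_MIN_ACCOUNTS = 8             # distinct accounts failed from one source within the window
SPRAY_WINDOW = timedelta(minutes=30)

# Constructed sample: 203.0.113.7 tries one password against many accounts, two
# minutes apart, so no single account ever reaches the lockout threshold.
SAMPLE_LOG = """
2022-06-20T09:00:00 login user=alice src=198.51.100.4 result=FAIL
2022-06-20T09:00:03 login user=alice src=198.51.100.4 result=OK
2022-06-20T09:01:00 login user=alice src=203.0.113.7 result=FAIL
2022-06-20T09:03:00 login user=bob src=203.0.113.7 result=FAIL
2022-06-20T09:05:00 login user=carol src=203.0.113.7 result=FAIL
2022-06-20T09:07:00 login user=dave src=203.0.113.7 result=FAIL
2022-06-20T09:09:00 login user=erin src=203.0.113.7 result=FAIL
2022-06-20T09:11:00 login user=frank src=203.0.113.7 result=FAIL
2022-06-20T09:13:00 login user=grace src=203.0.113.7 result=FAIL
2022-06-20T09:15:00 login user=heidi src=203.0.113.7 result=FAIL
2022-06-20T09:17:00 login user=ivan src=203.0.113.7 result=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) login user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>OK|FAIL)$"
)


def parse(log: str) -> list[dict]:
    """Turn log text into a list of event dicts with a datetime 'ts' field."""
    events = []
    for line in log.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue                            # ignore lines that are not login events
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def per_account_failures(events: list[dict]) -> dict[str, int]:
    """Classic lockout-style counter: consecutive failures per account (a success resets it)."""
    counts: dict[str, int] = defaultdict(int)
    for ev in sorted(events, key=lambda e: e["ts"]):
        counts[ev["user"]] = counts[ev["user"]] + 1 if ev["result"] == "FAIL" else 0
    return dict(counts)


def detect_spraying(events: list[dict], min_accounts: int = SPRAY_MIN_ACCOUNTS,
                    window: timedelta = SPRAY_WINDOW) -> dict[str, set[str]]:
    """Return {src: accounts} for sources whose failures cover >= min_accounts
    distinct accounts inside any sliding window of the given length."""
    fails_by_src: dict[str, list] = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["result"] == "FAIL":
            fails_by_src[ev["src"]].append((ev["ts"], ev["user"]))
    alerts = {}
    for src, fails in fails_by_src.items():
        for i, (start, _) in enumerate(fails):
            users = {u for ts, u in fails[i:] if ts - start <= window}
            if len(users) >= min_accounts:
                alerts[src] = users
                break
    return alerts


def successes_after_spray(events: list[dict], alerts: dict[str, set[str]]) -> set[str]:
    """Accounts that logged in successfully from a spraying source: treat as compromised."""
    return {ev["user"] for ev in events if ev["result"] == "OK" and ev["src"] in alerts}


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    print("max per-account failures:", max(per_account_failures(evs).values()))   # 1, below lockout
    found = detect_spraying(evs)
    print("spraying sources:", {s: sorted(u) for s, u in found.items()})
    print("accounts to reset:", successes_after_spray(evs, found))                # {'ivan'}
```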

Social engineering

Social engineering attacks focused on obtaining passwords employ a variety of manipulation techniques to gather information that helps to obtain passwords and, in some cases, to obtain credentials directly.

Phishing, smishing, vishing and warshipping

These types of cyber-attacks mainly take advantage of misinformation and human naivety. They impersonate, by various mechanisms and means, a trusted manager or agent (bank, post office, tax authorities, etc.) in order to request the victim’s credentials. To do so, they use different entry vectors such as emails, SMS, calls or devices.

  • Phishing: A technique that consists of sending an e-mail with an urgent or eye-catching subject (banking matters, tax office, post office, etc.). The message contains a link or button that leads to a website designed to look very similar to the legitimate website of the entity being impersonated, which asks the victim to enter their credentials to log in. These fake websites record the credentials entered, pass them to the attackers and redirect the victim to the genuine website of the spoofed company or organisation. There are several variants of phishing, such as spear-phishing and whaling.
  • Smishing: A technique that consists of a cybercriminal sending an SMS to a user pretending to be a legitimate entity (social network, bank, public institution, etc.) with the same purpose as phishing.
  • Vishing: A phone call that uses phishing and social engineering techniques to obtain the user’s credentials, as in phishing and smishing.
  • Warshipping: A technological gift (usually a USB device or similar) infected with malware that, when connected to our systems, uses different mechanisms to obtain credentials and other data and send them to the cybercriminal. Baiting can also be included in this category: an infected USB device is given away at conferences or conventions, or through websites with pop-up windows, advertised prizes or other mechanisms.

Shoulder surfing

This technique consists of spying on the victim as they type in their credentials, either because they are in a public or insecure environment or because of the cybercriminal’s skill in perceiving the credentials they type in. In some cases, they gain the user’s trust by impersonating technical or trusted personnel, causing the victim to relax and enter credentials without fear.

It is therefore advisable to be aware of the environment you are in, being alert to any suspicious activity that may occur around you.

Dumpster diving attack

This technique aims to obtain information by searching through the victim’s rubbish. Attackers usually look for notes, notebooks and annotations that reveal the type of credentials in use, or a credential itself written down in a note or notebook.

The following guidelines are recommended in order to protect against social engineering attacks focused on obtaining credentials:

  • Use common sense and be cautious at all times.
  • Attend digital security awareness and training sessions. The first line of defence is the end user.
  • Avoid clicking on links that arrive via SMS or emails. Banks, for example, do not send SMS of the type used in these attacks. If you want to access these services and websites, do so through the official channels and routes they offer.
  • Use biometric logins and accesses such as facial recognition, fingerprint, etc.
  • Enable 2FA or MFA on all logins where possible.
  • Do not trust gifts from strangers and check them in advance with security software, under secure environments.
  • Do not trust any phone call requesting access credentials.

Other attacks on credentials

Other cyber-attacks against credentials use malicious software such as keyloggers. A keylogger is a programme that records everything typed on the computer infected with it. Cybercriminals install them beforehand by infecting the victim’s computer via USB, email or any other known attack vector.

Another cyber-attack that may be aimed at obtaining credentials is Man in the Middle. This involves intercepting communication between two or more parties, impersonating one or the other as desired, in order to view and obtain information and modify it at will.

Once communications have been intercepted, the responses received at either end may have been manipulated or may not have come from the legitimate interlocutor. The attacker can therefore use social engineering techniques in these messages, send malicious attachments to install software, or use spoofing techniques to steal the victim’s passwords.

The metaverse will be a means, not an end, for companies

Álvaro Alegría    20 June, 2022

If one thing is clear at this stage in 2022, it is that the buzzword of the year in the technology and business world will be: metaverse.

What is less clear is what the metaverse actually consists of and what opportunity it will represent in the medium and long term for companies. The metaverse will undoubtedly be an opportunity. But to understand it, it is necessary to be clear about some basic concepts. What it is and what it is not.

The first thing we need to understand is that the metaverse does not yet exist, but it is currently under construction. When it actually exists, it will constantly evolve and mutate. After all, the metaverse will be, in reality, the sum of multiple individual universes connected to each other.

What is the metaverse?

This concept is best understood by making an analogy with the internet, as the internet is not a web page, but the sum of millions of web pages. What makes the metaverse different from the internet is that the universes will be interconnected in such a way that any one of us, as a user, will be able to move from one to another without friction.

The next thing to keep in mind is that each universe will have its own characteristics that will differentiate it from the rest and make it unique. These characteristics will define multiple aspects such as the ownership of the metaverse (centralised or decentralised), its focus (generalist or verticalised), the target audience to which they aspire, the type of experiences they will offer or their internal economics.

Like social media, the metaverse must be a means to achieve the company’s strategic objectives

Should companies enter the metaverse?

It will be essential for companies to understand all these differences in order to be able to make the best decisions when defining their metaverse adoption strategy. The metaverse is not an end but must be a means to achieve the company’s strategic objectives.

Once again using an analogy, we can consider each universe of the metaverse as a social network. Presence on social networks is not an end for companies but a means to achieve multiple objectives: branding, customer service, funnel generation, etc. That is why communication departments devote enormous efforts to designing their social network strategy and have employees specialised in its management.

Each social network has a different audience, a different approach and even specific codes that are shared and recognised by the entire community. Getting the most out of them is complicated and therefore, the first decision that companies must make is which social network or networks they want to be present on and discard the rest.

Photo: Mo / Unsplash

The same approach should be followed with the metaverse. Each company must analyse the multiple universes within its reach and make the decision as to which one or ones are the ones in which it will have the best chance of achieving its objectives as a company.

The potential of the metaverse for business

Going back to the characteristics I mentioned earlier, I would like to quickly explain some of them to make it clear how important it is to understand the differences:

  • Centralisation: Universes can be divided into two broad groups based on how they are governed. Universes can be owned by a company that has total control (centralised control) over the technology, data and economy of the universe. Or, in contrast, they can be owned by all the members of the universe, who govern them through democratic mechanisms (decentralised power). Decentralisation sounds idyllic from a theoretical point of view, but companies will have to assess whether they want to take the risk of being at the mercy of community decisions or prefer the stability that a centralised universe will provide.
  • Focus: Most of the universes that exist today have evolved naturally from the world of online video games and are therefore very focused on entertainment. However, many of the big tech companies are working on other proposals. It is to be expected, for example, that Meta (formerly Facebook) will opt for a generalist universe in which the experience is not focused only on entertainment. Companies such as Microsoft and NVIDIA are building proposals focused on workplace relationships and on industrial development, respectively.
  • Economy: The metaverse is already a new economy in which hundreds of millions are being moved. I have not expressly mentioned whether in dollars or euros because, in reality, the economy of the metaverse is, today, almost exclusively linked to cryptocurrencies. And this is also important to bear in mind for several reasons. First, because the adoption of the metaverse will probably be the definitive push for many large and medium-sized companies to include cryptocurrencies in their balance sheets. Secondly, because several universes operate with their own cryptocurrency, which gives them enormous power over the internal economy of the universe.

In the medium term, it is most likely that, as is already the case with social networks, companies will have a multi-channel presence in the metaverse, adapting the message to the characteristics of each one of them.

The potential it offers is enormous and in another article we will be explaining the different strategies that can be used to take advantage of it.


Cyber Security Weekly Briefing, 13 – 17 June

Telefónica Tech    17 June, 2022

Hertzbleed. New side-channel attack on AMD and Intel processors

Security researchers at several US universities have discovered a new side-channel attack affecting Intel and AMD processors, called Hertzbleed.

What is remarkable about this attack is that it could allow an attacker to extract cryptographic keys from remote servers. This is due to the fact that, under certain circumstances, the Dynamic Voltage and Frequency Scaling (DVFS) system of modern x86 processors depends on the data being processed, so that the same program can run at different CPU frequencies depending on its input.

Both Intel (CVE-2022-24436) and AMD (CVE-2022-23823) have already identified the vulnerability and issued the corresponding security advisories.

According to the researchers who discovered Hertzbleed, neither firm plans to release patches for these flaws.

* * *

PACMAN. New attack against Mac devices

Security researchers at MIT CSAIL have discovered a new attack that could evade Pointer Authentication (PAC) on Apple’s M1 processors.

PAC is a security mechanism which cryptographically signs certain pointers and allows the operating system to detect and block unexpected changes. If these changes are not detected, they could lead to information leaks or system compromise.

This attack would allow threat actors to access the file system and execute arbitrary code on vulnerable Macs. To do so, attackers must first find an existing memory read/write flaw in software on the victim’s Mac, one that PAC would otherwise block; bypassing pointer authentication then increases the severity of that flaw.

In addition, it would be necessary to know the PAC value of a particular pointer on the target. This new attack technique was reported to Apple in 2021, along with a proof of concept, although the company indicates that it does not pose an immediate risk to Mac users, as it requires the exploitation of another flaw, and it is not possible to bypass security systems on its own.

More info: https://pacmanattack.com/

* * *

Citrix fixes two vulnerabilities in ADM

Citrix has released a critical security bulletin fixing two vulnerabilities in Citrix Application Delivery Management (ADM).

The first flaw, listed as CVE-2022-27511, is due to improper access control, and could allow an attacker to reset the administrator password after a device reboot, allowing SSH access with the default administrator credentials.

In addition, Citrix has fixed another security flaw (CVE-2022-27512) that, if successfully exploited, could result in a temporary outage of the ADM license server, causing Citrix ADM to be unable to issue new or renew licenses.

Both flaws affect Citrix ADM versions 13.1 before 13.1-21.53 and Citrix ADM 13.0 before 13.0-85.19. The firm urges users to upgrade Citrix ADM server and Citrix ADM agent as soon as possible.

* * *

Microsoft Exchange servers compromised to deploy BlackCat ransomware

The Microsoft 365 Defender threat intelligence team has reported two security incidents where the BlackCat ransomware was deployed.

On the one hand, the exploitation of an unpatched Exchange server was detected as an entry vector. After this initial access, the attackers moved through the affected network, stealing credentials and exfiltrating large amounts of information to be used for double extortion. Two weeks after the initial access, the ransomware was deployed. It is worth mentioning that Microsoft has not reported which vulnerability was exploited.

Another incident involved compromised credentials on an internet-facing remote desktop server as the entry vector; the attackers subsequently gained access to passwords and other information and ultimately deployed the BlackCat payload to encrypt data.

* * *

Office 365 feature makes it easy to encrypt files in the cloud

Security researchers at Proofpoint have discovered a feature in Office 365 that could allow ransomware operators to encrypt files stored in SharePoint Online and OneDrive, making them unrecoverable without backups or the attacker’s decryption key.

The researchers focused on these two cloud applications because they are the most widely used in enterprise environments. The only requirement for both SharePoint Online and OneDrive is initial access, which can be achieved by compromising the user’s account (through phishing, brute-force attacks, etc.), by tricking the user into authorising third-party OAuth applications that grant access to these platforms, or through session hijacking, either of a logged-in user’s web session or of an API token for SharePoint and/or OneDrive.

Once accessed, the attack relies on exploiting the “AutoSave” functionality, which allows users to create cloud backups of old versions every time they edit their files. What the attacker does is to reduce the limit of file versions that can be stored to a very small number and encrypt the file more times than the limit that has been entered.

In this way, the versions of the files that had been saved prior to the attack are lost and only the encrypted versions are available in the cloud account.

Proofpoint has reportedly alerted Microsoft, which has indicated that the functionality works as it should and that old versions of files can be recovered for 14 days with the help of Microsoft Support.

We have a brand-new website! Get to know the new Telefónica Tech Cyber Security & Cloud website

Nacho Palou    17 June, 2022

Telefónica Tech is constantly growing and working to be the technological partner of companies in their digital transformation process.

As part of this purpose, Telefónica Tech Cyber Security & Cloud launches its new website, a space that we have developed and designed entirely in house and that allows us to promote and share our entire value proposition with our customers better than ever:

Telefónica Tech’s Cyber Security & Cloud business unit drives the digital transformation of companies, public administrations and organisations by applying the capabilities of the most advanced Cloud technologies so that they can reach their maximum potential, while always reducing the associated risks thanks to professional services managed by our team of certified experts.

The new website represents who we are as digital solution providers and reinforces our position as a benchmark in the market

The new Telefónica Tech Cyber Security & Cloud website brings together more than 140 solutions and products that, together with our partner ecosystem, we offer to our B2B customers in the business sectors in which we specialise, such as banking, industry, education and healthcare, among others.

Learn how our digital solutions drive business in the real world

The new Telefónica Tech Cyber Security & Cloud website, in collaboration with our customers, provides audiovisual resources, whitepapers, infographics and testimonials on some of the case studies that show how our technologies can contribute to the digital transformation of businesses, companies and organisations of any size and sector.

Recent examples include:

  • La Marina de Valencia, the 4.0 port that continues to advance in its digital transformation by applying IDoT – technologies related to Cybersecurity, Cloud Computing, certification and 5G connectivity – and which already has intelligent points of light and water supply to reduce its water and environmental footprint.
  • Thanks to 5G technology and Edge Computing combined with Virtual Reality, IE University students can connect remotely and interact with professors and peers in an immersive and enjoyable virtual space that enhances their performance and enables innovative learning resources.

Find out why Telefónica Tech is a benchmark in knowledge technologies

Based on our numerous research, development, analysis and dissemination projects, the innovation area and cybersecurity laboratory make Telefónica Tech Cyber Security & Cloud an international benchmark in solutions that offer companies a reliable, secure and resilient digital transformation.

Our new website makes it easier for users to navigate and helps them find what they need. We have gathered all the information about our innovation centres, patents, technologies… We have also created a lot of content about Cybersecurity and Cloud technologies and all the initiatives we are carrying out to share our knowledge with industries, start-ups, students and universities.

Come and visit us at https://cybersecuritycloud.telefonicatech.com/en. We’d love to hear from you and get feedback to help us improve. Thank you!