Cloudflare Revolutionizes CAPTCHAs

Turnstile, a new project from Cloudflare, aims to replace the CAPTCHAs now used across the web to confirm that a visitor is human rather than a bot.

Turnstile runs a rotating set of "browser challenges" to verify that a visit comes from a real browser rather than a bot, without asking the user to solve a puzzle. The service is free to all website owners, whether or not they are Cloudflare customers. The company also says its CAPTCHA replacement improves user privacy, since sites that adopt it do not need to hand user data to Cloudflare.
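The client-side widget only produces a token; the security-relevant step is the site's own server-side check of that token, because anything the browser reports can be forged. The following is an added example (not code from the article or from Cloudflare) of that check in Python. The endpoint and the response fields (`success`, `hostname`, `action`, `error-codes`) follow Cloudflare's public Turnstile documentation; the 2048-character token bound, the `post` transport hook and all sample replies are assumptions constructed for the demo.

```python
"""Server-side validation of a Cloudflare Turnstile token.

Added example, not code from the article or from Cloudflare. Endpoint and
response field names follow Cloudflare's public Turnstile documentation;
MAX_TOKEN_LEN, the injectable transport and the sample replies are assumed.
"""
import json
import urllib.parse
import urllib.request

SITEVERIFY_URL = "https://challenges.cloudflare.com/turnstile/v0/siteverify"
MAX_TOKEN_LEN = 2048  # assumed upper bound on a cf-turnstile-response token


def _post_form(url, fields):
    """Default transport: POST a form body and return the parsed JSON reply."""
    data = urllib.parse.urlencode(fields).encode()
    with urllib.request.urlopen(url, data=data, timeout=5) as resp:
        return json.load(resp)


def verify_turnstile(token, secret, expected_hostname, expected_action=None,
                     remote_ip=None, post=_post_form):
    """Return (ok, reason).

    ok is True only when Cloudflare confirms the token AND the token was
    issued for our hostname (and for our form's action, if we set one).
    `post` is injectable so the function can be exercised offline.
    """
    if not token or len(token) > MAX_TOKEN_LEN:
        return False, "missing-or-oversized-token"
    fields = {"secret": secret, "response": token}
    if remote_ip:
        fields["remoteip"] = remote_ip
    try:
        reply = post(SITEVERIFY_URL, fields)
    except Exception as exc:  # network or JSON failure: fail closed
        return False, "siteverify-unreachable:" + exc.__class__.__name__
    if not reply.get("success"):
        return False, "cloudflare-rejected:" + ",".join(reply.get("error-codes", []))
    # If the sitekey is enabled for several hostnames, a token solved on one
    # of them verifies for all; pinning hostname and action binds the token
    # to this deployment and this specific form (login, signup, ...).
    if reply.get("hostname") != expected_hostname:
        return False, "hostname-mismatch"
    if expected_action is not None and reply.get("action") != expected_action:
        return False, "action-mismatch"
    return True, "ok"


# Constructed stand-in for the siteverify endpoint so the demo runs offline.
CONSTRUCTED_REPLIES = {
    "good-token": {"success": True, "hostname": "shop.example", "action": "login"},
    "wrong-host": {"success": True, "hostname": "evil.example", "action": "login"},
    "expired":    {"success": False, "error-codes": ["timeout-or-duplicate"]},
}


def fake_transport(replies):
    """Return a post() replacement that answers from a dict of canned replies."""
    def post(url, fields):
        return replies[fields["response"]]
    return post


if __name__ == "__main__":
    post = fake_transport(CONSTRUCTED_REPLIES)
    for tok in ("good-token", "wrong-host", "expired", ""):
        print(repr(tok), verify_turnstile(tok, "secret", "shop.example", "login", post=post))
```

The important design choice is that every failure path returns a reason rather than raising, and that a transport error is treated as a rejection: a verifier that falls open when the siteverify call fails is worse than no verifier.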

Back in June 2022, Cloudflare said that iOS and macOS users would be the first to benefit from the technology when visiting sites hosted on the company's network.

It remains to be seen whether website owners will adopt Turnstile in place of their current CAPTCHA. According to one widely cited statistic, roughly 97.7% of the top million websites that use a CAPTCHA rely on Google's reCAPTCHA, the market's most popular tool. To lower the barrier to adoption, Cloudflare is developing plugins for popular platforms such as WordPress.

Turnstile appears to be a fairer CAPTCHA system for several reasons.

Security researchers have criticized the most recent version of Google's reCAPTCHA on privacy grounds: it weighs the presence of a proprietary Google cookie in the browser when scoring whether a user is malicious. Cloudflare claims that Turnstile avoids this problem for all users.

It is worth noting that users who run privacy tooling that blocks third-party cookies (often marketed as protection against cookie hijacking) can receive harder or repeated verification, precisely because reCAPTCHA weights cookie presence. Users who routinely clear their cookies to avoid being tracked across the web run into the same problem.

Turnstile gives website owners an alternative to Google's dominance of CAPTCHA services.

It is hard to see Cloudflare's Turnstile as anything but a positive development right now: a privacy-focused solution that also aims to improve user experience. Still, only time will tell whether Turnstile manages to displace existing CAPTCHAs.

DDoS Attacks Target Major U.S. Airports

Websites of several major U.S. airports were unreachable early on Monday, October 10, 2022, after a coordinated distributed denial-of-service (DDoS) attack. Officials said flights were unaffected.

In a DDoS attack, participants flood a site with junk traffic until it can no longer serve legitimate requests. These attacks were organized by a group calling itself Killnet, which posted its target list on its Telegram channel the day before.

Although DDoS attacks are highly visible and designed for maximum psychological impact, they are mostly a nuisance. That sets them apart from intrusions, which involve breaking into networks and can cause severe damage.

John Hultquist, vice president of intelligence analysis at Mandiant, tweeted on Monday that both the state government and airport assaults “are what we make of them,” describing the DDoS impact as superficial, brief, but highly noticeable. However, the post added that he is concerned that we may be entering a new phase of increased targeting in the U.S. that might include more severe incidents.

Hultquist also stated, "These are not the serious impacts that have kept us awake." Most of the time, these attacks show that website operators aren't doing enough to protect their sites, which today includes using a DDoS protection service.

Los Angeles International Airport issued a statement saying it had experienced some difficulties early that morning, but that the outage was limited to its website and no internal airport systems were affected. LAX added that it had notified the Transportation Security Administration and the FBI.

Atlanta's international airport said that its website was back online after the DDoS attack and that airport operations were never affected.

A CISA spokesperson said the agency was aware of reports of DDoS attacks against numerous U.S. airport websites and was coordinating with potentially affected entities and offering assistance as needed.

Killnet announced the airport attacks on its Telegram account at 6:50 a.m. EST, an hour before the first target, Chicago O'Hare, was hit.

DDoS attacks are mostly a nuisance, but they can be disruptive. They are usually carried out by a group or organization, with targets chosen in advance. The U.S. is not the only country hit; similar attacks have occurred worldwide. While most are not severe, website operators should be aware of them and take steps to protect their sites.

Cybersecurity Attack Hits U.S. Healthcare System

On October 4, 2022, a cybersecurity incident disrupted CommonSpirit Health. With more than 150,000 employees and 20,000 physicians serving 21 million patients, CommonSpirit is the second-largest nonprofit hospital system in the nation, operating more than 1,000 care sites and 140 hospitals across 21 states.

CommonSpirit announced that it is investigating an "IT security issue." While the full extent of the attack is unknown, it has already caused significant disruption for patients and staff.

Some of MercyOne Des Moines Medical Center's IT systems, including access to electronic health records, were taken offline. CHI Health, a CommonSpirit subsidiary based in Nebraska, reported outages across its Omaha hospitals.

Although it is not yet clear how the incident occurred or what information, if any, was compromised, it illustrates the vulnerability of the U.S. healthcare system to cyberattacks.

The healthcare system in the United States has been the target of numerous high-profile attacks, including University Medical Center Southern Nevada, Eskenazi Health, and Kaiser Permanente. In 2022, at least 15 U.S. health systems were affected by ransomware, and 12 of those incidents involved compromising personal health information.

Cybersecurity attacks on healthcare facilities can seriously affect patients, staff, and the hospital’s operations. These incidents can lead to the loss of essential data, disruptions in care, and financial damages.

Healthcare organizations can reduce the likelihood and impact of cyberattacks by adopting strong security policies, investing in robust security technologies, and training employees to recognize and respond to threats. Together, these measures limit the harm such incidents do to patients, staff, and facilities.

Updated Malware Attacks Point of Sale Devices

This year, security researchers have found three updated versions of the Prilex malware, which targets point-of-sale (PoS) systems.

Prilex first appeared in 2014 as malware targeting ATMs. It shifted to PoS devices in 2016, reached its peak activity in 2020, and then faded from view in 2021.

Analysts at Kaspersky say Prilex is back, and this time a more advanced and dangerous version has resurfaced. According to the report, the latest version can generate EMV (Europay, Mastercard, and Visa) cryptograms, which the report describes as a transaction validation mechanism introduced by Visa to help detect and stop payment fraud.

The Kaspersky report explains that this lets the threat actors use EMV cryptograms to perform "GHOST transactions" with credit cards protected by chip-and-PIN technology.
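To see why generating cryptograms matters, it helps to look at what a cryptogram binds. The following is an added example, not code from the article or from Kaspersky's report, and it is deliberately not the real EMV algorithm: real ARQC generation uses card-specific keys derived from an issuer master key and 3DES or AES MACs over the terminal's CDOL data. Here HMAC-SHA256 stands in for that MAC, and the key, amounts, counters and nonces are constructed for the demo. What the example does show faithfully is the binding: the cryptogram covers the amount, the card's Application Transaction Counter (ATC) and the terminal's unpredictable number, so a captured cryptogram cannot be replayed or re-used with a different amount, and only a cryptogram freshly computed by the card itself is accepted.

```python
"""Why an EMV-style cryptogram defeats replay of captured card data.

Added example, not from the article or Kaspersky's report. HMAC-SHA256 is a
stand-in for the real EMV ARQC MAC (3DES/AES over CDOL data with card-derived
keys); the key, amounts, ATC values and nonces below are constructed.
"""
import hashlib
import hmac
import struct


def make_cryptogram(card_key: bytes, amount_cents: int, atc: int,
                    unpredictable: bytes) -> bytes:
    """Card side: MAC over amount, ATC and the terminal's unpredictable number.

    Every field is inside the MAC, so changing any of them yields a different
    cryptogram. Truncated to 8 bytes, like a real ARQC.
    """
    msg = struct.pack(">QH", amount_cents, atc) + unpredictable
    return hmac.new(card_key, msg, hashlib.sha256).digest()[:8]


class IssuerHost:
    """Issuer side: recomputes the cryptogram and enforces a monotonic ATC."""

    def __init__(self, card_key: bytes):
        self.card_key = card_key
        self.last_atc = -1

    def authorize(self, amount_cents: int, atc: int, unpredictable: bytes,
                  cryptogram: bytes):
        # The ATC must move forward: an exact replay of an earlier request
        # fails here before any cryptography is done.
        if atc <= self.last_atc:
            return False, "atc-replay"
        expected = make_cryptogram(self.card_key, amount_cents, atc, unpredictable)
        if not hmac.compare_digest(expected, cryptogram):
            return False, "bad-cryptogram"
        self.last_atc = atc
        return True, "approved"


def demo():
    """Run four authorization attempts and return their (ok, reason) results."""
    key = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed card key
    issuer = IssuerHost(key)
    nonce = b"\x01\x02\x03\x04"

    # 1. Legitimate purchase: the card computes the cryptogram for this exact data.
    c1 = make_cryptogram(key, 1999, 10, nonce)
    r1 = issuer.authorize(1999, 10, nonce, c1)

    # 2. Attacker captured c1 and tries to spend more with the next ATC: MAC mismatch.
    r2 = issuer.authorize(49999, 11, nonce, c1)

    # 3. Attacker replays the original request byte-for-byte: ATC already used.
    r3 = issuer.authorize(1999, 10, nonce, c1)

    # 4. A cryptogram the card itself computed over attacker-chosen data passes.
    #    This is why malware that can make a genuine card sign extra transactions
    #    (what the report calls a "GHOST transaction") is so much more dangerous
    #    than malware that merely records card data.
    nonce2 = b"\x0a\x0b\x0c\x0d"
    c4 = make_cryptogram(key, 49999, 12, nonce2)
    r4 = issuer.authorize(49999, 12, nonce2, c4)
    return r1, r2, r3, r4


if __name__ == "__main__":
    for label, result in zip(("legit", "tampered-amount", "replay", "fresh-ghost"), demo()):
        print(f"{label:16s} {result}")
```

The fourth case is the one that matters for the story: the issuer cannot distinguish a cryptogram the card produced at the cardholder's request from one it produced because a compromised terminal asked it to, which is why the authorization controls on the issuer side (velocity, merchant and amount policy) remain necessary even with chip-and-PIN.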

The infection starts with a spear-phishing email, purportedly from a technician at the PoS vendor, stating that the company's PoS software needs an update. A fake technician then visits the target's premises and installs a malicious "upgrade" on the PoS terminals. Alternatively, the attackers instruct the victim to install the AnyDesk remote access tool and use it to replace the PoS firmware with a tampered version.

Once a machine is infected, the operators check whether the target processes enough financial transactions to be worth their time.

The new version of Prilex includes a backdoor for command and control. It can open files, run commands, terminate processes, modify the registry, and record the screen, among other functions. Captured card data is encrypted and stored locally on the infected computer, and the malware periodically contacts its control server.

Kaspersky concluded that the Prilex group has deep knowledge of how credit and debit card transactions work and how payment-processing software operates. That knowledge lets the attackers keep updating their tools until they find a way around the authorization policies and carry out their attacks.

Microsoft 365 Accounts Targeted In New BEC Scam

Recently, researchers at Mitiga sounded the alarm about a new Business Email Compromise (BEC) campaign. They first found evidence of it while responding to another incident and have since watched the campaign grow in scope and scale.

Here’s how the attack works:

The target receives an email that appears to come from a bank, explaining that the corporate account they usually send payments to has been frozen while a financial audit is under way.

In the meantime, the email says, anyone who needs to send payments can follow the instructions below the message.

The instructions appear to sit inside a document behind a DocuSign prompt, DocuSign being an e-signature and contract platform widely used in the corporate world.

To access the instructions, the potential victim must press the "Review Documents" button, which hands them off to a website controlled by the attackers.

These sites typically carry names resembling legitimate companies the victim knows, but a careful review of the URL reveals a deliberate misspelling of the real domain, the practice known as "typosquatting."

On this page, the victim is asked to sign in with their Microsoft account. If they do, they inadvertently hand the attackers their Microsoft 365 credentials, which can later be used for any purpose the attackers choose.

On the face of it, this may not seem terribly convincing, but the attackers employ several tricks to make it look legitimate. Chief among them: they hijack existing email threads and interrupt them, so to a reader who isn't paying close attention, the instructions appear to come from someone they are already in an ongoing conversation with.
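The one check in this chain that a mail gateway or a careful user can actually automate is the "careful review of the URL" behind the Review Documents button. The following is an added example, not code from Mitiga or the article, that flags typosquatted and lookalike hostnames: it normalizes common character substitutions, measures edit distance against a list of known-good domains, and separately catches a brand name embedded in someone else's domain. The known-good list, the substitution map, the distance threshold and the sample URLs are all constructed for the demo; a production version would resolve the registrable domain with the Public Suffix List rather than taking the last two labels.

```python
"""Flag typosquatted or lookalike hostnames behind a phishing link.

Added example, not from Mitiga's report or the article. KNOWN_GOOD, the
substitution map, MAX_DISTANCE and the sample URLs are constructed.
"""
from urllib.parse import urlsplit

# Constructed allow-list of registrable domains the victim legitimately uses.
KNOWN_GOOD = {"docusign.com", "docusign.net", "microsoft.com",
              "microsoftonline.com", "live.com"}
MAX_DISTANCE = 2  # assumed: one transposition or two character edits


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Last two labels; fine for .com/.net demos, use the PSL in production."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def normalize(domain: str) -> str:
    """Undo the most common visual substitutions (0->o, 1->l, 3->e, 5->s, rn->m, vv->w)."""
    return (domain.translate(str.maketrans("0135", "oles"))
                  .replace("rn", "m").replace("vv", "w"))


def classify_link(url: str, known_good=KNOWN_GOOD, max_distance=MAX_DISTANCE) -> str:
    """Return 'trusted', 'typosquat:<target>', 'lookalike:<target>' or 'unknown'."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if parts.scheme not in ("http", "https") or not host:
        return "unknown"          # javascript:, data:, mailto: ... never trusted
    domain = registrable_domain(host)
    if domain in known_good:
        return "trusted"
    # 1. Misspelling or homoglyph of a known domain (docusing.com, micros0ft.com).
    candidates = sorted(known_good)  # deterministic tie-break
    best = min(candidates, key=lambda good: levenshtein(normalize(domain), good))
    if levenshtein(normalize(domain), best) <= max_distance:
        return f"typosquat:{best}"
    # 2. Real brand name used as a subdomain or label of an unrelated domain
    #    (docusign.secure-review.example). The registrable domain is what the
    #    browser actually trusts, not the leading label.
    for good in candidates:
        brand = good.split(".")[0]
        if brand in host:
            return f"lookalike:{good}"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample links of the kind a "Review Documents" button might carry.
    for link in ("https://docusign.com/review",
                 "https://www.docusing.com/review",
                 "https://login.micros0ftonline.com/",
                 "https://docusign.secure-review.example/",
                 "https://example.org/",
                 "javascript:alert(1)"):
        print(f"{classify_link(link):32s} {link}")
```

Two caveats a practitioner should keep in mind: the edit-distance check is only as good as the allow-list, and the brand-substring check will produce false positives for short brand names (here `live`), so in a gateway this belongs in a scoring pipeline rather than a hard block.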

So far, the campaign has been devastatingly effective, so keep your guard up and scrutinize any payment-instruction change, however familiar the thread looks.