News Items

  • news

    Paper on One-Way Functions Wins NSA Paper Competition

    "On One-way Functions and Kolmogorov Complexity" wins the 9th Annual Best Scientific Cybersecurity Paper Competition. This paper was written by Yanyi Liu from Cornell University and Rafael Pass from Cornell Tech.

    An honorable mention award was given to "Retrofitting Fine Grain Isolation in the Firefox Renderer", written by Shravan Narayan, Craig Disselkoen, Tal Garfinkel, Nathan Froyd, Sorin Lerner, Hovav Shacham and Deian Stefan.

  • news

    NSF 21-122 Dear Colleague Letter: Enabling Secure and Trustworthy Cyberspace (SaTC) CISE-SBE Interdisciplinary Collaborations

    Proposals are due Dec 10, 2021, but an approval letter from a program officer is required before you can submit. Submitting in response to this DCL does *not* count against the limit on the number of proposals that can be submitted to the SaTC solicitation.


    September 27, 2021

    https://www.nsf.gov/pubs/2021/nsf21122/nsf21122.jsp

  • news

    Solicitation: NSF Secure and Trustworthy CyberSpace (SaTC) [Solicitation 22-517]

    Secure and Trustworthy Cyberspace (SaTC)

    PROGRAM SOLICITATION
    NSF 22-517

    REPLACES DOCUMENT(S):
    NSF 21-500

    National Science Foundation

    Directorate for Computer and Information Science and Engineering
         Division of Computer and Network Systems
         Division of Computing and Communication Foundations
         Division of Information and Intelligent Systems
         Office of Advanced Cyberinfrastructure

  • news

    HoTSoS 2022 Call for Papers! Deadline December 17th!

    The Hot Topics in the Science of Security (HoTSoS) Symposium is now soliciting submissions for the 2022 program. Following the success of the virtual HoTSoS Symposium in 2021, HoTSoS '22 will be a virtual event held the week of April 4th, 2022. In addition to research paper discussions and presentations, the symposium program will also include invited talks and panels.

    We are accepting submissions in the following three categories:

  • news

    Follow @SoS_VO_org on Twitter!

    The SoS-VO team is excited to announce that we recently updated the homepage of the website to link to the official Science of Security & Privacy Twitter account, where we will be making daily announcements about noteworthy news items, upcoming opportunities, and impending deadlines in the SoS community.

  • news

    Predictive Intelligence for Pandemic Prevention (PIPP) Webinars

    February 16, 2021 11:00 AM to
    February 17, 2021 6:45 PM
    Virtual Workshop

    Save the Date

    February 25, 2021 11:00 AM to
    February 26, 2021 6:00 PM
    Virtual Workshop

    Save the Date

  • news

    HoTSoS 2021: Works-in-Progress Co-Chairs

    Meet the HoTSoS 2021 Team:
    Works-in-Progress Co-Chairs

    Kurt Kelville (MIT) and Aron Laszka (University of Houston) are our Works-in-Progress Co-Chairs for the 2021 Symposium. Happy to have these two on the Program Committee Team!

    About the Chairs

  • news

    Call for Participation: Canberra Artificial Intelligence Summer School

    Virtual, December 4-7th, 2020

    FREE

    Website: http://canberraai.net/caiss2020/
    Discord: https://discord.com/invite/rcKuNm4

    [If interested in staying up-to-date, please join this Discord channel!]


    Introduction

  • news

    Take my word for it: Privacy and COVID alert apps can coexist

    By Lorrie Cranor, Opinion Contributor, 11/10/20 09:30 AM EST

    Since the COVID-19 pandemic began, technologists across the country have rushed to develop digital apps for contact tracing and exposure notifications. New York, New Jersey, Pennsylvania, and Delaware have all recently announced the launch of such apps, announcements which generated excitement. But the advent of these tools has also created questions. Chief among them: Do these apps protect privacy?

  • news

    CPS-VO.org now supports DOI!

    The latest release of CPS-VO.org adds Zenodo support for generating archives and DOIs for content types such as files, news items, web pages, and wiki pages!

  • news

    NIST Releases Draft Security Feature Recommendations for IoT Devices

    "Core Baseline" guide offers practical advice for using everyday items that link to computer networks.

    August 01, 2019

  • news

    NSA-approved cybersecurity law and policy course now available online

    Cyber Scoop

    Shannon Vavra

    August 27th, 2019

    Anyone who is interested in cybersecurity law and policy can now take an online course that was partly shaped by the National Security Agency.

  • news

    Verification Tool Competition

    ARCH brings together researchers and practitioners to establish a curated set of benchmarks for verification, testing and reachability, and to evaluate them in a friendly competition. ARCH started in 2014 and has sustained a vibrant community since. Since 2017, ARCH has organized, as part of the workshop, the International Competition on Verifying Continuous and Hybrid Systems (ARCH-COMP, https://cps-vo.org/group/ARCH/), now in its 3rd iteration.

  • news

    Game-theoretic Paper Wins Annual Paper Competition

    The winner of the 6th Annual Best Scientific Cybersecurity Paper Competition is "How Shall We Play a Game? A Game-theoretical Model for Cyber-warfare Games" by Tiffany Bao, Yan Shoshitaishvili, Ruoyu Wang, Christopher Kruegel, Giovanni Vigna, and David Brumley. These researchers are from Carnegie Mellon University and the University of California, Santa Barbara. The paper was originally accepted at the 30th IEEE Computer Security Foundations Symposium (CSF '17).

    To learn more visit the competition homepage: https://cps-vo.org/group/sos/papercompetition/pastcompetitions

  • news

    Secretary of Energy Rick Perry Announces $68.5 Million for Advanced Vehicle Technologies Research

    WASHINGTON, D.C. - Today, U.S. Secretary of Energy Rick Perry announced up to $68.5 million in available funding for early-stage research of advanced vehicle technologies that will enable more affordable mobility, strengthen domestic energy security, and enhance U.S. economic growth.

  • news

    2018 NSF CPS Program Solicitation

    The 2018 Cyber-Physical Systems Program Solicitation has been released. The submission window for proposals is April 27, 2018 - May 8, 2018. Please see the full solicitation for additional details and the summary of program requirements: https://cps-vo.org/node/45729

  • news

    NSA SoS Lablet Call for Proposals is Open

    The National Security Agency has distributed its BAA (really a request for proposals) for its next generation of SoS Lablets. The lablets include ones focused on the 5 Hard Problem areas in the Science of Security, on the Science of Privacy, and on Cyber-Physical Systems. Proposals are due August 21. While the SoS team is not the point of contact for the contracting process, we can help direct inquiries: https://cps-vo.org/group/SoS/contact

  • news

    U.S. Department of Transportation Launches Smart City Challenge to Create a City of the Future

  • news

    NEW 2016 NSF-USDA Solicitation: Innovations at the Nexus of Food, Energy, and Water Systems (INFEWS)

    Program Solicitation
    NSF 16-524

    National Science Foundation

  • news

    Sticky News Item

    This news item always appears at the top of the 'recent news' list because the 'pin to top of lists' box is checked under 'publishing options' below. News Items can also be set to show in the spotlight slideshow feature.

  • news

    "Spyware Blitzes Compromise, Cannibalize ICS Networks"

    Researchers have discovered attackers targeting industrial enterprises with spyware campaigns that aim to steal corporate credentials for financial gain and that cannibalize compromised networks to launch additional attacks. Although the campaigns use off-the-shelf spyware, they are unusual because they limit each malicious sample's scope and lifetime. The researchers consider the attacks anomalous because they are not typical spyware attacks. One researcher explained that the attackers use spearphishing emails sent from compromised corporate mailboxes. These emails contain malicious attachments that deliver the spyware. The attackers use industrial enterprises' SMTP services both to send spearphishing emails and, as command-and-control (C2) infrastructure, to collect the data stolen by the spyware, which allows them to launch future attacks. The initially stolen data is believed to be used by the threat operators to spread the attack inside the local network of the compromised organization and to attack additional organizations. The researchers noted that the malware used in the attacks was typically found to belong to AgentTesla/Origin Logger, Snake Keylogger, Azorult, Noon/Formbook, and other well-known commodity spyware families. Nearly 45 percent of the computers targeted in the campaigns are Industrial Control System (ICS)-related and have access to their respective company's corporate email service. Over 2,000 corporate email accounts belonging to industrial companies have been stolen and leveraged as next-attack C2 in the malicious campaigns. However, the researchers estimate that more than 7,000 corporate email accounts have been stolen, sold, or used in other ways. This article continues to discuss findings regarding the spyware campaigns aimed at collecting corporate credentials.

    Threatpost reports "Spyware Blitzes Compromise, Cannibalize ICS Networks"

  • news

    "FBI Officially Linked the Diavol Ransomware Operation to the Infamous TrickBot Gang"

    The Federal Bureau of Investigation (FBI) has linked the Diavol ransomware operation to the TrickBot group, which is behind the TrickBot banking Trojan. The developers of the TrickBot banking Trojan, which has been active since October 2016, have continuously updated it with new capabilities. The botnet continues to be offered through a multi-purpose malware-as-a-service (MaaS) model. Over a million computers have been infected by the TrickBot botnet. Findings from an analysis conducted by IBM X-Force researchers further suggested a link between Diavol ransomware and the TrickBot malware. The Bot ID generated by Diavol is almost the same as the format used by TrickBot and the Anchor DNS malware, which is also linked to the TrickBot gang. This article continues to discuss the Diavol ransomware operation and its link to the notorious TrickBot gang.

    Security Affairs reports "FBI Officially Linked the Diavol Ransomware Operation to the Infamous TrickBot Gang"

  • news

    "#COVID19 Phishing Emails Surge 500% on Omicron Concerns"

    Researchers at Barracuda Networks observed a 667% month-on-month surge in COVID-19 phishing emails from February to March 2020. The security vendor also observed another significant increase when new vaccines were released at the start of 2021. Now public concern over the highly transmissible Omicron variant is catching the eye of phishers. The researchers discovered that the latest COVID-19 variant has led to a 521% increase in phishing attacks using the virus as a lure to trick users into clicking. The researchers stated that among the tactics used to trick users into clicking on malicious links and/or entering personal details are offers of counterfeit or unauthorized COVID-19 tests and protective equipment such as masks or gloves. The researchers noted that some adversaries are impersonating testing labs and providers or even employees sharing their results. In other phishing emails, the user may receive a fake notification for an unpaid order of tests and is urged to provide their PayPal details to complete the delivery of the kit.

    Infosecurity reports: "#COVID19 Phishing Emails Surge 500% on Omicron Concerns"

  • news

    "Two-Fifths of Ransomware Victims Still Paying Up"

    Security researchers at Anomali Research have discovered that two-fifths (39%) of ransomware victims paid their extorters over the past three years, with the majority of the victims spending at least $100,000. The security researchers interviewed 800 security decision-makers in the US, Canada, the UK, Australia, Singapore, Hong Kong, India, New Zealand, the UAE, Mexico, and Brazil. Most respondents (87%) said their organization had been the victim of a successful attack resulting in damage, disruption, or a breach since 2019. However, 83% said they'd experienced more attacks since the start of the pandemic. Over half of the participants (52%) were ransomware victims, and 39% paid the ransom. Of the participants that paid the ransom, 58% gave their attackers between $100,000 and $1m, while 7% handed over more than $1m.

    Infosecurity reports: "Two-Fifths of Ransomware Victims Still Paying Up"

  • news

    "Red Cross Implores Hackers Not To Leak Data for 515k 'Highly Vulnerable People'"

    The International Committee of the Red Cross (ICRC) has revealed that hackers stole personal data on nearly 515,000 "highly vulnerable people" who received aid from a program aimed at reuniting family members separated by conflict, disaster, or migration. Robert Mardini, the ICRC's director-general, released a statement directly pleading with the hackers not to leak, sell, or use the data. According to the ICRC, the data was stolen through the hack of a Switzerland-based subcontractor that stores data for the Red Cross. The data comes from at least 60 different Red Cross and Red Crescent National Societies globally. The perpetrators behind the cyberattack remain unknown, and the ICRC does not yet know whether any of the compromised information has already been leaked or shared publicly. This article continues to discuss the cyberattack on the Red Cross that left sensitive data of millions of people exposed.

    Ars Technica reports "Red Cross Implores Hackers Not To Leak Data for 515k 'Highly Vulnerable People'"

  • news

    "More Than Half of Medical Devices Found To Have Critical Vulnerabilities"

    Cynerio's 2022 State of Healthcare IoT Device Security Report highlights the results from the analysis of 10 million medical devices at over 300 global hospitals and medical facilities, revealing that over 50 percent of the examined Internet-connected devices contain a known vulnerability. Infusion pumps were found to be the most common healthcare IoT device, with 73 percent of them containing a vulnerability that poses a threat to patient safety, data confidentiality, or service availability if exploited by a malicious actor. Some of these vulnerabilities stem from outdated programs and weak default credentials. This article continues to discuss discoveries made from the analysis of 10 million medical devices and recommended solutions for mitigating the discovered vulnerabilities.

    ZDNet reports "More Than Half of Medical Devices Found To Have Critical Vulnerabilities"

  • news

    "Top Public Sector Cybersecurity Threat No Longer is Employees"

    According to the Public Sector Cybersecurity Survey Report released by SolarWinds, the public sector is more concerned about external threats than internal ones. The report gives insight into how state and local government professionals perceive IT challenges and the sources of IT security threats. One of the key findings in the report is that hackers are the primary source of security threats faced by public sector organizations, followed by negligent or untrained employees and foreign governments. Careless insiders were not cited as the top security threat for the first time in five years. Another finding is that state and local governments are more likely to be concerned about hackers than other public sector groups. Concerns surrounding ransomware, malware, and phishing have increased the most over the last year. Government respondents have suggested improving investigation and remediation capabilities as well as increasing threat information sharing between public and private sectors. This article continues to discuss key findings from SolarWinds' seventh Public Sector Cybersecurity Survey Report.

    GCN reports "Top Public Sector Cybersecurity Threat No Longer is Employees"

  • news

    "Third Firmware Bootkit Discovered"

    Cybersecurity researchers at Kaspersky have discovered a third known case of a firmware bootkit in the wild. The kit, which made its first appearance in the wild in the spring of 2021, has been named MoonBounce. The security researchers stated that the campaign is the work of the well-known Chinese-speaking advanced persistent threat (APT) actor APT41. The researchers noted that MoonBounce demonstrates a more complicated attack flow and greater technical sophistication than the previously discovered bootkits LoJax and MosaicRegressor. The researchers found the malicious implant hiding inside the CORE_DXE component of the Unified Extensible Firmware Interface (UEFI) firmware. UEFI firmware is critical because its code is responsible for booting up a device and passing control to the software that loads the operating system (OS). Once MoonBounce's components have made their way into the operating system, they reach out to a command-and-control (C2) server to retrieve further malicious payloads, which Kaspersky researchers could not retrieve. The code to boot the device is stored in a non-volatile component external to the hard drive called the Serial Peripheral Interface (SPI) flash. The researchers noted that bootkits of this kind are extremely hard to detect because the code they target is located outside of the device's hard drive, in an area that most security solutions do not scan as standard. The researchers also stated that firmware bootkits are tricky to delete: they can't be removed simply by reformatting a hard drive or reinstalling an OS, because the code is launched before the operating system.

    Infosecurity reports: "Third Firmware Bootkit Discovered"

  • news

    "Research: Why Employees Violate Cybersecurity Policies"

    Security researchers asked more than 330 remote employees from a wide range of industries to self-report on both their daily stress levels and their adherence to cybersecurity policies over the course of two weeks. The security researchers also conducted a series of in-depth interviews with 36 professionals who were forced to work remotely due to the Covid-19 pandemic to better understand how the transition to work-from-home has impacted cybersecurity. The researchers found that adherence to security conventions was intermittent. During the 10 workdays they studied, 67% of the participants reported failing to fully adhere to cybersecurity policies at least once, with an average failure-to-comply rate of once out of every 20 job tasks. When asked why they failed to follow security policies, the participants' top three responses were, "to better accomplish tasks for my job," "to get something I needed," and "to help others get their work done." These three responses accounted for 85% of the cases in which employees knowingly broke the rules. In contrast, employees reported a malicious desire to cause harm in only 3% of policy breaches, making non-malicious breaches 28 times more common than retaliatory ones. The researchers also found that people were substantially more likely to knowingly break security protocols on days when they reported experiencing more stress, suggesting that being more stressed out reduced their tolerance for following rules that got in the way of doing their jobs.

    Harvard Business Review reports: "Research: Why Employees Violate Cybersecurity Policies"

  • news

    "Researchers Explore Hacking VirusTotal to Find Stolen Credentials"

    The SafeBreach research team discovered a way to collect vast amounts of stolen user credentials by running searches on VirusTotal, the online service used to analyze suspicious files and URLs. The team was able to collect over a million credentials with a VirusTotal license and a few tools. They wanted to identify the data that could be gathered by a criminal holding a VirusTotal license. A licensed VirusTotal user can query the service's dataset with a combination of queries for file type, file name, submitted data, country, file content, and more. The team introduced the idea of VirusTotal hacking, which is based on the method of Google hacking, where criminals look for vulnerable websites, Internet of Things (IoT) devices, web shells, and sensitive data leaks. Many information stealers collect credentials from various forums, mail accounts, browsers, and other sources, and then write them to a fixed, hard-coded file name such as "all_credentials.txt." The information stealers then exfiltrate this file from the victim's device and send it to a command-and-control (C2) server. With this method, the team took VirusTotal tools and Application Programming Interfaces (APIs) such as search, VirusTotal Graph, and Retrohunt, and used them to find files containing stolen data. They conducted their research using known malware, including RedLine Stealer, Azorult, Raccoon Stealer, and Hawkeye, along with known forums such as DrDark and Snatch_Cloud used to steal sensitive data, finding that their method works at scale. The researchers emphasized that criminals could apply this method to collect a nearly unlimited number of credentials and other user-sensitive data with very low effort in a short time, using an infection-free approach. They disclosed their findings to Google, which owns VirusTotal, and advised the company to periodically search for and remove files containing sensitive user data. The team also suggested that Google ban the API keys that upload those files and implement an algorithm to disallow the upload of files containing sensitive data. This article continues to discuss the VirusTotal hacking method and how Google can prevent this technique from being successful.

    Dark Reading reports "Researchers Explore Hacking VirusTotal to Find Stolen Credentials"

  • news

    "Researchers Find Way to Bypass SMS Codes on Box Accounts"

    Researchers with Varonis Threat Labs have discovered a way to circumvent the multi-factor authentication for Box accounts in which an SMS text code is used for log-in verification. With this method, an attacker could use stolen credentials to compromise an organization's Box account and exfiltrate sensitive data without having to access the victim's phone. The team found that if the user does not navigate to the SMS verification form from Box, an SMS message does not get sent, but a session cookie still gets generated. They said an attacker would only need to enter the user's email address and password, stolen from a password leak or phishing attack, in order to get a valid session cookie. Therefore, an SMS message code is not required. Following the disclosure of the issue to Box via HackerOne on November 2, 2021, Box issued a cloud-based update. The Varonis research is considered significant because 97,000 companies and 68 percent of Fortune 500 companies rely on Box for collaboration and access to information from anywhere. Although multi-factor authentication is known to prevent account takeover, it is not a silver-bullet solution, because there are ways to bypass it, and not everyone can use it. Varonis has highlighted that malicious actors could make additional authentication tools less effective through compromised user credentials. Organizations are encouraged to implement coverage for mobile phishing attacks to protect against compromised credentials. Doing this will protect users from socially engineered phishing campaigns that give threat actors access to corporate infrastructure, apps, and data. This article continues to discuss the Box multi-factor authentication bypass that leaves accounts open to attack and why this type of authentication is not the ultimate solution.

    SC Magazine reports "Researchers Find Way to Bypass SMS Codes on Box Accounts"

  • news

    "QR Codes Can Eat Your Lunch, FBI Warns"

    Since the pandemic, QR codes have been used much more in restaurants and other businesses. Many users like to use them, but the FBI is warning that scammers love them as well. The FBI noted that cybercriminals are taking advantage of this technology by directing QR code scans to malicious sites to steal victim data, embedding malware to gain access to the victim's device, and redirecting payment for cybercriminal use. The bureau urges consumers to double-check any URL generated by a QR code and be cautious about using them in general, especially for making payments. The FBI's warning is the latest in a long string of advisories from cybersecurity researchers or government agencies about the threat posed by QR codes. Last week, Ars Technica reported on fake QR codes that were stuck on parking meters in Texas cities, with the goal of intercepting payments.

    Cyberscoop reports: "QR Codes Can Eat Your Lunch, FBI Warns"

  • news

    "International Effort Takes Down VPN Service, VPNLab, Used for Criminal Activity"

    Law enforcement officials from almost a dozen countries teamed up to take down a virtual private network (VPN) service used by threat actors to distribute malware, carry out ransomware operations, and commit other cybercriminal activities. According to the European law enforcement agency Europol, investigations into malware distribution and other criminal activities led authorities to the VPNLab website. As a result, they seized and disrupted 15 servers that hosted the website's infrastructure. A screenshot of the VPNLab website's front page following its takedown shows a message saying the service provided a platform for the anonymous commission of high-value cybercrime cases and was used in multiple major international cyberattacks. The takedown operation was led by German police and included the Netherlands, Canada, the Czech Republic, France, Hungary, Latvia, Ukraine, the US, and the UK. This article continues to discuss the shutdown of the VPNLab website and why this service was a popular choice for cybercriminals.

    CyberScoop reports "International Effort Takes Down VPN Service, VPNLab, Used for Criminal Activity"

  • news

    "Doxbin Leak Includes Criminals' Data, Could Boost Hacking"

    According to security experts, threat actors using the data-sharing website Doxbin have had highly sensitive information leaked online. Doxbin is often used by hackers to dump their victims' Personally Identifiable Information (PII). According to the threat intelligence firm Cyble and the independent researcher and threat hunter Troy Hunt, the leaked data includes PII belonging to an undisclosed number of Doxbin users, including hackers and their victims. This data contains plaintext passwords, multi-factor authentication codes, stealer logs, and chat history. On January 8, Hunt revealed that Doxbin had 380,000 email addresses across user accounts and doxes shared online. Cyble estimates that over 700,000 email addresses were leaked, based on a recent count. A report released by Cyble also reveals that the leaked information includes the identities of the threat actors' family members, IP addresses, and geolocation. Cyble says the doxed information contains work-related information that could be used to perform phishing attacks. The firm warns of an increase in identity theft and other malicious activities because of the Doxbin leak. Based on discussions on the dark web observed by Cyble, the leaked doxed information can augment or verify law enforcement agencies' investigative work. Dhanalakshmi PK, senior director of malware and intelligence research at Cyble, says that the leaked information could be aliases used by threat actors and therefore may not be real. However, she adds that it could help authorities verify information about the threat actors. This article continues to discuss the source and potential impact of the Doxbin leak.

    BankInfoSecurity reports "Doxbin Leak Includes Criminals' Data, Could Boost Hacking"

  • news

    "'White Rabbit' Ransomware May Be FIN8 Tool"

    A new ransomware family dubbed "White Rabbit," which hit a US bank last month, is suspected to be connected to FIN8, the financially-motivated Advanced Persistent Threat (APT) group. According to Trend Micro researchers, the operators behind the White Rabbit ransomware appear to be using the same tactics as the more established ransomware family, Egregor, in regard to hiding malicious activity. The White Rabbit ransomware was first detected on December 14, 2021, by the Lodestone Forensic Investigations team, but the earliest strings go as far back as July 10, 2021. The ransom note displayed by the ransomware includes bunny ASCII art and a message warning victims of the compromise of their network infrastructure, leakage of their critical data, and encryption of their files. The operators are using the same double-extortion tactic applied by the increasing number of Ransomware-as-a-Service (RaaS) players, threatening to leak or sell encrypted data to the public. This article continues to discuss the discovery, tactics, techniques, and procedures of the White Rabbit ransomware group, as well as the group's possible affiliation with FIN8.

    Threatpost reports "'White Rabbit' Ransomware May Be FIN8 Tool"

  • news

    "Rise in School Cybercrime Attacks Sparks NCA Education Drive"

    A new initiative has been launched in the UK to divert young people from cybercrime after cyberattacks designed to block access to school networks and websites more than doubled during the COVID-19 pandemic. Data from the National Crime Agency's National Cyber Crime Unit (NCCU) revealed a 107 percent increase in reports from the police cyber prevent network on young students executing distributed denial-of-service (DDoS) attacks from 2019 to 2020. Students as young as nine have been performing such attacks. The National Crime Agency (NCA), in collaboration with Schools Broadband, part of the Talk Straight Group, launched a new initiative aimed at educating students who search for terms related to cybercrime on school computers. When a student searches for specific terms associated with cybercrime, they will see a warning message and suggestion to visit the Cyber Choices website, where they can learn about the Computer Misuse Act, cybercrime, and the consequences of committing such crime. This article continues to discuss the increase in the deployment of cyberattacks by young students and the new initiative designed to prevent young people from getting involved in cybercrime.

    NCA reports "Rise in School Cybercrime Attacks Sparks NCA Education Drive"

  • news

    Visible to the public "NATO, Ukraine Sign Deal to 'Deepen' Cyber Cooperation"

    NATO on Monday agreed to bolster its cyber support for Ukraine after a cyberattack against Kyiv heightened tensions amid fears that Russia could be plotting an invasion of Ukraine. NATO Secretary General Jens Stoltenberg stated that experts from NATO and its members were already on the ground, working with Ukraine to tackle the latest cyberattack. He also said the new agreement would involve "enhanced cyber cooperation, including Ukrainian access to NATO's malware information sharing platform." Stoltenberg also stated that under this renewed agreement, NATO will deepen their collaboration with Ukraine to support them in modernizing their information technology and communications services while identifying areas where training may be required for their personnel. Ukraine's ambassador to NATO, Natalia Galibarenko, stated that with NATO's support Ukraine plans to further introduce modern information technologies and services into the command and control system of the Armed Forces of Ukraine.

    SecurityWeek reports: "NATO, Ukraine Sign Deal to 'Deepen' Cyber Cooperation"

  • news

    Visible to the public "Zoho Patches Critical Vulnerability in Endpoint Management Solutions"

    Zoho Corp has released patches for a critical vulnerability affecting Desktop Central and Desktop Central MSP, the endpoint management solutions from ManageEngine. Tracked as CVE-2021-44757 and rated critical severity, the newly addressed security issue is an authentication bypass that could allow a remote attacker to perform various actions on the server. Zoho stated that, when exploited, the authentication bypass vulnerability can allow an attacker to read unauthorized data or write an arbitrary zip file. Zoho also noted that anyone with access to the internal network can exploit the vulnerability, even if a security gateway is in use for access to the central server. The vulnerability can be exploited from the Internet as well, provided that UI Access is enabled via Secure Gateway. Users of Desktop Central and Desktop Central MSP should upgrade to build 10.1.2137.9 to address the issue. Customers are advised to log into their Desktop Central console and check the current build number in the top right corner. Those in the build range 10.1.2140.X to 10.1.2149.X should contact the ManageEngine team.

    SecurityWeek reports: "Zoho Patches Critical Vulnerability in Endpoint Management Solutions"

  • news

    Visible to the public "Safari 15 Bug Can Leak Your Recent Browsing Activity and Personal Identifiers"

    Researchers at the browser fingerprinting and fraud detection service, FingerprintJS, discovered a vulnerability in Apple's implementation of IndexedDB in Safari 15 that can leak a user's browsing activity and reveal some of the user's personal information attached to their Google account. IndexedDB is a low-level browser Application Programming Interface (API) that stores client data. According to FingerprintJS, IndexedDB follows the same-origin policy for restricting one origin from interacting with data collected on other origins, meaning only the website that generates data can access it. For example, if a user opens their email account in one tab and then opens a malicious webpage in another tab, the same-origin policy stops the webpage from viewing and tampering with the user's email. However, FingerprintJS found that Apple's implementation of the IndexedDB API in Safari 15 violates the same-origin policy. The researchers discovered that a new empty database with the same name is created in all other active frames, tabs, and windows within the same browser session when a website interacts with a database in Safari. Therefore, other websites can see the name of other databases created on different websites, which could reveal specific details about a user's identity. FingerprintJS developed a proof-of-concept (POC) demo that uses the browser's IndexedDB vulnerability to identify the sites currently open or opened recently. The demo also shows how sites that exploit the bug can scrape information from a Google User ID. It currently detects 30 popular sites affected by the bug, including Instagram, Netflix, Twitter, and Xbox. This article continues to discuss findings surrounding the Safari 15 bug.

    The Verge reports "Safari 15 Bug Can Leak Your Recent Browsing Activity and Personal Identifiers"

  • news

    Visible to the public "UTSA Researcher Part of Team Protecting EV Charging Stations From Cyberattacks"

    The need for electric vehicle (EV) charging stations and Internet-based management systems grows as the number of electric cars on the road increases. However, these management systems are vulnerable to cyberattacks. A team of researchers from the UTSA Cyber Center for Security and Analytics, University of Dubai, and Concordia University is bringing further attention to the vulnerabilities of these cyber systems and recommending measures for protecting them. The systems implemented in electric cars, as well as the Internet-enabled EV charging stations, perform critical duties over the Internet such as remote monitoring and customer billing. The team delved into the real-life implications of cyberattacks on EV charging stations and how to mitigate them with cybersecurity measures. They also assessed how compromised systems could be used to attack critical infrastructure such as the power grid. The researchers categorized 16 EV charging management systems into groups, including firmware, mobile, and web apps, then conducted an in-depth security analysis of each one. The team discovered a range of vulnerabilities in the systems but highlighted only 13 flaws as the most severe, which include missing authentication and cross-site scripting. By exploiting these vulnerabilities, attackers can manipulate the firmware, disguise themselves as legitimate users, and access user data. Although it is possible to execute different attacks on various entities in the EV ecosystem, the team's study focuses on exploring large-scale attacks that could severely impact the compromised charging station, its user, and the connected power grid. This article continues to discuss the study on protecting EV charging stations from cyberattacks.

    UTSA reports "UTSA Researcher Part of Team Protecting EV Charging Stations From Cyberattacks"

  • news

    Visible to the public "Many Users Don't Know How to Protect Their Broadband Wi-Fi Routers"

    Broadband Genie surveyed 1,320 broadband users, finding that many of them do not take basic security precautions to protect themselves from online threats. Findings of the survey revealed that 88 percent have never updated their router firmware, and 84 percent have never updated the admin password for their router. A home network will typically have ten connected devices. However, 72 percent said they had never verified what devices are linked to their router. Overall, 48 percent said they had never taken any of the security precautions listed in the survey. When asked why they had not carried out any of the security actions, 73 percent said that they did not know why they would need to change their router's settings, while 20 percent said they did not know how to make these modifications. This article continues to discuss the key findings from the survey of broadband users that further highlight the vulnerability of broadband Wi-Fi routers to attacks.

    Help Net Security reports "Many Users Don't Know How to Protect Their Broadband Wi-Fi Routers"

  • news

    Visible to the public "Personal Information Compromised in Goodwill Website Hack"

    Nonprofit organization Goodwill has started notifying users of its ShopGoodwill.com e-commerce platform that their personal information was compromised due to a cybersecurity breach. The company has informed users that an "unauthorized third party" accessed buyer contact information, including name, email address, phone number, and mailing address. Goodwill noted that no payment card information was exposed. The organization said the website vulnerability exploited in the incident has been addressed. The ShopGoodwill website is currently offline "for maintenance," but it's unclear if it's related to the breach. This appears to be the second data breach disclosed by the nonprofit in the past decade. In 2014, Goodwill informed customers that more than 800,000 payment cards had been compromised due to a breach at a third-party vendor. The affected payment processor confirmed at the time that hackers had access to its systems for more than a year.

    SecurityWeek reports: "Personal Information Compromised in Goodwill Website Hack"

  • news

    Visible to the public "Flaw Found in Biometric ID Devices"

    Security researchers at Positive Technologies have discovered a critical vulnerability in more than ten devices that use biometric identification to control access to protected areas. The flaw can be exploited to unlock doors and open turnstiles, giving attackers a way to bypass biometric ID checks and physically enter controlled spaces. Acting remotely, threat actors could use the vulnerability to run commands without authentication to unlock a door or turnstile or trigger a terminal reboot to cause a denial of service. The critical vulnerability impacts 11 biometric identification devices made by IDEMIA. The researchers stated that the impacted devices are used in the "world's largest financial institutions, universities, healthcare organizations, and critical infrastructure facilities." The critical vulnerability (VU-2021-004) has received a score of 9.1 out of 10 on the CVSS v3 scale, with ten being the most severe. The IDEMIA devices affected by the vulnerability are MorphoWave Compact MD, MorphoWave Compact MDPI, MorphoWave Compact MDPI-M, VisionPass MD, VisionPass MDPI, VisionPass MDPI-M, SIGMA Lite (all versions), SIGMA Lite+ (all versions), SIGMA Wide (all versions), SIGMA Extreme and MA VP MD. The researchers stated that enabling and correctly configuring the TLS protocol according to Section 7 of the IDEMIA Secure Installation Guidelines will eliminate the vulnerability. IDEMIA, after learning about the vulnerability, has said it will make TLS activation mandatory by default in future firmware versions.

    Infosecurity reports: "Flaw Found in Biometric ID Devices"

  • news

    Visible to the public "New Vulnerabilities Highlight Risks of Trust in Public Cloud"

    Amazon Web Services (AWS) has fixed two vulnerabilities in its core services. According to Orca Security, the exploitation of one of the flaws could have allowed any user to access and take over any company's infrastructure. Although the vulnerabilities have now been fixed, the attack chain involving compromising a core service, escalating privileges, and using those privileges to attack other users also affects users of other cloud services. Yoav Alon, chief technology officer at Orca Security, says the method impacts many other cloud vendors. The root of the problem is a lack of isolation between services and little granularity in the permissions of different services and users. The more critical of the two vulnerabilities was discovered in AWS Glue, a serverless integration service that lets AWS users manage, clean, and transform data. Attackers could have used this flaw to compromise the service and gain administrative privileges. Since the AWS Glue service is trusted, the attackers could have used its role to access other users' environments. Orca's researchers were able to escalate privileges to the point where they had unrestricted access to all of the service's resources in the region, including complete administrative privileges. The second vulnerability was found in AWS CloudFormation (CF), a service that enables users to provision resources and cloud assets. This flaw allowed the researchers to compromise a CF server and run as an AWS infrastructure service. It is an XML External Entity (XXE) issue that could have allowed attackers to penetrate the protections implemented to isolate different AWS users. These vulnerabilities highlight both the advantages and the weaknesses of the cloud model. Cloud providers are encouraged to improve isolation between their services to prevent malicious actors from abusing flaws in a core service to compromise the security model of the overall cloud. This article continues to discuss the two major AWS security flaws and how these vulnerabilities highlight the risk of trust in the public cloud.

    Dark Reading reports "New Vulnerabilities Highlight Risks of Trust in Public Cloud"

  • news

    Visible to the public "Modelling the Spread of Viruses"

    A new study published in the International Journal of Mathematics in Operational Research explores a new path for the propagation of viruses in a computer network. Anis Rezgui of Ecole Polytechnique de Tunisie and Carthage University in Tunisia introduces a novel approach that offers a rigorous way of modelling viral propagation mathematically. Researchers could use it to understand a network's global behavior when exposed to malware infection. The proposed approach focuses on the dynamics of each node in the network. This type of modelling aims to help researchers understand how a virus spreads so that they can develop more effective strategies for stopping it through network analysis. Implementing such a model into an antivirus system could halt zero-day infection. This article continues to discuss the study and introduction of a novel approach to modelling the spread of a virus in a computer network.

    Science Spot reports "Modelling the Spread of Viruses"

  • news

    Visible to the public "DoD Launches University Consortium for Cybersecurity"

    The Department of Defense (DoD) has launched the DoD University Consortium for Cybersecurity (UC2), which aims to foster better communication between the Secretary of Defense and academia, and meet a requirement set by the 2020 National Authorization Act. The National Defense University's College of Information and Cyberspace (CIC) will operate as the UC2 Coordination Center, with Jim Chen, a CIC faculty member, being the center's director. The University of Idaho's Center for Secure and Dependable Systems (CSDS) will serve as a support center for UC2. This article continues to discuss the purpose and support behind UC2.

    MeriTalk reports "DoD Launches University Consortium for Cybersecurity"

  • news

    Visible to the public "Phishers Take Over FIFA 22 Accounts"

    Cybercriminals are using social engineering attacks to take over accounts belonging to players of the Electronic Arts video game FIFA 22. While the gaming giant's investigation into the attacks remains ongoing, Electronic Arts estimates that fewer than 50 accounts have been taken over through a combination of phishing techniques and mistakes made by its customer experience team. The Electronic Arts Sports FIFA team stated that adversaries were able to exploit human error within its customer experience team and bypass two-factor authentication to gain access to player accounts. Since discovering the cybercriminal activity, Electronic Arts has put all of its advisors and individuals who assist with the service of EA accounts through individualized re-training and additional team training, with a specific emphasis on account security practices and the phishing techniques used by the adversaries. The company said it is also adding steps to the account ownership verification process, such as mandatory managerial approval for all email change requests. In addition, Electronic Arts said it would be updating the software used by its customer experience team to better identify suspicious activity, flag at-risk accounts, and reduce the risk of human error in the account update process.

    Infosecurity reports: "Phishers Take Over FIFA 22 Accounts"

  • news

    Visible to the public "Ukraine's Official Websites Hit by Massive Cyberattack Amid High Tensions With Russia"

    Unknown hackers launched a cyberattack on Ukrainian government websites early Friday, blocking access and warning internet users to "expect the worst." Officials say it is too early to tell who was behind the attacks. Viktor Zhora, deputy head of Ukraine's state agency of special communication and information protection, said that "close to 70" federal and local government websites were attacked, and a "substantial portion" is up and working again. Zhora also stated that Ukraine is seeing increased cyber intrusions that appear to be intelligence collection for the potential execution of a kinetic operation by the Russians. Earlier this month, Ukraine's state security services said that in December they had blocked close to 60 cyberattacks "against information systems of state institutions." These included malware and "web app attacks." Officials stated that the hackers did not obtain the personal information of Ukrainians during the cyberattack. The cyberattack came immediately after a flurry of diplomatic efforts in Europe failed to resolve the mounting crisis over Russian demands for sweeping new security arrangements by the United States and NATO.

    The Washington Post reports: "Ukraine's Official Websites Hit by Massive Cyberattack Amid High Tensions With Russia"