News Items

  • news

    Follow @SoS_VO_org on Twitter!

    The SoS-VO team is excited to announce that we recently updated the homepage of the website to link to the official Science of Security & Privacy Twitter account, where we will be making daily announcements about noteworthy news items, upcoming opportunities, and impending deadlines in the SoS community.

  • news

    Predictive Intelligence for Pandemic Prevention (PIPP) Webinars

    February 16, 2021 11:00 AM to
    February 17, 2021 6:45 PM
    Virtual Workshop

    Save the Date

    February 25, 2021 11:00 AM to
    February 26, 2021 6:00 PM
    Virtual Workshop

    Save the Date

  • news

    NSF 21-044 Dear Colleague Letter: Computer and Information Science and Engineering Graduate Fellowships (CSGrad4US)

    February 2, 2021

    Dear Colleagues:

  • news

    HoTSoS 2021: Works-in-Progress Co-Chairs

    Meet the HoTSoS 2021 Team: Works-in-Progress Co-Chairs

    Kurt Kelville (MIT) and Aron Laszka (University of Houston) are our Works-in-Progress Co-Chairs for the 2021 Symposium. Happy to have these two on the Program Committee Team!

    About the Chairs

  • news

    Call for Participation: Canberra Artificial Intelligence Summer School

    Virtual, December 4-7, 2020

    [If interested in staying up-to-date, please join this Discord channel!]

  • news

    Take my word for it: Privacy and COVID alert apps can coexist

    Since the COVID-19 pandemic began, technologists across the country have rushed to develop digital apps for contact tracing and exposure notifications. New York, New Jersey, Pennsylvania, and Delaware have all recently announced the launch of such apps, and the announcements generated excitement. But the advent of these tools has also raised questions. Chief among them: Do these apps protect privacy?

  • news

    now supports DOI!

    The latest release of the has added Zenodo support for generating archives and including DOI information for content types such as files, news items, web pages, and wiki pages!

  • news

    Solicitation: NSF Secure and Trustworthy Cyberspace (SaTC), NSF 21-500

    NSF 19-603

    National Science Foundation

    Directorate for Computer and Information Science and Engineering
         Division of Computer and Network Systems
         Division of Computing and Communication Foundations
         Division of Information and Intelligent Systems
         Office of Advanced Cyberinfrastructure

  • news

    NIST Releases Draft Security Feature Recommendations for IoT Devices

    "Core Baseline" guide offers practical advice for using everyday items that link to computer networks.

    August 01, 2019

  • news

    NSA-approved cybersecurity law and policy course now available online

    CyberScoop

    Shannon Vavra

    August 27, 2019

    Anyone who is interested in cybersecurity law and policy can now take an online course that was partly shaped by the National Security Agency.

  • news

    Verification Tool Competition

    ARCH (Applied Verification for Continuous and Hybrid Systems) brings together researchers and practitioners to establish a curated set of benchmarks for verification, testing, and reachability analysis, and to evaluate them in a friendly competition. ARCH started in 2014 and has sustained a vibrant community since. Since 2017, ARCH has organized, as part of the workshop, the International Competition on Verifying Continuous and Hybrid Systems (ARCH-COMP), now in its 3rd iteration.

  • news

    Game-theoretic Paper Wins Annual Paper Competition

    The winner of the 6th Annual Best Scientific Cybersecurity Paper Competition is How Shall We Play a Game? A Game-theoretical Model for Cyber-warfare Games by Tiffany Bao, Yan Shoshitaishvili, Ruoyu Wang, Christopher Kruegel, Giovanni Vigna, and David Brumley. These researchers are from Carnegie Mellon University and University of California, Santa Barbara. This paper was originally accepted at 30th IEEE Computer Security Foundations Symposium (CSF '17).

    To learn more visit the competition homepage:

  • news

    Secretary of Energy Rick Perry Announces $68.5 Million for Advanced Vehicle Technologies Research

    WASHINGTON, D.C. - Today, U.S. Secretary of Energy Rick Perry announced up to $68.5 million in available funding for early-stage research of advanced vehicle technologies that will enable more affordable mobility, strengthen domestic energy security, and enhance U.S. economic growth.

  • news

    2018 NSF CPS Program Solicitation

    The 2018 Cyber-Physical Systems Program Solicitation has been released. The submission window for proposals is April 27, 2018 - May 8, 2018. Please see the full solicitation for additional details and the summary of program requirements:

  • news

    NSA SoS Lablet Call for Proposals is Open

    The National Security Agency has distributed its BAA (really a request for proposals) for its next generation of SoS Lablets. These include lablets on the five Hard Problem areas in the Science of Security, on the Science of Privacy, and on Cyber-Physical Systems. Proposals are due August 21. While the SoS team is not the point of contact for the contracting process, we can aid in directing:

  • news

    U.S. Department of Transportation Launches Smart City Challenge to Create a City of the Future

  • news

    NEW 2016 NSF-USDA Solicitation: Innovations at the Nexus of Food, Energy, and Water Systems (INFEWS)

    Program Solicitation NSF 16-524

    National Science Foundation

  • news

    Sticky News Item

    This news item always appears at the top of the 'recent news' list because the 'pin to top of lists' box is checked under 'publishing options' below. News Items can also be set to show in the spotlight slideshow feature.

  • news

    "Bugs in Malware Creating Backdoors for Security Researchers"

    Malware authors often exploit vulnerabilities in legitimate software, but malware itself can contain bugs and coding errors that cause it to crash or that serve as backdoors for white-hat researchers. Zscaler researchers studied the types of vulnerabilities present in some of the most prevalent malware families. They explored whether these bugs could be used to prevent infection, and whether they are genuine vulnerabilities and coding errors or deliberate escape mechanisms. The researchers analyzed a dataset of malicious samples collected from 2019 to March 2021, clustered the samples by behavioral similarity, and used MITRE's Common Weakness Enumeration (CWE) to classify the bugs found. Looking at multiple examples of malware exhibiting different types of vulnerabilities, the researchers observed that malware sometimes does not validate the output of a queried Application Programming Interface (API) or cannot handle unexpected types of command-and-control (C&C) responses. Malware is often developed against the author's local environment, and authors also frequently fail to account for mitigations such as Address Space Layout Randomization (ASLR) and Data Execution Prevention (DEP) when loading modules, which causes the malware to crash. Sean Nikkel, Senior Cyber Threat Intel Analyst at Digital Shadows, points out that these bugs may be the result of rushing, inexperience with development best practices, or other resource constraints. Security vendors could use these bugs to write signatures that identify and block such malware. This article continues to discuss key findings from Zscaler's study on the types of vulnerabilities in malware and how security researchers can use these bugs.

    Security Magazine reports "Bugs in Malware Creating Backdoors for Security Researchers"

  • news

    "XSLeak Flaw in Slack Could Allow a Malicious Workspace Member to Launch De-anonymisation Attacks"

    A cross-site leak (XSLeak) flaw in the file-sharing feature of Slack's web application has been discovered by security researcher Julien Cretel. According to Cretel, exploiting the vulnerability could allow a threat actor to identify users of the workplace messaging platform outside of it, when victims visit an attacker-created website in a Chromium-based browser. XSLeaks are a class of vulnerabilities stemming from side channels built into the web platform. They abuse the web's core principle of composability, which allows interactions between websites, and exploit legitimate mechanisms to reveal sensitive information about users. Researchers from TU Darmstadt published a paper in 2019 detailing an XSLeak channel in the image-sharing features of Facebook, Twitter, Google, and other popular messaging platforms. As the study explains, when a user uploads an image to a private chat thread, the host service generates a unique URL for the resource that can only be accessed by parties within the thread. The researchers found that a malicious actor could abuse this by creating such a unique URL for a target user and then having their own website make visitors' browsers request that URL: whether the browser's request succeeds reveals to the attacker whether the visitor is the targeted user. They warned that this technique could be applied in fingerprinting or spear-phishing attacks. When Cretel examined the file-sharing functionality of Slack's web client, he found it to be vulnerable to these "Leaky Images" attacks. Exploiting the flaw does, however, require the attacker to have a user account in the same Slack workspace as their targets and the ability to send them direct messages. This article continues to discuss the XSLeak flaw found in Slack, the platform's response to the discovery of this vulnerability, and other previously uncovered security weaknesses in Slack.

    Computing reports "XSLeak Flaw in Slack Could Allow a Malicious Workspace Member to Launch De-anonymisation Attacks"
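    The Leaky Images mechanism described above, as an added example that is not part of the Computing article, Slack's code, or the TU Darmstadt paper: a self-contained JavaScript model of both sides, the host's per-thread access check and the attacker page's image probe. The host name chat.example, the user ids, and the modelled cookie behaviour are assumptions; the SameSite comparison shows one generic mitigation for credentialed cross-site subresource loads, not the fix Slack applied, which the article does not describe.

```javascript
// Added example, not from the Computing article, Slack, or the TU Darmstadt
// paper: a model of the "Leaky Images" cross-site leak. The host name, user
// ids and the cookie handling below are assumptions made for the simulation.

// Host state: private image URL -> set of user ids allowed to fetch it.
const imageAcl = new Map();

// The attacker shares one image per candidate target in a private thread;
// the host mints an unguessable URL that only thread members may read.
// (Math.random stands in for the host's cryptographically random file id.)
function uploadPrivateImage(host, threadMembers) {
  const url = `https://${host}/files/${Math.random().toString(36).slice(2)}`;
  imageAcl.set(url, new Set(threadMembers));
  return url;
}

// Host access check: the requester is identified only by the session cookie
// the browser attached (null when none was sent). 200 for members, 403 otherwise.
function serveImage(url, sessionUserId) {
  const allowed = imageAcl.get(url);
  if (!allowed || sessionUserId === null || !allowed.has(sessionUserId)) {
    return { status: 403 };
  }
  return { status: 200 };
}

// Browser behaviour for <img src=url> on the attacker's page. Whether the
// host's session cookie rides along depends on its SameSite attribute:
// 'None' sends it cross-site (the leaky case); 'Lax' or 'Strict' withhold it
// on cross-site subresource loads, so the image fails for everyone alike.
function crossSiteImageRequest(url, visitor, sameSite) {
  const cookieSent = sameSite === 'None' ? visitor.sessionUserId : null;
  const res = serveImage(url, cookieSent);
  // Same-origin policy hides the bytes from the attacker's page, but the
  // element still fires onload on success and onerror on failure.
  return res.status === 200 ? 'load' : 'error';
}

// Attacker page logic: probe one URL per candidate; the one that loads
// names the visitor. Returns the matched user id or null.
function deanonymise(probes, visitor, sameSite) {
  for (const [targetUserId, url] of Object.entries(probes)) {
    if (crossSiteImageRequest(url, visitor, sameSite) === 'load') {
      return targetUserId;
    }
  }
  return null;
}

// Constructed scenario: 'mallory' shares a distinct image with 'alice' and
// with 'bob' in two separate direct-message threads, then lures each of them
// (and an unrelated user 'carol') to mallory's site.
function runScenario(sameSite) {
  imageAcl.clear();
  const host = 'chat.example';
  const probes = {
    alice: uploadPrivateImage(host, ['mallory', 'alice']),
    bob: uploadPrivateImage(host, ['mallory', 'bob']),
  };
  return {
    aliceSeenAs: deanonymise(probes, { sessionUserId: 'alice' }, sameSite),
    bobSeenAs: deanonymise(probes, { sessionUserId: 'bob' }, sameSite),
    carolSeenAs: deanonymise(probes, { sessionUserId: 'carol' }, sameSite),
  };
}

console.log('SameSite=None', runScenario('None'));
console.log('SameSite=Lax ', runScenario('Lax'));
```

    In a real browser, crossSiteImageRequest corresponds to creating an img element whose src is the private URL and attaching onload and onerror handlers: the attacker's page never reads the image bytes, only which of the two events fires, and that single bit per probe is enough to tell workspace members apart from everyone else.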

  • news

    "Hacking Gang Creates Fake Firm to Hire Pentesters for Ransomware Attacks"

    The FIN7 hacking group, also known as Carbanak, is now creating fake cybersecurity companies that perform network attacks under the guise of penetration testing. FIN7 has been involved in cyberattacks and campaigns aimed at stealing money since 2015, when the group first emerged infecting ATMs with malware that enabled man-in-the-middle (MITM) attacks. Researchers at Gemini Advisory uncovered the fake cybersecurity firm, called Bastion Secure, set up by FIN7. According to the researchers, the website created for the fake corporate entity contained stolen and recompiled content from other websites. Bastion Secure's website claims that the company is based in England, but the researchers observed the site serving 404 error pages in Russian. The website's 'About' page also states that the company is a spin-off of the legitimate cybersecurity firm Convergent Network Solutions Ltd. FIN7 was found offering between $800 and $1,200 per month to recruit C++, PHP, and Python programmers as well as Windows system administrators and reverse-engineering specialists. The researchers believe the hacking group also wanted to hire system administrators because they would be able to map compromised corporate systems, conduct network reconnaissance, and locate backup servers and files, all skills required for the pre-encryption stages of ransomware attacks. This article continues to discuss the evidence that suggests FIN7 was behind the creation of the fake Bastion Secure cybersecurity firm.

    Bleeping Computer reports "Hacking Gang Creates Fake Firm to Hire Pentesters for Ransomware Attacks"

  • news

    "Russian Cybercriminals Switch to Cloud"

    Cybersecurity researchers at Kaspersky published research on Russian-speaking cybercriminal activity and how it has changed over the past six years. The researchers found that the historically favored attacks targeting banks and other financial organizations with money-stealing malware have largely been replaced. Nowadays, the researchers stated, adversaries prefer to hit their targets with ransomware and data-stealing attacks delivered via spear-phishing emails with malicious attachments. Another critical change recorded by the researchers was a move away from developing malware in-house and toward public cloud infrastructure. The researchers found that cybercriminals now prefer to use publicly available penetration-testing and remote-access software to bypass security defenses by appearing legitimate. Russian adversaries were found to be working in much smaller groups than before, and, instead of hitting Russia, they are striking targets overseas.

    Infosecurity reports: "Russian Cybercriminals Switch to Cloud"

  • news

    CISA Awards $2M in New Cybersecurity Training Programs to Underserved Communities

    CISA, the US Cybersecurity and Infrastructure Security Agency, has awarded NPower and CyberWarrior contracts worth $2M to bring cybersecurity training to underserved communities, such as the unemployed and underemployed. One goal of these programs is to develop cybersecurity talent from non-traditional sources to address the shortage of workers in this area. They will look to increase the representation of underrepresented groups in the industry, such as people of color, women, military spouses, and veterans from both urban and rural communities.

  • news

    "US to Ban Export of Hacking Tools to Authoritarian States"

    The US government has issued new rules designed to prevent the export of hacking and surveillance tools to regimes guilty of human rights abuses. The new rules were released by the Commerce Department's Bureau of Industry and Security (BIS) and will go into force in 90 days. The governments singled out by the proposals are "of concern for national security reasons" or subject to an arms embargo. The rules will also apply if the exporter knows that the product will be used to impact the confidentiality, integrity, or availability of IT systems without the knowledge of their owner or administrator. The cybersecurity community has 45 days to comment on the rules. The latest rules created by BIS result from its negotiations in the multilateral Wassenaar Arrangement, which governs export controls. The long-running arrangement has been criticized in the past for adding unnecessary red tape for cybersecurity vendors wanting to export their products abroad.

    Infosecurity reports: "US to Ban Export of Hacking Tools to Authoritarian States"

  • news

    "CISA Awards $2 Million to Bring Cybersecurity Training to Rural Communities and Diverse Populations"

    The U.S. Homeland Security Department's Cybersecurity and Infrastructure Security Agency (CISA) awarded $2 million to NPower and CyberWarrior in support of the development of cyber workforce training programs. The two organizations will focus on unemployed, underemployed, and underserved communities in urban and rural areas. They will also focus on commonly underserved populations, including veterans, military spouses, women, and people of color. The awards are part of CISA's mission to recruit diverse cybersecurity talent and build a skilled workforce, and they are the first of their kind to be given by CISA. CISA Director Jen Easterly pointed out that addressing the cyber workforce shortage requires proactively searching for and fostering prospective talent from nontraditional places. NPower and CyberWarrior will work with CISA to develop a scalable and replicable proof-of-concept program that identifies and trains talented individuals in cybersecurity. The three-year pilot program will develop and implement a comprehensive cybersecurity pathways retention strategy, deliver entry-level cybersecurity training via innovative training hubs, place talented individuals into entry-level cybersecurity jobs to decrease the cyber workforce shortage, and more. This article continues to discuss CISA's latest workforce development effort, which aims to benefit communities and populations that may not currently have access to cybersecurity training programs.

    HSToday reports "CISA Awards $2 Million to Bring Cybersecurity Training to Rural Communities and Diverse Populations"

  • news

    "30+ Nations Pledge to Combat Ransomware, Promote Cyber Resilience"

    The White House held a series of virtual meetings with representatives from more than 30 countries to discuss the growing security threat posed by ransomware. The United States, together with the other participating nations, pledged to tackle ransomware threats and promote cyber resilience. Those that made this commitment include Australia, Brazil, Bulgaria, Canada, Czech Republic, the Dominican Republic, Estonia, the European Union, France, Germany, India, Ireland, Israel, Italy, Japan, Kenya, Lithuania, Mexico, the Netherlands, New Zealand, Nigeria, Poland, Republic of Korea, Romania, Singapore, South Africa, Sweden, Switzerland, Ukraine, United Arab Emirates, the United Kingdom, and the United States. It was emphasized that ransomware poses a significant risk to critical infrastructure, essential services, public safety, consumer protection, privacy, and the economy. The nations pledged to strengthen network resilience by implementing policy frameworks, governance structures, and incident response procedures. This article continues to discuss the Counter Ransomware Initiative.

    HealthITSecurity reports "30+ Nations Pledge to Combat Ransomware, Promote Cyber Resilience"

  • news

    "Space ISAC and NY InfraGard Collaborate To Advance Cybersecurity in Space"

    The Space Information Sharing and Analysis Center (Space ISAC) and the NY Metro InfraGard Members Alliance (NYM-IMA) will work together to strengthen cybersecurity in space. The organizations signed a Memorandum of Understanding, thus allowing them to collaborate in different ways. This collaboration will focus on raising further awareness about the various activities in the space domain among space users and operators. The Space ISAC's mission is to improve the ability to prepare for and respond to vulnerabilities, incidents, and threats. The organization also wants to spread timely and actionable information to member entities, and serve as the main communications channel for the space sector regarding such information. Through this collaboration, the Space ISAC will develop a platform that enables collaboration and communication among organizations involved in the space industry. This article continues to discuss the partnership formed between the Space ISAC and the NYM-IMA to bolster space cybersecurity.

    Cyber Intel reports "Space ISAC and NY InfraGard Collaborate To Advance Cybersecurity in Space"

  • news

    "72% of Organizations Experienced a DNS Attack in the Last Year"

    Researchers at the Neustar International Security Council (NISC) found that nearly three-quarters (72%) of organizations have suffered a domain name system (DNS) attack in the last 12 months. Of those organizations affected, 61% were targeted on multiple occasions, while 11% have been victimized regularly. The researchers noted that DNS attacks are generally a lower concern for security professionals than vectors like ransomware, distributed denial-of-service (DDoS), and targeted account hacking, but stated that DNS attacks are becoming increasingly menacing to organizations. According to the researchers, 55% of security professionals consider DNS compromise an increasing threat, compared to 47% in October 2020. The most common types of DNS attacks experienced in the last 12 months were DNS hijacking (47%), DNS flood, reflection, or amplification attacks that segued into DDoS (46%), DNS tunneling (35%), and cache poisoning (33%).

    Infosecurity reports: "72% of Organizations Experienced a DNS Attack in the Last Year"

  • news

    "Threat Actors Abusing Discord to Spread Malware"

    Researchers at Check Point have discovered new multi-function malware abusing the core functions of popular group app platform Discord. The researchers found several malicious GitHub repositories featuring malware based on the Discord API and malicious bots. It included various features, including keylogging, taking screenshots, and executing files. Discord bots help users automate tasks on the Discord server. However, they can also be used for malicious ends, the researchers warned. For example, the Discord Bot API can easily be manipulated to turn a bot into a simple Remote Access Trojan (RAT). This doesn't even require the Discord app to be downloaded to a target's machine. The researchers noted that communications between attacker, Discord server, and victim's machine are encrypted by Discord, making it much harder to detect any malware. The researchers said that this could provide attackers with an "effortless" way to infect machines and turn them into malicious bots. The researchers noted that the Discord API does not require any type of confirmation or approval and is open for everyone to use. Due to these Discord API freedoms, the only way to prevent Discord malware is by disabling all Discord bots. The researchers noted that preventing Discord malware can't be done without harming the Discord community, and as a result, it is up to the users' actions to keep their devices safe. The researchers also found dozens of instances where threat actors used Discord as a malicious file hosting service, with their privacy protected by the app.

    Infosecurity reports: "Threat Actors Abusing Discord to Spread Malware"

  • news

    "New Gummy Browsers Attack Lets Hackers Spoof Tracking Profiles"

    Academic researchers have developed a new fingerprint-capturing and browser-spoofing attack dubbed Gummy Browsers. According to the researchers, the attack is easy to perform and can have severe consequences. A digital fingerprint serves as a unique online identifier linked to a specific user, based on a combination of a device's characteristics, including the user's IP address, browser and OS version, installed applications, active add-ons, and cookies. These characteristics can also include the manner in which the user moves the mouse or types on the keyboard. Websites and advertisers use digital fingerprints to confirm that a visitor is human, to track a user between sites, or to improve targeted advertising. Because these fingerprints are valuable, they are often sold on dark web marketplaces to threat actors and scammers, who can then use them to spoof users' online identities, making it easy to take over accounts or conduct advertising fraud. The Gummy Browsers attack involves making a person visit an attacker-controlled website to capture their fingerprint and then replaying that fingerprint on a target platform to spoof the person's identity. After generating a user's fingerprint with existing or custom scripts, the researchers developed methods to spoof the user on other sites. The researchers explained that the Gummy Browsers attack could impersonate a victim's browser transparently nearly 100 percent of the time without affecting the tracking of legitimate users. The attack is easy to execute and difficult to detect because acquiring and spoofing the browser characteristics is invisible to both the user and the remote web server. The researchers warned that the Gummy Browsers attack could have a lasting impact on users' online privacy and security as browser fingerprinting continues to grow in real-world adoption. This article continues to discuss digital fingerprints as well as the process and potential impact of the Gummy Browsers attack.

    Bleeping Computer reports "New Gummy Browsers Attack Lets Hackers Spoof Tracking Profiles"

  • news

    "A Quarter of All Malicious JavaScript Is Obfuscated"

    Security researchers at Akamai analyzed 10,000 malicious JavaScript samples representing threats such as malware droppers, phishing pages, scams, cryptomining malware, and more. The analysis revealed that at least 25 percent of the samples used JavaScript obfuscation methods to evade detection. According to the researchers, this finding shows the continued adoption of obfuscation techniques by cybercriminals seeking to remain undetected. They call for the use of more advanced Machine Learning (ML) techniques to detect malicious obfuscation, techniques that can distinguish malicious from benign obfuscated JavaScript. The researchers also say that a detection approach should use additional indicators and automatically treat obfuscated code as suspicious until proven otherwise. This article continues to discuss key findings from Akamai's analysis of malicious JavaScript samples.

    ITPro reports "A Quarter of All Malicious JavaScript Is Obfuscated"
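    As an added example (not from the ITPro article or Akamai's detection tooling), the following JavaScript computes a few static indicators that make obfuscated scripts stand out and scores a sample as suspicious when several fire at once. The two samples are constructed for this example; the indicator set, thresholds, and "three hits" rule are assumptions chosen for illustration, not Akamai's, and a production detector would combine such indicators with a trained classifier, as the researchers suggest.

```javascript
// Added example, not code from the ITPro article or from Akamai: static
// indicators that separate obfuscated JavaScript from ordinary code.
// Thresholds and the "3 hits = suspicious" rule are assumptions for this demo.

// Shannon entropy in bits per character; packed or base64-heavy text scores high.
function shannonEntropy(text) {
  const counts = new Map();
  for (const ch of text) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const n of counts.values()) {
    const p = n / text.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Count occurrences of a global regex in src.
function count(src, re) {
  return (src.match(re) || []).length;
}

function obfuscationIndicators(src) {
  return {
    entropy: shannonEntropy(src),
    longestLine: Math.max(...src.split('\n').map((l) => l.length)),
    // '\x66' / '\u0066' escapes used to hide readable strings
    hexEscapes: count(src, /\\x[0-9a-fA-F]{2}|\\u[0-9a-fA-F]{4}/g),
    // long base64-looking string literals
    encodedStrings: count(src, /'[0-9a-zA-Z+/=]{40,}'|"[0-9a-zA-Z+/=]{40,}"/g),
    // runtime code generation and decoding sinks
    dynamicEval: count(src, /\b(eval|Function|unescape|atob)\s*\(|\.fromCharCode\b/g),
    // identifier style typical of popular JavaScript obfuscators
    hexIdentifiers: count(src, /\b_0x[0-9a-f]{4,}\b/g),
  };
}

// An indicator "hits" when it reaches its threshold; three hits flag the sample.
const THRESHOLDS = {
  entropy: 5.0,
  longestLine: 500,
  hexEscapes: 5,
  encodedStrings: 1,
  dynamicEval: 1,
  hexIdentifiers: 3,
};

function analyze(src) {
  const indicators = obfuscationIndicators(src);
  const hits = Object.keys(THRESHOLDS).filter((k) => indicators[k] >= THRESHOLDS[k]);
  return { indicators, hits, suspicious: hits.length >= 3 };
}

// Constructed samples for this example. The base64 blob decodes to
// "alert(1);" repeated four times; nothing here is ever executed.
const BENIGN_SAMPLE = [
  'function isValidEmail(address) {',
  '  return /^[^@\\s]+@[^@\\s]+\\.[a-z]{2,}$/i.test(address);',
  '}',
  "document.getElementById('signup').addEventListener('submit', function (event) {",
  '  if (!isValidEmail(event.target.email.value)) {',
  '    event.preventDefault();',
  "    alert('Please enter a valid email address.');",
  '  }',
  '});',
].join('\n');

const OBFUSCATED_SAMPLE = [
  "var _0x4a1b=['\\x66\\x72\\x6f\\x6d\\x43\\x68\\x61\\x72\\x43\\x6f\\x64\\x65'," +
    "'\\x73\\x72\\x63','\\x63\\x72\\x65\\x61\\x74\\x65\\x45\\x6c\\x65\\x6d\\x65\\x6e\\x74'];",
  'var _0x2f3c=function(_0x1d9e){return String[_0x4a1b[0]](_0x1d9e^0x2a);};',
  "eval(atob('YWxlcnQoMSk7YWxlcnQoMSk7YWxlcnQoMSk7YWxlcnQoMSk7'));",
].join('\n');

console.log('benign    ', analyze(BENIGN_SAMPLE));
console.log('obfuscated', analyze(OBFUSCATED_SAMPLE));
```

    The design point is the one the article makes: no single indicator is conclusive (minified libraries have long lines, legitimate code calls atob), so the score requires several to coincide, and anything that crosses the bar is treated as suspicious and handed on for deeper analysis rather than ignored.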

  • news

    "CISA Issues Warning On Cyber Threats Targeting Water and Wastewater Systems"

    On October 14, 2021, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued a warning about possible ransomware attacks aimed at water and wastewater facilities. When such attacks succeed, clean water, potable water, and wastewater management are all at risk. These systems are often vulnerable because of outdated operating systems and software and failure to apply security updates. The alert recommends multi-factor authentication for all remote access and limiting onsite users to essential personnel to help prevent attacks.

    The Hacker News reports "CISA Issues Warning On Cyber Threats Targeting Water and Wastewater Systems"

  • news

    "Data Breach Hits US Dental Patients"

    A cyberattack on the vendor of a network of dental practices may have exposed the data of tens of thousands of patients. An adversary used a phishing attack to gain access to the computer systems of North American Dental Management between March 31 and April 1, 2021. Pittsburgh-based North American Dental Management provides administrative and technical support services for Professional Dental Alliance (PDA) offices. PDA notified patients that an unauthorized individual may have accessed some of their protected health information (PHI) after the security breach. The information that may have been exposed was stored in email accounts that the attacker was able to access. At this time, the identity of some individuals is known, but the vendor's investigation is ongoing. After discovering the breach, North American Dental Management took steps to secure the compromised email accounts and launched an investigation. PDA noted that it had not found any evidence of actual misuse of personal information and that its investigation indicates that the attack was limited to email credential harvesting. The threat actor did not access PDA's patient electronic dental records or dental images; however, the Alliance found that some sensitive personal information may have been present in the compromised email accounts. The full extent of the potentially affected personal information is not yet known and will vary between persons, but it may include the following: name, address, email address, phone number, dental information, insurance information, Social Security Number, and/or financial account numbers. The breach was reported to the HHS Office for Civil Rights as impacting 125,760 patients in Connecticut, Florida, Georgia, Illinois, Indiana, Massachusetts, Michigan, New York, Texas, and Tennessee.

    Infosecurity reports: "Data Breach Hits US Dental Patients"

  • news

    "Microsoft, Intel and Goldman Sachs Team Up For New Supply Chain Security Initiative"

    Microsoft has teamed up with Intel and Goldman Sachs to push for hardware security improvements that could help to mitigate supply chain risks. Working under the auspices of the non-profit Trusted Computing Group (TCG), the companies have created a new Supply Chain Security workgroup that will aim to bring in experts from across the tech sphere. The TCG stated that malicious and counterfeit hardware is particularly difficult to detect as most organizations don't have the tools or in-house knowledge to do so. The newly formed group will focus on two key areas. First, the group will focus on provisioning to ensure devices can be trusted at every step of the supply chain. Secondly, the group will be helping companies to recover in the event of an attack. A researcher at Microsoft stated that for nearly 20 years, TCG has guided the industry in adopting technologies that enable secure computing, with specifications for IoT and embedded systems, PCs and servers, mobile, and storage. The researcher also noted that the supply chain is the one thing that spans all of these verticals, and experts from TCG workgroups are now coming together to create industry-wide guidance that seeks to make the supply chain more secure.

    Infosecurity reports: "Microsoft, Intel and Goldman Sachs Team Up For New Supply Chain Security Initiative"

  • news

    "CISA, FBI, and NSA Release BlackMatter Ransomware Advisory To Help Organizations Reduce Risk of Attack"

    The U.S. Homeland Security Department's Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the National Security Agency (NSA) published a joint cybersecurity advisory regarding BlackMatter ransomware intrusions that have targeted two U.S. food and agriculture sector organizations and other U.S. critical infrastructure entities. The advisory provides technical details and an assessment of BlackMatter ransomware, along with mitigation actions to consider to reduce the risk of a BlackMatter ransomware attack. Eric Goldstein, CISA's Executive Assistant Director for Cybersecurity, says the advisory emphasizes the need for a collective public and private approach to reducing the impact and frequency of ransomware attacks. This article continues to discuss the advisory released by CISA, the FBI, and the NSA about the BlackMatter ransomware gang and recommended best practices for organizations to protect their networks, systems, and data.

    CISA reports "CISA, FBI, and NSA Release BlackMatter Ransomware Advisory To Help Organizations Reduce Risk of Attack"

  • news

    Visible to the public "Sinclair Confirms Ransomware Attack That Disrupted TV Stations"

    Sinclair Broadcast Group, which owns hundreds of local television stations across the U.S., confirmed Monday that it had suffered a ransomware attack. The incident is disrupting its advertising operations, among other things, and over the weekend it spread to many of the TV affiliates the company owns, knocking local broadcast feeds off the air. In a statement, the company noted that the cyberattack disrupted its general and office operations and resulted in data exfiltration. On October 16, 2021, the company identified the potential security incident and began to investigate it and take steps to contain it. On October 17, 2021, the company determined that specific servers and workstations in its environment had been encrypted with ransomware and that particular office and operational networks were disrupted. According to reports, many stations had resumed operations as of Monday, but others are still dealing with lingering issues such as trouble using weather graphics. Sinclair confirmed that data was taken, but it is not yet sure which information the attackers have.

    Threatpost reports: "Sinclair Confirms Ransomware Attack That Disrupted TV Stations"

  • news

    Visible to the public "Damages Escalate Rapidly in Multi-Party Data Breaches"

    New research from the Cyentia Institute explored the top 50 multi-party breaches, finding that the average large-sized breach involved 31 organizations and cost an average of $90 million, compared to the average loss of $200,000 from a typical cybersecurity incident. Although system intrusions impacted the most organizations, ransomware and wiper incidents resulted in the greatest loss. Cyentia also found that attacks involving valid accounts, and those carried out by nation-state actors, caused significantly greater damages per incident. These findings further emphasize the importance of companies increasing their efforts to ensure that their vendors and contractors are not opening their networks to attacks. The lesson learned from the largest multi-party breaches is that companies' cybersecurity and risk mitigation efforts must focus not only on attackers targeting the business directly but also on those targeting third parties, since the damage ripples down to vendors' clients. Wade Baker, the co-founder of Cyentia, calls on organizations to approach risk management with more supply chain or third-party-centric thinking to help deal with nation-state actors or cybercriminal gangs. This article continues to discuss key findings from Cyentia's Information Risk Insights Study (IRIS).

    Dark Reading reports "Damages Escalate Rapidly in Multi-Party Data Breaches"

  • news

    Visible to the public "83% of Ransomware Victims Pay the Demand"

    Security researchers at ThycoticCentrify have found that more than four in five (83%) ransomware victims in the last 12 months felt they had no option but to pay the extortion demand to restore their data. The study, which was based on a survey of 300 US IT business decision-makers, also found that close to two-thirds (64%) of companies were victims of ransomware attacks in the last 12 months. The research further highlighted the substantial damage caused to organizations by ransomware attacks. Half (50%) of respondents said their company had experienced a loss of revenue and reputational damage from an attack, and 42% admitted they lost customers due to an attack. Additionally, around one-third cited a ransomware attack as the cause of employee layoffs. The most vulnerable vectors for ransomware attacks are email (53%), applications (41%), and the cloud (38%), according to the IT business decision-makers surveyed. The researchers stated that, encouragingly, there appears to be growing recognition of the need to improve cyber-defenses amid surging ransomware incidents. Nearly three-quarters of respondents have seen their cybersecurity budgets increase due to ransomware threats, while 93% of businesses are allocating a special budget to fight ransomware threats.

    Infosecurity reports: "83% of Ransomware Victims Pay the Demand"

  • news

    Visible to the public "Confidential Computing: A Game-Changing Way To Protect Data in Use"

    Advancements continue to be made in the encryption of data at rest and data in motion. However, it is also important to encrypt data while it is being analyzed in computer memory. Confidential computing is an emerging industry initiative aimed at protecting data in use, at scale, and in the cloud. It is enabled by implementing hardware technology that sets aside a section of a CPU as a secure enclave. The technology encrypts the memory in the enclave using an encryption key that is unique to the CPU and the application. An organization can apply this method to protect highly sensitive data and application code in the enclave. The data can only be decrypted in that enclave on that CPU, thus resulting in the data remaining protected while it is in use. For example, if attackers were to gain root access to a system while users are performing analytics on a database, the attackers still would not be able to read the data. In addition, the technology's attestation feature allows an organization to confirm to third parties that the data resides in an enclave. Enclave size was limited in earlier generations of this technology, but with the latest generation of computer processors allowing a server to have up to 1 TB of enclave memory, agencies can put an entire application, database, or transaction server inside the enclave. This article continues to discuss the technology that enables confidential computing, efforts to bring confidential computing to the government, and how the high-tech industry and public sector could benefit from the adoption of confidential computing.

    GCN reports "Confidential Computing: A Game-Changing Way To Protect Data in Use"

  • news

    Visible to the public "BEC Attacks: Scammers' Latest Tricks"

    A survey by GreatHorn revealed that 71 percent of organizations experienced at least one Business Email Compromise (BEC) attack within the past year. New research from Trend Micro suggests that scammers are stepping up their BEC attacks. Threat researchers and analysts at Trend Micro observed that BEC attacks not only target high-profile users such as executives but also any employees who can be found on LinkedIn and other social media networks with potentially valuable personal information published. Such information can be used to impersonate employees and partners, and can lead to significant financial damage to targeted businesses. BEC scams have been among the most lucrative cybercriminal schemes for many years because they are often difficult to detect. Since BEC scam emails target specific recipients, do not include malicious attachments or links, and usually start with harmless requests, it is difficult for email security solutions to detect them. One trick used by BEC scammers is to register domain names containing keywords associated with the telecommunications industry and service provider names. Another trick employed by BEC scammers is to register domains with long names, common keywords, and new generic top-level domain (TLD) words. This article continues to discuss the difficulty in detecting BEC attacks and the latest tricks used by BEC scammers.

    Help Net Security reports "BEC Attacks: Scammers' Latest Tricks"
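    A defender-side screen for the two domain-registration tricks described in the item above, written as an added example for this digest (it is not code from the article or from Trend Micro). The keyword and TLD lists, the length threshold, and the sample sender addresses are all constructed for illustration; a real deployment would draw them from the organization's own partner list and threat intelligence.

```python
"""Heuristic screen for lookalike sender domains of the kind BEC scammers register.
Added example; keyword/TLD lists and sample senders are constructed, not from the article."""
import re
from dataclasses import dataclass, field

# Constructed: telecom keywords and provider names that lookalike domains tend to borrow
TELECOM_KEYWORDS = ("telecom", "telco", "mobile", "wireless", "broadband", "fiber", "isp")
PROVIDER_NAMES = ("verizon", "tmobile", "vodafone", "telstra")
# Constructed: newer generic TLDs that rarely appear among an organization's real partners
NEW_GTLDS = ("xyz", "top", "online", "site", "icu", "club", "live", "support")
COMMON_WORDS = re.compile(r"secure|support|billing|account|service|invoice|payment")
LONG_LABEL = 20  # registrable label length above which the name counts as "long"


@dataclass
class DomainAssessment:
    domain: str
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return len(self.reasons) > 0


def split_domain(domain: str):
    """Return (registrable label, tld) for a lowercased domain, ignoring subdomains."""
    parts = domain.lower().strip(".").split(".")
    if len(parts) < 2:
        return parts[0], ""
    return parts[-2], parts[-1]


def assess_sender_domain(domain: str, known_domains=frozenset()) -> DomainAssessment:
    """Flag the registration patterns from the article: telecom keywords or provider
    names embedded in the label, and long, keyword-stuffed labels on new gTLDs.
    Domains on the organization's allowlist are never flagged."""
    result = DomainAssessment(domain.lower())
    if result.domain in known_domains:
        return result
    label, tld = split_domain(result.domain)
    hits = [k for k in TELECOM_KEYWORDS if k in label]
    if hits:
        result.reasons.append("telecom keyword in domain: " + ", ".join(hits))
    # The provider's own domain (label == name) is not a lookalike; "verizon-billing" is
    names = [n for n in PROVIDER_NAMES if n in label and label != n]
    if names:
        result.reasons.append("provider name embedded in unrelated domain: " + ", ".join(names))
    if tld in NEW_GTLDS:
        result.reasons.append("new generic TLD: ." + tld)
    if len(label) >= LONG_LABEL or COMMON_WORDS.search(label):
        result.reasons.append("long or keyword-stuffed label")
    return result


# Constructed sample senders, as they might appear in a mail gateway log
SAMPLE_SENDERS = [
    "cfo@example.com",
    "billing@acme-telecom.com",
    "support@verizon-wireless-billing-support.xyz",
    "partner@verizon.com",
    "ceo@example-company-accounts-services.top",
]


def scan_senders(addresses, known_domains=frozenset()) -> dict:
    """Map each flagged address to the reasons it was flagged."""
    flagged = {}
    for addr in addresses:
        assessment = assess_sender_domain(addr.rsplit("@", 1)[-1], known_domains)
        if assessment.suspicious:
            flagged[addr] = assessment.reasons
    return flagged
```

    Flagged domains are candidates for review or a warning banner, not automatic blocks; the allowlist keeps genuine partner domains such as a real provider's own domain out of the results.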

  • news

    Visible to the public "BlackByte Ransomware Decryptor Released"

    The Windows-based ransomware dubbed BlackByte, discovered by researchers at the cybersecurity firm Trustwave, seems to have been inspired by other strains known to bring in significant financial rewards for their operators. BlackByte is described as odd because of the decisions its creators made regarding design and functionality. According to a set of technical advisories recently published by Trustwave, the ransomware only targets systems that are not based on Russian or ex-USSR (Union of Soviet Socialist Republics) languages. BlackByte also employs the double-extortion tactic: it not only encrypts and locks systems but also threatens to steal or sell stolen data in an effort to force victims to pay the demanded ransom. Like other modern ransomware operators, including Maze, REvil, Conti, and Babuk, BlackByte has launched a leak website. However, the researchers say BlackByte's threat of data exfiltration and leaks is baseless, since the ransomware does not appear to have that capability. Despite BlackByte having no exfiltration functionality, the threat will still push more victims to pay after their systems have been infected. The ransomware's encryption process also suggests that it is likely operated by less-skilled threat actors, since the malware downloads and uses the same Advanced Encryption Standard (AES) key to encrypt files rather than a unique key for each session. A free decryptor for BlackByte ransomware has been made available by Trustwave on GitHub. This article continues to discuss BlackByte's targets, double-extortion tactic, encryption process, and other capabilities, as well as the decryptor released for the ransomware.

    ZDNet reports "BlackByte Ransomware Decryptor Released"

  • news

    Visible to the public "Cyberattack Response Takes More than Two Working Days"

    Researchers at Deep Instinct have found that organizations worldwide take on average more than two business days to respond to cyberattacks. The finding was published in the company's second bi-annual Voice of SecOps Report, which was based on a survey of 1,500 senior cybersecurity professionals in 11 countries who work for businesses with more than 1,000 employees and annual revenue of more than $500m. The survey revealed the average global response time to a cyberattack to be 20.09 hours. Companies within the financial sector were faster to respond, taking on average 16 hours to react. The researchers also found that larger companies answered threats more quickly, clocking up an average response time of 15 hours. Smaller companies were slower to respond, taking an average of 25 hours to make their move. The researchers also discovered that only 1% of those surveyed believed that every single one of their endpoints had at least one security agent installed. Just over a quarter (26%) cited "complexity" as the main thing impeding their ability to install more endpoint security agents. Other key concerns include the time it takes to investigate threats (39%) and a shortage of qualified SecOps staff (35%). Nearly one-third of survey respondents believe that the biggest challenge in deploying endpoint agents is the cloud. Files stored in the cloud were an unchecked vulnerability for 80% of respondents, while 68% were worried that their colleagues would accidentally upload malicious files.

    Infosecurity reports: "Cyberattack Response Takes More than Two Working Days"

  • news

    Visible to the public "Mitigating Cloud Risks Starts With Full Visibility of Shadow IT"

    Netskope and GovLoop conducted a survey to which 230 public sector agency managers and employees responded, providing insight into their understanding of cloud security risks. About 42 percent of the respondents cited good awareness of cloud security risks, while 26 percent cited low or no awareness, and about 32 percent cited somewhere in the middle. Different factors intensify cloud security risks in the public sector. One factor is the ever-changing threat landscape, with state-sponsored cyber actors and other malicious actors continuing to strengthen or develop new attack capabilities. Human error is another factor, with misconfigurations remaining one of the main elements involved in cyber incidents. Another factor is the overreliance on various technology vendors, whose specific tools are often limited in their ability to prevent sensitive data from being leaked, control risky behavior, and more. Visibility and control are the common denominators among these factors that heighten the cloud security risks faced by the public sector. One of the biggest visibility gaps is in shadow IT usage. Shadow IT refers to the use of devices, applications, or services without explicit approval from the agency's IT department. Shadow IT has been found to make up as much as 97 percent of all cloud applications used by organizations. Over 50 percent of the survey respondents reported that their organization lacked visibility into the use of shadow IT. A lack of visibility and control leaves agencies open to data loss and other security vulnerabilities. A data-centric approach to cybersecurity is recommended to improve visibility and control of the IT environment; it involves verifying that a user's device is authorized to access the organization's network resources, limiting the resources users can access, and other practices. This article continues to discuss key findings from the survey regarding cloud security risk awareness and organizations' lack of visibility into the use of shadow IT, as well as the need for a data-centric approach to cybersecurity.

    NextGov reports "Mitigating Cloud Risks Starts With Full Visibility of Shadow IT"

  • news

    Visible to the public "Researchers Disclose New Side-Channel Attacks Affecting All AMD CPUs"

    Researchers from the Graz University of Technology and the CISPA Helmholtz Center for Information Security have disclosed new timing and power-based side-channel attacks, which affect all CPUs made by AMD. The researchers were among those who discovered the original Meltdown and Spectre vulnerabilities. These side-channel attacks enable malicious applications installed on a targeted machine to exploit CPU weaknesses to gather sensitive information from memory associated with other applications, including passwords and encryption keys. Many of the previously disclosed side-channel attacks targeted Intel processors, but newly presented research shows that systems powered by AMD processors are also impacted. The new attacks exploit time and power measurements of prefetch instructions. According to the researchers, prefetch attacks on AMD processors leak more information than prefetch attacks on Intel processors. They demonstrated multiple attack scenarios, including one in which they executed a Spectre attack to leak sensitive data from the operating system, and found a new technique for establishing a covert channel to exfiltrate data. They also claim to have identified the first full microarchitectural KASLR (Kernel Address Space Layout Randomization) break on AMD that can work on all major operating systems. The exploit mitigation technique, KASLR, has been shown to be breakable on laptops, desktop PCs, and virtual machines in the cloud. This article continues to discuss key findings surrounding the new side-channel attacks affecting all AMD CPUs and the chipmaker's response to these discoveries.

    Security Week reports "Researchers Disclose New Side-Channel Attacks Affecting All AMD CPUs"

  • news

    Visible to the public "US Treasury Tracks $5.2bn of Ransomware Transactions in Six Months"

    The US Treasury has tracked $5.2bn worth of Bitcoin transactions likely to have been ransomware payments in the first half of 2021. Its Financial Crimes Enforcement Network (FinCEN) bureau hinted in a new report that even this amount might only be the tip of the iceberg. FinCEN said it identified 68 ransomware families in total. The most frequently reported variants were REvil/Sodinokibi, Conti, DarkSide, Avaddon, and Phobos. The $5.2bn figure is associated with 177 wallet addresses mentioned in the suspicious activity reports (SARs) sent by banks to the authorities to combat financial crime and money laundering. The number of those SARs related to ransomware soared over the first half of 2021, FinCEN said. Some 635 were filed during the reporting period of January 1 to June 30, 2021, up 30% from the total of 487 SARs filed for the entire 2020 calendar year. There were 458 transactions reported in these SARs, with a total value of suspicious activity of $590m, which is more than the value reported for all of 2020 ($416m). FinCEN found that the average value of reported ransomware transactions per month in the first half of 2021 was around $100m. FinCEN couldn't say with complete certainty that all of the $5bn+ in transactions it identified through blockchain analysis were ransomware related. Still, the figures certainly re-emphasize the enormous financial impact of ransomware. FinCEN revealed that threat actors are increasingly demanding payments in currencies that are harder to track, like Monero.

    Infosecurity reports: "US Treasury Tracks $5.2bn of Ransomware Transactions in Six Months"

  • news

    Visible to the public CISA warning for water and wastewater facilities

    On October 14, 2021, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued a warning about possible ransomware attacks attempting to compromise water and wastewater facilities. When such attacks succeed, clean water, potable water, and wastewater management are all at risk. These systems are often vulnerable because they run outdated operating systems and software and have not applied security updates.

  • news

    Visible to the public "Olympus Investigates Potential Cyber-Attack"

    Olympus has launched an investigation after detecting a potential cybersecurity incident in part of its IT system. The Japanese manufacturer of optics and reprography products said that suspicious activity was spotted on October 10. The possible threat affects the company's systems in the United States, Canada, and Latin America. The company is currently working with digital forensics experts. The company has not confirmed the specific nature of the cybersecurity incident but stated that it was working to contain the threat. Part of the company's response has been to shut down the affected systems. Olympus has noted that the current results of its investigation indicate the incident was contained to the Americas, with no known impact on other regions. Security researchers said that the company should focus on understanding the root cause and bolstering data recovery capabilities once containment and eradication are complete.

    Infosecurity reports: "Olympus Investigates Potential Cyber-Attack"

  • news

    Visible to the public "US Government Warns of Insider and Ransomware Threat to Water Plants"

    The FBI, the Cybersecurity and Infrastructure Security Agency (CISA), the Environmental Protection Agency (EPA), and the National Security Agency (NSA) have issued an alert warning of ongoing malicious cyber-activity targeting the country's water and wastewater systems (WWS) sector. The U.S. authorities highlighted multiple tactics, techniques, and procedures (TTPs) being used by a range of actors in an attempt to compromise IT and OT systems. These include spear-phishing, exploitation of insecure RDP, targeting of unsupported or outdated operating systems and software, and exploitation of control system devices with vulnerable firmware. The alert refers to multiple incidents over the past two years, mainly ransomware attacks, including a September 2020 attack on a New Jersey-based WWS facility, a March 2021 compromise at a Nevadan plant, and an August 2021 attack on a Californian WWS site. The alert stated that attacks threaten the ability of WWS facilities to provide clean, potable water and effectively manage the wastewater of their communities. The agencies pointed out that the alert does not mean the WWS sector is being targeted more than other industries, merely that plant owners should be aware of ongoing cyber risks to their operations.

    Infosecurity reports: "US Government Warns of Insider and Ransomware Threat to Water Plants"