News Items

  • news

    Visible to the public "Irish Data Protection Commission Fines Meta Over 2021 Data-Scraping Leak"

    The Irish Data Protection Commission (DPC) fined Meta $275.5 million for a data leak suffered by Facebook in 2021 that exposed the data of millions of Facebook users. Meta is also subject to a number of corrective measures imposed by the DPC. On April 3, 2021, a user leaked the phone numbers and personal information belonging to 533 million Facebook users on a hacking forum. Alon Gal, CTO of cyber intelligence firm Hudson Rock, was the first to report on the data's availability. The leaked data impacted users in 106 countries, with more than 32 million records belonging to US users, 11 from the UK, and 6 million from India. Users' phone numbers, Facebook IDs, full names, locations, birth dates, bios, and, in some cases, email addresses were among the information leaked. Following the disclosure of the data leak, the Irish DPC launched an investigation into Meta's potential General Data Protection Regulation (GDPR) violations. Threat actors gathered the information by exploiting a vulnerability fixed in 2019 that allowed data to be scraped from the social media platform. Facebook said at the time that the data was gathered by malicious actors who used a Facebook tool called "Contact Importer" to upload a large number of phone numbers to see which ones matched the service's users. The company reiterated that it had removed the ability to scrape its services using phone numbers in 2019. The DPC has now concluded its investigation and argued that Meta violated the GDPR by failing to implement appropriate technical and organizational measures, and failing to implement the necessary safeguards as required by European Regulation. This article continues to discuss Meta getting fined by the Irish DPC for the data leak suffered by Facebook that exposed data belonging to millions of Facebook users.

    Security Affairs reports "Irish Data Protection Commission Fines Meta Over 2021 Data-Scraping Leak"

  • news

    Visible to the public "Pre-auth RCE in Oracle Fusion Middleware Exploited in the Wild (CVE-2021-35587)"

    The US Homeland Security Department's Cybersecurity and Infrastructure Security Agency (CISA) has confirmed that a pre-authentication Remote Code Execution (RCE) flaw in Oracle Access Manager (OAM), tracked as CVE-2021-35587, which was fixed in January 2022, is being exploited in the wild. The vulnerability has been added to CISA's Known Exploited Vulnerabilities (KEV) catalog. The vulnerability exists in the OAM product's OpenSSO Agent component, which corporations widely use for Single Sign-On (SSO) as part of the Oracle Fusion Middleware suite. It could enable an unauthenticated attacker with HTTP network access to compromise OAM and use it to create users with any privileges or execute arbitrary code on the victim's server. The vulnerability affected OAM v11.1.2.3.0, 12.2.1.3.0, and 12.2.1.4.0 and has been patched in those supported versions, but it also affects Oracle Weblogic Server 11g (10.3.6.0) and OAM 11g (11.1.2.0.0), which were no longer supported on January 1, 2022, and thus do not have a patch available for this RCE vulnerability. In addition, several Proof-of-Concept (PoC) exploits for the pre-authentication RCE flaw have been published on GitHub after the researchers who discovered it released a portion of theirs in March 2022. CISA has now detected successful exploitation attempts but has not yet provided information about these attacks. Since this vulnerability has been added to the KEV catalog, US Federal Civilian Executive Branch agencies must implement patches by December 19, 2022. This article continues to discuss the pre-authentication RCE flaw found in OAM.

    Help Net Security reports "Pre-auth RCE in Oracle Fusion Middleware Exploited in the Wild (CVE-2021-35587)"

  • news

    Visible to the public "Cyber-Threat Group Targets Critical RCE Vulnerability in 'Bleed You' Campaign"

    A campaign called "Bleed You" is attempting to exploit a known Remote Code Execution (RCE) vulnerability in Windows Internet Key Exchange (IKE) Protocol Extensions, and over 1,000 systems are unpatched and vulnerable. According to a new report from Cyfirma, the critical flaw, tracked as CVE-2022-34721, has been under active attack since September, affecting vulnerable Windows OS, Windows Servers, as well as Windows protocol and services. Once compromised, threat actors move laterally to deploy ransomware and other malware. According to Cyfirma, the threat actors speak Mandarin but also have ties to Russian cybercriminals. The attacks are not limited to a specific sector, with targets including retail, government, Information Technology (IT) services, and more. Victims were also dispersed across Canada, the UK, and the US. This article continues to discuss the targeting of a critical RCE vulnerability in Windows IKE Protocol Extensions in a malicious campaign known as Bleed You.

    Dark Reading reports "Cyber-Threat Group Targets Critical RCE Vulnerability in 'Bleed You' Campaign"

  • news

    Visible to the public "Acer Fixes UEFI Bugs That Can Be Used to Disable Secure Boot"

    Acer has patched a critical vulnerability affecting several laptop models that could allow local attackers to disable Unified Extensible Firmware Interface (UEFI) Secure Boot on targeted systems. The Secure Boot security feature thwarts untrusted operating system (OS) bootloaders on computers equipped with Trusted Platform Module (TPM) chip and UEFI firmware in order to prevent malicious code, such as rootkits and bootkits, from loading during the startup process. The security flaw, tracked as CVE-2022-4020, was found in the HQSwSmiDxe DXE driver on some consumer-grade Acer Notebook devices, according to Martin Smolar, an ESET malware researcher. Attackers with elevated privileges can take advantage of it to disable Secure Boot by altering the BootOrderSecureBootDisable NVRAM variable. This allows for low-complexity attacks that do not require user input. Threat actors can hijack the OS loading process, load unsigned bootloaders to bypass or disable protections, and then deploy malicious payloads with system privileges after exploiting the vulnerability on affected Acer laptops and disabling Secure Boot. Acer laptop models Aspire A315-22, A115-21, A315-22G, Extensa EX215-21, and EX215-21G are all on the list of affected models. To fix this problem, Acer advises users to update their BIOS to the most recent version. According to the company, this update will be a critical Windows update. Customers can also manually install the BIOS update on impacted systems by downloading it from the company's support website. Similar flaws that could have allowed hackers to disable UEFI Secure Boot were patched earlier this month by Lenovo in several ThinkBook, IdeaPad, and Yoga laptop models. Threat actors can deploy malware that can survive OS reinstallations and get around security solutions' anti-malware defenses if they can run unsigned, malicious code before OS boot. This article continues to discuss the potential impact of the UEFI bugs fixed by Acer.

    Bleeping Computer reports "Acer Fixes UEFI Bugs That Can Be Used to Disable Secure Boot"

  • news

    Visible to the public "Hackers Using Trending TikTok 'Invisible Challenge' to Spread Malware"

    According to new Checkmarx research, threat actors are exploiting a popular TikTok challenge to trick users into downloading information-stealing malware. The Invisible Challenge trend involves using a filter called Invisible Body, which only leaves a silhouette of the person's body behind. However, the fact that people filming such videos may be undressed has led to a malicious scheme in which attackers post TikTok videos with links to rogue software dubbed "unfilter" that claims to remove the applied filters. According to Checkmarx researcher Guy Nachshon, instructions to obtain the 'unfilter' software deploy WASP stealer malware hidden inside malicious Python packages. The WASP stealer, also known as the W4SP Stealer, is a piece of malware designed to steal users' passwords, Discord accounts, cryptocurrency wallets, and other sensitive information. The attackers' TikTok videos from November 11, 2022, are estimated to have received over a million views. As a result, the accounts have been suspended. The video also includes an invite link to the adversary's Discord server, which had nearly 32,000 members before being reported and deleted. Victims who join the Discord server are then sent a link to a GitHub repository that contains the malware. The attacker has since renamed the project "Nitro-generator," but not before it appeared on GitHub's Trending repositories list for November 27, 2022, by encouraging new Discord members to star it. This article continues to discuss the exploitation of the TikTok challenge to spread the WASP stealer malware.

    THN reports "Hackers Using Trending TikTok 'Invisible Challenge' to Spread Malware"

  • news

    Visible to the public "SocGholish Finds Success Through Novel Email Techniques"

    Proofpoint researchers have revealed more technical details about SocGholish, the malware variant they discovered earlier in November, emphasizing its tactics that differ from traditional phishing campaigns. SocGholish deviates from the norm by doing away with all of the classic staples of modern phishing, such as pushing a sense of urgency, promising rewards, and misdirection. SocGholish is instead used in email campaigns with site injections, primarily targeting organizations with extensive marketing campaigns or Search Engine Optimization (SEO). According to Drew Schmitt, managing security consultant and lead analyst at GuidePoint Security, the SocGholish email-based attacks combined with download-style infections are unique because they explicitly avoid having characteristics that the average user would be able to detect and identify. On November 2, Proofpoint revealed that SocGholish attacks had infected over 250 US news sites. According to the company, it observed intermittent injections in a media company that serves content to its partners via JavaScript. Proofpoint identified the threat actor as TA569, who modified the codebase of the benign JavaScript and used the media company to deploy SocGholish, potentially resulting in a dangerous supply chain attack. The threat actor is not directly targeting the media industry, but rather uses these companies as delivery mechanisms. Consumers who visit those websites are the intended victims. The actors are opportunistic, injecting scripts into landing pages, third-party styling resources, trackers, and scripts. They rely on the compromised entity being a legitimate organization and natural email traffic to drive traffic to those sites, such as newsletters, marketing efforts, and bulletins. Since articles on online news sites are often optimized for search engines, ad hoc searching would also lead potential victims to the compromised sites. The SocGholish is noteworthy because it is more than just a credential-stealing attack. It is also an attempt to gain persistence and lateral movement in order to drop additional malware payloads, which could include ransomware or other threats. This article continues to discuss key findings regarding the SocGholish malware.

    SC Magazine reports "SocGholish Finds Success Through Novel Email Techniques"

  • news

    Visible to the public The 2022 prize of ARCH-COMP was awarded to PSY-TaLiRo.

    The 2022 prize of ARCH-COMP was awarded to PSY-TaLiRo. The jury, consisting of group leaders and workshop participants, appreciated the technical achievements embodied in PSY-TaLiRo and furthermore recognised the long and continuous stream of contributions that the team has made to the community. The award comes with a 500 USD prize.

  • news

    Visible to the public "Cisco Identifies Vulnerabilities in Identity Services Engine"

    High-level vulnerabilities in Cisco Systems' network access control solution could allow an authenticated, remote attacker to inject arbitrary operating system commands, bypass security safeguards, and execute Cross-Site Scripting (XSS) attacks. Four of the five Cisco Identity Services Engine (ISE) issues were discovered earlier in November, but network and security administrators will have to wait until Cisco releases software fixes for them. There is no workaround for these vulnerabilities, tracked as CVE-2022-20964, CVE-2022-20965, CVE-2022-20966, and CVE-2022-20967. According to Cisco, valid and authorized ISE users can only exploit the vulnerabilities. Until the fixes are released, ISE administrators are urged to take extra precautions to limit console access and admin web access. CVE-2022-20961, a hole in ISE's web-based management interface that could allow an unauthenticated, remote attacker to conduct a Cross-Site Request Forgery (CSRF) attack and perform arbitrary actions on an affected device, has received software updates. Cisco says this vulnerability stems from insufficient CSRF protections for an affected device's web-based management interface. An attacker could exploit this flaw by convincing a user of the interface to click on a crafted link. The exploitation of this flaw could allow the attacker to perform arbitrary actions on the affected device with the target user's privileges. Cisco noted that the four vulnerabilities listed in one advisory are not dependent on one another for exploitation. Furthermore, a software release that is affected by one of the vulnerabilities may not be affected by the others. This article continues to discuss the potential impact of the ISE vulnerabilities.

    IT World reports "Cisco Identifies Vulnerabilities in Identity Services Engine"

  • news

    Visible to the public "What's Next in Cybersecurity"

    Hacking is an unavoidable constant in the cybersecurity industry, which is expected to spend $150 billion this year without actually being able to stop hackers. This year has seen Russian government hacks against Ukraine, an increase in ransomware attacks against hospitals, an increase in attacks against entire governments, and a series of costly cryptocurrency hacks. There have also been high-profile cyberattacks on companies such as Microsoft, Nvidia, and Rockstar Games. According to cybersecurity experts who spoke with MIT Technology Review, all of these types of hacks will continue next year and in the near future. Russia is expected to continue its online operations against Ukraine in the coming year. Ransomware attacks on hospitals, schools, and governments are expected to continue next year. Law enforcement action, including international cooperation among governments, was more frequent and effective this year, according to experts, implying that governments may be making inroads against ransomware. However, the Ukrainian conflict may make international cooperation more difficult. In January of this year, the Russian government declared that it was cooperating with the US by arresting 14 members of REvil and seizing computers, luxury cars, and more than $5 million, but this unprecedented collaboration did not last. According to Chainalysis, 2022 was the year of cryptocurrency hacks, with hackers stealing at least $3 billion in cryptocurrency during the year. Another cryptocurrency tracking company, Elliptic, estimated the total theft to be $2.7 billion. In the world of cryptocurrency, there were over 100 large-scale victims. There are now websites and Twitter accounts dedicated to tracking these hacks, which seem to occur on a daily basis. The most significant of them all was the Nomad protocol hack, in which a hacker discovered a vulnerability and began draining funds. This article continues to discuss notable cyberattacks that occurred this year and what cyberattack trends are expected to be seen in the new year.

    MIT Technology Review reports "What's Next in Cybersecurity"

  • news

    Visible to the public "Google Releases Patch for Zero-Day Chrome Vulnerability"

    Google has started rolling out a patch for a critical security flaw affecting the desktop version of its Chrome browser. The vulnerability, tracked as CVE-2022-4135, impacts Chrome for Windows, Mac, and Linux. Google is aware of an exploit for the high-severity vulnerability in the wild, implying that hackers may be targeting vulnerable Chrome installations. The flaw affects a Chrome component known as the renderer process. When a user visits a web page, Chrome downloads it as a collection of code files. Chrome's renderer process is in charge of converting the code files into a working web page with which the user can interact. Google's browser runs each web page in a sandbox for security reasons. The sandbox prevents page code from accessing critical components of the user's operating system, making it more difficult for malicious code to infiltrate the user's computer. The newly patched Chrome vulnerability may allow hackers to circumvent Chrome's sandbox mechanism. Sidestepping the mechanism enables malware to easily manipulate the user's operating system. According to the National Institute of Standards and Technology (NIST), hackers can use malicious web pages to target CVE-2022-4135. Because the vulnerability allows hackers to create a heap buffer overflow, it opens the door to cyberattacks. Chrome stores its code and the data it processes in the user's computer's memory. A program's memory is divided into sections known as buffers while running. One buffer may contain some of Chrome's source code, while another may contain some of the web page that the user has opened. When more data is written to a buffer than it can hold, the buffer overflows. Excess data is written to other buffers, overwriting the data in them. Hackers can exploit this to replace parts of a program with malicious code. This article continues to discuss the high-severity security vulnerability affecting the desktop version of its Chrome browser.

    SiliconANGLE reports "Google Releases Patch for Zero-Day Chrome Vulnerability"

  • news

    Visible to the public "FIFA World Cup Fans Warned Amid Rise of Cyber Attacks"

    Security experts have seen a sharp rise in the number of fake streaming website for the FIFA World Cup 2022 and other related scams. These sites are stealing user data and infecting users' sites with downloaded malware. Some of the sites pull fans in by offering "free streaming of FIFA matches" but instead try to get visitors to enter a credit card--saying it's only for verification purposes or a free trial. Scammers are also trying to sell fake tickets. Legitimate FIFA 2022 World tickets can only be purchased from the FIFA website. Fans should enjoy the games--but beware that personal loses could be off the field if you fall for scams.

    Yahoo Finance reports "FIFA World Cup Fans Warned Amid Rise of Cyber Attacks"

  • news

    Visible to the public "India's AIIMS Hit by Outages After Cyberattack"

    The All India Institute of Medical Sciences (AIIMS), India's leading public medical institute, is experiencing outages due to a cyberattack. Hundreds of patients and doctors are affected by the outages, which include patient admission, discharge, and billing systems. Thousands of medical undergraduate and postgraduate students attend AIIMS. With over 2,200 beds, it is also one of the largest state-owned hospitals. According to hospital officials, the cyberattack appears to be a ransomware attack because the attackers changed the extensions of infected files. According to AIIMS officials, patient care services have been severely impacted. The medical institute switched to manual operations, including handwriting patient notes, after the server that recorded patient data became inoperable. Long lines and errors in handling emergency cases have resulted from the outages. After a few hours of disruption, hospital officials issued a statement confirming the cyberattack. They are unable to send blood tests, request imaging studies, or view previous reports or images. Many such operations are performed manually, which takes more time and is more prone to errors, according to a resident doctor. The hospital administration later directed doctors to continue using handwritten notes, including signing birth and death certificates by hand, while the systems were inoperable. A National Informatics Centre team is collaborating with the Indian Computer Emergency Response Team to assist in the organization's recovery. According to a person with direct knowledge of the incident, an effort is underway to restore the data from backups. In addition, several law enforcement agencies, including the Central Bureau of Investigation and the Delhi Police Intelligence Fusion and Strategic Operations, are investigating the incident and the perpetrators. This article continues to discuss the impact and investigation of the AIIMS cyberattack.

    TechCrunch reports "India's AIIMS Hit by Outages After Cyberattack"

  • news

    Visible to the public "ConnectWise Fixes XSS Vulnerability That Could Lead to Remote Code Execution"

    Remote monitoring and management (RMM) platform ConnectWise has recently patched a cross-site scripting (XSS) vulnerability that could lead to remote code execution (RCE). Security researchers at Guardio Labs noted that threat actors could exploit it to take complete control of the ConnectWise platform. The researchers noted that in the case of the Page.Title resource, the [user input validation], is not being taken care of, leaving it vulnerable to a "Stored XSS" exploitation. The researchers stated that the user's input is inserted directly, as is, in between the tags on any page of the web app. The researchers added that this included the landing page for visitors (where they could enter their support code and potentially install a remote access Trojan), the admin login page, and any of the internal admin pages. The researchers stated that any code they maliciously inject in between the tags with some manipulations is executed as any other code in the context of the web app as if it was authored by the official owner of the service. The researchers explained that a script executing from this context would give an attacker full control over any element of the web app, potentially altering elements on the page, as well as connection to the backend servers. Guardio Labs confirmed it disclosed the vulnerability earlier this year, which ConnectWise promptly patched on August 8, 2022, in v22.6.

    Infosecurity reports: "ConnectWise Fixes XSS Vulnerability That Could Lead to Remote Code Execution"

  • news

    Visible to the public "Cybercrime Carnage: Cryptocurrency-Targeting Attacks Abound"

    Theft of cryptocurrency has grown to be a significant component of cybercrime. Despite the fallout from the collapse of cryptocurrency exchange FTX, which declared bankruptcy on November 11, illicit interest in cryptocurrency continues. Bitcoin still has a lot of value for attackers who can steal Bitcoin, Monero, Ether, and other cryptocurrencies and convert them to fiat currency using money-laundering techniques. Attackers raided the FTX exchange, with many market observers suspecting insider involvement. According to Chainalysis, the attacker converted approximately $60 million in stolen funds via the decentralized renBTC bridge. Direct attacks on cryptocurrency exchanges are often found to be associated with nation-state attack groups. However, criminals with no nation-state affiliation are more likely to use phishing, offer suspicious cryptocurrency exchange platforms, and launch cryptojacking to illicitly mine cryptocurrency. Cryptojacking is the use of malware that quietly sits on systems and uses its computational power to mine for cryptocurrency, solving computationally intensive tasks in exchange for the opportunity to receive free cryptocurrency as a reward. As law enforcement agencies work to disrupt ransomware operations, cryptojacking has resurfaced on a large scale. Mining used to be primarily a threat to end users, but now miners are stealing power from large businesses and critical infrastructure. Even large ransomware operators, such as AstraLocker, are ceasing operations in order to transition to cryptojacking. Attackers' favorite tactic remains the outright theft of cryptocurrency, but centralized exchanges are no longer the primary target of attackers as Decentralized Finance (DeFi) protocols have taken over. Chainalysis reported in October that 11 attacks had resulted in the theft of $718 million from DeFi protocols. This article continues to discuss the rise in cryptocurrency-targeting attacks.

    BankInfoSecurity "Cybercrime Carnage: Cryptocurrency-Targeting Attacks Abound"

  • news

    Visible to the public "Financial Services API and Web Application Attacks Increase by 257%"

    One of the most difficult challenges modern security teams face is managing the attack surface. Every app and Application Programming Interface (API) in today's hybrid and multi-cloud environments is a potential target for cybercriminals to exploit. Akamai Technologies, a Content Delivery Network (CDN) provider, recently released a new report revealing a 257 percent increase in web application and API attacks on financial service institutions. According to the same report, Distributed Denial-of-Service (DDoS) attacks on financial institutions increased by 22 percent year over year, and threat actors are using techniques in their phishing campaigns to circumvent two-factor authentication solutions. Although the findings focus on financial institutions, the report has broader importance for businesses. It emphasizes that web apps and APIs will be a primary target for cybercriminals in the future. According to Noname Security research, 41 percent of organizations had an API security incident in the previous 12 months, with 63 percent involving a data breach or data loss. One of the primary reasons for the high level of API exploitation targeting enterprises and financial institutions is the large attack surface of web applications and APIs that most security teams lack the resources and expertise to protect. There are several steps that businesses can take to strengthen their defenses against API-driven threats. Gartner suggests that organizations invest in technologies that automatically discover, catalog, and validate APIs. They are also urged to develop a security strategy that includes API security testing and API access control. Increasing transparency about which internal and third-party APIs are used allows enterprises to begin mitigating potential vulnerabilities across the attack surface. This article continues to discuss key findings and recommendations regarding the increase in API and web application attacks.

    VB reports "Financial Services API and Web Application Attacks Increase by 257%"

  • news

    Visible to the public "African Police Bust $800K Fraud Schemes"

    Interpol stated that police in Africa recently arrested ten people connected to global fraud worth an estimated $800,000 after a four-month operation. The global policing organization noted that 27 countries joined the Africa Cyber Surge Operation, which ran from July to November. Interpol stated that it was coordinated from the Interpol Command Center in Kigali, Rwanda. The operation focused on tackling the enablers of cybercrime. Police took action against 200,000 pieces of "malicious cyber infrastructure" across the region, including botnet-linked technology used to run mass phishing, spam, and online extortion campaigns. In Tanzania, police recovered over $150,000 of victims' money from data infringement and copyright cases, while in Eritrea, they dismantled a darknet market selling cybercrime-as-a-service components. Interpol noted that in Cameroon, police disrupted multiple cryptocurrency scams, including one that cost a victim over $12,600. Alongside the ten individuals arrested in connection with fraud, an eleventh was arrested on suspicion of committing child abuse offenses. Interpol noted that collaboration was critical to the success of the Africa Cyber Surge Operation. "Interpol worked with its local equivalent, Afripol; private sector security vendors including Trend Micro, Fortinet, Group-IB, and Kaspersky; local ISPs and Computer Emergency Response Teams (CERTs); hosting providers; and other players like the non-profit Shadowserver Foundation." According to Interpol, 18 of the participating countries have CERTs, and, crucially, police have now put in place agreements to formalize response work for the future. Many countries participated for the first time in such an operation.

    Infosecurity reports: "African Police Bust $800K Fraud Schemes"

  • news

    Visible to the public "Personal Data of Nearly 4,000 People Leaked in Hack of Radio Free Asia"

    Radio Free Asia (RFA), a US government-sponsored news outlet, revealed that it faced a breach that affected nearly 4,000 people and exposed vast amounts of personal information, including Social Security numbers and passport numbers, as well as financial information. The hack occurred on June 17, according to documents filed with Maine's attorney general, and RFA discovered it on June 28. The hack affected at least 3,779 people, with addresses, driver's license numbers, health insurance information, medical information, and "limited financial information" stolen. The incident was discovered within the organization's email system, which indicated unauthorized access to a limited number of servers. RFA took systems offline immediately after detection and then took measures to address and contain the incident, including launching an investigation, engaging data privacy and security professionals, collaborating with law enforcement, changing passwords, and migrating to a new cloud-based email environment, according to the organization's statement. The investigation determined that the unauthorized access was caused by an exploit of a service provider's vulnerability that RFA was unaware of at the time of the compromise. There is currently no evidence that information has been misused, but victims are being offered two years of free credit monitoring through Equifax. This article continues to discuss the RFA hack that leaked personal data belonging to almost 4,000 people.

    The Record reports "Personal Data of Nearly 4,000 People Leaked in Hack of Radio Free Asia"

  • news

    Visible to the public "DoD Releases Zero Trust Strategy and Roadmap"

    The Defense Department (DoD) has published its Zero Trust Strategy and Roadmap. Cyber threats and attacks have driven the need to adopt a zero trust strategy that goes beyond traditional perimeter defense. By FY27, the DoD intends to implement specific zero trust capabilities and activities outlined in the strategy and associated roadmap. The strategy foresees a DoD Information Enterprise protected by a fully implemented, department-wide zero trust cybersecurity framework that reduces the attack surface, enables risk management and effective data-sharing in partnership environments, and quickly detects and remediates adversary activity. The strategy outlines four high-level and integrated strategic goals that define what the department will do to realize its zero trust vision. All DoD personnel must be aware of, understand, and commit to a Zero Trust mindset and culture, as well as support its integration. Zero trust must be incorporated and operationalized in both new and legacy systems. Technologies must be deployed at a rate that matches or exceeds industry advancements. Processes, policies, and funding at the department and component levels should be aligned with zero trust principles and approaches. This article continues to discuss the DoD Zero Trust Strategy and Roadmap.

    HSToday reports "DoD Releases Zero Trust Strategy and Roadmap"

  • news

    Visible to the public "Belgian Police Under Fire After Major Ransomware Leak"

    A notorious ransomware group has recently begun leaking highly sensitive data it stole from Belgian police in what is being described as one of the biggest breaches of its kind in the country. RagnarLocker has been connected to the incident, which hit the Zwijndrecht police force in the city of Antwerp. Zwijndrecht police noted that earlier in the year, internet criminals were able to gain access to the administrative network. It is currently being investigated. Records dating back to 2006 were accessed by the hackers. The police did mention that sensitive information was on the network. While the administrative staff is most impacted by the incident, they're not the only ones. It is currently unclear how many citizens are affected by the breach, but they include victims, perpetrators, witnesses, and those under surveillance, with potentially far-reaching consequences if their identities are uncovered.

    Infosecurity reports: "Belgian Police Under Fire After Major Ransomware Leak"

  • news

    Visible to the public "US FCC Bans the Import of Electronic Equipment From Chinese Firms"

    Due to an unacceptable national security threat, the US Federal Communications Commission (FCC) announced a total ban on telecommunication and surveillance equipment from Chinese companies Huawei, ZTE, Hytera, Hikvision, and Dahua. The companies have already been added to the Covered List by the US government, and the new rules aim to protect Americans from national security threats involving telecommunications. The FCC adopted new rules prohibiting the importation or sale of communications equipment deemed to pose an unacceptable risk to national security in the US. This is the FCC's latest effort to safeguard the nation's communications networks. Several actions have been taken in recent years by the Commission, Congress, and the Executive Branch to build a more secure and resilient supply chain for communications equipment and services in the US. The new rules carry out the directive in the Secure Equipment Act of 2021, which President Biden signed in November. Hytera, Hikvision, and Dahua, all Chinese companies, must provide information about the safeguards they have put in place for the sale of their devices for government use and the surveillance of critical infrastructure facilities. The FCC added Pacific Network Corp, ComNet (USA) LLC, and China Unicom (Americas) Operations Limited to the Covered List in September. The FCC explained that the companies are subject to the Chinese government's exploitation, influence, and control, as well as the national security risks associated with such exploitation, influence, and control. This article continues to discuss the US FCC's ban on the import of electronic equipment from Huawei, ZTE, Hytera, Hikvision, and Dahua.

    Security Affairs reports "US FCC Bans the Import of Electronic Equipment From Chinese Firms"

  • news

    Visible to the public "Slippery RansomExx Malware Moves to Rust, Evading VirusTotal"

    The Advanced Persistent Threat (APT) group known as DefrayX appears to have unleashed a new version of its RansomExx malware, possibly to bypass detection by antivirus software. According to IBM Security X-Force Threat researchers, that evasion may be successful for the time being. IBM reported that one of the samples it analyzed was not detected as malicious in the VirusTotal platform for at least two weeks after its initial submission. The new sample is still only detected by 14 of the platform's more than 60 antivirus providers. Rust has the advantage of being platform-agnostic, in addition to being harder to detect and reverse-engineer. As a result, while the new version of RansomExx malware runs on Linux, IBM predicts that a Windows version will be available soon. RansomExx malware is not the only Rust-based malware package. BlackCat, Hive, and, prior to that, Buer are well-known examples of malware that have been rewritten to avoid detection based on C/C++ versions. This article continues to discuss the launch of a new version of RansomExx malware by DefrayX.

    Dark Reading reports "Slippery RansomExx Malware Moves to Rust, Evading VirusTotal"

  • news

    Visible to the public "Many Global 2000 Companies Lack Proper Domain Security"

    CSC released its third annual Domain Security Report, which discovered that three out of every four Forbes Global 2000 companies have not implemented key domain security measures, leaving them vulnerable to security threats. These businesses have only implemented about half of all domain security measures. Furthermore, lookalike domains are also targeting those businesses, with 75 percent of homoglyph registrations going to unrelated third parties. As a result, many of the world's largest brands are dealing with maliciously registered domains that resemble their brands. These fake domain registrations aim to exploit the targeted brand's trust to launch phishing attacks or other forms of digital brand abuse or Intellectual Property (IP) infringement, resulting in revenue loss, traffic diversion, and a diminished brand reputation. Phishers and malicious third parties can use many domain spoofing tactics and permutations, including homoglyph domains. A domain security score of "0" was assigned to 137 businesses (6.8 percent). Companies that do not implement any of the recommended domain security measures are vulnerable to a wide range of attacks, including but not limited to domain and Domain Name System (DNS) hijacking attacks, network and data breaches, phishing and ransomware attacks, and Business Email Compromise (BEC). This article continues to discuss key findings from CSC's third annual Domain Security Report.

    Help Net Security reports "Many Global 2000 Companies Lack Proper Domain Security"

  • news

    Visible to the public "5.4 Million Twitter Users' Stolen Data Leaked Online — More Shared Privately"

    A hacker forum has shared over 5.4 million Twitter user records containing non-public information stolen using an Application Programming Interface (API) vulnerability fixed in January. A security researcher also revealed another massive, potentially more impactful, data dump of millions of Twitter records, demonstrating how widely threat actors exploited this bug. The information is made up of scraped public information as well as private phone numbers and email addresses. Last July, a threat actor began selling the personal information of over 5.4 million Twitter users for $30,000 on a hacking forum. Although most of the information was public, such as Twitter IDs, names, login names, locations, and verified status, it also included private information, such as phone numbers and email addresses. This information was gathered in December 2021 by exploiting a Twitter API vulnerability disclosed in the HackerOne bug bounty program, which allowed people to submit phone numbers and email addresses to the API in order to retrieve the associated Twitter ID. Threat actors could then scrape public information about the account using this ID to create a user record containing both private and public information. In addition, an even larger data dump was allegedly created using the same vulnerability that could contain tens of millions of Twitter records. These include personal phone numbers obtained through the same API bug as well as public information such as verified status, account names, Twitter IDs, bio, and screen names. This article continues to discuss leaks of stolen information on Twitter users.

    Bleeping Computer reports "5.4 Million Twitter Users' Stolen Data Leaked Online -- More Shared Privately"

  • news

    Visible to the public "Russia-based RansomBoggs Ransomware Targeted Several Ukrainian Organizations"

    Ukraine has been subjected to a new wave of ransomware attacks, similar to previous intrusions linked to the Russia-based Sandworm nation-state group. The attacks against several Ukrainian entities were first detected on November 21, 2022, according to the Slovak cybersecurity firm ESET, which dubbed the new ransomware strain RansomBoggs. Although the malware is new, its deployment is similar to previous Sandworm attacks, according to the company. The news comes as the Sandworm actor, dubbed Iridium by Microsoft, has been linked to a series of attacks targeting the transportation and logistics sectors in Ukraine and Poland with another ransomware strain called Prestige in October 2022. The RansomBoggs activity is said to use a PowerShell script to distribute the ransomware, with the latter being almost identical to the one used in the April Industroyer2 malware attacks. According to the Computer Emergency Response Team of Ukraine (CERT-UA), the POWERGAP PowerShell script was used to deploy CaddyWiper data wiper malware via a loader called ArguePatch, also known as AprilAxe. ESET's analysis of the new ransomware reveals that it generates a randomly generated key and encrypts files with AES-256 in CBC mode, appending the ".chsch" file extension. Sandworm, an elite adversarial hacking group within Russia's GRU military intelligence agency, has a long history of targeting critical infrastructure. This article continues to discuss the RansomBoggs ransomware targeting Ukrainian organizations.

    THN reports "Russia-based RansomBoggs Ransomware Targeted Several Ukrainian Organizations"

  • news

    Visible to the public "Redacted Documents Are Not as Secure as You Think"

    According to researchers, popular redaction tools do not always work as intended, and new attacks can reveal hidden data. Since most documents are now digitized, securely redacting their contents has become more difficult. Most redactions by government officials and courts involve the placement of black boxes over text in PDFs. People's safety and national security can be jeopardized if done incorrectly. A new study from the University of Illinois looked at the most popular tools for redacting PDF documents and found that many of them fell short. Two of the most popular tools for redacting documents were found to provide no protection to the underlying text, making it accessible by copying and pasting it. Furthermore, a new attack method they devised allows them to extract secret details from the redacted text. The researchers discovered thousands of documents that exposed people's names and other sensitive details after examining millions of publicly available documents with blacked-out redactions, including those from the US court system, the US Office of the Inspector General (OIG), and Freedom of Information Act (FOIA) requests. Officials usually redact sections of text in documents because they contain people's personal information or because they believe the information should not be released to protect the interests of an organization. Names of confidential informants or whistleblowers may be redacted from court documents, and information that could harm national security if made public may be redacted from policy documents. The team examined 11 popular redaction tools during the new study, finding that PDFzorro and PDFescape Online enabled full access to allegedly redacted text. They only needed to copy and paste the text to gain access to it. The researchers registered Common Vulnerabilities and Exposures (CVE) numbers for both issues, which are used to catalog unique security vulnerabilities. During testing, they were able to access PDFzorro redactions by highlighting them, but the text cannot be accessed if you choose to "lock" the PDF before downloading it. The Illinois study goes beyond copying and pasting. It also shows a new way to attack PDF documents and use hidden fingerprints to reveal redacted names. The team focused on names because they are often redacted and sensitive. According to the researchers, it appears that large blocks of text cannot be unredacted. In order to reveal people's identities, the team created Edact-Ray, a tool that can detect, break, and repair redaction information leaks. This article continues to discuss findings from the study on the security of popular redaction tools.

    Wired reports "Redacted Documents Are Not as Secure as You Think"

  • news

    Visible to the public "Researchers Use Blockchain to Increase Electric Grid Resiliency"

    Oak Ridge National Laboratory (ORNL) researchers are using blockchain to validate communication between electric grid devices. The project is part of the Department of Energy (DOE) Office of Electricity (OE)-funded ORNL-led Darknet initiative to secure the nation's electricity infrastructure by shifting communications to more secure methods. The risks of cyberattacks have increased with two-way communication between grid power electronics equipment and new edge devices, such as solar panels, electric car chargers, and intelligent home electronics. An ORNL research team is working to increase the resilience of the electric grid by providing a trust framework for communication among electrical devices. The team created a framework to detect unusual activity, such as data manipulation, spoofing, and unauthorized changes to device settings. These activities could trigger cascading power outages as protection devices trip breakers. This framework introduces a completely new capability for quickly responding to anomalies. In the long run, the framework could help in detecting unauthorized system changes, tracking down their source, and providing a more reliable failure analysis. The goal is to mitigate the impact of a cyberattack or equipment failure. The method employs tamper-resistant blockchain to spread configuration and operational data across multiple servers. The data and settings of the equipment are constantly validated against a statistical baseline of normal voltage, frequency, breaker status, and power quality. At regular intervals, equipment settings are collected and compared to the most recent good configuration saved in the blockchain, thus enabling quick identification of when and how settings were changed, whether the changes were authorized, and what caused them. The blockchain uses a cryptographic method known as hashing, which involves performing a mathematical computation on the bulk data to represent it as numbers in the blockchain. For each intelligent grid device, the blockchain processes thousands of transactions per second, validating the contents. The framework was demonstrated at DOE's Grid Research Integration and Deployment Center (GRID-C) at ORNL. To simulate the architecture of a real substation, the advanced protection lab employs commercial-grade hardware in a closed electrical loop. This provides a low-risk method of simulating cyberattacks or unintended misconfigurations, which can both be detected by the team's validation framework. Researchers are expanding the strategy to include communication between renewable energy sources and utilities. This article continues to discuss the trust network developed by the ORNL research team to increase the resilience of the electric grid against cyberattacks or equipment failures.

    ORNL reports "Researchers Use Blockchain to Increase Electric Grid Resiliency"

  • news

    Visible to the public "Australian Cyber Task Force Looks to 'Hack the Hackers' After Data Breach Crime Wave"

    Recent data breaches have prompted changes to Australia's cybersecurity and data protection policies, with the most recent development appearing to be the formation of a cyber task force set with hacking back and actively pursuing cybercriminals. As millions of Australian citizens have seen sensitive personal data stolen from various major companies and long lines have formed to have compromised personal identification re-issued, Home Affairs promises a new "tough on crime" policy in regard to cyber incidents and data leaks. The agency promises a force of around 100 officers made up of a collaboration between the Australian Federal Police (AFP) and the Australian Signals Directorate. According to the Home Affairs office, the cyber task force will be an operation that focuses on criminal syndicates. It will engage in "day in and day out" operations to track down the perpetrators of data breaches. Officials stated that they had identified the Medibank hackers but would not release their names to the public because they are in discussions with Russian law enforcement agencies through Interpol. There has been speculation that it is either REvil or an offshoot group made up of former members. The Australian government's reaction appears to be motivated not only by the string of breaches that have occurred since September, but also by the nature of the data extortion in the Medibank case. There was a lot of sensitive health information among the 9.7 million records stolen, and the attackers slowly leaked the most sensitive items via a dark website. The announcement has sparked speculation about the scope of the cyber task force's plans, given that "hacking back" is a contentious concept in the international sea of cyber engagement norms and unspoken rules. Private industry has discussed the idea on occasion, but it is generally dismissed due to the risk of causing an international incident by striking a nation-state entity or harming innocent third parties. This article continues to discuss the Australian cyber task force and concerns regarding the hack back approach.

    CPO Magazine reports "Australian Cyber Task Force Looks to 'Hack the Hackers' After Data Breach Crime Wave"

  • news

    Visible to the public "European Parliament Website Hit by Cyberattack After Russian Terrorism Vote"

    The European Parliament website was hit with a sophisticated cyberattack that disrupted its services moments after members voted to designate Russia as a state sponsor of terrorism. According to Dita Charanzova, Czech MEP and Parliament vice president in charge of cybersecurity, the Parliament has been subjected to an external cyber attack, but the Parliamentary services are doing well in defending the Parliament. According to Marcel Kolaja, European Parliament member for the Czech Pirate party, the attack is a Distributed Denial-of-Service (DDoS) attack in which massive amounts of traffic are sent to servers in an attempt to block Internet users from accessing websites. Hacking groups use DDoS attacks to disrupt and cause chaos. It became a favorite tool of Russian hacking groups like Killnet, particularly as a means of protesting political decisions in European countries to support Ukraine in the war. Killnet, a group of hackers with ties to Russia, is suspected of carrying out the attack. This article continues to discuss the cyberattack on the European Parliament website following the Russian terrorism vote.

    Politico reports "European Parliament Website Hit by Cyberattack After Russian Terrorism Vote"

  • news

    Visible to the public "Beware of Dangerous Spyware Masquerading as VPN Apps"

    According to new research from ESET, the Advanced Persistent Threat (APT) group Bahamut has been using Virtual Private Network (VPN) apps as a new carrier for dangerous malware targeting Android phones. Threat actors could hire the Bahamut APT group to launch spear phishing attacks. The group has been active for some time, targeting people in the Middle East and South Asia. ESET researchers discovered at least eight versions of Bahamut spyware in trojanized versions of popular Android apps SoftVPN and OpenVPN. In order to infect these malicious apps, the group allegedly repurposed older spyware code. Since 2017, the Bahamut APT has made headlines for various cyber espionage attacks. This one involving VPN apps is a fairly standard spyware attack designed to compromise the victim's device and gain access to SMS, call logs, location, and call recordings. Through the capability of key logging, the spyware can spy on messaging apps such as WhatsApp and extract other data such as banking information. All infected apps were distributed using a spoofed version of the SecureVPN website, and they were never available for download on the Play Store. These VPN apps appeared to target specific people, who were directed to a website with a special activation key. Another red flag for potential victims is that the genuine version of the VPN does not require an activation key or a visit to the website. This key prevents the malicious payload from executing on devices that do not belong to the specific victim. This article continues to discuss spyware disguised as VPN apps.

    Android Police reports "Beware of Dangerous Spyware Masquerading as VPN Apps"

  • news

    Visible to the public "US Authorities Seize iSpoof, a Call Spoofing Site That Stole Millions"

    An international police operation has taken down an online spoofing service that helped cybercriminals impersonate trusted corporations and steal over $120 million from victims. iSpoof, which now displays a message stating that the FBI and US Secret Service seized it, provided "spoofing" services that allowed paying users to mask their phone numbers with those of a trusted organization, such as banks and tax offices, in order to carry out social engineering attacks. According to Europol, the website's services allowed those who signed up and paid for the service to make spoofed calls, send recorded messages, and intercept one-time passwords anonymously. Users could impersonate an infinite number of entities for financial gain and significant losses to victims. The Metropolitan Police in London, which began investigating iSpoof in June 2021 alongside international law enforcement agencies in the US, the Netherlands, and Ukraine, announced the arrest of the website's suspected administrator, Teejai Fletcher, on charges of fraud and organized crime. Fletcher was remanded in custody and will appear in court on December 6. The Metropolitan Police also used bitcoin payment records discovered on the site's server to identify and arrest another 100 iSpoof users in the UK. The site's infrastructure, which was hosted in the Netherlands but moved to Kyiv earlier in 2022, was seized and taken offline earlier this month in a joint Ukrainian-US operation. This article continues to discuss the takedown of the iSpoof website that allowed cybercriminals to impersonate trusted corporations to steal more than $120 million from victims.

    TechCrunch reports "US Authorities Seize iSpoof, a Call Spoofing Site That Stole Millions"

  • news

    Visible to the public "Idaho Now Has a Vulnerability Disclosure Policy for Election Websites"

    The Idaho secretary of state's office has become the fourth in the country to implement a vulnerability disclosure policy that allows white-hat hackers to legally probe the office's election-related websites for flaws. Under the new policy, security researchers will be able to inspect a set of five websites for potential or real security flaws, such as sensitive data exposures, and report them for correction without fear of retaliation or prosecution. The secretary's office is working with the Center for Internet Security (CIS), which operates the federally-funded Election Infrastructure Information Sharing and Analysis Center (EI-ISAC) and will check any reports submitted under the new policy. The goal is to mitigate and disclose any confirmed vulnerabilities within 120 days. Idaho now joins Iowa, South Carolina, and Ohio as the only states where secretaries of state have implemented Vulnerability Disclosure Programs (VDPs) that allow independent researchers to test election-related systems legally. When researchers discover a potential vulnerability, the initial report will be reviewed by CIS under the new policy, and if the staff can replicate the flaw, they will notify Idaho's Information Technology (IT) team, who will begin mitigation. There are also restrictions on the types of research that can be conducted, with tests for Denial-of-Service and attempts to degrade services being prohibited. This article continues to discuss Idaho's vulnerability disclosure policy for election websites.

    StateScoop reports "Idaho Now Has a Vulnerability Disclosure Policy for Election Websites"

  • news

    Visible to the public "Google Warns: Android 'Patch Gap' Is Leaving These Smartphones Vulnerable to Attack"

    Many Android smartphones have been found to be vulnerable to a number of high-severity security flaws that have yet to be addressed, despite Arm releasing fixes. The unpatched flaws identified by Google Project Zero (GPZ) affect Android phones equipped with Arm Mali GPUs. According to GPZ researcher Ian Beer, even Google's Pixel phones, as well as phones from Samsung, Xiaomi, Oppo, and others, are vulnerable. Beer is urging all major Android smartphone vendors to do what customers are constantly told to do, which is patch their devices as soon as possible. Despite Arm releasing fixes for them months ago, smartphone users cannot apply a patch for an Arm Mali GPU driver because no Android smartphone vendor has applied the fixes to their Android builds. According to Beer's blog, Jann Horn, a fellow GPZ researcher, discovered five exploitable vulnerabilities in the Mali GPU driver, tracked as issues 2325, 2327, 2331, 2333, and 2334. Arm patched them in July and August, assigning the vulnerability identifier CVE-2022-36449 to them, disclosing them on the Arm Mali Driver Vulnerabilities page, and publishing the patched driver source on their public developer website. Another Mali GPU bug that Arm fixed is CVE-2022-33917. In order to comply with the Android Original Equipment Manufacturer (OEM) Security Patch Level (SPL) policy, the Android team is in discussions with Android smartphone manufacturers and will require them to patch the vulnerabilities. However, the Pixel team will not have patches for a few weeks. Other Android OEMs will eventually follow suit. This article continues to discuss the Android patch gap leaving smartphones vulnerable to attacks.

    ZDNet reports "Google Warns: Android 'Patch Gap' Is Leaving These Smartphones Vulnerable to Attack"

  • news

    Visible to the public "Experts Investigate WhatsApp Data Leak: 500M User Records for Sale"

    On November 16, an actor advertised a 2022 database of 487 million WhatsApp user mobile numbers on a well-known hacking community forum. The data set is said to contain WhatsApp user data from 84 different countries. According to the threat actor, there are over 32 million US user records included in the data set. Significant portions of the phone numbers belong to the citizens of Egypt (45 million), Italy (35 million), Saudi Arabia (29 million), France (20 million), and Turkey (20 million). The data set for sale also allegedly contains the phone numbers of nearly 10 million Russians and more than 11 million UK citizens. The threat actor told Cybernews that they were selling the US data set for $7,000, the UK data set for $2,500, and the German data set for $2,000. Since attackers commonly use such information in smishing and vishing attacks, users should be suspicious of any calls from unknown numbers, as well as unsolicited calls and messages. According to reports, WhatsApp has more than two billion monthly active users worldwide. The seller of WhatsApp's database provided a sample of data to Cybernews researchers upon request. The shared sample included 1,097 UK and 817 US user numbers. Cybernews investigated all of the numbers in the sample and confirmed that they are all WhatsApp users. The seller did not specify how they obtained the database, only stating that they collected the data using their strategy, and assured Cybernews that all of the numbers in the instance belong to active WhatsApp users. The information on WhatsApp users could have been obtained by mass data harvesting, also known as scraping, which is a violation of WhatsApp's Terms of Service. Massive data dumps posted online are often obtained through scraping. This article continues to discuss the WhatsApp data leak.

    Security Affairs reports "Experts Investigate WhatsApp Data Leak: 500M User Records for Sale"

  • news

    Visible to the public "Almost 1,000 Suspects Arrested in Interpol Operation Which Seized Over $129 Million"

    An Interpol operation resulted in the seizure of more than $129 million in "virtual assets" and the arrest of nearly 1,000 suspects. The operation comes at a critical juncture in international cooperation to combat online financial crime, particularly fraud and money laundering, with world leaders meeting earlier this month to reaffirm their commitment to combating ransomware. From June 28 to November 23, Interpol's Operation HAECHI III involved global fraud investigators collaborating to intercept money and virtual assets linked to various cyber-enabled financial crimes and money laundering in order to help countries recover and return illicitly obtained funds to victims. According to Interpol, the operation targeted voice phishing, romance scams, sextortion, investment fraud, and money laundering associated with illegal online gambling, resulting in the arrest of 975 people and the resolution of over 1,600 cases. Nearly 2,800 bank and virtual asset accounts linked to the investigated crimes have been blocked. One of the investigations led to the arrest of two fugitives wanted by South Korea under Red Notices after they allegedly embezzled $29 million from 2,000 Korean victims in a global Ponzi scheme. Another case involved bureaus in Austria and India identifying a group of cybercriminals who were impersonating Interpol officers and convincing victims to transfer $159,000 via financial institutions, cryptocurrency exchanges, and online gift cards. Authorities in India raided a call center associated with these criminals, seizing four cryptocurrency wallets and other critical crime evidence. This article continues to discuss the seizure of millions of dollars from cybercriminals in Interpol's Operation HAECHI III.

    The Record reports "Almost 1,000 Suspects Arrested in Interpol Operation Which Seized Over $129 Million"

  • news

    Visible to the public "The Emergence of Zero Trust Consumers"

    According to a Daon survey report, 92 percent of consumers believe that cybersecurity threats will continue to outpace cybersecurity technology, and 91 percent are willing to take additional security measures to prove their identity on an ongoing basis to protect their information and accounts. Findings show that consumers are aware of the high-risk environment they face when conducting various aspects of their lives online. These attitudes indicate the emergence of zero-trust consumers. The report titled "The Era of the Zero Trust Consumer," is based on a survey of more than 2,000 consumers in the US and over 1,000 in the UK conducted in October 2022. It reveals that consumers, like businesses, are accepting the reality of ongoing cybersecurity threats. A zero-trust architecture in the enterprise recognizes continuous and constantly evolving cybersecurity risks, and requires user identity, both inside and outside of organizations, to be authenticated and continuously verified before the user is granted access to networks, applications, or data. As the frequency and sophistication of online breaches, hacks, and fraud targeting businesses, governments, and consumers increases, consumers are becoming more aware of these threats and are determined to do whatever it takes to secure their accounts and information, according to Tom Grissen, CEO of Daon. Despite rising industry and consumer pressure to move beyond vulnerable passwords, the report finds that passwords remain the industry standard, with 68 percent of consumers stating that they are their most used and least trusted security measure. The findings show that consumers are ready to embrace stronger security measures and expect businesses with which they have accounts to meet them halfway in protecting their identities. This is especially true for their digital financial accounts, where consumers are concerned about the safety of their financial information and money due to their increased reliance on financial technology. Although 93 percent expect stronger security measures, passwords with one-time codes and simple passwords remain the most commonly used methods of safeguarding this information. This article continues to discuss key findings from Daon's survey of consumers on the topic of zero-trust.

    Help Net Security reports "The Emergence of Zero Trust Consumers"

  • news

    Visible to the public  "Hot Ticket: 'Aurora' Go-Based Info-Stealer Finds Favor Among Cyber-Threat Actors"

    Cybercriminal organizations are increasingly using Aurora, an information stealer built on the Go open-source programming language, to target data from browsers, cryptocurrency wallets, and local systems. Sekoia's research team discovered at least seven malicious actors, known as "traffers," who added Aurora to their information stealer tools. It is also being used with the Redline or Raccoon information stealers in some cases. According to the report, over 40 cryptocurrency wallets and applications such as Telegram have been successfully targeted thus far, with Aurora's relatively unknown status and evasive nature serving as tactical advantages. Aurora was discovered in July, and it is suspected to have been promoted on Russian-speaking forums since April, where its remote access features and advanced information-stealing capabilities were highlighted. Hundreds of collected samples and dozens of active command-and-control (C2) servers helped to confirm Sekoia's previous prediction that Aurora stealer would become a common information-stealer in October and November 2022. The Aurora stealer is becoming a prominent threat as multiple threat actors, including traffers teams, add the malware to their arsenal. According to the report, cybercriminal threat actors have been spreading it through multiple infection chains, including phishing websites masquerading as legitimate, YouTube videos, and fake "free software catalog" websites. The company's analysis also identifies two infection chains currently distributing the Aurora stealer in the wild, one via a phishing site impersonating Exodus Wallet and the other via a YouTube video from a stolen account demonstrating how to install cracked software for free. The malware gathers a list of directories to search for files of interest using a simple file-grabber configuration. It then communicates via Transmission Control Protocol (TCP) connections on ports 8081 and 9865, with 8081 being the most commonly available open port. The files that have been exfiltrated are then encoded in base64 and sent to the C2. This article continues to discuss findings surrounding the Aurora stealer.

    Dark Reading reports "Hot Ticket: 'Aurora' Go-Based Info-Stealer Finds Favor Among Cyber-Threat Actors"

  • news

    Visible to the public "Docker Hub Repositories Hide Over 1,650 Malicious Containers"

    More than 1,600 publicly available Docker Hub images conceal malicious behavior, such as cryptocurrency miners, embedded secrets that can be used as backdoors, Domain Name System (DNS) hijackers, and website redirectors. Docker Hub is a cloud-based container library that allows users to search for and download Docker images as well as upload their own creations to the public library or personal repositories. Docker images are templates for creating containers with ready-to-use code and applications quickly and easily. As a result, those looking to start new instances often use Docker Hub to find an easily deployable application. However, due to threat actors abusing the service, over a thousand malicious uploads pose serious risks to unsuspecting users deploying malware-laden images on locally hosted or cloud-based containers. Many malicious images are disguised as popular and trustworthy projects by their names, indicating the threat actors uploaded them to trick users into downloading them. Sysdig researchers explored the issue, attempting to assess the scope of the problem, and reported on images discovered to contain malicious code or mechanisms. Aside from images verified to be trustworthy by the Docker Library Project, the service hosts hundreds of thousands of images with an unknown status. Sysdig examined 250,000 unverified Linux images with its automated scanners and identified 1,652 of them as malicious. The most prevalent category was cryptocurrency miners, which were found in 608 container images. Images with embedded secrets were the second most common occurrence, accounting for 281 cases. SSH keys, AWS credentials, GitHub tokens, NPM tokens, and other secrets are embedded in these images. This article continues to discuss the discovery of over 1,600 malicious containers hidden by Docker Hub repositories.

    Bleeping Computer reports "Docker Hub Repositories Hide Over 1,650 Malicious Containers"

  • news

    Visible to the public  "Dell, HP, and Lenovo Devices Found Using Outdated OpenSSL Versions"

    An examination of firmware images from Dell, HP, and Lenovo devices revealed the presence of outdated versions of the OpenSSL cryptographic library, highlighting a supply chain risk. The EFI Development Kit (EDK) is an open-source implementation of the Unified Extensible Firmware Interface (UEFI), which serves as an interface between the operating system and the firmware embedded in the hardware of a device. The firmware development environment, now in its second iteration (EDK II), includes its own cryptographic package called CryptoPkg, which uses OpenSSL project services. The firmware image associated with Lenovo Thinkpad enterprise devices was discovered to use three different versions of OpenSSL: 0.9.8zb, 1.0.0a, and 1.0.2j, the last of which was released in 2018. Furthermore, one of the firmware modules called "InfineonTpmUpdateDxe" relied on OpenSSL version 0.9.8zb, which was released on August 4, 2014, and is responsible for updating the firmware of the Trusted Platform Module (TPM) on the Infineon chip, according to Binarly. This indicates a problem with the supply chain with third-party dependencies when it appears that these dependencies were never updated, even for critical security issues. The fact that the device firmware uses multiple versions of OpenSSL in the same binary package demonstrates how third-party code dependencies can complicate the supply chain ecosystem. Binarly also pointed out flaws in a Software Bill of Materials (SBOM), which arises from integrating compiled binary modules, also known as closed-source in firmware. This article continues to discuss the use of outdated OpenSSL versions by Dell, HP, and Lenovo devices.

    THN reports "Dell, HP, and Lenovo Devices Found Using Outdated OpenSSL Versions"

  • news

    Visible to the public "New Black Basta Ransomware Campaign Is Actively Targeting US Companies"

    The cybersecurity technology company Cybereason has warned that an aggressive new ransomware campaign from the Black Basta ransomware group is targeting US businesses. Black Basta first appeared in April and is thought to be an offshoot of the Conti ransomware gang, employing similar tactics. The data leak blogs, payment sites, recovery portals, victim communications, and negotiation methods used by Black Basta are all similar to Conti operations. The group targets organizations in the US, Canada, the UK, Australia, and New Zealand. Black Basta engages in double-extortion ransomware attacks, which encrypt and steal data from victims. The stolen data is used to extort victims for a ransom payment, with the threat that the stolen data will be published if the demanded ransom is not paid. Black Basta's latest campaign employs QakBot malware to establish an initial point of entry and move laterally within an organization's network. QakBot, also known as QBot or Pinkslipbot, was discovered in 2019 and has been used in ransomware attacks, including one against FUJIFILM Holdings in 2020. After gaining access to a victim's network, QakBot installs a back door that allows the threat actor to drop additional malware, which is ransomware in the latest Black Basta campaign. According to the Cybereason researchers, while Black Basta is not new, its latest campaign is aggressively targeting many organizations. Those behind the current Black Basta campaign have been observed moving quickly, with cases where the threat actor obtained domain administrator privileges in less than two hours and moved to ransomware deployment in less than 12 hours. Black Basta, described as widespread and severe, has been using QakBot to target mostly US-based companies and has acted quickly on any spear phishing victims they have compromised. Over the last two weeks, the researchers have identified over ten different Cybereason customers who the campaign has impacted. This article continues to discuss findings regarding the new Black Basta ransomware campaign.

    SiliconANGLE reports "New Black Basta Ransomware Campaign Is Actively Targeting US Companies"

  • news

    Visible to the public "Hackers Are Locking Out Mars Stealer Operators From Their Own Servers"

    A security research and hacking startup discovered a coding flaw that enables locking out Mars Stealer malware operators from their own servers and releasing their victims. Mars Stealer is a data-stealing Malware-as-a-Service (MaaS) that allows cybercriminals to rent access to infrastructure in order to launch their own attacks. The malware is often distributed through email attachments, malicious advertisements, and torrented files on file-sharing websites. Once infected, the malware steals a victim's passwords, two-factor codes from their browser extensions, and the contents of their cryptocurrency wallets. It can also deliver other malicious payloads, such as ransomware. A cracked version of the Mars Stealer malware was leaked online earlier this year, allowing anyone to build their own Mars Stealer command-and-control (C2) server. However, its documentation was flawed, leading would-be bad actors to configure their servers in a way that would accidentally expose log files with user data stolen from victims. In some cases, the operator would accidentally infect themselves with malware, thus exposing their own personal information. Mars Stealer gained popularity in March following the removal of Raccoon Stealer, another prevalent data-stealing malware. This resulted in an increase in new Mars Stealer campaigns, which included the mass-targeting of Ukraine following Russia's invasion, as well as a large-scale effort to infect victims with malicious advertisements. By April, security researchers had discovered over 40 servers hosting Mars Stealer. Buguard says the vulnerability it discovered in the leaked malware allows it to remotely break in and defeat Mars Stealer C2 servers, which are used to steal data from infected victims' computers. According to Youssef Mohamed, the company's CTO, once exploited, the vulnerability deletes the logs from the targeted Mars Stealer server, terminates all active sessions that disconnect from the victims' computers, and scrambles the dashboard's password so that the operators cannot log back in. This article continues to discuss the flaw that could lead to Mars Stealer malware operators being locked out of their own servers.

    TechCrunch reports "Hackers Are Locking Out Mars Stealer Operators From Their Own Servers"

  • news

    Visible to the public "AWS Fixes 'Confused Deputy' Vulnerability in AppSync"

    Amazon Web Services (AWS) has patched a cross-tenant vulnerability in AWS AppSync that could allow malicious actors to use the cloud service to assume identity and access management roles in other AWS accounts, gaining access to and control over those resources. On September 1, Datadog security researchers discovered the bug and reported it to AWS. Five days later, an update was released to the AppSync service, which Datadog confirmed resolved the issue. According to AWS, no customers were affected by the vulnerability, and no customer action is required. AWS AppSync gives application developers a GraphQL interface to combine data from Amazon DynamoDB, AWS Lambda, and external Application Programming Interfaces (APIs). Developers can create integrations to allow AppSync to directly call APIs by setting up a role that grants AppSync the necessary Identity and Access Management (IAM) permissions. Since Datadog integrates with AppSync, security researchers at the company wanted to see if they could trick the AWS service into assuming a role and then accessing and controlling resources from other data sources. They described it as a confused deputy problem in a proof of concept, where an attacker convinces a service with higher-level privileges to perform an action for the attacker. The researchers used a mixed-case JSON payload to circumvent Amazon Resource Name (ARN) validation. An attacker could cross account boundaries and execute AWS API calls in victim accounts via IAM roles that trusted the AppSync service after bypassing the ARN validation. Using this method, attackers could breach AppSync-enabled organizations and gain access to resources associated with those roles. This would enable the attacker to interact with the data source as if they were the owner of it. This article continues to discuss the fix and potential impact of the vulnerability found in AWS AppSync.

    The Register reports "AWS Fixes 'Confused Deputy' Vulnerability in AppSync"

  • news

    Visible to the public "Quantum Locker Lands in the Cloud"

    Computerland, a Belgian company, shared information with the European threat intelligence community about the Quantum Locker gang's tactics, techniques, and procedures (TTPs) used in recent attacks. According to the information shared, the Quantum Locker gang used a specific tactic to target large enterprises in the North Atlantic and Central European (NACE) region that rely on cloud services. The recently disclosed technical details about recent intrusions confirm the Quantum Locker gang's ability to conduct sabotage and ransomware attacks even against companies that rely heavily on cloud environments. TTPs used in a recent attack included the complete takeover of the company's Microsoft cloud services via the compromise of the root account. All Microsoft services and users, including email and regular users, would be rendered inoperable until the Vendor responded, which could take several days depending on the reset request verification process. Furthermore, according to the insights on Q4 2022 attacks, Quantum Locker operators can find and delete all of the victim Microsoft Azure Blob storages in order to achieve secondary backup destruction and business data deletion. Even if cloud services theoretically support the restoration of old blobs and buckets, the recovery of "permanently deleted" data often takes days and may not even be available due to the provider's internal technical constraints. During their recent activities in North Europe, Quantum Locker operators' preferred initial targets were Information Technology (IT) administrators and networking personnel. Threat actors were able to gather sensitive administrative credentials by accessing their personal resources and shared Dropbox folders, allowing them to extend the attack on the cloud surface. Insights from the Belgian firm also confirm that Quantum Locker is combining these new techniques with more traditional ransomware delivery methods, such as the modification of domain Group Policies to distribute ransomware across on-premises Windows machines and users' laptops, as well as the exploitation of legitimate Any Desk software as a remote access tool. This article continues to discuss the use of a specific modus operandi by the Quantum Locker gang to target large enterprises relying on cloud services in the NACE region.

    Security Affairs reports "Quantum Locker Lands in the Cloud"

  • news

    Visible to the public "Fake Subscription Invoices Lead To Corporate Data Theft and Extortion"

    A threat actor known as Luna Moth has been stealing sensitive data and extorting money from small and medium-sized businesses through the use of social engineering tactics and legitimate software. The group avoids using ransomware in favor of convincing targeted employees to call a phone number operated by the attackers and install a remote access tool. Callback phishing, also known as Telephone-Oriented Attack Delivery (TOAD), is a social engineering attack in which the threat actor must interact with the target in order to achieve their goals. This attack style requires more resources but is less complex than script-based attacks, and it has a much higher success rate, according to Palo Alto Networks' Unit 42 researchers. The first lure is a phishing email that appears to be from a legitimate business, such as a fitness center, informing the recipient that they have subscribed to a service and that payment will be extracted using the payment method they previously specified. There are no malicious links or attachments in the body of the phishing email to trigger email security solutions. It instead contains one or more phone numbers through which the recipient can dispute the subscription, as well as a nine- or ten-digit confirmation number that the threat actors use to identify the specific recipient. Alternatively, the information is available in an attached PDF file. All of the numbers used by the attacker were registered with a Voice over IP (VoIP) provider. When the victim dialed one of the attacker's phone numbers, they were routed through a queue and eventually connected with an agent who sent a remote assist invitation for the remote support tool Zoho Assist. The attacker took control of the victim's keyboard and mouse, enabled clipboard access, and blanked out the screen to conceal their actions once the victim connected to the session. For data exfiltration, the threat actor has been known to install the remote support software Syncro and open-source file management tools Rclone or WinSCP. The attacker sends an extortion email after rooting through the system and exfiltrating sensitive data, threatening to sell or leak the data if they are not paid. This article continues to discuss Luna Moth's tactics and targets.

    Help Net Security reports "Fake Subscription Invoices Lead To Corporate Data Theft and Extortion"

  • news

    Visible to the public "Hackers Breach Energy Orgs via Bugs in Discontinued Web Server"

    Microsoft has announced that security flaws impacting a web server that has been discontinued since 2005 were used to target and compromise organizations in the energy sector. According to a report published in April by cybersecurity firm Recorded Future, state-backed Chinese hacking groups, including one identified as RedEcho, targeted multiple Indian electrical grid operators, compromising an Indian national emergency response system and the subsidiary of a multinational logistics company. The attackers gained access to the hacked entities' internal networks by using Internet-exposed cameras on their networks as command-and-control (C2) servers. According to Recorded Future, the group likely compromised and co-opted Internet-facing DVR/IP camera devices for C2 of Shadowpad malware infections, and used the open-source tool FastReverseProxy, to accomplish this. Microsoft said the attackers took advantage of a flaw in the Boa web server, a software solution that has been discontinued but is still used by Internet of Things (IoT) devices such as routers and cameras. Since Boa is one of the components used for signing in and accessing IoT device management consoles, it significantly raises the risk of critical infrastructure being breached via vulnerable and Internet-exposed devices running the vulnerable web server. According to the Microsoft Security Threat Intelligence team, Boa servers are widespread across IoT devices due to the web server's inclusion in popular Software Development Kits (SDKs). More than 1 million Internet-exposed Boa server components were detected online worldwide in a single week, according to Microsoft Defender Threat Intelligence platform data. Several known vulnerabilities affect Boa servers, including arbitrary file access (CVE-2017-9833) and information disclosure (CVE-2021-33558). Attackers can exploit these security flaws without authentication to remotely execute code after stealing credentials by accessing sensitive files on the targeted server. This article continues to discuss the exploitation of security vulnerabilities in a discontinued server to compromise energy sector organizations.

    Bleeping Computer reports "Hackers Breach Energy Orgs via Bugs in Discontinued Web Server"

  • news

    Visible to the public "This Malware Installs Malicious Browser Extensions to Steal Users' Passwords and Cryptos"

    A malicious extension for Chromium-based web browsers has been discovered to be distributed by ViperSoftX, a long-standing Windows information-stealer. The rogue browser add-on was dubbed VenomSoftX by a Czech-based cybersecurity firm due to the standalone features that allow it to access website visits, steal credentials, steal clipboard data, and even swap cryptocurrency addresses via an adversary-in-the-middle (AiTM) attack. Fortinet described ViperSoftX, which first surfaced in February 2020, as a JavaScript-based Remote Access Trojan (RAT) and cryptocurrency stealer. Sophos threat analyst Colin Cowie documented the malware's use of a browser extension to advance its information-gathering goals earlier this year. According to Avast researcher Jan Rubin, this multi-stage stealer has interesting hiding capabilities, such as hiding as small PowerShell scripts on a single line in the middle of otherwise innocent-looking large log files. ViperSoftX specializes in cryptocurrency theft, clipboard swapping, fingerprinting the infected machine, and downloading and executing arbitrary additional payloads or commands. ViperSoftX is typically spread through the use of cracked software for Adobe Illustrator and Microsoft Office that is hosted on file-sharing sites. The downloaded executable file contains a clean version of the cracked software as well as additional files that enable persistence on the host and contain the ViperSoftX PowerShell script. Newer variants of the malware can also load the VenomSoftX add-on from a remote server into Chromium-based browsers like Google Chrome, Microsoft Edge, Opera, Brave, and Vivaldi. This is done by looking for LNK files for the browser applications and changing the shortcuts with a command line switch that points to the path where the unpacked extension is stored. According to Rubin, the extension attempts to disguise itself as well-known and widely used browser extensions such as Google Sheets. This article continues to discuss the distribution and capabilities of ViperSoftX malware.

    THN reports "This Malware Installs Malicious Browser Extensions to Steal Users' Passwords and Cryptos"

  • news

    Visible to the public "Adversarial AI Attacks Highlight Fundamental Security Issues"

    Artificial Intelligence (AI) and Machine Learning (ML) systems trained on real-world data are increasingly being seen as vulnerable to attacks involving unexpected inputs to fool the systems. For example, contestants at the recent Machine Learning Security Evasion Competition (MLSEC 2022) successfully modified celebrity photos in order to have them be recognized as different people while minimizing obvious changes to the original images. The most common methods included merging two images, similar to a deepfake, and inserting a smaller image inside the original's frame. In another case, researchers from MIT, the University of California at Berkeley, and FAR AI discovered that a professional-level Go AI could be easily defeated with moves that convinced the machine that the game had ended. While the Go AI could easily defeat a professional or amateur Go player using a logical set of movies, an adversarial attack could easily defeat the machine by making decisions that no rational player would typically make. According to Adam Gleave, a doctoral candidate in AI at the University of California, Berkeley, and one of the primary authors of the Go AI paper, although AI technology may work at superhuman levels and even be extensively tested in real-life scenarios, it remains vulnerable to unexpected inputs. When presented with anomalous or malicious inputs, systems that have been trained to be effective against real-world situations by being trained on real-world data and scenarios may behave erratically and insecurely. The issue spans applications and systems. According to Gary McGraw, a cybersecurity expert and co-founder of the Berryville Institute of Machine Learning (BIML), a self-driving car could handle nearly every situation that a normal driver might encounter on the road, but it would act catastrophically during an anomalous event or one caused by an attacker. The real challenge of ML, he adds, is figuring out how to be flexible and do things as they should be done normally while also reacting correctly when an anomalous event occurs. Since few ML model and AI system developers focus on adversarial attacks and use red teams to test their designs, finding ways to cause AI/ML systems to fail is relatively simple. MITRE, Microsoft, and other organizations called on businesses to take adversarial AI attacks more seriously, describing current attacks in the Adversarial Threat Landscape for Artificial Intelligence Systems (ATLAS) knowledge base and noting that research into AI has skyrocketed, often with no robustness or security built in. This article continues to discuss the security issues emphasized by adversarial AI attacks.

    Dark Reading reports "Adversarial AI Attacks Highlight Fundamental Security Issues"

  • news

    Visible to the public "Public Wants to Build Cyber Resilience"

    Cyberattacks impacting thousands of Australian citizens' personal data have raised awareness of the dangers of insecure digital systems. According to researchers at Flinders University, consumers want to have a more active role in building more resilient systems to reduce risks of hacking, online deception, bots, and other threats. Their study of a nationally representative sample of 1,500 Australian citizens and focus groups with 62 people from three states looked at attitudes toward institutional trust, resilience, digital literacy, and perceptions of cyber threats. Even before the recent cyber breaches faced by Optus and Medibank Private customer bases, citizens surveyed were unconvinced that Australia is keeping up with cyber threats and interference in the country's economy, politics, or society. Not only are these citizens concerned about the government's technological capabilities, often citing negative experiences with online government services, but they also have reservations about businesses' investments in skills and commitments to cybersecurity, according to Flinders University researcher Dr Josh Holloway. They tended to be unaware of which public institutions and authorities are taking the lead in managing cyber threats and, collectively, expressed skepticism of social media and technology companies, media organizations, the federal government, and public service in general. Although survey respondents wanted greater capability and responsibility from the government and corporations, their trust in the process was lacking. The findings highlight the gap between Australian citizens' knowledge and engagement, and the top-down, technocratic, and elite-driven agencies' broad response to cyber threats. People must be educated about the reality of cyber risk and given the tools and information they need to participate in strategic efforts to improve cyber resilience, instead of just hearing about the consequences of successful cyberattacks. This article continues to discuss the study on peoples' understanding and threat perception regarding resilience to cyber-enabled foreign interference.

    Flinders University reports "Public Wants to Build Cyber Resilience"

  • news

    Visible to the public "Are We Building Cyber Vulnerability Into EV Charging Infrastructure?"

    Electric Vehicle (EV) charging stations are vulnerable to hacks, potentially disrupting the grid or resulting in the theft of users' personal information. The consequences could be severe in the absence of significant technological upgrades, regulations, and standards. A recent Sandia National Laboratories (SNL) study detailed potential problems that echo similar concerns raised by other academic researchers. According to Sandia's research, hackers could gain access to charging stations and overload the grid, or they could shut down a station by convincing it that it has drawn all the energy it requires. Yet, with EV companies rushing to expand their vehicle and charging options as part of a nationwide push to electrify transportation, observers say cybersecurity is not getting the attention it needs. According to Kayne McGladrey, field CSO at the security software company Hyperproof and a senior member of the Institute of Electrical and Electronics Engineers, companies are incentivized to be first to market, not necessarily the most secure to market. Since security costs money and takes time and resources, it naturally becomes a lower priority. Researchers have already demonstrated that EVs are vulnerable to attack, but the cybersecurity of charging infrastructure has largely gone unnoticed until recently. At a White House forum hosted by the Office of the National Cyber Director, government and EV industry leaders agreed to collaborate to assess current cybersecurity standards associated with EVs, what else is needed to keep the ecosystem safe, and the state of research and development in this area. According to a White House readout of the meeting, participants also pledged to collaborate and identify opportunities for harmonization. The Michigan Department of Transportation (MDOT) stated in its August 2022 state plan for EV infrastructure deployment that risks continue to intensify as technology advances, but it places the onus on its third-party vendors to be responsible for cybersecurity. MDOT stated that it would update its procurement process to meet cybersecurity and privacy standards. McGladrey urged companies to invest more in upgrading their hardware and software, and conducting regular penetration tests to improve the cybersecurity of EV charging infrastructure. Too much infrastructure currently relies on wireless networks that connect to the Internet and deliver over-the-air updates, thus calling for a more secure alternative. This article continues to discuss EV charging infrastructure cybersecurity risks.

    GCN reports "Are We Building Cyber Vulnerability Into EV Charging Infrastructure?"

  • news

    Visible to the public "GAO Checks Secret Service's Progress on Zero-Trust Architecture"

    According to the Government Accountability Office (GAO), the US Secret Service's zero-trust cybersecurity implementation plan needs to be updated. The government watchdog did, however, acknowledge the Secret Service's progress in this area. A zero-trust architecture is a set of cybersecurity principles that states that organizations must validate all attempts to access their systems and services. The zero-trust principle is based on the idea that no actor operating outside or inside an organization's network should be trusted. This architecture integrates comprehensive security monitoring, granular risk-based access controls, and system security automation into all aspects of the infrastructure. The federal government has begun to explore the use of zero-trust architecture. Since 2020, the National Institute of Standards and Technology (NIST) and the Office of Management and Budget (OMB) have provided federal agencies with direction and guidance on the use of such architecture. Furthermore, the Cybersecurity and Infrastructure Security Agency (CISA) issued a draft roadmap for the transition to zero-trust architecture in 2021, and the 2022 National Defense Authorization Act (NDAA) directed the Department of Defense (DOD) to develop a zero-trust strategy and model architecture. The US Secret Service has created an implementation plan for four zero-trust architecture-related milestones. The milestones are to self-assess the agency's Information Technology (IT) environment against federal guidance, implement cloud service offerings from a vendor, achieve event logging maturity, and transition the agency's IT infrastructure to a more advanced Internet protocol. GAO discovered that the Secret Service completed a self-assessment and made progress in implementing cloud services and achieving event logging maturity. Furthermore, the agency had planned to implement a more advanced Internet protocol, but had not met the long-standing OMB requirements for public-facing systems. GAO claims that by switching to this protocol, the agency will be able to take advantage of additional security features. This article continues to discuss the US Secret Service's progress toward zero-trust architecture and areas in need of improvement.

    HSToday reports "GAO Checks Secret Service's Progress on Zero-Trust Architecture"

  • news

    Visible to the public "OIG: HHS Must Modernize Its Approach to Cybersecurity"

    The Office of Inspector General (OIG) urged the US Department of Health and Human Services (HHS) to improve data governance, secure HHS systems, and modernize its approach to cybersecurity across the department in the 2022 edition of its annual report on HHS's top management and performance challenges. According to the report, persistent and growing cybersecurity threats heighten HHS's challenges with data and technologies used to carry out essential HHS missions. If not mitigated, these threats can jeopardize critical HHS program operations and potentially endanger the health and welfare of individuals served by HHS. The report highlighted many challenges that HHS faces in carrying out its mission of improving the health and well-being of all Americans while combating daily cyber threats. OIG stated that HHS constantly improves how it collects, manages, shares, and secures data. For example, the department is currently finalizing its HHS Data Strategy, which should assist the department in addressing data sharing, privacy, governance, and security issues. The report noted that challenges HHS must overcome include the persistent impact of data silos and legacy technology that do not easily support modern data governance and standardization, as well as inconsistencies in how HHS leverages and manages data across its programs. Eliminating or reducing data silos within HHS programs, ensuring the development of standardized data sets, and increasing appropriate access across programs are all critical to improving program management, evidence-based decision-making, and capitalizing on new technologies. In addition to improving data governance and standardization, OIG emphasized the importance of removing barriers to public health data access and encouraging data sharing among providers, patients, and payers. Furthermore, OIG emphasized the significance of improving HHS's own security posture, as underscored by President Biden's executive order on improving the federal government's security practices in May 2021. The HHS Office of Information Security is currently finalizing its Strategic Plan in support of the executive order, which calls for significant organizational changes. Because program needs and timeliness compete with cybersecurity controls and capabilities, the OIG described the challenge of securing HHS data as multifaceted and complex. This article continues to discuss OIG's report on harnessing and protecting data and technology to improve the health and well-being of individuals.

    HealthITSecurity reports "OIG: HHS Must Modernize Its Approach to Cybersecurity"