News Items

  • President signs K-12 Cybersecurity Act into Law

    President Biden signed the K-12 Cybersecurity Act, which should strengthen the cybersecurity of US K-12 schools. This includes assessing the cybersecurity risks affecting K-12 schools, such as those involved in securing information systems and protecting student and employee data. Other goals include developing guidelines for this sector to minimize risks, publishing an online training toolkit, and posting the assessment findings and recommendations online. All of this effort will be under the direction of the CISA director.
  • "Autom Cryptomining Campaign Launched 125 Attacks in the Wild in Q3 2021"

    Over the past three years, Team Nautilus researchers at Aqua Security have been tracking a cryptomining campaign dubbed Autom using honeypots. According to the researchers, the attackers behind the campaign have changed their tactics over the three-year period. They have shifted from attacking the honeypots to launching attacks in the wild. A Shodan search found that they executed 125 attacks in the wild during the third quarter of 2021. In 2019, the attackers did not apply any special techniques to hide their cryptomining. In 2020, they hid themselves and disabled various security mechanisms, including Uncomplicated Firewall (UFW) and Non-Maskable Interrupt (NMI). This year, the attackers downloaded an obfuscated shell script from a remote server to hide the cryptomining campaign. To prevent security tools from understanding their intentions, the attackers encoded the script in base64 five times. The attackers' continued refinement of their methods and campaigns further emphasizes the importance of exploring behavior-based detection and other advanced detection capabilities. This article continues to discuss the changes made by the attackers behind the Autom cryptomining campaign over the past three years.

    SC Magazine reports "Autom Cryptomining Campaign Launched 125 Attacks in the Wild in Q3 2021"

  • "Cybersecurity 2022: More Fraud, More Fakes, More Crypto Scams"

    Cybersecurity experts are sharing their predictions regarding cybercrime and cybersecurity in 2022. The Identity Theft Resource Center (ITRC) in San Diego, dedicated to minimizing risk and mitigating the impact of identity compromise and crime, predicts that ransomware will catch up with or surpass phishing attacks as the number one cause of data breaches. Single incidents targeting multiple individuals or organizations will impact more victims across communities and geographic regions. The center also predicts that social media account takeovers used in cyberattacks will exploit followers and personal networks to create new victim chains. Ilia Sotnikov, vice president for user experience and security strategist at Netwrix, predicts that hackers will increasingly leverage home networks as infrastructure, as it is easier to infect such networks with malware than professionally secured enterprise IT environments. The increased processing power and bandwidth connectivity in residences will make home networks more attractive to malicious actors. Nicholas Brown, CEO of Hitachi ID Systems, predicts an increase in the adoption of the Zero Trust security model, which maintains strict access controls and does not trust anyone by default, including those already within the network perimeter. This article continues to discuss cybersecurity experts' predictions pertaining to cybercrime and cybersecurity strategies in the coming year.

    TechNewsWorld reports "Cybersecurity 2022: More Fraud, More Fakes, More Crypto Scams"

  • "The Worst Hacks of 2021"

    WIRED has highlighted the worst hacks of 2021, including breaches, leaks, data exposures, ransomware attacks, state-sponsored hacking campaigns, and more. The first incident spotlighted is the ransomware attack against Colonial Pipeline in early May, which led to increases in gas prices, panic buying, and localized fuel shortages. The attack forced the company to shut down different portions of the pipeline in order to contain the malware. The Russia-linked ransomware gang DarkSide was identified as the perpetrator of the attack on Colonial Pipeline. This incident brought further attention to how dangerous the disruption of the petrochemical pipeline industry could be. This article continues to discuss the ransomware attack against Colonial Pipeline, the SolarWinds hacking spree, the Twitch breach, the exploitation of vulnerabilities in Microsoft's Exchange Server software, the ransomware attack suffered by the world's largest meat processing company, and other notable incidents of the year.

    WIRED reports "The Worst Hacks of 2021"

  • "PYSA Ransomware Gang is The Most Active Group in November"

    Researchers at NCC Group have found that PYSA (also known as Mespinoza) and LockBit were the most active ransomware gangs in the threat landscape in November 2021. The researchers observed a 400% increase, compared with October, in the number of attacks that hit government organizations. The PYSA ransomware group was behind 50 percent more ransomware attacks in November than in October. PYSA ransomware operators focus on large or high-value finance, government, and healthcare organizations. According to the researchers, North America and Europe continued to be the most targeted regions in November, with 154 and 96 victims respectively, while within Europe, most of the ransomware infections were observed in the UK, France, Italy, and Germany.

    Cyber Defense Magazine reports: "PYSA Ransomware Gang is The Most Active Group in November"

  • "Fake Christmas Eve Termination Notices Used as Phishing Lures"

    A newly discovered phishing campaign is sending out fake employee termination notices and phony omicron-variant exposure warnings. One of the suspicious emails found by security researchers told the target that their employment would cease as of Dec. 24 and that the decision was not reversible. An attached password-protected Excel file promised additional details. Once a recipient opened the file, a blurred form appeared with a button to "Enable Content," which allowed the file to run an automated script through its macros feature, a capability intended to help automation that has simultaneously been abused for years for malicious purposes. After the button was clicked, a pop-up window appeared saying, "Merry X-Mas Dear Employees!" The Dridex malware was then downloaded to the victim's computer from a Discord server and began stealing credentials. Dridex is a trojan dating back to 2014 that typically spreads through email phishing campaigns and is associated with credential theft. According to the U.S. Treasury Department, Dridex has been used to steal more than $100 million from financial institutions and banks spread across 40 countries. Another Dridex-laced email in the same campaign carried the subject line "Positive OMICRON results." The email warns the victim that they had been exposed to a coworker who tested positive for the omicron variant of COVID-19 sometime between Dec. 17 and 19. The email then tells the victim to click on an attached document to view additional information.

    CyberScoop reports: "Fake Christmas Eve Termination Notices Used as Phishing Lures"

  • "Lights Out: Cyberattacks Shut Down Building Automation Systems"

    A building automation engineering firm located in Germany suffered a cyberattack that locked it out of the Building Automation System (BAS) it had constructed for an office building client, resulting in the loss of contact with hundreds of BAS devices, such as light switches, motion detectors, shutter controllers, and more. The company found that three-quarters of the BAS devices in the office building's system network had been locked down with the system's own digital security key, which the attacker had taken control of. The attack forced the firm to revert to manually flipping central circuit breakers on and off to control the building's lights. According to Thomas Brandstetter, co-founder and general manager of Limes Security, the security firm contacted by the engineering firm, the BAS devices were bricked, as they had been wiped to the point that they had no additional functionality. Limes Security was able to retrieve the hijacked Bus Coupling Unit (BCU) key from one of the bricked devices' memory, which required creative hacking. The engineering firm was then able to reprogram the BAS devices and run the building's lighting, window shutters, motion detectors, and other systems again. However, this incident is not an anomaly, as Limes Security has been receiving other reports of similar attacks on BAS systems running KNX, a BAS technology widely used in Europe. Another engineering firm in Europe experienced a similar type of attack on a KNX BAS system that also locked it out. The common theme among these attacks is that many of the professionals who install and manage BAS systems are not involved in IT or security team operations. BAS systems are instead often handled by engineers and building management firms, with IT and security teams rarely crossing paths with BAS operations. This article continues to discuss the cyberattack against the German building automation engineering firm that resulted in the loss of contact with BAS devices, other similar attacks on BAS systems, and a common security gap associated with such systems.

    Dark Reading reports "Lights Out: Cyberattacks Shut Down Building Automation Systems"

  • "Fisher-Price's Chatter Phone Has a Simple but Problematic Bluetooth Bug"

    The Fisher-Price Chatter phone is a classic kids' toy that has been revamped for adults, as it can now make and receive calls over Bluetooth using a nearby smartphone. The Chatter is now more like a novelty Bluetooth speaker with a microphone that activates when the handset is lifted. Security researchers discovered a design flaw in the modernized toy that could allow it to be used to eavesdrop on users. According to Ken Munro, founder of Pen Test Partners, one of the main concerns is that the Chatter lacks a secure pairing process to block unauthorized phones within Bluetooth range from connecting to it. Pen Test Partners discovered a similar Bluetooth vulnerability several years ago in a child's toy doll called My Friend Cayla, which paired with another person's phone if the parent's phone went out of range. The doll was pulled from shelves when it was found to be recording what children were saying after it connected to its app. This article continues to discuss findings surrounding the Fisher-Price Chatter phone's Bluetooth flaw and other similar vulnerabilities discovered in children's toys.

    TechCrunch reports "Fisher-Price's Chatter Phone Has a Simple but Problematic Bluetooth Bug"

  • "Chinese Spies Exploit Log4Shell to Hack Major Academic Institution"

    CrowdStrike's Falcon OverWatch team has discovered that China-linked cyberespionage group Aquatic Panda exploited the Log4Shell vulnerability to compromise a large academic institution. As part of a recent campaign, the OverWatch security researchers observed Aquatic Panda leveraging a modified version of the Log4j exploit for initial access and then performing various post-exploitation operations, including reconnaissance and credential harvesting. The researchers stated that in their attempt to compromise the unnamed academic institution, the attackers targeted a VMware Horizon instance that employed the vulnerable Log4j library. The attackers performed connectivity checks via DNS lookups for a subdomain running on the VMware Horizon instance under the Apache Tomcat service. Next, Aquatic Panda executed multiple Linux commands on a Windows host on which the Apache Tomcat service was running, including some aimed at deploying attacker tools hosted on remote infrastructure. The adversaries performed reconnaissance from the host, seeking to better understand privilege levels and domain details, and also attempted to stop a third-party endpoint detection and response solution. After deploying additional scripts, the hackers attempted to execute PowerShell commands to retrieve malware and three VBS files believed to constitute a reverse shell. Aquatic Panda also made several attempts at credential harvesting by performing memory dumps and preparing them for exfiltration by compressing them. The researchers stated that the target organization was alerted to the suspicious activity immediately after detection and quickly implemented their incident response protocol to patch the vulnerable software and prevent further malicious activity.

    SecurityWeek reports: "Chinese Spies Exploit Log4Shell to Hack Major Academic Institution"

  • "Security Professionals View Ransomware and Terrorism as Equal Threats"

    Sapio Research surveyed over 1,500 security professionals on behalf of the machine identity management provider Venafi. Of those who participated in the survey, 60 percent reported considering ransomware and terrorism equal threats. The findings reflect the views of the US Department of Justice (DOJ), which announced that it would prioritize ransomware attacks at a level previously reserved only for terrorism. Two-thirds of the security professionals revealed that their organization had been hit by ransomware over the past 12 months, with both large and small companies being impacted. Despite the increase in attacks, more than 70 percent of the respondents expressed confidence that their current security tools would help protect them from future ransomware attacks. However, this confidence was found to vary by job title, as security team leaders were slightly less confident than C-level executives in the effectiveness of their current tools. This article continues to discuss findings from the survey regarding security professionals' perception of ransomware, their confidence in the efficacy of their current security tools, and their decision on whether to give in to attackers' demands for ransom payments.

    HealthITSecurity reports "Security Professionals View Ransomware and Terrorism as Equal Threats"

  • "T-Mobile Reportedly Suffers Another, Smaller Data Breach"

    T-Mobile has reportedly suffered another data breach a few months after a huge breach in August. The new breach seems to have affected a smaller group of customers, and the total number of customers affected is still unknown. The customers affected by the breach received notifications of "unauthorized activity" that consisted of hackers viewing customer proprietary network information (CPNI), carrying out a physical SIM swap, or both. An unapproved physical SIM swap enables an adversary to take over one's phone number and could potentially allow the adversary to gain access to accounts linked to the device if the adversary also had the device password. CPNI includes all the data T-Mobile has about your phone calls, which, according to the carrier, means "features of your voice calling service (e.g., international calling), usage information (like call logs including date, time, phone numbers called, and duration of calls), and quantitative data like minutes used." CPNI doesn't contain any billing-related information, like names or addresses.

    CNET reports: "T-Mobile Reportedly Suffers Another, Smaller Data Breach"

  • "Logistics Company D.W. Morgan Exposed 100 GB of Data From Clients, Including Fortune 500 Companies"

    An Amazon S3 bucket belonging to the logistics company D.W. Morgan was discovered to be open, exposing more than 100 GB of sensitive data about shipments and clients, including Fortune 500 companies such as Cisco and Ericsson. The Website Planet security team identified the open AWS S3 bucket on November 12, 2021, and alerted the company the same day. According to the researchers, the bucket stored over 100 GB of data, including 2.5 million files consisting of financial, shipping, transportation, and personal details on D.W. Morgan's employees and clients. Although the bucket was discovered in November, the research team only recently shared information about the discovery. It remains unclear whether threat actors accessed the S3 bucket's content while it was unprotected. Exposed customers face the potential of being targeted in phishing campaigns or falling victim to fraud because of the sensitive data stored in D.W. Morgan's misconfigured bucket. This article continues to discuss the discovery of D.W. Morgan's open Amazon S3 bucket and the potential consequences of this exposure.

    CyberIntelMag reports "Logistics Company D.W. Morgan Exposed 100 GB of Data From Clients, Including Fortune 500 Companies"

  • "QNAP NAS Devices Hit in Surge of eCh0raix Ransomware Attacks"

    QNAP network-attached storage (NAS) device users have been reporting eCh0raix (also known as QNAPCrypt) ransomware attacks on their systems. The threat actor behind the eCh0raix ransomware attacks appears to have amplified their activity a week before Christmas. The ID Ransomware service confirmed the surge in eCh0raix ransomware attacks, as submissions increased on December 19 and decreased towards December 26. The initial infection vector remains unclear, as some users admitted that they had inadequately secured the device, leaving it exposed to the Internet over an insecure connection. Others have claimed that QNAP's Photo Station contains a vulnerability that led to the execution of eCh0raix ransomware attacks. Regardless of the initial infection vector, the eCh0raix ransomware actor appears to create a user in the administrator group, thus allowing them to encrypt all files on the NAS system. Researchers have seen eCh0raix ransomware demands ranging from $1,200 to $3,000 in bitcoin. There is a free decryptor for files locked with an older version (before July 17, 2019) of eCh0raix ransomware, but there is currently no free solution to decrypt data locked by the ransomware's latest variants (versions 1.0.5 and 1.0.6). This article continues to discuss the recent jump in eCh0raix ransomware attacks.

    Bleeping Computer reports "QNAP NAS Devices Hit in Surge of eCh0raix Ransomware Attacks"

  • "FDA, CISA Warn of Fresenius Kabi Infusion Pump Flaws"

    The Food and Drug Administration (FDA) recently released an alert about the Cybersecurity and Infrastructure Security Agency's (CISA) warning of a dozen vulnerabilities identified in specific components of Germany-based medical device manufacturer Fresenius Kabi's Agilia Connect Infusion System. According to CISA's advisory, if an attacker were to successfully exploit these vulnerabilities, they could gain access to sensitive information, modify settings, or carry out actions as an unauthorized user. The product components of the Agilia Connect Infusion System affected by the vulnerabilities are used globally. These products were found to contain vulnerabilities such as inadequately protected credentials, improper access control, uncontrolled resource consumption, plaintext storage of passwords, cross-site scripting, the use of a broken cryptographic algorithm, the use of unmaintained third-party components, and more. CISA says the vulnerabilities are collectively assigned a CVSS v3 base score of 7.5. Fresenius Kabi released a statement saying that these flaws have been addressed through software upgrades. However, the company also identified approximately 1,200 Link+ infusion pump devices that would need hardware changes. Until replacements are made in customers' installations, the company urges users to follow CISA's recommendations for temporary alternatives. This article continues to discuss the discovery, potential impact, and mitigation of the Fresenius Kabi infusion pump security flaws.

    Healthcare Info Security reports "FDA, CISA Warn of Fresenius Kabi Infusion Pump Flaws"

  • "Bots Are Stealing Christmas!"

    Security researchers at Kasada released new data on the latest fraud and malicious automation trends. The researchers observed a 4x increase in automated online gift card lookup attempts during the holiday season. The researchers also observed a 10x increase in malicious login attempts due to credential stuffing. The researchers discovered a new type of sophisticated all-in-one (AIO) bot called the Grinch Bot. The Grinch Bot has been used prominently during hype drop sales and is more efficient and effective than its predecessors. The team observed in recent hype sales that this new Grinch Bot spikes from 0% to 99% of the total bot requests for the duration of the sale, and then, once the inventory is gone, it disappears until the next drop. The researchers also observed that most Black Friday bad bots come from the USA, followed by Australia and the UK. Kasada's CEO stated that the level of sophistication they have witnessed within the botting community is at an all-time high, as its members continue to collaborate and improve upon their methods to conduct online fraud and generate profits through the use of malicious automation.

    Help Net Security reports: "Bots Are Stealing Christmas!"

  • "Shutterfly Says Ransomware Attack Impacted Manufacturing"

    Shutterfly, an online platform for photography and personalized products, has confirmed that a ransomware attack has affected some of its services. Shutterfly operates multiple services and brands, such as BorrowLenses, GrooveBook, Lifetouch, Shutterfly, Snapfish, Spoonflower, and Tiny Prints. The online retail and manufacturing platform helps users create products such as cards, gifts, home decor, invitations, photo books, and more. The company noted that portions of its Lifetouch and BorrowLenses business, GrooveBook, manufacturing, and some corporate systems have been experiencing interruptions because of the ransomware attack. The company also noted that the Shutterfly.com, Snapfish, Spoonflower, and TinyPrints sites were not affected. Shutterfly has hired third-party cybersecurity experts to help with the investigation. While the company has yet to assess the full scope of the breach, it said that the incident did not impact the credit card data, financial information, or social security numbers of BorrowLenses, Lifetouch, Shutterfly.com, Snapfish, Spoonflower, or TinyPrints customers, as no such information is stored on the company's systems. The company refrained from sharing further details on the incident or the type of ransomware that was used in the attack.

    SecurityWeek reports: "Shutterfly Says Ransomware Attack Impacted Manufacturing"

  • "New Flaws Expose EVlink Electric Vehicle Charging Stations to Remote Hacking"

    Schneider Electric has released patches for flaws found in its EVlink electric vehicle charging stations. The security vulnerabilities affect EVlink City (EVC1S22P4 and EVC1S7P4), Parking (EVW2, EVF2, and EVP2PE), and Smart Wallbox (EVB1A) devices, as well as some end-of-life (EOL) products. Tony Nasr is the researcher credited with discovering the seven vulnerabilities in these charging stations. They include cross-site request forgery (CSRF) and cross-site scripting (XSS) bugs, which attackers could exploit to perform actions on behalf of a legitimate user. The security holes also include a weakness that can be used to gain access to the web interface of a charging station through brute-force attacks. Another one of the flaws, given a CVSS score of 9.3, is a server-side request forgery (SSRF) vulnerability. According to Schneider Electric, failure to patch or mitigate these flaws could result in the charging stations' settings and accounts being altered and compromised. Tampering with such elements could lead to denial-of-service (DoS) attacks, resulting in unauthorized use of the charging station, service interruptions, and more. Exploiting Internet-connected charging stations does not require the attacker to have access to the Local Area Network (LAN). The adversary would scan the Internet for viable electric vehicle charging stations before trying to take advantage of their security flaws. However, if the charging station cannot be accessed via the Internet, the adversary is assumed to have access to the LAN through Wi-Fi network password cracking or other malicious activity. This article continues to discuss the new flaws putting electric vehicle charging stations at risk of remote hacking.

    Security Week reports "New Flaws Expose EVlink Electric Vehicle Charging Stations to Remote Hacking"

  • "Reducing Software Supply Chain Vulnerability: Lessons Learned from Log4j"

    Federal IT teams are trying to patch the Log4j vulnerabilities and follow guidance issued by the US Homeland Security Department's Cybersecurity and Infrastructure Security Agency (CISA), which requires federal agencies to mitigate the vulnerabilities. Log4j is an open-source Apache Java-based logging framework used by developers to keep a record of activity within software applications and online services. The Log4j vulnerabilities present a significant problem because nearly all large organizations use Java in some way. For example, an organization might use Java in an air-gapped environment, which is more difficult to patch than a traditional DevOps environment. In addition, it has been revealed that the Log4j vulnerabilities have unknowingly existed since 2013, making the impact far-reaching. Organizations are encouraged to explore the different ways in which the risk and impact of these vulnerabilities can be reduced. The first option for resolving the issue in multiple layers and improving the overall security of Log4j is to immediately upgrade all Log4j dependencies to the newest version (2.15.0). If an organization cannot update, another option is to disable message lookups, which also adds an extra layer of protection if it is suspected that not all Log4j dependencies have been properly updated. Disabling message lookups can protect against third-party Java packages that depend on or embed a vulnerable version of Log4j and have not yet been properly patched. This article continues to discuss the impact and mitigation of the Log4j vulnerabilities and the best practices that cyber leaders should follow to provide a strong defense against exploits of future vulnerabilities.

    MeriTalk reports "Reducing Software Supply Chain Vulnerability: Lessons Learned from Log4j"

  • "Organizations Targeted With Babuk-Based Rook Ransomware"

    Security researchers have found a new ransomware variant dubbed Rook. Rook shows numerous similarities with Babuk, and security researchers have determined that it was built using Babuk code that was leaked online earlier this year. Rook was initially seen on VirusTotal on November 26, and its first victim was identified on November 30. Rook was first used against a financial institution, where the ransomware encrypted the organization's files and the Rook gang stole roughly one terabyte of data to use for extortion. Security researchers stated that the ransomware is being distributed via a third-party framework such as Cobalt Strike, but phishing emails carrying Rook have also been observed. Once executed on the victim's machine, the malware attempts to terminate all processes that may impede the encryption process. The attackers also attempt to disable security products and delete volume shadow copies to prevent victims from recovering their data. During encryption, the ransomware appends the .ROOK extension to the encrypted files and, once the process has been completed, it deletes itself from the machine. Rook's operators engage in double extortion, threatening to make victims' stolen data public unless a ransom is paid in exchange for a decryption tool. On their website on the Tor network, the gang has already listed three victim companies and data stolen from those that proved uncooperative.

    SecurityWeek reports: "Organizations Targeted With Babuk-Based Rook Ransomware"

  • "Flaws in WordPress Plugin Put 3 Million Websites at Risk"

    Severe vulnerabilities have been discovered in the All In One SEO WordPress plugin, affecting over 3 million websites. The vulnerabilities could allow an attacker to take advantage of a SQL injection issue and a privilege-escalation bug. When paired, the two vulnerabilities found in the plugin can form an exploit chain that enables an attacker to take over a website as long as they have an account. WordPress websites allow any user to create an account by default. A new account is automatically ranked as a subscriber that can only write comments. Exploiting the vulnerabilities gives subscriber accounts more privileges than just writing comments, and when abused together, the flaws allow an attacker to gain control over an unpatched WordPress website. According to Marc Montpas, a security research engineer at Automattic who first detected the vulnerabilities during an internal audit of the All In One SEO plugin, the SQL injection vulnerability could grant attackers access to privileged information contained in the affected site's database, such as usernames and hashed passwords. The privilege-escalation bug could give malicious actors access to protected REST API endpoints, thus enabling users with low-privileged accounts to perform remote code execution (RCE) on impacted websites. This article continues to discuss the discovery, analysis, and mitigation of the critical vulnerabilities in the All In One SEO plugin, as well as the rise in WordPress plugin exploitation.

    BankInfoSecurity reports "Flaws in WordPress Plugin Put 3 Million Websites at Risk"

  • "CISA Releases Free Scanner to Spot Log4j Exposure"

    The Cybersecurity and Infrastructure Security Agency (CISA) has published a new scanning tool to help organizations find unpatched Log4j instances in their IT environment. CISA posted the Log4j Scanner to GitHub. CISA noted that this repository provides a scanning solution for the Log4j remote code execution vulnerabilities (CVE-2021-44228 & CVE-2021-45046). CISA stated that the information and code in this repository are provided 'as is' and were assembled with the help of the open-source community and updated by CISA through collaboration with the broader cybersecurity community. CISA also said the scanning tool would only help security teams "look for a limited set of currently known vulnerabilities in assets owned by their organization." They warned that there might be "unknown" ways for threat actors to leverage the vulnerabilities.

    Infosecurity reports: "CISA Releases Free Scanner to Spot Log4j Exposure"

  • "Community of Ethical Hackers Needed to Prevent AI's Looming 'Crisis of Trust'"

    An international team of risk and machine-learning experts, led by researchers at the University of Cambridge's Centre for the Study of Existential Risk (CSER), recommends that the Artificial Intelligence (AI) industry create a global community of ethical hackers and threat modelers dedicated to testing the potential harm of new AI products, in order to gain the trust of governments and the public. The experts encourage the use of red team hacking, audit trails, bias bounties, and other techniques by companies building intelligent technologies to prove their integrity before releasing AI products to the wider public. AI systems' novelty and black-box nature, as well as the race to get products to the marketplace, have delayed the development and adoption of auditing or third-party analysis. According to the experts, incentives for increasing trustworthiness should go beyond regulation. A new publication authored by the team outlines a series of concrete measures that AI developers should adopt. AI developers should consider the idea of AI red teaming, also known as white-hat hacking, which involves ethical hackers playing the role of malicious external agents. Such hackers would be called in to execute attacks against any new AI, or to strategize how the AI could be used for malicious purposes, in order to find any weaknesses or potential harm. Although some big companies have the internal capability to conduct a red teaming assessment, the experts recommend the creation of a third-party community that can independently interrogate new AI products and share findings to benefit all AI developers. They also call for a global resource that can offer high-quality red teaming to small companies and research labs developing AI products. The report highlights the potential use of bias and safety bounties to improve openness and increase public trust in AI. It would also be beneficial to develop platforms dedicated to sharing information about cases where undesired AI behavior could be harmful to humans. This article continues to discuss recommendations for filling gaps in the trustworthy development of AI.

    The University of Cambridge reports "Community of Ethical Hackers Needed to Prevent AI's Looming 'Crisis of Trust'"

  • news

    Visible to the public "IT Security: Computer Attacks with Laser Light"

    IT security experts of the Karlsruhe Institute of Technology (KIT) have demonstrated that air-gapped computer systems are still susceptible to attack. In a project titled LaserShark, the researchers have shown that it is possible to transmit data to the light-emitting diodes (LEDs) of regular office devices through the use of a directed laser. Using this method, attackers can secretly communicate with air-gapped computers over distances of several meters. Air-gapping is the physical isolation of a computer or network to ensure that it does not connect to the Internet or to any other Internet-connected system. This security mechanism is intended to protect the computer or network from unsecured networks. According to the researchers, previous attempts to evade such air-gapped protection through electromagnetic, acoustic, or optical channels only work at short distances or low data rates. In addition, they often only allow for data exfiltration. The new LaserShark attack shows that an adversary can introduce data into and retrieve data from air-gapped systems without the need for any additional hardware on-site at the targeted device. This hidden optical communication involves LEDs already built into office devices, such as those used to display status messages on printers or telephones. The researchers established a hidden communication channel over a distance of up to 25 m that can be used bi-directionally by directing laser light at built-in LEDs and recording their response. This optical attack could be used against commercially available office devices employed at companies, universities, and more. The LaserShark project emphasizes the importance of optically protecting critical IT systems in addition to conventional information and communication technology security measures. This article continues to discuss the presented LaserShark attack that establishes fast bi-directional communication into air-gapped computer systems.

    KIT reports "IT Security: Computer Attacks with Laser Light"

  • news

    Visible to the public "New Phishing Campaign Luring Users With Fake Surveys and Giveaways"

    Group-IB security experts have uncovered a new global cyberespionage phishing campaign aimed at harvesting users' personal and financial information. The malicious campaign has been targeting users in more than 90 countries, including South Korea, Italy, Canada, and the US. The scammers behind it used fake surveys and impersonated different brands. According to the Group-IB researchers, over 120 global organizations have been mimicked by the campaign. Attackers sent victims fake invitations to participate in a survey for a prize. The survey link took victims to an attacker-controlled phishing site that gathers sensitive data, including users' full name, email, postal address, phone number, bank card data, and more. Various digital marketing tools, such as contextual advertising, SMS, mailouts, and pop-up notifications, were used by the fraudsters to lure victims. Group-IB found that the fraudsters registered domain names that look like the official ones. They also discovered that a user gets caught up in traffic cloaking after clicking the targeted link, which allows cybercriminals to display different content to different users based on certain parameters. More than 10 million people were reportedly impacted by this scam, with damages totaling an estimated $80 million per month. This article continues to discuss the tactics, tools, targets, and impact of the new global phishing campaign.

    CISO MAG reports "New Phishing Campaign Luring Users With Fake Surveys and Giveaways"

  • news

    Visible to the public "NCA Donates 225 Million Passwords to Have I Been Pwned"

    The UK's National Crime Agency (NCA) donated over 225 million passwords found during the course of its crime-fighting to Have I Been Pwned (HIBP). HIBP is a free service used to check whether credentials have been stolen or leaked through past data breaches. The service stored 613 million compromised passwords in its databases before the NCA's donation. Originally, the NCA offered a bank of more than 585 passwords, but after duplicates were parsed out, the owner of the site, Troy Hunt, found more than 225 million passwords that were not already in the HIBP database. According to the NCA, the donated passwords were discovered in a company's cloud storage facility and were an accumulation of known and unknown datasets. The agency engaged with HIBP because the compromised credentials were in the public domain but could not be attributed to any company or platform. Hunt also revealed that the Federal Bureau of Investigation (FBI) will collaborate with HIBP on an injection pipeline into the site. The FBI has been helping HIBP develop an open-source tool that law enforcement and crime-fighting agencies can use to feed compromised credentials into the HIBP website through this injection pipeline. This article continues to discuss the donation of millions of compromised passwords to HIBP and efforts to create an injection pipeline into the site for agencies such as the FBI and NCA.

    ITPro reports "NCA Donates 225 Million Passwords to Have I Been Pwned"

  • news

    Visible to the public "Consumers Warned of Surging Delivery Text Scams Ahead of Christmas"

    Consumers have been warned to stay vigilant of delivery scam texts while online shopping for Christmas. Security researchers at Proofpoint found that delivery 'smishing' scams are surging amid the busiest shopping period of the year. Over half (55.94%) of all reported smishing text messages impersonated parcel and package delivery companies so far in Q4 2021. This compares to just 16.37% of smishing attempts in Q4 2020, more than tripling the proportion year-on-year. The researchers also observed a significant drop-off in other types of smishing scams in Q4 2021 compared to Q4 2020. For example, text scams impersonating financial bodies and banks made up 11.73% of smishing attacks in 2021, compared to 44.57% in 2020. The data comes from the NCSC's 7726 text message system, operated by Proofpoint. This system enables customers to report suspicious texts.

    Infosecurity reports: "Consumers Warned of Surging Delivery Text Scams Ahead of Christmas"

  • news

    Visible to the public "Identifying Fake Voice Recordings"

    Researchers at the Horst Görtz Institute for IT Security at Ruhr-Universität Bochum are exploring how data generated using Artificial Intelligence (AI), known as deepfakes, can be distinguished from real data. Deepfakes are synthetic media, including images, audio, and videos, manipulated or created using AI. Advancements in deepfakes will present security challenges, as cybercriminals will use such fake media to pose as legitimate individuals to steal money or other critical assets. Deepfakes can also be used to spread misinformation across social media platforms. Furthermore, the use of such media will strengthen social engineering attacks, because cybercriminals will not need to be skilled in hacking to execute them. They can use deepfakes to impersonate high-level users and trick others into revealing sensitive information, which could then be used to access protected systems. Exploring the realm of audio deepfakes, the researchers found that real and fake voice recordings differ in the high frequencies. Based on the analysis of artificial audio files and recordings of real speech, the researchers developed algorithms capable of distinguishing between deepfakes and actual speech. Their algorithms are designed to be a starting point for other researchers to develop new detection methods. This article continues to discuss the study on audio deepfake detection.

    RUB reports "Identifying Fake Voice Recordings"

  • news

    Visible to the public "BEC Attack on Monongalia Health System"

    A three-hospital health system in West Virginia has become the victim of a business email compromise (BEC) scam that began with a phishing attack. Monongalia Health System, Inc. (MHS) had no idea that its cybersecurity defenses had been penetrated until a vendor reported not receiving a payment from the healthcare provider on July 28, 2021. An investigation was launched, which determined that threat actors had compromised several email accounts belonging to MHS employees between May 10, 2021, and August 15, 2021, gaining unauthorized access to emails and attachments. Threat actors used one account belonging to an MHS contractor to impersonate Monongalia Health System and attempt to fraudulently obtain funds by wire transfer. In a security notice, MHS said that while the threat actors had not accessed the healthcare provider's electronic health records system, some patient and employee data that was stored in the compromised email accounts had been breached. This information included names, Medicare health insurance claim numbers (which could contain Social Security numbers), addresses, dates of birth, patient account numbers, health insurance plan member ID numbers, medical record numbers, dates of service, provider names, claims information, medical and clinical treatment information and/or status as a current or former MHS patient. MHS has begun mailing notice letters to patients whose information may have been involved in the security incident.

    Infosecurity reports: "BEC Attack on Monongalia Health System"

  • news

    Visible to the public "CISA, Cybersecurity Centers From Australia, NZ, UK, and Canada Release Log4j Advisory"

    Cybersecurity leaders from the US, Australia, Canada, New Zealand, and the UK have issued a new Log4j advisory. The guide covers technical details, mitigations, and resources for addressing vulnerabilities in the Apache Log4j software library. This is a joint project involving the US Homeland Security Department's Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), Federal Bureau of Investigation (FBI), Australian Cyber Security Centre (ACSC), Canadian Centre for Cyber Security (CCCS), Computer Emergency Response Team New Zealand (CERT NZ), New Zealand National Cyber Secure Centre (NZ NCSC), and the UK's National Cyber Security Centre (NCSC-UK). According to the organizations, the joint advisory is a response to the active exploitation of Log4j vulnerabilities by threat actors globally. Work has been done with entities in public and private sectors since the first vulnerability was detected to identify vulnerable products as well as raise awareness among affected organizations. A number of groups from North Korea, Iran, Turkey, and China, along with several ransomware groups and cybercriminal organizations, have been observed exploiting the Apache Log4j vulnerabilities. This article continues to discuss the joint cybersecurity advisory providing critical guidance that any organization using products with Log4j should implement, other efforts to help organizations address the issue, and other findings surrounding Log4j vulnerabilities.

    ZDNet reports "CISA, Cybersecurity Centers From Australia, NZ, UK, and Canada Release Log4j Advisory"

  • news

    Visible to the public "Attackers Bypass Microsoft Patch to Deliver Formbook Malware"

    Researchers from Sophos Labs have discovered the use of a novel exploit that can bypass a patch for a critical vulnerability affecting the Microsoft Office file format. Attackers weaponized a publicly available proof-of-concept Office exploit to deliver malware called Formbook. This malware was distributed via spam emails for about 36 hours before it disappeared. The vulnerability, tracked as CVE-2021-40444, is a critical remote code execution (RCE) flaw that can allow attackers to secretly execute arbitrary code or commands on a target machine. Microsoft released a patch in September to address the flaw and then shared how attackers had been exploiting the vulnerability to deliver custom Cobalt Strike payloads. In late October, the Sophos researchers discovered the 36-hour campaign involving the new exploit. The attackers reworked the original exploit by putting the malicious Word document inside a specially crafted RAR archive. According to the researchers, the updated attack's short lifespan indicates that it could have been a dry-run experiment, which could return in the future. This article continues to discuss the bypassing of a patched Microsoft Office flaw to deliver Formbook malware.

    Help Net Security reports "Attackers Bypass Microsoft Patch to Deliver Formbook Malware"

  • news

    Visible to the public "Solving the Challenges of Shifting Security Left"

    Amid the "Shift Left and Extend Right" trend, developers are finding that they need to build stronger security practices into their processes. Idan Plotnik, the co-founder and CEO of Apiiro, an application risk management platform provider, has discussed how developers can mitigate critical security risks to better protect their organization. Plotnik explained that shifting security completely to the left is a significant challenge, as it leads to too many noisy tools sending an overload of alerts that lack context. He emphasized the importance of adding more context throughout the process to empower developers. Plotnik suggests that adding more security context to existing DevOps practices will make an automated DevSecOps process much more feasible. Having context that can be automated will increase the speed of DevOps, allow developers to provide more value in less time, reduce costs, and reduce risks earlier in the development process. However, an issue faced by many organizations when implementing security into their development processes is deciding where to start. Plotnik encourages organizations to start by establishing visibility and building trust within their team. Developers should continuously explore security processes through training or reading. This article continues to discuss the challenges faced in shifting security left and how to solve them.

    SDTimes reports "Solving the Challenges of Shifting Security Left"

  • news

    Visible to the public "Ransomware Threat Just as Urgent as Terrorism, Say Two-Thirds of IT Pros"

    Researchers from Venafi have found that nearly two-thirds (60%) of security professionals believe the threat of ransomware should be treated with the same urgency as terrorism. The survey of 1500 IT security decision-makers from the UK, US, Australia, France, and Germany highlights the growing concern about the scale and damage of ransomware attacks, which have surged during the COVID-19 crisis. More than two-thirds (67%) of respondents from organizations with over 500 employees experienced a ransomware attack over the past 12 months. For organizations with 3000-4999 employees, that figure rose to an astonishing 80%. Of those organizations that have been breached, 17% admitted they paid the ransom. US respondents paid most often (25%), while Australian firms paid least often (9%). Worryingly, over a third (37%) of the IT decision-makers admitted they would pay a ransom following a successful attack. However, over half (57%) of this group said they would reverse that decision if they were required to publicly report the payment. The researchers stated that this requirement could be put into law in the US under the Ransomware Disclosure Act, a bill recently introduced in the US Senate. This would force organizations to disclose any ransom payments to the Department of Homeland Security (DHS). Despite the growing menace of ransomware, over three-quarters (77%) of the respondents said they were confident the tools they have in place will protect them from these attacks. Australian IT decision-makers had the most confidence (88%) of all the countries included. However, the survey also found that most organizations do not use security controls that can prevent ransomware attacks early in their life cycle. For example, just 21% restrict the execution of all macros within Microsoft Office documents, and under a fifth (18%) restrict the use of PowerShell using group policy.

    Infosecurity reports: "Ransomware Threat Just as Urgent as Terrorism, Say Two-Thirds of IT Pros"

  • news

    Visible to the public "Ubisoft Reveals Player Data Breach Came from User Error"

    Ubisoft has admitted that data on some players may have been taken after a breach of its IT systems stemming from human error. The French gaming giant stated that the misconfiguration of its IT infrastructure was quickly identified, but not before unauthorized individuals were able to access and perform a "possible copy" of the information. The data stolen was from players of the wildly popular Just Dance game. The data in question was limited to "technical identifiers," which include GamerTags, profile IDs, and Device IDs, as well as Just Dance videos that were recorded and uploaded to be shared publicly with the in-game community and/or on social media profiles. Ubisoft noted that their investigation has not shown that any Ubisoft account information has been compromised due to this incident. Ubisoft claimed all affected players would be contacted via email shortly and would be able to follow up with any queries by getting in touch with the firm's support team.

    Infosecurity reports: "Ubisoft Reveals Player Data Breach Came from User Error"

  • news

    Visible to the public "Attackers May Influence Security Equipment by Exploiting Flaws in Metal Detector Peripherals"

    Security researchers with Cisco Talos recently discovered multiple vulnerabilities in a device from Garrett Metal Detectors that could be exploited to allow remote attackers to evade authentication requirements, alter metal detector setups, and execute arbitrary code on the device. The flaws exist in the Garrett iC module, which provides network access to the Garrett PD 6500i or Garrett MZ 6100 walk-through metal detectors commonly implemented at security checkpoints. The module might be used by attackers to remotely monitor metal detector statistics such as the activation status of the alarm and the number of people that have passed through the detector. In addition, they could change the device's sensitivity level, posing a significant security threat. Some of the vulnerabilities, tracked as CVE-2021-21901, CVE-2021-21903, CVE-2021-21905, and CVE-2021-21906, are described as stack-based overflow flaws that an attacker can exploit by sending a specially crafted packet to the device. Other flaws, tracked as CVE-2021-21904, CVE-2021-21907, CVE-2021-21908, and CVE-2021-21909, are directory traversal vulnerabilities that enable an attacker to conditionally read, write, and delete files on the device. This article continues to discuss the source, potential exploitation, impact, and disclosure of flaws that could impair the functionality of two widely used walk-through metal detectors made by Garrett.

    CyberIntelMag reports "Attackers May Influence Security Equipment by Exploiting Flaws in Metal Detector Peripherals"

  • news

    Visible to the public "F-Secure Uses Flaw in At-Home COVID-19 Test To Fake Results"

    Security researchers at F-Secure identified a vulnerability in a home test for COVID-19. The exploitation of this flaw could allow a malicious actor to alter test results, changing them from positive to negative or vice versa. According to the researchers, it is possible to manipulate the Ellume COVID-19 Home Test via the Bluetooth device that analyzes the nasal sample and communicates with the app to report the test results. The researchers determined that the COVID-19 test result could be changed before the Ellume app processes the data by altering only the byte value representing the status of the test in two different types of traffic called STATUS and MEASUREMENT_CONTROL_DATA, and then calculating new Cyclic Redundancy Check (CRC) and checksum values. They were able to change a negative test to positive through the exploitation of the vulnerability. The flaw, now fixed by Ellume, could have been used by highly skilled individuals or organizations with cybersecurity expertise in an attempt to evade public health measures meant to help prevent the spread of COVID-19. For example, a skilled threat actor could have used the flaw to ensure that an individual gets a negative result every time they are tested. Ellume has been advised to conduct further analysis of results to flag spoofed data, implement extra obfuscation checks in the Android app, and more. This article continues to discuss the discovery of a Bluetooth vulnerability in Ellume's at-home COVID-19 test and how the company responded to this finding.

    TechRepublic reports "F-Secure Uses Flaw in At-Home COVID-19 Test To Fake Results"

  • news

    Visible to the public "Escalation in Healthcare Data Breaches"

    The number of healthcare data breaches reported in the United States has increased for the third month in a row. Records kept by the Department of Health and Human Services' Office for Civil Rights (OCR) indicate that the total number of reported data breaches impacting the US health sector in 2021 is likely to be higher than the total reported in any previous year. In November, the OCR received reports of 68 data breaches in which 500 or more health records were exposed. This number was 15.25% higher than the 59 breaches reported in October. The total number of data breaches of 500 or more records reported to the OCR from January 1 to November 30 is 614. The worst month for data breaches in the healthcare sector so far this year has been June, in which 70 breaches of 500 or more records were reported. While the number of individual data breaches has been increasing in recent months, the total number of records impacted by data breaches has diminished from October to November. Geographical analysis of data breaches recorded in November reveals that more breaches (seven) were reported in California and New York than in any other states. Maryland and Pennsylvania each reported four breaches, while two breaches each were reported in Illinois, Indiana, Michigan, Minnesota, New Mexico, Tennessee, Texas, Virginia, and the District of Columbia.

    Infosecurity reports: "Escalation in Healthcare Data Breaches"

  • news

    Visible to the public "Ransomware Attackers Have 'Industry Standards' Too"

    The actors behind ransomware attacks are creating industry standards to define ideal targets for their malicious campaigns. In July 2021, researchers with the threat intelligence company KELA found 48 discussion threads on dark web marketplaces in which there were users claiming to be digital attackers looking to purchase access into networks. Actors were found to be active participants in the Ransomware-as-a-Service (RaaS) supply chain, consisting of operators, affiliates, and middlemen. Based on those discussion threads, it was determined that ransomware actors seek specific criteria when looking to buy network accesses. According to KELA, these factors include geography, revenue, disallowed sectors, and disallowed countries. For example, nearly 50 percent of the ransomware actors mentioned the US as their preferred location for targets, followed by Canada, Australia, and European countries. In regard to revenue, ransomware attackers preferred victims that make a minimum of $100 million, on average. These findings are consistent with some of the ransomware attacks that have occurred in 2021, such as the attack against the US-based Colonial Pipeline Company, which made $1.32 billion in revenue in 2020. This article continues to discuss findings on the creation of industry standards by ransomware attackers based on KELA's analysis of discussion threads on dark web marketplaces, as well as how businesses can defend against ransomware.

    Security Intelligence reports "Ransomware Attackers Have 'Industry Standards' Too"

  • news

    Visible to the public "Hackers Can Penetrate 93% of Local Networks"

    Researchers at Positive Technologies have found that cyberattackers can breach 93% of organizations' network perimeters and gain access to their resources. The study showed results from the company's penetration testing projects in the second half of 2020 and the first half of 2021. In the 93% of cases where the researchers were able to penetrate local company networks, it only took them an average of two days to do so. Another worrying finding was that an insider could gain complete control over the infrastructure of the organization in all of the organizations analyzed. The organizations included in the analysis came from a range of vital sectors, including finance (29%), fuel and energy (18%), government (16%), industrial (16%), and IT (13%). The most common way of penetrating a corporate network was credential compromise (71% of organizations). This mainly resulted from easily guessable passwords, including account passwords used for system administration. The researchers noted that most organizations had no network segmentation by business processes, enabling threat actors to develop several attack vectors simultaneously.

    Infosecurity reports: "Hackers Can Penetrate 93% of Local Networks"

  • news

    Visible to the public "Security Flaws Found in a Popular Guest Wi-Fi System Used in Hundreds of Hotels"

    A security researcher named Etizaz Mohsin discovered that the Airangel HSMX Gateway, used by hundreds of hotels to provide and manage guest Wi-Fi networks, contains security flaws that put hotel guests' personal information at risk. According to Mohsin, the Internet gateway contains easily guessable hardcoded passwords that could allow an attacker to gain remote access to the gateway's settings and databases, which consist of records pertaining to the guests using the Wi-Fi. With this type of access, a malicious actor could steal guest records as well as change the gateway's networking settings to redirect unsuspecting guests to malicious websites. The security researcher found five vulnerabilities that could compromise the gateway, including information belonging to guests. He shared a screenshot with TechCrunch that shows the administration interface of one hotel's vulnerable gateway exposing a guest's name, room number, and email address. Mohsin reported the flaws to Airangel, but the UK-based networking gear maker still has not fixed them, as the company said the device has not been sold since 2018 and is no longer supported. However, the device is still used by many hotels, malls, and convention centers globally. Internet scans found over 600 gateways accessible from the Internet alone; the actual number of vulnerable devices is likely higher. Most of the hotels affected by the security flaws are located in Germany, Russia, the UK, and across the Middle East. This article continues to discuss the discovery, potential exploitation, and impact of the security flaws found in the widely used guest Wi-Fi system.

    TechCrunch reports "Security Flaws Found in a Popular Guest Wi-Fi System Used in Hundreds of Hotels"

  • news

    Visible to the public "New Log4j Patch Released to Fix DoS Flaw"

    Apache has released a new patch for Log4j to mitigate a high-severity vulnerability, as researchers separately found a new attack vector for the Log4Shell bug. The open-source community had previously released a patch to fix the now-infamous CVE-2021-44228 flaw in the popular logging utility. However, in an update, the maintainers admitted that this fix did not address a newly discovered issue in Log4j, which has been given a CVSS score of 7.5: Apache Log4j2 versions 2.0-alpha1 through 2.16.0 did not protect against uncontrolled recursion from self-referential lookups. The news comes as researchers at Blumira made a discovery that effectively expands the attack surface for Log4Shell by enabling JavaScript WebSocket connections to trigger the remote code execution bug on unpatched Log4j instances. The researchers at Blumira stated that previously the impact of Log4j was understood to be limited to vulnerable servers, but this newly discovered attack vector means that anyone with a vulnerable Log4j version on their machine or local private network can browse a website and potentially trigger the vulnerability. The threat from Log4Shell is now so significant that the US Cybersecurity and Infrastructure Security Agency (CISA) on Friday updated its patching deadline for federal agencies from December 24 to "immediately."

    Infosecurity reports: "New Log4j Patch Released to Fix DoS Flaw"

  • news

    Visible to the public "ESF Members, NSA and CISA Publish the Fourth Installment of 5G Cybersecurity Guidance"

    The National Security Agency (NSA) and the US Homeland Security Department's Cybersecurity and Infrastructure Security Agency (CISA) have published the fourth installment pertaining to securing the integrity of 5G cloud infrastructures titled "Ensure Integrity of Cloud Infrastructure." As the popularity of 5G networks and devices continues to grow, it is essential to bolster platform security to strengthen systems against malicious cyber activity and persistence. The guidance was created by the Critical Infrastructure Partnership Advisory Council (CIPAC) Cross Sector Enduring Security Framework (ESF) Working Group, which is a public-private working group led by NSA and CISA. It provides cybersecurity guidance that addresses high-priority threats faced by the nation's critical infrastructure. The guidance provided by the document covers platform integrity, build time security, launch time integrity, and microservices infrastructure integrity. Jorge Laurel, NSA Project Director for ESF, has emphasized the importance of implementing cybersecurity mitigations at the foundation level and carrying them forward in order to have a secure 5G core. This article continues to discuss the 5G cybersecurity guidance provided by the Ensure Integrity of Cloud Infrastructure document.

    CISA reports "ESF Members, NSA and CISA Publish the Fourth Installment of 5G Cybersecurity Guidance"

  • news

    Visible to the public "Play a Video Game, Learn Cybersecurity Skills"

    A team at Carnegie Mellon University welcomes anyone interested in exploring the world of cybersecurity to play a video game named "Katalyst," which introduces players to command line operations, password hashing, and the Python programming language commonly used by cybersecurity professionals. Katalyst is the result of a project in which students were tasked with developing a video game that houses a collection of cybersecurity challenges. The game will be featured at picoCTF, an annual cybersecurity competition run by Carnegie Mellon's CyLab Security and Privacy Institute geared towards middle and high school students. This article continues to discuss the goals, development, and design of the Katalyst cybersecurity video game, as well as the aim of CMU's picoCTF.

    CyLab reports "Play a Video Game, Learn Cybersecurity Skills"

  • news

    Visible to the public "US and Australia Enter CLOUD Act Agreement"

    The United States has entered into an agreement with Australia to share electronic data to help facilitate the investigation of serious crimes. The crimes that fall under the category of serious include terrorism, ransomware attacks, and the sexual abuse of children. The landmark agreement was authorized by the Clarifying Lawful Overseas Use of Data (CLOUD) Act, a bill passed by Congress in 2018. The Department of Justice Office of Public Affairs said that the agreement will offer strong protection for the rule of law, privacy, and civil liberties while helping police to obtain the data they need faster and more efficiently. The Department of Justice Office of Public Affairs also said that this agreement paves the way for more efficient cross-border transfers of data between the United States and Australia so that the governments can more effectively counter serious crime. The CLOUD Act Agreement will now undergo Parliamentary and Congressional review processes in both countries.

    Infosecurity reports: "US and Australia Enter CLOUD Act Agreement"

  • news

    Visible to the public "The Best Way to Protect Personal Biomedical Data From Hackers Could Be to Treat the Problem Like a Game"

    The National COVID Cohort Collaborative, the Personal Genome Project, and other modern biomedical research require large amounts of data specific to individuals. Therefore, such projects face the critical challenge of making detailed datasets publicly available without violating anyone's privacy. Many programs that gather and circulate genomic data try to conceal personal information that could be used to re-identify individuals included in the data. However, residual data can be used to discover personal information from other sources, which could then be correlated with biomedical data to reveal subjects' identities. For example, comparing an individual's DNA data with public genealogy databases such as Ancestry.com can sometimes provide the person's last name. This piece of information can be used in conjunction with demographic data to track down the person's identity through online public record search engines. Researchers at the Vanderbilt Center for Genetic Privacy and Identity in Community Settings have developed methods for assessing and mitigating privacy risks faced in sharing biomedical data. Their methods can be used to protect personal demographics, genome sequences, and other data types from attacks on anonymity. The research group's recent work uses a two-player leader-follower game to model interactions between a data subject and a potentially adversarial data user. In the model, the data subject moves first, deciding what data to share, and then the adversary moves, deciding whether to launch an attack based on the data shared. This work aims at creating a systematic approach to reason about the risks that also accounts for the shared data's value. The game-based approach provides a more realistic estimate of re-identification risk and helps find data-sharing strategies that balance utility and privacy. This article continues to discuss the importance of protecting personal biomedical data from hackers and the use of game theory to find the best ways to share such data while protecting subjects' anonymity.

    The Conversation reports "The Best Way to Protect Personal Biomedical Data From Hackers Could Be to Treat the Problem Like a Game"

  • news

    Visible to the public "Keeping the World Connected, Without Sacrificing Privacy"

    A multi-university team led by the University of Michigan industrial operations and engineering assistant professor Raed Al Kontar is looking at a new type of connected device infrastructure called the Internet of Federated Things (IoFT) that could do more for users while reducing the amount of data shared. Such efforts are important as the amount of personal data uploaded by smartphones and other Internet-connected devices to the cloud raises privacy concerns. The team envisions a new model that takes advantage of connected devices' power and does more data processing as well as decision-making on edge devices instead of on cloud-based servers. The server would be more of a coordinator as it aggregates key findings stemming from edge devices and allows the network to learn from them. This article continues to discuss the multi-university research on a new paradigm for connected devices aimed at maintaining the world's connectivity without sacrificing privacy.

    The University of Michigan reports "Keeping the World Connected, Without Sacrificing Privacy"

  • news

    Visible to the public "Malicious Joker App Scores Half-Million Downloads on Google Play"

    Beware of Joker malware found in the Color Message app. The malware is part of an app that promises better colors, emojis, and screen overlays. What it really does is subscribe users to unwanted paid premium services controlled by the attackers in a fleeceware attack. Users should monitor bills closely to catch these add-on fees. While these apps are often found outside the official Google Play store, sometimes they are able to outsmart Google Play's protections by using as little code as possible and hiding it while keeping a small footprint that is hard to detect.

    Threatpost reports "Malicious Joker App Scores Half-Million Downloads on Google Play"

  • news

    Visible to the public "Spider-Man Fans Warned About Scams Leveraging New Movie"

    Researchers at Kaspersky have discovered that fraudsters are leveraging the latest Spider-Man movie to spread malicious files and phishing pages. The researchers found numerous phishing websites popping up ahead of the movie premiere, purporting to show the movie online. These sites asked users to register and enter their credit card information to access the film. If a victim entered their card information, they would have their payment data stolen by the fraudsters. Unsurprisingly, the victims were unable to stream the feature. In addition to tricking users into giving away payment information, adversaries are trying to entice Spider-Man fans into downloading malicious files, believing they are downloading the movie. These include downloaders that can install other unwanted programs, adware, and Trojans. The latter of these can allow the threat actors to perform actions that are not authorized by the user, such as gathering data, modifying data, or disrupting the performance of computers. The researchers also found that fraudsters are leveraging the growing popularity of fan theories and fan art around the Spider-Man franchise to boost interest in their malicious websites. Some malicious sites use fan art featuring all the Spider-Man actors rather than official movie posters.

    Infosecurity reports: "Spider-Man Fans Warned About Scams Leveraging New Movie"

  • news

    Visible to the public "Meta: Surveillance-for-Hire Firms Hit 50,000 Victims"

    Meta has removed seven "surveillance-for-hire" companies from its platform that target blameless victims in over 100 countries worldwide. Facebook's parent company revealed in a report published yesterday that the seven companies are based in China, Israel, India, and North Macedonia. Their services are said to have targeted an estimated 50,000 victims, including journalists, dissidents, critics of authoritarian regimes, families of opposition, and human rights activists. Four entities are based in Israel: Cobwebs Technologies, Cognyte, Black Cube, and Bluehawk CI. Israel has a significant stake in the global surveillance market, notably through the work of controversial firm NSO Group, which WhatsApp launched a legal case against in 2019. Meta said the organizations operate across the three phases of targeting activity: "reconnaissance" via automated software, "engagement" in a bid to build trust with the individual, and "exploitation" via phishing emails and messages. The company noted that although public debate has mainly focused on the exploitation phase, it's critical to disrupt the entire lifecycle of the attack because the earlier stages enable the later ones. The company also noted that if we can collectively tackle this threat earlier in the surveillance chain, it would help stop the harm before it gets to its final, most serious stage of compromising people's devices and accounts. There are signs that the US government is now taking the activities of surveillance companies like these seriously. In November, the Treasury added NSO Group to its entity list, making it harder for the firm to buy components from US companies.

    Infosecurity reports: "Meta: Surveillance-for-Hire Firms Hit 50,000 Victims"

  • news

    Visible to the public "All Change at the Top as New Ransomware Groups Emerge"

    Researchers at Intel 471 have found that the Ransomware-as-a-Service (RaaS) landscape underwent another major shift in the third quarter as new variants emerged to become the dominant players in the ecosystem. The researchers stated that 60% of the attacks they tracked during the period were tied back to four variants: LockBit 2.0, Conti, BlackMatter, and Hive. Of these, LockBit 2.0 was the most prolific, accounting for a third (33%) of observed attacks, followed by Conti (15%), BlackMatter (7%), and Hive (6%). The researchers stated that due to law enforcement action, infighting amongst groups, or operators abandoning variants altogether, the RaaS groups dominating the ecosystem at this point in time are completely different from those of just a few months ago. Even with the shift in variants, the researchers noted that ransomware incidents as a whole are still on the rise. From July to September 2021, the researchers observed 612 ransomware attacks that can be attributed to 35 different ransomware variants. Among those attacks, several lesser-known variants have supplanted prominent ones that rose in notoriety over the first half of 2021. LockBit 2.0's rise has been particularly notable, as it was only discovered in June 2021 following the disappearance of LockBit late last year.

    Infosecurity reports: "All Change at the Top as New Ransomware Groups Emerge"