News Items

  • news

SoS Musings #55 - Strengthening Power Grid Cybersecurity

  • news

Cyber Scene #62 - From Cyber Week Back to the Future

  • news

Cybersecurity Snapshots #24 - Cybercriminals Feeling the Heat From Law Enforcement

  • news

Spotlight on Lablet Research #24 - Development of Methodology Guidelines for Security Research

  • news

    "Alarming Rise in Cyberattacks Against Healthcare Facilities, 68 Attacks in Q3 2021 Only"

    Last month saw an alarming rise in cyberattacks against healthcare facilities. Ransomware attacks across the globe locked 68 care providers out of their respective networks during Q3 of this year alone, threatening patient safety and privacy. Experts stated that as healthcare facilities modernize, their legacy OT equipment becomes vulnerable to hackers. Water, HVAC, oxygen, electrical, and other critical systems are connected, yet may fall short of proper cybersecurity monitoring and protection. Ilan Barda, CEO of Radiflow, stated that "accessing patient data is worrisome, but the idea of hackers gaining access to components in a specific ward or even a single operating room is alarming." The CEO also noted that CISOs at facilities should focus on both IT systems and OT environments, starting from risk assessment to threat monitoring. He also stated that there should be continuous holistic risk management for more mature organizations that combine both IT and OT systems.

    Help Net Security reports: "Alarming Rise in Cyberattacks Against Healthcare Facilities, 68 Attacks in Q3 2021 Only"

  • news

    "HP Printer Hijack Bugs Impact 150 Models"

    Security researchers at F-Secure have discovered two vulnerabilities in multi-function printers (MFPs) that impact 150 product models. Specifically, the researchers found a physical access port vulnerability (CVE-2021-39237) and a font parsing bug (CVE-2021-39238) in HP's MFP M725z device. These vulnerabilities turned out to affect scores more products in the FutureSmart line dating back to 2013. CVE-2021-39238 is the more dangerous of the two, as it can be exploited remotely, potentially by tricking an employee into visiting a malicious website to conduct a "cross-site printing" attack. Here, the website could automatically print a document containing a maliciously crafted font on a vulnerable MFP, said the researchers. This would allow an attacker to execute arbitrary code on the machine to steal any printed, scanned, or faxed information, including device passwords. The researchers also claimed that it could enable attackers to launch deeper attacks into the corporate network to spread ransomware, steal data from more sensitive data stores, and achieve other goals. The researchers also found that the bugs are wormable, meaning multiple MFPs on the same network could be automatically compromised. HP has issued patches for the vulnerabilities, which are rated medium severity (CVE-2021-39237) and critical severity (CVE-2021-39238).

    Infosecurity reports: "HP Printer Hijack Bugs Impact 150 Models"

  • news

    "Big Data Privacy for Machine Learning Just Got 100 Times Cheaper"

    Computer scientists at Rice University have discovered a method that cuts the cost for companies to implement a rigorous form of data privacy called differential privacy when using or sharing large databases for Machine Learning (ML). ML could benefit society in many ways if data privacy is ensured. If ML systems are trained to search for patterns in large databases containing medical or financial records, there is significant potential for improving medical care or identifying patterns of discrimination. However, that is currently impossible as data privacy methods do not scale. Therefore, the Rice University researchers proposed the use of a technique called locality-sensitive hashing, which they found could create a small summary of a large database of sensitive records. They dubbed the method RACE, drawing its name from the summaries, or "repeated array of count estimators" sketches. According to the researchers, it is safe to make RACE sketches publicly available. They are also useful for algorithms involving kernel sums, which are fundamental to ML, and ML programs that perform classification, ranking, and other common tasks. Companies can use RACE to benefit from large-scale, distributed ML and maintain differential privacy. This article continues to discuss the new method that slashes the cost of implementing differential privacy.

    Rice University reports "Big Data Privacy for Machine Learning Just Got 100 Times Cheaper"
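    The summary above describes the mechanism only at a high level: an LSH function hashes each record into one of a few counters, a "repeated array" of such counters is the sketch, and a query looks up its own bucket in every row and averages the counts, which estimates the kernel sum over the data. The block below is an added example written for this page, not the Rice group's code. It assumes signed-random-projection LSH (so the kernel being summed is (1 - angle(x, q)/pi)^p) and, for the private release, the Laplace mechanism calibrated to L1 sensitivity R; the article gives neither detail, so both are assumptions, and the two-cluster sample data is constructed.

```python
"""RACE-style sketch: R rows of LSH-indexed counters, with a Laplace-noised release."""
import math
import random


def angle(x, q):
    """Angle between two vectors, in radians."""
    dot = sum(a * b for a, b in zip(x, q))
    norm = math.sqrt(sum(a * a for a in x)) * math.sqrt(sum(b * b for b in q))
    return math.acos(max(-1.0, min(1.0, dot / norm)))


def srp_kernel(x, q, p):
    """Collision probability of p concatenated signed random projections (assumed LSH)."""
    return (1.0 - angle(x, q) / math.pi) ** p


def exact_kernel_sum(data, q, p):
    """Ground truth the sketch approximates: sum over all records of k(x_i, q)."""
    return sum(srp_kernel(x, q, p) for x in data)


def laplace(rng, scale):
    """Laplace(0, scale) sample by inverse CDF; the stdlib has no laplace()."""
    u = rng.random() - 0.5
    return -scale * math.copysign(1.0, u) * math.log(max(1e-300, 1.0 - 2.0 * abs(u)))


class RaceSketch:
    """Row r holds 2^p counters indexed by its own p random hyperplanes."""

    def __init__(self, dim, rows, hyperplanes, seed=0):
        rng = random.Random(seed)
        self.rows, self.p, self.n = rows, hyperplanes, 0
        self.planes = [[[rng.gauss(0.0, 1.0) for _ in range(dim)]
                        for _ in range(hyperplanes)] for _ in range(rows)]
        self.counts = [[0.0] * (1 << hyperplanes) for _ in range(rows)]

    def _bucket(self, r, x):
        code = 0
        for w in self.planes[r]:
            code = (code << 1) | int(sum(a * b for a, b in zip(w, x)) >= 0.0)
        return code

    def add(self, x):
        """One pass over the data: every record touches exactly one cell per row."""
        for r in range(self.rows):
            self.counts[r][self._bucket(r, x)] += 1.0
        self.n += 1

    def kernel_sum(self, q):
        """Estimate sum_i k(x_i, q): each row's count is a sum of Bernoulli(k) collisions."""
        return sum(self.counts[r][self._bucket(r, q)] for r in range(self.rows)) / self.rows

    def release(self, epsilon, seed=1):
        """Epsilon-DP copy. Adding one record changes R cells by 1, so the L1
        sensitivity is R and Laplace(R/epsilon) per cell suffices (assumed calibration)."""
        rng = random.Random(seed)
        noisy = RaceSketch.__new__(RaceSketch)
        noisy.rows, noisy.p, noisy.n, noisy.planes = self.rows, self.p, self.n, self.planes
        noisy.counts = [[c + laplace(rng, self.rows / epsilon) for c in row]
                        for row in self.counts]
        return noisy


def estimate_noise_sd(rows, epsilon):
    """Std. dev. the privacy noise adds to kernel_sum(): mean of R Laplace(R/eps) draws."""
    return math.sqrt(2.0 * rows) / epsilon


def demo_data(n_per_cluster=50):
    """Constructed sample: one cluster around (1, 0) and one around (0, 1)."""
    spread = [(i - n_per_cluster / 2) / n_per_cluster * 0.1 for i in range(n_per_cluster)]
    return [(1.0, s) for s in spread] + [(s, 1.0) for s in spread]


if __name__ == "__main__":
    data = demo_data()
    sketch = RaceSketch(dim=2, rows=256, hyperplanes=4, seed=7)
    for x in data:
        sketch.add(x)
    private = sketch.release(epsilon=1.0)
    for q in [(1.0, 0.0), (-1.0, 0.0)]:
        print(q, "exact", round(exact_kernel_sum(data, q, 4), 2),
              "sketch", round(sketch.kernel_sum(q), 2),
              "private", round(private.kernel_sum(q), 2))
    print("noise sd at epsilon=1:", round(estimate_noise_sd(256, 1.0), 1))
```

    The sketch itself is the only thing that has to leave the data holder: the hyperplanes are public and the raw records are never needed again, which is why a noised copy can be shared. Note the trade-off that release() makes visible: the privacy noise on an estimate grows with the number of rows, while the sketch's own sampling error shrinks with it, so R and epsilon have to be chosen together.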

  • news

    "Devious 'Tardigrade' Malware Hits Biomanufacturing Facilities"

    The cybersecurity nonprofit Bioeconomy Information Sharing and Analysis Center (BIO-ISAC) recently disclosed findings regarding the sophisticated malware strain called Tardigrade, named after the resilient micro-animal. Researchers at the biomedical and cybersecurity firm BioBright found that Tardigrade not only locks down computers but also adapts to its environment, conceals itself, and operates autonomously when it is cut off from its command-and-control (C&C) server. These discoveries were made when BioBright delved deeper into the use of Tardigrade in a ransomware attack against a biomanufacturing facility this spring. According to BIO-ISAC, of which BioBright is a member, Tardigrade is believed to have been developed by a well-funded, motivated Advanced Persistent Threat (APT) group, based on its sophistication and other clues gathered during the digital forensics investigation. The malware is also said to be actively spreading in the biomanufacturing industry, causing disruption and destruction and carrying out espionage. It offers a wide array of customization options and has the functionality of a Trojan. Once it is installed on a victim's network, it looks for stored passwords, deploys a keylogger, establishes a backdoor for attackers, and more. This article continues to discuss the discovery and sophistication of Tardigrade malware.

    Wired reports "Devious 'Tardigrade' Malware Hits Biomanufacturing Facilities"

  • news

    "A Nanoantenna for Long-Distance, Ultra-Secure Quantum Communication"

    Researchers in Japan have built a nanoantenna that brings quantum information networks closer to practical use. Researchers at Osaka University, in collaboration with their partners, have significantly improved photon-to-electron conversion using a metal nanostructure, a step forward in the development of advanced technologies for data sharing and processing. Classical computer information relies on simple on/off readouts, while quantum information is based on more complex and secure readouts, such as electron spin and photon polarization. Researchers have proposed semiconductor nanoboxes known as quantum dots for storing and transferring quantum information, but quantum repeater technologies face limitations. For example, current methods for converting photon-based information to electron-based information have proven inefficient. The researchers aimed to address this challenge of information conversion and transfer. One researcher explained that converting single photons into single electrons in gallium arsenide quantum dots (materials commonly used in quantum communication research) is not efficient enough. Therefore, the team designed a nanoantenna containing tiny concentric gold rings to focus light onto a single quantum dot, so that the device produces a voltage readout. They improved photon absorption by a factor of up to 9. This article continues to discuss the nanoantenna designed for long-distance, secure quantum communication.

    SciTechDaily reports "A Nanoantenna for Long-Distance, Ultra-Secure Quantum Communication"

  • news

    "Yanluowang Ransomware Tied to Thieflock Threat Actor"

    Links between the tactics and tools demonstrated in attacks suggest a former affiliate has switched loyalties, according to new research. Researchers at Symantec have found that a threat actor previously tied to the Thieflock ransomware may now be using the emerging Yanluowang ransomware in a series of attacks against U.S. corporations. The researchers found ties between Thieflock and Yanluowang, the latter of which they revealed in October after observing its use against a large organization. One of the researchers stated that the finding demonstrates how "little loyalty" there is among ransomware actors, particularly those who act as affiliates of RaaS operations. Since August, the researchers found that a threat actor has been using Yanluowang to target mainly financial companies in the United States. The actor also has attacked companies in the manufacturing, IT services, consultancy, and engineering sectors with the novel ransomware.

    Threatpost reports: "Yanluowang Ransomware Tied to Thieflock Threat Actor"

  • news

    "Data Breach at Panasonic"

    The Panasonic Corporation has disclosed a data security incident in which an undisclosed amount of data was compromised. Panasonic discovered that an adversary had gained access to its network on November 11. An internal investigation was launched and determined that the intruder had accessed some data stored on a file server. Panasonic did not say how much data was compromised in the incident or whether any sensitive information was accessed. Japanese news outlets Mainichi and NHK reported that the data breach went on for four months, from June 22 to November 3. NHK claimed that sensitive data, including information on the company's partners, personal details pertaining to customers and employees, and technical files from Panasonic's operations in Japan, was accessed in the intrusion. A principal threat hunter at Netenrich stated that the reported delay in detection "demonstrates that companies are continuing to lag behind attackers."

    Infosecurity reports: "Data Breach at Panasonic"

  • news

    Dear Colleague Letter: REU and RET Supplemental Funding in CISE

    NSF 21-028

    Dear Colleague Letter: Research Experiences for Undergraduates (REU) and Research Experiences for Teachers (RET) Supplemental Funding in Computer and Information Science and Engineering

    December 04, 2020

    Dear Colleagues:

  • news

    Solicitation: NSF 22-512 Designing Accountable Software Systems (DASS)

    Designing Accountable Software Systems (DASS)

    PROGRAM SOLICITATION
    NSF 22-512

    REPLACES DOCUMENT(S):
    NSF 21-554

    National Science Foundation

    Directorate for Computer and Information Science and Engineering
         Division of Computing and Communication Foundations
         Division of Information and Intelligent Systems
         Division of Computer and Network Systems

  • news

    Solicitation: NSF 22-502 National Artificial Intelligence Research Institutes

    National Artificial Intelligence Research Institutes

    https://beta.nsf.gov/funding/opportunities/national-artificial-intelligence-research-institutes

    Important Information for Proposers

    A revised version of the NSF Proposal & Award Policies & Procedures Guide (PAPPG) (NSF 22-1), is effective for proposals submitted, or due, on or after October 4, 2021. Please be advised that, depending on the specified due date, the guidelines contained in NSF 22-1 may apply to proposals submitted in response to this funding opportunity.

  • news

    NeTS Program in CISE/CNS Seeking Federal Employee Program Officer(s) for Networking Topics

    The NeTS program in CISE/CNS is seeking Federal employee program officers for networking topics.  See https://www.usajobs.gov/GetJob/ViewDetails/615205300.

    Summary

    The National Science Foundation is seeking a qualified candidate for an Interdisciplinary (Program Director) position for the Networking Technology and Systems - Wireless (NeTS) program in the Division of Computer and Network Systems (CNS) within the Directorate for Computer and Information Science and Engineering (CISE), Alexandria, VA.

  • news

    NSF-CNS 2021-7680: Interdisciplinary (Program Director)

    Interdisciplinary (Program Director)

    Division: Computer and Network Systems (CISE/CNS)

    Directorate: Computer and Information Science and Engineering (CISE)

    Job Type: STEM

    Appointment Type: Temporary / Rotator

    Pay Grade/Scale: AD-04


    Position Summary

  • news

    "Over 300,000 Android Users Have Downloaded These Banking Trojan Malware Apps"

    More than 300,000 Android smartphone users have downloaded banking Trojans via malicious apps that bypassed detection by the Google Play app store. According to cybersecurity researchers at ThreatFabric, four different forms of malware were distributed to victims through malicious versions of document scanners, QR code readers, cryptocurrency apps, and other commonly downloaded apps. The malicious apps often provided the same functions as legitimate apps to avoid raising users' suspicion. They were able to evade Google Play's detections because the malware delivery only began after the app had been installed. Anatsa was found to be the most prolific of the four malware families, with over 200,000 users having installed it. The researchers describe Anatsa as an advanced banking Trojan that can steal usernames and passwords and use accessibility logging to capture everything displayed on the user's screen. One of the malicious apps designed to deliver Anatsa, a QR code scanner, alone has been installed by 50,000 users. This app's download page shows a significant number of positive reviews, which encourage people to download it. Alien is the second most prolific of the malware families, with nearly 95,000 installations through malicious apps, including a gym and fitness app. Hydra and Ermac are the other two forms of malware; they have a combined total of 15,000 downloads and have been linked to Brunhilda, a cybercriminal group known to target Android devices with banking malware. This article continues to discuss findings surrounding password-stealing Android banking Trojans disguised as legitimate apps and the continued evolution of the Android banking malware ecosystem.

    ZDNet reports "Over 300,000 Android Users Have Downloaded These Banking Trojan Malware Apps"

  • news

    "Hospital Ransomware Attacks Go Beyond Healthcare Data"

    Results from a 2021 Ponemon study further highlight the targeting of the healthcare industry by ransomware attackers. The study surveyed 597 Health Delivery Organizations (HDOs), 42 percent of which had faced ransomware attacks over the past couple of years. About 36 percent attributed those ransomware attacks to a third party. Those attacks have lowered many HDOs' confidence in their ability to reduce the risk of ransomware attacks: 61 percent revealed that they were not confident in their defenses against ransomware. Most of the respondents said that a successful cyberattack had led to longer lengths of stay for patients. Many of the respondents also revealed that ransomware attacks had delayed medical procedures and tests, resulting in poor outcomes for patients. This article continues to discuss key findings from the Ponemon study on how ransomware attacks directly affect patients, notable cyberattacks on hospitals, and how healthcare organizations can defend themselves against ransomware attacks.

    Security Intelligence reports "Hospital Ransomware Attacks Go Beyond Healthcare Data"

  • news

    "Rapid Money Laundering Response Helps Intercept $27m"

    International law enforcement agencies have arrested over 1,000 suspects and seized nearly $27m in criminal funds associated with online fraud and money laundering, according to Interpol. Interpol stated that its Haechi-II operation took place over four months, from June to September 2021, bringing together investigators from 20 countries plus Hong Kong and Macao. The crackdown allowed police to close 1,660 cases and block 2,350 bank accounts linked to illegal activity. Interpol stated that this was done in many cases via a new global mechanism piloted during the campaign, known as the Anti-Money Laundering Rapid Response Protocol (ARRP). In one case, ARRP reportedly led to the rapid interception of $8m headed to Chinese bank accounts after a Colombian textiles firm was defrauded in a sophisticated business email compromise (BEC) scam.

    Infosecurity reports: "Rapid Money Laundering Response Helps Intercept $27m"

  • news

    "Report Details Best Practices for Railway Cybersecurity"

    The European Union Agency for Cybersecurity (ENISA) has released a new report that details best practices for the cyber risk management of railway organizations. ENISA calls on European Railway Undertakings (RUs) and Infrastructure Managers (IMs) to address cyber risks systematically in their risk management processes. The report delves into applicable methods and practical examples for addressing and mitigating cyber risks that European RUs and IMs should consider. The best practices presented in the report are based on railway stakeholders' feedback. In order to manage cyber risks, RUs and IMs should first identify what needs to be protected. The report highlights five key areas: the services provided by stakeholders, the devices that support those services, the physical equipment used to provide the services, the people who maintain or use them, and the data used. ENISA's report also covers available threat taxonomies and lists threats that can be used as a basis for risk analysis. The examples of cyber risk scenarios analyzed in the report can help railway stakeholders when they conduct a risk analysis, as they show how asset and threat taxonomies can be used together and are based on known incidents and actual feedback. The article continues to discuss the report released by ENISA to help improve railway cybersecurity.

    Homeland Security Today reports "Report Details Best Practices for Railway Cybersecurity"

  • news

    "Ransomware Operators Threaten to Leak 1.5TB of Supernus Pharmaceuticals Data"

    Biopharmaceutical company Supernus Pharmaceuticals last week confirmed it fell victim to a ransomware attack that resulted in a large amount of data being exfiltrated from its network. The Rockville, Maryland-based company says the attack likely happened in mid-November, when a ransomware group accessed data on certain systems, deployed malware to prevent access to files, and then threatened to leak the exfiltrated files. To date, the company has not paid any ransom and has been able to restore all of the information encrypted by the criminal ransomware group. The company believes that the adversaries will likely attempt to exploit the improperly obtained information. On Thanksgiving, the Hive ransomware group claimed responsibility for the attack, saying that it breached Supernus Pharmaceuticals' network on November 14 and that it managed to exfiltrate a total of 1,268,906 files totaling 1.5 terabytes of data. The hacking group announced on their leaks website on the Tor network that the stolen information will be posted online soon.

    SecurityWeek reports: "Ransomware Operators Threaten to Leak 1.5TB of Supernus Pharmaceuticals Data"

  • news

    GoDaddy managed WordPress customers part of big hack

    Over 1.2 million GoDaddy customers were impacted by a recent hack. GoDaddy is the world's largest domain registrar, and its managed WordPress hosting includes a number of associated companies such as 123Reg, Domain Factory, Host Europe, and others. An unauthorized third party using stolen credentials was able to get into the system back in September and lurked undetected until November 17th. Customer IDs and email addresses were stolen for 1.2 million active and inactive Managed WordPress customers. SFTP and database usernames and passwords for active customers were also stolen, and have now been reset.

  • news

    "Deeper Defense Against Cyberattacks"

    A KAUST team of researchers has developed a method to improve the detection of malicious intrusions, to combat the growing threat of cyberattacks against industrial control systems. Internet-connected industrial control systems are widely used to monitor and operate factories and critical infrastructure. In the past, these systems relied on costly dedicated networks, but they have increasingly been moved online, which makes them cheaper and more accessible. However, moving these systems online has also made them more susceptible to attack. The researchers explained that conventional security solutions such as firewalls and antivirus software are not appropriate for protecting industrial control systems because these systems have distinct specifications. The complexity of industrial control systems also makes it difficult for even the best algorithms to detect unusual activity that might indicate an intrusion by malicious actors. Deep learning is a branch of machine learning that has proven adept at recognizing complex patterns. It is powered by artificial neural networks and is trained rather than programmed: the model is given examples to learn from, and its accuracy improves as it continues to operate. The team trained and tested five different deep learning models using data from Mississippi State University's Critical Infrastructure Protection Center, consisting of simulations of different attack types, such as distributed denial-of-service (DDoS) and packet injection, on power systems and gas pipelines. The deep learning models' ability to detect intrusions was compared with that of state-of-the-art algorithms. The best conventional algorithms typically had an accuracy rate between 80 and 90 percent, while each deep learning model was between 97 and 99 percent accurate. When the researchers stacked all five deep learning models, the accuracy increased to more than 99 percent. This article continues to discuss the stacked deep learning method demonstrated by the KAUST team that offers an improved way to detect hacking into industrial control systems.

    KAUST Discovery reports "Deeper Defense Against Cyberattacks"
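    The summary says the five models were "stacked" but not what stacking does, which is the point a practitioner would want: a second-level model learns how to weigh the first-level detectors' outputs, so detectors that each catch a different attack type combine into one that catches both. The block below is an added example written for this page, not the KAUST team's code or data. It assumes constructed Modbus-like records with five features and two attack types (a traffic flood and a value injection); the base learners are one-feature threshold detectors rather than the deep networks in the article, and the meta-learner is a logistic regression trained on records the base learners never saw.

```python
"""Stacking single-feature intrusion detectors over constructed ICS telemetry."""
import math
import random

FEATURES = ["pkt_rate", "reg_delta", "resp_ms", "rare_func", "addr_span"]
NORMAL, FLOOD, INJECT = 0, 1, 2


def make_records(n, seed=0):
    """Constructed telemetry (assumption, not the MSU data set): a flood only
    shifts the traffic features, an injection only shifts the process features."""
    rng = random.Random(seed)
    rows = []
    for i in range(n):
        kind = (NORMAL, NORMAL, FLOOD, INJECT)[i % 4]
        flood, inject = kind == FLOOD, kind == INJECT
        x = [rng.gauss(50 if flood else 10, 2),     # packets per second
             rng.gauss(20 if inject else 0, 1),     # |register value change|
             rng.gauss(300 if flood else 30, 10),   # response latency, ms
             rng.gauss(4 if inject else 0, 0.5),    # rare function codes seen
             rng.gauss(40 if inject else 5, 2)]     # distinct registers touched
        rows.append((x, 0 if kind == NORMAL else 1))
    return rows


def fit_threshold(rows, feature):
    """Base learner: the cut on one feature that maximises training accuracy."""
    vals = sorted(set(x[feature] for x, _ in rows))
    best_acc, best_t = -1.0, vals[0]
    for lo, hi in zip(vals, vals[1:]):
        t = (lo + hi) / 2
        acc = sum((x[feature] > t) == bool(y) for x, y in rows) / len(rows)
        if acc > best_acc:
            best_acc, best_t = acc, t
    return best_t


def base_outputs(thresholds, x):
    """The five detectors' votes; this is the meta-learner's input vector."""
    return [1.0 if x[f] > t else 0.0 for f, t in enumerate(thresholds)]


def fit_meta(rows, thresholds, epochs=300, lr=0.5):
    """Meta-learner: logistic regression over the base votes, fitted by SGD on
    held-out records so it learns the detectors' real errors, not training fit."""
    w, b = [0.0] * len(thresholds), 0.0
    for _ in range(epochs):
        for x, y in rows:
            z = base_outputs(thresholds, x)
            p = 1.0 / (1.0 + math.exp(-(sum(wi * zi for wi, zi in zip(w, z)) + b)))
            w = [wi - lr * (p - y) * zi for wi, zi in zip(w, z)]
            b -= lr * (p - y)
    return w, b


def predict_stacked(model, thresholds, x):
    w, b = model
    z = base_outputs(thresholds, x)
    return 1 if sum(wi * zi for wi, zi in zip(w, z)) + b > 0.0 else 0


def accuracy(predict, rows):
    return sum(predict(x) == y for x, y in rows) / len(rows)


def run(seed=0):
    """Returns (accuracy of each single-feature detector, accuracy of the stack)
    on a test split neither level was trained on."""
    base_train = make_records(200, seed)
    meta_train = make_records(200, seed + 1)
    test = make_records(400, seed + 2)
    thresholds = [fit_threshold(base_train, f) for f in range(len(FEATURES))]
    model = fit_meta(meta_train, thresholds)
    singles = [accuracy(lambda x, f=f: int(x[f] > thresholds[f]), test)
               for f in range(len(FEATURES))]
    stacked = accuracy(lambda x: predict_stacked(model, thresholds, x), test)
    return singles, stacked


if __name__ == "__main__":
    singles, stacked = run()
    for name, acc in zip(FEATURES, singles):
        print(f"{name:10s} alone: {acc:.3f}")
    print(f"stacked:          {stacked:.3f}")
```

    Each single-feature detector tops out at 75 percent here, because it is blind to the attack type that does not move its feature; the stack reaches essentially 100 percent once the meta-learner learns that either group of votes means an attack. The same two-level structure is what lets several specialised models outperform the best of them individually, which is the effect the article reports.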

  • news

    "New Chip Hides Wireless Messages in Plain Sight"

    Researchers at Princeton University have developed a method that incorporates security into the physical nature of wireless transmissions to prevent eavesdropping. Encryption methods currently used to protect communications from eavesdroppers can be difficult to scale toward high-speed and ultra-low-latency systems for 5G and beyond because the nature of encryption requires information to be exchanged between the sender and receiver to encrypt and decrypt a message. This exchange increases the vulnerability of the link to attacks. In addition, it requires computing that increases latency, which is the amount of time spent between sending instructions on a network and data arrival. Latency is an essential measure for tasks such as autonomous driving and industrial automation. Lessening time to action is critical for networks supporting self-driving cars, robots, and other latency-critical cyber-physical systems. The new millimeter-wave wireless microchip developed by the team enables wireless transmissions to prevent interception without reducing the 5G network's latency, efficiency, and speed. As a result, the technique will make it hard for malicious actors to eavesdrop on high-frequency wireless transmissions, even if there are multiple colluding actors. The method shapes the transmission itself instead of depending on encryption to thwart eavesdroppers. An attempt to intercept the message by interfering with the main transmission would cause problems in the transmission and be detectable by the intended user. In theory, it is possible for multiple eavesdroppers to work together to collect noise-like signals and try reassembling them into an understandable transmission, but the number of receivers needed to do that would be extraordinarily large, according to the researchers. This article continues to discuss the new chip developed by the Princeton researchers to foil would-be eavesdroppers.

    Princeton University reports "New Chip Hides Wireless Messages in Plain Sight"

  • news

    "Malware Samples Target Windows Installer Flaw"

    According to researchers at Cisco Talos, there are malware samples in the wild attempting to exploit a recently disclosed zero-day flaw in Microsoft's Windows Installer software component. Exploitation of this flaw can allow an attacker with access to a limited user account to gain administrator privileges. The issue stems from an inadequate patch released on November 9 for CVE-2021-41379. On November 22, the researcher who originally discovered the flaw released proof-of-concept (PoC) exploit code on GitHub, and other security researchers confirmed that the exploit code still worked. The vulnerability was initially ranked as a medium-severity flaw with a CVSS base score of 5.5, since an attacker would need access to the targeted system and the ability to execute low-privilege code to exploit it. However, the release of a functional PoC is expected to drive additional exploitation of the vulnerability. Jaeson Schultz, technical leader at Cisco Talos, said three malware samples related to the flaw have been found. Using CVE-2021-41379, an attacker could abuse the Windows Installer service by creating a junction. The PoC exploit code overwrites the discretionary access control list (DACL) of the Microsoft Edge Elevation Service, the list that identifies which users are allowed or denied access to a securable object. This would allow a malicious actor to replace any executable file on the system with an MSI file and run code as an administrator. The vulnerability affects versions of Microsoft Windows including Windows 11 and Server 2022. This article continues to discuss the discovery of malware samples targeting a local privilege escalation flaw in Windows Installer.

    Duo reports "Malware Samples Target Windows Installer Flaw"

  • news

    "GoDaddy Announces Data Breach"

    Data belonging to up to 1.2 million WordPress customers has been exposed in a security incident at GoDaddy. The domain registrar web-hosting company said on Monday that an unauthorized third party had gained access to its systems by exploiting a compromised password. The investigation into the incident found that the unauthorized third party had been able to access WordPress customers' data since September 6. The intrusion was not detected until last week. During the investigation, it was determined that the unauthorized third party gained access to email addresses and customer numbers belonging to Managed WordPress customers with active or inactive accounts. The details of SSL (Secure Sockets Layer) private keys belonging to an unspecified number of active customers were also exposed to the unauthorized third party.

    Infosecurity reports: "GoDaddy Announces Data Breach"

  • news

    "Most US Healthcare Apps Susceptible to Cyberattack"

    Researchers at Outpost24 found that vulnerabilities exist in most of the web applications used by leading healthcare providers in the United States. The researchers found that 90% of the web applications used by US healthcare operators are susceptible to cyberattacks. The researchers assessed the internet-exposed applications of the top 20 largest pharma and healthcare organizations in the European Union and in the US to identify common attack vectors and exploitable flaws. They found that 85% of the top 20 pharma and healthcare applications had an external attack surface score of 30 or above out of 58.24. Outpost24 classifies such a score as 'critically exposed,' indicating a "high susceptibility for security and vulnerability exposure." Healthcare organizations in the United States were found to be more at risk than their European counterparts: US organizations had an average risk exposure score of 40.5, while the score for healthcare organizations in the EU was 32.79. The researchers also found that a quarter of the web applications run by healthcare organizations in the US presented a cybersecurity risk. Of a total of 6,069 web applications run across 2,197 domains, 3% were considered "suspect" by the researchers, and a further 23.74% were found to be running on vulnerable components. Although EU healthcare organizations run almost four times as many web applications as those in the US, the percentage of apps deemed risky was lower in the EU than in the US. Of the 20,394 web applications run by EU healthcare organizations across 9,216 domains, 3.3% were considered suspect and 18.3% were running on vulnerable components. The top three attack vectors identified across healthcare organizations in the EU and the US were Degree of Distribution, Page Creation Method, and Active Content.

    Infosecurity reports: "Most US Healthcare Apps Susceptible to Cyberattack"

  • news

    "Philips Working on Patches for Vulnerabilities Found in Medical Products"

    Researchers at the industrial cybersecurity firm Nozomi Networks discovered several vulnerabilities in some of Philips' medical products, including the IntelliBridge hub, Patient Information Center iX (PIC iX), and Efficia CM Series. Philips and the US Homeland Security Department's Cybersecurity and Infrastructure Security Agency (CISA) issued advisories for the vulnerabilities. According to one advisory, two of the flaws were found in IntelliBridge EC 40 and EC 80 Hub patient monitoring systems that integrate point-of-care devices with hospital information systems. These vulnerabilities stem from the use of hardcoded credentials and authentication bypass. If an attacker were to successfully exploit these flaws, they could gain unauthorized access to the Philips IntelliBridge EC40/80 hub and then execute software, modify device configuration, update patient data, and more. This article continues to discuss the potential exploitation and impact of the security vulnerabilities identified in certain patient monitoring and medical device interface products from Philips.

    Security Week reports "Philips Working on Patches for Vulnerabilities Found in Medical Products"

  • news

    "Wind Turbine Giant Vestas Says Data Was Compromised in Security Incident"

    Vestas Wind Systems, one of the world's largest wind turbine manufacturers, discovered a cybersecurity incident on November 19, 2021, and has since been working with external partners to contain the situation and mitigate its impact. Preliminary findings from the investigation show that parts of Vestas' internal IT infrastructure have been affected and that data has been compromised. However, according to the firm, there is no evidence that the incident has impacted third-party operations, including customer and supply chain operations. This article continues to discuss the security incident affecting Vestas and the continued targeting of the energy sector in cyberattacks.

    CyberScoop reports "Wind Turbine Giant Vestas Says Data Was Compromised in Security Incident"

  • news

    Visible to the public "US Department of Energy Names University of Central Florida as the Winner of the CyberForce Competition"

    The US Department of Energy (DOE) announced the University of Central Florida as the national winner of its seventh CyberForce Competition, which challenged 120 US college and university teams from 33 states and the District of Columbia to stop a simulated cyberattack. David Turk, the Deputy Secretary of Energy, emphasized the importance of building and maintaining a highly skilled cybersecurity workforce to protect and defend the nation's energy systems as the clean energy grid of the future is developed and cyber threats grow. The CyberForce Competition is part of DOE's CyberForce Program, which aims to foster and build the next generation of energy sector cyber defenders. Through the program, students develop and strengthen the skills essential to a career protecting the nation's critical infrastructure, such as power plants. Each CyberForce Competition is an interactive event built around a scenario in which participants test their cyber defense skills. This year's scenario challenged participants to harden and secure a hydropower company's systems, as well as those of its recently acquired subsidiaries, against a cyberattack while still providing service to customers. The University of California, Santa Cruz, won second place, and Pennsylvania State University won third place. This article continues to discuss the goals and success of the CyberForce Competition, and the results of this year's event.

    Office of Cybersecurity, Energy Security, and Emergency Response reports "US Department of Energy Names University of Central Florida as the Winner of the CyberForce Competition"

  • news

    Visible to the public "Avoid a Privacy Nightmare With 'Lean Privacy Review'"

    Companies sometimes conduct privacy reviews of new applications or services to identify potential privacy issues before release. Such reviews are typically carried out with privacy experts and lawyers, so they cost a considerable amount of money and time, which makes them infeasible for many companies, and they rarely involve feedback from actual users. A new study by Carnegie Mellon University CyLab researchers proposes a type of privacy review that is not only cheaper but also makes it easy to get feedback directly from users early in the development process. The study, titled "Lean Privacy Review: Collecting Users' Privacy Concerns of Data Practices at a Low Cost," has been published in ACM Transactions on Computer-Human Interaction. According to Haojian Jin, the study's lead author, Lean Privacy Review (LPR) can surface the privacy concerns that real people have at a significantly lower cost and shorter wait time than a formal review. The authors emphasize that LPR is not meant to replace the formal privacy review, as privacy experts and lawyers remain essential to the process; rather, it complements the formal review and makes it easier and more efficient. LPR is said to be especially useful in the early design stages. This article continues to discuss how LPR improves upon the formal privacy review and how the researchers evaluated LPR.

    CyLab reports "Avoid a Privacy Nightmare With 'Lean Privacy Review'"

  • news

    Visible to the public "This Tool Protects Your Private Data While You Browse"

    A team of computer scientists from the University of California San Diego and Brave Software developed a tool named SugarCoat to protect users' private data while they browse the web. The tool targets scripts that harm users' privacy, such as those used to track browsing history across the web, but that some websites nevertheless need in order to function. SugarCoat replaces such scripts with versions that expose the same interface but have the privacy-harming behavior removed. It is designed to be integrated into Brave, Firefox, and other privacy-focused browsers, as well as browser extensions such as uBlock Origin. Most existing content-blocking tools either block a script or allow it to run, depending on whether it appears on a public list of privacy-harming scripts. In practice, however, some scripts are both privacy-harming and required for websites to function, and most tools ultimately allow these scripts to run as an exception; there are currently over 6,000 such exception rules. The researchers propose that, rather than blocking a script or allowing it to run, content-blocking tools replace its source code with a privacy-preserving alternative. This ensures that content-blocking tools do not break the web pages that embed these scripts, while the scripts can no longer access private data. SugarCoat automatically generates these privacy-preserving replacement scripts. It uses the PageGraph tracing framework to follow the behavior of privacy-harming scripts through the browser engine and identifies when and how the scripts call Web Platform Application Programming Interfaces (APIs) that expose privacy-sensitive data. It then rewrites the scripts' code to call SugarCoat APIs instead, which look like the Web Platform APIs but do not expose private data. This article continues to discuss the purpose, development, and capabilities of the SugarCoat tool.

    UC San Diego News Center reports "This Tool Protects Your Private Data While You Browse"

  • news

    Visible to the public "Most Ethical Hackers Identifying Vulnerabilities They Did Not See Before the Pandemic"

    New research from Bugcrowd found that around 80 percent of ethical hackers have recently discovered a vulnerability they had not seen before the pandemic, and 74 percent agreed that the number of vulnerabilities has increased since the pandemic began. According to Bugcrowd's annual survey of ethical hackers, 91 percent said point-in-time testing cannot keep companies secure all year round. Casey Ellis, founder and CTO of Bugcrowd, calls on companies to replace point-in-time testing, which assesses security only at a particular moment, with continuous testing carried out from development through market launch and beyond. This article continues to discuss key findings from Bugcrowd's survey of ethical hackers.

    SC Media reports "Most Ethical Hackers Identifying Vulnerabilities They Did Not See Before the Pandemic"

  • news

    Visible to the public "Less than Half of Consumers Change Passwords Post-Breach"

    Researchers at the Identity Theft Resource Center have found a "shockingly high" disconnect between awareness of best practices following a data breach and the actions actually taken. The researchers polled over 1,000 US consumers to gauge their understanding of and response to breach incidents involving personal information. More than half (55%) of social media users have had their accounts compromised in the past, so there is generally a high level of awareness about what can be done to improve personal security. Nonetheless, nearly a fifth (16%) of respondents said they took no action following a breach; less than half (48%) changed the affected passwords, and only about a fifth (22%) changed all of their passwords. The researchers stated that this is particularly worrying given that 85% admitted to reusing logins across multiple accounts, which puts them at risk of credential stuffing. When asked why they do not use unique passwords, 52% said it is too difficult to remember them, 48% do not trust or do not know how to use password managers, and 46% do not think it is important or believe their password practices are good enough. Only 3% followed best-practice advice after a breach notice and placed a credit freeze to prevent fraudsters from running up debts on new lines of credit taken out in the victims' names. Among the respondents who took no action after a breach, a quarter (26%) said they did nothing because they believed their data was already out there, while slightly more (29%) naively assumed third-party organizations would handle the issue. Nearly a fifth (17%) said they did not know what to do, and 14% thought the notice itself was a scam.

    Infosecurity reports: "Less than Half of Consumers Change Passwords Post-Breach"
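    The credential-stuffing risk mentioned above is detectable on the server side even when each individual login attempt looks ordinary: a stuffing run shows up as one source address trying many different usernames in a short window with a high failure rate, occasionally hitting a reused password. The following detector is an added example written for this page, not code from the Identity Theft Resource Center or any vendor; the log line format, the constructed sample log, and the thresholds are assumptions for the illustration.

```python
"""Credential-stuffing detection over authentication logs (added example; the
log format and thresholds are assumptions for this illustration)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample log: one source address tries many different usernames in
# quick succession (typical of a credential-stuffing run) and hits one valid
# credential; a second address is one user mistyping a password once.
SAMPLE_LOG = """\
2021-11-19T10:00:01Z src=203.0.113.7 user=alice result=FAIL
2021-11-19T10:00:02Z src=203.0.113.7 user=bob result=FAIL
2021-11-19T10:00:02Z src=203.0.113.7 user=carol result=FAIL
2021-11-19T10:00:03Z src=203.0.113.7 user=dave result=OK
2021-11-19T10:00:03Z src=203.0.113.7 user=erin result=FAIL
2021-11-19T10:00:04Z src=203.0.113.7 user=frank result=FAIL
2021-11-19T10:00:30Z src=198.51.100.4 user=alice result=FAIL
2021-11-19T10:00:45Z src=198.51.100.4 user=alice result=OK
2021-11-19T10:20:00Z src=203.0.113.7 user=grace result=FAIL
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ) src=(?P<src>\S+) "
    r"user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_line(line):
    """Parse one log line into (timestamp, source, user, success) or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, m["src"], m["user"], m["result"] == "OK"


def detect_credential_stuffing(log_text, window=timedelta(minutes=5),
                               min_users=5, min_fail_ratio=0.6):
    """Flag sources that try at least `min_users` distinct usernames within
    `window` with a failure ratio of at least `min_fail_ratio`.

    Returns {source: {"distinct_users", "attempts", "failures", "succeeded"}}.
    "succeeded" lists accounts that logged in during the run; those are the
    reused credentials that worked and should be forced through a reset."""
    recent = defaultdict(deque)   # per source: sliding window of (ts, user, ok)
    alerts = {}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue                # ignore lines in an unexpected format
        ts, src, user, ok = ev
        q = recent[src]
        q.append((ts, user, ok))
        while ts - q[0][0] > window:   # drop events older than the window
            q.popleft()
        users = {u for _, u, _ in q}
        failures = sum(1 for _, _, k in q if not k)
        if len(users) >= min_users and failures / len(q) >= min_fail_ratio:
            alerts[src] = {
                "distinct_users": len(users),
                "attempts": len(q),
                "failures": failures,
                "succeeded": sorted({u for _, u, k in q if k}),
            }
    return alerts


if __name__ == "__main__":
    for src, info in detect_credential_stuffing(SAMPLE_LOG).items():
        print(src, info)
```

    On the sample log the detector flags 203.0.113.7 (six usernames, five failures) and reports that the account "dave" was successfully logged into during the run; the single user retrying from 198.51.100.4 is not flagged. Because a real stuffing run is usually spread over many source addresses, production deployments key the same logic on the password-hash prefix or on user-agent fingerprints as well as on the source address.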

  • news

    Visible to the public "Banks Must Report Major Cyber Incidents Within 36 Hours Under Finalized Regulation"

    Banks must report major cybersecurity incidents to federal officials within 36 hours under a rule that US financial regulators finalized on Thursday. Beginning in May 2022, financial executives will need to be more forthcoming about computer system failures and interruptions, such as ransomware or denial-of-service attacks, that could disrupt customers' ability to access their accounts or affect the larger financial system. The rule is titled the Computer-Security Incident Notification Requirements for Banking Organizations. One bank CEO stated that the financial services industry is a top target, facing tens of thousands of cyberattacks each day, and that better harmonization of regulatory standards and supervision, reducing duplicative or redundant rules, would let firms devote more resources to security and better protect investors.

    CyberScoop reports: "Banks Must Report Major Cyber Incidents Within 36 Hours Under Finalized Regulation"

  • news

    Visible to the public "'PerSwaysion' Phishing Campaign Still Ongoing, and Pervasive"

    Research conducted by SeclarityIO analyzed data on a phishing kit called PerSwaysion, which has been used in thousands of attacks worldwide and is a significant threat to organizations across multiple sectors. The kit lets cybercriminals launch a phishing campaign with little effort. The campaign abuses Microsoft file-sharing services such as Sway, SharePoint, and OneNote to lure unsuspecting users to malicious credential-stealing websites. Findings from the analysis indicate that the campaign dates back to at least October 2017, and despite public disclosure of the kit and its TTPs, it is still active. Data from URLscan revealed that, within the last 18 months, about 7,403 people across 14 sectors visited 444 unique PerSwaysion phishing portals. The victims came from financial services, healthcare, aerospace, engineering, technology, government, and other sectors. David Pearson, co-founder and CEO of SeclarityIO, estimates that the number of organizations affected by the campaign since May 2020 is in the high hundreds. The PerSwaysion kit includes templates for spoofing the account login pages of Microsoft, Google, Facebook, Twitter, AOL, and other trusted brands. In some PerSwaysion attacks, URL shorteners such as bit.ly and tiny.cc were used to try to bypass email filters and make malicious URLs look legitimate. In others, email platforms such as sendgrid.net were used to deliver phishing lures directly to user inboxes. Other observed tactics included luring users to legitimate but compromised websites, redirecting users through online ads, and abusing open redirects to reroute users. The kit's attack infrastructure consists of a front-end phishing portal, a template hosting site, a redirector site, and the credential collection site itself. This article continues to discuss key findings surrounding the PerSwaysion phishing campaign.

    Dark Reading reports "'PerSwaysion' Phishing Campaign Still Ongoing, and Pervasive"
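    Each of the delivery tricks listed above (URL shorteners, lures hosted on Microsoft file-sharing services, open redirects on legitimate sites, bulk-mailer click-tracking links, and brand names in a host or path that is not the brand's own) can be checked mechanically on the URLs extracted from a suspicious message. The triage function below is an added example written for this page, not SeclarityIO's tooling or part of the PerSwaysion kit; the indicator lists, the redirect parameter names, and the constructed email body are assumptions and are deliberately short.

```python
"""Phishing-URL triage for the delivery tricks described above (added example;
indicator lists are illustrative assumptions, not a threat feed)."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

SHORTENERS = {"bit.ly", "tiny.cc", "tinyurl.com", "t.co", "ow.ly"}
MS_SHARE_HOSTS = ("sway.office.com", "sway.com", "sharepoint.com", "onenote.com", "1drv.ms")
BULK_MAILERS = ("sendgrid.net", "mailchimp.com", "list-manage.com")
REDIRECT_PARAMS = {"url", "redirect", "redirect_uri", "redir", "next", "target",
                   "dest", "goto", "return", "continue"}
BRAND_WORDS = ("microsoft", "office365", "outlook", "onedrive", "google", "facebook", "twitter")
BRAND_DOMAINS = ("microsoft.com", "microsoftonline.com", "office.com", "live.com",
                 "outlook.com", "google.com", "facebook.com", "twitter.com")

URL_RE = re.compile(r"https?://[^\s<>\"')\]]+")


def host_matches(host, suffixes):
    """True if host is one of the given domains or a subdomain of one."""
    return any(host == s or host.endswith("." + s) for s in suffixes)


def triage_url(url):
    """Return the list of indicator names that apply to one URL ([] = nothing noted)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    indicators = []
    if host in SHORTENERS:
        indicators.append("url_shortener")
    if host_matches(host, MS_SHARE_HOSTS):
        indicators.append("ms_file_share_lure")
    if host_matches(host, BULK_MAILERS):
        indicators.append("bulk_mailer_click_tracking")
    # Open redirect: a redirect-style query parameter whose value is itself an
    # absolute URL (unquote again to catch double-encoded values).
    query = parse_qs(parts.query, keep_blank_values=True)
    if any(name.lower() in REDIRECT_PARAMS
           and any(unquote(v).lower().startswith(("http://", "https://", "//")) for v in values)
           for name, values in query.items()):
        indicators.append("open_redirect")
    # Brand keyword in the host or path while the host is not the brand's own
    # domain (crude substring check; a production filter would use a suffix list).
    text = f"{host}{parts.path}".lower()
    if any(w in text for w in BRAND_WORDS) and not host_matches(host, BRAND_DOMAINS):
        indicators.append("brand_lookalike")
    return indicators


def triage_text(text):
    """Run triage_url over every URL found in a message body."""
    return {u: triage_url(u) for u in URL_RE.findall(text)}


# Constructed message body (not from the report).
SAMPLE_BODY = """\
Please review the shared document: https://bit.ly/3kQ9xYz
Or open it here: https://www.example.edu/login?next=https%3A%2F%2Fsecure-login.example-cdn.net%2Fmicrosoft%2Foffice365%2Findex.php
Unsubscribe: https://u123.ct.sendgrid.net/ls/click?upn=abc
Reference: https://login.microsoftonline.com/common/oauth2/authorize
"""

if __name__ == "__main__":
    for url, found in triage_text(SAMPLE_BODY).items():
        print(found or "-", url)
```

    The open-redirect check is the interesting one: the link itself sits on a reputable university host, so reputation-based filters pass it, while the `next` parameter carries the real destination. A mail gateway that applies `triage_url` to the decoded value of such parameters, and not only to the outer URL, catches the redirector stage of the kit before the user ever reaches the phishing portal.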

  • news

    Visible to the public "Phishers Leverage Bait Attacks to Harvest Personal Data"

    According to a new report from Barracuda, bait attacks sent through free email services such as Gmail increase Asia-Pacific organizations' exposure to phishing and other email threats. A bait attack begins with an initial email designed to confirm that a target's address is active and to harvest login information or private data that is then used in subsequent phishing attacks. Attackers often use bait emails to identify valid victim mailboxes or to draw the victim into an email conversation that leads to the phishing attack. Bait emails are hard for traditional phishing detectors to stop because they typically contain no text, malicious links, or attachments. Over 10,500 organizations were targeted by at least one bait attack in September 2021. This article continues to discuss the concept of a bait attack, Barracuda's experiment on bait attacks, and recommended email security measures to mitigate the risks associated with such email threats.

    CISO MAG reports "Phishers Leverage Bait Attacks to Harvest Personal Data"
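    Because a bait email has nothing for a link or attachment scanner to inspect, the useful signal is the absence of content combined with an unfamiliar sender on a free webmail domain. The following heuristic is an added example written for this page, not Barracuda's detector; the two messages are constructed, and the freemail list, the word threshold, and the set of "known" sender domains are assumptions.

```python
"""Heuristic flagging of 'bait' emails: empty or trivial messages with no links
or attachments from unfamiliar free-webmail senders (added example; lists and
thresholds are assumptions for the illustration)."""
import email
import re
from email import policy

FREEMAIL_DOMAINS = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com"}
URL_RE = re.compile(r"https?://|www\.", re.IGNORECASE)
MAX_BODY_WORDS = 5   # a body this short carries no real content

# Constructed messages (not from the report). The first is a typical bait:
# a bare greeting-level subject, an empty body, and a throwaway Gmail sender.
BAIT_MSG = """\
From: "Accounts Dept" <acct.payable.9921@gmail.com>
To: finance@example.org
Subject: Hi
Date: Thu, 18 Nov 2021 09:12:00 +0000
Content-Type: text/plain; charset="utf-8"

"""

NORMAL_MSG = """\
From: "Pat Vendor" <pat@vendor.example>
To: finance@example.org
Subject: Invoice 4471 attached
Date: Thu, 18 Nov 2021 09:15:00 +0000
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Hi, please find invoice 4471 attached. Portal: https://portal.vendor.example/inv/4471
--b1
Content-Type: application/pdf; name="invoice-4471.pdf"
Content-Disposition: attachment; filename="invoice-4471.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--b1--
"""


def sender_domain(msg):
    """Domain part of the From header, lower-cased ('' if none found)."""
    m = re.search(r"@([\w.-]+)", str(msg.get("From", "")))
    return m.group(1).lower() if m else ""


def bait_indicators(raw, known_sender_domains=frozenset()):
    """Return the list of bait indicators present in one raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    indicators = []
    if len(text.split()) <= MAX_BODY_WORDS:
        indicators.append("empty_or_trivial_body")
    if not URL_RE.search(text):
        indicators.append("no_links")
    if not any(True for _ in msg.iter_attachments()):
        indicators.append("no_attachments")
    dom = sender_domain(msg)
    if dom in FREEMAIL_DOMAINS:
        indicators.append("freemail_sender")
    if dom not in known_sender_domains:
        indicators.append("unknown_sender")
    return indicators


def is_bait(raw, known_sender_domains=frozenset()):
    """Bait = nothing in the message (no body, links or attachments) from a
    sender the organization has never corresponded with."""
    required = {"empty_or_trivial_body", "no_links", "no_attachments", "unknown_sender"}
    return required <= set(bait_indicators(raw, known_sender_domains))


if __name__ == "__main__":
    known = {"vendor.example"}
    for name, raw in (("bait", BAIT_MSG), ("normal", NORMAL_MSG)):
        print(name, is_bait(raw, known), bait_indicators(raw, known))
```

    The point of `is_bait` is what a reply would do: answering confirms the mailbox is live and starts the conversation the attacker wants. A mail gateway can route such messages to a quarantine or strip the reply-to so that an eventual reply does not reach the attacker, without having to block empty messages from legitimate correspondents.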

  • news

    Visible to the public "IoT Security Incidents Increase as Healthcare Leans into Connected Health"

    According to a white paper recently released by Medigate and CrowdStrike, more than 80 percent of healthcare organizations reported a security incident involving Internet of Things (IoT) devices over the past 18 months. Telehealth, remote patient monitoring tools, wearables, and other digital tools enhance connected healthcare, but they also increase the risk of IoT security incidents. The paper explains that IoT devices expand the attack surface available to malicious actors and points out that cybercriminals disproportionately target healthcare organizations: a healthcare record is often worth 50 times more than a stolen credit card on the dark web. Personal health information (PHI) is worth more because there are many ways to monetize it, including extortion, fraudulent medication prescriptions, and fake claims for medical treatment. This article continues to discuss the increase in IoT security incidents as more healthcare organizations rely on connected health solutions.

    HealthITSecurity reports "IoT Security Incidents Increase as Healthcare Leans into Connected Health"

  • news

    Visible to the public "K-12 School Districts Failing at Cloud Security"

    American K-12 school districts are vulnerable to cyberattacks targeting data in cloud applications, according to researchers at EdWeek Research Center. The researchers conducted an online survey between July 14 and September 15, 2021, that was filled out by 214 administrators who said they had at least a medium level of influence on technology decisions. Respondents included 54 technology officers, 52 district superintendents, and 30 curriculum and instruction directors. The researchers found that 30% of K-12 school districts do not have a cloud security platform in place to monitor and protect the data stored in cloud applications. Half of the respondents said either they did not have a platform in place or had no idea if a platform had been implemented in their district. Nearly a third (31%) did not know if their cybersecurity platform consistently monitors the level of risk of files shared with users outside the district's domain or monitors for potential violations of government regulations. More than a quarter (28%) of respondents stated that they did not know if their cybersecurity platform monitors the level of risk of files shared within or uploaded into their domains or if it reports who has access. Most respondents (86%) said they use cloud-based learning management systems (LMS) or plan to move these systems to the cloud. The researchers also found that the median budget district administrators have available for cybersecurity is $20,000 annually, of which 20% will go toward protecting cloud applications in 2022.

    Infosecurity reports: "K-12 School Districts Failing at Cloud Security"

  • news

    Visible to the public "Ethical Hackers Stymie $27bn of Cybercrime"

    Researchers at Bugcrowd have found that ethical hackers have prevented $27bn worth of cybercrime during the COVID-19 pandemic. The research is based on the analysis of survey responses and security research conducted on the platform from May 1, 2020, to August 31, 2021, in addition to millions of proprietary data points collected on vulnerabilities from 2,961 security programs. Nearly three-quarters of respondents (74%) said vulnerabilities had increased since the outbreak of COVID-19. Most hackers (80%) found a vulnerability they had not encountered before the pandemic. Almost half of the hackers (45%) said they believe that lack of scope inhibits the discovery of critical vulnerabilities. The researchers also found that most (91%) of ethical hackers do not believe that point-in-time testing can secure companies year-round. The researchers stated that 79% of ethical hackers taught themselves how to hack using online resources. The researchers also noted that this is the youngest and most ethnically diverse generation of ethical hackers in history.

    Infosecurity reports: "Ethical Hackers Stymie $27bn of Cybercrime"

  • news

    Visible to the public "Serious Security Vulnerabilities in DRAM Devices"

    Researchers from ETH Zurich, Vrije Universiteit Amsterdam, and Qualcomm Technologies discovered serious vulnerabilities in DRAM devices widely used in computers, tablets, and smartphones. The underlying problem, Rowhammer, has been known for several years; it is an attack that exploits a fundamental weakness of DRAM. All data stored in DRAM is volatile and must be refreshed more than ten times per second, because a DRAM chip stores each bit in a single capacitor-transistor pair and the capacitors leak charge over time. Once a capacitor has leaked too much charge, the computer can no longer tell whether the stored bit was a 1 or a 0. In addition, each time a memory row is activated to be read or written, the currents flowing inside the chip cause the capacitors in neighboring rows to leak charge faster, an unavoidable consequence of the ever-growing density of the components packed into DRAM chips. An attacker can therefore repeatedly activate, or hammer, a memory row to induce bit errors in a neighboring row, and in principle such a bit error can be exploited to gain access to restricted areas of the computer. Following the discovery of Rowhammer, chip manufacturers tried to solve the problem by building mitigations into DRAM modules. The problem remains, however: the researchers found that the Target Row Refresh (TRR) mitigation designed to address Rowhammer is weak. TRR consists of circuits built into the memory that detect unusually high activation frequencies of certain rows and thus guess where an attack is taking place; a control circuit then refreshes the presumed victim row early, forestalling possible bit errors. The researchers found that this hardware-based immune system only detects simple attacks. They built a fuzzer called Blacksmith, which systematically tries complex, non-uniform hammering patterns at different points in the refresh cycle and then checks whether a given pattern led to bit errors. For all 40 DRAM devices tested, Blacksmith found a pattern that induced Rowhammer bit errors. This article continues to discuss the testing of DRAM devices that led to the discovery of serious security vulnerabilities.

    ETH Zurich reports "Serious Security Vulnerabilities in DRAM Devices"

  • news

    Visible to the public "US, UK Warn of Iranian Hackers Exploiting Microsoft Exchange, Fortinet"

    The US Homeland Security Department's Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), the Australian Cyber Security Centre (ACSC), and the UK's National Cyber Security Centre (NCSC) issued a joint advisory warning of the ongoing exploitation of Microsoft Exchange ProxyShell and Fortinet vulnerabilities by an Iranian-backed hacking group. According to CISA, the Iranian government-sponsored Advanced Persistent Threat (APT) group has been observed exploiting Fortinet vulnerabilities since March 2021 and a Microsoft Exchange ProxyShell vulnerability since October 2021. The group exploited these vulnerabilities to gain initial access to systems before carrying out operations, including deploying ransomware. ACSC has also observed the APT group using the Microsoft Exchange vulnerability in Australia. The Iranian state hackers have targeted US critical infrastructure sectors such as transportation and healthcare, as well as Australian organizations, with the goal of gaining access to targets that could later be used for data exfiltration, ransomware deployment, and other malicious purposes. This article continues to discuss the information shared in the joint advisory pertaining to the Iranian-sponsored hacking group.

    Bleeping Computer reports "US, UK Warn of Iranian Hackers Exploiting Microsoft Exchange, Fortinet"

  • news

    Visible to the public "Breakthrough Research Could Lead to Simple, Efficient Method of Quantum Encryption"

    A team of researchers from the Hebrew University of Jerusalem (HU) and the University of Tubingen in Germany has shared findings that bring us closer to a simple and efficient method of quantum encryption. Quantum computers will be faster and use significantly less electricity than today's computers, but they are also expected to render today's encryption algorithms obsolete. Most computer security currently relies on mathematical problems hard enough that ordinary computers would need billions of years to break one of these codes. In a quantum future we need new encryption methods that rely on the laws of physics rather than on mathematical hardness. One approach uses the quantum properties of particles of light, photons, to encrypt a message so that any attempt to intercept it is detectable by both sender and recipient. Finding a suitable source of single photons has, however, been a major challenge. Banks and government departments are already investing in quantum encryption based on laser beams, but lasers often release several photons at once or none at all. Optimum security requires a source that emits a fast but steady stream of single photons in one direction and at room temperature. The team built a system based on tiny fluorescent crystals, quantum dots, so small that a special microscope is needed to see them; each measures far less than a thousandth of the width of a human hair. A laser beam shone at a quantum dot causes it to emit a stream of single photons. The device is useful for both quantum encryption and quantum computation. This article continues to discuss the team's research breakthrough towards a better method of quantum encryption.

    AZoQuantum reports "Breakthrough Research Could Lead to Simple, Efficient Method of Quantum Encryption"

  • news

    Visible to the public "Emotet is Rebuilding its Botnet"

    Cybersecurity professionals are unsurprised by the apparent return of the Emotet malware. Its operators, the group tracked as TA542, rented Emotet out to other cybercriminals, who used it to install further malware, such as banking trojans or ransomware, on victims' computers. Emotet's botnet infrastructure was dismantled in January 2021 in a coordinated action by authorities in Canada, France, Germany, Lithuania, the Netherlands, the United Kingdom, the United States, and Ukraine. Now, researchers from Cryptolaemus, G DATA, and AdvIntel report observing the TrickBot trojan launching what appears to be a new loader for Emotet. One researcher stated that the new variant of the infamous malware follows a familiar path, delivering malicious Office or ZIP files in addition to other command-and-control (C2) payloads, and noted that many cybercriminal groups could return to using Emotet over the next few months.

    Infosecurity reports: "Emotet is Rebuilding its Botnet"

  • news

    Visible to the public HoTSoS 2022 Program Chairs: Adam Tagert & Benjamin Ujcich

    The HoTSoS team is excited to announce that Adam Tagert and Benjamin Ujcich will serve as Co-Chairs of Symposium Programming for 2022!

  • news

    Visible to the public HoTSoS 2022 General Chair: Sayan Mitra

    The HoTSoS team is excited to announce that our General Chair for the 2022 program is Sayan Mitra!

  • news

    Visible to the public "Why Are You Still Using QWERTY? 2021's Most Common Passwords Revealed"

    Researchers at NordPass analyzed password habits worldwide and found that we are still performing poorly at credential management. Major online service providers now often enforce strong passwords containing lower-case and capital letters, numbers, and special characters, and may also encourage or enforce multi-factor authentication (MFA). Businesses, however, may not impose the same standards, and ghost and forgotten accounts, hardcoded credentials, and the reuse of username and password combinations remain common problems. NordPass evaluated a 4TB database of leaked passwords originating from the US, Canada, Russia, Australia, and Europe. Among other findings, a "stunning" number of people use their own name as a password ("charlie" was the 9th most popular password in the UK in 2021). According to the researchers, the most common passwords worldwide in 2021 were:

    1. 123456 (103,170,552 hits)
    2. 123456789 (46,027,530 hits)
    3. 12345 (32,955,431 hits)
    4. qwerty (22,317,280 hits)
    5. password (20,958,297 hits)
    6. 12345678 (14,745,771 hits)
    7. 111111 (13,354,149 hits)
    8. 123123 (10,244,398 hits)
    9. 1234567890 (9,646,621 hits)
    10. 1234567 (9,396,813 hits)

    ZDNet reports: "Why Are You Still Using QWERTY? 2021's Most Common Passwords Revealed"
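    A composition rule (upper case, digit, special character) accepts "P@ssw0rd" and rejects nothing on the list above that has been lightly obfuscated; a denylist plus a few pattern checks does better. The checker below is an added example written for this page, not NordPass's tooling; the extra denylist entries, the 12-character minimum, and the leetspeak map are assumptions. It also shows, without making a network call, how the k-anonymity range lookup used by the Have I Been Pwned Pwned Passwords service splits the SHA-1 hash so that only a five-character prefix ever leaves the client.

```python
"""Password denylist and pattern checks, plus the hash split used for a
k-anonymity breach lookup (added example; lists and thresholds are assumptions)."""
import hashlib

# The ten most common passwords reported above, plus a few classic entries
# (the extra entries are assumptions for this example).
COMMON_PASSWORDS = {
    "123456", "123456789", "12345", "qwerty", "password", "12345678",
    "111111", "123123", "1234567890", "1234567",
    "letmein", "welcome", "admin",
}
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")
# Undo common substitutions so that "P@ssw0rd" is recognised as "password".
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})
MIN_LENGTH = 12   # assumed policy


def keyboard_walk(pw, run=4):
    """True if `run` consecutive characters walk along a keyboard row."""
    s = pw.lower()
    rows = KEYBOARD_ROWS + tuple(r[::-1] for r in KEYBOARD_ROWS)
    return any(s[i:i + run] in row
               for i in range(len(s) - run + 1) for row in rows)


def password_findings(pw, username=""):
    """Return the list of reasons a candidate password should be rejected."""
    findings = []
    low = pw.lower()
    if low in COMMON_PASSWORDS or low.translate(LEET) in COMMON_PASSWORDS:
        findings.append("common_password")
    if len(pw) < MIN_LENGTH:
        findings.append("too_short")
    if keyboard_walk(pw):
        findings.append("keyboard_walk")
    if len(set(low)) == 1:
        findings.append("single_repeated_character")
    if username and username.lower() in low:
        findings.append("contains_username")
    return findings


def hibp_range_parts(pw):
    """Split SHA-1(password) for a k-anonymity range query: the client sends
    only the 5-hex-character prefix and matches the 35-character suffix locally
    against the list of suffixes the service returns for that prefix."""
    digest = hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


if __name__ == "__main__":
    for candidate in ("123456", "P@ssw0rd", "charlie2021", "correct horse battery staple"):
        print(repr(candidate), password_findings(candidate, username="charlie") or "ok")
    print(hibp_range_parts("password"))
```

    The denylist is a rejection rule at the moment a password is set, not a substitute for MFA or for monitoring reuse across sites; combining it with a breach lookup through the prefix returned by `hibp_range_parts` catches passwords that are not on any short list but have already leaked.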

  • news

    Visible to the public "Diebold Nixdorf ATM Flaws Allowed Attackers to Modify Firmware, Steal Cash"

    Security researchers at Positive Technologies shared information about two vulnerabilities in Diebold Nixdorf ATMs whose exploitation could have allowed an attacker to replace the firmware on the system and withdraw cash. The vulnerabilities, tracked as CVE-2018-9099 and CVE-2018-9100, were found in Wincor Cineo ATMs with the RM3 and CMD-V5 dispensers. Diebold acquired Wincor Nixdorf in 2016, and the companies then merged. The ATMs implement a set of measures against black box attacks, including end-to-end encrypted communication with the cash dispenser, but the researchers found ways around them. They bypassed the command encryption between the ATM computer and the cash dispenser and replaced the ATM firmware with an outdated version, then exploited the flaws to make the machine dispense cash. Although the encryption is meant to prevent black box attacks, the researchers determined that an attacker could extract the encryption keys and forge their own firmware to load onto the compromised ATM. The system also performs firmware integrity checks as an additional layer of protection, but the researchers identified the components involved in that check, both in the firmware and in the code that verifies the firmware signature, and were able to work around it. Diebold Nixdorf, which has issued patches for the vulnerabilities, recommends requiring physical authentication when an operator installs firmware, as an extra layer of protection against unauthorized access. This article continues to discuss the discovery, potential exploitation, and impact of the Diebold Nixdorf ATM flaws.

    Security Week reports "Diebold Nixdorf ATM Flaws Allowed Attackers to Modify Firmware, Steal Cash"

  • news

    Visible to the public "Hackers Fire Off Hoax Email Messages From FBI Account After Exploiting Misconfigured Server"

    The FBI discovered that hackers sent a barrage of fake emails over the weekend from an FBI email account, falsely warning recipients that an attacker had stolen their information. The nonprofit spam-tracking service Spamhaus Project estimated that the hoax campaign comprised as many as 100,000 messages. The FBI stated that the hackers temporarily broke in through a software misconfiguration in its Law Enforcement Enterprise Portal (LEEP), which the bureau uses to communicate with state and local law enforcement agencies. While the illegitimate email originated from an FBI-operated server, that server was dedicated to pushing LEEP notifications and was not part of the FBI's corporate email service, and the bureau said no actor was able to access or compromise any data or personally identifiable information (PII) on its network. The incident is only the latest in which an organization that investigates cyberattacks was itself compromised, and a reminder that common errors such as software misconfigurations can undermine the security of virtually anyone. Security researcher Kevin Beaumont said that many people will be watching the FBI's public response to this attack in the coming weeks, and that being as transparent as possible about the breach could help companies handle breaches that affect them in the future.

    CyberScoop reports: "Hackers Fire Off Hoax Email Messages From FBI Account After Exploiting Misconfigured Server"

  • news

    Visible to the public "BotenaGo Malware Could Threaten Millions of Routers and IoT Devices"

    Cybersecurity researchers at AT&T Alien Labs detailed BotenaGo, a new form of Internet of Things (IoT) malware that leverages more than 30 different exploits. According to the researchers, BotenaGo applies different methods to attack targets and creates a backdoor on compromised devices. As it uses over 30 exploits, BotenaGo could impact millions of routers and IoT devices, warned the researchers. The malware has been detected as a variant of the IoT botnet Mirai by some anti-virus suites. Although the payload initially appears similar, it is significantly different because it is written in the Go programming language. Go has been growing in popularity among developers and malware authors. BotenaGo scans the Internet for vulnerable targets. An analysis of the code found that the attacker is presented with a live global infection counter showing the number of compromised devices at any given time. The attackers can exploit the vulnerabilities in the Internet-facing devices and execute remote shell commands, potentially creating a gateway to the wider network if inadequately secured. They could also use this option to distribute malicious payloads. However, at the time of analysis, these payloads had been removed from the servers hosted by the attackers. BotenaGo has the potential to compromise millions of devices affected by the vulnerabilities detailed by the researchers, but currently, there is no apparent communication with a command-and-control (C2) server. The researchers suggest that BotenaGo could be one module of a larger malware suite that is currently not being used in attacks. They also suggest that a beta version of it was accidentally released early and it could still be in development. This article continues to discuss recent findings surrounding the BotenaGo Malware.

    ZDNet reports "BotenaGo Malware Could Threaten Millions of Routers and IoT Devices"