News Items

  • news

    Visible to the public "Latest Healthcare Data Breaches Have Varying Impacts on Health Data"

    Legacy Post Acute Care in California notified patients of a data breach between January 19 and March 3, 2022. In September, an unauthorized party accessed several employee email accounts over two months. Patient names, Social Security numbers, treatment information, health insurance information, financial information, prescription information, and more were all stored in the email accounts. Legacy Post Acute Care stated that it was not aware of any identity fraud or information misuse related to the incident. The Administrative Fund of the Detectives' Endowment Association, Inc., Police Department of New York (NYCDEA) reported a data breach that involved Protected Health Information (PHI) on more than 21,000 individuals. In December 2021, the NYCDEA discovered suspicious activity in its email system. Although the incident was discovered last year, the investigation into the effects of the breach was not completed until October 3, 2022. Names, addresses, financial account numbers, medical history, health insurance information, usernames and passwords, dates of birth, and driver's license numbers may have been involved in the incident, depending on the individual. The NYCDEA stated that it had no evidence that any information had been misused. The organization provided affected individuals with a year of credit monitoring and identity theft protection services. This article continues to discuss the latest string of healthcare data breach notifications from a California post-acute care facility, a New York police union, and a Colorado Federal Qualified Health Center (FQHC).

    HealthITSecurity reports "Latest Healthcare Data Breaches Have Varying Impacts on Health Data"

  • news

    Visible to the public "Yakima Neighborhood Health Services Notice of Data Security Incident"

    Yakima Neighborhood Health Services ("YNHS") recently learned of a data security incident that may have impacted data belonging to certain current and former patients. On October 4, 2022, a file containing certain individuals' personal and protected information was inadvertently distributed to one individual. Upon learning of this accidental disclosure, YNHS took steps to ensure the recipient deleted the file from their possession. YNHS has no evidence that any information potentially involved in this incident has been misused, but out of an abundance of caution, YNHS is informing affected individuals about the steps they can take to help protect their information. The potentially affected information may include individuals' names, dates of birth, medical record numbers, and medical treatment locations. On November 10, 2022, YNHS completed the process of identifying current address information for the affected individuals in order to create a written notification of the incident and send it via US mail.

    Dark Reading reports: "Yakima Neighborhood Health Services Notice of Data Security Incident"

  • news

    Visible to the public "Zendesk Vulnerability Could Have Given Hackers Access to Customer Data"

    Security researchers at Varonis stated that an SQL injection vulnerability in Zendesk Explore could have allowed a threat actor to leak Zendesk customer account information. Zendesk Explore is the analytics and reporting service of Zendesk, a popular customer support software-as-a-service solution. According to the researchers, two vulnerabilities in Zendesk Explore could have allowed an attacker to access conversations, comments, email addresses, tickets, and other information stored in Zendesk accounts with Explore enabled. The researchers noted that the two issues were reported to Zendesk and patched before they could have any impact on customer data. The researchers said that they have no evidence that any Zendesk Explore customer accounts were exploited, and Zendesk started working on a fix the same day it was reported. While analyzing Zendesk's products, the researchers discovered that they use multiple GraphQL APIs and that one of the object types in Zendesk Explore contained multiple nested encodings. Further investigation revealed the presence of a plaintext XML document containing name attributes vulnerable to an SQL injection attack. The researchers noted that they discovered a logical access flaw that allowed them to "steal data from any table in the target Zendesk account's RDS, no SQLi required." The researchers stated that Zendesk quickly resolved the issue, and there is no longer this flaw in Explore. No action is needed from current customers to fix the vulnerabilities discovered by the researchers.

    SecurityWeek reports: "Zendesk Vulnerability Could Have Given Hackers Access to Customer Data"

  • news

    Visible to the public "Montana State Receives $4.47 Million Award for Improving Cybersecurity"

    Montana State University (MSU) is leading a new effort to reduce software vulnerabilities across various systems, building on nearly five years of helping the Departments of Defense (DOD) and the Department of Homeland Security (DHS) in improving methods for resisting cyberattacks. The project, which is funded by a three-year, $4.47 million DHS contract, is based on advanced computing and data science techniques. The goal is to create innovative tools for identifying computer code that cybercriminals or foreign enemies could exploit. A team of eight faculty members from MSU, Idaho State University (ISU), Washington State University (WSU), and Rochester Institute of Technology (RIT) will develop computer models capable of analyzing software during the development process, a process known as quality assurance, and identify code that could be hacked once the software is used. The project builds on work begun in 2018, when project leader and principal investigator Clem Izurieta applied his cybersecurity expertise to a project with MSU's Techlink Center to improve software used by DOD to manage its facilities. The MSU team created an innovative framework for identifying software vulnerabilities using multiple existing tools. This success enabled Izurieta's team to secure $3.1 million in DHS funding in 2020 for a collaboration with the Idaho National Laboratory (INL) under an interagency agreement aimed at developing new methods of evaluating software vulnerabilities. The scope is expanded by the new project to include cloud-based software and Industrial Control Systems (ICS). The new project will also make use of cutting-edge computing advances such as Machine Learning (ML), which uses algorithms and statistical models to dynamically adapt to data patterns. According to ML expert Brad Whitaker, assistant professor in the Department of Electrical and Computer Engineering, this approach will allow cybersecurity tools to comb through computer code and spot potential problems. This article continues to discuss the new effort to reduce software vulnerabilities across a wide range of systems.

    MSU reports "Montana State Receives $4.47 Million Award for Improving Cybersecurity"

  • news

    Visible to the public "Android Malware: A Million People Downloaded These Malicious Apps Before They Were Finally Removed From Google Play"

    Google has removed some malicious apps from the Google Play Store that were downloaded by over a million Android users. The apps infected smartphones with malware and bombarded devices with malicious pop-up ads. According to cybersecurity researchers at Malwarebytes, the four identified as malicious were from a developer called Mobile apps Group. These apps were called 'Bluetooth Auto Connect,' 'Bluetooth App Sender,' 'Mobile transfer: smart switch,' and 'Driver: Bluetooth, Wi-Fi, USB.' The apps show no signs of malicious intent for at least a few days after installation. Furthermore, the malware does not immediately bombard victims with pop-ups and malicious links once the activity begins. First, after displaying the initial pop-up, the malware waits two hours before displaying the next ad. Following the initial delay, the app repeatedly opens tabs in Google Chrome to display advertising links in an attempt to generate clicks in order to generate revenue. The victim does not need to be actively using their phone for the pop-ups to appear, as the links can be opened in the background. This intrusive activity has made Malwarebytes classify the malware as Trojan malware instead of adware. Although the apps are no longer available for download, users who have already installed them will remain infected with malware unless they manually uninstall them. This article continues to discuss the removal and capabilities of the four malicious Android apps.

    ZDNet reports "Android Malware: A Million People Downloaded These Malicious Apps Before They Were Finally Removed From Google Play"

  • news

    Visible to the public "'Unauthorized Transactions' Lead to Missing Funds at FTX"

    The cryptocurrency exchange platform FTX says unsanctioned actors stole customers' digital assets, thus initiating a rush to disconnect digital wallets from the Internet. A message posted on the FTX Telegram page warned users of malware on the platform. According to the security firm PeckShield, the FTX account drainer's wallet address currently holds approximately $340 million in cryptocurrency. Elliptic, a security firm, estimated the stolen assets to be worth $477 million. According to the company, the hacker exchanged more than $220 million for other tokens via decentralized exchanges, obscuring the flow of funds on the blockchain and avoiding seizure. Following its Chapter 11 filing, the FTX platform halted transactions, began transferring funds to a cold wallet, and began a fact review and mitigation exercise. Kraken Chief Security Officer Nicholas Percoco revealed that the identity of the hacker is known amid reports of the hacker using the cryptocurrency exchange Kraken to move funds. This article continues to discuss the draining of hundreds of millions in cryptocurrency from the now-bankrupt cryptocurrency exchange platform FTX.

    BankInfoSecurity reports "'Unauthorized Transactions' Lead to Missing Funds at FTX"

  • news

    Visible to the public "Organizations Warned of Critical Vulnerability in Backstage Developer Portal Platform"

    According to researchers at Oxeye, Backstage, an open platform for building developer portals, is affected by a critical vulnerability whose exploitation could have a serious impact on a targeted enterprise. Backstage was developed by Spotify and donated to the Cloud Native Computing Foundation. It provides a catalog for managing all of the user's software, software templates to make it easier to create projects, and open-source plugins that can be used to expand its customizability and functionality. The researchers noted that the platform is used by many major organizations, including Netflix, American Airlines, Doordash, Palo Alto Networks, HP, Siemens, LinkedIn, and Booz Allen Hamilton. The researchers stated that Backstage is affected by a critical vulnerability related to a security hole found earlier this year by Oxeye in the popular sandbox library VM2. The VM2 flaw, dubbed SandBreak and tracked as CVE-2022-36067, can allow a remote attacker to escape the sandbox and execute arbitrary code on the host. Backstage has been using VM2 and the researchers discovered that CVE-2022-36067 can be exploited for unauthenticated remote code execution in Backstage by abusing its software templates. The researchers noted that Backstage can hold integration details to many organization systems, such as Prometheus, Jira, ElasticSearch, and others. Thus, successful exploitation has critical implications for any affected organization and can compromise those services and the data they hold. The researchers reported their findings to Backstage developers through Spotify's bug bounty program in mid-August. The flaw was fixed roughly 10 days later with the release of version 1.5.1, which includes a patched version of VM2. The researchers stated that if you're using a template engine in your application, make sure you choose the right one in relation to security. The researchers noted that robust template engines are extremely useful but might pose a risk to one's organization.

    SecurityWeek reports: "Organizations Warned of Critical Vulnerability in Backstage Developer Portal Platform"

  • news

    Visible to the public "Police Celebrate Arrest of 59 Suspected Scammers"

    According to Europol, a recent month-long anti-fraud crackdown across Europe arrested 59 suspected scammers. Europol noted that the operation ran through October as part of the 2022 e-Commerce Action (eComm 2022) initiative. It saw 19 countries come together in a bid to root out criminal groups that use stolen card data to order high-value goods from online shops before selling them at a profit. Europol's European Cybercrime Centre (EC3) and the Merchant Risk Council led the operation, with assistance from merchants, logistic companies, banks, and payment card schemes. Europol noted that police in participating countries tracked the locations where fraudulently purchased goods were delivered before arresting individuals at those addresses and confiscating the items. Europol stated that investigations are still ongoing in various countries, with more arrests expected in the coming weeks.

    Infosecurity reports: "Police Celebrate Arrest of 59 Suspected Scammers"

  • news

    Visible to the public "Avast Details Worok Espionage Group's Compromise Chain"

    Avast researchers observed the recently discovered espionage group Worok abusing Dropbox API to exfiltrate data via a backdoor hidden in seemingly harmless image files. The experts began their investigation from an ESET analysis of attacks on organizations and local governments in Asia and Africa. Avast experts captured several PNG files containing a data-stealing payload. They stated that data is collected from victims' machines using the Dropbox repository, and attackers communicate with the final stage using Dropbox API. In highlighting the compromise chain, they revealed how attackers first deployed the first-stage malware, identified as CLRLoader, which loads the next-state payload PNGLoader. The threat actors are deploying the malicious code by exploiting Proxyshell vulnerabilities. The attackers then deploy their custom malicious tools using publicly available exploit tools. The researchers discovered two variants of PNGLoader, both of which were used to decode the malicious code hidden in the image and execute a PowerShell script or a .NET C#-based payload. The PowerShell script has remained elusive, but the cybersecurity firm noted that it was able to identify a few PNG files from the second category that contained steganographically embedded C# malware. Avast adds a third stage to the compromise chain detailed by ESET with the discovery of a .NET C# payload known as DropboxControl. DropboxControl is an information-stealing backdoor involving the use of the Dropbox service for command-and-control (C2) communication. The backdoor is capable of running arbitrary executables, downloading and uploading data, deleting and renaming files, capturing file information, sniffing network communications, and stealing metadata. The author of CLRLoader and PNGLoader did not create DropboxControl because of significant differences in the source code and its quality. This article continues to discuss details regarding the Worok espionage group's compromise chain.

    Security Affairs reports "Avast Details Worok Espionage Group's Compromise Chain"

  • news

    Visible to the public "SSVC: Prioritization of Vulnerability Remediation According to CISA"

    As 2021 set a record for the number of vulnerabilities published and threat actors improved their ability to weaponize vulnerabilities, timely and improved prioritization and remediation of vulnerabilities should be a goal for all organizations. The US Homeland Security Department's Cybersecurity and Infrastructure Security Agency (CISA) publishes lists of the most exploited vulnerabilities regularly and maintains a catalog of Known Exploited Vulnerabilities (KEV) that everyone is welcome to use, but as useful as these resources are, organizations still struggle when deciding which security holes should be fixed first. As a result, the agency has updated and promoted the Stakeholder-Specific Vulnerability Categorization (SSVC) system they use. According to Eric Goldstein, Executive Assistant Director for Cybersecurity at CISA, better vulnerability management is achievable, and it entails using automation, clarifying the impact of vulnerabilities, and prioritizing vulnerabilities. The Common Security Advisory Framework (CSAF) provides a standardized format for ingesting vulnerability advisory information, simplifying asset owners' triage and remediation processes. With the help of the SSVC Calculator and the SSVC system, vulnerabilities could be prioritized based on specific attributes such as state of exploitation, technical impact, the potential for automated exploitation, impact on an organization's mission essential functions, and impact on public well-being. This article continues to discuss the prioritization of vulnerability remediation with the help of the SSVC guide.

    Help Net Security reports "SSVC: Prioritization of Vulnerability Remediation According to CISA"

  • news

    Visible to the public "42,000 Sites Used to Trap Users in Brand Impersonation Scheme"

    'Fangxiao' is a malicious for-profit organization that has established a massive network of more than 42,000 web domains that impersonate well-known brands in order to redirect users to sites promoting adware apps, dating sites, or 'free' giveaways. The imposter domains appear to be part of a massive traffic generation scheme that generates ad revenue for Fangxiao's own sites as well as more visitors for 'customers' who buy traffic from the group. The threat actors are based in China, according to a report by Cyjax. They have been spoofing over 400 well-known brands in retail, banking, travel, pharmaceuticals, transportation, finance, and energy since 2017. Coca-Cola, McDonald's, Knorr, Unilever, Shopee, Emirates, and other brands are mentioned in the report, with many fake sites offering extensive localization options. Victims of Fangxiao are often redirected to sites that infect them with the Triada Trojan or other malware. However, no link has been established between the operators of these sites and Fangxiao yet. Fangxiao registers approximately 300 new brand impersonation domains per day in order to generate massive traffic for its customers and its own sites. The malicious operators have used at least 24,000 landing and survey domains to promote their fake prizes to victims since the beginning of March 2022. Users find their way to these sites via mobile advertisements or after receiving a WhatsApp message containing the link, which usually makes a special offer or informs the recipient that they have won something. This article continues to discuss findings surrounding the massive Fangxiao campaign.

    Bleeping Computer reports "42,000 Sites Used to Trap Users in Brand Impersonation Scheme"

  • news

    Visible to the public "Researchers Say China State-backed Hackers Breached a Digital Certificate Authority"

    As part of an ongoing campaign that began in March 2022, a suspected Chinese state-sponsored actor breached a digital certificate authority as well as government and defense agencies in Asian countries. Symantec linked the attacks to an adversarial group dubbed Billbug, noting the use of tools previously associated with this actor. The activity appears to be motivated by espionage and data theft, though no data has been reported stolen to date. Billbug, also known as Bronze Elgin, Lotus Blossom, Lotus Panda, Spring Dragon, and Thrip, is an Advanced Persistent Threat (APT) group believed to be working in support of Chinese interests. Government and military organizations in South East Asia are primary targets. Backdoors such as Hannotog and Sagerunex were used by the adversary in 2019 attacks, with intrusions observed in Hong Kong, Macau, Indonesia, Malaysia, the Philippines, and Vietnam. Both implants are intended to provide persistent remote access to the victim network, even though the threat actor is known to use an information-stealer known as Catchamas in special cases to exfiltrate sensitive data. The targeting of a certificate authority is significant because if the attackers were successful in gaining access to certificates, they could use them to sign malware with a valid certificate, enabling it to avoid detection on victim machines, according to Symantec researchers. It could also intercept HTTPS traffic by using compromised certificates. This article continues to discuss the breach of a digital certificate authority as well as government and defense agencies by the Billbug APT group.

    THN reports "Researchers Say China State-backed Hackers Breached a Digital Certificate Authority"

  • news

    Visible to the public "Researchers Sound Alarm on Dangerous BatLoader Malware Dropper"

    A dangerous new malware loader called BatLoader, with features for determining whether it is on a business system or a personal computer, has begun rapidly infecting systems worldwide. VMware Carbon Black researchers are tracking the threat, finding that its operators are using the dropper to distribute various malware tools on victim systems, including a banking Trojan, an information stealer, and the Cobalt Strike post-exploit toolkit. The threat actor's strategy has been to host the malware on compromised websites and use Search Engine Optimization (SEO) poisoning methods to lure users to those sites. BatLoader heavily relies on batch and PowerShell scripts to gain an initial foothold on a victim machine and download additional malware, thus making the campaign difficult to detect and block, particularly in its early stages. In the last 90 days, VMware's Carbon Black Managed Detection and Response (MDR) team observed 43 successful infections, in addition to numerous other unsuccessful attempts in which a victim downloaded the initial infection file but did not execute it. Nine of the victims were in the business services sector, seven were in the financial services sector, and five were in manufacturing. Organizations in the education, retail, information technology, and healthcare sectors were also victims. When BatLoader infects a personal computer, it installs Ursnif banking malware and the Vidar information stealer. If it reaches a domain-joined or corporate computer, it installs Cobalt Strike as well as the Syncro remote monitoring and management tool, in addition to the banking Trojan and information stealer. According to VMware Carbon Black, while several aspects of the BatLoader campaign are unique, several aspects of the attack chain are similar to the Conti ransomware operation. The overlaps include an IP address used by the Conti group in a campaign exploiting the Log4j vulnerability and the use of Atera, a remote management tool used by Conti in previous operations. This article continues to discuss the researchers' findings and observations regarding the BatLoader malware dropper.

    Dark Reading reports "Researchers Sound Alarm on Dangerous BatLoader Malware Dropper"

  • news

    Visible to the public "Delivery Confirmation in Messenger Apps Reveals Recipient's Location"

    A security vulnerability in messenger services has been discovered by an international research team led by Dr. Theodor Schnitzler of TU Dortmund University. They discovered that measuring the time it takes for a message to be delivered makes it possible to distinguish different locations of a person in a user's contact list. Users of WhatsApp, Threema, and Signal are all familiar with the process of marking a message with a check mark after it has been sent. When the message is delivered to its intended recipient, a second check mark appears as confirmation. However, under certain conditions, the time between the first and second check marks appearing can be used to determine the location of the target cell phone. During a trip in Abu Dhabi, Dr. Schnitzler and his international colleagues noticed that a Messenger message sent to Germany took longer than usual to be marked as received with the second check mark. They connected a smartphone to laptop software that sent a message every ten seconds to recipient cell phones in Germany, the Netherlands, Greece, and the United Arab Emirates to study this phenomenon, and then analyzed the data traffic that occurred. The team discovered that the time it took for the delivery confirmation to arrive varied depending on the destination country. With this information, they were able to determine which of these countries the recipient device was located. They did this with an accuracy of 74 percent on Signal and WhatsApp and 84 percent on Threema. In a subsequent step, the researchers repeated the experiment on a local level, sending messages to smartphones in various cities and towns throughout the Ruhr region using the software. They were also able to determine the location of the recipient cell phone with an accuracy of more than 90 percent in some cases by measuring a characteristic delivery time based on location. It is also possible to read data very reliably to find out whether the receiving device is connected to a Wireless Local Area Network (WLAN) network or using mobile Internet. This article continues to discuss the security gap researchers found in WhatsApp, Threema, and Signal messenger services.

    TU Dortmund University reports "Delivery Confirmation in Messenger Apps Reveals Recipient's Location"

  • news

    Visible to the public "SMB Cybersecurity Concerns Persist Amid Geopolitical Tensions"

    OpenText Security Solutions surveyed 1,332 security and Information Technology (IT) professionals in the US, the UK, and Australia, finding that small and medium-sized businesses (SMBs) are concerned that geopolitical tensions will worsen ransomware threats. Eighty-eight percent of respondents admitted to being concerned or extremely concerned about an attack affecting their business, while more than half (57 percent) of SMBs surveyed expressed concern about their cybersecurity budget shrinking due to rising inflation rates. However, Grayson Milbourne, security intelligence director at OpenText, believes that small businesses should be more concerned about Ransomware-as-a-Service (RaaS) rather than geopolitical tensions. He explains that the war in Ukraine has resulted in many Russian cybercrime groups being doxed and their operations being disrupted. He added that this has been beneficial to SMBs in the short term because some of the most organized threat actor groups are inactive, at least for now. However, SMBs remain a primary focus and target of RaaS threat actors, making it more important than ever for SMBs to strengthen their security. Despite the need to be prepared for RaaS attacks, the survey found that most respondents (60 percent) are not confident or only somewhat confident in their ability to defend against a ransomware attack, thus providing additional motivation for threat actors to target SMBs. More than two-thirds (67 percent) of small businesses surveyed said security awareness training was done twice a year or less. A little less than a third (31 percent) of these SMBs said they only conduct security awareness training once a year, and one in ten only if an employee fails a phishing test. This article continues to discuss findings from OpenText Security Solutions' survey of security and IT professionals as well as key steps SMBs must take to defend themselves against ransomware.

    Security Boulevard reports "SMB Cybersecurity Concerns Persist Amid Geopolitical Tensions"

  • news

    Visible to the public "Security Solutions In A World Of IoT Devices"

    Internet of Things (IoT) devices pose unprecedented levels of risk for exploitation. According to security experts, anything connected to the Internet is potentially hackable. Therefore, securing connected devices is a challenge that electronics manufacturers must focus on to avoid having their devices hacked. Marcel van Loon, senior principal engineer of systems architecture at Rambus, has provided a high-level overview of some of the tried and tested security solutions that can be used to build more secure IoT devices. Connected devices have a wealth of information that attackers want. In order to stage a ransomware attack, malicious actors may want to disable access to a device's functionality or gain access to the device's data. They may use a device as a staging point to gain access to the network to which the device is linked. This staging point can then be used to launch attacks on additional security-sensitive devices. Attackers may also be interested in the processor resources or network bandwidth represented by a specific device. If they gain control of many devices, these resources can be used to launch a Denial-of-Service (DoS) attack. Furthermore, devices that use actuators or sensors, for example, to open doors or turn off electricity, can be attacked, leaving key functions in the home or workplace vulnerable. Implementing a field-proven secure boot mechanism to ensure only trusted software can run on the device is one way to protect an IoT device by design. This can be accomplished by using a Read-Only Memory (ROM)-based code mechanism to authenticate the software, which employs key material that an attacker cannot modify. Using a Root of Trust module to boot the device strengthens the boot process even more. It allows for the secure implementation of other security-sensitive functions such as firmware/software updates, secure debug access control, and boot image confidentiality. Using encryption to protect software confidentiality makes it more difficult for an attacker to find potential vulnerabilities, but it does need the key material used to decrypt the software to be confidential. An attacker could gain code execution on the device after boot in devices that also run a lot of complex software that is vulnerable to logical attacks, meaning the firmware decryption key must never be readable from the device, and its use must be limited to device initialization. This article continues to discuss some security solutions that can be used to develop more secure IoT devices.

    SemiEngineering reports "Security Solutions In A World Of IoT Devices"

  • news

    Visible to the public "How User Experience and Behavioural Science Can Guide Smart Cybersecurity"

    Human error was responsible for 82 percent of cybersecurity breaches in the last year. For example, the Colonial Pipeline ransomware attack that brought down the largest fuel pipeline in the US and caused shortages resulted from a compromised password and password reuse. JBS, the world's largest meat producer, was hacked because of a Qbot malware infection believed to have spread via a phishing email. Hackers are subverting detection and carrying out social engineering attacks using technology advancements that defenders use to protect users, such as Machine Learning (ML) and Artificial Intelligence (AI). Today's phishing attacks are increasingly targeted and designed to evade traditional email detection methods. Attackers use AI to perform large-scale reconnaissance from social media profiles, replicate trusted contacts' communication styles, and create convincing deepfake audio or video messages for use in ransomware or spear phishing attacks. The three-dimensional environment of the metaverse may also make such social engineering methods more effective. This means that people must be more empowered and informed than ever before in order to identify and respond to new threats. We live in a digital age in which the average person spends six or more hours per day online, has ten connected devices in the home, and has at least 100 online accounts. Therefore, governments, private sector players, and educational institutions must all invest in citizen education. The Estonian government's cyber education model can serve as a reference, with investments in education and training programs made in collaboration with academia and the private sector. In order to empower people to take more responsibility, the government has focused on training all citizens, from informing the elderly about cybersecurity to teaching kindergarten students how to code. In addition, teenagers have been taught how to run security checks on devices belonging to their parents and family members. Private sector organizations should make cyber awareness and training materials available to both customers and non-customers in order to benefit society as a whole. This article continues to discuss the need for a more holistic approach to cybersecurity that considers human behavior.

    World Economic Forum reports "How User Experience and Behavioural Science Can Guide Smart Cybersecurity"

  • news

    Visible to the public "Australia Is Considering a Ban on Cyber Ransom Payments, but It Could Backfire. Here's Another Idea"

    In less than two months, Australia experienced two of the largest personal data breaches in its history, the first involving Optus and the second involving Medibank. In both cases, the hackers attempted and failed to extort a ransom in exchange for not disclosing personal information. So far, the Optus hackers have only released a small portion of the data and claim to have deleted the rest, whereas the Medibank hackers have released the records of over one million people and have threatened to release more data. As a result, the Australian government is looking to strengthen its cybersecurity defenses, including through the formation of a taskforce to retaliate against the Medibank hackers. Clare O'Neil, Minister for Cybersecurity, has stated that the Australian government is considering making ransom payments to cybercriminals illegal. The concept has gained traction, but the question is whether the cure will be worse than the disease. In some cases, paying a ransom may already be illegal for Australian organizations, such as if the payment funds further criminal or terrorist activity by groups sanctioned by the United Nations. However, Macquarie University researchers point out that attribution of cyberattacks is difficult, and it is only sometimes possible to know whether paying a specific group would be a crime. An organization may pay a ransom only to discover later that it violated the law. A ban on ransom payments would significantly reduce the profits amassed by criminal gangs targeting Australia. Banning ransom payments may be a good idea in cases like the recent Optus and Medibank hacks, where the ransom was demanded to "not leak" sensitive information. It could relieve the targeted organization of the burden of making a decision, as well as mitigate the public's judgment of that decision. It would also reduce the possibility of criminals receiving ransom payments, making their operations less profitable. However, unlike the Optus and Medibank breaches, many ransoms are paid to decrypt targeted computers. Some ransomware attacks involve hackers encrypting a company's computers, data, and backups. In many cases, failure to restore those data can lead to the business's demise. In such cases, prohibiting ransom payments may discourage organizations from reporting breaches. They may pay the ransom to continue doing business, even if it is illegal. If this occurs, it will reduce the overall transparency of breach reporting and may lead to hackers blackmailing victims into not disclosing the hack. This article continues to discuss the response to the Medibank hack, when banning ransom payments is effective, the problems with a ban, and an alternative solution.

    The Conversation reports "Australia Is Considering a Ban on Cyber Ransom Payments, but It Could Backfire. Here's Another Idea"

  • news

    Visible to the public "The Top 12 Password-Cracking Techniques Used by Hackers"

    As cryptography and biometrics became more widely available, the flaws in the password authentication method became more apparent. Weak and easy-to-guess passwords are common, as the UK's National Cyber Security Center (NCSC) discovered that one in every six people uses their pets' names as passwords, making them highly predictable. In addition, these passwords are frequently reused across multiple sites, with one-third of people (32 percent) using the same password to access various accounts. There are ways to address this issue, including implementing robust multi-layer authentication. It is also worthwhile to consider cybercriminals' steps to hack an account and know how they operate in order to develop better solutions for mitigating risk. ITPro compiled a list of the top 12 password-cracking techniques used by attackers to assist individuals and businesses in preparing. These methods include phishing, social engineering, malware, brute force attacks, dictionary attacks, mask attacks, rainbow table attacks, network analyzers, spidering, offline cracking, shoulder surfing, and guessing. When a password is stored on a system, it is typically encrypted with a hash or a cryptographic alias, making the original password impossible to determine without the corresponding hash. To get around this, hackers keep and share directories that store passwords and their corresponding hashes, which are built from previous hacks, thus reducing the time it takes to break into a system. Rainbow table attacks, one of the highlighted password-cracking techniques used by hackers, go one step further by storing a pre-compiled list of all possible plain text versions of encrypted passwords based on a hash algorithm, instead of just providing a password and its hash. Hackers can then compare these listings to any encrypted passwords found in a company's system. This article continues to discuss some of the most common and effective methods used by hackers to steal passwords.

    ITPro reports "The Top 12 Password-Cracking Techniques Used by Hackers"

  • news

    Visible to the public "Unpatched Zimbra Platforms Are Probably Compromised, CISA Says"

    According to a new cybersecurity advisory by the Cybersecurity and Infrastructure Security Agency (CISA), security teams running unpatched, internet-connected Zimbra Collaboration Suites (ZCS) should go ahead and assume compromise and take immediate detection and response action. CISA flagged active Zimbra exploits for CVE-2022-24682, CVE-2022-27924, CVE-2022-27925, which are being chained with CVE-2022-37042, and CVE-2022-30333. CISA noted that the attacks lead to remote code execution and access to the Zimbra platform. CISA stated that the result could be quite risky when it comes to shielding sensitive information and preventing email-based follow-on threats. ZCS is a suite of business communications services that includes an email server and a Web client for accessing messages via the cloud. CISA and the Multi-State Information Sharing and Analysis Center (MS-ISAC) provided detection details and indicators of compromise (IoCs) to help security teams. According to an AcZimbra advisory, threat actors may be targeting unpatched ZCS instances in both government and private sector networks. CISA and the MS-ISAC strongly urged users and administrators to apply the guidance in the recommendations section of the cybersecurity advisory to help secure their organization's systems against malicious cyberactivity.

    Dark Reading reports: "Unpatched Zimbra Platforms Are Probably Compromised, CISA Says"

  • news

    Visible to the public "Canadian Supermarket Chain Sobeys Hit by Ransomware Attack"

    Sobeys, a Canadian supermarket and pharmacy chain, is recovering from a cyberattack that might have involved the Black Basta ransomware. Sobeys is the second largest supermarket chain in Canada and a wholly-owned subsidiary of Empire Company Limited, which operates more than 1,500 stores across the country under brands such as Foodland, IGA, Lawtons, Needs, Safeway, and more. The company disclosed on November 7 that it fell victim to a cyberattack that impacted some in-store systems at its supermarkets and pharmacies. By Friday, the company was able to fully restore impacted systems at its pharmacies. The company stated that its stores are currently experiencing system issues that are affecting some of the services offered. All their stores remain open and are not experiencing significant disruptions at this time. Last week, the company reportedly informed Canadian privacy watchdogs that it had suffered a data breach, which suggests that personal information might have been compromised during the incident. The company has not shared specific information on the type of cyberattack it fell victim to, but ransomware attacks typically cause prolonged system disruptions. The attack appears to have involved the Black Basta ransomware, but researchers have found no mention of the Sobeys incident on the gang's leak website. Black Basta was initially observed in April 2022 but rose to fame fast, becoming one of the most prevalent ransomware families within roughly two months.

    SecurityWeek reports: "Canadian Supermarket Chain Sobeys Hit by Ransomware Attack"

  • news

    Visible to the public "Containers: The Ultimate Trojan Horse"

    Containers are designed to be unchangeable. Once created, the image is permanent, and all container instances spawned from it will be identical. Furthermore, because the container is defined as code, its contents, intents, and dependencies are all explicit. As a result, if used correctly, containers can help reduce supply chain risks. However, attackers have taken note of these advantages, as many threat actors are using containers to deploy malicious payloads and even scale up their operations. The Sysdig Threat Research Team (Sysdig TRT) investigated what is truly lurking in publicly available containers for the Sysdig 2022 Cloud-Native Threat Report. Docker Hub houses millions of pre-made container images in convenient, self-contained packages that include all required software. Public registries also host official content and images signed by Verified Publishers, providing some trust that they are not malicious and can be safely used. While public registries save developers time, if a user is not cautious, the container they pull may contain malicious elements. Threat actors value how much friction this technology eliminates from developer workflows. They rely on the fact that many developers may not thoroughly examine what is installed. According to the Sysdig threat report, malicious actors are using Docker Hub to deliver malware, backdoors, and more to users and businesses. One practice to be aware of is typosquatting, which occurs when an image is disguised as legitimate while concealing something malicious within its layers. Its name could be a misspelling, or the attacker could rely on a developer negligently copying some instructions containing the bad path. Over the course of several months, the Sysdig TRT examined over 250,000 Linux images. During the analysis, 1,777 images were discovered to contain various types of malicious IPs or domains, as well as embedded credentials. This article continues to discuss key findings from the Sysdig 2022 Cloud-Native Threat Report.

    BetaNews reports "Containers: The Ultimate Trojan Horse"

  • news

    Visible to the public "Supply Chain Compromise and Disinformation Rank High in EU's Top 10 Cyber Threats"

    After engaging in an 8-month foresight exercise, the European Union Agency for Cybersecurity (ENISA) has identified and ranked the top cybersecurity threats expected to emerge by 2030. ENISA's top emerging cybersecurity threats include supply chain compromise of software dependencies, advanced disinformation campaigns, the rise of digital surveillance authoritarianism, human error and exploited legacy systems within cyber-physical ecosystems, targeted attacks enhanced by smart device data, a lack of analysis and control of space-based infrastructure and objects, and more. ENISA brainstormed in a Threat Identification Workshop with the help of the ENISA Foresight Expert Group, the CSIRTs Network, and EU CyCLONe experts to discover solutions to emerging challenges in the 2030 horizon. ENISA Executive Director Juhan Lepassaar stated that mitigating future risks cannot be delayed or avoided. This is why predicting the future is the best insurance policy. It is critical to take all preventative measures now to ensure that resilience is increased over time for a better cybersecurity landscape in 2030 and beyond. The exercise demonstrates that the threats identified and ranked are extremely diverse and include those that are most relevant today. However, ENISA states that today's threats will need to be addressed because their nature will have changed. The agency also observed that increased reliance and the widespread adoption of new technologies are important factors driving the changes. Such factors complicate the exercise and make understanding the threats even more difficult. This article continues to discuss ENISA's identification and ranking of the top 10 cybersecurity threats to emerge by 2030.

    HSToday reports "Supply Chain Compromise and Disinformation Rank High in EU's Top 10 Cyber Threats"

  • news

    Visible to the public "Australia Considers Ban on Ransomware Payments After Medibank Breach"

    The Australian government recently announced that it is considering banning ransomware payments in response to the Medibank data breach. The group behind the hack has been linked by the Australian Federal Police (AFP) to Russian cyber-criminals with connections to the REvil cyber gang, allegedly dismantled by Russia's Federal Security Service earlier this year. The Australian government is now suggesting making ransomware payments illegal to decrease the profitability of data breaches for criminal organizations. Australia's home affairs minister Clare O'Neil recently made a statement confirming a new cyber-policing model between the AFP and the Australian Signals Directorate to deliver "new tough policing" on cybercrime. Roughly 100 officers will be part of the new partnership that would act as a joint standing operation against cyber criminals. However, according to Jordan Schroeder, managing CISO at Barrier Networks, the idea of a task force is insufficient to ensure protection against ransomware attacks in Australia, particularly at a time of sustained cyberattacks against companies in the country. Schroeder noted that making ransomware payments illegal in one jurisdiction "could push the payment of ransomware underground, which will hide these crimes and make coordinated responses with law enforcement difficult, or it could even force companies to use third parties in other jurisdictions to make payments on their behalf, which will not solve the problem." Schroeder suggests that the Australian government should consider what the criminals would do in response to such regulations, not just how to punish the victims trying to recover from data breaches. More generally, Schroeder stated that a better focus for the Australian government could be on equipping organizations with better defenses against ransomware. This would include raising awareness around cybercrime techniques and introducing legislation on minimum cybersecurity requirements for businesses.

    Infosecurity reports: "Australia Considers Ban on Ransomware Payments After Medibank Breach"

  • news

    Visible to the public "Ransomware Gang Offers to Sell Files Stolen From Continental for $50 Million"

    LockBit ransomware group is offering to sell files allegedly stolen from German car parts giant Continental for $50 million. Continental reported in August that it had been targeted in a cyberattack that resulted in hackers accessing some of its systems. The company said at the time that the attack had been "averted" and that business activities were not affected. LockBit recently revealed on its leak website that it was behind the attack on Continental and threatened to make public information stolen from the company. Shortly after announcing the Continental hack, the cybercriminals published what appeared to be messages exchanged between them and the company's representatives. The messages suggested that negotiations had failed. The hackers have now published four screenshots demonstrating that they possess data from Continental systems. In addition, the page dedicated to the automotive company now displays three buttons. One of them can be used to extend with 24 hours the time until files are published, which costs $100. Two other buttons can be used to "destroy all information" or "download data at any moment." Both of these options have a $50 million price tag. Given the ransom amount, the attackers likely believe the stolen information can be of great value to the victim's competitors. The hackers claim to have stolen a total of 40 Gb of files, and the screenshots they have published suggest that they have gained access to technical documents and source code.

    SecurityWeek reports: "Ransomware Gang Offers to Sell Files Stolen From Continental for $50 Million"

  • news

    Visible to the public "Thales Denies Getting Hacked as Ransomware Gang Releases Gigabytes of Data"

    French aerospace, defense, and security giant Thales claims to have found no evidence of its IT systems getting breached after a well-known ransomware group published gigabytes of data allegedly stolen from the company. LockBit last week published a 9.5 Gb archive file apparently containing information belonging to Thales. The malicious hackers previously announced that they would make files public unless Thales paid a ransom. The leaked files seem to include both technical and corporate documents. LockBit claims to have obtained highly sensitive information related to the company's operations and "commercial documents, accounting files, customer files, drawings of clients structures, and software." Thales did confirm that a breach had occurred, just not of its own systems. The company is aware of two likely sources of the theft. One of them has been confirmed to be the user account of a partner on a dedicated collaboration portal, which resulted in the disclosure of "a limited amount of information." Thales stated that, as of now, there is no impact on the Group's operations. French publication LeMonde reported that the leaked data is related to Thales contracts and partnerships in Malaysia and Italy.

    SecurityWeek reports: "Thales Denies Getting Hacked as Ransomware Gang Releases Gigabytes of Data"

  • news

    Visible to the public "Man Arrested in Ontario For Alleged LockBit Ransomware Involvement"

    A Russian and Canadian national has recently been charged with conspiracy to intentionally damage protected computers and to transmit ransom demands in connection with the LockBit global campaign. Mikhail Vasiliev, 33, was apprehended in Bradford, Ontario, and is currently in custody in Canada, awaiting extradition to the US. The Department of Justice (DoJ) noted that this arrest resulted from over 2.5 years of investigating the LockBit ransomware group, which has harmed victims in the United States and worldwide. Vasiliev allegedly actively participated in the LockBit campaign, conspiring with other threat actors to spread the ransomware and issue demands. If charged, he may face a maximum of five years in prison, a fine of up to $250,000, or twice the gross financial gain or loss from the scheme (whichever is greatest). According to the DoJ, the LockBit ransomware variant first appeared around January 2020 and has since been deployed against roughly 1000 victims in the United States and worldwide. Further, LockBit members have made at least $100m in ransom demands and have extracted tens of millions of dollars in ransom payments from their victims.

    Infosecurity reports: "Man Arrested in Ontario For Alleged LockBit Ransomware Involvement"

  • news

    Visible to the public "New AI Model Can Help Prevent Damaging and Costly Data Breaches"

    Privacy experts at Imperial College London have developed an Artificial Intelligence (AI) algorithm capable of automatically testing privacy-preserving systems for potential data leaks. According to the researchers, this is the first time AI has been used to automatically find vulnerabilities in this type of system, which is used by Google Maps, Facebook, and more. Imperial's Computational Privacy Group analyzed attacks on Query-Based Systems (QBS). These systems are controlled interfaces through which analysts can query data to extract useful aggregate information about the world. Then they created QuerySnout, a new AI-enabled method, to detect attacks on QBS. QBS provides analysts access to statistical collections derived from individual-level data such as location and demographics. They are currently used in Google Maps to display real-time information on how busy an area is, as well as in Facebook's Audience Measurement feature to estimate audience size in a specific location or demographic to improve advertising promotions. The team discovered that powerful and accurate attacks against QBS can be easily detected with the press of a button. QuerySnout learns which questions to ask the system to obtain answers. It then learns to automatically combine the responses in order to detect potential privacy vulnerabilities. The model can create an attack using Machine Learning (ML). The attack involves a collection of queries that combines the answers to reveal specific private information. This process is completely automated and uses the 'evolutionary search' method to enable the QuerySnout model to discover the appropriate questions to ask. This process takes place in a 'black-box setting,' meaning the AI only needs access to the system but does not need to understand how it works to detect vulnerabilities. This article continues to discuss the new AI algorithm developed by privacy experts at Imperial London College to automatically test privacy-preserving systems for potential data leaks.

    Imperial College London reports "New AI Model Can Help Prevent Damaging and Costly Data Breaches"

  • news

    Visible to the public "Knock, Knock: Aiphone Bug Allows Cyberattackers to Literally Open (Physical) Doors"

    A flaw in a number of popular digital door-entry systems offered by Aiphone allows hackers to gain access to the systems by using a mobile device and a Near-Field Communication (NFC) tag. The devices in question, including GT-DMB-N, GT-DMB-LVN, and GT-DB-VN, are used by high-profile customers such as the White House and the Houses of Parliament of the UK. Cameron Lowell Palmer, a researcher with the Norwegian security firm Promon, discovered the flaw and the fact that there is no limit to the number of times an incorrect password can be entered on some Aiphone door-lock systems. After discovering the admin passcode, the malicious actor could inject the serial number of a new NFC tag containing the admin passcode back into the system's log of approved tags. This would provide the attacker with both the plaintext code that can be entered into the keypad and an NFC tag that can be used to gain access to the building without touching any buttons at all. There is no digital trace of the hack because the Aiphone system does not keep logs of attempted entries. Promon first informed Aiphone of the problem in June 2021. The company stated that systems built before December 7, 2021, are unfixable, but systems built afterward include a feature that limits the number of passcode attempts that can be made. Despite the troubling findings, Palmer describes this type of Internet of Things (IoT) security oversight as "fairly typical." Adding NFC was a win from an administrative standpoint, but it exposed the system to this new attack vector, he explains. The system began with some reasonable design choices, but the addition of the NFC interface made the design dangerous. This product appears to be based on the concept of physical security, and when NFC was added, they added a touchless high-speed data port on the building's exterior, which violated the premise. This article continues to discuss the vulnerability affecting several Aiphone GT models using NFC technology and enables malicious actors to potentially gain access to sensitive facilities.

    Dark Reading reports "Knock, Knock: Aiphone Bug Allows Cyberattackers to Literally Open (Physical) Doors"

  • news

    Visible to the public  "Unwanted Emails Steadily Creeping Into Inboxes"

    According to Hornetsecurity research, 40.5 percent of work emails are unwanted. The Cyber Security Report 2023, which examined over 25 billion work emails, also reveals significant changes in the nature of cyberattacks in 2022, showing the ongoing, expanding threats to email security and the importance of caution in digital workplace communications. Phishing is still the most common type of email attack, accounting for 39.6 percent of all detected threats. Archive files (i.e., ZIP and 7z) sent via email account for 28 percent of threats, down from 33.6 percent last year, with HTML files increasing from 15.3 percent to 21 percent, and DOC(X) increasing from 4.8 percent to 12.7 percent. New cybersecurity trends and techniques for businesses to be aware of were also tracked. Since Microsoft disabled macro settings in Office 365, there has been a significant increase in HTML smuggling attacks delivering malware via embedded LNK or ZIP files. Microsoft 365 makes document sharing simple, but end users often overlook the effects of how files are shared, as well as the security implications. According to Hornetsecurity, 25 percent of respondents were either unsure or assumed that Microsoft 365 was impervious to ransomware threats. This article continues to discuss key findings from the new Hornetsecurity Cyber Security Report.

    Help Net Security reports "Unwanted Emails Steadily Creeping Into Inboxes"

  • news

    Visible to the public "Ukraine Says Russian Hacktivists Use New Somnia Ransomware"

    Russian hackers infected multiple Ukrainian organizations with a new ransomware called 'Somnia.' The Computer Emergency Response Team of Ukraine (CERT-UA) confirmed the outbreak in an announcement on its portal, attributing the attacks to 'From Russia with Love (FRwL),' also known as 'Z-Team,' which they track as UAC-0118. On Telegram, the group previously admitted to developing the Somnia ransomware and even posted evidence of attacks against Ukrainian tank manufacturers. The hacking group uses fake websites that look like the 'Advanced IP Scanner' software to trick Ukrainian organization employees into downloading an installer. The installer deploys the Vidar stealer, which steals the victim's Telegram session data in order to take control of their account. The threat actors then use the victim's Telegram account in an unspecified manner to steal Virtual Private Network (VPN) connection data. If the VPN account is not secured with two-factor authentication (2FA), the hackers use it to gain unauthorized access to the victim's employer's corporate network. The intruders set up a Cobalt Strike beacon, steal data, and use Netscan, Rclone, Anydesk, and Ngrok to conduct various surveillance and remote access operations. According to CERT-UA, FRwL has launched several attacks on computers belonging to Ukrainian organizations since the spring of 2022, with the assistance of initial access brokers. The agency also points out that the most recent samples of the Somnia ransomware strain used in these attacks utilize the AES algorithm, whereas Somnia previously used the symmetric 3DES algorithm. This article continues to discuss the Russian hacktivists' use of a new Somnia ransomware strain.

    Bleeping Computer reports "Ukraine Says Russian Hacktivists Use New Somnia Ransomware"

  • news

    Visible to the public "New 'Earth Longzhi' APT Targets Ukraine and Asian Countries with Custom Cobalt Strike Loaders"

    APT41, a Chinese Advanced Persistent Threat (APT), has been targeting entities in East and Southeast Asia, as well as Ukraine, at least since 2020. Trend Micro, which named the espionage team Earth Longzhi, said the actor's long-running campaign could be divided into two parts based on the toolset used to attack its targets. The first wave, from May 2020 to February 2021, is said to have targeted Taiwan's government, infrastructure, and healthcare industries, as well as the Chinese banking sector, whereas the second wave, from August 2021 to June 2022, is said to have infiltrated high-profile victims in Ukraine and several Asian countries. According to the cybersecurity firm, the victimology patterns and targeted sectors overlap with attacks carried out by Earth Baku, a distinct sister group of APT41, also known as Winnti. Some of Earth Baku's malicious cyber activities have been linked to groups known as SparklingGoblin and Grayfly by other cybersecurity firms. This article continues to discuss researchers' findings regarding the Earth Longzhi APT.

    THN reports "New 'Earth Longzhi' APT Targets Ukraine and Asian Countries with Custom Cobalt Strike Loaders"

  • news

    Visible to the public "Cybersecurity Researchers Show How Attackers Can See Your Online Ads Knowing Only Your Email Address"

    New research reveals that online adversaries can view or manipulate the online user-targeting process applied by third-party advertisers through the use of their target's email address. A four-person team of researchers from the Georgia Institute of Technology, University of Illinois Chicago (UIC), and New York University (NYU) presented their findings at the ACM Conference on Computer and Communications Security (CCS). Much of today's online advertising is specifically tailored to individuals based on their browsing history, location, and various other factors gathered by third-party advertising networks. This information is collected through tracking cookies, which are distributed by third-party advertisement networks and linked to unique identifiers such as email addresses. These cookies enable advertisers to build detailed profiles of Internet users. However, as the researchers discovered, this system can be influenced by malicious actors. Once an attacker has obtained a user's email address, they can access the information collected by any third-party advertiser monitoring a specific user's targeted advertisement stream. This could enable malicious actors to gain insight into an individual's detailed browsing history, such as online retailers and travel websites. Third-party advertising networks have no direct relationship with users, so if they want to track user activity across devices, they must rely on identity information provided by other websites, such as email addresses, according to Paul Pearce, assistant professor in Georgia Tech's School of Cybersecurity and Privacy (SCP). Their research demonstrates that the way information is passed to advertising networks is both insecure and difficult to verify. If an attacker knows a victim's email address, they can pose as a user to the advertising network, causing real privacy issues. This vulnerability is called advertising identity entanglement, and it occurs when attackers trick advertising networks into correlating the attacker's tracking cookies with a targeted person's email address, looping them into the data being gathered by third-parties. According to Pearce and his colleagues' paper, adversaries can also use the process to send advertisements of any kind to their targets. This article continues to discuss how attackers can intercept targeted advertising via advertising network identify entanglement.

    Georgia Tech reports "Cybersecurity Researchers Show How Attackers Can See Your Online Ads Knowing Only Your Email Address"

  • news

    Visible to the public "Fed and SLG Agencies Need to be on Guard Against Mobile Attacks"

    According to new Lookout research, mobile threats to federal, state, and local governments are on the rise. Mobile phishing and device vulnerability risks have increased within government agencies since 2021. Data analyzed by Lookout found that nearly half of phishing attacks aimed at government personnel in 2021 attempted to steal credentials, up from 30 percent in 2020. Furthermore, one in every eight government employees will be vulnerable to phishing attacks in 2021. With over two million federal government employees, this represents a significant potential attack surface, as it only takes one successful phishing attempt to compromise an entire agency. Although mobile and cloud apps have helped agencies stay productive while employees telework, they also significantly increase the risk of successful attacks, according to the report. Federal, state, and local governments increased their reliance on unmanaged mobile devices by 55 percent between 2020 and 2021, and more than one-third of state and local government employees used their own devices in 2021. According to Lookout, this indicates a shift toward Bring-Your-Own-Device (BYOD) in order to support a larger remote workforce. From 2020 to 2021, mobile phishing encounter rates increased in both managed and unmanaged devices at 48 percent and 25 percent, respectively. The steady rise continued through the first half of 2022. Looking specifically at the federal government, Lookout observed a decrease in phishing exposure rates for unmanaged federal devices, implying that agencies increased security awareness for BYOD participants. However, phishing exposure rates for managed federal devices increased from 2020 to 2021 before declining in the first half of 2022. Lookout predicts that holiday-themed phishing attacks will increase exposure rates in the second half of 2022. This article continues to discuss key findings from Lookout's report on the rise in mobile phishing credential theft targeting the US public sector.

    MeriTalk reports "Fed and SLG Agencies Need to be on Guard Against Mobile Attacks"

  • news

    Visible to the public "ICS Cybersecurity Report: Control Systems Remain Highly Targeted by Threat Actors as Organizations Forced to Rapidly Mature Programs"

    According to the 2022 SANS OT/ICS Cybersecurity Report, hackers continue to show a strong interest in Industrial Control Systems (ICS), but organizations are much more prepared following the high-profile incidents of 2021. However, this is not a universal trend, as 35 percent of organizations are still unable to determine if they have been compromised, and 17 percent are still not monitoring Operational Technology (OT) system security. Nozomi Networks, a cybersecurity leader, and the SANS Institute, a leading research and training organization, conducted the survey, incorporating the feedback of over 330 ICS cybersecurity managers, analysts, and architects from firms all over the world. In 2021, criminal ransomware groups crossed the line into attacking critical infrastructure systems and attempting to cause physical, real-world damage, most notably with highly disruptive attacks on Colonial Pipeline and the meat-packing giant JBS. According to the 2022 ICS Cybersecurity Report, the industry is responding to these incidents by being better prepared and more willing to budget for ICS cybersecurity overall. However, many organizations are still vulnerable and face challenges in catching up with the threat landscape. The majority of organizations now consider ICS threats to be extremely serious. Twenty-two percent rated them as "critical," while 41 percent rated them as "high," indicating a slow but steady increase over the years. According to the survey, 80 percent of security professionals now have a role that emphasizes ICS (up from 50 percent the previous year), showing an increasing awareness that the worlds of standard Information Technology (IT) security and ICS cybersecurity are significantly different and require different skill sets. The majority of respondents who split their time between ICS and a business role say that ICS now takes precedence. Respondents also shared their top individual ICS cybersecurity challenges, revealing that integrating aging legacy systems with modern IT networks was the top concern. This has been a persistent problem because industrial equipment is generally designed to last for decades and did not begin anticipating Internet-based threats until recently. Concerns were also expressed about how modern IT systems still need to be designed to interface with industrial equipment and control systems. Another major concern is a lack of IT personnel who understand OT operational requirements, as well as a lack of labor to implement existing security plans. This article continues to discuss key findings from the 2022 SANS OT/ICS Cybersecurity Report.

    CPO Magazine reports "ICS Cybersecurity Report: Control Systems Remain Highly Targeted by Threat Actors as Organizations Forced to Rapidly Mature Programs"

  • news

    Visible to the public "Why Privacy and Security Are the Biggest Hurdles Facing Metaverse Adoption"

    The hype surrounding the metaverse is growing within the big-tech economy. Gartner predicts that by 2026, 25 percent of the global population will spend at least an hour per day in the metaverse, whether to shop, work, attend events, or socialize. However, the variety of technologies that enable the metaverse, such as Virtual Reality (VR), Augmented Reality (AR), 5G, Artificial Intelligence (AI), and blockchain, all raise privacy and data security concerns. According to an Agora report, one-third of developers (33 percent) believe these are the most difficult obstacles for the metaverse to overcome. According to another Gartner report, as a result of imploding cybersecurity threats, insider activity, and an increase in attack surfaces and vulnerabilities, 75 percent of all organizations will restructure risk and security governance for digital transformation. In addition, recent legislation has addressed personal data privacy. For example, the General Data Protection Regulation (GDPR) grants consumers the "right to be forgotten," requiring businesses to be prepared to remove consumers' information when requested. It also requires private enterprises to obtain people's permission before storing their data. Helping businesses with compliance is a growing business, and European regulators are becoming more stringent in their enforcement actions. As regulations tighten, organizations seeking metaverse leadership must prioritize data privacy and security more than ever. Although digital privacy on websites is now fairly well-regulated, the metaverse is still in its infancy, with no legislation in place to enforce privacy. This article continues to discuss security and privacy concerns regarding the metaverse.

    VB reports "Why Privacy and Security Are the Biggest Hurdles Facing Metaverse Adoption"

  • news

    Visible to the public "Cisco Patches 33 Vulnerabilities in Enterprise Firewall Products"

    Cisco recently announced the release of patches for 33 high and medium-severity vulnerabilities impacting enterprise firewall products running Cisco Adaptive Security Appliance (ASA), Firepower Threat Defense (FTD), and Firepower Management Center (FMC) software. Cisco noted that the most severe of the security defects is CVE-2022-20927, a bug in the dynamic access policies (DAP) functionality of ASA and FTD software, allowing a remote, unauthenticated attacker to cause a denial-of-service (DoS) condition. Cisco stated that due to improper processing of data received from the Posture (HostScan) module, an attacker could send crafted HostScan data to cause the affected device to reload. Cisco stated that an equally severe (CVSS score of 8.6) is CVE-2022-20946, a DoS vulnerability in the generic routing encapsulation (GRE) tunnel decapsulation feature of FTD software releases 6.3.0 and later. The issue exists because of memory handling errors during the processing of GRE traffic. Cisco noted that an attacker can exploit the flaw by sending crafted GRE payloads through an affected device, causing it to restart. Cisco stated that three other high-severity DoS vulnerabilities that they resolved this week impact the Simple Network Management Protocol (SNMP) feature and the SSL/TLS client of ASA and FTD, and the processing of SSH connections of FMC and FTD. According to Cisco, these bugs exist due to insufficient input validation, improper memory management when SSL/TLS connections are initiated, and improper error handling when the establishment of an SSH session fails, respectively. Cisco noted that the other high-severity flaws resolved this week include a default credentials issue in ASA and FMC and a secure boot bypass in Secure Firewalls 3100 series running ASA or FTD. Cisco this week issued advisories for a total of 26 medium-severity vulnerabilities in its enterprise firewall products. The most important of the advisories deals with 15 cross-site scripting (XSS) bugs in the web-based management interface of FMC.

    SecurityWeek reports: "Cisco Patches 33 Vulnerabilities in Enterprise Firewall Products"

  • news

    Visible to the public "IBM Launches Its Most Powerful Quantum Computer With 433 qubits"

    International Business Machines Corp (IBM) recently launched its most powerful quantum computer to date called the Osprey, a 433-qubit machine that has three times the number of qubits than its Eagle machine announced last year. The number of qubits, or quantum bits, indicates the power of the quantum computer, which uses quantum mechanics. Quantum computers are one day expected to speed up certain calculations millions of times faster than the fastest supercomputers today. IBM's director of research, Dario Gil, said IBM is still on track to launch a computer with over 1000 qubits but for further scaling was working on a new approach. Gil stated that as IBM pushes the limits of the size of the Osprey chip, they have been designing and engineering the whole architecture for quantum computing based on modularity. IBM is calling the modular system Quantum System Two. IBM noted that Quantum System Two is the first truly modular quantum computing system so that you can continue to scale to larger and larger systems over time. Gil stated that modularity means the chips themselves are going to have to be interconnected to one another. IBM noted that it is trying to have this system online by the end of next year, and it would be the building blocks for "quantum-centric supercomputing" by connecting multiple Quantum System Twos. IBM noted that it could build a system with up to 16,632 qubits by linking three of these systems. IBM currently has over 20 quantum computers worldwide, and customers can access them through the cloud.

    Reuters reports: "IBM Launches Its Most Powerful Quantum Computer With 433 qubits"

  • news

    Visible to the public "NSA Releases Guidance on How to Protect Against Software Memory Safety Issues"

    The National Security Agency (NSA) has issued guidance to help software developers and operators in preventing and mitigating software memory safety issues, which make up a large portion of exploitable vulnerabilities. The "Software Memory Safety" Cybersecurity Information Sheet discusses how malicious cyber actors can use poor memory management to gain access to sensitive information, execute unauthorized code, and cause other negative consequences. Memory management flaws have been exploited for decades and are still far too prevalent today, according to Neal Ziring, Cybersecurity Technical Director. In order to eliminate these vulnerabilities from malicious cyber actors, it is critical to consistently use memory-safe languages and other protections when developing software. Using a memory-safe language can help prevent programmers from introducing memory-related problems. The language implements automatic protections by combining compile time and runtime checks. These built-in language features prevent the programmer from unintentionally introducing memory management errors. C#, Go, Java, Ruby, Rust, and Swift are examples of memory-safe languages. Microsoft and Google have both stated that software memory safety issues account for roughly 70 percent of their vulnerabilities. Poor memory management can also result in technical issues such as incorrect program results, program performance degradation over time, and program crashes. This article continues to discuss NSA's guidance on software memory safety.

    NSA reports "NSA Releases Guidance on How to Protect Against Software Memory Safety Issues"

  • news

    Visible to the public "GitHub Launches Channel to Ease Vulnerability Disclosure Process for Open-Source Software"

    GitHub, the world's largest open-source software development community, has added a communication channel to its platform to make it easier for security researchers to report vulnerabilities to project maintainers. Reporting vulnerabilities has always been difficult. While researchers typically feel obligated to notify users of potentially exploitable bugs, there is a lack of clear instructions on contacting project maintainers. Furthermore, many open-source projects are managed and supported by small groups of volunteers who update or fix broken code in their spare time. Researchers can now report bugs to maintainers directly and privately, because of a new feature announced at GitHub Universe 2022, a global developer event for cloud, security, community, and Artificial Intelligence (AI). According to Justin Hutchings, GitHub's director of product management, in the past, because it was difficult to find correct contact information, security researchers always reported the vulnerabilities on social media or even created public issues, potentially leading to public disclosure of the vulnerability details. Using the news feature, when a researcher reports an issue, maintainers are notified, and they can choose whether to accept it, ask more questions, or reject it. This way, maintainers will have more control over how researchers communicate vulnerability details, while reducing the number of times maintainers are contacted publicly or through unwelcome means. GitHub also believes it will reduce the likelihood of vulnerabilities being exposed to the public prior to fixes. According to Hutchings, private vulnerability reporting is free, and anyone can now sign up for the public beta. The team intends to make it widely available in early 2023. While a communication channel increases the likelihood of positive outcomes in the disclosure process, Jamie Scott, founding product manager at Endor Labs, cautioned that it also entails greater ethical responsibility within the open-source community. This article continues to discuss GitHub's launch of a new channel to make it more straightforward for security researchers to report vulnerabilities to project maintainers.

    SC Magazine reports "GitHub Launches Channel to Ease Vulnerability Disclosure Process for Open-Source Software"

  • news

    Visible to the public "Two Malware Variants Linked to China Infect Uyghur-language Apps, as Per Cybersecurity Research"

    More than a third of Uyghur-language Android apps distributed through social media or downloaded from unofficial app stores are infected with malware. Lookout Inc., a cybersecurity company, based in San Francisco, discovered two new malware variants responsible for infecting the apps. These enable cybercriminals to secretly view and transfer users' private photos, chats, and contacts. Cyberespionage against Uyghurs has been ongoing for nearly a decade, employing a variety of viruses. However, the most recent attacks are larger and more sophisticated, according to Kristina Balaam, Staff Threat Intelligence researcher at Lookout. She pointed out that the new malware is more difficult to detect because it is hidden in a wider range of programs, and that the attacks were extremely active. Balaam warned that people are still being actively targeted and compromised. According to Bloomberg, many targeted applications include Uyghur-language dictionaries, translation, and Uyghur-script keyboards. Battery management, video players, radio, GPS, and religious texts are among the other infected programs on Uyghur-language social media platforms and download stores. Because Android users in China cannot access Google Play, they instead download software from unlicensed app stores or potentially malicious links shared on messaging apps such as Telegram. According to Lookout's findings, Uyghurs living abroad may have downloaded malicious applications from unauthorized marketplaces or clicked on dangerous links. Meanwhile, they allegedly delete popular Chinese apps such as TikTok and WeChat to avoid detection. Lookout analysts believe the attackers are Chinese because their infrastructure is similar to that used in previous Uyghur surveillance efforts linked to China. They discovered, in particular, that one of the servers used in the attack contained Mandarin language files. This article continues to discuss infected Uyghur-language Apps linked to China.

    Tech Times reports "Two Malware Variants Linked to China Infect Uyghur-language Apps, as Per Cybersecurity Research"

  • news

    Visible to the public "Foxit Patches Several Code Execution Vulnerabilities in PDF Reader"

    Popular PDF document reader Foxit Reader has recently been updated to address multiple use-after-free security bugs that could be exploited for arbitrary code execution. This week, Cisco's Talos security researchers published information on four vulnerabilities in Foxit Reader's JavaScript engine that could be exploited to achieve arbitrary code execution. The issues tracked as CVE-2022-32774, CVE-2022-38097, CVE-2022-37332, and CVE-2022-40129, have a CVSS score of 8.8 and are described as use-after-free vulnerabilities. The researchers noted that a specially crafted PDF document could trigger the reuse of previously freed memory, which can lead to arbitrary code execution. The researchers stated that an attacker looking to exploit these vulnerabilities would need to trick a user into opening a malicious file. According to the researchers, if the Foxit browser plugin extension is enabled, the bugs can be triggered when the user navigates to a malicious website. The researchers reported the security defects to Foxit in September. This week, Foxit released version of its PDF reader to address all issues. Users are advised to update to the latest software iteration as soon as possible.

    SecurityWeek reports: "Foxit Patches Several Code Execution Vulnerabilities in PDF Reader"

  • news

    Visible to the public "CISA Issues Vulnerability-Management Tools Dependent on Industry Action"

    The US Homeland Security Department's Cybersecurity and Infrastructure Security Agency (CISA) has released a set of documents to help agencies and other organizations prioritize software vulnerability remediation. However, the use of the guidance is largely dependent on vendors providing the information required to carry out such a process. CISA Executive Assistant Director Eric Goldstein encourages businesses to use "Stakeholder Specific Vulnerability Categorization (SSVC)," a process first articulated by CISA in collaboration with the Software Engineering Institute at Carnegie Mellon University (CMU), to determine which system bugs should be addressed first. Under a May 2021 executive order on improving national cybersecurity, agencies are under a Binding Operational Directive (BOD) to receive and address vulnerability reports from security researchers within specific timelines, and they are deciding what evidence they might require from software vendors attesting to secure development practices. CISA used the SSVC methodology to create its catalog of hundreds of known exploitable vulnerabilities, which agencies are also required to reference when applying a framework for addressing weaknesses they already know exist in their enterprises, according to Goldstein. However, not all software flaws are widely known or recorded as a Common Vulnerability and Exposure (CVE). In Goldstein's vision for improving vulnerability management practices, the SSVC prioritization methodology is the third step in a three-step process. First, greater automation in vulnerability management is required, including expanding the use of the Common Security Advisory Framework (CSAF). Second, widespread Vulnerability Exploitability Exchange (VEX) should make it easier for organizations to determine whether a given product is affected by a vulnerability. This article continues to discuss CISA's release of documents aimed at guiding the prioritization of software vulnerability remediation by agencies and other organizations.

    NextGov reports "CISA Issues Vulnerability-Management Tools Dependent on Industry Action"

  • news

    Visible to the public "LiteSpeed Vulnerabilities Can Lead to Complete Web Server Takeover"

    Security researchers at Palo Alto Networks have discovered LiteSpeed Web Server vulnerabilities and noted that they can be exploited to take complete control of a targeted server. The researchers said that the security holes were found during an audit of OpenLiteSpeed, the open source version of the LiteSpeed performance-focused web server made by LiteSpeed Technologies. The researchers stated that the vulnerabilities impact both versions, which have been patched with the release of OpenLiteSpeed and LiteSpeed 6.0.12. The researchers noted that the vulnerabilities can be exploited to compromise the targeted web server and execute arbitrary code with elevated privileges. However, the flaws cannot be exploited without authentication. The attacker must first use a brute-force attack or social engineering to obtain valid credentials to the web server's dashboard. The first vulnerability, rated "high severity" and tracked as CVE-2022-0073, is related to a field that allows users to specify a command to be executed when the server starts. The second vulnerability, also rated "high severity" and tracked as CVE-2022-0074, can be leveraged by an attacker who has exploited the previous flaw to escalate privileges from "nobody" to "root." The third issue, CVE-2022-0072, is a directory traversal bug that can be exploited to bypass security measures and access forbidden files.

    SecurityWeek reports: "LiteSpeed Vulnerabilities Can Lead to Complete Web Server Takeover"

  • news

    Visible to the public "Merced College Knocked Offline in Apparent Malware Attack"

    Following a malware attack, a community college in California was recently taken offline, and its services were disrupted. On November 3, Merced College went offline, with the school stating on Twitter that it was experiencing a significant network disruption and that most of the district's technology functions were unavailable. All network communications, online platforms, the college website, and other technology services were taken down by the attack. In a November 8 update, Merced stated that it had hired "some of the best experts in the field" and that the team was working to determine whether personal identification information had been compromised. In response to the attack, the college has also set up a temporary website at to provide students and faculty with information. The malware attack has brought Merced College to its knees, and students and employees still do not fully know what is happening to their personal data as the systems appear to be still down. The cyberattack on Merced comes months after a ransomware attack took down the Los Angeles School District. After refusing to pay the ransom demands, 500 gigabytes of data stolen from the school district were leaked online a month later. This article continues to discuss the malware attack that took Merced College offline.

    SiliconANGLE reports "Merced College Knocked Offline in Apparent Malware Attack"

  • news

    Visible to the public "Cryptojacking Malware Sees a 230 Percent Increase in 2022"

    Cryptocurrency mining has grown by 230 percent in popularity among cybercriminals in the past year, as it is expensive regarding machinery and energy consumption. If cybercriminals cryptojack someone else's machine to do it, they could make a lot of money. Despite the 'crypto winter,' which has seen the value of cryptocurrencies plummet and the cryptocurrency industry face a liquidity crisis, criminal activity targeting the cryptocurrency industry does not appear to be slowing down any time soon. According to new research, 215,843 new cryptocurrency miners appeared and took over computers in 2022, and cryptocurrency mining can earn cybercriminals around $40,500 per month. The majority of the increase in mining has occurred in the third quarter, with over 150,000 new miners discovered between July and September. Mining for Monero (XMR) is the most common among the samples examined (48 percent). This currency is well-known for its technologies that anonymize transaction data in order to maximize privacy, making identifying addresses trading Monero, transaction amounts, balances, or transaction histories impossible, all of which are very appealing to cybercriminals. Miners are typically distributed via malicious files disguised as pirated content, such as films, music, games, and software. At the same time, unpatched vulnerabilities pose a significant risk to users while also serving as an appealing lure for cybercriminals who use them to spread miners. According to the researchers' telemetry, almost every sixth vulnerability-exploiting attack was accompanied by a miner infection. This article continues to discuss the increase in cryptojacking malware.

    BetaNews reports "Cryptojacking Malware Sees a 230 Percent Increase in 2022"

  • news

    Visible to the public "Qatar World Cup Firms Urged to Upgrade Cyber-Threat Model"

    Security researchers at Digital Shadows are warning organizing bodies and key partners of the FIFA World Cup in Qatar to enhance their resilience against a potential barrage of cyber threats. The researchers collected threat data on the event over a 90-day period. The researchers claimed that the world's most-watched sporting event would invite scrutiny from various threat actors. The researchers noted that scams could present themselves in many forms. For example, financially motivated threat actors often plant malicious URLs spoofing these events to fraudulent sites, hoping to maximize their chances of scamming naive internet users for a quick profit. The researchers noted that at the same time, hacktivist groups may exploit the public attention given to such events to exponentially increase the reach of their message. The researchers stated that state-sponsored advanced persistent threat (APT) groups may also decide to target global sporting events like the Qatar 2022 World Cup to achieve state goals. The researchers are urging organizations to take a risk-based approach to cybersecurity ahead of the event, focusing on cyber-hygiene best practices such as regular patching, multi-factor authentication (MFA), and phishing awareness. The article continues to discuss the key risks to the organizing body and key partners of the FIFA World Cup.

    Infosecurity reports: "Qatar World Cup Firms Urged to Upgrade Cyber-Threat Model"

  • news

    Visible to the public "Microsoft Attributes 'Prestige' Ransomware Attacks on Ukraine and Poland to Russian Group"

    Microsoft officially linked cyberattacks involving the 'Prestige' ransomware to the Russian hacking group named IRIDIUM. According to Microsoft, the ransomware was used in a series of attacks targeting the transportation and logistics sectors in Ukraine and Poland last month. The Microsoft Threat Intelligence Center (MSTIC) believes that IRIDIUM most likely carried out the Prestige ransomware-style attack in November 2022. IRIDIUM is a Russia-based threat actor, publicly overlapping with Sandworm, which has been consistently active in the Ukrainian war and has been linked to destructive attacks since the war's start. According to Microsoft, the attribution was based on several indicators, including the infrastructure used in the attacks and forensic artifacts. The company's security team stated that it discovered evidence that Iridium had compromised multiple Prestige victims dating back to March. Prior to October, the group maintained access, and Microsoft previously stated that the group behind the attacks had already gained a high level of access to targeted networks via unknown means. The campaign, according to Microsoft researchers, may highlight a measured shift in IRIDIUM's destructive attack calculus, indicating increased risk to organizations directly supplying or transporting humanitarian or military aid to Ukraine. Russia has used various wipers and ransomware in its cyberattacks on Ukraine and other countries opposing its invasion. Before deploying the ransomware, the attackers were seen using two Remote Code Execution (RCE) tools: the commercial RemoteExec and the open-source Impacket WMIexec. They used additional tools in some environments to extract credentials or gain additional access. This article continues to discuss Microsoft's attribution of Prestige ransomware attacks to the Russia-based threat actor IRIDIUM.

    The Record reports "Microsoft Attributes 'Prestige' Ransomware Attacks on Ukraine and Poland to Russian Group"

  • news

    Visible to the public "CISA Says Midterm Voting Uncompromised By Cyberattacks"

    The Cybersecurity and Infrastructure Security Agency (CISA) stated on Wednesday that cyberattacks did not disrupt or compromise the midterm voting procedures. CISA noted that it had not seen any evidence that any voting system deleted or lost votes, changed votes, or was compromised in any part of the country. CISA urges everyone to look towards their state and local election officials for the most accurate and up-to-date information about vote counts and to remain patient as election officials continue to do their jobs and carry out the certification process. This statement comes a month after CISA first urged voters to critically evaluate any information they received about the midterms as foreign actors may seek to sow doubt about the result.

    Infosecurity reports: "CISA Says Midterm Voting Uncompromised By Cyberattacks"

  • news

    Visible to the public  "US Health Dept Warns of Venus Ransomware Targeting Healthcare Orgs"

    The US Department of Health and Human Services (HHS) has issued a warning about Venus Ransomware attacks targeting healthcare organizations in the country. HHS' security team also mentions at least one incident in which Venus Ransomware was deployed on the networks of a US healthcare organization. According to the Health Sector Cybersecurity Coordination Center (HC3), there is no known data leak site that Venus Ransomware threat actors are using. Venus Ransomware was discovered in mid-August 2022 and has since spread across the networks of dozens of corporate victims around the world. The threat actors behind the Venus Ransomware attacks are known for encrypting Windows devices by hacking into victims' publicly exposed Remote Desktop services. The ransomware will delete event logs, Shadow Copy Volumes, and disable Data Execution Prevention on compromised endpoints, in addition to terminating database services and Office apps. Venus Ransomware has been relatively active since August, with new submissions uploaded to ID Ransomware daily. Previous alerts have warned of threat actors using the Maui and Zeppelin ransomware payloads in attacks on Healthcare and Public Health (HPH) organizations. This article continues to discuss healthcare organizations being targeted by Venus Ransomware attacks and other ransomware operations targeting healthcare organizations across the US this year.

    Bleeping Computer reports "US Health Dept Warns of Venus Ransomware Targeting Healthcare Orgs"