News Items

  • news

    Visible to the public "Cyber-Threat Actor Uses Booby-Trapped VPN App to Deploy Android Spyware"

    Adware and other unwanted, potentially dangerous applications continue to be the most serious threat that mobile device users face today. However, attackers are constantly attempting to deploy more sophisticated mobile malware. The most recent example is "SandStrike," a booby-trapped Virtual Private Network (VPN) app used to install spyware on Android devices. The malware searches for and steals call logs, contact lists, and other sensitive data from infected devices. According to security researchers, it can also track and monitor specific users. SandStrike operators were observed attempting to install the spyware on devices belonging to members of Iran's Baha'i community, a Persian-speaking minority group. It remains unclear how many devices the threat actor may have targeted or infected. To entice users to download the weaponized app, the threat actors set up multiple Facebook and Instagram accounts, each claiming more than 1,000 followers. The social media accounts display religious-themed graphics intended to pique the interest of members of the targeted faith group, and they frequently link to a Telegram channel that offers a free VPN app for users who want to reach sites hosting prohibited religious materials. To make the app fully functional, the threat actors even stood up their own VPN infrastructure. Once a user downloads and installs SandStrike, it quietly collects and exfiltrates sensitive data about the device's owner. The operation is the latest of many espionage campaigns built on dedicated infrastructure and mobile spyware, an arena that includes well-known threats such as NSO Group's Pegasus as well as newer ones such as Hermit. This article continues to discuss the SandStrike espionage-aimed Android malware.

    Dark Reading reports "Cyber-Threat Actor Uses Booby-Trapped VPN App to Deploy Android Spyware"

  • news

    Visible to the public "Black Basta Ransomware Gang Linked to the FIN7 Hacking Group"

    Sentinel Labs security researchers discovered evidence linking the Black Basta ransomware gang to the financially motivated hacking group FIN7, also known as "Carbanak." Analysis of tools used in attacks revealed signs that a FIN7 developer also authored the Endpoint Detection and Response (EDR) evasion tools used exclusively by Black Basta since June 2022. Sentinel Labs discovered an executable that displays a fake Windows Security GUI and tray icon, giving users the impression that Windows Defender is functioning normally. In the background, however, the malware disables Windows Defender, EDR, and antivirus tools, ensuring that nothing interferes with data exfiltration and encryption. More samples linked to that tool were retrieved; one was packed with a previously unknown packer, and the packed payload was identified as 'SocksBot,' a backdoor that FIN7 has been using and developing since at least 2018. Furthermore, the backdoor connects to a command-and-control (C2) IP address belonging to "pq.hosting," a bulletproof hosting provider trusted and regularly used by FIN7. The researchers believe that the threat actor who created the impairment tool used by Black Basta is the same actor who has access to the packer source code used in FIN7 operations, establishing a possible link between the two groups for the first time. This article continues to discuss the evidence linking the Black Basta ransomware gang to the FIN7 hacking group.

    Bleeping Computer reports "Black Basta Ransomware Gang Linked to the FIN7 Hacking Group"

  • news

    Visible to the public "Hackers Using Rogue Versions of KeePass and SolarWinds Software to Distribute RomCom RAT"

    RomCom Remote Access Trojan (RAT) operators are expanding their campaigns by using rogue versions of software such as SolarWinds Network Performance Monitor, the KeePass password manager, and PDF Reader Pro. The operation's targets include victims in Ukraine and select English-speaking countries such as the UK. Considering the geography of the targets and the current geopolitical situation, the BlackBerry Threat Research and Intelligence Team believes the RomCom RAT threat actor is unlikely to be motivated by cybercrime. The latest findings follow the Canadian cybersecurity firm's disclosure of a spear-phishing campaign aimed at Ukrainian entities that installed the same RAT. To distribute the implant, the unknown threat actor has also been observed using trojanized variants of Advanced IP Scanner and pdfFiller as droppers. The most recent iteration of the campaign involves creating decoy lookalike websites with similar domain names, uploading a malware-laced installer bundle of the impersonated software to them, and then sending phishing emails to targeted victims. This article continues to discuss the operators of RomCom RAT using rogue versions of SolarWinds Network Performance Monitor, the KeePass password manager, and PDF Reader Pro.

    THN reports "Hackers Using Rogue Versions of KeePass and SolarWinds Software to Distribute RomCom RAT"
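    The lookalike-domain lure described above is something a defender can check for. The following is an added example (not code from BlackBerry, THN, or any vendor named above): a small typosquat checker that normalizes homoglyphs and hyphens, compares a candidate domain's registrable label against the impersonated product names, and applies an edit-distance threshold. The brand list, the allow-list, and the candidate domains are constructed for illustration, and the reserved .example suffix is used so that nothing here asserts a real domain is malicious.

```python
"""Lookalike-domain check for the software brands used as RomCom lures.

Added example, not from the BlackBerry research or the article. Brand labels,
the allow-list, and all candidate domains are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Optional

# Registrable labels of the impersonated products (constructed list; extend as needed).
BRANDS = ("keepass", "solarwinds", "pdfreaderpro", "advanced-ip-scanner", "pdffiller")
# Vendor domains an operator has verified as legitimate (assumed allow-list).
KNOWN_GOOD = {"keepass.info", "solarwinds.com"}

# Single characters attackers swap for look-alikes, mapped back before comparing.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})
# Multi-character tricks: "rn" for "m", "vv" for "w", "cl" for "d".
MULTI = (("rn", "m"), ("vv", "w"), ("cl", "d"))


@dataclass
class Verdict:
    domain: str
    brand: Optional[str]   # which brand it resembles, if any
    reason: str


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(domain: str) -> str:
    """Label left of the TLD. Assumes a single-label public suffix (no .co.uk handling)."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def normalize(label: str) -> str:
    """Undo common visual substitutions and drop hyphens so variants collapse together."""
    s = label.lower().translate(HOMOGLYPHS)
    for src, dst in MULTI:
        s = s.replace(src, dst)
    return s.replace("-", "")


def classify(domain: str) -> Verdict:
    """Decide whether a domain impersonates one of the tracked brands."""
    if domain.lower() in KNOWN_GOOD:
        return Verdict(domain, None, "allow-listed")
    label = registrable_label(domain)
    if label in BRANDS:
        return Verdict(domain, label, "brand label on unexpected TLD")
    norm = normalize(label)
    for brand in BRANDS:
        b = normalize(brand)
        if norm == b:
            return Verdict(domain, brand, "homoglyph or hyphen variant")
        if b in norm:
            return Verdict(domain, brand, "brand embedded with extra tokens")
        threshold = 1 if len(b) < 8 else 2   # longer names tolerate one more edit
        if levenshtein(norm, b) <= threshold:
            return Verdict(domain, brand, f"within edit distance {threshold}")
    return Verdict(domain, None, "no match")


if __name__ == "__main__":
    # Constructed candidates; .example is reserved and never resolves.
    for d in ("keepass.info", "ke3pass.example", "solarvvinds.example",
              "solarwinds-npm.example", "keepas.example", "github.example"):
        v = classify(d)
        print(f"{d:28} -> {v.reason} ({v.brand})")
```

    Run this over newly registered domains or over the sender and link domains in a mail gateway log; anything that is not allow-listed and resolves to a brand is worth a look before the installer it serves is.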

  • news

    Visible to the public "Murray State Partners With PISCES to Support Cybersecurity"

    The Public Infrastructure Security Cyber Education System (PISCES) Project has partnered with Murray State University's Cyber Education and Research Center to provide security monitoring to local government entities, making Murray State the first university in Kentucky to partner on the project. The PISCES Project, funded by the Kentucky Office of Homeland Security (KOHS) and the Kentucky Intelligence Fusion Center (KIFC), will provide Murray State cybersecurity students with real-world experience as entry-level cyber analysts for local government entities. PISCES is a non-profit, non-government entity enabled by the US Homeland Security Department's Cybersecurity and Infrastructure Security Agency (CISA) and the Pacific Northwest National Lab (PNNL). Its mission is to bring "a reliable high-quality pipeline" of cyber professionals into the workforce. Participation from state organizations such as KOHS and KIFC opens up new opportunities in Kentucky. The project is free to any local government that participates, and it is simple for local governments to become involved. PISCES will provide student-staffed network monitoring to local government entities that cannot afford regular security monitoring. Murray State's collaboration will enable students to analyze network traffic for malware and cyber threats without reading the content of the traffic itself. The massive workforce shortage, as well as the cybersecurity challenges that governments face, can be overwhelming. This collaboration combines Murray State's Program of Distinction in Cybersecurity and its responsibility to support the state and region with the opportunity to provide real-world experience for students who will be on the front lines of identifying cybersecurity threats, while also producing professionally trained and educated individuals who are willing to participate and grow together. The synergy created by this partnership will enable Murray State students to face real-world challenges while being guided by PISCES, Murray State, and local partners. This article continues to discuss Murray State University's Cyber Education and Research Center partnering with the PISCES Project to provide security monitoring to local government entities.

    Murray State University reports "Murray State Partners With PISCES to Support Cybersecurity"

  • news

    Visible to the public "Securing Africa's Cyberspace"

    According to a 2020 Global System for Mobile Communications Association (GSMA) report, 38 percent of African citizens are online. With a population of 1.4 billion people, the continent is clearly on the verge of a digital transformation. Although digitizing Africa represents a significant opportunity, it also poses significant threats and challenges. Incentives, affordable resources, and the ability to adapt to new models still need to improve for digital solution providers. In addition, consumers are hesitant to put their trust in digital technologies. Furthermore, limited cybersecurity capacity remains a major issue. The CyLab-Africa initiative, a collaboration between Carnegie Mellon University's (CMU) CyLab Security and Privacy Institute and CMU-Africa, is working to tackle these challenges. The initiative, involving African cybersecurity experts, aims to improve the security of digital systems in Africa and other emerging markets. CyLab-Africa and the newly announced Upanzi Network have spent their first year working to improve cybersecurity in Africa, focusing on stakeholder engagement within the cybersecurity ecosystem. Stakeholder engagement is especially important in cybersecurity. The Secretary-General of the United Nations has devised a strategy in which all stakeholders play a role in advancing a safer, more equitable digital world. The strategy describes access, trust, and resilience as critical success factors for Africa's digital transformation. The continent's cybersecurity backbone must be built on effective and efficient infrastructure, technology, and deliberate workforce development initiatives, which calls for the participation of the respective ecosystem stakeholders. Many of these stakeholder discussions center on Digital Public Goods (DPGs): open-source software, open data, open Artificial Intelligence (AI) models, open standards, and open content that adhere to privacy and other applicable laws and best practices. This article continues to discuss the collaboration aimed at improving the cybersecurity of digital systems in Africa.

    CyLab reports "Securing Africa's Cyberspace"

  • news

    Visible to the public "Fortinet Patches 6 High-Severity Vulnerabilities"

    Fortinet recently informed customers about 16 vulnerabilities discovered in the company's products, including six flaws that have been assigned a "high" severity rating. One of the high-severity issues affects FortiTester and allows an authenticated attacker to execute commands via specially crafted arguments to existing commands. The company noted that FortiSIEM is affected by a vulnerability that allows a local attacker with command-line access to perform operations on the Glassfish server directly via a hardcoded password. The remaining high-severity flaws are stored and reflected cross-site scripting (XSS) bugs affecting FortiADC, FortiDeceptor, FortiManager, and FortiAnalyzer; some of them can be exploited remotely without authentication. The company stated that medium- and low-severity vulnerabilities have been patched in FortiOS, FortiTester, FortiSOAR, FortiMail, FortiEDR Collector for Windows, FortiClient for Mac, and FortiADC. These security holes can be exploited for privilege escalation, XSS attacks, obtaining sensitive information, denial-of-service (DoS) attacks, bypassing protections, changing settings, and executing arbitrary commands.

    SecurityWeek reports: "Fortinet Patches 6 High-Severity Vulnerabilities"

  • news

    Visible to the public "Cybersecurity in the Energy Industry: Why Working Together Across the Value Chain Is Vital for Resilience"

    The energy and utility industries have been subjected to more organized cyberattacks, the consequences of which have been widely publicized. Supply chain attacks are becoming more visible in both number and impact. The SolarWinds attack alone impacted thousands of top companies and government agencies worldwide. The Colonial Pipeline attack disrupted millions of citizens' energy supply for several days, cost millions to contain and recover from, and resulted in long-term brand damage. In 66 percent of the incidents, attackers focused on the suppliers' code to further compromise targeted customers. The exploitation of a single organization's weakness or vulnerability can bring an entire value chain down. Therefore, it is critical to investigate how to trust suppliers when what could lurk in their environments is unknown. It is also critical to address the question of how to build trust with customers who are unaware of your digital landscape. Trust itself can become a vulnerability if it is not thoughtful, reciprocal, and verifiable through evidence. Every government agency, non-profit organization, global conglomerate, and small and medium-sized business relies on a supplier or partner to function digitally, and each has no choice but to overcome information asymmetry. When one operates an "enabling function" that is critical to a nation's growth and production, one must ensure trust through actions all along the value chain. Companies in the energy sector operate in multiple locations, source goods from five continents, outsource services, and manage thousands of unique suppliers. Furthermore, the energy sector relies heavily on data to help build a reliable and flexible energy infrastructure, and third-party technologies are typically used as support, adding to the complexity and risk of the landscape. The picture is further complicated because 65 percent of organizations have not identified the third parties whose failure could jeopardize their most critical functions. Companies should develop "third-party security principles" to govern how they engage suppliers on a common cybersecurity posture, so that security and privacy are considered in the procurement process and throughout the supplier life cycle. This article continues to discuss bolstering cybersecurity in the energy sector.

    World Economic Forum reports "Cybersecurity in the Energy Industry: Why Working Together Across the Value Chain Is Vital for Resilience"

  • news

    Visible to the public "Netskope Report: Phishing Still Alluring Bait"

    Phishing is still a popular method for obtaining usernames, passwords, multifactor authentication (MFA) codes, and other sensitive information. Although users are becoming more adept at detecting phishing attempts in email and text messages, they are much more susceptible to phishing links in unexpected places such as websites, blogs, and third-party cloud apps, according to Ray Canzanese, threat research director at Netskope Threat Labs. According to the quarterly Netskope Cloud and Threat Report, threat actors are adjusting their methods, and phishing is increasingly coming from all directions. Netskope Threat Labs publishes a report on a specific topic every quarter, based on anonymized data collected from the Netskope Security Cloud across millions of users. This quarter's report focused on phishing attacks between July 1 and September 30, 2022. The report reveals that many users continue to fall for phishing scams despite widespread controls and training. According to Canzanese, technology and training are still insufficient to combat the growing volume and sophistication of phishing attacks. Based on the report's data, an average of 8 out of every 1,000 enterprise users clicked on a phishing link or attempted to access phishing content in some way. Canzanese pointed out that the initial reaction is that this is not a large number; 8 out of 100 would seem far more concerning. But in a large company with 100,000 users, that rate translates to about 800 employees falling victim to phishing every quarter, he said, and it only takes one person entering their credentials to end up with a Business Email Compromise (BEC) situation. The two primary phishing referral methods are malicious links posted as spam on legitimate websites and blogs, and websites and blogs created specifically to host phishing content. Together these accounted for the greatest share of successful phishing attempts (26 percent). This article continues to discuss key findings and points shared in the quarterly Netskope Cloud and Threat Report.

    VB reports "Netskope Report: Phishing Still Alluring Bait"

  • news

    Visible to the public "Unofficial Fix Emerges for Windows Bug Abused to Infect Home PCs With Ransomware"

    Acros Security has issued another unofficial patch for a Windows bug that Microsoft has not yet fixed and that is being actively exploited to spread ransomware. The cybersecurity firm's small binary patch addresses a vulnerability in Microsoft's Mark-of-the-Web (MotW) feature, which tags files obtained from the Internet, USB sticks, and other untrusted sources with a flag stored in the file's metadata (on NTFS, the Zone.Identifier alternate data stream). When a flagged file is opened, additional safeguards kick in, such as Office blocking macros from running or the operating system checking that the user truly intended to run that .exe. It is possible, however, to have downloaded files arrive without the MotW flag, bypassing all of those protections when they are opened. For example, an attacker can prevent Windows from placing the flag on files extracted from an untrusted ZIP archive, and can thereby trick users into opening the archive and running malicious software without triggering the expected safeguards. Will Dormann, a senior vulnerability analyst at Analygence, discovered the bug months ago, and on October 10 security researcher Kevin Beaumont reported that it was being exploited in the wild. In September, just days before the first unofficial patch was released, HP Wolf Security reported a wave of ransomware infections that all began with a web download: victims were lured into fetching a ZIP archive containing a JavaScript file posing as an antivirus or Windows software update. When executed, the script installed Magniber, a ransomware strain aimed at Windows home users; according to HP Wolf Security, it encrypts documents and demands up to $2,500 from victims to restore their data. This article continues to discuss the unofficial patch released by Acros Security to address a flaw in Microsoft's MotW feature.

    The Register reports "Unofficial Fix Emerges for Windows Bug Abused to Infect Home PCs With Ransomware"
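    The MotW mechanism the item above describes is concrete enough to inspect directly. The following is an added example (not code from Acros, Microsoft, or The Register): it parses the INI-style content of a Zone.Identifier stream, decides whether a file carries a zone that triggers the extra safeguards, attempts to read the stream from disk where the filesystem exposes it, and lists which files in a set would open with no protection at all, which is the situation the ZIP bypass creates. The sample stream contents and the extracted-file scenario are constructed; the example.invalid URLs are reserved names.

```python
"""Parse and evaluate Mark-of-the-Web (Zone.Identifier) data.

Added example, not from Acros, Microsoft or the article. On NTFS, Windows
stores MotW as an alternate data stream named "Zone.Identifier" attached to the
downloaded file; its content is INI-style text with a [ZoneTransfer] section.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# URL security zone IDs as Windows defines them.
ZONE_NAMES = {0: "My Computer", 1: "Local intranet", 2: "Trusted sites",
              3: "Internet", 4: "Restricted sites"}
# Zones for which Office macro blocking and the run-this-file prompt apply.
UNTRUSTED_ZONES = {3, 4}

# Constructed sample of what a browser writes for a file fetched from the web.
SAMPLE_STREAM = (
    "[ZoneTransfer]\r\n"
    "ZoneId=3\r\n"
    "ReferrerUrl=https://example.invalid/download\r\n"
    "HostUrl=https://example.invalid/files/update.zip\r\n"
)


@dataclass
class Mark:
    zone_id: int
    referrer_url: Optional[str] = None
    host_url: Optional[str] = None

    @property
    def name(self) -> str:
        return ZONE_NAMES.get(self.zone_id, "Unknown")

    @property
    def untrusted(self) -> bool:
        """True when opening the file should trigger the MotW safeguards."""
        return self.zone_id in UNTRUSTED_ZONES


def parse_zone_identifier(text: str) -> Optional[Mark]:
    """Parse stream content; return None if it does not contain a usable ZoneId."""
    section = None
    fields: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section == "zonetransfer" and "=" in line:
            key, _, value = line.partition("=")
            fields[key.strip().lower()] = value.strip()
    if "zoneid" not in fields:
        return None
    try:
        zone = int(fields["zoneid"])
    except ValueError:
        return None
    return Mark(zone, fields.get("referrerurl"), fields.get("hosturl"))


def read_mark(path: str) -> Optional[Mark]:
    """Read the ADS from disk. Only NTFS exposes 'file:Zone.Identifier'; elsewhere this is None,
    which is exactly what a stripped mark looks like to the OS."""
    try:
        with open(path + ":Zone.Identifier", "r", encoding="utf-8", errors="replace") as f:
            return parse_zone_identifier(f.read())
    except OSError:
        return None


def unmarked_files(marks: Dict[str, Optional[Mark]]) -> List[str]:
    """Files (name -> parsed mark) that will open without any MotW safeguard."""
    return sorted(name for name, mark in marks.items() if mark is None or not mark.untrusted)


def demo() -> List[str]:
    """Constructed scenario: three files 'extracted' from an Internet-zone archive."""
    extracted = {
        "update.js": parse_zone_identifier(SAMPLE_STREAM),                # properly marked
        "readme.txt": parse_zone_identifier("[ZoneTransfer]\nZoneId=0\n"),  # marked My Computer
        "installer.exe": None,                                            # stream absent: the bypass case
    }
    return unmarked_files(extracted)


if __name__ == "__main__":
    m = parse_zone_identifier(SAMPLE_STREAM)
    print(f"zone {m.zone_id} ({m.name}), untrusted={m.untrusted}, from {m.host_url}")
    print("files that open unprotected:", demo())
```

    On a Windows host, pointing read_mark at a freshly extracted file is a quick way to confirm whether an archive tool propagated the mark; PowerShell's Get-Content -Stream Zone.Identifier shows the same data. Unblock-File removes the stream, which is also what the bypass achieves without the user's consent.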

  • news

    Visible to the public "Alternative Authentication Methods Take Hold in Response to Digital Dangers"

    Businesses are increasingly trying to move away from passwords for securing accounts as global issues spill over into the digital realm and hybrid working takes hold. According to the latest Trusted Access Report from the Cisco company Duo, the percentage of accounts allowing WebAuthn passwordless authentication has increased by 50 percent, and WebAuthn usage has increased fivefold since April 2019. Duo collaborated with the Cyentia Institute to analyze data from over 13 billion authentications on more than 49 million devices, over 490 thousand unique applications, and around 1.1 billion monthly authentications from across its customer base, which spans North America, Latin America, Europe, the Middle East, and Asia-Pacific. In addition to the increase in WebAuthn use, there was a 38 percent increase in multifactor authentication (MFA) using Duo in the last year. The findings also show that MFA is becoming more widely used around the world. Ireland has the highest increase in MFA use (52 percent), followed by Japan (32 percent). Cloud applications also account for a growing number of authentications, with a 24 percent increase in 2022. There has been more interest in location blocking, but relatively few customers currently use it. Ninety-one percent of Duo customers who implement device-based policies restrict access from China or Russia, and 63 percent block both countries. This article continues to discuss key findings from the 2022 Duo Trusted Access Report.

    BetaNews reports "Alternative Authentication Methods Take Hold in Response to Digital Dangers"

  • news

    Visible to the public "US Charges 8 People Over Cybercrime, Tax Fraud Scheme"

    The United States Department of Justice recently announced charges against eight individuals for their participation in a racketeering (RICO) conspiracy that involved hacking and tax fraud. The defendants, Andi Jacques, Monika Shauntel Jenkins, Louis Noel Michel, Jeff Jordan Propht-Francisque, Dickenson Elan, Michael Jean Poix, Vladimyr Cherelus, and Louisaint Jolteus, allegedly worked together to perform computer intrusions and fraud. Between 2015 and 2019, the defendants, along with others, including a now-deceased conspirator referred to as Rich4Ever4430, banded together in a cybercrime and fraud scheme involving tax returns. Jenkins, Michel, Propht-Francisque, Cherelus, and Rich4Ever4430 purchased, on the dark web, server credentials for Certified Public Accounting (CPA) and tax preparation firms and used them to access those systems and exfiltrate the tax returns of thousands of people. The stolen tax returns included taxpayers' names, birth dates, Social Security numbers, and financial information, which the conspirators used to commit identity theft and file thousands of false tax returns. The activity allegedly impacted more than 9,000 victims. According to the indictment, the conspirators created and operated fraudulent tax preparation businesses in south Florida and used them to file false tax returns. They also opened bank accounts in the names of these businesses to receive fake "tax preparer fees." The defendants also registered preparer tax identification numbers with the Internal Revenue Service (IRS) using victims' personal information to make their filings seem legitimate. The tax refunds resulting from the fake filings were directed to debit cards and bank accounts controlled by the defendants. If found guilty, the defendants face up to 20 years in prison for the RICO conspiracy count.

    SecurityWeek reports: "US Charges 8 People Over Cybercrime, Tax Fraud Scheme"

  • news

    Visible to the public "U of I Students Earn $37,000 to Bring Innovative Cybersecurity, Homebuilding Products to Market"

    University of Idaho (U of I) students won a total of $37,000 in Idaho's largest entrepreneurial competition, Boise Entrepreneur Week, for their innovative solutions in cybersecurity and construction safety. Students from the U of I took first place in the annual competition hosted by Boise State University. Their winnings will help fund the development of multidisciplinary, team-designed business plans to address unique challenges. Intty Anantachote, a senior in virtual technology and design, won the Life's a Pitch competition and first place in the cybersecurity competition, and was awarded $13,000 for her cybersecurity training tool, Gamified Scam Awareness Training. Her tool uses Virtual Reality (VR) to educate seniors and students about the dangers of social engineering scams that take advantage of a person's trust in order to steal money or sensitive information. Second place went to Ian King, David Trail, Nathan Higley, and Sophia Grace Sivula, who won $4,000 for NADIS, a cybersecurity company that helps businesses verify users with access privileges. This article continues to discuss the innovative cybersecurity and safety solutions that earned U of I students a total of $37,000.

    U of I reports "U of I Students Earn $37,000 to Bring Innovative Cybersecurity, Homebuilding Products to Market"

  • news

    Visible to the public "Russia Linked to Nearly 75% of Late 2021 Ransomware Attacks, Per Analysis"

    According to a new analysis from the Treasury Department's Financial Crimes Enforcement Network (FinCEN), Russian actors accounted for around three-quarters of all recorded ransomware incidents in the latter part of 2021, contributing to the sharp increase in ransomware attacks seen in 2021 versus 2020. FinCEN officials attributed 594 of the 793 ransomware-related activities reported to the agency between July and December 2021 to Russia-linked actors. During that period, the total cost of incidents was $488 million. Earlier in October, FinCEN released a more extensive report explaining that the amount of money lost to ransomware attacks increased from $527 million in 2020 to $886 million in 2021, a 68 percent increase. Officials recorded 1,251 ransomware attacks in 2021, compared to only 602 incidents in 2020. The newer report concentrated on ransomware variants, that is, individual strains of ransomware, and the prevalence of Russian actors in malware deployment. During the 2021 review period, FinCEN authors examined 84 unique ransomware variants and identified approximately 58 percent as being associated with suspected Russian cyber actors. This article continues to discuss FinCEN's report on ransomware trends.

    NextGov reports "Russia Linked to Nearly 75% of Late 2021 Ransomware Attacks, Per Analysis"

  • news

    Visible to the public "Collegiate Students Fired up to Protect Virtual Solar Facility From Cyberattack"

    The Argonne National Laboratory will lead the 2022 CyberForce Competition, which encourages college and university students in the US to consider cybersecurity careers protecting the nation's energy systems. In the US Department of Energy (DOE) CyberForce Competition, college and university students from across the country will attempt to prevent a simulated cyberattack on an up-and-coming electric vehicle manufacturer's solar installation. The CyberForce Competition is part of the DOE's CyberForce Program, which aims to develop the next generation of cyber defenders. The competition gives students an opportunity to learn and practice skills useful in careers that protect the nation's critical energy sector, such as power plants and renewable energy facilities. To engage students in compelling emergency scenarios, the competition employs realistic components such as cyber-physical infrastructure, lifelike anomalies and constraints, and actual users of the systems. Through the competition, participants and volunteers gain knowledge and understanding of cyber-physical threats, vulnerabilities, and consequences. They take a hands-on approach to infrastructure security, from servers and virtual machines to physical devices on their tables. Because their scores include users' ability to continue normal work operations, all competitors face the challenge of balancing security and usability. In this year's scenario, students will be tasked with helping a fast-growing electric vehicle manufacturer harden and secure the systems of its recently acquired solar installation, which appears to have been compromised. Protecting and strengthening it against current and future attacks requires a thorough inspection of its vulnerabilities and a series of innovations. This article continues to discuss the 2022 CyberForce Competition.

    SCIENMAG reports "Collegiate Students Fired up to Protect Virtual Solar Facility From Cyberattack"

  • news

    Visible to the public "UK Reveals GBP 6 Million Cybersecurity Support Package to Ukraine"

    UK Foreign Secretary James Cleverly revealed that the UK has provided Ukraine with a GBP 6.35 million support package to help protect its critical national infrastructure and vital public services from cyberattacks. The UK's 'Ukraine Cyber Program' was activated shortly after Russia's invasion of Ukraine in February 2022 to counter increased Russian cyberattacks. To protect its operational security, the program had not been made public until now. Drawing on the expertise of leading cybersecurity providers, the program has provided incident response support to Ukrainian government entities, protecting them from destructive attacks such as Industroyer2 and preventing malicious actors from gaining access to critical information relevant to the war effort. In addition, the program has limited attacker access to critical networks and assisted Ukraine in hardening its critical infrastructure against future attacks. Furthermore, the UK has provided frontline cybersecurity hardware and software, such as firewalls to prevent attacks from taking hold, Distributed Denial-of-Service (DDoS) protection to ensure Ukrainian citizens can continue to access critical information, and forensic capabilities that allow Ukrainian analysts to fully understand how systems were compromised. This article continues to discuss the UK's Ukraine Cyber Program.

    HSToday reports "UK Reveals GBP 6 Million Cybersecurity Support Package to Ukraine"

  • news

    Visible to the public "CISA Releases Guidance on Phishing-Resistant and Numbers Matching Multifactor Authentication"

    The US Homeland Security Department's Cybersecurity and Infrastructure Security Agency (CISA) has issued two fact sheets highlighting threats to accounts and systems that use certain types of multifactor authentication (MFA). To protect against phishing and other known cyber threats, CISA strongly advises all organizations to implement phishing-resistant MFA. Where an organization that relies on mobile push-notification MFA cannot yet implement phishing-resistant MFA, CISA recommends enabling number matching, in which the user must enter a number displayed on the login screen into the authenticator app rather than simply tapping "approve," to mitigate MFA fatigue (also called push bombing). While number matching is not as strong as phishing-resistant MFA, CISA describes it as an interim mitigation for organizations that cannot implement phishing-resistant MFA right away. This article continues to discuss the "Implementing Phishing-Resistant MFA" and "Implementing Number Matching in MFA Applications" fact sheets released by CISA.

    CISA reports "CISA Releases Guidance on Phishing-Resistant and Numbers Matching Multifactor Authentication"
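    The reason number matching blunts push bombing is easiest to see in the message flow, so the following is an added example (not CISA's guidance text or any vendor's implementation): a toy server and authenticator exchange in which the login screen shows a short number, the push carries only a prompt, and a response is accepted only if it supplies the matching number within the push's lifetime, with a single attempt per push. The 2-digit challenge, 60-second lifetime, one-attempt rule, and the session identifiers are assumptions chosen for the example.

```python
"""Number-matching push MFA as a toy server/authenticator exchange.

Added example, not CISA's or any vendor's code. Assumed parameters: 2-digit
challenge, 60-second push lifetime, one attempt per push.
"""
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional

CHALLENGE_DIGITS = 2        # assumption; more digits lower the odds of a blind guess
PUSH_TTL_SECONDS = 60       # assumption


@dataclass
class PushChallenge:
    login_id: str
    number: str               # rendered on the sign-in screen only, never sent in the push
    expires_at: float
    consumed: bool = False


class MfaServer:
    def __init__(self, clock=time.time):
        self._clock = clock   # injectable so expiry can be exercised without sleeping
        self._pending: Dict[str, PushChallenge] = {}

    def start_login(self, login_id: str) -> str:
        """Create a push for this login attempt; return the number for the sign-in screen."""
        number = f"{secrets.randbelow(10 ** CHALLENGE_DIGITS):0{CHALLENGE_DIGITS}d}"
        self._pending[login_id] = PushChallenge(login_id, number, self._clock() + PUSH_TTL_SECONDS)
        return number

    def push_payload(self, login_id: str) -> dict:
        """What the authenticator app receives: a prompt to type a number, not the number itself."""
        self._pending[login_id]   # KeyError if no such login attempt
        return {"login_id": login_id,
                "prompt": f"Enter the {CHALLENGE_DIGITS}-digit number shown on your sign-in screen"}

    def respond(self, login_id: str, entered: Optional[str]) -> str:
        """Authenticator's answer. `entered` is the typed number, or None for a bare 'Approve'."""
        ch = self._pending.get(login_id)
        if ch is None or ch.consumed:
            return "denied: no pending push"
        ch.consumed = True    # one attempt per push: a wrong or missing number burns it
        if self._clock() > ch.expires_at:
            return "denied: expired"
        if entered is None:
            return "denied: number required"
        if hmac.compare_digest(entered, ch.number):
            return "approved"
        return "denied: number mismatch"


def legitimate_login(server: MfaServer) -> str:
    """User at the keyboard sees the number and types it into the app."""
    number = server.start_login("alice-session-1")
    server.push_payload("alice-session-1")
    return server.respond("alice-session-1", number)


def push_bombing(server: MfaServer) -> str:
    """Attacker with Alice's password triggers a push; the number is on the attacker's screen."""
    server.start_login("alice-session-2")
    first = server.respond("alice-session-2", None)    # fatigued victim taps 'Approve' with no number
    second = server.respond("alice-session-2", "42")   # push already consumed, so no second try
    return f"{first}; {second}"


if __name__ == "__main__":
    s = MfaServer()
    print("legitimate:", legitimate_login(s))
    print("push bombing:", push_bombing(s))
```

    With a single attempt per push, a blind guess at a 2-digit number succeeds one time in a hundred; the defender controls that by raising CHALLENGE_DIGITS or, as the fact sheet recommends, by moving to phishing-resistant MFA, since number matching still does nothing against a proxying phishing page that relays the real number to the victim.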

  • news

    Visible to the public "Osaka Hospital Halts Services After Ransomware Attack"

    A major hospital in Osaka, Japan, has suspended routine medical services following a ransomware attack that disrupted its electronic medical record systems. Osaka General Medical Center officials stated that emergency operations are continuing. The hospital's investigation found that its systems had been hit by ransomware, with the threat actor sending an English-language message to the hospital's server demanding a ransom in Bitcoin. The hospital's director, Takeshi Shimazu, stated that staff are working to restore the system and using paper medical records until the incident is resolved, as the attack has made it very difficult to calculate medical treatment fees or check details of patients' medical histories. Simon Chassar, CRO at Claroty, stated that as organizations continue to connect cyber-physical systems to their networks, ransomware attacks against the healthcare industry will only increase. Chassar noted that organizations need to close their security gaps and have complete asset visibility across all their cyber-physical systems by implementing patching procedures for OT systems, IoT, and IoMT (Internet of Medical Things) devices. The hospital, operated by the Osaka Prefectural Hospital Organization, has 865 beds and 36 departments.

    Infosecurity reports: "Osaka Hospital Halts Services After Ransomware Attack"

  • news

    Visible to the public "LockBit 3.0 Gang Claims to Have Stolen Data From Thales"

    The LockBit 3.0 ransomware group claims to have stolen data from the French defense and technology group Thales. Thales is a global high-tech leader, employing over 81,000 people worldwide. The company invests in digital and deep technology innovations such as big data, Artificial Intelligence (AI), connectivity, cybersecurity, and quantum to build a future of trust. On October 31, Thales was added to the LockBit 3.0 group's list of victims, threatening to publish stolen data by November 7, 2022, if the company did not pay the ransom. At this time, the ransomware gang has not released any samples of the allegedly stolen data. This article continues to discuss the LockBit 3.0 ransomware group claiming to have stolen data from the French defense and technology group Thales.

    Security Affairs reports "LockBit 3.0 Gang Claims to Have Stolen Data From Thales"

  • news

    Visible to the public "Mobile Phishing Attacks on Government Staff Soar"

    Security researchers at Lookout have discovered that mobile-based credential theft attacks against federal government employees increased by 47% from 2020 to 2021, exposing agencies to a serious risk of breaches. The security researchers analyzed more than 200 million devices and more than 175 million apps. The researchers found that around half (46%) of state, local, and federal US government employees were the target of mobile-based credential phishing attempts in 2021, up from 30% a year earlier. The researchers claimed that one in eight government employees were exposed to phishing threats last year via "social engineering within any app including social media platforms, messaging apps, games, or even dating apps." The researchers didn't mention SMS or email explicitly as phishing vectors, although these are perhaps the most popular. The researchers stated that phishing exposure means threat actors could steal credentials to hijack accounts to gain access to sensitive government data and systems or install malware to eavesdrop on conversations and steal logins that way. The researchers noted that part of the threat comes from the large number of unmanaged devices in use across federal, state, and local government. The researchers revealed a 55% increase in the use of such devices from 2020 to 2021 as BYOD and remote working became the norm across many organizations. The researchers noted that patching is also a problem. The researchers stated that nearly 50% of state and local government employees are currently running outdated Android operating systems, exposing them to hundreds of device vulnerabilities.

    Infosecurity reports: "Mobile Phishing Attacks on Government Staff Soar"

  • news

    Visible to the public "32% Of Cybersecurity Leaders Considering Quitting Their Jobs"

    According to BlackFog research, 32 percent of CISOs and IT security decision makers (DMs) in the UK and the US are considering leaving their current organization. One-third of those considering leaving would do so within the next six months. The study, which looked into the frustrations and challenges that cybersecurity professionals face, also emphasized the impact of cyber incidents on turnover and job security. It found that 41 percent of those who had previously served as a CISO or IT security leader at another organization either left or were let go because of an attack or data breach. When asked which aspect of their job they disliked the most, 30 percent named the lack of work-life balance, while 27 percent said too much time was spent firefighting rather than on strategic issues. However, their role in keeping their organization safe from cyber threats was valued, with 44 percent of respondents stating that being the company's 'protector' and keeping everyone working securely is the most enjoyable aspect of their job. Fifty-two percent reported difficulty keeping up with new frameworks and models, such as zero trust, and a further 20 percent considered it a "serious challenge" to keep their teams' skill levels in line with these. Fifty-four percent felt unable to keep up with information on the most recent cybersecurity solutions, such as anti-data exfiltration, and 43 percent said it was difficult to keep up with the latest cybersecurity innovations. This number varied by country, with 49 percent of US respondents agreeing versus 36 percent in the UK. This article continues to discuss key findings from BlackFog's survey of CISOs and IT security decision makers in the UK and the US.

    Help Net Security reports "32% Of Cybersecurity Leaders Considering Quitting Their Jobs"

  • news

    Visible to the public "The Sky Is Not Falling: Disclosed OpenSSL Bugs Are Serious but Not Critical"

    Security experts have described two highly anticipated vulnerabilities recently patched by the OpenSSL Project team as issues that must be addressed quickly but do not require a drop-everything-else type of emergency response. Version 3.0.7 of the widely used cryptographic library addresses two buffer overflow vulnerabilities found in OpenSSL versions 3.0.0 to 3.0.6. Prior to the disclosure, security experts had warned that one of the issues, initially described as a "critical" Remote Code Execution (RCE) problem, could present a Heartbleed-level problem. However, this does not appear to be the case, as the OpenSSL project team stated in disclosing the flaw that it had decided to downgrade the threat to "high" based on feedback from organizations that had tested and analyzed the bug. The first flaw, tracked as CVE-2022-3602, could enable RCE under certain conditions, prompting some security experts to worry that the flaw could have far-reaching consequences. The second vulnerability, tracked under CVE-2022-3786, which was discovered while working on a fix for the first, could be used to cause Denial-of-Service (DoS) conditions. In order to exploit either of the new flaws, vulnerable servers would need to request client certificate authentication, which is unusual. Furthermore, vulnerable clients would have to connect to a malicious server, which is a common and defendable attack vector. This article continues to discuss the two recently patched OpenSSL bugs.
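
    As an added check (not from the article or from the OpenSSL project), the snippet below turns the affected range and the exploitation preconditions described above into a triage function: it parses an `openssl version` banner, flags builds in 3.0.0 through 3.0.6, and reports whether a given server or client role can actually reach the bug. The banner strings used for testing are constructed.

```python
import re
import shutil
import subprocess

# Affected range as stated in the advisory coverage: OpenSSL 3.0.0 through 3.0.6
# are vulnerable to CVE-2022-3602 and CVE-2022-3786; 3.0.7 is the fixed release.
# The 1.1.1 and 1.0.2 release lines do not contain the affected code.
AFFECTED_MIN = (3, 0, 0)
FIXED = (3, 0, 7)

_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)[a-z]*\b")


def parse_openssl_version(banner):
    """Pull (major, minor, patch) out of an `openssl version` banner such as
    'OpenSSL 3.0.5 5 Jul 2022' or 'OpenSSL 1.1.1q  5 Jul 2022'.
    Letter suffixes on the 1.x line are ignored. Returns None if nothing matches."""
    m = _VERSION_RE.search(banner)
    return tuple(int(x) for x in m.groups()) if m else None


def is_affected(banner):
    """True when the banner reports a build in the 3.0.0..3.0.6 range."""
    v = parse_openssl_version(banner)
    if v is None:
        raise ValueError("no OpenSSL version in %r" % banner)
    return AFFECTED_MIN <= v < FIXED


def assess(banner, role, requests_client_certs=False):
    """Combine the version check with the exploitation preconditions described
    above: a server only reaches the bug if it asks peers for a certificate
    (client authentication); a client reaches it whenever it can be steered
    to a malicious server."""
    if role not in ("server", "client"):
        raise ValueError("role must be 'server' or 'client'")
    if not is_affected(banner):
        return "not affected"
    if role == "server" and not requests_client_certs:
        return "affected build, bug not reachable (no client-cert request)"
    return "affected and reachable: upgrade to 3.0.7"


def local_banner():
    """Banner of the openssl binary on PATH, or None if there is none."""
    if shutil.which("openssl") is None:
        return None
    return subprocess.run(["openssl", "version"], capture_output=True,
                          text=True, check=False).stdout.strip()


if __name__ == "__main__":
    banner = local_banner()
    print(banner or "no openssl binary on PATH")
    if banner:
        print(assess(banner, "client"))
```

    Two caveats when using this on real hosts: distributions often backport the fix without changing the reported version (Ubuntu 22.04's 3.0.2 package received it that way), so for packaged builds confirm with the package changelog rather than the banner; and statically linked applications carry their own copy of the library, which the system binary's banner says nothing about.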

    Dark Reading reports "The Sky Is Not Falling: Disclosed OpenSSL Bugs Are Serious but Not Critical"

  • news

    Visible to the public "Dropbox Discloses Breach After Hacker Stole 130 GitHub Repositories"

    Dropbox has disclosed a security breach in which threat actors stole 130 code repositories after accessing one of its GitHub accounts with stolen employee credentials. Dropbox's investigation found that the code accessed by the threat actors contained some credential information, primarily Application Programming Interface (API) keys used by Dropbox developers. A few thousand names and email addresses belonging to Dropbox employees, current and past customers, sales leads, and vendors were also included in the code and the data surrounding it. The breach resulted from a phishing attack in which emails impersonating the CircleCI continuous integration and delivery platform redirected victims to a phishing landing page that asked them to enter their GitHub username and password. Employees were also asked to use their hardware authentication key to generate a One-Time Password (OTP) and enter it on the same phishing page. This article continues to discuss the Dropbox breach that resulted in the theft of 130 code repositories.
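
    The item above describes a phishing page that harvested both the GitHub password and a hardware-key OTP. The following is an added example, not Dropbox's, GitHub's, or CircleCI's code, that models why that works and why an origin-bound assertion does not: it implements RFC 6238 TOTP, a phishing relay that replays the captured code within the time window, and a simplified WebAuthn-style check in which the key signs the origin the browser is actually on. HMAC with a shared key stands in for the public-key signature a real relying party verifies; the origins, user name, password, and seeds are constructed.

```python
import hashlib
import hmac
import json
import secrets
import struct

# Constructed identities; none of these hosts or secrets are real.
REAL_ORIGIN = "https://github.example"            # assumed genuine login origin
PHISH_ORIGIN = "https://circleci-login.example"   # assumed look-alike phishing origin


def totp(secret, now, step=30, digits=6):
    """RFC 6238 TOTP over HMAC-SHA1, the kind of code a key's OTP mode emits."""
    counter = struct.pack(">Q", int(now) // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return "%0*d" % (digits, value % 10 ** digits)


class Authenticator:
    """The victim's key: emits OTPs, or signs a challenge together with the
    origin the browser says the page is on (the WebAuthn-style binding)."""

    def __init__(self, totp_secret, signing_key):
        self.totp_secret = totp_secret
        self.signing_key = signing_key

    def otp(self, now):
        return totp(self.totp_secret, now)

    def sign_challenge(self, challenge, page_origin):
        client_data = json.dumps({"challenge": challenge, "origin": page_origin}, sort_keys=True)
        sig = hmac.new(self.signing_key, client_data.encode(), hashlib.sha256).digest()
        return {"client_data": client_data, "sig": sig}


class Service:
    """The genuine site. HMAC with a shared key stands in for the public-key
    signature a real relying party would verify."""

    def __init__(self, user, password, authenticator):
        self.user, self.password = user, password
        self.totp_secret = authenticator.totp_secret
        self.signing_key = authenticator.signing_key
        self.challenges = set()

    def login_otp(self, user, password, code, now):
        # Nothing here ties the code to the page it was typed into.
        return (user == self.user
                and hmac.compare_digest(password, self.password)
                and hmac.compare_digest(code, totp(self.totp_secret, now)))

    def new_challenge(self):
        challenge = secrets.token_hex(16)
        self.challenges.add(challenge)
        return challenge

    def login_assertion(self, user, assertion):
        data = json.loads(assertion["client_data"])
        if user != self.user or data["origin"] != REAL_ORIGIN:
            return False                       # signed on another site: reject
        if data["challenge"] not in self.challenges:
            return False                       # unknown or already-used challenge
        expected = hmac.new(self.signing_key, assertion["client_data"].encode(),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, assertion["sig"]):
            return False
        self.challenges.discard(data["challenge"])
        return True


def phish_otp(service, authenticator, user, password, now):
    """Victim types password and OTP into the fake page; the attacker relays
    both to the real site inside the 30-second window."""
    stolen_code = authenticator.otp(now)
    return service.login_otp(user, password, stolen_code, now)


def phish_assertion(service, authenticator, user):
    """Attacker fetches a genuine challenge and gets the victim's key to sign
    it from the phishing page; the signed origin gives the relay away."""
    challenge = service.new_challenge()
    return service.login_assertion(user, authenticator.sign_challenge(challenge, PHISH_ORIGIN))


def legitimate_assertion(service, authenticator, user):
    challenge = service.new_challenge()
    return service.login_assertion(user, authenticator.sign_challenge(challenge, REAL_ORIGIN))


def build_demo():
    auth = Authenticator(totp_secret=b"constructed-totp-seed", signing_key=b"constructed-signing-key")
    return Service("alice", "hunter2", auth), auth


if __name__ == "__main__":
    svc, auth = build_demo()
    print("OTP relay logs attacker in:", phish_otp(svc, auth, "alice", "hunter2", 1700000000))
    print("Origin-bound relay logs attacker in:", phish_assertion(svc, auth, "alice"))
```

    The relay of the OTP succeeds because nothing in the code ties it to the site it was typed into; the assertion relay fails because the phishing origin is inside the signed data. That is the property a WebAuthn security-key factor has and an OTP factor lacks, whatever device generates the OTP.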

    Bleeping Computer reports "Dropbox Discloses Breach After Hacker Stole 130 GitHub Repositories"

  • news

    Visible to the public "These Android Apps with a Million Play Store Installations Redirect Users to Malicious Sites"

    As part of an adware and information-stealing campaign, four Android apps released by the same developer were discovered directing victims to malicious websites. The apps, developed by Mobile Apps Group and currently available on the Play Store, have been downloaded over one million times. According to Malwarebytes, the websites are designed to generate revenue through pay-per-click ads and prompt users to install "cleaner" apps on their phones that deliver additional malware. The apps are "Bluetooth App Sender," "Bluetooth Auto Connect," "Driver: Bluetooth, Wi-Fi, USB," and "Mobile transfer: smart switch." One of the more common methods threat actors use to bypass Google Play Store security checks is a time-based delay that conceals the malicious behavior during review. Malwarebytes' analysis found that the apps wait approximately four days before opening the first phishing site in the Chrome browser, and then launch more tabs every two hours. The apps are part of the HiddenAds malware operation, which has been active since at least June 2019 and has a history of illegally earning revenue by redirecting users to advertisements. This article continues to discuss the set of four Android apps directing victims to malicious websites as part of the HiddenAds malware operation.

    THN reports "These Android Apps with a Million Play Store Installations Redirect Users to Malicious Sites"

  • news

    Visible to the public "Laser Hack of Self-Driving Cars Can 'Delete' Pedestrians"

    In order to avoid obstacles and drive safely, self-driving cars, like the human drivers before them, need to see what is around them. The most advanced autonomous vehicles typically employ LIDAR, a spinning, radar-like sensor that serves as the vehicle's eyes by emitting laser light and recording the reflections from objects in the area. LIDAR constantly provides information about the distance to objects, allowing the car to determine what actions are safe. However, a team of researchers from the University of Florida, the University of Michigan, and the University of Electro-Communications in Japan found that carefully timed lasers directed at an approaching LIDAR system can create a blind spot in front of the vehicle large enough to completely conceal moving pedestrians and other obstacles. The deleted data leads the car to perceive that the road is clear, endangering anything in the attack's blind spot. According to University of Florida cybersecurity researcher and professor Sara Rampazzi, the team mimicked the LIDAR reflections with their laser to make the sensor discount the other reflections coming in from genuine obstacles. The LIDAR still receives genuine data from the obstacle, but that data is automatically discarded because the sensor only registers the researchers' fake reflections. While the technology is simple, the attack is not: the team demonstrated it from up to 10 meters away, and the device must be precisely timed and move with the car to keep the laser pointed in the right direction. This article continues to discuss the demonstrated laser attack capable of blinding autonomous vehicles.

    Cosmos Magazine reports "Laser Hack of Self-Driving Cars Can 'Delete' Pedestrians"

  • news

    Visible to the public "ASU Launches New Quantum Research Collaborative"

    The Quantum Collaborative, an initiative launched by Arizona State University (ASU), is expected to impact society and the American economy through new discoveries and applications in advanced quantum technology. It is a state-funded and global initiative that aims to increase understanding of this critical technology and forge partnerships to advance it. The Quantum Collaborative is comprised of a community of companies, academic institutions, startups, and initiatives working together across several strategic areas to deliver incremental advances across the emerging quantum technology landscape while also developing training and education for the future quantum workforce. For example, one of the founding academic partners, the University of Texas at San Antonio (UTSA), will contribute its extensive experience in cybersecurity, Artificial Intelligence (AI), and data science to address the challenges that quantum poses in protecting data and infrastructure. This article continues to discuss the Quantum Collaborative launched by ASU and the expertise that partnerships will bring in regard to cybersecurity, AI, data science, and more, as well as the potential for quantum computers to break today's encryption algorithms.

    ASU reports "ASU Launches New Quantum Research Collaborative"

  • news

    Visible to the public "CISA Funds Expanding Access to Cybersecurity Programs at HBCUs, K-12 Schools"

    Scams, attacks, and disinformation campaigns are increasingly targeting black communities across the US, thus prompting several initiatives to address the problem. CYBER.ORG, a workforce development organization, aims to address the issue through Project REACH, a feeder program designed to recruit K-12 students to pursue undergraduate cybersecurity degrees and strengthen the US cybersecurity workforce. The program was developed with funding from the US Homeland Security Department's Cybersecurity and Infrastructure Security Agency (CISA) to fill the more than 760,000 cybersecurity positions currently available and to raise awareness about cybersecurity issues in general. Project REACH began last year with a National Security Agency (NSA)-funded pilot at Grambling State University. Cybersecurity lessons were integrated into the curricula of three Louisiana high schools: Woodlawn High School, Huntington High School, and Southwood High School. According to Corisma Akins, cyber education specialist at CYBER.ORG, the goal was to improve students' foundational and technical cybersecurity skills, with an additional goal of increasing interest in Grambling State University's cybersecurity program. Project REACH improves access to cybersecurity education, resources to help students improve their cybersecurity skills, and opportunities to help students connect the dots to pursue cybersecurity careers. A recent study discovered that students in small and high-poverty school districts are significantly less likely to be exposed to cybersecurity education, resulting in considerably fewer pathways to entry into this critical field of study for lower-income and minority students. According to the same study, less than half of all K-12 classrooms in the US provide cybersecurity education. Akins explained that the expansion of Project REACH would help raise awareness of and access to cybersecurity education for black K-12 students, noting that the initiative includes outreach to educate black communities about cybersecurity. This article continues to discuss the goals and structure of Project REACH.

    The Record reports "CISA Funds Expanding Access to Cybersecurity Programs at HBCUs, K-12 Schools"

  • news

    Visible to the public "Culprit Behind Twilio Hack Traced to Earlier Vishing Attack That Nabbed Employee Credentials"

    Further investigation into an August smishing attack on Twilio has revealed a link to an earlier vishing (voice phishing) attack. The malicious actor behind the August Twilio hack appears to have also hit the company in June in a separate incident that exposed a smaller amount of customer contact information. The August Twilio hack resulted from a campaign that bombarded employees with SMS messages, eventually convincing one of them to visit a fake login page. The company recently completed its investigation into this incident and discovered that the same attacker was responsible for the smaller breach in June. In that earlier incident, however, a vishing call was used to convince a company employee to give up their login credentials over the phone. According to reports, the June vishing attack window lasted only about 12 hours and gave the attackers access to a "limited" amount of customer information. Those affected were notified in July, but the connection to the August attack is new. The August Twilio hack appears to have been launched shortly after customers were notified of the first attack, with the hacker changing approach to pose as a member of the company's IT staff and attempt to get employees to enter credentials into a fraudulent Okta login portal. This article continues to discuss the vishing attack carried out by the perpetrator behind the August Twilio hack.

    CPO Magazine reports "Culprit Behind Twilio Hack Traced to Earlier Vishing Attack That Nabbed Employee Credentials"

  • news

    Visible to the public "Private Conversations Between ADF Members at Risk Due to Cyberattack on Australian Defense Contractor"

    A ransomware attack may have exposed up to 40,000 records of private communications between current and former Australian Defence Force members. Data from a communications platform called ForceNet may have been stolen in an attack on an external Information and Communications Technology (ICT) service provider. According to Matt Keogh, minister for veterans' affairs and defense personnel, the stolen data set dates from 2018 and contains 30,000 to 40,000 records. Defense officials remain confident that no personal information was obtained, but they are still working out which current and former personnel, including public servants, may have been affected. The incident follows other recent cyberattacks in Australia, particularly those on Optus and Medibank. Together, these attacks are a reminder that people should carefully guard their personal information and that governments must ensure businesses take adequate security precautions. This article continues to discuss the ransomware attack on an Australian defense contractor that may have exposed up to 40,000 records of private communications between current and former Australian Defence Force members.

    CyberIntelMag reports "Private Conversations Between ADF Members at Risk Due to Cyberattack on Australian Defense Contractor"

  • news

    Visible to the public "Yanluowang Ransomware Leaks Suggest Pseudo Chinese Persona, REvil Links"

    Leaked chat data from the Yanluowang ransomware organization reveals a fake Chinese persona and possible connections to other ransomware organizations. Although Yanluowang is named after the Chinese and Buddhist mythological figure Yanluo Wang, chat data revealed that those involved in the organization spoke Russian. In February 2022, the group's most prominent member, operating under the alias 'Saint,' responded in a discussion about the arrests of former REvil members, claiming that five of the individuals in a linked news report were "former classmates." REvil is still active, but its reign over the ransomware landscape ended in 2021 as a result of a coordinated international law enforcement operation to arrest many of its core members. The remaining lower-level cybercriminals are suspected of having either remained with the organization or moved on to work for more lucrative rivals. Many more messages in Russian were leaked, as were more active aliases, including 'Killanas,' who was the second most active user in the organization after Saint. According to KELA's analysis, Killanas is believed to have played a role in code assignment management, alongside 'Felix' as a tester and 'Stealer' as another organization member. Chat logs between Felix and Stealer appeared to show that an ESXi version of Yanluowang ransomware was being developed. The leak also includes source code snippets from the ransomware locker program's builder and decryption processes, but the authenticity of these has yet to be verified. This article continues to discuss the leak of the Yanluowang ransomware organization's internal chat logs.

    ITPro reports "Yanluowang Ransomware Leaks Suggest Pseudo Chinese Persona, REvil Links"

  • news

    Visible to the public "White House Hosts International Summit Aimed At Thwarting Ransomware"

    The White House has hosted a global ransomware summit to combat the threat of ransomware. The International Counter Ransomware Summit includes 36 participating countries and technology companies, including Microsoft, Siemens, Mandiant, and more. According to a senior administration official, the summit is part of an international partnership that spans most of the world's time zones and highlights the threat posed by cybercriminals and cyberattacks. In order to address challenges, the agenda focuses on five themes: increasing the resilience of all partners, disrupting cybercriminals, combating illicit finance, building private-sector partnerships, and strengthening global cooperation. The Resilience Working Group, which was established at the first summit last year, is said to have held two threat exercises in 2021 to ensure members could participate and learn from one another in order to implement best practices in the event of an attack. The administration also brought further attention to recent attacks, such as the September ransomware attack on the Los Angeles Unified School District, which caused service disruptions. Other attacks mentioned include those targeting hospitals in France and the UK, as well as a significant ransomware attack that occurred recently in Australia. This article continues to discuss the goals and highlights of the International Counter Ransomware Summit.

    SiliconANGLE reports "White House Hosts International Summit Aimed At Thwarting Ransomware"

  • news

    Visible to the public "New Gangs and New Tactics Mean More Victims of Ransomware"

    According to the latest 2022 Bi-Annual Cyber Threat Report from Deep Instinct, ransomware actors have been forming affiliate gangs and employing new tactics to draw in more victims. The report reveals changes in ransomware gangs such as LockBit, Hive, BlackCat, and Conti. Conti has split into several splinter groups, including Quantum, BlackBasta, and BlackByte: following the shutdown of Conti, these three prominent former affiliate groups emerged under their own operations. The study also found a shift in tactics, with the use of documents to deliver malware decreasing as a result of Microsoft's decision to disable macros by default in Microsoft Office files. Threat actors have already begun using alternative methods to distribute malware, such as LNK, HTML, and archive email attachments. Several vulnerabilities have also demonstrated the exploitability of both Windows and Linux systems, despite efforts to improve their security. According to an analysis of the Known Exploited Vulnerabilities (KEV) catalog published by the US Homeland Security Department's Cybersecurity and Infrastructure Security Agency (CISA), the number of vulnerabilities exploited in the wild spikes every three to four months, and researchers anticipate another spike as the end of the year approaches. This article continues to discuss findings shared in Deep Instinct's 2022 Bi-Annual Cyber Threat Report.
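
    As an added example (not from the report or from Deep Instinct), the scanner below applies the tactic shift described above to mail attachments: it flags the LNK, HTML, and disk-image types now favored over macro documents, recurses into ZIP archives, spots a decoy double extension such as invoice.pdf.lnk, and recognizes a Windows shell-link header hiding under another extension. The sample ZIP is constructed in memory; the extension lists are the editor's, not the report's.

```python
import io
import os
import zipfile

# Attachment types the report singles out as replacements for macro documents,
# plus container formats that are used to smuggle them past mail filters.
RISKY_EXT = {".lnk", ".html", ".htm", ".iso", ".img", ".vhd", ".vhdx"}
ARCHIVE_EXT = {".zip"}
DECOY_EXT = {".pdf", ".docx", ".xlsx", ".txt", ".jpg", ".png"}

# Windows shell link (.lnk) files begin with HeaderSize 0x4C and the
# ShellLink CLSID 00021401-0000-0000-C000-000000000046 (little-endian layout).
LNK_MAGIC = bytes.fromhex("4c000000" "0114020000000000c000000000000046")


def _ext(name):
    return os.path.splitext(name.lower())[1]


def scan_attachment(name, data, depth=0, max_depth=3):
    """Return a list of 'path: reason' findings for one attachment, recursing
    into ZIP members. An empty list means nothing matched."""
    findings = []
    ext = _ext(name)
    if ext in RISKY_EXT:
        findings.append(f"{name}: {ext} attachment")
    if ext and _ext(name[:-len(ext)]) in DECOY_EXT:
        findings.append(f"{name}: decoy double extension")
    if data.startswith(LNK_MAGIC) and ext != ".lnk":
        findings.append(f"{name}: LNK header under a non-.lnk name")
    if ext in ARCHIVE_EXT:
        if depth >= max_depth:
            findings.append(f"{name}: archive nesting deeper than {max_depth}")
            return findings
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if info.flag_bits & 0x1:   # encrypted member: content hidden from the filter
                        findings.append(f"{name}/{info.filename}: encrypted archive member")
                        continue
                    inner = scan_attachment(info.filename, zf.read(info), depth + 1, max_depth)
                    findings.extend(f"{name}/{f}" for f in inner)
        except zipfile.BadZipFile:
            findings.append(f"{name}: unreadable ZIP")
    return findings


def build_sample_zip():
    """Constructed sample: a ZIP carrying a LNK behind a decoy .pdf extension
    next to a harmless text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.pdf.lnk", LNK_MAGIC + b"\x00" * 60)
        zf.writestr("readme.txt", b"Please open the attached invoice.")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan_attachment("documents.zip", build_sample_zip()):
        print(finding)
```

    Encrypted archive members are reported rather than silently skipped because a password in the email body is exactly how attackers keep the filter from seeing the LNK inside.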

    BetaNews reports "New Gangs and New Tactics Mean More Victims of Ransomware"

  • news

    Visible to the public "US Agencies Issue Guidance on Responding to DDoS Attacks"

    The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) have recently released joint guidance for responding to distributed denial-of-service (DDoS) attacks. CISA noted that DDoS attacks that produce high volumes of traffic are difficult to respond to and recover from. Such attacks may lead to degradation of service, loss of productivity, extensive remediation costs, and reputational damage. CISA stated that organizations should include steps to address these potential effects in their incident response and continuity of operations playbooks. To mitigate the risk of a DDoS attack, CISA noted that organizations should be aware of all internet-facing assets and the vulnerabilities potentially impacting them. Organizations should also identify how users connect to the corporate network, enroll in a DDoS protection service, ensure they understand existing defenses, and implement a DDoS response plan. The guidance applies to federal agencies and private organizations alike and provides additional recommendations on how organizations can prepare for DDoS attacks and details the steps they should take when responding to an ongoing assault.

    SecurityWeek reports: "US Agencies Issue Guidance on Responding to DDoS Attacks"

  • news

    Visible to the public "FTC Orders Chegg to Improve Security Following Multiple Data Breaches"

    The Federal Trade Commission (FTC) recently announced that it has reached an agreement with education technology provider Chegg over the company's cybersecurity failures leading to several data breaches. Chegg is based in California and provides student services such as online tutoring and digital and physical textbook rentals to high school and college students. The security mishaps, the FTC says, have exposed the personal information of tens of millions of customers and employees, including their Social Security numbers, email addresses, and login information. The FTC noted that since 2017, Chegg allegedly experienced four security breaches, but the company failed to implement the necessary protections. The FTC is now requiring the company to improve its security stance, to collect less personal data than before, to allow users to access and erase their data, and to implement multi-factor authentication (MFA).

    SecurityWeek reports: "FTC Orders Chegg to Improve Security Following Multiple Data Breaches"

  • news

    Visible to the public "ESF Partners, NSA, and CISA Release Software Supply Chain Guidance for Suppliers"

    The National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA), and the Office of the Director of National Intelligence (ODNI) have released Securing the Software Supply Chain: Recommended Practices Guide for Suppliers. The guide was produced through the Enduring Security Framework (ESF), a public-private cross-sector working group led by NSA and CISA that provides cybersecurity guidance to address high-priority threats facing the nation's critical infrastructure. In developing guidance for suppliers, ESF examined the events leading up to the SolarWinds attack, which showed that investment was needed in a set of industry- and government-evaluated best practices focused on the needs of software suppliers. Cyberattacks aim to disrupt, disable, destroy, or maliciously control a computing environment or infrastructure, as well as to destroy data integrity or steal controlled information. A malicious actor can exploit a single vulnerability in the software supply chain to cause severe harm to computing environments or infrastructure. Because software developers are required to securely develop and deliver code, verify third-party components, and harden the build environment, prevention is often considered their responsibility. However, the supplier is also critical in ensuring software security and integrity: the software vendor acts as a liaison between the customer and the software developer, and additional security features can be implemented through contractual agreements, software releases and updates, vulnerability notifications, and mitigations. This article continues to discuss the software supply chain guidance released for suppliers.

    NSA reports "ESF Partners, NSA, and CISA Release Software Supply Chain Guidance for Suppliers"

  • news

    Visible to the public "Researchers: 'CosMiss' Vulnerability Affecting Microsoft Azure Cosmos DB Could Give Attacker RCE Privileges"

    Researchers at Orca Security discovered a critical vulnerability in Azure Cosmos DB, a Microsoft-owned NoSQL database used for app development, in which authentication checks were missing from Cosmos DB Notebooks. According to the researchers, the "CosMiss" vulnerability would have allowed an attacker with knowledge of a notebook's forwardingID, the universally unique identifier of the Notebook Workspace, to have full permissions on the notebook without requiring authentication. This included read and write access and the ability to modify the file system of the notebook's container. Through the modification of the container file system, the researchers obtained Remote Code Execution (RCE) in the notebook container. Orca reported the flaw to the Microsoft Security Response Center (MSRC), which fixed the critical issue in two days. According to Avi Shua, co-founder and CEO of Orca Security, the lack of authentication checks in Cosmos DB Jupyter Notebooks was especially risky because Cosmos DB Notebooks are used by developers to create code and often include highly sensitive information, such as secrets and private keys embedded in the code. This article continues to discuss the CosMiss vulnerability affecting Microsoft Azure Cosmos DB.
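
    The flaw described above is a missing authentication check on an operation gated only by an identifier. The snippet below is an added illustration, not Azure's code or data model: a toy notebook store in which write_cell_vulnerable accepts the forwardingId as sufficient, beside a hardened version that requires a session and checks that the session's user owns the workspace. Users, tokens, and cell contents are constructed.

```python
import secrets
import uuid


class Forbidden(Exception):
    """Raised when a caller is not allowed to touch a workspace."""


# Toy in-memory stores; constructed for the example, not Azure's data model.
WORKSPACES = {}   # forwardingId (UUID string) -> {"owner": user, "cells": [...]}
SESSIONS = {}     # bearer token -> authenticated user


def create_workspace(owner):
    forwarding_id = str(uuid.uuid4())
    WORKSPACES[forwarding_id] = {"owner": owner, "cells": []}
    return forwarding_id


def login(user):
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = user
    return token


def write_cell_vulnerable(forwarding_id, code):
    """The flawed pattern: knowing the workspace UUID is treated as proof of
    authorization, so anyone holding the identifier can read and write."""
    ws = WORKSPACES.get(forwarding_id)
    if ws is None:
        raise KeyError("unknown workspace")
    ws["cells"].append(code)
    return len(ws["cells"])


def write_cell_hardened(forwarding_id, code, bearer=None):
    """Authenticate first, then authorize the caller against the workspace.
    Unknown workspace and wrong owner raise the same error so the response
    cannot be used to confirm whether a guessed identifier exists."""
    user = SESSIONS.get(bearer) if bearer else None
    if user is None:
        raise Forbidden("authentication required")
    ws = WORKSPACES.get(forwarding_id)
    if ws is None or ws["owner"] != user:
        raise Forbidden("not authorized")
    ws["cells"].append(code)
    return len(ws["cells"])


def read_cells_hardened(forwarding_id, bearer=None):
    user = SESSIONS.get(bearer) if bearer else None
    ws = WORKSPACES.get(forwarding_id)
    if user is None or ws is None or ws["owner"] != user:
        raise Forbidden("not authorized")
    return list(ws["cells"])


def demo():
    """An attacker holding only the forwardingId (leaked from a URL or a log)
    succeeds against the vulnerable handler and fails against the hardened one."""
    fid = create_workspace("dev@example")
    owner_token = login("dev@example")
    other_token = login("intruder@example")
    results = {"vulnerable_no_auth": write_cell_vulnerable(fid, "print(API_KEY)")}
    for label, kwargs in (("hardened_no_auth", {}),
                          ("hardened_wrong_user", {"bearer": other_token})):
        try:
            write_cell_hardened(fid, "print(API_KEY)", **kwargs)
            results[label] = "allowed"
        except Forbidden as err:
            results[label] = str(err)
    results["hardened_owner"] = write_cell_hardened(fid, "import os", bearer=owner_token)
    results["owner_reads"] = read_cells_hardened(fid, bearer=owner_token)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

    A UUID in a URL is routing information, not a credential: it travels through browser history, proxy logs, and referrer headers, so the check that matters is who the authenticated caller is and whether that caller owns the workspace.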

    SC Magazine reports "Researchers: 'CosMiss' Vulnerability Affecting Microsoft Azure Cosmos DB Could Give Attacker RCE Privileges"

  • news

    Visible to the public "Samsung Galaxy Store Flaw Could Have Allowed Installing Malicious Apps on Target Devices"

    A now-patched vulnerability in Samsung's Galaxy Store app could have resulted in remote command execution on affected phones. The flaw is a cross-site scripting (XSS) bug that can be triggered when certain deep links are handled. It affected Galaxy Store version 4.5.32.4 and was discovered by an independent security researcher via the SSD Secure Disclosure program. The researcher focused on deep links set up for Samsung's Marketing and Content Service (MCS). The Samsung MCS Direct Page website parsed a parameter from the URL and displayed it without encoding it, resulting in a reflected XSS vulnerability. While analyzing the deep link handling code, the researcher found two functions, downloadApp and openApp, in the EditorialScriptInterface class; the two functions take an app ID and download or open that app from the store, and both can be called from JavaScript. An attacker who can inject arbitrary script into the MCS page can therefore have it call these functions. This article continues to discuss the security flaw in the Galaxy Store app for Samsung devices that could have allowed remote command execution on affected phones.
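
    As an added illustration (not Samsung's code; the URL shape and the JavaScript object name the bridge is exposed under are assumptions), the snippet below models the reflection described above: a query parameter rendered into the page unencoded, beside the same page with output encoding, and a crude check for whether a script reaching the page calls the downloadApp or openApp bridge methods.

```python
import re
from html import escape
from urllib.parse import parse_qs, quote, urlparse

# Bridge methods named in the research; the JavaScript object they hang off
# ("EditorialScriptInterface" below) is assumed for the example.
BRIDGE_METHODS = ("downloadApp", "openApp")
_SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)


def build_link(text):
    """Assumed deep-link shape; the real MCS URL layout is not reproduced."""
    return "https://mcs.example/direct?text=" + quote(text)


def _param(deep_link, name):
    return parse_qs(urlparse(deep_link).query).get(name, [""])[0]


def render_vulnerable(deep_link):
    """Reflects the query parameter into the page body without encoding."""
    return "<div class='mcs-body'>" + _param(deep_link, "text") + "</div>"


def render_hardened(deep_link):
    """Same page with HTML entity encoding applied at the output point."""
    return "<div class='mcs-body'>" + escape(_param(deep_link, "text"), quote=True) + "</div>"


def executable_bridge_calls(page):
    """Crude model of what the WebView would run: the body of every <script>
    element in the page, reduced to calls on the exposed bridge methods."""
    calls = []
    for body in _SCRIPT_RE.findall(page):
        calls += [m for m in re.findall(r"\w+\.(\w+)\s*\(", body) if m in BRIDGE_METHODS]
    return calls


# Constructed payload: a script that asks the bridge to install an attacker-chosen package.
PAYLOAD = "<script>EditorialScriptInterface.downloadApp('com.example.dropper')</script>"

if __name__ == "__main__":
    link = build_link(PAYLOAD)
    print("vulnerable:", executable_bridge_calls(render_vulnerable(link)))
    print("hardened:  ", executable_bridge_calls(render_hardened(link)))
```

    Encoding at the output point removes the injection; the second lever, not modeled here, is not exposing install or launch primitives through a JavaScript interface to any page that can render attacker-controlled input.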

    Security Affairs reports "Samsung Galaxy Store Flaw Could Have Allowed Installing Malicious Apps on Target Devices"

  • news

    Visible to the public "Bed Bath & Beyond Investigating Data Breach After Employee Falls for Phishing Attack"

    Bed Bath & Beyond recently revealed in an SEC filing that it suffered a data breach after an employee fell victim to a phishing attack. The retailer has only shared a few details as the investigation is ongoing. The company stated that it became aware of unauthorized access to some data after an employee was targeted in a phishing scam in October. The company noted that the hacker gained access to data on a hard drive and some shared drives the targeted employee had access to. The company stated that at this point in the investigation, there is no evidence that the compromised drives stored sensitive or personally identifiable information. This is not the first time Bed Bath & Beyond has disclosed a cybersecurity incident. In 2019, the retailer revealed that some customer accounts had been breached. At the time, the company said hackers had obtained username and password combinations from a breach at a different company and relied on the fact that many people use the same credentials for multiple online accounts.

    SecurityWeek reports: "Bed Bath & Beyond Investigating Data Breach After Employee Falls for Phishing Attack"

  • news

    Visible to the public "OT/ICS Cybersecurity Threats Remain High"

    Organizations' security postures have matured significantly in response to Operational Technology (OT) and Industrial Control Systems (ICS) cybersecurity threats. According to the SANS 2022 OT/ICS Cybersecurity Report, a Nozomi Networks-sponsored SANS Institute survey, more than a third (35 percent) of respondents still do not know whether their organizations have been compromised, and attacks on engineering workstations have doubled in the last year. While organizations are proactively strengthening their digital defenses, the survey shows there is still work to be done. The risk to the OT environment was rated as high or severe by 62 percent of respondents (down from 69.8 percent in 2021). Ransomware and financially motivated cybercrime ranked first among threats (39.7 percent), followed by nation-state-sponsored attacks (38.8 percent). Non-ransomware criminal attacks ranked third (32.1 percent), closely followed by hardware/software supply chain risks (30.4 percent). While 10.5 percent of respondents said they had faced a breach in the previous 12 months (down from 15 percent in 2021), 35 percent said the engineering workstation was an initial infection vector (up from 18.4 percent last year). IT compromises continue to be the most common access vector (41 percent), followed by replication via removable media (37 percent). Sixty-six percent say their control system security budget has increased in the last two years, up from 47 percent the previous year. Fifty-six percent now detect compromises within the first 24 hours of an incident (up from 51 percent in 2021), and most (69 percent) say they go from detection to containment in 6 to 24 hours. This article continues to discuss key findings from the SANS 2022 OT/ICS Cybersecurity Report on OT/ICS cybersecurity threats and the maturing of ICS cybersecurity postures.

    Security Magazine reports "OT/ICS Cybersecurity Threats Remain High"

  • news

    Visible to the public "Cyberattacks in Healthcare Sector More Likely to Carry Financial Consequences"

    Netwrix released additional findings from its global 2022 Cloud Security Report for the healthcare sector, revealing that 61 percent of respondents in the healthcare industry experienced a cyberattack on their cloud infrastructure in the previous 12 months, compared to 53 percent in other sectors. The most common type of attack reported was phishing. Because the chances of success are higher in the healthcare sector, it is a lucrative target for attackers. Since patient health is the top priority for these organizations, IT security resources are often overstressed and focused on maintaining only the most essential functions, according to Dirk Schrader, VP of Security Research at Netwrix. Furthermore, the high value of data provides cybercriminals with more financial opportunities as they can either sell stolen, sensitive medical information on the dark web or extort a ransom for 'unfreezing' the medical systems used to keep patients alive. An attack in the healthcare sector is more likely to have financial ramifications. Only 14 percent of healthcare organizations say an attack had no effect on their business, compared to 32 percent of respondents from other industries. The most common types of damage caused by a cyberattack are unplanned expenses to cover security gaps and compliance fines. This article continues to discuss key findings from Netwrix's global 2022 Cloud Security Report regarding cyberattacks in the healthcare sector.

    Help Net Security reports "Cyberattacks in Healthcare Sector More Likely to Carry Financial Consequences"

  • news

    Visible to the public "Hackers Selling Access to 576 Corporate Networks for $4 Million"

    According to a new report, hackers are selling access to 576 corporate networks worldwide for a total cumulative sales price of $4,000,000. The findings come from the Israeli cyber-intelligence firm KELA, which published its Q3 2022 ransomware report, showing stable activity in the initial access sales sector but a significant increase in the value of the offerings. Although the number of network access sales remained roughly the same as in the previous two quarters, the total requested price has now reached $4,000,000. In comparison, the total value of initial access listings in Q2 2022 was $660,000, a decrease that coincided with the summer ransomware hiatus, which hampered demand. Initial Access Brokers (IABs) are hackers who sell access to corporate networks, typically through credential theft, webshells, or exploiting vulnerabilities in publicly exposed hardware. After gaining access to the network, threat actors sell it to other hackers, who use it to steal valuable data, launch ransomware, or engage in other malicious activity. The reasons IABs do not use network access vary, from a lack of diverse intrusion skills to a preference not to risk increased legal trouble. IABs continue to play an important role in the ransomware infection chain, despite being sidelined last year when large ransomware gangs that operated as crime syndicates had their own IAB departments. This article continues to discuss the hackers selling access to corporate networks for millions of dollars, which is fueling enterprise attacks.

    Bleeping Computer reports "Hackers Selling Access to 576 Corporate Networks for $4 Million"

  • news

    Visible to the public "Cyberattack Strikes Global Copper Conglomerate"

Aurubis, a global recycler and provider of copper, has assured its customers that a cyberattack on October 28 did not halt production, but it did temporarily shut down the entire company's systems. According to the Aurubis corporate website, the company has a presence in 20 countries and employs approximately 6,900 people. Aurubis said in a statement that it disconnected its entire IT operation as a precaution, but that smelter sites across Europe and production facilities, including one in Buffalo, NY, remained operational. Local Buffalo news station WGRZ, meanwhile, reported layoffs at the Aurubis plant in the area as a result of the breach, and teams at the company's headquarters in Hamburg, Germany, are working with authorities to investigate the attack. This article continues to discuss the Aurubis breach.

    Dark Reading reports "Cyberattack Strikes Global Copper Conglomerate"

  • news

    Visible to the public "Critical RCE Vulnerability Reported in ConnectWise Server Backup Solution"

ConnectWise, an IT service management software platform, has released software patches to address a critical security vulnerability in Recover and R1Soft Server Backup Manager (SBM). The vulnerability, classified as improper neutralization of special elements in output used by a downstream component (the CWE-74 injection weakness class), could be exploited to achieve remote code execution or the disclosure of sensitive information. According to ConnectWise's advisory, the critical flaw affects Recover v2.9.7 and earlier, as well as R1Soft SBM v6.16.3 and earlier. The root cause of the problem is an upstream authentication bypass vulnerability in the ZK open-source Ajax web application framework (CVE-2022-36537), which was first patched in May 2022. This article continues to discuss the critical RCE vulnerability found in Recover and R1Soft SBM.
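The advisory gives affected ranges by version ("v2.9.7 and earlier", "v6.16.3 and earlier"), and the first thing an operator wants is a reliable way to triage an inventory against those bounds. The script below is an added example written for this summary, not ConnectWise or R1Soft tooling; the product labels `recover` and `r1soft-sbm`, the inventory line format, and the hostnames are all assumptions, and the sample inventory is constructed. The one thing it demonstrates that a quick `grep` does not is correct numeric comparison: `2.9.10` is newer than `2.9.7`, which a plain string comparison gets wrong.

```python
"""Flag ConnectWise Recover / R1Soft SBM installs in the advisory's affected range.

Added example, not ConnectWise's own tooling. The affected ranges come from the
advisory summary above (Recover <= 2.9.7, R1Soft SBM <= 6.16.3); product labels,
the inventory format and the hosts below are constructed sample data.
"""
import re

# Last affected release per product, per the advisory summary (labels assumed).
LAST_AFFECTED = {
    "recover": (2, 9, 7),
    "r1soft-sbm": (6, 16, 3),
}

_VERSION_RE = re.compile(r"^v?(\d+(?:\.\d+)*)")


def parse_version(s):
    """Parse 'v6.16.3' or '6.16.3-build42' into a tuple of ints.

    Integer tuples compare component-wise, so (2, 9, 10) > (2, 9, 7); comparing
    the raw strings would say '2.9.10' < '2.9.7' and miss the patched host.
    """
    m = _VERSION_RE.match(s.strip())
    if not m:
        raise ValueError(f"unparseable version: {s!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def is_affected(product, version):
    """True if `version` is at or below the last affected release for `product`."""
    last = LAST_AFFECTED[product]
    v = parse_version(version)
    # Pad the shorter tuple with zeros so that 6.16 compares as 6.16.0.
    n = max(len(v), len(last))
    v = v + (0,) * (n - len(v))
    last = last + (0,) * (n - len(last))
    return v <= last


def triage(inventory_lines):
    """Each line: '<host> <product> <version>'. Returns hosts still needing the patch."""
    needs_patch = []
    for line in inventory_lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, product, version = line.split()
        if is_affected(product, version):
            needs_patch.append(host)
    return needs_patch


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = """
# host      product     version
backup01    r1soft-sbm  v6.16.3
backup02    r1soft-sbm  6.16.4
backup03    r1soft-sbm  6.16.10
dr-site     recover     2.9.7
dr-site2    recover     2.9.10
""".splitlines()

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: in affected range, apply the ConnectWise patch")
```

Running it lists `backup01` and `dr-site`; `backup03` (6.16.10) and `dr-site2` (2.9.10) are correctly treated as patched even though they sort "lower" as strings.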

    THN reports "Critical RCE Vulnerability Reported in ConnectWise Server Backup Solution"

  • news

    Visible to the public "Data Breach of Missile Maker MBDA May Have Been Real: CloudSEK"

Back in July, the Adrastea threat actor group announced a data breach affecting MBDA, a European missile manufacturer with ties to NATO. At the time, the company promptly refuted the claims, saying that while some files were stolen, MBDA was not hacked, and its security systems remained intact. The missile maker also stated that the data made available online was "neither classified data nor sensitive." Security researchers at CloudSEK have now written a new advisory about the alleged hacking campaign against MBDA. The researchers were able to obtain and analyze the password-protected ZIP file containing the samples for the data breach. According to the researchers, the folder included files detailing the confidential personally identifiable information (PII) of MBDA's employees, alongside multiple standard operating procedures (SOPs) underlying the requirements for NATO's Counter Intelligence to avert threats related to Terrorism, Espionage, Sabotage, and Subversion (TESS). The researchers noted that the SOPs identify NATO collection and plan functions, responsibilities, as well as procedures used in support of NATO operations and exercises. The SOPs also include all activities of the Intelligence Requirement Management and Collection Management (IRM & CM) process that results in the effective and efficient execution of the intelligence cycle. The researchers noted that the obtained files also included internal sketches of cabling diagrams for missile systems, electrical schema diagrams, and documentation of activities tying MBDA to the Ministry of Defence of the European Union. The researchers at CloudSEK noted that the reputation of Adrastea as a threat actor is currently low, as multiple concerns and complaints were recorded in the dark web forums where the hacker posted the alleged MBDA information. The researchers stated that this is the group's first recorded activity, so it is difficult to say whether or not the information posted is legitimate.

    Infosecurity reports: "Data Breach of Missile Maker MBDA May Have Been Real: CloudSEK"

  • news

    Visible to the public Pub Crawl #67

    Pub Crawl summarizes, by hard problems, sets of publications that have been peer reviewed and presented at SoS conferences or referenced in current work. The topics are chosen for their usefulness for current researchers.

  • news

    Visible to the public "Why a Hardware Bill of Materials Is a Critical Component for Securing Electronic Products"

    The ability of an organization to protect its most sensitive data comes down to ensuring that all of its bases are covered, which is difficult to do when the foundation is weak. Traditionally, the cybersecurity industry has focused on identifying and patching software vulnerabilities, but it is easy to forget that software runs on semiconductor chips, and if the hardware in a product or system is compromised, there could be harmful consequences. Because hardware security is often overlooked, transparency throughout the entire chip development cycle is more important than ever. Implementing a Hardware Bill of Materials (HBOM) not only contributes to that peace of mind but also allows for improved security and maintenance of electronic products. Chips can be found in phones, computers, automobiles, medical devices, and other devices. The US is also investing more in chip manufacturing, as evidenced by the recently passed CHIPS Act, which includes $52 billion in funding to strengthen the nation's computer chip industry. Hardware, unlike software, cannot simply be patched, and the further along chip development is, the more difficult it is to fix any flaws. When a vulnerability is discovered, it is often too late to fix, leaving organizations scrambling to determine the root cause of the problem. The "Augury" flaw affecting Apple's M1 chips demonstrates that taking a reactive approach to hardware security results in exposure to significant risk. Although an Experian-level Personally Identifiable Information (PII) security breach at the hardware level has not been seen yet, it is not a risk worth taking. Organizations need to get proactive by tracking and documenting hardware security properties with HBOMs, which provide a detailed inventory of the hardware components together with their security features and the validation performed on them. HBOMs should document the security intent set at the product planning stage, based on security feature and verification requirements, the threat model that was considered during the design process, the embedded security design components, and other factors. This article continues to discuss the vulnerability of semiconductor chips, the growing push for a Software Bill of Materials (SBOM), and what an HBOM should feature.
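The article lists what an HBOM entry should carry (security intent, the threat model considered in design, embedded security components, and verification evidence) but does not show how a team would enforce that. The following is an added example, not code from the article or from any HBOM standard: it encodes that checklist as a validator over a small JSON HBOM. The record layout (`components`, `security_intent`, `threat_model`, `security_components`, `verification`, `supplier`) is a hypothetical schema chosen for illustration, and the sample board, part names and report identifier are constructed. The useful property is that a component with no security evidence at all, or with verification still pending, fails the gate before the board is released.

```python
"""Check that each hardware component in an HBOM carries the security evidence
the article asks for. Added example; the JSON layout is a hypothetical schema,
not a published HBOM standard, and the sample board below is constructed.
"""
import json

# Evidence the article says an HBOM entry should carry (key names are assumed).
REQUIRED_EVIDENCE = (
    "security_intent",       # security goals fixed at product planning
    "threat_model",          # threat model considered during design
    "security_components",   # embedded security design components
    "verification",          # how the security features were validated
)

# Constructed sample HBOM for a fictional gateway board.
SAMPLE_HBOM = json.loads("""
{
  "product": "example-gateway-rev-b",
  "components": [
    {
      "ref": "U1", "part": "example-soc-a7", "supplier": "ExampleSilicon",
      "security_intent": "Only signed firmware may execute",
      "threat_model": "Attacker with physical and network access; root of trust assumed intact",
      "security_components": ["secure boot ROM", "OTP key fuses"],
      "verification": {"method": "secure-boot bypass testing", "status": "passed", "report": "SB-2022-11"}
    },
    {
      "ref": "U7", "part": "example-tpm-2",
      "security_intent": "Measured boot attestation",
      "threat_model": "Firmware tampering after manufacture",
      "security_components": ["TPM 2.0"],
      "verification": {"method": "attestation log replay", "status": "pending"}
    },
    {
      "ref": "U12", "part": "example-wifi-module", "supplier": "ExampleRF"
    }
  ]
}
""")


def validate_component(comp):
    """Return a list of findings for one component; an empty list means complete."""
    findings = []
    for key in REQUIRED_EVIDENCE:
        if key not in comp or comp[key] in ("", [], {}, None):
            findings.append(f"missing {key}")
    ver = comp.get("verification")
    # Evidence that exists but has not passed is a finding, not a pass.
    if isinstance(ver, dict) and ver.get("status") != "passed":
        findings.append(f"verification status is {ver.get('status', 'unknown')!r}, not 'passed'")
    if "supplier" not in comp:
        findings.append("missing supplier (provenance)")
    return findings


def validate_hbom(hbom):
    """Map component ref -> findings, listing only components that have any."""
    report = {}
    for comp in hbom["components"]:
        findings = validate_component(comp)
        if findings:
            report[comp["ref"]] = findings
    return report


if __name__ == "__main__":
    for ref, findings in validate_hbom(SAMPLE_HBOM).items():
        print(f"{ref}: " + "; ".join(findings))
```

On the sample board, U1 passes, U7 is flagged for pending verification and missing supplier provenance, and U12 (a module added with no security documentation) is flagged for all four missing evidence fields, which is exactly the "reactive" gap the article warns about.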

    CPO Magazine reports "Why a Hardware Bill of Materials Is a Critical Component for Securing Electronic Products"

  • news

    Visible to the public "Niche-Filling New Course Meets Aircraft and Spacecraft Industries' Workforce Need"

    The new Purdue Aviation and Space Cybersecurity course provides engineering students with valuable cyber-domain security knowledge while also providing computer science and cybersecurity majors with aeronautical and astronautical engineering knowledge. Aeronautical and astronautical engineering graduates typically lack a solid understanding of cyber risks and vulnerabilities, according to Joel Rasmus, director of the Purdue Center for Education Research in Information Assurance and Security (CERIAS), who formed the new course in response to industry members of the CERIAS Strategic Partnership Program. Rasmus also emphasized that cyber-focused students have not been prepared to understand the technical principles of size, weight, and power, as well as other engineering specifics. The demand for this dual expertise is high and increasing. Avionic systems, which are aircraft systems that combine aviation and electronics, include communications, navigation, and more, with each system and function being a potential target for malicious adversaries. The course is designed to teach students how to solve real-world problems. Using problem scenarios provided by industry members, teams of students work with Purdue faculty and industry mentors to develop solutions. Students from cybersecurity, computer science, data science, industrial engineering, aeronautical and astronautical engineering, and mechanical engineering will collaborate to address a specific industry concern. The students are working on a project sponsored by Boeing during the course's first semester, with the mission being to develop an algorithm that uses industry-accepted aeronautical engineering principles while also addressing the need for measurable cybersecurity. This article continues to discuss the new Purdue Aviation and Space Cybersecurity course and the importance of dual expertise.

    Purdue University reports "Niche-Filling New Course Meets Aircraft and Spacecraft Industries' Workforce Need"

  • news

    Visible to the public "5G Communications Security"

    Keith Gremban, an aerospace research professor at the University of Colorado Boulder, is leading a military-oriented research project aimed at enabling the secure use of 5G networks that could be controlled by an adversary. Gremban has received a $749,000 National Science Foundation (NSF) phase-one grant for his project called GHOST: 5G Hidden Operations through Securing Traffic. The project's goal is to ensure that American soldiers and infrastructure operators can use hostile 5G cellular networks in other countries without those countries gaining valuable operational information. The study will take two paths, with the first looking into ways to mask communications by creating constant background noise on cellular networks. The second track is to send out intentional false flag communications in order to confuse enemies. Gremban has assembled a team of multidisciplinary researchers from industry and academia, including Tamara Lehman, an assistant professor of electrical engineering whose research focuses on computer security from a hardware standpoint. This article continues to discuss the GHOST: 5G Hidden Operations through Securing Traffic NSF-backed project.

    University of Colorado Boulder reports "5G Communications Security"

  • news

    Visible to the public "Why Are There So Many Data Breaches? A Growing Industry of Criminals Is Brokering in Stolen Data"

    Researchers at Deakin University discuss the rise in cybercrime and who is responsible for the latest surge in cyberattacks. According to Deakin University's James Martin, Senior Lecturer in Criminology, and Chad Whelan, Professor of Criminology, the rising number of data breaches is being driven by the growth of a global illicit industry in which data is traded. Hackers known as "initial access brokers" are particularly skilled at illegally gaining access to victim networks and then selling this access to other cybercriminals. Hackers and initial access brokers are only one component of a vast and evolving cybercrime ecosystem. This ecosystem consists of various cybercriminal groups specializing in one aspect of online crime and then collaborating to perform the attacks. For example, ransomware attacks are one of the fastest-growing and most damaging types of cybercrime, involving malicious software that paralyzes a victim's device or system until a decryption key is provided following a ransom payment. Ransomware attacks earned cybercriminals more than $600 million in 2021 alone. The enormous amounts of money to be made in ransomware and the number of targets to choose from all over the world fuel the growth of a vast ransomware industry. These attacks are increasingly being carried out by networks of different cybercriminal groups, each of which specializes in a different stage of the attack. Initial access brokers often carry out the first stage of a ransomware attack. It is their job to gain access to a victim's network. Once they have gained access to a victim's network, they typically sell this access to other groups, who then steal data and use ransomware to take down the victim's computer systems. This type of crime has a massive and growing underground market. On both the dark web and surface web, dozens of online marketplaces provide services from initial access brokers. Their access to businesses can be purchased for as little as $10, though more privileged, administrator-level access to larger businesses can cost several thousand dollars or more. This article continues to discuss insights into the cybercrime ecosystem behind the rise in cyberattacks.

    The Conversation reports "Why Are There So Many Data Breaches? A Growing Industry of Criminals Is Brokering in Stolen Data"

  • news

    Visible to the public "Ukraine Cybersecurity Head Says Cyberwar Affects Us All"

In a keynote talk at the BlackBerry Security Summit, Ukraine's state cybersecurity officer, Victor Zhora, stressed that no country or company can protect itself alone and that now is not the time to isolate oneself. According to Zhora, the best way to combat cybercriminals is to work together, exchange information, and help one another. Wiper attacks, he explained, have had the greatest impact on Ukraine's cybersecurity; unlike traditional attacks, which aim to steal or extort, wiper malware maliciously overwrites or removes data from a victim's system to destroy it. Zhora pointed out that Russia's aggression, both on land and in cyberspace, has been ongoing for years, with the full-scale war beginning in February 2022. Recent attacks against Ukraine include the IsaacWiper malware against Ukrainian government networks, Distributed Denial-of-Service (DDoS) attacks against the Ukrainian banking sector and government websites, phishing attacks against both state and media organizations, and more. Attackers have targeted nearly every industry, including nuclear power plants, transportation and logistics companies, and telecommunications providers. According to Zhora, Ukraine has received ongoing assistance from the global IT community, as well as governments and private sector experts. This includes hardware, software, cloud, and wireless systems, as well as cyber intelligence and consultancy. Cyber resilience is dependent on the global community's collaborative efforts. In Zhora's address to the corporate audience, he emphasized the importance of investing in and building a cybersecurity system as a strategic method to improve the state's cyber resilience. This article continues to discuss key points made by the chief digital transformation officer at the State Service of Special Communications and Information Protection of Ukraine.

    VB reports "Ukraine Cybersecurity Head Says Cyberwar Affects Us All"

  • news

    Visible to the public "Indiana University Building a Medical Device Security Lab With TriMedX"

Indiana University Health is collaborating with TriMedX to establish a new cybersecurity lab that will assess and test the security of medical devices in the hopes of reducing cybersecurity threats during the device development process. TriMedX, specializing in clinical engineering and clinical asset management, will bring its technology expertise to Indiana University Health's medical device security lab, where there will be collaborative efforts on testing medical devices for security vulnerabilities and interoperability. The company has data on 92 percent of all active medical device models. The security lab's goal is to test the medical equipment in an environment that poses no risk to patients. Cyber researchers will evaluate new devices before they are implemented in hospitals. In addition, they will test configurations and security setups to determine which services must be turned on and which ports must be available on the network to ensure operational safety. They will also run security scans against the equipment with no live impact on the hospital network or on patients. Both organizations say the goal is to eventually share these capabilities with other health systems. According to Indiana University Health and TriMedX, nearly 70 percent of medical devices will be connected by 2025. Meanwhile, reports show that hospitals continue to struggle with their Internet of Things (IoT) device security strategies. In one recent survey, over half of the respondents said their healthcare organizations had experienced one or more cyberattacks involving connected medical devices in the previous 24 months, and the FBI warns that many of these devices run outdated software. This article continues to discuss the collaboration between Indiana University Health and TriMedX to build a medical device security lab aimed at helping healthcare organizations remediate vulnerabilities before equipment reaches the patient floor.

    HealthcareITNews reports "Indiana University Building a Medical Device Security Lab With TriMedX"