News Items

A joint team recently conducted a new cybersecurity course at the Norwegian University of Science and Technology (NTNU) in Alesund. NTNU's program for the maritime industry has offered a new course called "Maritime digital security." Participants explored existing digital threats and conducted an experimental cyberattack on a ship. The primary focus is on cyber risk management and building resilience. Where Information Technology (IT) and people intersect, digital vulnerability exists. According to Marie Haugli-Sandvik and Erlend Erstad, Ph.D. candidates in the Department of Ocean Operations and Civil Engineering at NTNU, security breaches can occur through the ship's systems, the port system, and the people who run or supervise these systems. They are examining how the maritime industry could be better prepared for cyberattacks. The maritime digital security course devised and led by the two Ph.D. candidates appears to be the first of its kind in Norway. Haugli-Sandvik surveyed 293 deck officers from 11 major Norwegian offshore shipowners. Eighty-three percent of respondents reported getting some cybersecurity training, while 15 percent said they had never received training. Two percent were unaware of their training status. Sixty-six percent of the surveyed deck officers were unsure or disagreed that they had sufficient training to handle a cyber incident on board. Such incidents can impact ship operations, as they could disrupt administrative systems for passenger lists, sailing licenses, and more. This article continues to discuss the development, purpose, and contributions of the NTNU course on maritime digital security.

SCIENMAG reports "What Do You Do if a Hacker Takes over Your Ship?"

According to a new report by the Financial Services Information Sharing and Analysis Center (FS-ISAC), Russia's war with Ukraine caused a rise in politically motivated hacktivism that continues to this day, significantly impacting the cyber threat landscape for financial services. FS-ISAC's annual global intelligence threat report revealed that the cyber threats faced by the financial industry have worsened because of the war, as both sides consist of hacktivist groups who have conducted Distributed Denial-of-Service (DDoS) attacks, website takeovers, and other activities, with many targeting financial institutions in countries whose governments are at odds with Moscow and Vladimir Putin. Many of these attacks are considered relatively low-impact. However, they still show how the Internet has helped turn today's geopolitical conflicts into an activity for hackers with strong political preferences worldwide. The report emphasized that financial organizations in countries that Russia considers hostile have been singled out for attacks and named as targets on Telegram and other hacktivist forums. Although the attacks have not yet caused significant damage, they should be noted for their potential to temporarily disrupt companies and governments, as well as draw media attention. This article continues to discuss wartime hacktivism impacting the financial services industry.

SC Magazine reports "Report: Wartime Hacktivism Is Spilling over into the Financial Services Industry"

Through edge computing, computation and data storage are brought closer together, reducing the amount of data sent to and from the cloud. Although edge computing reduces some security risks by keeping data near its source, it also adds new security threats. Assistant professor of computer science and engineering in the McKelvey School of Engineering at Washington University in St. Louis, Ning Zhang, won a three-year award from Intel to support work in ensuring the availability of the Intel Trusted Edge Platform (TEP). Zhang contributes his knowledge in system security and national defense to the development of novel theories and technologies for protecting the TEP ecosystem, including servers, networks, software, and algorithms. Zhang's focus is on edge-enabled Cyber-Physical Systems (CPSs), such as self-driving cars, implantable medical devices, and robots, which are especially vulnerable to security threats because of their continuous interaction with the physical world. Zhang and his team are working on designing customized defenses to guarantee real-time system availability, even when the system is under attack, ensuring the security of these systems. This article continues to discuss the project aimed at improving the security of edge-enabled CPSs.

Washington University in St. Louis reports "Securing Edge-Enabled Cyber-Physical Systems"

According to security researchers at EasyDMARC, only 1.2% of nearly 10 million .org domains in circulation have fully implemented DMARC to mitigate the risk of phishing. The researchers reviewed over 9.9 million verified .org email domains and found that just 376,497 (3.8%) had implemented the Domain-based Message Authentication, Reporting, and Conformance (DMARC) security standard. The researchers noted that DMARC helps to prevent phishing by automatically flagging and blocking any incoming emails thought to be spoofed. For it to be effective, organizations must set their systems to a "reject" policy which means any suspect emails are automatically blocked before they hit the recipient's inbox. A "quarantine" policy will allow the messages through but ensure they are directed to the spam folder, while "p=none" will let suspect emails straight through. Unfortunately, the researchers noted that of the small 3.8% of global .org domains with DMARC deployed, 171,486 (45.6%) had been incorrectly configured, so the organization lacked visibility into received or blocked emails. Additionally, of those with DMARC, over half (58%) had no policy, while 15% had selected a quarantine option. The researchers stated that the top 100 .org domains by traffic fared a little better: three-quarters had DMARC, and around a quarter (27%) of these had set their policy to p=reject. With .org primarily used by non-profits, the findings are a concern for the sector.

Infosecurity reports: "Just 1% of Dot-Org Domains Are Fully DMARC Protected"

According to a new report from the European Union Agency for Cybersecurity (ENISA), ransomware attacks are the most pressing cyber threat faced by the transportation sector. This is the first time the agency has analyzed threats to the aviation, maritime, railway, and road sectors. ENISA emphasizes that while most ransomware attacks have so far targeted Information Technology (IT) systems such as databases, ransomware groups are likely to target and disrupt Operational Technology (OT) systems in the near future, potentially causing victims even greater harm. OT systems commonly monitor or control mechanical operations, making them important to the safety of airports, ports, rail traffic, and other parts of the transportation industry. ENISA stated that it has not received "reliable information" on a cyberattack harming the safety of transportation, but that the risk of cyberattacks on OT systems is increasing as a result of digital transformation's integration of traditionally segmented IT and OT systems. In addition, the organization stated that the supposed urgency of the transportation sector "to pay ransom to avoid any critical business and social impact" could be encouraging further attacks. While the bulk of transportation sector attacks in 2022 were motivated by financial gain, the maritime industry proved to be of particular interest to state-sponsored groups. This article continues to discuss key points made by ENISA's report on the transport threat landscape.

The Record reports "Ransomware 'Likely' to Target Transportation OT Systems, Warns EU Cyber Agency"

Researchers have discovered attacks by a sophisticated threat actor involving a previously unknown malicious framework called CommonMagic and a new backdoor called PowerMagic. Since at least September 2021, both pieces of malware have been used in ongoing espionage operations against organizations in the administrative, agriculture, and transportation sectors. According to researchers, the hackers are interested in gathering data from victims in Donetsk, Lugansk, and Crimea. Once within the victim network, the CommonMagic espionage campaign's perpetrators can use different plugins to steal documents and files from USB devices. The malware can also take screenshots using the Windows Graphics Device Interface (GDI) Application Programming Interface (API) every three seconds. The researchers suspect spear phishing or a similar technique was used to deliver a URL referring to a ZIP archive containing a malicious LNK file. This article continues to discuss CommonMagic and PowerMagic.

Bleeping Computer reports "Hackers Use New PowerMagic and CommonMagic Malware to Steal Data"

Security researchers have observed that advances in deep learning algorithms, audio editing, and synthetic voice generation are making it increasingly feasible to replicate a person's voice convincingly. In addition, Artificial Intelligence (AI)-driven chatbots such as ChatGPT are beginning to create realistic scripts with adaptive real-time responses. Combining these technologies with voice generation transforms a deepfake from a static recording into a lifelike avatar capable of carrying on a convincing phone conversation. Researchers behind the DeFake Project of the Rochester Institute of Technology, the University of Mississippi, Michigan State University, and more are working to detect video and audio deepfakes as well as reduce the damage they inflict. Voice phishing (vishing) scams are the most common voice deepfakes encountered in the workplace and at home. For example, in 2019, criminals scammed an energy company out of $243,000 by imitating the voice of its parent company's boss to instruct an employee to transfer funds to a supplier. In 2022, people were conned out of an estimated $11 million by simulated voices. This article continues to discuss security researchers' concerns regarding voice deepfakes and how people can avoid getting scammed by them.

The Conversation reports "Voice Deepfakes Are Calling - Here's What They Are and How to Avoid Getting Scammed"

Security teams are urged to double-down on their efforts to patch the two-year-old VMware ESXi server vulnerability that impacted thousands of VMware customers. According to a blog post published by AT&T Cybersecurity on March 20, companies that have not installed the patch are at risk of falling victim to ransomware. The ESXiArgs ransomware campaign hit around 3,200 VMware ESXi servers worldwide, according to a Censys search. The most affected country was France, followed by the US, Germany, and Canada. BlueVoyant's director of external cyber assessments, Lorri Janssen-Anessi, advised security teams to install VMware ESXi updates promptly. If companies are unable to update, they should configure their system to minimize risks, including disabling the port targeted by ransomware. In addition, all organizations using the impacted VMware software should conduct thorough system scans to detect any indicators of compromise. This article continues to discuss the need for security teams to double-down on patching VMware ESXi servers.

SC Media reports "Security Researchers Double-Down on the Need to Patch VMware ESXi Servers"

According to research conducted by Cybernews, the entertainment industry giant Lionsgate leaked users' IP addresses and details about the content they have viewed on its movie-streaming platform. Researchers discovered that the movie-streaming platform Lionsgate Play had exposed user data via an open ElasticSearch instance. They found 20GB of unsecured server logs containing nearly 30 million entries, the oldest of which was from May 2022. The logs exposed subscribers' IP addresses together with information on their devices, operating system, and web browser. Logs also revealed the platform's usage data, which is commonly used for analytics and performance tracking. URLs found in logs contained the titles and IDs of the content that users watched, as well as their search queries. Researchers also discovered unidentified hashes with logged HTTP GET requests, records of client requests usually used to get data from a web server. Malicious actors can use the combination of IP addresses and device information to launch targeted attacks on users and deliver malicious payloads to their devices. This article continues to discuss the leak of user data by the video-streaming platform Lionsgate Play.

Cybernews reports "Lionsgate Streaming Platform with 37M Subscribers Leaks User Data"

Associates in Dermatology (AID), a healthcare provider with offices in New Albany and Clarksville, is notifying community members of a data breach issue. Recently the provider announced in a news release that Virtual Private Network (VPN) Solutions faced a ransomware issue that could potentially affect patients of the dermatology clinic. The company provides electronic health record management software for the provider. The data breach occurred around October 31, 2021, leading to a forensic investigation. The investigation concluded in January of this year. VPN "identified files pertaining to AID that potentially contained sensitive information." The company said that on March 10, 2023, AID determined that the compromised files may have also contained personally identifiable information. AID is working to identify all the specific individuals and the type of data that was impacted by VPN's breach in order to provide sufficient notice. AID has no reason to believe that any individual's information has been misused as a result of this event. AID said that compromised data may include patients' names, addresses, Social Security numbers, dates of birth, medical conditions, treatments, diagnoses, test results, health insurance policy numbers, subscriber identification numbers, and health plan beneficiary numbers. The data that VPN identified as compromised varied with each individual.

Yahoo News reports: "Associates in Dermatology Responds to Data Breach"

Security researchers at Mandiant have analyzed the zero-day vulnerabilities disclosed in 2022 and found that over a dozen of them were used in attacks believed to have been carried out by cyberespionage groups. The researchers noted that the cybersecurity community cannot reach an agreement on the definition of a zero-day vulnerability. Some define as zero-day as any vulnerability whose details are made public before a patch is released, while others only assign a zero-day classification to flaws that were actually exploited in attacks before a fix was made available. The researchers stated that only vulnerabilities that were exploited in the wild before a patch was released were included in their zero-day analysis. According to the researchers, 55 zero-day vulnerabilities came to light last year. While this is a significant drop from the 81 discovered in 2021, it's still more than in any other previous year. The researchers noted that many of the zero-days found last year were not publicly attributed to a known threat actor. Of the ones that were attributed, 13 were linked to cyberespionage groups, including seven believed to have been exploited by Chinese state-sponsored groups. Chinese hackers targeted vulnerabilities such as CVE-2022-30190 (the Windows flaw known as Follina), CVE-2022-42475, and CVE-2022-41328 (Fortinet product vulnerabilities). The researchers stated that two of the zero-days attributed to state-sponsored threat actors were linked to North Korea, and two were tied to Russia. Three vulnerabilities were exploited by commercial spyware vendors such as Candiru and Variston. One flaw was seen being exploited by both China and Russia and spyware vendors as well. The researchers stated that four of the zero-days spotted in 2022 were likely exploited by financially motivated threat actors, including CVE-2022-29499 (by Lorenz ransomware), and CVE-2022-41091 and CVE-2022-44698 (by Magniber ransomware). Of the 55 zero-days that emerged in 2022, 18 impacted Microsoft products, 10 impacted Google products, and 9 were found in Apple products. Other affected vendors included Fortinet, Mozilla, Sophos, Trend Micro, Zimbra, Adobe, Atlassian, Cisco, Mitel, SolarWinds, Zoho, QNAP, and Citrix. As for product types, 19 flaws impacted desktop operating systems, followed by browsers (11), security, IT, and network management products (10), and mobile operating systems (6).

SecurityWeek reports: "Exploitation of 55 Zero-Day Vulnerabilities Came to Light in 2022: Mandiant"

Through 37 in-depth interviews with global CEOs, a team of researchers from the University of Oxford and ISTARI revealed the emotions and challenges associated with effectively managing cyber risk. They have shared the findings of their joint CEO Report on Cyber Resilience, which applies a top-management perspective to cybersecurity risks and emphasizes CEOs' critical role in establishing cyber resilience. It presents insights from one-hour face-to-face interviews with American, Asian, and European CEOs whose companies' average annual revenue is $12 billion, with an average of 40,000 employees. Nine CEOs had led their organization through a severe cyberattack. Under anonymity, the CEOs discussed their feelings, frustrations, and regrets regarding cyber threats and security. The CEOs admitted that they are formally accountable for cybersecurity to regulators, shareholders, and their boards. However, most (72 percent) reported being uncomfortable about making cybersecurity-related decisions, often prompting them to delegate responsibility for and understanding of cybersecurity to their technology teams, which can compromise resilience. All interviewed CEOs stated that they feel accountable for cybersecurity, but a parallel ISTARI survey of CISOs revealed that two European (50 percent) and nearly a third of US (30 percent) CISOs did not believe that their CEOs feel accountable. According to the research, this perception gap is partially due to the notion of accountability. CEOs should view themselves as co-responsible with their CISO for cyber resilience, rather than as solely responsible. This article continues to discuss findings from interviews with global CEOs regarding what they think about cyber risk as well as the mindsets CEOs need to lead cyber-resilient businesses.

The University of Oxford reports "What Do CEOs Really Think about Cyber Risk? First-Of-Its-Kind Study Reveals All"

Threat actors are delivering cryptocurrency stealers to .NET developers via the NuGet repository and impersonating multiple legitimate packages through typosquatting. According to JFrog security researchers Natan Nehorai and Brian Moussalli, who identified this ongoing campaign, three of the malicious NuGet packages have been downloaded more than 150,000 times in a month. It is possible that a large number of .NET developers had their systems compromised, but the massive number of downloads could indicate that the attackers were attempting to legitimize their malicious NuGet packages. When creating their NuGet repository profiles, the threat actors used typosquatting to mimic Microsoft software developers working on the NuGet .NET package manager. The malware installed on compromised systems can be used to steal cryptocurrency by exfiltrating the victims' cryptocurrency wallets using Discord webhooks, extracting and executing malicious code from Electron archives, and auto-updating by querying the command-and-control (C2) server under the control of the attacker. This article continues to discuss threat actors targeting and infecting .NET developers with cryptocurrency stealers through the NuGet repository and impersonating legitimate packages via typosquatting.

Bleeping Computer reports "Hackers Target .NET Developers with Malicious NuGet Packages"

As part of a new campaign, poorly managed Linux SSH servers are being targeted with several forms of malware called ShellBot. AhnLab Security Emergency Response Center (ASEC) explained that ShellBot, also known as PerlBot, is a Distributed Denial-of-Service (DDoS) bot malware written in Perl that uses the Internet Relay Chat (IRC) protocol to connect with the command-and-control (C2) server. ShellBot is installed on servers with weak passwords after threat actors use scanner malware to detect systems with SSH port 22 open. Using a list of known SSH credentials, a dictionary attack is initiated to breach the server and install the payload, after which the IRC protocol is used to communicate with a remote server. This includes the ability to receive commands that enable ShellBot to execute DDoS attacks and exfiltrate gathered data. ASEC reported identifying three different ShellBot variants. This article continues to discuss the new ShellBot DDoS malware variants targeting Linux SSH servers.

THN reports "New ShellBot DDoS Malware Variants Targeting Poorly Managed Linux Servers"

The Global Positioning System (GPS) is inexpensive and easy to use because a device only needs to receive and interpret signals, not transmit, respond, or authenticate them. However, what makes GPS valuable also makes it so vulnerable, says Aanjhan Ranganathan, a professor at the Khoury College of Computer Sciences. Ranganathan received the National Science Foundation (NSF) Career Award for his research on GPS. Ranganathan explained that GPS is especially vulnerable to attacks due to its reliance on unsecured signals transmitted from satellites 20,000 kilometers above. By the time the signals reach the ground, they are already weak. $20 worth of equipment can render GPS devices incapable of receiving any signal. Alternatively, $100 worth of equipment can transmit signals that appear to originate from GPS satellites. This is known as "spoofing," in which a malicious actor fakes the source of a signal. Ranganathan tricked a drone into thinking it was somewhere it was not by spoofing the signals it was receiving. As he manipulated the GPS inputs, the drone drifted laterally to keep "standing still." The controller displayed no movement since the drone believed it was maintaining its position. Ranganathan successfully co-opted the drone without hacking it, bypassing its security protocols. The effects of spoofing are subtle and extensive. A malicious state could interfere with airplanes attempting to land, delaying flights. A cyber terrorist could steal military drones by making them land behind enemy lines. Due to the reliance of current timekeeping on GPS, a determined hacker could cost a bank billions of dollars by manipulating the timing of stock trades. This article continues to discuss the vulnerability of GPS to attacks and Ranganathan's research aimed at addressing this vulnerability.

Northeastern University reports "GPS Is Critical to Modern Life. It's Also Vulnerable, and This Researcher Is Out to Fix That."

The Play ransomware group has targeted Royal Dirkzwager, a Dutch company specializing in optimizing shipping processes and managing maritime and logistic information flows. The ransomware group added the company to its Tor data leak site and announced that it stole personal data, employee IDs, passports, contracts, and other information. The group posted a 5 GB archive as evidence of the attack, threatening to leak the entire dump if the company does not pay the demanded ransom. Royal Dirkzwager CEO Joan Blaas stated that the ransomware attack had no effect on the company's operations but confirmed that the malicious actors stole critical information from the organization's infrastructure. The company informed the Dutch Data Protection Authority and said it is negotiating with the ransomware gang. Since July 2022, the Play ransomware gang has been active, targeting the City of Oakland, the Cloud services company Rackspace, and more. Cybercrime groups consider the shipping industry a lucrative target. In January, around 1,000 vessels were affected by a ransomware attack on DNV, one of the largest maritime software providers. This article continues to discuss the Play ransomware attack against the Dutch maritime logistics company Royal Dirkzwager and the targeting of the shipping industry by cybercriminals.

Security Affairs reports "Play Ransomware Gang Hit Dutch Shipping Firm Royal Dirkzwager"

January through April is tax season in the US, during which businesses and employees fill in W-2 forms for the Internal Revenue Service (IRS). Threat actors try to steal the W-2 forms, which legitimate employees use. According to the IRS' Information Sharing and Analysis Center (ISAC), the number of reports of suspicious activity related to tax refunds quadrupled to eight million in 2022 compared to 2021. Kevin Kirkwood, the deputy CISO at LogRhythm and a cybersecurity expert, emphasizes that malicious actors exploit tax season to launch spear-phishing attacks with a single target in mind: the W-2 form. Kirkwood explains that stealing W-2 forms can be profitable since cybercriminals can use them to file fake tax returns and receive reimbursement for payments they never made. Criminals often impersonate a company's chief executive or other trustworthy employees in these attacks. The article continues to discuss what a tax-season phishing campaign looks like, as well as what businesses and employees should look out for to avoid falling victim to such attacks.

Cybernews reports "Watch Out: Tax Crooks Are Phishing for Your W-2 Form"

According to security researchers at Juniper Research, the cost of fraudulent robocalls to victims will increase 9% from 2022 to reach $58bn globally this year. The researchers noted that auto-dialing software that delivers pre-recorded messages is widely available and used by both legitimate marketers and scammers. The researchers warned that fraudsters will continue to outwit attempts to mitigate their efforts, driving robocall scam losses to $70bn globally by 2027. The researchers stated that efforts to combat these scams include STIR/SHAKEN, a US industry initiative designed to tackle the caller ID spoofing used by many scammers to hide their true identities. North America is the region most impacted by fraudulent robocalls, set to account for over half of all losses in 2023. The researchers noted that STIR/SHAKEN has done some good, reducing growth in robocall fraud-related losses in North America by an estimated 85% between 2022 and 2023. The researchers are forecasting a decline in losses in the region for the first time by 2025 and urged stakeholders outside North America to adopt their own version of the framework and initiatives to stop call forwarding and other typical fraudulent call tactics. The researchers added that brand authentication technology could play a key role over the coming years in tackling robocall fraud by enabling users to definitively verify the authenticity of a brand on their smartphone screen before picking up.

Infosecurity reports: "Scam Robocalls Forecast to Cost $58bn This Year"