News Items

In 2022, the number of refugees worldwide reached high levels as over 108.4 million people have been forced to leave their homes due to persecution or violence. In the meantime, governments and aid organizations increasingly use biometrics for identifying and tracking refugees. Biometrics involves the collection of a person's physical or behavioral characteristics, such as fingerprints or voice. Organizations that collect personal physical data can store it in order to immediately identify a person, for example, by scanning their fingerprints or irises. The United Nations refugee agency, or UNHCR, is among the organizations that have expanded their biometrics programs in recent years to help identify refugees and provide lifesaving help. Joseph K. Nwankpa, a cybersecurity scholar at Miami University, believes it is essential to remember that while identifying people with biometrics may be convenient for organizations gathering the data, the practice poses inherent privacy risks that can endanger the safety of vulnerable individuals. This article continues to discuss Nwankpa's insights regarding the biometrics data-gathering process and cybersecurity challenges associated with biometrics.

The Conversation reports "Registering Refugees Using Personal Information Has Become the Norm - But Cybersecurity Breaches Pose Risks to People Giving Sensitive Biometric Data"

The oil and gas industry continues to be a critical pillar of the global economy, supporting millions of jobs worldwide and providing essential energy for households, businesses, and transportation. However, as digital technology increasingly permeates this industry, oil and gas companies are becoming more vulnerable to severe cyber threats. The industry's growing reliance on digital systems has increased the importance of developing and implementing strong cybersecurity strategies, which presents unprecedented challenges. The oil and gas sector relies on several external variables, thus complicating the industry's operational landscape and making cybersecurity a unique challenge. This article continues to discuss cybersecurity challenges in the oil and gas industry and ways to combat the unique security challenges of this sector.

BetaNews reports "Securing the Oil and Gas Industry"

Lindy Cameron, CEO of the UK National Cyber Security Centre, emphasizes that cybersecurity must be implemented into Artificial Intelligence (AI) systems. According to Cameron, it is essential to implement robust systems in the early phases of AI development. In the future, AI will play a role in numerous facets of daily life, from homes and cities to national security and even warfare. Although there are benefits to using AI, there are multiple risks. As companies race to develop new AI products, there is concern that security is being neglected. Companies competing to secure their position in the growing AI market may prioritize getting their systems to market as quickly as possible without considering the potential for misuse. The scale and complexity of AI models are such that it will be much more difficult to retrofit security if the proper fundamental principles are not applied during the early stages of development. Malicious AI attacks could have "devastating" consequences. AI systems can be used to generate malicious code for hacking into devices or to write fake messages for spreading misinformation on social media. This article continues to discuss AI security risks and the importance of building cybersecurity into AI systems.

BBC reports "AI Must Have Better Security, Says Top Cyber Official"

Odessa Mayor Javier Joven recently announced that someone had accessed the city's computer network numerous times since December using former Odessa City Attorney Natasha Brooks' accounts, which someone failed to deactivate following her termination on Dec. 13. The Odessa Police Department, with the assistance of other law enforcement agencies, launched an investigation after city officials discovered last week that sensitive information was transferred by email to a private account. Joven noted that a number of systems were accessed, such as Odessa Police Department reports, personnel information, and GovQA, which is the city's hosted system for public information requests. It's unknown at this time exactly how sensitive the transferred data was, but just the breach itself is concerning. Joven noted that it appears as though 200 emails and other data were accessed. Once the investigation concludes, the city will use all means available, including criminal charges, to ensure that everyone involved in this breach is punished to the full extent of the law. Joven noted that much of the information gathered could have been obtained through a Texas Public Information Act reques

Yahoo News reports: "Joven Claims City Had Major Data Breach"

According to research conducted by Searchlight Cyber, Initial Access Brokers (IABs) on the dark web are increasingly targeting the banking sector. In addition, the dark web intelligence company discovered evidence of insiders sharing information about their organization or being recruited by cybercriminals on the dark web, as well as threat actors conducting infrastructure reconnaissance to target financial service supply chains. The company noted in a new study that these threats also present banks with a significant opportunity. According to the company, security teams can modify and improve their defenses based on what might happen by using dark web intelligence on potential malicious activity while criminals are still in their operations' 'pre-attack' stage. The research is based on an investigation by analysts at Searchlight Cyber involving dark web data collected from 2020 to the present. This article continues to discuss key findings from Searchlight Cyber's analysis of dark web data.

CSO Online reports "Initial Access Broker Posts Targeting Banks Increase on Dark Web"

Google recently announced the release of Chrome 115 to the stable channel, with patches for 20 vulnerabilities, including 11 reported by external researchers. Google noted that four of the externally reported security defects are assessed with a "high severity" rating. Based on the bug bounties paid for them, the most important of these are CVE-2023-3727 and CVE-2023-3728, two use-after-free issues in WebRTC. Google says it handed out a $7,000 reward for each of them. The third high-severity flaw that Chrome 115 resolves is another use-after-free bug, this time in Tab Groups. Tracked as CVE-2023-3730, the vulnerability was awarded a $2,000 bug bounty. The fourth high-severity issue, CVE-2023-3732, is described as an out-of-bounds memory access in Mojo. Google noted that the bug was discovered by Google Project Zero researcher Mark Brand and, per their policies, no bug bounty will be issued for it. Google stated that Chrome 115 resolves six externally reported medium-severity vulnerabilities, which are described as inappropriate implementation flaws in the WebApp Installs, Picture In Picture, Web API Permission Prompts, Custom Tabs, Notifications, and Autofill components. This browser release also resolves a low-severity insufficient validation of untrusted input bug in Themes. Google says it has paid a total of $34,000 in bug bounty rewards to the reporting researchers. Google makes no mention of any of the newly resolved vulnerabilities being exploited in malicious attacks.

SecurityWeek reports: "Chrome 115 Patches 20 Vulnerabilities"

The US government has placed Cytrox and Intellexa on an economic blocklist for trafficking in cyber exploits. The US Department of Commerce's Bureau of Industry and Security (BIS) added the two surveillance technology vendors to the Entity List for trafficking in cyber exploits used to gain access to information systems. The Entity List maintained by BIS is a trade control list created by the US government. It identifies foreign individuals, organizations, and government entities subject to specific export controls and restrictions due to their participation in activities that threaten the national security or foreign policy interests of the US. This article continues to discuss the US government adding surveillance technology vendors Cytrox and Intellexa to an economic blocklist for trafficking in cyber exploits.

Security Affairs reports "US Gov Adds Surveillance Firms Cytrox and Intellexa to Entity List for Trafficking in Cyber Exploits"

WyrmSpy and DragonEgg, two previously undocumented Android spyware strains, have been linked to APT41, a prolific nation-state actor with ties to China. According to Lookout, an established threat actor such as APT41, known for exploiting web-facing applications and infiltrating traditional endpoint devices, adding mobile malware to its arsenal, demonstrates that mobile endpoints are high-value targets with corporate and personal data. Since at least 2007, APT41, also known as Axiom, Blackfly, Brass Typhoon, Bronze Atlas, HOODOO, Wicked Panda, and Winnti, has been known to target various industries for intellectual property theft. Recent attacks launched by the group involved Google Command and Control (GC2), an open source red teaming tool, to target media and employment platforms in Taiwan and Italy. This article continues to discuss APT41 targeting mobile devices with WyrmSpy and DragonEgg spyware.

THN reports "Chinese APT41 Hackers Target Mobile Devices with New WyrmSpy and DragonEgg Spyware"

According to the 2023 Verizon Data Breach Investigations Report (DBIR), small and medium-sized businesses (SMBs) are targeted by cybercriminals as much as large companies. SMBs are often found to underestimate their appeal as potential targets since they believe they are not worth the effort of attackers and that their data is of little value. However, their systems contain sensitive information, including employee and customer data as well as financial data. In addition, they are frequently used to access the systems of larger organizations (i.e., partners, customers, or suppliers). According to a recent Proofpoint study, cybercriminals often target SMBs to breach larger organizations, especially through regional Managed Service Providers (MSPs). This article continues to discuss how SMBs can up their cybersecurity game.

Help Net Security reports "Cybersecurity Measures SMBs Should Implement"

Jake Guidry, an Idaho National Laboratory (INL) intern, has developed a cybersecurity research tool to improve the security of Electric Vehicle (EV) charging. The AcCCS tool provides access capabilities through the Combined Charging System (CCS) communications protocol. AcCCS combines hardware and software, emulating the electronic communications that occur between an EV and a charger during the charging process. The tool provides researchers with a new vulnerability search method for EVs and charging stations. The AcCCS hardware has a charging port and cable that can be plugged into real-world equipment. No charging power travels through the device. When AcCCS is plugged into an EV, the vehicle's computer believes the battery is being charged. If plugged into a 350-kilowatt fast charging station, the station thinks it is charging an EV. According to Guidry, it is essentially mimicking one to deceive another. Researchers have already used AcCCS to hack a charging station and a vehicle. Then they demonstrated a mitigation technique against the cyberattacks. Future experiments will help researchers in developing industry best practice recommendations. This article continues to discuss the cybersecurity research tool developed to improve the security of EV charging.

Idaho National Laboratory reports "Intern Develops Technology to Find EV Charging Vulnerabilities"

The experience gained at the largest unclassified Department of Defense (DOD) cyber defense exercise helps the Ohio Cyber Range Institute (OCRI) at the University of Cincinnati (UC) develop the country's civilian cybersecurity operation in Ohio. Last month, in North Little Rock, Arkansas, over 800 National Guard soldiers, airmen, and civilian cyber professionals attended Cyber Shield 2023, including people from UC. Bekah Michael, associate professor-educator in the UC School of Information Technology (IT) and executive staff director of the OCRI, said the DOD exercise experience has been directly applied to developing cybersecurity exercises in Cincinnati. UC will host teams from the Ohio Cyber Reserve for a validation exercise this summer, marking Cincinnati's second consecutive year for a statewide cybersecurity exercise. Three teams from the Ohio Cyber Reserve, a volunteer force commanded by the state's adjutant general, will participate in the OCRI-hosted exercise. This year's exercise will be different from the previous year in that it will be a validation exercise rather than a training exercise. The teams responding to an attack in a training exercise can consult with and get direction from the event organizers and the group doing the cyberattacks. They do not receive additional instruction during a validation exercise since they must demonstrate their ability to respond to a critical cybersecurity incident. This article continues to discuss the cybersecurity exercise that UC will host.

The University of Cincinnati reports "UC Prepares to Host Statewide Cybersecurity Exercise"

Henry Ford Health has recently confirmed that an email phishing scheme led to a data breach affecting 168,000 patients. Patients were told Monday that someone conducting an email phishing scheme gained access to business email accounts on March 30, 2023. According to officials, that access was quickly discovered, and the email accounts were secured. According to the company, some patient information was contained in the affected emails, but it's unclear if that information was accessed. This discovery was made on May 16. The affected information might have included name, gender, date of birth, age, lab results, procedure type, diagnosis, date of service, telephone number, medical record number and/or internal tracking number. Henry Ford Health stated that it is adding security measures and further employee training.

WDIV reports: "Henry Ford Health Confirms Data Breach Affecting 168,000 Patients"

The administrators of Genesis Market on the dark web have announced the sale of their platform to a threat actor who will resume operations next month. In April, the FBI seized Genesis Market, a marketplace for stolen credentials, launched in 2017. Genesis Market was an invite-only marketplace, but invitation codes were not difficult to find online. The platform provided access to "browser fingerprints" that enable criminals to impersonate victims' web browsers, including IP addresses, operating system data, time zones, device information, session cookies, and more. Amazon, eBay, Facebook, Gmail, Netflix, PayPal, Spotify, and Zoom were among the most popular services to which Genesis Market provided access. The seizure of the platform was part of Operation Cookie Monster, a law enforcement operation. This article continues to discuss the administrators of the dark web Genesis Market selling the platform on a hacker forum.

Security Affairs reports "Admins of Genesis Market Marketplace Sold Their Infrastructure on a Hacker Forum"

Metior is an analysis framework developed by MIT researchers to simplify hardware and software design frameworks in order to enhance defense capabilities against known and unknown side-channel attacks. Using Metior, engineers could quantitatively evaluate how much information an adversary can steal through a specific side-channel attack. It is considered a simulation sandbox in which chip designers and other engineers can determine, based on their use case, what combination of defenses maximizes their protection against side-channel attacks. As Metior allows the quantitative measure of how much information is stolen, users can calculate the impact of it being stolen, so they can implement protections against the most impactful types of attacks. This article continues to discuss the new Metior framework that bridges hardware design and cybersecurity.

Tom's Hardware reports "'Metior' Defense Blueprint Against Side-Channel Vulnerabilities Debuts"

Identity and access management solutions provider JumpCloud has recently revealed that it was the target of a security breach caused by a sophisticated nation-state-sponsored threat actor. The company noted that the breach first came to light on June 27 when anomalous activity was detected on an internal orchestration system. The investigation traced the incident back to a spear-phishing campaign initiated by the threat actor on June 22, which resulted in unauthorized access to a specific section of JumpCloud's infrastructure. While no evidence of customer impact was found then, JumpCloud proactively bolstered its security measures by rotating credentials, rebuilding infrastructure, and fortifying its network and perimeter. The situation escalated on July 5 when unusual activity was discovered in the commands framework for a small group of customers, indicating that customer data had been compromised. In response, JumpCloud force-rotated all admin API keys and notified affected customers immediately. After a forensic investigation conducted with incident response partners and law enforcement, the attack vector was identified as data injection into the commands framework. JumpCloud emphasized that the breach was highly targeted and limited to specific customers.

Infosecurity reports: "JumpCloud Confirms Data Breach By Nation-State Actor"

Cybernews researchers further explored how privacy-invasive Artificial Intelligence (AI)-powered applications like ChatGPT are. Large Language Models (LLM)s such as OpenAI's ChatGPT, Meta's LLaMA, and Google's PaLM2 are the most notable examples of advanced Natural Language Processing (NLP) models. To train their algorithms, these models must collect enormous amounts of data, as more data means they can generate more natural responses that resemble human language. They have crawled the web to collect data, including content from social media platforms such as Reddit, Facebook, Twitter, and Instagram. However, a part of the data collected contains sensitive personal information. AI tools must also record user prompts and file uploads, including images or voice commands, to improve their algorithms' training. AI users may inadvertently divulge sensitive personal and professional information, exposing them to the possibility of exposure to third parties. This article continues to discuss how AI-powered apps impact user privacy, the benefits AI brings to social media applications, and privacy concerns around ChatGPT.

Cybernews reports "How Popular AI Apps Are Invading Your Privacy"

Security operations and threat intelligence teams are understaffed, overwhelmed with data, and juggling competing demands, all of which can be remedied by Large Language Model (LLM) systems. However, the lack of experience with the systems prevents many companies from using the technology. According to researchers, organizations that implement LLMs can better synthesize intelligence from raw data and expand their threat intelligence capabilities, but such programs require the support of the security leadership to be appropriately focused. John Miller, head of intelligence analysis at Mandiant, notes that teams should implement LLMs for solvable problems, but first, they must evaluate the utility of LLMs in an organization's environment. In a presentation titled "What Does an LLM-Powered Threat Intelligence Program Look Like?" to be given at Black Hat USA in early August, Miller and Ron Graf, a data scientist on the intelligence analytics team at Mandiant's Google Cloud, will demonstrate the areas in which LLMs can help security analysts in accelerating and enhancing cybersecurity analysis. This article continues to discuss where LLMs can be of help to security professionals.

Dark Reading reports "How AI-Augmented Threat Intelligence Solves Security Shortfalls"

The Cybersecurity and Infrastructure Security Agency (CISA) has published a factsheet outlining free tools and guidance for securing digital assets after migrating to cloud environments. The factsheet helps network defenders, incident response analysts, and cybersecurity professionals in mitigating the risk of information theft, exposure, data encryption, and extortion attacks. It helps identify, detect, and mitigate known vulnerabilities and cyber threats faced when managing cloud-based or hybrid environments. The highlighted tools supplement the built-in tools provided by cloud service providers and help bolster the resilience of network infrastructures, enhance security measures, identify malicious compromises, map potential threat vectors, and pinpoint malicious activity following a breach. This article continues to discuss the free tools shared by CISA to help improve the security of data in the cloud.

Bleeping Computer reports "CISA Shares Free Tools to Help Secure Data in the Cloud"

Law enforcement agencies regularly sell items confiscated in criminal investigations or unclaimed from lost-and-found inventories. Many of these items, including cars, jewelry, watches, and devices such as mobile phones, end up on online auction sites. People searching for a bargain can bid on cell phones in bulk, picking up dozens at low prices. However, according to a recent study conducted by security researchers at the University of Maryland (UMD), many phones sold at police property auction houses are not adequately wiped of personal data. The study, which lasted over two years and involved cell phones purchased from the largest police auction house in the US, led to the discovery of troves of personal information from previous owners that was freely accessible. The UMD team successfully bid on 228 phones, 61 (27 percent) of which contained personal data such as Social Security numbers, credit card information, banking information, passport data, driver's license photos, and more. This article continues to discuss the UMD team's discovery of privacy risks in cell phones purchased at police auctions.

The University of Maryland reports "UMD Researchers Uncover Privacy Risks in Cell Phones Purchased at Police Auctions"

There is criticism regarding Microsoft charging its cloud services customers additional fees to access security records after a China-based threat group compromised the email accounts of more than two dozen organizations, including US government agencies. The State and Commerce Departments are reportedly among the targets. The threat group responsible for the attacks, identified by Microsoft as Storm-0558, used forged authentication tokens to access Microsoft 365 (M365) accounts via Outlook Web Access and Outlook[.]com. Following the reveal of the attacks on July 11, Microsoft provided a more comprehensive account of the breach. Microsoft noted that the attacks had been mitigated for all customers and that the company was still investigating how the attackers got the forged tokens. This article continues to discuss the email hack that calls for Microsoft to make security logs free.

SC Media reports "Email Hack Prompts Call for Microsoft to Make Security Logs Free"

The owner of the infamous cybercrime website BreachForums has recently pleaded guilty in a US court to conspiracy to commit device fraud, access device fraud, and possession of child pornography. The man, Conor Brian Fitzpatrick, 21, of Peekskill, New York, was arrested on March 15, 2023, being charged with conspiracy to commit access device fraud. Fitzpatrick, known online as "Pompompurin," has admitted to investigators that he was the owner and administrator of the BreachForums portal. Also known as Breached, BreachForums was launched in 2022 as an alternative to RaidForums, a cybercrime marketplace that was taken down by law enforcement in February 2022. According to US law enforcement, BreachForums claimed to have over 340,000 members at the time it was shut down. The FBI noted that during its year of operation, the website became a top hacker marketplace, facilitating the trading of hacked or stolen data, including bank account information, Social Security numbers, personally identifiable information, hacking tools, online account credentials, and hacking services for hire. According to the plea agreement, Fitzpatrick faces up to 10 years in prison for conspiracy to commit access device fraud, 10 years in prison for solicitation for the purpose of offering access devices, and up to 20 years in prison for possession of child pornography. The maximum penalty for each count also includes a fine of $250,000, and supervised release.

SecurityWeek reports: "Owner of Cybercrime Website BreachForums Pleads Guilty"

Gamaredon, a threat actor with connections to Russia, was observed conducting data exfiltration operations within an hour of the initial compromise. As a vector of primary compromise, emails and messages in messengers (i.e., Telegram, WhatsApp, Signal) are used, in most cases, with previously compromised accounts, according to a published analysis by the Computer Emergency Response Team of Ukraine (CERT-UA). Gamaredon, also known as Aqua Blizzard, Armageddon, Shuckworm, and UAC-0010, is a state-sponsored actor connected to the SBU Main Office in the Autonomous Republic of Crimea. It is estimated that this group has infected thousands of government computers. This article continues to discuss recent findings and observations regarding Gamaredon.

THN reports "CERT-UA Uncovers Gamaredon's Rapid Data Exfiltration Tactics Following Initial Compromise"

Guest accounts in Azure AD (AAD) provide external third parties with limited access to corporate resources. The objective is to facilitate collaboration without excessive risk of exposure. However, enterprises may inadvertently overshare access to sensitive resources and applications with Azure AD guests, thus enabling data theft and other threats. An upcoming presentation at Black Hat USA will detail how a toxic combination of easily manipulable default guest account settings and connections within Microsoft's low-code development platform known as Power Apps can open the door for guest accounts to gain access to the corporate jewels. This article continues to discuss the possible data theft by rogue Azure AD guests through Power Apps.

Dark Reading reports "Rogue Azure AD Guests Can Steal Data via Power Apps"

Brett Callow, a threat analyst at Emsisoft, has been monitoring the MOVEit attack carried out by a notorious cybercrime gang, and he is currently aware of 347 impacted organizations, including 58 educational institutions in the United States. Callow noted that the number of impacted organizations includes both ones that were directly affected and ones that were indirectly hit. Callow believes more than 18.6 million individuals had their data compromised as a result of the MOVEit hack. Callow warned that the Cl0p ransomware group conducted the attack and is in possession of a massive quantity of data that could be useful for business email compromise (BEC) and phishing attacks.

SecurityWeek reports: "MOVEit Hack: Number of Impacted Organizations Exceeds 340"