News Items

In the physical world, the Red Cross, Red Crescent, and Red Crystal displayed on hospitals and ambulances across the globe are internationally recognized symbols of legal protection for the sick, the wounded, and those who care for them during armed conflict. Humanitarian relief and healthcare organizations are increasingly vulnerable to cyberattacks as they rely more on computer networks to provide care. Malicious cyber operations have disrupted relief efforts and contributed to delayed care, overmedication, and increased mortality. Therefore, the Johns Hopkins Applied Physics Laboratory (APL) in Laurel, Maryland, collaborated with the International Committee of the Red Cross (ICRC) to create a technical framework to replicate the protection signaled by the ICRC's physical emblems in the digital realm. APL teamed up with the ICRC on a two-year research project involving experts from academic, humanitarian, and technical organizations. The team examined how a digital emblem could mark and identify medical and humanitarian organizations' digital assets, services, and data. The emblem would show their status as protected. The emblem's widespread visibility would enable more people to participate in its protection by design. Internet Service Providers (ISPs) monitor network traffic already. If protected parties are marked publicly, providers can more easily identify malicious traffic aimed at protected sites. If the digital emblem were to be incorporated into the international humanitarian legal framework, it would afford legal protection against cyberattacks. This article continues to discuss the technical framework developed to replicate the protection signaled by the ICRC's physical emblems in the digital world and how a digital emblem would work in the protection of medical and humanitarian entities against cyberattacks.

Johns Hopkins University Applied Physics Laboratory reports "Johns Hopkins APL Designs Framework for a Digital Red Cross"

The North Korean APT37 hacking group uses a new information-stealing malware called "FadeStealer" with a wiretapping feature, allowing the threat actor to eavesdrop and record from victims' microphones. It is believed that APT37, also known as Reaper and RedEyes, is a state-sponsored hacking group with a history of conducting cyber espionage attacks in line with North Korean interests. These attacks target North Korean defectors, academic institutions, and EU-based organizations. In the past, the hackers used custom malware known as "Dolphin" and "M2RAT" to execute commands and steal data, credentials, and screenshots from Windows devices and even mobile phones connected to the network. In a new report from the AhnLab Security Emergency Response Center (ASEC), researchers detail the new custom malware called "AblyGo backdoor" and "FadeStealer" that the threat actors have used in cyber espionage operations. This article continues to discuss the use of the new FadeStealer eavesdropping malware by the North Korean APT37 hacking group.

Bleeping Computer reports "APT37 Hackers Deploy New FadeStealer Eavesdropping Malware"

According to SUSE, increased cloud adoption has raised cloud security concerns among Information Technology (IT) teams, who are faced with challenges stemming from the widespread use of complex cloud environments. According to a survey, IT decision-makers have experienced an average of four cloud-related security incidents in the past year, with the number increasing to five in the US and decreasing to three in Europe. This contributes to the security concerns that hold back cloud technologies. Thirty-one percent of respondents cited cloud- or third-party-hosted data stores as their main cloud security concern. Runtime attacks launched by threat actors, security policy management, federation, and automation follow data stores as secondary concerns (29 percent each). Significantly more US IT decision-makers (35 percent) than European IT decision-makers (25 percent) cite security policy management, federation, and automation as their top cloud security concerns. This article continues to discuss key findings from SUSE's industry trend report "Securing the Cloud."

Help Net Security reports "US and European IT Decision-Makers Have Different Cloud Security Priorities"

Attacks on grid substations increased by 70 percent in 2022 alone. Therefore, engineers at the Department of Energy's (DOE) Oak Ridge National Laboratory (ORNL) expect new attack vectors and are taking measures against hackers using them. According to Peter Fuhr, head of ORNL's Grid Communications and Security group, the researchers try to stay ahead of cyber threats rather than just react to them after they occur. Recently, Fuhr's team demonstrated a novel method that encodes grid sensor data subliminally into a video feed using a rotating color wheel and a Fibonacci sequence decoding key that rotates the color wheel so that each sensor reading uses a unique color code. This novel implementation is a type of steganography that conceals critical information within the live video feeds from the grid substations themselves. According to Fuhr, the technique translates the encrypted character codes currently used by utilities into a color code hidden in the video feeds of cameras that already monitor substation activity. EPB effectively tested the technique for six months using a Virtual Local Area Network (VLAN) link between the central-EPB grid control center and its substations. This article continues to discuss the method ORNL developed to protect our critical grid infrastructure against hackers.

CACM reports "Keeping Hackers Off the Electrical Grid"

A ransomware attack and subsequent data breach at Harvard Pilgrim Health Care in April affected over 2.5 million members, but the system outage caused by the ransomware attack has prevented the insurer from directly informing many of the potential victims because the insurer could not access their contact information. Two months after the breach, the insurer is only just beginning to reach out to members directly, but many remain in the dark about whether their personal information was compromised. Harvard Pilgrim, part of health insurer Point32Health, first disclosed in mid-April that it had been the victim of a ransomware attack, affecting the systems it uses to service members, accounts, brokers, and providers. On May 23, the insurer disclosed that patient data had been stolen but declined to publicly say how many members were affected. The next day, however, the insurer informed the US Department of Health and Human Services Office for Civil Rights that millions of people's data potentially had been compromised. Potential victims include those who are or were enrolled in Harvard Pilgrim Commercial or Medicare health plans since March 28, 2012. The data in the accessed files could contain a slew of patient information, including names, addresses, phone numbers, dates of birth, health insurance account information, Social Security numbers, provider taxpayer identification numbers, and medical history such as diagnoses, treatment, dates of service, and provider names. A spokeswoman at Harvard Pilgrim Health Care stated that the system outage has prevented the insurer from contacting members directly "as contact information was not accessible." Harvard Pilgrim has instead sought to inform members through employers, insurance brokers, press releases, and its website, and has made credit monitoring services available through a website for those wishing to enroll. The spokeswoman also said that Harvard Pilgrim began alerting potentially affected members by mail starting June 15. The company noted that it has repaired several functions in the two months since the attack, including the ability to check member eligibility. It also has been issuing temporary member ID cards and distributed payments to providers that had been submitted before the attack. However, Harvard Pilgrim's website and many of its internal functions remain down. The insurer cannot process claims or requests for prior authorization. Some members said they were unable to use their insurance at all. While consumers wait for notification, a class-action lawsuit against the company is moving forward, spearheaded by a woman who said that her credit card was hacked following the cybersecurity breach.

The Boston Globe report: "Harvard Pilgrim Data Breach Affected Millions, Yet Insurer Struggled to Contact Many Potential Victims For Months"

The US Department of Agriculture (USDA) is investigating a "possible data breach" of a department contractor connected to a broader hack on multiple federal agencies that officials have blamed on Russian cybercriminals. A department spokesperson stated that they are aware of a possible data breach with a vendor that may impact a very small number of employees, and any employees whose data may have been affected will be contacted and provided support. The spokesperson noted that the data breach did not occur to the USDA network. Currently, the USDA estimates that fewer than 30 USDA employees may have been impacted by a third-party vendor data breach. No federal agencies have reported receiving demands, but corporate victims have previously reported demands of millions of dollars. The hackers last month began exploiting a vulnerability in widely used file-transfer software known as MOVEit, made by the Massachusetts-based firm Progress Software.

CNN reports: "USDA is Investigating a 'Possible Data Breach' of Contractor Related to The Global Russian Cybercriminal Hack"

More UK companies have signed on to help test a new cybersecurity approach. Over the past year, 36 UK companies have joined the "Digital Security by Design" program, a UK government-backed initiative to create a more secure digital future. They are experimenting with the Arm Morello board, a prototype of Arm's cybersecurity technology based on the Capability Hardware Enhanced RISC Instructions (CHERI) protection model developed by researchers at the University of Cambridge and SRI International. CHERI enables hardware and software to work together to prevent attackers' exploitation of security vulnerabilities. The Arm Morello board is considered a groundbreaking cybersecurity technology prototype that is secure by design. It is built with security features that do not depend on software updates or patches to defend against malicious actors. The technology can prevent and mitigate memory-related cyberattacks, which account for two-thirds of cyberattacks worldwide. This article continues to discuss UK companies being given trial access to the prototype cybersecurity technology and why this prototype is considered cutting-edge technology.

The University of Cambridge reports "More UK Companies Sign Up to Test Groundbreaking Cybersecurity Technology"

According to the technology market analyst Canalys, global spending on cybersecurity in the first quarter of 2023 increased by 12.5 percent to $18.6 billion, compared to the same period the previous year. The results released on Monday, June 19, were consistent with the company's best-case forecasts for the cybersecurity market and outpaced the rest of the technology industry. An April forecast by the management consulting company Gartner found that global Information Technology (IT) spending was projected to increase to $4.6 trillion in 2023, a 5.5 percent growth from 2022. Customers prioritized spending on the most critical projects and those with the highest return. Matthew Ball, a principal analyst at Canalys, noted that longer sales cycles, delays, and project downsizing have increased, while hardware refresh programs have been pushed to future quarters. Spending on identity security increased by 14.3 percent, while investments in Security Service Edge (SSE) within web and email security increased by 16 percent. This article continues to discuss new findings regarding cybersecurity spending.

SC Media reports "Cybersecurity Market Grew 12.5% In First Quarter, Outpacing Overall Tech Market"

The US Department of Justice (DOJ) is adding a new section to its National Security Division that will prosecute malicious foreign cyber activity, a top department official recently announced. The department wants to be more active in combating digital threats from outside the US. Assistant Attorney General Matthew Olsen, the division's chief, revealed that the entity will enable the division to expand the scope and speed of disruption campaigns and prosecutions of nation-state cyber threats and state-sponsored cybercriminals. The department's Criminal Division will maintain its computer crimes section. The decision to place cyber on an equal footing with the division's three existing sections comes as the DOJ has increased its own efforts to combat botnets, contain or eliminate malware outbreaks, and pursue digital criminals worldwide. This article continues to discuss the new DOJ unit aimed at prosecuting malicious foreign cyber activity.

The Record reports "New DOJ Unit Will Focus On Prosecuting Nation-State Cybercrime"

The exploitation of a pre-authentication command injection flaw, tracked as CVE-2023-20887, in VMware Aria Operations for Networks (previously vRealize Network Insight), has been observed in the wild. There are no workarounds available to mitigate the risk of exploitation, so enterprise administrators are advised to patch their deployments. The vulnerability is one of three recently discovered and privately communicated to VMware by Sina Kheirkhah of Summoning Team and an anonymous researcher. The company confirmed that a malicious actor with network access to VMware Aria Operations for Networks could perform a command injection attack resulting in Remote Code Execution (RCE). Kheirkhah published a proof-of-concept (PoC) exploit for the vulnerability on June 13, and according to GreyNoise, attempts to exploit the vulnerability began two days after. This article continues to discuss the VMware Aria Operations for Networks vulnerability.

Help Net Security reports "VMware Aria Operations for Networks Vulnerability Exploited in the Wild (CVE-2023-20887)"

In a recent campaign spanning from late 2022 to early 2023, a Chinese state-sponsored actor named "Flea" targeted foreign affairs ministries in the Americas. According to Broadcom's Symantec, the cyberattacks involved a new backdoor called "Graphican." Other targets included a government finance department, a company that markets products in the Americas, and an unidentified victim in a European country. In this campaign, Flea used many tools, the company said, describing the threat actor as "large and well-resourced." In addition to the new Graphican backdoor, the attackers used various living-off-the-land (LOTL) methods and tools previously associated with Flea. Since 2004, Flea, also known as APT15, BackdoorDiplomacy, ke3chang, Nylon Typhoon (formerly Nickel), Playful Taurus, Royal APT, and Vixen Panda, has been known to target governments, diplomatic missions, and embassies. This article continues to discuss the Chinese state-sponsored actor Flea targeting foreign affairs ministries in the Americas with the Graphican backdoor.

THN reports "Chinese Hacker Group 'Flea' Targets American Ministries with Graphican Backdoor"

Microsoft is responding to Distributed Denial-of-Service (DDoS) attacks that recently interrupted the company's popular services, including Azure, Outlook, and OneDrive. Microsoft's Security Response Center (MSRC) released a comprehensive analysis of the crippling cyberattacks. The response outlines a series of Layer 7 DDoS attacks launched by a threat actor Microsoft tracks as "Storm-1359." A "Layer 7" attack is a DDoS attack that targets the application layer of the Internet protocol suite. The attack vector involves many requests to overwhelm the application layer and cause service interruptions or outages. Microsoft has determined that Storm-1359 has access to a large collection of botnets and tools, which could allow the threat actor to launch DDoS attacks from multiple cloud services and open proxy infrastructures. MSRC reported that Storm-1359 appears to be focused on causing disruption and gaining publicity. This article continues to discuss Microsoft's response to recent DDoS attacks.

Techzine reports "Microsoft Issues Detailed Response to Layer 7 DDoS Attacks"

New research on the password behaviors of over 8,000 people in the UK, France, and Germany reveals that 75 percent of individuals put themselves at risk by not following widely accepted password best practices. Sixty-four percent of those surveyed by Keeper Security use either weak or repeated passwords for their online accounts. Additionally, more than a third of people report feeling overwhelmed in regard to improving their cybersecurity. Thirty-nine percent of respondents do not know if they have been breached, and 32 percent are unaware of whether their passwords are available on the dark web. Although 41 percent of respondents believe cybersecurity is too difficult to understand, older generations appear to be performing better. Only 20 percent of respondents of Generation Z use strong and unique passwords for every account, compared to 29 percent of baby boomers. Generation Z has the highest percentage of respondents who find cybersecurity overwhelming. This article continues to discuss key findings from Keeper Security's report on password management.

BetaNews reports "75 Percent of People Risk Being Hacked Through Poor Password Practice"

Gen Digital, the company behind known cybersecurity brands such as Avast, Avira, AVG, Norton, and LifeLock, has recently announced that employees' personal information was compromised in the recent MOVEit ransomware attack. The attack exploited a zero-day vulnerability in the MOVEit Transfer managed file transfer (MFT) software that Progress Software disclosed on May 31. Gen Digital revealed that employees' compromised personal information includes names, addresses, birth dates, and business email addresses. The company noted that they use MOVEit for file transfers and have remediated all of the known vulnerabilities in the system. The company said there was no impact to their core IT systems or services and that no customer or partner data has been exposed.

SecurityWeek reports: "Norton Parent Says Employee Data Stolen in MOVEit Ransomware Attack"

The Office of the Australian Information Commissioner (OAIC) recently announced that some of its files were stolen in a ransomware attack on law firm HWL Ebsworth. One of the largest law firms in Australia, HWL Ebsworth, stated that it became aware of the incident on April 28, after the Alphv/BlackCat ransomware gang boasted about the hack, and that it immediately informed the Australian authorities and started investigating the incident. The investigation indicates the threat actor had accessed and exfiltrated certain information on a confined part of the firm's system but not on their core document management system. On June 9, HWL Ebsworth noted that the ransomware group published on their leak site some of the data allegedly stolen from its systems. The law firm says it has yet to determine the full impact of the data breach and that it will notify all individuals whose personal information might have been compromised. On Saturday, June 10, HWL Ebsworth advised the OAIC that a document or documents relating to a limited number of OAIC files were included in the breach experienced by HWL Ebsworth. The incident reportedly impacted the NDIS Quality and Safeguards Commission, the Australian Federal Police, the Commonwealth Director of Public Prosecutions, the Department of Defence, the Department of Home Affairs, the Department of Foreign Affairs, and the Taxation Office as well. The National Australian Bank (NAB), one of the four largest banks in the country, also disclosed some impact from the incident, stating that a small percentage of its customers might have been affected. The Alphv/BlackCat ransomware gang has leaked roughly 1.5 terabytes of data from the roughly 3.6 terabytes it allegedly stole from HWL Ebsworth.

SecurityWeek reports: "Australian Government Says Its Data Was Stolen in Law Firm Ransomware Attack"

"Secrets" are considered sensitive pieces of information that grant access to a cloud environment. Orca Security's research reveals that attackers typically identify misconfigured and vulnerable assets within two minutes and immediately begin exploiting them. Orca Security conducted six months of research by setting up honeypots in nine different cloud environments. The purpose of these honeypots is to attract attackers by simulating misconfigured resources. Every honeypot contained a secret AWS key. Researchers monitored the honeypots to determine if and when an attacker would bite. The goal was to gain insight into the most frequently targeted cloud services, the time it takes for attackers to access public or readily accessible resources, and the time it takes for them to discover and use leaked secrets. Orca's report indicates that exposed secrets on GitHub, HTTP, and SSH were all detected in less than five minutes. AWS S3 Buckets were discovered in under an hour. This article continues to discuss findings from the analysis of cloud-focused cybercrime tactics.

Cybernews reports "Hackers Can Weaponize Exposed Cloud Secrets in Just 2 Minutes"

Researchers have discovered malicious files with backdoor capabilities, which they believe to be a component of a toolkit targeting Apple macOS systems. Researchers at Bitdefender found the set of malicious files with backdoor capabilities believed to be part of an advanced toolkit. According to the researchers, the investigation is ongoing, and the samples remain largely undetected. The researchers analyzed four samples submitted to VirusTotal, with the earliest sample uploaded on April 18, 2023, by an anonymous actor. Two of the three samples uploaded by a victim are backdoors written in Python that target Windows, Linux, and macOS. The first file identified by the researchers is "shared.dat," which, when executed, generates a unique device identifier UID and uses a routine to determine the operating system running on the target machine. The malware can be instructed to extract system information and run specific commands. This article continues to discuss researchers' discovery of malicious files with backdoor capabilities believed to be part of a toolkit targeting Apple macOS systems.

Security Affairs reports "Experts Found Components of a Complex Toolkit Employed in macOS Attacks"

Unidentified attackers are compromising poorly managed Linux SSH servers and instructing them to launch Distributed Denial-of-Service (DDoS) attacks while simultaneously mining cryptocurrency in the background. Tsunami, also known as Kaiten, is a DDoS bot often distributed in conjunction with Mirai and Gafgyt malware strains. The fact that Tsunami functions as an Internet Relay Chat (IRC) bot distinguishes it from other DDoS bots. It uses IRC to communicate with the threat actor. Since Tsunami's source code is publicly available, it is used by various threat actors. It is primarily used in attacks targeting Internet of Things (IoT) devices. Researchers from AhnLab's Security Emergency Response Center (ASEC) explained that it is also frequently used to target Linux servers. This article continues to discuss the targeting of poorly managed Linux SSH servers in DDoS and cryptomining attacks.

Help Net Security reports "Compromised Linux SSH Servers Engage in DDoS Attacks, Cryptomining"

Between June 2022 and May 2023, over 101,100 compromised OpenAI ChatGPT account credentials appeared on illicit dark web marketplaces, with India alone making up 12,632 stolen credentials. Group-IB noted that the credentials were discovered in information stealer logs for sale on the cybercrime underground. In May 2023, the number of available logs containing compromised ChatGPT accounts peaked at 26,802 records. The Asia-Pacific region has seen the greatest number of ChatGPT credentials for sale over the past year. Pakistan, Brazil, Vietnam, Egypt, the US, France, Morocco, Indonesia, and Bangladesh are other countries with the most compromised ChatGPT credentials. Most logs containing ChatGPT accounts have been breached by the Raccoon information stealer (78,348), followed by Vidar (12,987) and RedLine (6,646). This article continues to discuss the discovery of compromised OpenAI ChatGPT account credentials on illicit dark web marketplaces.

THN reports "Over 100,000 Stolen ChatGPT Account Credentials Sold on Dark Web Marketplaces"

The Alphv/BlackCat ransomware gang recently took credit for the February 2023 cyberattack against the social media site Reddit. Reddit disclosed the breach shortly after being hacked earlier this year and described the incident as the result of a sophisticated and highly targeted phishing attack in which an employee's credentials and second-factor authentication tokens were stolen. Reddit noted that the attackers accessed internal documents, internal dashboards, business systems, source code, the information of hundreds of contacts and current and former employees, and advertiser data. Alphv/BlackCat ransomware gang over the weekend listed Reddit on its leak site and claimed to have stolen 80GB of data. No file-encrypting ransomware appears to have been deployed on Reddit's systems. The attackers are demanding a $4.5 million ransom to be paid in exchange for deleting the stolen data and that Reddit drops the API pricing changes set to go into effect this week.

SecurityWeek reports: "Ransomware Gang Takes Credit for February Reddit Hack"

Security researchers at Crossword Cybersecurity have recently discovered 2.2 million breached credentials linked to the UK's 100 top universities available on the dark web, putting staff, students, and their data at risk. The researchers who found the credentials claimed that over half (54%) belong to elite Russel Group institutions. The researchers stated that there is a potential risk to sensitive research if threat actors are able to access user accounts with compromised credentials. The researchers noted that over half (54%) of breached credentials came from UK universities with research facilities with government-funded programs in areas like nuclear energy and defense. The researchers found that the top 30 universities in the country are up to 50% more likely to have breached credentials than other institutions in the top 100 and that London's universities have more breached logins (506,330) than those in Scotland, Wales, and Northern Ireland combined (465,767).

Infosecurity reports: "Millions of UK University Credentials Found on Dark Web"

In April 2023, over 1,300 cybersecurity professionals and experts convened virtually for the first Zero Trust Symposium. The event was sponsored and co-hosted by the MIT Lincoln Laboratory, the Defense Acquisition University (DAU), and the Zero Trust Portfolio Management Office of the Department of Defense (DoD). In cybersecurity, the concept of a zero trust framework has gained significant attention in recent years. Zero trust is the practice of never implicitly trusting a device or user, even if they are already within a network. In this framework, a user and their device are continuously monitored and are only permitted access to job-critical applications and data. Zero trust concepts represent a departure from traditional network security, which for years has regarded a network as a "castle and moat" where, once inside the moat, users are often granted wide-reaching access. The strategy puts organizations at risk from malicious insiders or accounts with compromised credentials. This type of vulnerability has enabled numerous high-profile data breaches, including the 2015 Office of Personnel Management breach in which 22.1 million government personnel records were stolen. This article continues to discuss the event on zero trust that emphasized cultural shifts needed to reach a new cybersecurity norm.

MIT Lincoln Laboratory reports "Symposium Charts Progress to Zero-Trust Cybersecurity"

Researchers at Carnegie Mellon University (CMU) have launched a new website that provides a convenient and easy way for Android users to see how their data is collected and shared. The Android Network Traces (ANT) project maintains a database of more than 14,000 apps, providing comprehensive insight into the apps' data collection and sharing practices. Previously, the research team had created a website that graded the privacy of smartphone apps. However, they continued to receive the same questions regarding the types of data the apps collect, who receives it, and what it is used for. Therefore, Jason Hong, a professor at CMU's Human-Computer Interaction Institute, and members of the Human-Computer Interaction: Mobility Privacy Security Lab (CHIMPS), developed MobiPurpose to track network requests made by Android apps and classify data collection purposes. In their paper titled "Why Are They Collecting My Data?: Inferring the Purposes of Network Traffic in Mobile Apps," the authors describe how MobiPurpose parses each traffic request body into key-value pairs and uses supervised learning and text pattern bootstrapping to infer the data type and data collection purpose of each pair. MobiPurpose can predict the data collection purpose with an average accuracy of 84 percent. Using their method, the researchers collected network traces from thousands of apps and grouped them into five data type categories: network, device, general, location, and account. Then they transformed the information into easily readable charts on the ANT website. This article continues to discuss the research and development behind the new website highlighting Android apps' data collection and sharing practices.

CyLab reports "New Website Highlights Thousands of Android Apps' Data Collection Practices"

Millions of people in Louisiana and Oregon have recently had their data compromised in the sprawling cyberattack that has also hit the US federal government. Authorities stated that the breach had affected 3.5 million Oregonians with driver's licenses or state ID cards and anyone with that documentation in Louisiana. The Louisiana governor's office did not put a number on the number of victims, but over 3 million Louisianians hold driver's licenses. The states did not blame anyone in particular for the hack, but federal officials have attributed a broader hacking campaign using the same software vulnerability to a Russian ransomware gang. Authorities noted that the sweeping hack has likely exposed data at hundreds of organizations across the globe and also compromised multiple US federal agencies, including the Department of Energy, as well as data from major corporations in Britain like the BBC and British Airways. The Russian-speaking hackers that claimed credit are known to demand multimillion-dollar ransoms, though US and state governments say they have not received any demands. The data exposed in the breach of the Oregon and Louisiana motor vehicle departments may include Social Security numbers and driver's license numbers, prompting state authorities to advise their residents on how to protect themselves from identity fraud.

CNN reports: "Millions of Americans' Personal Data Exposed in Global Hack"