News Items

Baseboard Management Controllers (BMCs) are common server-class computer components. Cybercriminals could exploit the capabilities of these controllers to compromise industry and government systems. Neal Ziring, the Technical Director of the National Security Agency's (NSA) Cybersecurity Directorate, commented that implementing effective security defenses for these embedded controllers is often neglected. The firmware in these controllers is highly privileged, so malicious actors can use the firmware's capabilities to remotely control a critical server while evading traditional security tools. Therefore, organizations must take measures to protect servers with BMCs. NSA and the Cybersecurity and Infrastructure Security Agency (CISA) published the Cybersecurity Information Sheet "Harden Baseboard Management Controllers" to help network defenders. The guidance provides network defenders with recommendations and mitigations for securing their systems. This article continues to discuss the guidance released on hardening BMCs.

NSA reports "NSA and CISA Release Guide To Protect Baseboard Management Controllers"

A zero-day vulnerability in the Barracuda Email Security Gateway (ESG) discovered in late May has been exploited in a Chinese espionage campaign since October 2022, according to security researchers at Mandiant. The researchers noted that new threat actor UNC4841 began sending phishing emails as far back as October 10 last year. The researchers stated that these malicious emails contained file attachments designed to exploit the Barracuda bug CVE-2023-2868 to gain initial access to vulnerable appliances. Once a foothold had been established, the group used Saltwater, Seaside, and Seaspray malware to maintain a presence on the devices by masquerading as legitimate Barracuda ESG modules or services. The researchers noted that post-initial compromise, they observed UNC4841 aggressively target specific data of interest for exfiltration and, in some cases, leverage access to an ESG appliance to conduct lateral movement into the victim network or to send mail to other victim appliances. The researchers also observed UNC4841 deploy additional tooling to maintain a presence on ESG appliances. Barracuda discovered the campaign on May 19 and released patches to contain and remediate the threat two days later. However, the threat group switched malware and deployed new persistence mechanisms to maintain access. The researchers noted that between May 22 and 24, UNC4841 targeted victims in 16 countries with "high frequency" operations, prompting Barracuda to take the unusual step of urging customers to isolate and replace their appliances, whatever their patch status. The researchers stated that UNC4841 has shown to be highly responsive to defensive efforts and actively modifies TTPs to maintain their operations.

Infosecurity reports: "Barracuda Zero-Day Exploited by Chinese Actor"

According to Proofpoint, cybercriminals resumed normal operations in 2022 following two years of pandemic-induced disruption. As COVID-19 medical and economic programs began to slow down, attackers were forced to find new ways to make a living by sharpening their social engineering skills, commercializing once-sophisticated attack techniques, and creatively seeking new opportunities. From scaling brute-force and targeted attacks on cloud tenants to an increase in conversational smishing attacks and the expansion of multi-factor authentication (MFA) bypass, the cyberattack landscape in 2022 saw significant developments on multiple fronts. Despite sending over 25 million messages in 2022, which is more than double the volume of the second most prominent threat actor, Emotet's presence has been unsteady, and the group has demonstrated a lack of adaptability to the post-pandemic threat landscape. This article continues to discuss key findings from Proofpoint's annual Human Factor report.

Help Net Security reports "Cybercriminals Return to Business as Usual in a Post-pandemic World"

Research published in the International Journal of Web Based Communities introduces a new method for identifying abnormal users in social networks, which involves analyzing multiple user behavior characteristics. Using the APIs of different social networks, Jian Xie of the College of Education at Fuyang Normal University in Fuyang, China, collected comprehensive data about users, including information about their accounts, the content they post, and the specific behaviors they exhibit. This data analysis allowed him to ascribe a set of attributes to users. Through attribute reduction, he eliminated redundant features and built a targeted attribute feature set to analyze suspicious accounts. Xie then used the data to train the XGBoost model, a Machine Learning (ML) algorithm, in order to develop a highly objective function that can quickly flag abnormal behavior on a social network. Xie was able to identify abnormal users with 95 percent accuracy. This level of accuracy in identification is enough to alert the system's administrators to any potential issues, which could then be manually investigated and handled (e.g., blocking malicious users). The approach could set the groundwork for developing highly effective social network security policies. This article continues to discuss the proposed approach to identifying abnormal users in social networks and its potential impact on security for social networking.

Inderscience reports "Detecting Deviators From the Norm - 'An Accurate Identification Method of Abnormal Users in Social Network Based on Multivariate Characteristics'"

The popular disposable email provider Temp Mail left its systems publicly accessible for over three months, thus risking potential security breaches and widespread malware distribution. The Cybernews research team recently discovered a configuration error in the Temp Mail system that exposed sensitive data. Temp Mail is a free disposable email service that enables users to receive email at a temporary address, which then self-destructs after a specified amount of time. The email service is a popular option for users who wish to avoid spam and protect their email addresses from disclosure when registering on different websites, blogs, and forums. The recently discovered misconfiguration could have allowed malicious actors access to the internal systems of Temp Mail, manipulate sensitive data, deliver malware on a large scale, and target users. The severity of the situation is highlighted by the fact that Temp Mail's Android app alone has over 10 million downloads. This article continues to discuss the Temp Mail system leaving sensitive data exposed and the potential impact of this exposure.

Cybernews reports "Popular Email Provider Leaves Systems Wide Open"

SAP on Tuesday announced the release of eight new security notes as part of its June 2023 Security Patch Day, including two notes that address high-severity vulnerabilities. Five other notes were updated. The most important of SAP's new security notes resolve a stored cross-site scripting (XSS) bug in UI5 Variant Management. The bug is tracked as CVE-2023-33991 (CVSS score of 8.2), and it can be exploited to gain user-level access to the UI5 Varian Management application and compromise confidentiality, integrity, and availability. The second high-severity flaw is a missing authentication issue in Plant Connectivity and Production Connector for Digital Manufacturing, tracked as CVE-2023-2827 (CVSS score of 7.9). SAP noted that it can be exploited to connect to a vulnerable application without a valid JSON Web Token (JWT). According to enterprise application security firm Onapsis, "in order to fully patch this vulnerability, both components must be patched, and JWT signature validation must be configured from the Cloud Connector settings." This week, SAP also updated two notes dealing with high-severity bugs in Knowledge Warehouse (CVE-2021-42063) and SAPUI5 (CVE-2023-30743). The updates only contain "minor textual or structural" changes from the previous notes. Of the eight new and updated medium-severity security notes that SAP released this week, six deal with XSS flaws in NetWeaver, CRM ABAP (Grantor Management), CRM (WebClient UI), and BusinessObjects. The other two notes resolve an information disclosure bug in S/4HANA and an SQL injection issue in Master Data Synchronization. The last security note published on SAP's June 2023 Security Patch Day resolves a low-severity denial-of-service (DoS) vulnerability in NetWeaver (Change and Transport System).

SecurityWeek reports: "SAP Patches High-Severity Vulnerabilities With June 2023 Security Updates"

Security researchers at Patchstack discovered that hundreds of thousands of ecommerce websites could be exposed to attacks due to a critical vulnerability in the WooCommerce Stripe Payment Gateway plugin. Tracked as CVE-2023-34000, the issue is described as an unauthenticated insecure direct object reference (IDOR) bug leading to information disclosure. The researchers noted that specifically, the flaw allows an unauthenticated attacker to view any information that a user provides when placing an order, including name, address, and email address. The security defect exists because the "javascript_params" and "payment_fields" functions lack proper access control and handle data in an insecure manner. The researchers stated that due to the lack of order ownership checks, an attacker can exploit the bugs to view order information in the site's page source or in the front end. The issue was resolved on May 30 with the release of WooCommerce Stripe Payment Gateway version 7.4.1. According to the official WordPress web store, the plugin has more than 900,000 active installations, and hundreds of thousands of them could be vulnerable to attacks based on available version use data.

SecurityWeek reports: "Hundreds of Thousands of eCommerce Sites Impacted by Critical Plugin Vulnerability"

There is a common misconception that a website with low traffic or that does not offer transaction-intensive online commerce does not need to prepare for Distributed Denial-of-Service (DDoS) attacks because it is not an attractive target. According to Jag Bains at TechRepublic, cybercriminals do not care about a website's popularity or offerings. In addition, hackers are always looking for new methods to launch even more complex and effective attacks that could have devastating financial and reputational outcomes for unprepared victims. It is currently simple and inexpensive to execute cyberattacks on a large scale. A DDoS attack can even be booked on one of many shady platforms, allowing low-skilled attackers to easily carry out such attacks without having to deal with the technology themselves. Therefore, not being prepared for DDoS attacks is no longer an option, no matter what a company's size, industry, or level of popularity is. This article continues to discuss the assumptions businesses should not make about their DDoS defenses and the steps they should take to reduce the likelihood of such attacks.

TechRepublic reports "DDoS Threats and Defense: How Certain Assumptions Can Lead to an Attack"

According to a new report by Akamai, hackers launched 14 billion attacks against the e-commerce industry in 15 months, placing it at the top of the list of targets for Application Programming Interface (API) and web application exploits. Researchers found that the volume of attacks against e-commerce companies is primarily due to the digitalization of the industry and the wide variety of vulnerabilities hackers can exploit in the web applications of their intended targets. E-commerce companies store sensitive data such as Personally Identifiable Information (PII) and payment account details, making them a lucrative target for cybercriminals, according to researchers who analyzed web attacks from January 1, 2022, to March 31, 2023. Retail, hotel, and travel companies topped the list of 13 industries with 14.5 billion attacks, or more than one-third of all attacks explored by Akamai. The high-tech industry ranked second with approximately 9 billion attacks, followed by the financial services industry with around 7 billion. This article continues to discuss e-commerce companies being the top targets for API and web application exploits.

BankInfoSecurity reports "E-Commerce Firms Are Top Targets for API, Web Apps Attacks"

Researchers at B42 Labs have shared some findings from their exploratory research on the application of Large Language Models (LLMs) to malware automation, examining how a potential new type of autonomous threat may manifest in the near future. The researchers explored the potential architecture of an autonomous malware threat based on four main steps: Artificial Intelligence (AI)-assisted reconnaissance, reasoning and planning, and AI-assisted execution. They demonstrated the possibility of using an LLM to recognize infected environments and determine which malicious actions would be most appropriate for the environment. In order to leverage LLMs in the complex task of generating code on the fly to accomplish the malicious objectives of the malware agent, they adopted an iterative code generation strategy. This article continues to discuss findings from B42 Labs researchers' analysis of the application of LLMs to malware automation.

Security Affairs reports "LLM meets Malware: Starting the Era of Autonomous Threat"

Hackers are posing as cybersecurity researchers on Twitter and GitHub to publish fake proof-of-concept (PoC) exploits for zero-day vulnerabilities that infect Windows and Linux with malware. The alleged researchers advertise these malicious exploits through a fake cybersecurity company called "High Sierra Cyber Security," which promotes the GitHub repositories on Twitter, likely targeting cybersecurity researchers and companies engaged in vulnerability research. The repositories seem legitimate, as the users who maintain them even use headshots to impersonate real security researchers from Rapid7 and other security companies. The same personas maintain Twitter accounts to lend credibility to their research and code repositories, such as GitHub, as well as to attract victims from the social media platform. According to VulnCheck, this campaign has been active since at least May 2023, promoting exploits for zero-day vulnerabilities in software such as Chrome, Discord, Signal, WhatsApp, and Microsoft Exchange. This article continues to discuss the impersonation of cybersecurity researchers to publish fake PoC exploits that push Windows and Linux malware.

Bleeping Computer reports "Fake Zero-Day PoC Exploits on GitHub Push Windows, Linux Malware"

A Chinese cyber espionage group that researchers previously spotted targeting VMware ESXi hosts has been exploiting a zero-day authentication bypass flaw in the virtualization technology to execute privileged commands on guest Virtual Machines (VMs). Researchers from Mandiant discovered the vulnerability during ongoing investigations of UNC3886, a Chinese threat actor they have been monitoring for some time. They disclosed the vulnerability to VMware, which then issued a patch to address it. VMware Tools, a collection of services and modules for improved administration of guest operating systems, contains the zero-day vulnerability, tracked as CVE-2023-208670. The vulnerability enables attackers to use a compromised ESXi host to transfer files to and from Windows, Linux, and vCenter guest VMs without the need for guest credentials and without the activity being logged by default. VMware rated the vulnerability as having a medium severity because an attacker must already have root access to an ESXi host in order to exploit it. This article continues to discuss UNC3886 and the threat actor's exploitation of a zero-day vulnerability in VMware Tools.

Dark Reading reports "Chinese Threat Actor Abused ESXi Zero-Day to Pilfer Files From Guest VMs"

Scientists from the University of Science and Technology of China (USTC) of the Chinese Academy of Sciences (CAS) and their collaborators from Tsinghua University, Jinan Institute of Quantum Technology, and Shanghai Institute of Microsystem and Information Technology (SIMIT) have achieved point-to-point long-distance Quantum Key Distribution (QKD) over a distance of 1,002 kilometers. This achievement sets a new world record for non-relay QKD and offers a solution for high-speed intercity quantum communication. QKD is based on quantum mechanics principles and enables the secure distribution of keys between two remote parties. It can attain the highest level of security for confidential communication when combined with the "one-time pad" encryption technique. However, QKD's range has been limited by channel loss and system noise. This study's achievement has significant implications for the development of secure quantum communication. This article continues to discuss the achievement of point-to-point long-distance QKD over a distance of 1,002 km.

SCIENMAG reports "USTC Achieves Thousand-Kilometer Quantum Key Distribution"

According to the FBI's Internet Crime Complaint Center (IC3), Business Email Compromise (BEC) is a sophisticated scam targeting businesses and individuals performing legitimate transfer-of-funds requests. The scam is often perpetrated when someone compromises legitimate business or personal email accounts through social engineering or computer intrusion to conduct unauthorized fund transfers. BEC is not always associated with a request to transfer funds. BEC attack variations often involve compromising legitimate business email accounts and requesting Personally Identifiable Information (PII), Wage and Tax Statement (W-2) forms, and cryptocurrency wallets from employees. The BEC scam continues to evolve, targeting small local businesses, larger companies, and personal transactions. In 2022, the IC3 observed an increase in the reporting of BEC incidents. BEC attacks have been reported in all 50 states and 177 countries. According to the financial data reported to the IC3 for 2022, banks in Hong Kong and China were the primary international destinations of fraudulent funds. The UK, which often serves as an intermediary stop for funds, Mexico, and Singapore followed. This article continues to discuss the concept of BEC attacks, statistical data on these attacks, and suggestions for protecting against BEC attacks.

HSToday reports "Business Email Compromise: The $50 Billion Scam"

France's foreign minister recently announced that France had prevented a hybrid digital attack on the ministry's website, likely carried out by Russian state-linked actors, along with attacks on other government websites and French media sites. Foreign Minister Catherine Colonna also said France believed there was a broader campaign of spreading disinformation in France by Russian protagonists. Colonna noted that this campaign is notably based upon creating fake internet pages to hack into the identity of national media and government websites, as well as by creating fake accounts on social media networks. Moscow has consistently denied that it carries out hacking operations. However, Colonna said Russian embassies and Russian cultural institutes were also involved in this campaign and reaffirmed France's support for Ukraine in its conflict with Russia.

Reuters reports: "France Says it Thwarted Attack on Websites From Russian State-Linked Actors"

Professor Kevin Jones and Dr. Kimberly Tam at the University of Plymouth share their expertise and provide some answers regarding whether clean maritime solutions are resilient to cyberattacks at sea. Companies throughout the UK are benefiting from a funding boost aimed at accelerating the development of clean maritime solutions, which will create a supportive but competitive environment at a time when innovations and new challenges are emerging. However, in order for solutions to be long-lasting, they must be not only effective but also resilient. Many of these solutions rely heavily on cutting-edge technology, which increases their vulnerability to cyberattacks. Therefore, cybersecurity must be considered in the early phases of technological development. Only by combining efficiency and security can we ensure clean technologies' short- and long-term viability. This includes bolstering the security of the data that the technology uses and generates, and reducing the likelihood of cyber-physical effects, such as a Denial-of-Service (DoS) attack, which could prevent clean maritime solutions from functioning. This article continues to discuss insights on the resilience of maritime solutions to cyberattacks at sea.

The University of Plymouth reports "Are Clean Maritime Solutions Resilient to Cyber-Attacks at Sea?"

Intellihartx, a company providing patient balance resolution services to hospitals, is starting to inform roughly 490,000 individuals that their personal information was compromised in the GoAnywhere zero-day attack earlier this year. Disclosed in early February and linked to the infamous Cl0p ransomware gang, the cyberattack exploited a zero-day vulnerability in Fortra's GoAnywhere managed file transfer (MFT) software. Tracked as CVE-2023-0669 and leading to remote code execution, the flaw had been exploited starting January 28. Intellihartx says it has concluded its review of the data potentially compromised during the attack and has also identified the impacted individuals. The company stated that the affected information includes names, addresses, insurance data and medical billing, diagnosis and medication information, birth dates, and Social Security numbers. Intellihartx says it is not aware of the compromised information being misused. However, the Cl0p gang has made the data allegedly stolen from the company available on its leak site.

SecurityWeek reports: "Intellihartx Informs 490k Patients of GoAnywhere-Related Data Breach"

There are disagreements among security researchers regarding the danger posed by the recently discovered malware "CosmicEnergy" to critical infrastructure. Last month, the threat intelligence company Mandiant identified CosmicEnergy as a "plausible threat" to electric grid operators. Mandiant first identified the malware after the code was uploaded to a public malware scanning tool in December 2021. In an analysis report released last month, the company noted that there was evidence indicating that it had been designed as a red teaming tool for simulated power disruption exercises. According to the report, given that threat actors use red team tools and public exploitation frameworks for targeted threat activity, CosmicEnergy is believed to pose a plausible threat to impacted electric grid assets. In a report published last week, however, researchers from the industrial cybersecurity company Dragos noted that the malware is not yet mature enough to endanger Operational Technology (OT) networks. Dragos also mentioned CosmicEnergy's probable origins as a training tool for detection development, figuring that while its discovery should prompt organizations to reevaluate OT security, there was no immediate threat to OT environments. Jimmy Wylie, technical lead malware analyst and lead author, commented that there are no indications that an adversary is actively deploying CosmicEnergy. This article continues to discuss disputes regarding the CosmicEnergy malware.

SC Magazine reports "CosmicEnergy's Threat to Critical Infrastructure in Dispute"

Security researchers have recently discovered a breach at Zacks Investment Research dating back to 2020, which appears to have impacted millions of customers. So far, the stock research and analysis firm has made no public disclosure about the incident. However, a post on the breach site HaveIBeenPwned revealed that a trove of data numbering nearly nine million customers are being widely shared on a popular hacking forum. Security researchers noted that the most recent data was dated May 2020 and included names, usernames, email and physical addresses, phone numbers, and passwords stored as unsalted SHA-256 hashes. The publication of the data means that customers should expect follow-on phishing and other attacks. In January, the firm revealed a data breach that affected an estimated 820,000 customers, which it said occurred "sometime between November 2021 and August 2022." This particular incident involved a legacy database of customers who signed up for the Zacks Elite product between November 1999 and February 2005.

Infosecurity reports: "Historic Zacks Breach Impacts Nearly Nine Million"

A study involving high-interaction honeypots with a Remote Desktop Protocol (RDP) connection accessible from the public web demonstrates that attackers are relentless and follow a daily schedule that closely resembles office hours. Researchers at GoSecure, a threat detection and response company with headquarters in the US and Canada, logged close to 3.5 million login attempts to their RDP honeypot system over the course of three months. At the NorthSec cybersecurity conference in Montreal, Canada, Andreanne Bergeron, a GoSecure cybersecurity researcher, explained that the honeypots are tied to a research program aimed at understanding attacker strategies, which could then be translated into prevention advice. The honeypot has operated intermittently for more than three years and continuously for over a year, but the data compiled for the presentation only represents three months, from July 1 to September 30, 2022. During this time period, the honeypot was hit 3,427,611 times by more than 1,500 unique IP addresses. However, the total number of login attempts for the entire year reached 13 million. This article continues to discuss the GoSecure researchers' experiment involving its RDP honeypot system.

Bleeping Computer reports "RDP Honeypot Targeted 3.5 Million Times in Brute-Force Attacks"

According to Trend Micro, security leaders recognize that the cloud and how cloud security teams operate today are becoming increasingly critical to business and Information Technology (IT) operations. Therefore, cloud security and the foundational practices of their teams will be integrated into the Security Operations Center (SOC) in the coming years to increase efficiencies. Leaders who have navigated cloud security successfully are well-equipped to navigate a similar transition to the modern SOC landscape. Software consumes everything, creating system infrastructure increasingly defined as code and dependent on large volumes of data, with automation serving as the foundation for delivering value at accelerating rates. These concepts are foundational to teams building and securing in the cloud, but SOC and IT infrastructure teams' tooling, such as cross-detection and response (XDR), also use them and can benefit from absorbing the scale, skills, and expertise of cloud teams. Trend Micro predicts that viable SOC tools will increasingly incorporate cloud protection capabilities. This article continues to discuss Trend Micro's predictions regarding cloud security.

Help Net Security reports "Incorporating Cloud Security Teams Into the SOC Enhances Operational Efficiencies"

Transferring sensitive data to non-Health Insurance Portability and Accountability Act (HIPAA)-covered entities may result in compliance complications, data breaches, lawsuits, and patient privacy risks. Third-party tracking tools promise functionality but may transmit sensitive data back to technology companies, potentially threatening the privacy of patients. Multiple high-profile healthcare data breaches and lawsuits against hospitals and technology companies over the use of third-party tracking tools prompted researchers to further examine the trend. Matthew McCoy, assistant professor of medical ethics and health policy at the University of Pennsylvania and one of the study's authors, noted that prior to the study, there had been some investigative reporting on the use of tracking technologies on the websites of small groups of hospitals. McCoy, together with Ari B. Friedman, assistant professor of emergency medicine at the University of Pennsylvania, and their colleagues set out to explore the prevalence of tracking technologies on hospital websites. The researchers discovered third-party tracking technologies on 98.6 percent of all US nonfederal acute care hospital websites. This article continues to discuss analytics tools and third-party tracking technologies posing threats to patients' privacy.

HealthCareExecIntelligence reports "How Analytics Tools, Third-Party Tracking Tech Pose Threats to Patient Privacy"

Researchers expect a rise in Log4J exploits as cybercriminals continue to find new methods to circumvent the ongoing implementation of Microsoft's anti-phishing measures. Microsoft blocked the enablement of VBA macros in Office documents by default in 2022, after the Information Technology (IT) community had demanded it for years. Therefore, one of the leading methods for delivering malware via Office documents and phishing emails was nullified. Since then, ESET researchers have observed a global increase in exploits targeting the Log4J vulnerability. Researchers are uncertain as to the cause of the increase in attempts, but cybercriminals may be seeking new attack methods now that phishing with malicious documents has become more difficult. This article continues to discuss the expected rise in Log4J exploits, the latest Log4J numbers, and the effectiveness of blocking VBA macros.

ITPro reports "Log4J Exploits May Rise Further as Microsoft Continues War on Phishing"

According to researchers at the San Francisco-based company Robust Intelligence, a feature in Nvidia's Artificial Intelligence (AI) software can be manipulated to disregard safety restrictions and reveal private information. The "NeMo Framework" developed by Nvidia enables developers to work with various Large Language Models (LLMs), the underlying technology that drives generative AI products such as chatbots. The chipmaker designed the framework to be adopted by businesses. Researchers at Robust Intelligence discovered they could easily circumvent so-called guardrails intended to ensure the AI system's safe use. After using the Nvidia system on its own data sets, it took Robust Intelligence analysts hours to get LLMs to overcome restrictions. In one test scenario, the researchers instructed the Nvidia system to replace the letter 'I' with the letter 'J.' This action triggered the release of Personally Identifiable Information (PII) from a database. This article continues to discuss researchers manipulating a feature in Nvidia's AI software to reveal sensitive information.

Ars Technica reports "Nvidia's AI Software Tricked Into Leaking Data"