News Items

Researchers predict that cybercriminals' abuse of Artificial Intelligence (AI) will soon lead to an influx of automated and multistage cyberattacks. Attack data collected between May and July indicate that cybercriminals are increasingly using social engineering techniques to deliver multistage payloads. According to researchers at Darktrace, there has been a 59 percent increase in malicious emails sent to potential victims, instructing them to complete a series of steps before delivering a malicious payload or attempting to gather sensitive information. Darktrace detected nearly 50,000 more of these attacks in July than in May, suggesting the potential use of automation. Darktrace did not conclusively declare that AI was involved in these attacks but rather that the technology could be used to expedite attacks. The Darktrace Cyber AI Research Centre predicts that the speed of these attacks will increase as greater automation and AI are incorporated and used by attackers. This article continues to discuss the abuse of AI beyond phishing.

SC Media reports "AI Abuse Grows Beyond Phishing to Multistage Cyberattacks"

Ticketing services agency See Tickets recently notified more than 300,000 individuals that their payment card data was stolen in a new web skimmer attack. Owned by Vivendi SA, See Tickets provides ticketing services for a broad range of event types, including comedy, festival, lifestyle, and sport, and operates both regional and international websites in North America and Europe. In May 2023, See Tickets became aware of unusual activity on some of its e-commerce websites. The company hired a forensics firm to investigate the unusual activity and discovered that, in May and June 2023, an unauthorized third party "inserted multiple instances of malicious code into a number of See Tickets' e-commerce checkout pages." Between February 28 and July 2, the malicious code collected and exfiltrated the information that users provided on those checkout pages, including their names, addresses, and payment card information.

SecurityWeek reports: "See Tickets Alerts 300,000 Customers After Another Web Skimmer Attack"

Microsoft announced in July that it had mitigated an email-targeting attack by a threat actor with ties to China, tracked as Storm-0558. Storm-0558 threat actors have been observed conducting cyber espionage, data theft, and credential access attacks against government agencies in Western Europe. An investigation revealed that an attack began on May 15, 2023, when Storm-0558 accessed the email accounts of about 25 organizations, including government agencies and consumer accounts associated with these organizations. The attackers forged authentication tokens to access user email with a Microsoft account consumer signing key they had acquired. Researchers discovered that the threat actors accessed email accounts through Outlook Web Access in Exchange Online and Outlook[.]com by forging authentication tokens. Microsoft has now released a comprehensive technical investigation into how attackers accessed the consumer signing key. The threat actors stole the signing key from a Windows crash dump after compromising a Microsoft engineer's corporate account. This article continues to discuss Storm-0558 stealing a signing key used to breach government email accounts from a Windows crash dump.

Security Affairs reports "Chinese Cyberspies Obtained Microsoft Signing Key From Windows Crash Dump Due to a Mistake"

Security researchers at BugProve have discovered dozens of vulnerabilities in security cameras made by Zavio. Zavio is a defunct Chinese company, but its security cameras are reportedly still deployed in the United States and Europe. Since Zavio has been shut down, the researchers worked with CCTV Camera Pros, the main distributor of Zavio cameras in North America, to verify the vulnerabilities and with the US Cybersecurity and Infrastructure Security Agency (CISA) to coordinate the disclosure and obtain CVE identifiers for the flaws. The researchers identified more than 34 memory corruption and command injection vulnerabilities affecting various Zavio IP camera models, specifically a daemon called "Onvif," which is used for integrations with various surveillance systems. According to the researchers, seven of the vulnerabilities can be exploited for unauthenticated remote code execution with root privileges. The researchers noted that these types of flaws can typically enable attackers to take complete control of the targeted device. IP cameras can be targeted to hijack their video feeds, but in the wild, they are mostly targeted by botnets and abused for DDoS and other attacks. While the researchers have found many individual vulnerabilities, CISA has decided to assign only two CVE identifiers, CVE-2023-4249 and CVE-2023-3959, due to the flaws stemming from the same core issues. Since the impacted Zavio cameras will not receive patches, users have been advised to replace the devices to prevent falling victim to cyberattacks. CCTV Camera Pros is informing customers that Zavio cameras are no longer available and is recommending alternatives. The researchers originally discovered the weaknesses in late 2022, but the disclosure process was long due to the vendor's failure to respond, and due to the time it took CISA to verify the vulnerabilities.

SecurityWeek reports: "Dozens of Unpatched Flaws Expose Security Cameras Made by Defunct Company Zavio"

Pandora, a variant of the Mirai botnet, has been spotted infiltrating inexpensive Android-based TVs and TV boxes to use them as part of a botnet to launch Distributed Denial-of-Service (DDoS) attacks. According to Doctor Web, the compromises are likely to occur during malicious firmware updates or when applications for accessing pirated video content are installed. Signed with publicly available Android Open Source Project test keys, it is likely that this update has been made available for download from multiple websites, according to the company. The service that runs the backdoor is included in boot[.]img, allowing it to survive system reboots. In the alternative distribution methods, researchers believe that users are tricked into installing applications for streaming pirated movies and TV shows via websites mainly aimed at Spanish-speaking users. This article continues to discuss the Mirai botnet variant Pandora.

THN reports "Mirai Botnet Variant 'Pandora' Hijacks Android TVs for Cyberattacks"

IBM recently notified customers and users of a Johnson & Johnson healthcare platform that their personal information may have been compromised as a result of a data breach. IBM explained that it provides services to Johnson & Johnson, which includes managing an application and third-party database for the company's Janssen CarePath patient support program. When Janssen became aware of a vulnerability that enabled unauthorized access to the CarePath database. IBM was informed about the security hole and worked with the database provider to address the issue. It's not uncommon for companies to become aware of vulnerabilities causing data exposure. However, an investigation revealed that in this case, there was unauthorized access to personal information in the impacted database on August 2. IBM stated that the affected information includes names, contact information, dates of birth, health insurance data, and medical information. IBM noted that social security numbers and financial account information were not stored in the database. The extent of the access could not be determined, but IBM has decided to notify CarePath users and customers whose information was exposed "out of an abundance of caution," offering them free credit monitoring services for one year. IBM noted that it found no evidence that the exposed information was misused. It's unclear how many individuals have been impacted by the incident, but Janssen says on its website that 1.16 million patients in the US were helped through the CarePath program in 2022.

SecurityWeek reports: "IBM Discloses Data Breach Impacting Janssen Healthcare Platform"

Staff shortages and limited budgets have long troubled local governments and school districts trying to defend themselves against cyberattacks. In Arizona, the statewide information security and privacy office known as Cyber Command provides free cloud-based security services to state and local agencies, a strategy known as whole-of-state cybersecurity. Since the tools are cloud-based security stacks, the state can add customers and enable them to connect from any location and device. This strategy has helped Arizona strengthen its cybersecurity. The program was launched in November 2020, and by February 2021, the statewide number of critical and important vulnerabilities decreased from over 11,000 to less than 1,000. This article continues to discuss the impact of Arizona's whole-of-state cybersecurity program.

Route Fifty reports "How One State Pushes Cybersecurity to Local Agencies"

The US Cybersecurity and Infrastructure Security Agency (CISA) has announced a voluntary pledge for manufacturers of K-12 Education Technology software to design products with improved security. CISA has received commitments from six K-12 software technology providers, including PowerSchool, Classlink, Clever, GG4L, Instructure, and D2L. CISA Director Jen Easterly emphasized that it is crucial to address K-12 cybersecurity issues by ensuring schools and administrators have access to safe and secure technology and software right out of the box. All K-12 software developers are encouraged to help CISA strengthen cybersecurity for the education sector by prioritizing security as a fundamental aspect of product development. This article continues to discuss the Secure by Design Pledge with K-12 Education Technology providers.

CISA reports "CISA Announces Secure by Design Pledge with K-12 Education Technology Providers"

University of Wisconsin-Madison researchers have developed a Proof-of-Concept (PoC) Chrome extension that can steal plaintext passwords from the HTML source code of nearly any website. In a recently published paper, the researchers detailed how a comprehensive analysis of the security of text input fields in web browsers revealed that their coarse-grained permission model violates two security design principles: least privilege and complete mediation. The researchers also identified two input field vulnerabilities, including plaintext passwords in the HTML source code of popular websites such as gmail[.]com. Cloudflare, Facebook, Amazon, Citibank, and Capital One are just a few other major websites that store plaintext passwords in their HTML source code. About 12.5 percent of the extensions on the Chrome web store have the necessary permissions to exploit these vulnerabilities, including some of the most widely used ad blockers and shopping add-ons. This article continues to discuss the researchers' key findings regarding security vulnerabilities in browser text input fields.

TechSpot reports "Rogue Chrome Extensions Can Steal Passwords From Websites Such as Gmail, Amazon & Facebook"

Security researchers at Truffle Security warn that thousands of the domains in the Alexa top 1 million websites list are leaking secrets, including credentials. The researchers noted that 4,500 of the analyzed websites exposed their .git directory. Created when a Git repository is initialized, a .git directory includes all the information necessary for a project, including code commits, file paths, version control information, and more. In the case of some websites, the researchers noted, this directory can include their entire private source code. Exposed .git directories could provide attackers with access to the entire source code, configuration files, commit history, and access credentials. The researchers stated that attackers could use this inside knowledge to mount an attack against the victim's web application or search the code for live credentials to third-party services like AWS. An analysis of the exposed credentials has revealed that AWS and GitHub keys were the most prevalent type of leaked secrets, accounting for 45% of all credentials. According to the researchers, an explanation for the large number of exposed GitHub tokens is the fact that they are often stored in the Git config file during remote repository cloning. The researchers noted that third-party email marketing services (like Mailgun, SendInBlue, Mailchimp, and Sendgrid) accounted for a large percentage of the leaked keys as well. Looking into the exposed GitHub credentials, the researchers discovered that roughly 67% of them were for accounts with admin-level privileges. All (100%) had repo permissions, which would enable an attacker to take arbitrary actions against all of the victim user's repositories, including, but not limited to, implanting malware in the code. Further analysis of the identified secrets revealed the exposure of a private RSA key corresponding to a domain's TLS certificate, potentially allowing attackers to conduct man-in-the-middle attacks. The researchers stated that they attempted to contact all impacted site owners after identifying and verifying the exposed secrets but noted that the endeavor was not successful in all cases.

SecurityWeek reports: "Thousands of Popular Websites Leaking Secrets"

According to a report by AppViewX and Forrester Consulting, of the organizations that have experienced data breaches, 58 percent were due to problems with digital certificates. Fifty-seven percent revealed that their organizations have incurred significant costs per service outage. According to the Forrester study, organizations have traditionally paid less attention to managing machine identities than human ones, in part because machine identities have different requirements and more complex lifecycle and security challenges. Digital certificates provide authentication and protection for sensitive information. However, few organizations are confident in their ability to effectively layer and manage identity security across machines and navigate privacy and security responsibility assignments. Fifty-eight percent of organizations that experienced a data breach attributed it to preventable certificate-management issues. Fifty-two percent of organizations that faced a service or application outage cited certificated-related issues as the cause. This article continues to discuss key findings from AppViewX and Forrester Consulting regarding digital certificate issues.

Help Net Security reports "Avoidable Digital Certificate Issues Fuel Data Breaches"

A threat actor known as W3LL developed a phishing kit to circumvent multi-factor authentication (MFA) and other tools. Over 8,000 Microsoft 365 corporate accounts have been compromised by the phishing kit. In ten months, security researchers discovered that W3LL's utilities and infrastructure were used in 850 phishing attacks to steal the credentials of over 56,000 Microsoft 365 accounts. W3LL's custom phishing tools were used in Business Email Compromise (BEC) attacks, resulting in significant financial losses. According to researchers, W3LL's inventory encompasses nearly the entire kill chain of a BEC operation and can be operated by "cybercriminals of all technical skill levels." This article continues to discuss the W3LL phishing kit.

Bleeping Computer reports "W3LL Phishing Kit Hijacks Thousands of Microsoft 365 Accounts, Bypasses MFA"

A new study reveals that most major car makers acknowledge they may be selling users' personal information. However, they are vague about the buyers. Half of them would share such information with the government or law enforcement without a court order. The proliferation of automobile sensors, ranging from telematics to digital control consoles, has transformed them into data-collection powerhouses. The latest "Privacy Not Included" survey by the non-profit Mozilla Foundation found that drivers have little to no control over the personal data collected by their vehicles. Given the history of manufacturers' vulnerability to hacking, the ambiguity of security standards is a major concern. This article continues to discuss key findings and points from the survey.

AP reports "Carmakers Are Failing the Privacy Test. Owners Have Little or No Control Over Data Collected"

Encryption is the most common method for protecting information. Information is encrypted using a Random Number Generator (RNG), which can be a computer program or the hardware itself. The RNG provides the keys to encrypt and unlock information at the receiving end. According to researchers, the Quantum Random Number Generator (QRNG) is the hardware method that provides the best randomness. Guilherme B. Xavier, a researcher at Linkoping University's Department of Electrical Engineering, and his research group, in collaboration with researchers at the Department of Physics, Chemistry, and Biology (IFM), have developed a new type of QRNG that can be used for encryption. The use of light-emitting diodes made from the crystal-like material perovskite is a new aspect of the researchers' QRNG. This article continues to discuss the new type of RNG for encryption developed at Linkoping University.

Linkoping University reports "Better Cybersecurity With New Material"

Dr. Yongfeng (Felix) Ge of Victoria University will develop an evolutionary computation-based framework to optimize privacy and utility issues associated with data storage and publishing. Recent large-scale data breaches in Australia, which resulted in the disclosure of personal information belonging to millions of people, have highlighted the need for enhanced data security systems. His project titled "Evolving privacy and utility in data storage and publishing" seeks to produce the theory and practical demonstration of building a reliable and robust system for privacy preservation and utility maintenance. This article continues to discuss the project aimed at developing a new framework for data privacy and utility.

Victoria University reports "VU Researcher to Develop New Framework for Data Privacy & Utility"

NoName057(16), a Russian hacker group, conducts Distributed Denial-of-Service (DDoS) attacks against European financial institutions, government websites, and transportation services. The group recently claimed responsibility for disrupting the websites of several banks and financial institutions in the Czech Republic and Poland, which it views as hostile to the Russian state due to their support for Ukraine. NoName057(16), like other pro-Kremlin hacktivist groups such as Killnet or the Cyber Army of Russia, carries out relatively easy and brief DDoS attacks with the help of hundreds of volunteers. The objective is to disrupt everyday life, even if it is just for a few minutes. Researchers note that some aspects distinguish this group from others. According to Pascal Geenens, director of cyber threat intelligence at the cybersecurity company Radware, NoName057(16) is considered a "lone wolf" in the Russian cybercrime landscape as the group does not form any alliances with other hackers and relies mainly on the custom-built DDoSia toolkit to execute its attacks. This article continues to discuss findings and observations regarding NoName057(16).

The Record reports "What's in a NoName? Researchers See a Lone-Wolf DDoS Group"

According to security researchers at Group-IB, cyber fraudsters have been observed increasingly exploiting vulnerabilities in air miles and customer service systems across the EU, the UK, and the US. The researchers noted that in 2022 alone, cases of loyalty fraud surged by 30%, impacting more than 75 airlines and involving over 2000 malicious resources. The researchers stated that one common tactic employed by fraudsters is the customer service scam. Scammers impersonate airlines' customer service through fake phone numbers. They lure victims into calling these numbers, often shared via various platforms, under the guise of booking flights or claiming refunds. The researchers noted that unsuspecting victims end up divulging their banking information, including credit card details. Fraudsters may even attempt to install remote access Trojans (RATs) on victims' devices, potentially gaining control over sensitive data. Fraudsters have also been observed employing tactics like phishing websites, promising victims enticing rewards or prizes.

Infosecurity reports: "Airlines Battle Surge in Loyalty Program Fraud"

Hackers are exploiting two MinIO vulnerabilities to compromise object storage systems, gain access to private information, execute arbitrary code, and take control of servers. MinIO is an open-source object storage service compatible with Amazon S3 and capable of storing up to 50TB of unstructured data, logs, backups, and container images. MinIO is a popular, cost-effective option due to its high performance and adaptability, especially for Artificial Intelligence (AI)/Machine Learning (ML) and data lake applications. The two vulnerabilities discovered chained in attacks by Security Joes' incident responders are tracked as CVE-2023-28432 and CVE-2023-28434, two critical flaws affecting all versions of MinIO before RELEASE.2023-03-20T20-16-18Z. During an incident response engagement, analysts discovered that attackers attempted to deploy a modified version of the MinIO application, named Evil MinIO. This article continues to discuss hackers exploiting MinIO vulnerabilities to breach corporate networks.

Bleeping Computer reports "Hackers Exploit MinIO Storage System to Breach Corporate Networks"

When considering how to invest their budgets, Original Equipment Manufacturers (OEMs) and their suppliers may be tempted to invest less in addressing cyber threats. So far, the attacks they have encountered have not been very sophisticated or harmful. However, the analysis of conversations in underground criminal message exchanges reveals that the pieces are in place for multi-layered, widespread attacks in the future. Given the typical length of the automotive industry's development cycles, waiting for more sophisticated attacks on connected vehicles is impractical. The world's automotive OEMs and suppliers are urged to prepare for the unavoidable transition from today's manual, car-modding hacks to tomorrow's user impersonation, account thefts, and other potential attacks. This article continues to discuss how connectivity is changing car crime, emerging fronts for next-generation attacks, the exploitation of connected cars, and positioning today for the future threat landscape.

Help Net Security reports "Connected Cars and Cybercrime: A Primer"

A non-profit organization used by millions on both sides of the Atlantic to recycle their possessions has admitted to suffering a data breach last month. The US-based Freecycle Network, which is also registered as a charity in the UK, claimed in an online notice that it discovered the incident on August 30. The organization claimed that the data affected includes usernames, User IDs, email addresses, and passwords. Because of the exposure of personal passwords, the organization noted that they are taking every measure to quickly inform members about the need to change their passwords. The organization advised that if users used the same password elsewhere, they should also change that account password. Freecycle noted that no other personal information was compromised, and the breach is being reported to the respective privacy authorities. Freecycle claims to have nearly 11 million members.

Infosecurity reports: "Freecycle Breach May Have Hit Millions of Users"

Customers of Okta, one of the leading providers of authentication services and Identity and Access Management (IAM) systems, report social engineering attacks targeting their Information Technology (IT) service desks to compromise administrator-level user accounts. Multiple Okta customers in the US have reported phishing efforts in which a caller tries to convince service desk employees to reset all multi-factor authentication (MFA) factors enrolled for highly privileged users. The attackers then used the compromised Okta Super Administrator accounts to abuse legitimate identity federation features that allowed them to impersonate users within the organization. When asked if Okta linked the attacks to a specific group, Okta's CSO, David Bradbury, said that other cybersecurity companies have attributed this behavior to threat actors known as Scattered Spider. According to security researchers, Scattered Spider, also known as UNC3944, Scatter Swine, and Muddled Libra, has been in operation since May 2022. This article continues to discuss the phishing campaign targeting Okta customers.

The Register reports "More Okta Customers Trapped in Scattered Spider's Web"

Researchers at Securonix found ransomware campaigns using Internet-exposed Microsoft SQL (MSSQL) databases as a launching point for attacks against victim systems. Oleg Kolesnikov, vice president of threat research at Securonix, says the typical attack sequence starts with brute-force attempts to access exposed MSSQL databases. According to Securonix researchers, it is unclear whether the hackers are making dictionary-based or random password spray attempts. Once a database's password is cracked, attackers expand their foothold within the target system and use MSSQL as a launchpad for various payloads, such as Remote Access Trojan (RAT) malware and ransomware. This article continues to discuss the exploitation of Internet-exposed MSSQL databases in ransomware campaigns.

The Record reports "Ransomware Attackers Are Targeting Exposed Microsoft SQL Databases, Report Says"

The threat intelligence company EclecticIQ has released a free decryption tool for the Key Group ransomware that enables victims to recover their data without paying the demanded ransom. Since at least January 2023, the Key Group ransomware gang has been in operation. Researchers believe that the financially-motivated gang primarily speaks Russian. The group is a less sophisticated threat actor focusing on financial gain by selling Personally Identifiable Information (PII) or initial access to compromised devices and demanding ransom payments. The researchers observed that the group's ransomware samples contained multiple cryptographic mistakes, which allowed them to develop a decryption tool for a ransomware version created on August 3, 2023. This article continues to discuss the release of a free decryptor for the Key Group ransomware.

Security Affairs reports "Researchers Released a Free Decryptor for the Key Group Ransomware"

North Korean state-sponsored hackers are responsible for the VMConnect campaign, which uploaded malicious packages to the Python Package Index (PyPI) repository. One of the packages mimicked the VMware vSphere connector module vConnector. The packages were uploaded at the beginning of August, with a package named "VMConnect" aimed at Information Technology (IT) professionals looking for virtualization tools. VMConnect had 237 downloads before its removal from the PyPI platform. Two additional packages containing the same code, named "ethter" and "quantiumbase," were downloaded 253 and 216 times, respectively. According to a new report, ReversingLabs links the campaign to Labyrinth Chollima, a subgroup of North Korean Lazarus hackers. This article continues to discuss the VMConnect PyPI campaign.

Bleeping Computer reports "North Korean Hackers Behind Malicious VMConnect PyPI Campaign"