News Items

Security researchers at Perception Point have observed a 356% growth in the number of advanced phishing attacks attempted by threat actors in 2022. The total number of cyberattacks increased by 87%. The researchers noted that among the reasons behind this growth is the fact that malicious actors continue to gain widespread access to new tools, including artificial intelligence (AI) and machine learning (ML)-powered tools. These have automated the process of generating sophisticated attacks, including those characterized by social engineering as well as evasion techniques. The researchers stated that the changing threat landscape has resulted from the swift adoption of new cloud collaboration apps, cloud storage, and productivity services for external collaboration. Threat actors have adapted to this shift, with 2022 experiencing a 161% surge in attacks on cloud storage and collaboration apps, though email and the browser remained the leading attack vectors. Overall, phishing was the most pervasive threat, accounting for 67.4% of all attacks. The researchers noted that last year also experienced a significant increase in business email compromise (BEC) attacks, which grew by 83%. Microsoft was the brand most impersonated in malicious emails, 3.3x more than the next most copied brand, LinkedIn.

Infosecurity reports: "Advanced Phishing Attacks Surge 356% in 2022"

The CTO of CTERA, Aron Brand, discusses how the ILOVEYOU virus ushered in the era of social engineering in the digital world. The digital world experienced a cyberattack in 2000 that altered the approach to cybersecurity. The ILOVEYOU worm, also known as the Love Bug or Love Letter For You, infected over 10 million Windows personal computers within days of its emergence on May 5, 2000. Major companies, including Ford Motor Company, AT&T, and Microsoft, as well as government organizations, were forced to shut down their email services in order to contain the damage. Since an estimated 10 percent of the world's computers connected to the Internet were compromised, the total damage could have exceeded $10 billion. Many people were drawn in by the seemingly innocent "love letter" email attachment, demonstrating how vulnerable humans are to social engineering tactics. Although there have been technological advancements throughout the years, the human brain remains the most difficult vulnerability to fix. In the digital era, technological aspects of cybersecurity are often the focus of discussion, but the human factor remains the chain's weakest link. As we observe the emergence of Large Language Models (LLMs) such as ChatGPT and deepfake technologies, the potential for social engineering attacks on a large scale becomes a more alarming concern. This article continues to discuss the ILOVEYOU worm and the human aspect of security.

SC Magazine reports "How the ILOVEYOU Worm Exposed Human Beings as the Achilles Heel of Cybersecurity"

Dark Frost is a new botnet launching Distributed Denial-of-Service (DDoS) attacks against the gaming industry. According to a new technical analysis by Akamai security researcher Allen West, the Dark Frost botnet, modeled after Gafgyt, QBot, Mirai, and other malware strains, has grown to include hundreds of compromised devices. The botnet's targets include gaming companies, game server hosting providers, online streamers, and other gaming community members with whom the threat actor has had direct interactions. As of February 2023, the botnet consists of 414 machines with instruction set architectures, such as ARMv4, x86, MIPSEL, MIPS, and ARM7. Dark Frost appears to have been assembled using source code stolen from multiple botnet malware strains, including Mirai, Gafgyt, and QBot. After flagging the botnet on February 28, 2023, Akamai reverse-engineered it and estimated its attack potential to be approximately 629.28 Gbps via a UDP flood attack. Researchers believe the threat actor has been active since at least May 2022. This article continues to discuss findings and observations regarding the Dark Frost botnet.

THN reports "Dark Frost Botnet Launches Devastating DDoS Attacks on Gaming Industry"

Attackers are using encrypted restricted-permission messages (.rpmsg) attached to phishing emails in order to steal Microsoft 365 account credentials. According to researchers from Trustwave, the campaigns are low-volume, targeted, and use trusted cloud services, such as Microsoft and Adobe, to deliver emails and host content. The initial emails are sent from compromised Microsoft 365 accounts and appear to target recipient addresses where the sender may be familiar. The phishing emails are sent from a compromised Microsoft 365 account to employees working in the billing department of the recipient company. This article continues to discuss phishers' use of encrypted restricted-permission messages to steal Microsoft 365 account credentials.

Help Net Security reports "Phishers Use Encrypted File Attachments to Steal Microsoft 365 Account Credentials"

Researchers at Carnegie Mellon University's (CMU) Software Engineering Institute (SEI) have published a blog post explaining the concept of adversarial Machine Learning (ML) as well as examining the motivations of adversaries and what researchers are doing to mitigate their attacks. They also provided a taxonomy of what an adversary can accomplish or what a defender needs to defend against. Due to the significant growth of ML and Artificial Intelligence (AI), adversarial tactics, techniques, and procedures (TTPs) have generated a great deal of interest and expanded. When ML algorithms are used for a prediction model and then incorporated into AI systems, the focus is typically on making performance as high as possible and ensuring that the model can make accurate predictions. This emphasis on capability often places security as a secondary concern to other priorities, such as using properly curated datasets for training models, applying domain-appropriate ML algorithms, and tuning parameters and configurations for optimal results and probabilities. However, research has demonstrated that an adversary can influence an ML system by manipulating the model, the data, or both. By doing so, an adversary can force an ML system to learn, do, or reveal the wrong information. This article continues to discuss the concept of adversarial ML, how adversaries seek to influence models, and defending against adversarial AI.

Carnegie Mellon University reports "The Challenge of Adversarial Machine Learning"

Sophisticated threat groups are increasingly compromising Managed Service Providers (MSPs) and launching supply chain attacks against their small and medium-sized downstream customers. The analysis of data from more than 200,000 small and medium-sized businesses (SMBs), including regional MSPs, between the first quarters of 2022 and 2023 revealed the increased interest of APTs in this segment as a means to launch attacks against a large number of companies in a single geographic region. MSPs, in conjunction with solution providers and resellers, help end users with the deployment, customization, and management of cloud services and other technologies. Regional MSPs serve customers in concentrated geographic areas. Compromising these organizations could enable attackers to target "trusted relationships" between MSPs and their customers. According to Proofpoint, regional MSPs protect hundreds of SMBs local to their geography, many of which have inadequate and often non-enterprise-grade cybersecurity defenses. APT actors have observed this disparity between the levels of protection offered and the potential for gaining access to desirable end-user environments. This article continues to discuss APT groups increasingly targeting MSPs.

Decipher reports "More APTs Eye Managed Service Providers in Supply Chain Attacks"

Delaware's transportation department, which controls more than 90% of roads in a state with the lowest average elevation in the country, is tasked with implementing evacuation plans during high water, which is a bureaucratic nightmare considering how quickly conditions can change. Delaware's transportation department is now using machine learning and AI to help. The department stated that for humans to monitor thousands of detectors or data sources is overwhelming. That's where AI comes in. Rather than sending a crew to the scene to block an impassable road, the system uses sensors to detect weather threats and even can predict them. Then, it sends the information directly to drivers through cellphone alerts while broadcasting them simultaneously on electronic highway signs. The department noted that the amount of data keeps growing, with many automated cars now able to not only inform their drivers of the dangers ahead but also feed the system to warn others. Researchers at Missouri University of Science and Technology tested an earlier version of a flood prediction analysis system on the Mississippi River between 2019-22. Steve Corns, an associate professor of engineering management and systems engineering who co-authored the study, said the system was able to detect in minutes what used to take hours. But now, Corns said, the capabilities are even more advanced and useful.

The Associated Press reports: "Delaware Taps Artificial Intelligence to Evacuate Crowded Beaches When Floods Hit"

DevOps platform GitLab recently resolved a critical-severity vulnerability impacting both GitLab Community Edition (CE) and Enterprise Edition (EE). An open source end-to-end software development platform, GitLab helps developers and organizations build, secure, and operate software. The platform has approximately 30 million registered users. The vulnerability is tracked as CVE-2023-2825 and can lead to arbitrary file reads. The newly addressed security defect has the maximum CVSS score of 10. The company noted that an unauthenticated malicious user can use a path traversal vulnerability to read arbitrary files on the server when an attachment exists in a public project nested within at least five groups. The web-based Git repository will release details on the bug next month after 30 days have passed since the patch was made available. According to GitLab, the issue was introduced in GitLab CE/EE version 16.0.0 and was resolved on Tuesday with the release of version 16.0.1 of the platform. The flaw was reported by a researcher named "pwnie" via GitLab's HackerOne-hosted bug bounty program. Given the severity of the bug, all GitHub users running version 16.0.0 of GitLab CE or EE are strongly advised to upgrade to the latest version of the platform as soon as possible. The patch has already been deployed on GitLab[.]com. GitLab did not mention if this vulnerability was being exploited in malicious attacks.

SecurityWeek reports: "GitLab Security Update Patches Critical Vulnerability"

Google has announced the 0.1 Beta version of GUAC, which stands for Graph for Understanding Artifact Composition. It will help organizations secure their software supply chains. The search giant is making the open source framework available as an Application Programming Interface (API) for developers to integrate their tools and policy engines. GUAC aims to compile software security metadata from various sources into a graph database that illustrates the relationships between software, thus enabling organizations to determine how one piece of software impacts another. According to Google's documentation, GUAC provides organizations with organized and actionable insights into their software supply chain security position. It should consolidate Software Bill of Materials (SBOM) documents, SLSA attestations, OSV vulnerability feeds, a company's internal private metadata, and more to help create a clearer risk profile and visualize the relationships between artifacts, packages, and repositories. This article continues to discuss the 0.1 Beta version of GUAC.

THN reports "GUAC 0.1 Beta: Google's Breakthrough Framework for Secure Software Supply Chains"

Researchers at Inky have discovered a phishing campaign designed to steal business email account credentials by impersonating OpenAI, the company behind the ChatGPT Artificial Intelligence (AI)-driven chatbot. ChatGPT has rapidly gained popularity and is now widely used by individuals and businesses, which is why cybercriminals are increasingly trying to impersonate the brand. In the initial phase of the attack, the victim receives a seemingly legitimate email purportedly sent by OpenAI. To continue using their ChatGPT account setup, the email requests that the recipient verifies their email address. To further deceive the victim, the threat actors manipulate the sender's domain to make it appear as though the email came from their company's Information Technology (IT) support. This article continues to discuss the new phishing campaign targeting ChatGPT users.

Help Net Security reports "Phishing Campaign Targets ChatGPT Users"

As part of a new national center, UC Santa Cruz (UCSC) researchers will play an important role in protecting US transportation systems from cyber threats. Researchers at UCSC will focus on enhancing the Artificial Intelligence (AI) systems powering autonomous vehicles such as driverless cars. Nine universities will collaborate on the new National Center for Transportation Cybersecurity and Resilience (TraCR) with the support of a five-year, $20 million grant from the US Department of Transportation. The center will develop hardware and software to defend Internet-connected transportation systems against cyberattacks. Associate Professor Alvaro Cardenas, who will serve as the center's associate director at UCSC, emphasizes that as AI agents become more pervasive in transportation infrastructures, we will need expertise in various areas to operate these systems securely. This article continues to discuss the major transportation cybersecurity project and the UCSC engineers participating in it.

UC Santa Cruz reports "UC Santa Cruz Engineers Join Major Transportation Cybersecurity Project"

The National Security Agency (NSA) and its partners have identified indicators of compromise (IOCs) related to a People's Republic of China (PRC) state-sponsored cyber actor using living off the land (LOTL) techniques to target networks across the critical infrastructure of the US. NSA is leading US and Five Eyes partner agencies in releasing the "People's Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection" Cybersecurity Advisory (CSA) to help network defenders in hunting and detecting this type of malicious activity by PRC actors on their systems. The partner agencies include the US Cybersecurity and Infrastructure Security Agency (CISA), FBI, Australian Cyber Security Centre (ACSC), Canadian Centre for Cyber Security (CCCS), New Zealand National Cyber Security Centre (NCSC-NZ), and UK National Cyber Security Centre (NCSC-UK). The CSA provides an overview of hunting tips and recommended practices. It contains examples of the actor's commands and signatures for detection. The authoring agencies also provide a summary of IOC values, such as unique command-line strings, hashes, file paths, exploitation of CVE-2021-40539 and CVE-2021-27860 vulnerabilities, and file names commonly used by this actor. This article continues to discuss the release of guidance regarding a PRC state-sponsored cyber actor targeting US critical infrastructure.

NSA reports "NSA and Partners Identify China State-Sponsored Cyber Actor Using Built-in Network Tools When Targeting US Critical Infrastructure Sectors"

AT&T recently patched a vulnerability that would have allowed anyone to hijack someone's account on the telecommunications company's official website by using the account holder's phone number and ZIP code. Joseph Harris, a cybersecurity researcher, uncovered the flaw earlier this year, discovering a way to exploit an account merging feature for malicious purposes. The vulnerability enabled him to effectively merge his account with that of anyone else, granting him the ability to change the password and assume control of that account. There is no evidence that the vulnerability was exploited beyond the researcher, according to an AT&T spokesperson who verified the issue and stated that it was promptly resolved through the company's bug bounty program. AT&T has approximately 81.5 million postpaid customers and 19 million prepaid customers. According to Harris, the vulnerability was relatively easy to exploit. After creating a free profile on the company's website, an attacker could navigate to the "combine accounts" tab and select "already registered accounts." After inputting the victim's phone number and ZIP code, the masked user ID and password prompt would appear. Harris explained that hackers could intercept the request of the password being entered and use the website's backend to forward the password request to accounts the hacker controls. Harris successfully tested the attack technique using his own accounts. This article continues to discuss the issue that would have enabled AT&T website account takeover.

The Record reports "AT&T Resolves Issue That Would Allow Account Takeover Through ZIP Code and Phone Number"

Today's cars and autonomous vehicles use millimeter wave (mmWave) radio frequencies to facilitate self-driving or assisted driving functions that protect passengers and pedestrians. However, this connectivity can also leave them vulnerable to cyberattacks. To improve the safety and security of autonomous vehicles, researchers from the lab of Dinesh Bharadia, an affiliate of the UC San Diego Qualcomm Institute (QI), and faculty member in the university's Jacobs School of Engineering Department of Electrical and Computer Engineering, along with colleagues from Northeastern University developed a novel algorithm designed to simulate an attacking device. The algorithm, which is described in the paper titled "mmSpoof: Resilient Spoofing of Automotive Millimeter-wave Radars using Reflect Array," enables researchers to identify areas where autonomous vehicle security can be improved. The team developed an algorithm that mimics a spoofing attack. Previous attempts to develop an attacking device for testing cars' resistance had limited feasibility, assuming that the attacker can synchronize with the victim's radar signal to initiate an attack, or that both cars are physically connected via a cable. This article continues to discuss the attacker device developed to improve autonomous vehicle security.

University of California San Diego reports "Team Develops New 'Attacker' Device to Improve Autonomous Car Safety"

SoS Musings #73 -

Insider Threats Are Still on the Rise

Technology and mobile devices are most commonly associated with younger users, but older individuals are not far behind. Pew Research Center estimates that approximately 61 percent of older people in the US own a smartphone. This market is expected to expand as the population ages, and a constellation of mobile apps designed for this demographic is also expanding. These apps may help older users remain in touch with loved ones, assist with health-related tasks, and enhance their social lives, but they are not risk-free. According to a new paper by Concordia researchers, some of the most popular apps designed for older adults pose significant privacy and data risks. The researchers examined 146 popular Android apps and discovered that 95 of them, or roughly two-thirds, do not adequately protect users in one or more ways. According to them, it is a significant risk for a population that may be unaware of the inherent perils of an increasingly interconnected world. The paper's main author, Pranay Kapoor, pointed out that many of these apps contain essential health or medication information. An attacker could potentially exploit the vulnerabilities in these apps to alter the medication or the reminders to take it. Even minor alterations can have profound consequences. This article continues to discuss apps designed for older adults containing multiple security vulnerabilities.

Concordia University reports "Apps for Older Adults Contain Security Vulnerabilities"

Aayush Jain received the 2022 ACM Doctoral Dissertation Award for his dissertation entitled "Indistinguishability Obfuscation From Well-Studied Assumptions." From well-studied hardness conjectures, Jain's dissertation established the feasibility of mathematically rigorous software obfuscation. The primary objective of software obfuscation is to render source code unintelligible without altering its functionality. Additional conditions can be added, such as requiring the transformed code to perform similarly to the original or even the same. As a mechanism for software security, software obfuscation must have a solid mathematical foundation. The mathematical object that Jain's thesis creates, indistinguishability obfuscation, is regarded as a "master tool" in the context of cryptography, not only for achieving long-desired cryptographic goals such as functional encryption but also for broadening the field of cryptography itself. For example, indistinguishability obfuscation helps achieve software security objectives that were previously only in software engineering. This article continues to discuss Jain's dissertation "Indistinguishability Obfuscation From Well-Studied Assumptions."

ACM reports "UCLA Computer Grad Constructs 'Crown Jewel of Cryptography'"

An updated version of the commodity malware known as Legion includes enhanced capabilities to compromise SSH servers and Amazon Web Services (AWS) credentials linked to DynamoDB and CloudWatch. Cado Labs researcher Matt Muir said the recent update demonstrates a broadening of scope, with new capabilities such as compromising SSH servers and retrieving additional AWS-specific credentials from Laravel web applications. The developer's targeting of cloud services improves with each release. Legion, a Python-based hacking tool, was first documented by the cloud security company in April, describing its ability to breach vulnerable SMTP servers and extract credentials. It is also known to exploit web servers operating Content Management Systems (CMS), use Telegram as a data exfiltration point, and use stolen SMTP credentials to send spam SMS messages to a list of dynamically-generated US mobile numbers. Legion's capability to exploit SSH servers using the Paramiko module is also a notable addition. It includes functionality to retrieve additional AWS-specific credentials for DynamoDB, CloudWatch, and AWS Owl from Laravel web applications. This article continues to discuss the updated Legion malware.

THN reports "Legion Malware Upgraded to Target SSH Servers and AWS Credentials"

For users seeking to modify their privacy settings on websites such as Facebook and Google, the process often feels like a scavenger hunt. In many cases, these settings are spread across multiple pages, requiring at least five clicks to locate the desired option. In a new study titled "Less is Not More: Improving Findability and Actionability of Privacy Controls for Online Behavioral Advertising," researchers from Carnegie Mellon University's (CMU) CyLab Security and Privacy Institute and the University of Michigan explore design options for making settings related to advertising preferences on Facebook more discoverable. The researchers also try to understand how design changes would affect users' behaviors and sentiments towards settings and the platform. The study focuses on two variables: the entry points a user would click on to locate the correct ad settings and the level of actionability within the ad control interface. This article continues to discuss the study on improving the findability and actionability of privacy controls.

CyLab reports "Less Is Not More; Mapping a Better Route to User Ad Settings"

The US Department of the Treasury recently announced sanctions against four entities and one individual for engaging in malicious cyber activities on behalf of the North Korean government. The US Department of the Treasury stated that North Korean threat actors, such as the infamous Lazarus group, launch malicious campaigns targeting organizations and individuals worldwide to generate illicit revenue to support the Pyongyang regime and its priorities. According to the Treasury's Office of Foreign Assets Control (OFAC), North Korean threat actors are trained at the Pyongyang University of Automation, with many of them landing jobs within units of the Reconnaissance General Bureau (RGB), the country's primary intelligence bureau. RGB, which was designated by OFAC in 2015 as being subordinated to the North Korean government, also controls the Technical Reconnaissance Bureau and its cyber unit, the 110th Research Center. The US says that the 110th Research Center is responsible for numerous cyberattacks, including the devastating DarkSeoul campaign, and for the theft of sensitive government information from South Korea related to military defense and response planning. The US announced that Pyongyang University of Automation, the Technical Reconnaissance Bureau, and the 110th Research Center are being designated pursuant to EO 13687 for being agencies, instrumentalities, or controlled entities of the Government of North Korea or the Workers' Party of Korea.

SecurityWeek reports: "US Sanctions North Korean University for Training Hackers"

A team of researchers from UC San Diego and Purdue University has discovered a hidden feature of Intel processors that can enhance security, including shutting down an entire class of Spectre attacks capable of providing an attacker with sensitive information such as passwords or encryption keys. In their 2023 IEEE Security and Privacy paper titled "Half&Half: Demystifying Intel's Directional Branch Predictors for Fast, Secure Partitioned Execution," the researchers have completely reverse-engineered the conditional branch predictor for all of Intel's flagship processors. No prior work had fully deciphered these predictors, even those introduced over 12 years ago. The researchers successfully reverse-engineered the structure, sizes, and lookup functions of these predictors. This article continues to discuss computer scientists discovering, for the first time, that the popular Intel processor already has a key security feature that protects against attacks, including Spectre.

UC San Diego reports "Surprise: A Small Change Leads to Big Results for Computer Security"

In an attack on Apria Healthcare, cybercriminals stole the credit card information of nearly two million customers. Apria is a leading provider of home medical equipment delivery and clinical support in the US. The attackers reportedly stole financial information, including account numbers and credit/debit card numbers. The attackers also accessed account security codes, access codes, passwords, and PINs. From April 5 to May 7, 2019, an unauthorized third party allegedly accessed Apria's systems. The malicious actors then re-entered the systems between August 27 and October 10, 2021. The company claims to have found no evidence of funds being removed, and there have been no reports of misuse of disclosed personal data. This article continues to discuss the attack on the medical equipment provider.

Cybernews reports "Hackers Attack Medical Equipment Provider, Almost 2M People Affected"

In March 2023, researchers detected a previously unknown Advanced Persistent Threat (APT) group, Bad Magic, also known as Red Stinger, which targeted organizations in the region of the Russo-Ukrainian conflict. The attackers were seen using PowerMagic and CommonMagic implants. On the lookout for other implants with similarities to PowerMagic and CommonMagic, the researchers discovered a different cluster of even more sophisticated malicious activities associated with the same threat actor. In addition to Donetsk, Lugansk, and Crimea, victims of this cluster were also located in central and western Ukraine. The APT group targeted individuals as well as diplomatic and research organizations in the conflict zone. In the most recent campaign discovered by researchers, the APT group used a modular framework dubbed CloudWizard that supports spyware capabilities, such as capturing screenshots, recording microphones, harvesting Gmail inboxes, and keylogging. This article continues to discuss the CloudWizard APT targeting organizations involved in the region of the Russo-Ukrainian conflict.

Security Affairs reports "A Deeper Insight Into the CloudWizard APT's Activity Revealed a Long-Running Activity"

The FBI warns people to be aware of fake employment advertisements that are used to lure applicants into Southeast Asian scam operations. In recent years, such schemes, perpetrated primarily by Chinese organized crime groups, have expanded in size, with Cambodia as the industry's epicenter and Myanmar increasingly becoming a hub. Workers are trafficked into "pig butchering" operations, in which a cybercriminal forges a relationship with a victim from a distance before stealing their money. Historically, labor trafficking has involved precarious manual jobs, but cyber trafficking in Southeast Asia requires a well-educated population with technology and language skills, so syndicates cast a wide net in the quest for workers. In employment fraud schemes, criminal actors primarily target victims in Asia by publishing false job advertisements on social media and online employment sites, according to the FBI's notice, adding that advertised positions include tech support and offer high salaries and benefits. The FBI alert is intended for US travelers, but victims are from all over the world, mostly from Asia. This article continues to discuss the FBI's warning about fake job advertisements from cyber traffickers.

The Record reports "FBI Warns About Fake Job Ads From Cyber Traffickers"