News Items

Researchers from Rutgers University have discovered a significant flaw in how algorithms designed to detect "fake news" assess the credibility of online news stories. According to the researchers, most of these algorithms rely on a credibility score for the article's "source" rather than assessing the credibility of each individual article. Vivek K. Singh, an associate professor at the Rutgers School of Communication and Information and coauthor of the study "Misinformation Detection Algorithms and Fairness Across Political Ideologies: The Impact of Article Level Labeling," stated that not all news articles published by "credible" sources are accurate, nor are all articles published by "noncredible" sources "fake news." With article-level labels matching 51 percent of the time, the researchers concluded that using source-level labels to determine credibility is not a reliable method. This labeling procedure has significant implications for tasks such as the development of robust fake news detectors and audits of fairness across the political spectrum. To address this issue, the study provides a new dataset of individually labeled articles of journalistic quality, as well as a method for misinformation detection and fairness audits. This study's findings emphasize the need for more nuanced and trustworthy methods to detect misinformation in online news and provide valuable resources for future research. This article continues to discuss the flaws discovered in using source reputation for training automatic misinformation detection algorithms.

Rutgers University reports "Rutgers Researchers Find Flaws in Using Source Reputation for Training Automatic Misinformation Detection Algorithms"

The NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE) recently announced that four countries have joined as members: Ukraine, Ireland, Japan, and Iceland. The announcement was made on the cybersecurity center's 15th anniversary. The organization, based in Tallinn, Estonia, now has 39 members. The NATO cyber defense hub conducts cyber defense research, training, and exercises, focusing on areas such as technology, strategy, operations, and law. The CCDCOE recently conducted the annual Locked Shields cyber defense exercise, in which the representatives of 38 countries took part. In the exercise, Red Teams compete against Blue Teams, which are tasked with defending a country's information systems and critical infrastructure from large-scale attacks.

SecurityWeek reports: "4 Countries Join NATO Cyber Defense Center"

A Russian national has recently been unmasked as a key player in the "development and deployment" of the Hive, LockBit, and Babuk ransomware strains. Mikhail Pavlovich Matveev (aka Wazawaka/m1x/Boriselcin/Uhodiransomwar) was recently charged with conspiring to transmit ransom demands, conspiring to damage protected computers, and intentionally damaging protected computers. If convicted, he faces over 20 years behind bars. However, that's not likely, as the suspect is thought to reside in Russia. The State Department has issued a $10m reward for information that leads to the arrest and/or conviction of Matveev, under its Transnational Organized Crime Rewards Program. The Department of Justice (DoJ) highlighted several alleged victims of Matveev, including a law enforcement agency and non-profit behavioral healthcare organization in New Jersey and the Washington DC Metropolitan Police Department. The DoJ estimated the combined ransom haul for the three variants at $200m, adding that the affiliates behind them demanded twice that. In addition to the indictments, the US Treasury's Office of Foreign Assets Control (OFAC) announced sanctions against Matveev.

Infosecurity reports: "US Offers $10m Reward For Alleged Prolific Ransomware Actor"

Google recently announced the release of a Chrome 113 security update that resolves a total of 12 vulnerabilities, including one rated "critical." Six of the flaws were reported by external researchers. The "critical" vulnerability, tracked as CVE-2023-2721 and reported by Qihoo 360 researcher Guang Gong, is described as a use-after-free flaw in Navigation. Google noted that a remote attacker could craft an HTML page to trigger a heap corruption when a user accesses the page. The attacker would have to convince the user to visit the page. Google stated that use-after-free vulnerabilities are memory corruption bugs that occur when the pointer is not cleared after memory allocation is freed, which could lead to arbitrary code execution, denial-of-service, or data corruption. In Chrome, use-after-free issues can be exploited to escape the browser sandbox, which also requires the attacker to target a vulnerability in the underlying system or in Chrome's browser process. Google noted that the latest Chrome update addressed three other externally reported use-after-free flaws, all rated "high" severity. The vulnerabilities impact the browser's Autofill UI, DevTools, and Guest View components. The new browser release also resolves a "high" severity type confusion bug in the V8 JavaScript engine and a "medium" severity inappropriate implementation issue in WebApp Installs. Google stated that it paid $11,500 in bug bounties to the reporting researchers. However, the company has yet to determine the amounts to be paid for two of the vulnerabilities, including the "critical" severity one, so the final amount could be higher. The latest Chrome iteration is now rolling out as version 113.0.5672.126 for macOS and Linux, and as versions 113.0.5672.126/.127 for Windows.

SecurityWeek reports: "Chrome 113 Security Update Patches Critical Vulnerability"

Apple recently announced that it blocked 1.7 million applications from being published in the App Store in 2022. The rejected apps did not meet the required privacy, security, and content standards. The App Store has more than 650 million average weekly visitors globally, who can access content from more than 36 million registered Apple developers. Apple noted that last year, they terminated 428,000 developer accounts for fraudulent activity and rejected 105,000 Developer Program enrollments. The tech giant says it blocked 57,000 untrustworthy apps distributed through illegitimate storefronts and roughly 3.9 million attempts to deploy or launch applications distributed illicitly via the Developer Enterprise Program. In 2022, Apple revealed that they disabled more than 282 million customer accounts that engaged in fraudulent activities and prevented 198 million fraudulent new accounts from being created. According to Apple, its team reviews, on average more than 100,000 app submissions per week. Last year, the team reviewed over 6.1 million app submissions and rejected 1.7 million of them on various fraud and privacy concerns. Some of the rejected apps, Apple says, contained malicious code designed to steal user credentials, while others were disguised as financial management platforms but could morph into other applications. Other applications were spam, copycats, or misleading, contained undocumented features, or attempted to obtain users' data without their consent. According to Apple, over 147 million ratings and reviews were blocked and removed from the App Store last year out of a total of more than a billion that were processed. Apple also says it blocked roughly 3.9 million stolen credit cards from being used in its store and banned 714,000 accounts, thus blocking fraudulent transactions worth more than $2 billion.

SecurityWeek reports: "Apple Blocked 1.7 Million Applications From App Store in 2022"

A joint Cybersecurity Advisory (CSA) issued by US and Australia government agencies and published by the US Homeland Security Department's Cybersecurity and Infrastructure Security Agency (CISA) warns organizations of the most recent tactics, techniques, and procedures (TTPs) used by the BianLian ransomware group. Since June 2022, the BianLian ransomware and data extortion group has been targeting entities within US and Australian critical infrastructure organizations. As part of the #StopRansomware initiative, the advisory is based on investigations conducted by the FBI and the Australian Cyber Security Centre (ACSC). It seeks to provide defenders with information that enables them to adjust protections and strengthen their security posture against BianLian ransomware and other threats of a similar nature. BianLian used a double-extortion model at first, encrypting systems after stealing sensitive data from victim networks and then threatening to publish the data. However, since Avast released a decryptor for the ransomware in January 2023, the group has shifted to extortion based on data theft without encrypting systems. This article continues to discuss the BianLian group's TTPs.

Bleeping Computer reports "FBI Warns Organizations of the New BianLian Ransomware Tactics"

The Wemo Mini Smart Plug V2, which enables users to remotely control anything connected to it via a mobile app, contains a security flaw that cyberattackers can exploit to trigger a variety of undesirable outcomes. These include the ability to turn electronic devices on and off remotely, and the potential to move deeper into an internal network or jump to additional devices. The Smart Plug goes into an existing outlet, connecting to an internal Wi-Fi network and the Internet via Universal Plug-n-Play (UPNP) ports. Users can then control the device via a mobile app, providing a method to smarten traditional lamps, fans, and other utility items. In addition to integrating with Alexa, Google Assistant, and Apple Home Kit, the app provides features such as scheduling. According to researchers at Sternum, the flaw, tracked as CVE-2023-27217, is a buffer-overflow vulnerability that affects the device model F7C063 and allows remote command injection. However, when they contacted the device manufacturer, Belkin, for a patch, they were informed that no firmware update would be released because the device is now an end-of-life product. This article continues to discuss the command injection bug in the popular device that Belkin has no plans to address.

Dark Reading reports "Unpatched Wemo Smart Plug Bug Opens Countless Networks to Cyberattacks"

The US Department of Transportation has designated the Center for Assured and Resilient Navigation in Advanced Transportation Systems (CARNATIONS) at the Illinois Institute of Technology (Illinois Tech) as a Tier 1 University Transportation Center (UTC). As a Tier 1 UTC, CARNATIONS will receive a $10 million grant for increasing the resilience of transportation navigation systems against cyberattacks such as spoofing and jamming. CARNATIONS, a consortium of universities led by Professor of Mechanical and Aerospace Engineering Boris Pervan, conducts transformative research in resilient transportation systems, facilitates technology transfer to public agencies and industry, and advances workforce and educational development. Interference, such as jamming and spoofing, that targets critical infrastructure can cause delays and cascading failures across multiple modes of transportation. For example, a major aircraft manufacturer reported over 10,000 Global Navigation Satellite System (GNSS) interference events in 2021 alone, and repeated spoofing attacks have negatively impacted various military operations. Pervan and his team plan to approach the problem from different angles, including developing sophisticated algorithms that can distinguish between authentic and spoofed GPS signals and improving GPS receivers by combining them with other types of sensors resistant to jamming and spoofing. CARNATIONS will consider the possibility of a fully connected system in the future, in which self-driving cars exchange information with each other and with smart infrastructure such as traffic signals. This article continues to discuss CARNATIONS and its goal to enhance the resilience of transportation infrastructure against cyber threats.

Illinois Institute of Technology reports "Illinois Tech's CARNATIONS Receives $10M Federal Grant as New Tier 1 Transportation Center to Bolster Cybersecurity in Navigation Systems"

According to security experts, the new '.zip' top-level domain (TLD) could drive an increase in the spread of malware and undermine legitimate sources. TLDs are the letters that follow the final period in a URL, such as '.com.' At the beginning of May, Google announced the release of eight new options, including .dad, .phd, .prof, .esq, .foo, .zip, .mov, and .nexus. Although most of the new TLDs were created to correspond with specific job titles, there are concerns that the two that resemble file extensions, which are '.zip' and '.mov,' could be used by hackers to deceive users into entering malicious domains. Zipped archives are widely used in business because they enable the sharing of large amounts of data in a compressed format and are compatible with macOS, Windows, and Linux. Using the '.zip' TLD to disguise illegitimate links as downloadable files could lead to increased phishing attacks or the delivery of malicious .zip files, such as those used in recent Emotet botnet campaigns through domains resembling innocent files. This article continues to discuss the cybersecurity risk posed by the new .zip TLD.

ITPro reports "Is the New .zip Top-Level Domain a Cyber Security Risk?"

Secure Data Recovery shared the results of a data recovery project aimed at determining how many files could be recovered from hard drives purchased online. The company purchased 100 hard drives at random and used reasonable means to attempt data recovery. Secure Data Recovery was able to recover data from 35 drives, 34 of which were sanitized, 30 were damaged, and only one was encrypted. Over 5.7 million files were recovered, although that number was skewed by a single hard drive containing more than 3.1 million files. The findings emphasize a major problem among most users. After replacing damaged or obsolete hard drives, most users lack a thorough destruction or disposal plan. This article continues to discuss the recovery of millions of files from hard drives purchased online, users not properly destroying or disposing of damaged or obsolete hard drives, and how to securely dispose of a hard drive.

TechRadar reports "Millions of Deleted Files Recovered in Hard Drives Purchased Online"

Security researchers at Char49 have discovered that a vulnerability in the official website of luxury sports car maker Ferrari could have exposed potentially sensitive information. The issue was discovered in March. Ferrari addressed the weakness within a week. The researchers noticed that the "media.ferrari[.]com" domain is powered by WordPress, and it was running a very old version of W3 Total Cache, a plugin installed on more than a million websites. The plugin was affected by CVE-2019-6715, a flaw that can be exploited by an unauthenticated attacker to read arbitrary files. Exploitation of the vulnerability allowed the researchers to obtain the "wp-config.php" file, which stores WordPress database credentials in clear text. The researchers stated that the exposed database stored information associated with the media[.]ferrari.com domain. While the researchers did not dig too deep in order to avoid breaking responsible disclosure rules, the vulnerability could have been exploited to access other files on the web server, including ones that could contain information that is of value for threat actors. After being notified, Ferrari patched the vulnerability by updating the WordPress plugin. The researchers stated that while in this case there is no indication that the security hole directly exposed customer or other sensitive information, it's important for high-profile companies such as Ferrari to ensure that none of their systems are vulnerable. In March, Ferrari admitted to being targeted in a ransomware attack in which hackers stole customer information.

SecurityWeek reports: "WordPress Plugin Vulnerability Exposed Ferrari Website to Hackers"

Multiple security flaws have been discovered in the cloud management platforms of three industrial cellular router vendors, which could expose Operational Technology (OT) networks to attacks. The industrial cybersecurity company OTORIO presented its findings at the Black Hat Asia 2023 conference. The 11 vulnerabilities enable Remote Code Execution and complete control over hundreds of thousands of devices and OT networks. Specifically, the cloud-based management solutions provided by Sierra Wireless, Teltonika Networks, and InHand Networks for remotely managing and operating devices contain the vulnerabilities. Successful exploitation of the vulnerabilities could pose significant risks to industrial environments, allowing adversaries to bypass security layers, exfiltrate sensitive data, and remotely execute code on internal networks. The vulnerabilities could also be weaponized to gain unauthorized access to devices on the network and carry out malicious operations such as a shutdown with elevated permissions. This article continues to discuss the potential exploitation and impact of the vulnerabilities found in cloud-based management solutions offered by Sierra Wireless, Teltonika Networks, and InHand Networks.

THN reports "Industrial Cellular Routers at Risk: 11 New Vulnerabilities Expose OT Networks"

According to Cequence Security, Application Programming Interfaces (APIs) have emerged as a primary attack vector in several high-profile incidents, posing a significant threat to the security posture of organizations. Numerous high-profile organizations have suffered API attacks in recent months, increasing the need for CISOs to prioritize API security. According to Ameya Talwalkar, CEO of Cequence Security, traditional prevention methods are no longer sufficient as attackers become more inventive. Talwalkar added that as attack automation becomes an increasingly prevalent threat against APIs, organizations must have the tools, knowledge, and expertise to defend in real-time. About 45 billion search attempts were made for shadow APIs in the second half of 2022, a 900 percent increase from the 5 billion attempts made in the first half of 2022. From June to October 2022, attackers favored traditional application security techniques, but as the holidays approached, API security tactics experienced a 220 increase. This article continues to discuss key findings from Cequence Security's "API Protection Report: Holiday Build-up Shows 550% Jump in Unique Threats."

Help Net Security reports "Attack Automation Becomes a Prevalent Threat Against APIs"

The Department of Transportation (DOT) has recently been hit with a data breach that may have exposed personally identifiable information of federal government employees. The DOT said it was working to notify affected individuals whose personally identifiable information may have been compromised due to the breach and to help mitigate potential risks. The data breach impacts individuals that are enrolled in the US Department of Transportation's transit benefit program (TRANServe). TRANServe manages the transit benefit program for DOT and other federal agencies. The breach occurred within the system that supports TRANServe. TRANServe is a commuting benefits system that reimburses staff across the federal government for certain transportation costs. According to the DOT, the information compromised as a result of the breach may include details such as the name of TRANServe transit benefit recipients, their agency, work email address, work phone number, work address, home address, SmarTrip card number, and/or TRANServe Card number. The breach is expected to affect 114,000 current DOT employees and 123,000 former DOT employees.

FedScoop reports: "Transportation Dept Cyber Breach Exposes Data of Federal Employees"

A Californian VoIP provider has recently been accused of breaking telemarketing rules by providing services that sent billions of illegal robocalls to US consumers. The Department of Justice (DoJ) and Federal Trade Commission (FTC) on Friday announced a civil enforcement action against Los Angeles-headquartered XCast Labs. The DoJ alleges that XCast Labs services delivered pre-recorded marketing messages to recipients, many of whom are listed on the National Do Not Call Registry. These included scam calls impersonating government agencies and "other false or misleading statements to induce purchases." The DoJ claimed that some calls also used spoofed caller ID information to hide the true origin of the caller and/or failed to identify the seller of the services being marketed. XCast Labs, which describes itself as "the nation's leading supplier of business enterprise solutions," is accused of continuing to allow its services to be used in this way, even after being told that the calls were illegal. The newly filed complaint seeks monetary civil penalties and a permanent injunction to prevent XCast Labs from future violations.

Infosecurity reports: "US Says VoIP Firm Delivered Billions of Scam Robocalls"

Discord has recently notified users of a data breach that occurred when a threat actor gained unauthorized access to the support ticket queue of a third-party customer service agent. The company noted that due to the nature of the incident, "it is possible that user email addresses, the contents of customer service messages, and any attachments sent between users and Discord may have been exposed to a third party." The popular messaging platform said that when it discovered the issue, it deactivated the compromised account and completed malware checks on the machine. The company stated that while they believe the risk is limited, it is recommended that users be vigilant for any suspicious messages or activity, such as fraud or phishing attempts. It is expected that Discord's user base will reach nearly 200 million monthly active users by the end of 2023, making it an increasingly attractive target for attackers.

Infosecurity reports: "Discord Breached After Service Agent Targeted"

Quantum computing threatens to render the use of classic cryptography for secure communications obsolete. Quantum cryptography applies the laws of quantum mechanics to ensure security. Quantum Key Distribution (QKD) enables two parties to secure a message using a random secret key, which is generated by quantum particles known as photons. In order to accomplish this, scientists are increasingly using an alphabet based on specific properties of light particles (i.e., photons), namely their color composition. However, no equipment had been created to decode the information again. Therefore, researchers at Paderborn University have created such a decoder. They made a multi-output quantum pulse gate (mQPG) that separates incoming letters into various colors, which physicists can identify with a spectrometer. In addition, they have demonstrated a complete, high-dimensional mQPG-based decoder that enables encryption protocols based on individual photons. This article continues to discuss the new technology developed by researchers at Paderborn University for quantum cryptography applications.

Paderborn University reports "New Technology Developed for Quantum Cryptography Applications"

Federal authorities have warned the healthcare industry about a rise in cyberattacks against Veeam's backup application. The attacks appear to be linked to the March disclosure of a high-severity vulnerability in the vendor's software. The vulnerability, tracked as CVE-2023-27532, exposes Veeam Backup and Replication (VBR)-stored encrypted credentials. According to a recent alert from the Department of Health and Human Services' Health Sector Cybersecurity Coordination Center (HHS HC3), its exploitation could lead to unauthorized access to backup infrastructure hosts. These intrusions may result in data theft or ransomware deployment. The issue affects all versions of the Veeam software, which backs up, replicates, and restores data on Virtual Machines (VMs). The software supports transaction-level restores of Oracle and Microsoft SQL databases, according to HHS HC3. In addition to backing up and recovering VMs, VBR is also used to protect and restore individual files and applications for environments such as Microsoft Exchange and SharePoint, which are used in the healthcare and public health sector, making the threat significant. This article continues to discuss the healthcare sector facing a rise in cyberattacks on VBR.

DataBreachToday reports "Feds Warn of Rise in Attacks Involving Veeam Software Flaw"

Lawmakers recently introduced bipartisan legislation to strengthen the cybersecurity of US election infrastructure and boost voter confidence by requiring penetration testing as part of voting machine certification. Senators. Mark Warner and Susan Collins introduced the "Strengthening Election Cybersecurity to Uphold Respect for Elections through Independent Testing" (SECURE IT) Act, which requires the Election Assistance Commission (EAC) to mandate that systems seeking certification undergo penetration testing, allowing researchers to search for vulnerabilities and simulate cyberattacks. Warner noted that the SECURE IT Act would enable researchers to assume the role of cybercriminals in order to identify vulnerabilities and flaws that might not otherwise be discovered. Under the SECURE IT Act, EAC and the National Institute of Standards and Technology (NIST) would accredit entities to conduct penetration testing. EAC must also establish a voluntary Coordinated Vulnerability Disclosure Program for election systems, in which researchers gain access to voting systems to identify and disclose vulnerabilities to the manufacturer and EAC. Discovered vulnerabilities will be submitted to the Common Vulnerabilities and Exposures database after 180 days. This article continues to discuss the SECURE IT Act.

NextGov reports "Voting Machines Must Be Test Hacked for Certification, Under Proposed Bill"

Software maker Brightly has recently confirmed that hackers stole close to three million SchoolDude user accounts in an April data breach. SchoolDude is a cloud-based work order management system used primarily by schools and universities to submit and track maintenance orders. Its users are school employees, like principals, executives, and maintenance workers, as well as students and other staff submitting repair requests. The company said it was notifying both past and present customers that the hackers took their names, email addresses, account passwords, and phone numbers if added to the account. The data also includes the names of school districts. Brightly said it reset customer passwords. The company warned users to change passwords on other online accounts that use the same credentials as they used on SchoolDude. This refers to credential stuffing, where hackers use passwords from previous data breaches to break into other user accounts with the same passwords. Brightly said it discovered the breach on April 28, more than a week after the mass data theft.

TechCrunch reports: "Brightly Says SchoolDude Data Breach Spilled 3 Million User Accounts"

According to a report by Bitdefender, a previously undocumented malware campaign called DownEx has been targeting government institutions in Central Asia for cyber espionage. The first instance of the malware was discovered in 2022 during a highly targeted attack aimed at exfiltrating data from Kazakhstan's foreign government institutions. Another attack was observed by researchers in Afghanistan. Bitdefender noted that the involved domain and IP addresses do not appear in any previously documented incidents, and the malware does not share code similarities with previously identified malware. Researchers believe that a state-sponsored group is responsible for these incidents based on the specific targets of the attacks, the document metadata that impersonates a real diplomat, and the primary focus on data exfiltration. Although the attacks have not been attributed to any specific threat actor, a Russian group is likely responsible for the attacks. Bitdefender said that the use of a cracked version of Microsoft Office 2016 prevalent in Russian-speaking countries is an indication of the attack's origin, adding that it is unusual to see the same backdoor written in two languages. This was previously observed with the Russian-based group APT28 and their backdoor Zebrocy. This article continues to discuss the new DownEx malware campaign.

CSO Online reports "New DownEx Malware Campaign Targets Central Asia"

The National Science Foundation (NSF) has awarded $2 million to Virginia Tech and George Mason University to develop distributed, mobile space and terrestrial networking infrastructure for multi-constellation coexistence. This work will be done through the agency's Computer and Information Science and Engineering Community Research Infrastructure (CCRI) program. Through developing the fundamental infrastructure and implementing cybersecurity protocols, the researchers hope to demonstrate the value and practicality of an open-source inter-constellation network with global benefits. The team will investigate software vulnerabilities and the physical security of satellites, ground stations, and more in order to ensure that future space communications remain secure from hacking or cyber threats. This article continues to discuss Virginia Tech and George Mason University teaming up to develop an open-source cyber-infrastructure and new space-based networking technology, and what they will do to bolster cybersecurity.

Virginia Tech reports "Virginia Tech, George Mason University Partner to Develop Networking Infrastructure for Satellite Constellations"

A new study identifies multiple challenges associated with relying on Internet of Things (IoT) devices during investigations. Many IoT devices, for example, lack security controls. A determined adversary can configure IoT devices to generate a false narrative that can conceal their activities and complicate forensic investigations. Instead of considering IoT data as the gold standard, it is essential to corroborate them with physical evidence from fire or crime scenes and to promote stronger security controls in IoT smart home devices. Overall, research should not only concentrate on ensuring the security and reliability of IoT devices but also on preventing the misuse of data. This article continues to discuss the use of IoT devices in investigations and the associated privacy and security challenges.

IEEE Spectrum reports "The Internet of Things: Fire Sleuth, Fire Starter"

Security researchers at Capterra have discovered that more than three-fifths (61%) of US businesses have been directly impacted by a software supply chain threat over the past year. The researchers polled 271 IT and IT security professionals to better understand the risk exposure of US companies to vulnerabilities in third-party software. Half of the respondents rated the software supply chain threat as "high" or "extreme," with another 41% claiming the risk is moderate. The researchers pointed to open source software as a key source of supply chain risk. It is now used by 94% of US companies in some form, with over half (57%) using multiple open source platforms. The researchers claimed that app sprawl is contributing to cyber risk, revealing that retailers that have experienced a cyberattack in the past two years are more than twice as likely to report being impacted by app sprawl as those that did not experience an attack (53% versus 22%). Alongside reducing app sprawl, the researchers recommended organizations request a software bill of materials (SBOM) from vendors and open source providers so that they can better track individual components. Yet only half (49%) of respondents are doing so currently.

Infosecurity reports: "Software Supply Chain Attacks Hit 61% of Firms"