News Items

Jen Easterly, director of the US Homeland Security Department's Cybersecurity and Infrastructure Security Agency (CISA), told attendees at the sixth annual Hack the Capitol event in McLean, Virginia, on May 10 that CISA aims to help "cyber poor" places such as US small businesses, election offices, local government agencies, hospitals, and K-12 schools strengthen their defenses and responses to cyberattacks. Although the agency continues to work with the government, large companies, and technology vendors to improve security, CISA wants to determine how much it can help smaller organizations defend against cyber threats. Easterly noted that the objective is to understand their requirements, what they need to invest in security, and where CISA can help them protect their capabilities. The emphasis on smaller organizations recognizes that small and midsize businesses (SMBs), local government agencies, and schools have often been overlooked and excluded from efforts to create more resilient organizations. The government's efforts to create public-private partnerships have typically centered on large companies and critical industries, but attackers, particularly ransomware gangs, have targeted smaller organizations with limited cybersecurity resources. According to US Census data, 99. percent of all companies in the US have 250 employees or less. CISA has introduced Cybersecurity Performance Goals (CPGs), which aim to be low-cost and low-effort goals organizations can pursue to enhance their cybersecurity posture. This article continues to discuss CISA's efforts to help cyber poor organizations.

Dark Reading reports "CISA Addresses 'Cyber Poor' Small Biz, Local Government"

The cybersecurity awareness training company NINJIO has published a comprehensive report on cyber threats faced by higher education institutions and the sector's unique vulnerabilities. Universities are high-value targets for cybercriminals because they handle massive amounts of sensitive data, including research data and student records. Moreover, university networks' size, complexity, and openness exacerbate the cybersecurity challenges they confront. According to the report, faculty, students, and all university stakeholders must be trained to recognize cyber threats and take appropriate action against them. Cyberattacks in higher education are rising, and the report examines how universities can combat them by implementing behavior-based, end-to-end cyber awareness solutions. In addition, the report describes how university administrators and Information Technology (IT) teams struggle to keep up with the evolution of cybercriminal tactics. Since millions of students, professors, and researchers use interconnected digital systems for online instruction, record-keeping, and more daily, cybercriminals have numerous opportunities to exploit user errors. More than a third of the errors that led to breaches in the education sector in 2022 were caused by emails sent to the wrong individuals or with the wrong attachments, while ransomware accounted for more than 30 percent of breaches. This article continues to discuss NINJIO's recommendations on how universities can build a culture of cybersecurity awareness at every level.

Higher Ed Dive reports "NINJIO Releases Report Focused On Increasing Necessity for Human-Based Cybersecurity in Higher Education"

The National Institute of Standards and Technology (NIST) has updated its draft guidelines for protecting sensitive unclassified information to help federal agencies and government contractors implement cybersecurity requirements more consistently. "Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations" (NIST Special Publication [SP] 800-171 Revision 3) will be of particular interest to businesses with federal contracts. The SP 800-171 security requirements are referenced in federal rules governing the protection of Controlled Unclassified Information (CUI), which includes sensitive data such as health information, critical energy infrastructure information, and intellectual property. Systems that store CUI typically support government programs containing critical assets. The changes are intended to help organizations understand how to implement the specific cybersecurity safeguards outlined in a closely related NIST publication, SP 800-53 Rev. 5. The authors have aligned the terminology of the two documents so that organizations can more easily use SP 800-53's catalog of technical tools, or "controls," to achieve SP 800-171's cybersecurity outcomes. According to Ron Ross of NIST, the update is intended to help maintain consistent defenses against high-level information security threats. This article continues to discuss NIST's update of its draft guidelines for protecting sensitive unclassified information.

NIST reports "NIST Revises SP 800-171 Guidelines for Protecting Sensitive Information"

In over 50 countries, the National Security Agency (NSA) and several partner agencies have identified infrastructure for the sophisticated Russian cyber espionage tool known as Snake malware. The agencies are publishing the joint Cybersecurity Advisory (CSA) "Hunting Russian Intelligence 'Snake' Malware" in order to help network defenders in detecting Snake and any associated activity. The agencies link Snake operations to a known unit within Russia's Federal Security Service (FSB) Center 16. Snake malware infrastructure has been discovered in North America, South America, Europe, Africa, Asia, and Australia, including the US and Russia. Rob Joyce, the NSA's Director of Cybersecurity, stated that Russian government actors have used this intelligence-gathering tool for years. The technical details will help many organizations in locating and eliminating malware worldwide. In the US, the FSB has targeted education institutions, small companies, and media organizations. The Snake malware is typically deployed on external-facing infrastructure nodes on a network. From there, it applies more techniques, tactics, and procedures (TTPs) to conduct additional exploitation operations on the internal network. This article continues to discuss the release of the CSA on the Snake malware.

NSA reports "US Agencies and Allies Partner to Identify Russian Snake Malware Infrastructure Worldwide"

Cybersecurity researchers at ZeroFox have discovered a new ransomware gang on the dark web called CryptNet. They made the discovery on the dark web forum RAMP, where a threat actor advertised the new Ransomware-as-a-Service (RaaS) group. ZeroFox noted that CryptNet is advertised as quick and undetectable with various capabilities and features, including deleting shadow copies and disabling backup services. The group also offers offline encryption and a negotiation chat panel. ZeroFox suspects that CryptNet has already racked up some ransomware victims, with two victims having been identified at the end of April. CryptNet offers a 90 percent cut to anyone using its newly developed illegal software in a successful attack. This is one of the highest percentages seen on the RaaS market, with most affiliates receiving between 60 and 80 percent, according to ZeroFox, which added that CryptNet claimed it would also provide support during ransom negotiations. This article continues to discuss the new ransomware gang CryptNet.

Cybernews reports "CryptNet: Russian Ransom Gang Makes Its Debut"

Digital twins, which are virtual representations of actual real-world objects, are becoming increasingly popular. Providing real-time models of physical assets, people, or biological systems that can help identify problems as they occur or in advance is just one of their many applications. However, experts warn that cybersecurity exposure increases as organizations expand their use of digital twins and others create new ones. Digital twins are vulnerable because they rely on data to accurately represent whatever they model. There are concerns that the data may be corrupted or stolen and used for malicious purposes rather than their intended function. According to technology experts and security leaders, digital twins are exposed to the same threats as conventional Information Technology (IT) and Operational Technology (OT) environments. Some emphasize that digital twins could create not only new entry points for these types of attacks but also present opportunities for new attack types, including what one security expert termed the "evil digital twin." This article continues to discuss concerns regarding the vulnerability of digital twins to threats.

CSO Online reports "Evil Digital Twins and Other Risks: The Use of Twins Opens up a Host of New Security Concerns"

Industrial and IoT cybersecurity firm Claroty recently disclosed the details of five vulnerabilities that can be chained in an exploit, potentially allowing threat actors to hack certain Netgear routers. The vulnerabilities were first presented at the 2022 Pwn2Own Toronto hacking competition, where white hat hackers earned a total of nearly $1 million for exploits targeting smartphones, printers, NAS devices, smart speakers, and routers. Claroty's router exploit, which targeted Netgear's Nighthawk RAX30 SOHO router, earned the company's researchers $2,500 at Pwn2Own. Claroty noted that the flaws used in the exploit chain are tracked as CVE-2023-27357, CVE-2023-27367, CVE-2023-27368, CVE-2023-27369, and CVE-2023-27370. They were all patched by Netgear with the release of firmware version 1.0.10.94 in early April. Claroty stated that three of the vulnerabilities have been rated "high severity," and their exploitation can lead to remote code execution, authentication bypass, and command injection. Chaining all the flaws can have a significant impact. Claroty noted that successful exploits could allow attackers to monitor users' internet activity, hijack internet connections and redirect traffic to malicious websites, or inject malware into network traffic. An attacker could also use these vulnerabilities to access and control networked smart devices (security cameras, thermostats, smart locks), change router settings, including credentials or DNS settings, or use a compromised network to launch attacks against other devices or networks. Claroty stated that one mitigating factor is that executing the exploit requires access to the LAN it's not a WAN attack that can be executed from the internet, which is why it earned a smaller reward at Pwn2Own. Netgear explained in an advisory that these vulnerabilities require an attacker to have your WiFi password or an Ethernet connection to your network to be exploited.

SecurityWeek reports: "Details Disclosed for Exploit Chain That Allows Hacking of Netgear Routers"

Threat actors are taking advantage of the leak of Babuk, also known as Babak or Babyk, ransomware code in September 2021 to build different ransomware families that can target VMware ESXi systems. Alex Delamotte, a security researcher at SentinelOne, noted that the emergence of these variants in the second quarter of 2022 and the first quarter of 2023 shows a growing trend of Babuk source code adoption. Leaked source code allows malicious actors to target Linux systems when they may otherwise lack the expertise to develop a working program. As a result, several large and small cybercrime groups have set their sights on ESXi hypervisors. At least three different ransomware strains, including Cylance, Rorschach, and RTM Locker, that have emerged since the start of the year are based on the leaked Babuk source code. The most recent analysis by SentinelOne indicates that this phenomenon is becoming more prevalent, with the cybersecurity company identifying source code overlaps between Babuk and ESXi lockers attributed to Conti and REvil. Other ransomware families that have adopted features from Babuk include LOCK4, DATAF, Mario, and Play ransomware. This article continues to discuss the leaked Babuk ransomware code sparking different ransomware strains that target VMware ESXi systems.

THN reports "Babuk Source Code Sparks 9 Different Ransomware Strains Targeting VMware ESXi Systems"

According to Salesforce, 30 percent of automotive employees do not check security protocols before attempting to use a new tool, thus putting their company and customer data at risk. As companies store and use exponentially more data to power connected car features, concerns regarding cybersecurity grows in the automotive industry. According to Upstream, the number of automotive Application Programming Interface (API) attacks increased by 380 percent last year alone. In addition, 34 percent of automotive employees who participated in Salesforce's survey reported that their company now faces more security threats than it did two years ago. Salesforce's research explores the impacts of gaps between company security efforts and employee actions, revealing the need for automotive organizations to equip employees with trusted, simple-to-use technologies. This article continues to discuss automotive industry employees being unaware of data security risks, the rise in automotive API attacks, automotive employees taking risks with personal devices at work, and data security in the automotive industry.

Help Net Security reports "Automotive Industry Employees Unaware of Data Security Risks"

Wendy's is teaming up with Google to add artificial intelligence to its menu. Wendy's plans to launch an AI chatbot to automate its restaurants' drive-thrus. Dubbed FreshAI, the AI tech will hold limited conversations with customers, handling their food orders and answering frequently asked questions. The bot will integrate with the store's hardware and cash register systems for processing orders. The burger chain, founded in Columbus in 1969, is using Google to power FreshAI with its existing cloud-based generative AI and large language models. The language models include the restaurant's menu as data and will allow the drive-thru chatbot to understand complex, customized, or indirect orders, as well as discern between a customer's voice and background noise. Wendy's will test FreshAI at one of its corporate-owned Columbus storefronts in June, though it did not specify which one. It also did not mention if the chatbot would ultimately result in fewer workers at restaurant locations. Google had first partnered with Wendy's in 2021 when the two companies announced they would work together to improve customer experiences with analytics and machine learning.

The Hill reports: "Wendy's to Test AI Chatbot at Ohio Drive-Thru"

UK-based business process outsourcing and professional services company Capita recently announced that it expects to incur costs ranging between roughly $19 million and $25 million due to a recent cybersecurity incident, but it has not clarified whether that includes a ransom payment to the hackers. The breach came to light on March 31, when Capita said it was experiencing a major IT incident that had been causing disruptions, but it took until April 3 for the company to confirm that the cause was a cyberattack. Capita initially said there was no evidence of customer or other information getting compromised but confirmed that files were stolen from its systems on April 20, days after a ransomware group named Black Basta started leaking information allegedly stolen from the company. The leaked files stored personal and financial information. In its latest update on the cybersecurity incident, the company said it determined that data was stolen from less than 0.1% of its server estate, it previously said that 4% of its servers were impacted. Capita is one of the largest business outsourcing providers in the UK, and its services are used by the government.

SecurityWeek reports: "Capita Says Ransomware Attack Will Cost It Up to $25 Million"

According to security researchers at Sophos, the share of ransomware victims whose data was encrypted by their extorters grew to 76% over the past year. In a new study, the researchers conducted interviews with 3000 cybersecurity/IT leaders carried out in the first quarter of 2023. Responding organizations were located in 14 countries and had between 100 and 5000 employees, with revenue ranging from less than $10m to more than $5bn. The researchers noted that the encryption rate in 2022 is the highest since tracking began in 2020 when it was 73%. The researchers claimed this is evidence of an "ever-increasing skill level of adversaries who continue to innovate and refine their approaches." The researchers noted that only the IT, technology, and telecoms sector managed to buck the trend, with an encryption rate of just 47%. In just under a third (30%) of cases where data was encrypted, it was also stolen in double extortion attacks. However, only in 3% of cases were victims held to ransom without data being encrypted. The researchers stated that interestingly, those who choose to pay their extorters double recovery costs: from an average of $375,000 for those who use backups to $750,000. They also run the risk of extending recovery times: 45% of organizations using backups recovered within a week versus 39% of those that paid the ransom. Around half (46%) of victims that had data encrypted elected to pay a ransom, rising to over half for higher-wealth businesses more likely to have standalone cyber-insurance policies.

Infosecurity reports: "Ransomware Encryption Rates Reach New Heights"

The Phishing-as-a-Service (PhaaS) platform called 'Greatness' has increased activity as it targets organizations using Microsoft 365 in the US, Canada, the UK, Australia, and South Africa. Many organizations use the Microsoft 365 cloud-based productivity platform, making it an attractive target for cybercriminals seeking to steal data or credentials for use in network breaches. In a new report by Cisco Talos, researchers detail how the Greatness phishing platform launched in the middle of 2022, with activity spiking in December 2022 and March 2023. Many victims work in manufacturing, healthcare, technology, education, real estate, construction, finance, and business services, with most being located in the US. The Greatness PhaaS includes everything a phisher requires to conduct a successful campaign. To initiate an attack, the user accesses the 'Greatness' administration panel with their Application Programming Interface (API) key and a list of target email addresses. The PhaaS platform provides the server that will host the phishing page and the HTML attachment generator. The affiliate then creates the email's content and provides any additional content or adjustments to the default settings. The service then sends the victims a phishing email with an HTML attachment. When this attachment is opened, the browser executes obfuscated JavaScript code to connect to the Greatness server and retrieve the malicious page to display to the user. The phishing service will inject the target's company logo and background image from the employer's Microsoft 365 login page. This article continues to discuss findings and observations regarding the Greatness PhaaS.

Bleeping Computer reports "New 'Greatness' Service Simplifies Microsoft 365 Phishing Attacks"

In a campaign that has been ongoing since October 2021, a China-aligned threat actor has targeted a gambling company in the Philippines. The cybersecurity company ESET is tracking the attacks against Southeast Asian gambling companies under the name Operation ChattyGoblin. According to ESET, these attacks target the support agents of victim companies via chat applications, specifically the Comm100 and LiveHelp100 apps. CrowdStrike first documented the use of a Trojanized Comm100 installer to deliver malware in October 2022. The company attributed the supply chain compromise to a potentially China-linked threat actor. The attack chains use the chat applications to deliver a C# dropper, which in turn deploys a second C# executable that ultimately serves as a conduit to drop a Cobalt Strike beacon on compromised workstations. Also highlighted in ESET's APT Activity Report Q4 2022-Q1 2023 are attacks against South Asian government institutions by threat actors Donot Team and SideWinder with ties to India. This article continues to discuss researchers' findings regarding Operation ChattyGoblin.

THN reports "Operation ChattyGoblin: Hackers Targeting Gambling Firms via Chat Apps"

Based on one of the mysteries of human perception known as synesthesia, a researcher at the Oak Ridge National Laboratory (ORNL) developed a new method to hide sensitive electric grid information from malicious actors in a cyberattack. This method involves a palette of colors that is constantly changing. The Grid Communications and Security group leader at ORNL, Peter Fuhr, was intrigued by synesthesia, a condition that causes some people to experience one sense through another, such as perceiving sounds as colors. Fuhr used this idea to encrypt the "language" of grid management software into colors. Utilities use a computer system to gather and analyze real-time data to monitor and control equipment. This system communicates with hardware using strings of letters, which can be translated into color combinations represented as bars, wheels, or swirls. The color patterns are then faded under another image, such as a colorful pointillist painting, or hidden between video feed frames. With each sensor reading, the decoding key rotates. According to Fuhr, this innovative approach has already gained attention from private companies interested in licensing. Using a secure link between ORNL and the public utility EPB of Chattanooga, the concept was tested for six months. The encoded colors are transferred via communication links among video cameras at EPB's electrical substations. This article continues to discuss the new synesthesia-inspired way to hide sensitive electric grid information from cyberattacks.

Oak Ridge National Laboratory reports "Cybersecurity Goes Undercover to Protect Electric Grid Data"

In order to make multi-factor authentication (MFA) less susceptible to social engineering attacks, Microsoft Authenticator will now require number matching for all push notifications. The use of MFA fatigue attacks by cybercriminals has proven effective. These attacks involve sending a barrage of MFA push notification requests to employees, usually at unsociable hours, to manipulate them into authenticating a login attempt to clear the notifications. To authorize the login attempt, number matching requires opening a push notification, launching Microsoft Authenticator, and entering a series of numbers that appear in the app. This technique has existed for years and combines MFA and two-factor authentication (2FA). These numbers typically reset after a predetermined amount of time, such as 30 seconds, and add an extra layer of interaction to reduce the risk of successful social engineering attacks. In a typical attack scenario, the recipients of the constant notifications are often asleep and awakened by loud smartphone alerts. The attack is successful if the individual hurries to approve the login attempts. Adding this layer makes the process more manual, giving the recipient more time to recognize that a malicious actor is triggering the event. This article continues to discuss the Microsoft Authenticator adding another layer of complexity to prevent social engineering attacks.

ITPro reports "Microsoft Authenticator Mandates Number Matching to Counter MFA Fatigue Attacks"

Delinea's new survey of over 2,000 Information Technology (IT) security decision-makers reveals that only 39 percent of respondents believe their company's leadership has a solid grasp of cybersecurity's role as a business enabler. In addition, more than one-third of respondents (36 percent) believe that cybersecurity is viewed as important only in regard to compliance and regulatory requirements, while 17 percent say it is not a business priority. This misalignment between business and security goals appears to have resulted in at least one negative consequence for 89 percent of respondents' organizations, with more than a quarter (26 percent) reporting an increase in the number of successful cyberattacks against their organization. Misaligned cybersecurity objectives have caused delays in investments (35 percent), delays in strategic decision-making (34 percent), and unnecessary increases in spending (27 percent). There are also consequences for individuals, with 31 percent of respondents reporting a stress-related impact on security teams. This article continues to discuss key findings from the survey of IT security decision-makers.

BetaNews reports "Business Leaders Don't Understand Cybersecurity"

Federal entities at the forefront of policing cybercrime and ransomware in the US urge organizations to continue reporting cyber incidents to help fill data gaps. Recent executive actions call for a stricter approach to penalizing ransomware incidents. Leaders from the US Homeland Security Department's Cybersecurity and Infrastructure Security Agency (CISA) and FBI spoke at a recent George Washington University Business and Policy Forum about ongoing government initiatives to continue countering and preventing zero-day cyber incidents. CISA's CSO Valerie M. Cofield and the FBI's Cyber Division Section Chief David Ring discussed a data gap in the larger picture of the current cyber threat landscape and how sharing incident information contributes to the national security goal of strengthening digital networks. Ring reiterated that victim reporting is crucial and that federal agencies overseeing cybercrime in the US still have much work to do to close the gap regarding what is reported, what is actually seen, and what is occurring in the wild. The Cyber Incident Reporting for Critical Infrastructure Act, which became law in 2022, offers promise for CISA and the FBI's efforts. This legislation requires public and private sector entities to report any cyber incident. Cofield commented that while this is a step in the right direction, collecting the necessary data may take several years following the bill's passage. This article continues to discuss the importance of collaboration and data sharing to protect US digital networks.

NextGov reports "CISA, FBI Need Data from Cybercrime Victims to Support Policy"

US and international law enforcement agencies have announced the successful dismantling of a malware implant used by a Kremlin-sponsored hacking group. The US Justice Department (DOJ) obtained court authorization that permitted US law enforcement to wipe out the malicious code used by Turla called "Snake." Turla has a long history of ties to the Russian Federal Security Service (FSB). Snake has been assessed to be their premier espionage weapon, according to a senior FBI official, who added that it had been deployed against NATO countries and others to steal sensitive US information. According to the official, the initiative, dubbed "Operation Medusa," has denied the Moscow-backed group of a resource upon which it has relied for 20 years. In an affidavit released alongside the announcement, the bureau determined that the FSB compromised hundreds of computers in at least 50 countries using the Snake malware package. This article continues to discuss the elimination of the Kremlin-linked Snake espionage malware.

The Record reports "Kremlin-Linked 'Snake' Espionage Malware Eliminated, Justice Department Says"

The Royal ransomware group has become more active this year, targeting critical infrastructure organizations with various tools. Based on the group's leak site, Palo Alto Networks' Unit 42 reports that it has affected 157 organizations since its inception last year. Royal ransomware has affected different industries, including both small and large businesses. According to information from their leak site and public reporting agencies, the Royal ransomware has impacted manufacturing and more. The group has been observed using multiple initial access vectors, including callback phishing, Search Engine Optimization (SEO) poisoning, exposed Remote Desktop Protocol (RDP) accounts, and compromised credentials, to gain access to vulnerable systems. After securing access, the group uses multiple tools to support the intrusion operation, such as the TCP/UDP tunnel Chisel and the Active Directory query tool AdFind. Royal has compromised victims via a BATLOADER infection. BATLOADER will download additional payloads, such as VidarStealer, Ursnif/ISFB, and Redline Stealer, as well as legitimate system management and Remote Monitoring and Management (RMM) tools. Researchers have observed Royal operators using PowerTool, a piece of software with access to the kernel that is ideal for removing endpoint security software. This article continues to discuss researchers' findings and observations regarding the Royal ransomware gang.

SC Media reports "Royal Ransomware Gang Quickly Expands Reign"

Microsoft recently warned that more threat actors have started targeting a recently patched vulnerability in PaperCut MF/NG print management solutions, including Iranian state-sponsored groups. The critical flaw tracked as CVE-2023-27350 (CVSS score of 9.8) and patched in March 2023 could allow remote, unauthenticated attackers to bypass authentication and execute arbitrary code with the privileges of the System user. In late April, PaperCut urged customers to update their installations as soon as possible. A few days later, Microsoft reported that it had seen a Cl0p ransomware operator affiliated with the FIN11 and TA505 Russian groups exploiting the vulnerability for weeks. Now, Microsoft warns that Iranian state-sponsored threat actors Mint Sandstorm and Mango Sandstorm have adopted publicly available proof-of-concept (PoC) code exploiting the bug and are targeting unpatched PaperCut installations in attacks. For now, Microsoft stated that Mint Sandstorm activity targeting CVE-2023-27350 appears opportunistic, while Mango Sandstorm's exploitation of the flaw remains low. Microsoft noted that as more threat actors begin to use this vulnerability in their attacks, organizations are strongly urged to prioritize applying the updates provided by PaperCut to reduce their attack surface. Also tracked as Ajax Security Team, Charming Kitten, APT35, Magic Hound, NewsBeef, Newscaster, Phosphorus, and TA453, Mint Sandstorm has been active since at least 2011, targeting governments, critical infrastructure, activists, journalists, and other entities.

SecurityWeek reports: "Microsoft: Iranian APTs Exploiting Recent PaperCut Vulnerability"

As part of a campaign that began in late November 2022, the Advanced Persistent Threat (APT) actor known as SideWinder has been using a backdoor in attacks against Pakistani government organizations. According to the BlackBerry Research and Intelligence Team, the SideWinder APT group used a server-based polymorphism method to deliver the next stage payload. Another campaign discovered by the company in March 2023 shows that Turkey has also become a priority for the threat actor. SideWinder has been on the radar since at least 2012, and it is primarily known to target Southeast Asian organizations in Pakistan, Afghanistan, Bhutan, China, Myanmar, Nepal, and Sri Lanka. The group is also tracked under the names APT-C-17, APT-Q-39, Hardcore Nationalist (HN2), Rattlesnake, Razor Tiger, and T-APT4. It is believed to be an Indian state-sponsored group. In the past year, SideWinder has been linked to a cyberattack against the Pakistan Navy War College (PNWC) and an Android malware campaign that harvested sensitive information using rogue phone cleaner and Virtual Private Network (VPN) apps uploaded to the Google Play Store. What distinguishes this campaign is the threat actor's use of server-based polymorphism to circumvent traditional signature-based antivirus detection and spread additional payloads by responding with two variants of an intermediate RTF file. This article continues to discuss findings regarding SideWinder's attacks, techniques, and targets.

THN reports "Researchers Uncover SideWinder's Latest Server-Based Polymorphism Technique"

DEF CON's AI Village will host the first public assessment of Large Language Models (LLMs) to discover bugs and the potential for AI model misuse. There are numerous ways in which LLMs can help users' creativity, but there are also challenges, particularly regarding security and privacy. This event aims to bring further attention to the implications of using generative Artificial Intelligence (AI), a technology with many potential applications and unclear repercussions. Red teams will evaluate LLMs from leading vendors, including Anthropic, Google, Hugging Face, NVIDIA, OpenAI, Stability, and Microsoft. They will do so on a Scale AI-developed evaluation platform. This exercise is intended to reveal both the potential and limitations of LLMs. Red teams hope that testing these models will reveal any potential vulnerabilities and evaluate the extent to which LLMs are vulnerable to manipulation. The White House, the National Science Foundation's (NSF) Computer and Information Science and Engineering (CISE) Directorate, and the Congressional AI Caucus' support for the red teaming exercise indicate the importance of the use of LLMs. It also emphasizes the possible risks associated with this technology. This article continues to discuss the first public assessment of LLMs.

Help Net Security reports "Finding Bugs in AI Models at DEF CON 31"

According to a new study from researchers at the University of Georgia, the same blockchain technology that secures cryptocurrency systems could also shield users from intrusive and predatory advertising. Many consumers do not understand how their personal data is used in digital advertising. Which devices collect what data, how companies use that data, and how to block certain ads can be puzzling. Advertisers and publishers can experience the negative effects of ad fraud, such as unauthorized ads and bots that hijack ad traffic and divert profits. According to the researchers, blockchain can combat both of these challenges. Jooyoung Kim, the study's lead author, explained that there will always be malicious actors due to the size and complexity of the advertising ecosystem. Advertisers and publishers cannot effectively track them, and consumers are concerned about the security and privacy of their personal information. With the automated nature of blockchain, consumers have greater control over their exposure to ads. This could increase consumer trust in advertising by placing control in their hands. People can track how their data is used and opt out of certain ad categories. In addition to placing fake ads, fraudsters can use bots to defraud ads. These bots can click on ads, depleting the budgets of advertisers. Such fraud schemes have caused 15 to 50 percent of ads to be wasted, contributing to an estimated $100 billion in losses in 2022. Digital advertising fraud schemes have wasted consumers' attention and increased the number of potential threats to them. Although blockchain may not completely prevent fraud from the start, it does pave the way to do so. When a fraudulent ad is identified, it can be traced back to its source via the blockchain. This article continues to discuss the new study on the anti-fraud possibilities of blockchain.

The University of Georgia reports "Applying Blockchain to Digital Advertising"