News Items

A leading legal industry body in the US has recently been forced to contact individuals with accounts on its website to notify them that their logins may have been compromised. The American Bar Association (ABA) reportedly told 1.5 million individuals about the breach, which occurred last month. The ABA said in a notice on its website that it first discovered unusual activity on its network on March 17 but concluded that a threat actor had gained unauthorized access even earlier than that, on March 6. The ABA noted that on March 23, 2023, the investigation identified that an unauthorized third party acquired usernames and hashed and salted passwords that users may have used to access online accounts on the old ABA website before 2018 or the ABA Career Center since 2018. In many instances, the password may have been the default password assigned to the user by the ABA if the user never changed that password on the old ABA site. The ABA is notifying all affected individuals in an abundance of caution. The ABA stated that users who didn't update their passwords in 2018 when the ABA changed its website login platform are being asked to do so now, as well as any credentials reused on other non-ABA accounts that could now be exposed to credential stuffing. Although the stolen passwords are hashed and salted, they could still be cracked given enough time and/or inclination.

Infosecurity reports: "American Bar Association Breach Hits 1.5 Million Members"

Cybersecurity researchers have detailed the inner workings of the evasive loader known as "in2al5d p3in4er" that is used to deliver the Aurora information-stealing malware. According to a report from the cybersecurity company Morphisec, the loader is compiled with Embarcadero RAD Studio and targets endpoint workstations with an advanced anti-VM (virtual machine) technique. Aurora, the Go-based information stealer, first appeared in late 2022. It is distributed via YouTube videos and Search Engine Optimization (SEO) poisoning, with websites offering fake cracked software downloads to other attackers as a commodity virus. When a victim clicks on a link in a YouTube video description, they are redirected to a fake website where they are persuaded to download malware posing as a useful tool. The loader examined by Morphisec inquires about the vendor ID of the installed graphics card and compares it to a list of allowlisted vendor IDs (i.e., AMD, Intel, or NVIDIA). The loader terminates itself if the value is incorrect. The loader ultimately uses the process hollowing technique to decode the final payload and inject it into the legitimate process "sihost.exe." The research highlights that the threat actors behind in2al5d p3in4er loader are using social engineering techniques for a high-impact campaign, which involves YouTube being used as a malware distribution channel. This article continues to discuss attackers using YouTube to deliver the in2al5d p3in4er loader and Aurora information-stealing malware.

CyberIntelMag reports "YouTube Videos Using Highly Evasive Loader to Distribute Aurora Stealer Malware"

The US Homeland Security Department's Cybersecurity and Infrastructure Security Agency (CISA) emphasizes that cybersecurity is a worldwide problem. A system or network vulnerability exploited on one side of the world can have global repercussions, directly affecting critical infrastructure. In order to make cyberspace safer and more secure for everyone, the CISA Global Strategy encourages capacity development with international partners. CISA conducted a series of capacity-building engagements in Thailand, the Philippines, and Indonesia in March. The workshops on cyber hygiene focused on highly interdependent sectors, such as national defense, banking, business, aviation, and shipping. During the workshops, CISA cybersecurity and vulnerability management experts discussed Information Technology/Operational Technology (IT/OT), Industrial Control Systems (ICS), threat actors, threat intelligence, cyberattack frameworks, workforce development tools, and case studies of prevalent attacks. The need to develop greater cooperation between IT and OT, raise awareness of phishing and other attack vectors within organizations, and develop the cybersecurity workforce in the public sector arose as major themes. This article continues to discuss the first-of-their-kind capacity-building engagements conducted by CISA in Thailand, the Philippines, and Indonesia.

CISA reports "CISA - Building Cyber Hygiene Capacity in Thailand, the Philippines and Indonesia"

According to researchers, the popularity of ChatGPT has prompted scammers to use OpenAI's chatbot name in malicious domains to trick unsuspecting victims. Since OpenAI introduced ChatGPT, the chatbot's popularity has skyrocketed, reaching 100 million monthly active users within two months of its debut, and scammers quickly took note. The threat detection and content filtering company DNSFilter observed a sixfold increase in blocked ChatGPT and OpenAI-related domains among its large body of clients. The vulnerabilities that ChatGPT-related domains can introduce to networks are attracting the attention of government agencies and organizations. Dave Raphael, chief operating officer at DNSFilter, stated that organizations are blocking ChatGPT from their networks because of security and privacy concerns. Scammers are one of the primary reasons to restrict access to websites containing ChatGPT keywords. The number of malicious websites with "ChatGPT" in their name increased has increased significantly, according to a recent study. Since the chatbot's introduction, fraudsters have consistently attempted to capitalize on its growing popularity. Attackers are leveraging ChatGPT's prominence to redirect users to malicious websites using phishing and deception techniques, including malware-distributing domains. This article continues to discuss the growing use of OpenAI's chatbot name in malicious domains.

Cybernews reports "ChatGPT Malicious Domains Spike as Bot Use Grows

A Chinese-language threat group targeted South Korean research and academic institutions with data exfiltration attacks in January. Researchers from Recorded Future's Insikt Group suspect that the threat actors affiliated with the group have launched a series of new attacks against organizations in Japan and Taiwan. The group is known as Xiaoqiying, Genesis Day, or Teng Snake, according to Di Wu, senior threat intelligence analyst at Insikt Group. The attacks against South Korean institutions began on January 25, impacting the Korean Research Institute for Construction Policy, the Korean Archaeological Society, the Woorimal Academic Society, and the Korean Academy of Basic Medicine and Health Sciences. Wu stated that the analysis of the group's Telegram channels, postings on special-access forums, and presence on a clearnet website led to the conclusion that this is a hacktivist group motivated primarily by patriotism toward China, and that it will likely conduct similar cyberattacks against Western and NATO targets, as well as any country or region considered hostile to China. The group operated two Telegram channels, one for posting announcements and the other for communicating with other hackers and followers. Both were shut down in February when media outlets began reporting on the cyberattacks targeting South Korea. Prior to disbanding, the group recruited new members via Telegram. Xiaoqiying claimed to have stolen 54 GB of data from various organizations. This article continues to discuss the Xiaoqiying threat group targeting a dozen South Korean research and academic institutions with data exfiltration attacks.

The Record reports "Chinese-Language Threat Group Targeted a Dozen South Korean Institutions"

According to a report by the industrial cybersecurity company Dragos, the Chernovite threat group developed a new modular malware called Pipedream to target Industrial Control Systems (ICS). This toolkit is capable of launching disruptive and destructive attacks against tens of thousands of critical industrial devices, posing a significant threat to organizations tasked with managing the electrical grid, oil and gas pipelines, water systems, and manufacturing plants. According to the Dragos report, Pipedream, a modular ICS attack framework created by Chernovite developers, is the seventh known ICS-specific malware. Pipedream is the first ICS/Operational Technology (OT) malware to be disruptive and destructive across multiple industries. Its existence is evidence that industrial adversarial capabilities have significantly increased. The Chernovite group possesses a greater scope of ICS-specific knowledge than other threat actors. The demonstrated ICS expertise in Pipedream includes the ability to disrupt, degrade, and potentially destroy physical processes in industrial environments. Dragos is confident that a state actor created Pipedream with the intention of using it for future disruptive or destructive operations. The capabilities of Pipedream provide an adversary with various options for discovering a target's OT network architecture and identifying its assets and processes. This article continues to discuss the Pipedream malware, the increase in ransomware attacks against industrial organizations, and five critical controls for strong ICS/OT cyber defense.

Security Intelligence reports "Pipedream Malware Can Disrupt or Destroy Industrial Systems"

Beginning this summer, the Internal Revenue Service (IRS) will send four cybercrime investigators to Australia, Singapore, Colombia, and Germany, marking a significant expansion of the IRS's global efforts to combat cybercrimes, such as those involving cryptocurrencies, decentralized finance, and cryptocurrency laundering services. In recent years, agents from the IRS's Criminal Investigation (IRS-CI) unit have played an important role in investigating crimes on the dark web as part of landmark international operations. These operations include the shutdown of the drug and hacking services marketplace AlphaBay and the arrest of its administrator, the bust of the Internet's largest child abuse website, and the takedown of a marketplace for stolen Social Security Numbers. Before now, the IRS had only one cyber investigator stationed abroad, in The Hague, Netherlands. Since 2021, this investigator has worked closely with Europol. During a panel at the Chainalysis Links conference on April 4, IRS executive director of global operations policy and support for IRS-CI, Guy Ficco, first announced the expansion. This article continues to discuss the expansion of the IRS's efforts to fight cybercrimes globally.

TechCrunch reports "The IRS Is Sending Four Investigators Across the World to Fight Cybercrime"

The Lazarus Group, a notorious state-sponsored threat actor with ties to North Korea, has been linked to a new campaign targeting Linux users. According to a new report by ESET, the attacks are part of a persistent and long-running activity known as Operation Dream Job. The findings mark the first instance of the group using Linux malware as part of this social engineering scheme. Operation Dream Job, also known as DeathNote or NukeSped, refers to multiple attack waves in which the group uses fraudulent employment offers as an enticement to convince unsuspecting targets to download malware. In addition, there are overlaps with two other Lazarus clusters called Operation In(ter)ception and Operation North Star. Similarly, the attack chain discovered by ESET delivers a fake HSBC job offer as a decoy within a ZIP archive file, which is then used to initiate a Linux backdoor named SimplexTea distributed via an OpenDrive cloud storage account. This article continues to discuss the Lazarus Group's new campaign against Linux users.

THN reports "Lazarus Group Adds Linux Malware to Arsenal in Operation Dream Job"

Attackers are injecting stealthy backdoors into websites using Eval PHP, an outdated WordPress plugin. Eval PHP is an outdated WordPress plugin that enables site administrators to embed PHP code on WordPress pages and posts, which is then executed when the page is loaded in the browser. The plugin has not been updated in a decade and is generally regarded as abandonware, but it is still accessible via the WordPress plugins repository. According to the website security company Sucuri, the use of Eval PHP to embed malicious code on seemingly harmless WordPress pages increased in April 2023, with an average of 4,000 malicious installations per day of the WordPress plugin. The primary advantage of this method over traditional backdoor injections is that Eval PHP can be used to reinfect cleaned sites while the point of compromise remains relatively hidden. This article continues to discuss attackers' use of the old Eval PHP WordPress plugin to compromise websites.

Bleeping Computer reports "Attackers Use Abandoned WordPress Plugin to Backdoor Websites"

The 3CX Desktop App software has been reportedly compromised via a prior software supply chain breach, with a North Korean actor suspected to be responsible. Security researchers at Mandiant stated the initial compromise was traced back to malware from financial software firm Trading Technologies' website. The researchers noted that the first attack saw hackers place a backdoor into an application available on the website known as X_Trader 1. That infected app, later installed on the computer of a 3CX employee, allowed the hackers to spread their access through 3CX's network. Mandiant said this would be the first observed instance of one software supply chain attack leading to another. The researchers noted that in late March 2023, a software supply chain compromise spread malware via a trojanized version of 3CX's legitimate software that was available to download from their website. The researchers stated that the attack shows the potential reach of this type of compromise, particularly when a threat actor can chain intrusions, as demonstrated in this investigation. The security experts said the affected versions of 3CX were DesktopApp 18.12.416 and earlier, which contained malicious code. The code ran a downloader, Suddenicon, which in turn received additional command and control (C2) servers from encrypted icon files hosted on GitHub. The decrypted C2 server was then used to download a third-stage payload called Iconicstealer, a data miner that steals browser information. Mandiant said the researchers are currently tracking this malicious activity as UNC4736, a suspected North Korean nexus cluster of activity.

Infosecurity reports: "North Korean Hacker Suspected in 3CX Software Supply Chain Attack"

The Artificial Intelligence (AI) chatbot ChatGPT has been generating a great deal of buzz in the news and on social media regarding its ability to write blogs, software source code, and frameworks. People are sharing what they have done with the Large Language Model (LLM)-based bot and what they plan to do in the future. Their applications include product prototyping, virtual assistants, and nearly limitless duties. Cybercriminals have experimented with ChatGPT. Based on dark web forums, cybercriminals are using ChatGPT to generate malicious code. According to Nicole Sette, associate managing director of the cyber risk business at Kroll, a corporate investigation and risk consultancy, most researchers agree that chatbots are not yet optimized for code creation, as they lack the creativity to develop new code. However, in March 2023, Kroll observed hacking forum users discussing methods for bypassing ChatGPT restrictions and using the program to generate code. Sette explains that other forum users shared code for circumventing ChatGPT's Terms of Service, also known as 'jailbreaking ChatGPT,' in various dark web forums. Threat actors have discovered methods to use chatbots to write malware, including information stealers. Check Point Research reported that someone on an underground hacker forum used ChatGPT to recreate a Python-based information stealer using published analyses of prevalent malware. This article continues to discuss how cybercriminals are using ChatGPT.

CACM reports "Turning AI to Crime"

Cisco recently announced patches for critical vulnerabilities impacting its Industrial Network Director and Modeling Labs solutions. Designed for industrial network management, Industrial Network Director (IND) provides visibility into network and automation devices. Cisco released fixes for a critical-severity flaw in the web interface of IND that could be exploited remotely to execute commands on the underlying operating system. Tracked as CVE-2023-20036 (CVSS score of 9.9), the issue exists because input was not properly validated when uploading a device pack. An authenticated attacker could alter the upload request and execute commands with administrative privileges. Cisco IND version 1.11.3 resolves this vulnerability along with a medium-severity bug that could allow an attacker to read application data. This week, Cisco also released patches for a critical-severity flaw in the external authentication mechanism of Modeling Labs, an on-premises network simulation tool. Tracked as CVE-2023-20154 (CVSS score of 9.1), the issue is the result of improper handling of certain messages returned by the external authentication server. The security defect was patched with the release of Modeling Labs version 2.5.1. Cisco noted that an attacker could exploit this vulnerability by logging in to the web interface of an affected server. Under certain conditions, the authentication mechanism would be bypassed, and the attacker would be logged in as an administrator. Successful exploitation of the vulnerability would allow the attacker to access and modify simulations and user-created data. Cisco stated that to exploit this vulnerability, the attacker would need valid user credentials that are stored on the associated external authentication server. Recently the company also announced patches for high-severity vulnerabilities in StarOS software and the BroadWorks network server that could lead to privilege escalation and denial-of-service (DoS), respectively. Cisco warned that proof-of-concept (PoC) exploitation code targeting the StarOS software bug (which is tracked as CVE-2023-20046) has been publicly released. The tech giant says it is unaware of these vulnerabilities being exploited in attacks. However, customers are advised to apply the available fixes as soon as possible, as unpatched Cisco products are known to have been exploited in the wild.

SecurityWeek reports: "Cisco Patches Critical Vulnerabilities in Industrial Network Director, Modeling Labs"

The US Homeland Security Department's Cybersecurity and Infrastructure Security Agency (CISA) reports that there are about 153,000 public drinking water systems and over 16,000 publicly owned wastewater treatment systems in the US. Therefore, a cyberattack on these systems could result in service interruptions, damage to critical infrastructure, and even illness and death. The Johns Hopkins Applied Physics Laboratory (APL) in Laurel, Maryland, has developed and implemented a cost-effective cyber-physical security situational awareness capability for Industrial Control Systems (ICS) at the Cranberry Water Treatment plant in Westminster, Maryland. The technology is designed to detect and notify operators of malicious activity, including unauthorized access, malicious code, and data exfiltration. In addition, it provides a comprehensive view of the system's health and performance, enabling operators to quickly identify and resolve any problems. This solution integrates network fingerprinting, host-based monitoring, digital twin technology, and advanced event correlation and alerting to provide system operators with a comprehensive understanding of their systems. This article continues to discuss the development of the cost-effective cyber-physical security situational awareness capability for ICS and its testing at the Cranberry Water Treatment plant in Westminster, Maryland.

Johns Hopkins Applied Physics Laboratory reports "Developing Cybersecurity Solutions for Industrial Infrastructures"

The UK government's intelligence and security arm recently issued an alert on Russian state-aligned threat actors aiming to conduct disruptive and destructive attacks against critical infrastructure in Western countries. The National Cyber Security Centre (NCSC) stated that recently these threat groups have focused on distributed denial-of-service (DDoS) attacks, defacements, and misinformation attacks. The NCSC warns that some have stated a desire to achieve a more disruptive and destructive impact against Western critical national infrastructure (CNI), including in the UK. The agency believes these groups will focus on identifying poorly protected critical infrastructure systems to cause disruptions. The NCSC noted that threat actors that pose a threat include not only groups that are actually sponsored by the Russian government but also hacktivists that are sympathetic to Russia. Aligned with Moscow's interests, these threat actors support Russia's invasion of Ukraine, are ideologically motivated, and may not be subject to formal state control, which makes them less predictable, as their targeting is broader compared to that of cybercriminal groups. The NCSC believes these groups are not sophisticated enough and lack the resources to launch destructive attacks on their own. The agency says that without external assistance, they consider it unlikely that these groups have the capability to deliberately cause a destructive, rather than disruptive, impact in the short term. Nonetheless, the NCSC notes that these groups may become more effective over time and recommends that organizations take the necessary precautions to prepare themselves for potential attacks.

SecurityWeek reports: "UK Warns of Russian Hackers Targeting Critical Infrastructure"

Fortra, the company developer of Cobalt Strike, is bringing further attention to the zero-day Remote Code Execution (RCE) flaw in its GoAnywhere MFT tool that ransomware actors are actively exploiting to steal sensitive data. The critical flaw, tracked as CVE-2023-0669, with a CVSS score: of 7.2, is a pre-authenticated command injection vulnerability that could be exploited for code execution. The company patched the vulnerability in version 7.1.2 of the software in February 2023, but not before it had been weaponized as a zero-day exploit since January 18. On January 30, 2023, Fortra, which collaborated with Palo Alto Networks Unit 42, was made aware of suspicious activity associated with some file transfer instances. According to the company, the unauthorized entity used the flaw to create unauthorized user accounts in certain MFTaaS customer environments. The unauthorized party leveraged user accounts for a subset of these customers to download files from their hosted MFTaaS environments. Cl0p, a Ransomware-as-a-Service (RaaS) provider, exploited the GoAnywhere vulnerability and was the most active threat actor observed, with a total of 129 victims, according to NCC Group. Cl0p's exploitation spree is the second time since September 2021 that LockBit has been dethroned from the top spot. Royal, BlackCat, Play, Black Basta, and BianLian were other prevalent ransomware strains. This article continues to discuss the zero-day RCE vulnerability in Fortra's GoAnywhere MFT tool that ransomware actors have actively exploited to steal sensitive data.

THN reports "Fortra Sheds Light on GoAnywhere MFT Zero-Day Exploit Used in Ransomware Attacks"

Hackers are infiltrating inadequately protected and Internet-exposed Microsoft SQL (MS-SQL) servers in order to deploy Trigona ransomware and encrypt all files. The MS-SQL servers are being compromised by brute-force or dictionary attacks that exploit account credentials that are easy to guess. After connecting to a server, the threat actors deploy malware called CLR Shell by researchers from the South Korean cybersecurity company AhnLab who discovered the attacks. This malware collects system information, modifies the compromised account's configuration, and escalates privileges to LocalSystem by exploiting a flaw in the Windows Secondary Logon Service, which is required to initiate the ransomware as a service. This article continues to discuss the hacking of MS-SQL servers to deploy Trigona ransomware payloads.

Bleeping Computer reports "Microsoft SQL Servers Hacked to Deploy Trigona Ransomware"

E2EE was proposed as an additional layer of encryption for the Global System for Mobile Communication and Terrestrial Trunked Radio mobile communications standards when the need and value of private and secure communications came of age. Nearly all consumer-oriented information-sharing services provide data encryption today, but not all are E2EE, and there is still confusion regarding what true E2EE entails. E2EE is a secure communication method that encrypts data at the sender's device and decrypts it only at the recipient's device, preventing anyone in between from reading or modifying the data. True E2EE offers a very high level of security because it prevents unauthorized parties from intercepting communications. In addition, unlike simpler encryption techniques, E2EE can provide mathematical proof of security through public/private key cryptography, algorithms that factor large prime numbers, and digital signatures that guarantee the sender's authenticity. This definition articulates the security functions and requirements necessary for government agencies to deploy E2EE services securely. True E2EE services are robust and fortified to help organizations meet the complex and stringent security and privacy requirements that most enterprises require. They enable agencies to minimize risk and maximize compliance, while providing the ability to communicate quickly and securely. Adopting best practices allows organizations in the public and private sectors to integrate E2EE successfully into their communications and file-sharing platforms. This article continues to discuss key attributes of secure communications that enterprises should consider when designing their E2EE models.

GCN reports "Not All Encryption Is Created Equal"

Researchers continue to work toward realizing a future populated by autonomous vehicles, but the threat of cyberattacks is one of the most pressing issues to resolve. To address this critical issue, a new research team is exploring methods to mitigate the effects of cyberattacks on transportation infrastructure and Connected Autonomous Vehicle (CAV) systems on road traffic safety. As part of its University Transportation Centers (UTC) program, the Department of Transportation (DOT) has awarded a $10 million, five-year grant in support of the work. Dr. Yunpeng (Jack) Zhang will lead the Transportation Cybersecurity Center for Advanced Research and Education (CYBER-CARE) at the University of Houston (UH). Texas A&M University-Corpus Christi, Embry-Riddle Aeronautical University, Rice University, the University of Cincinnati, and the University of Hawaii at Honolulu are members of the CYBER-CARE consortium. The work will include researching, developing, and testing various technologies to specify, evaluate, and enforce cybersecurity and safety policies for CAV accident management policies. This article continues to discuss the research effort to bolster transportation cybersecurity.

Texas A&M University-Corpus Christi reports "TAMU-CC Researchers Part of Cybersecurity Research Team Funded by $10M Department of Transportation Grant"

The US Homeland Security Department's Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the FBI are collaborating with international partners' cybersecurity agencies to publish cybersecurity best practices for smart cities. Smart cities incorporate public services into a connected environment to increase efficiencies and improve the quality of life in different communities. Seven agencies from five countries have published the Cybersecurity Information Sheet, "Cybersecurity Best Practices for Smart Cities," highlighting how the integration of Operational Technology (OT) in a connected environment has many benefits but can also be an attractive target for malicious cyber actors seeking to steal data from critical infrastructure and proprietary information, perform ransomware operations, or execute destructive cyberattacks. The report explores risks stemming from three areas, including a large interconnected attack surface, the Information and Communications Technology (ICT) supply chain and vendors, and infrastructure operations automation. This article continues to discuss the agencies' release of a report aimed at strengthening cybersecurity for smart cities.

NSA reports "NSA Part of Coalition Highlighting Cybersecurity Best Practices for Smart Cities"

Cybersecurity professionals need help remembering all the various names companies use to refer to threat actors. For example, some use a number system, while others use colors, animals, and adjectives such as "fancy" and "charming." Microsoft has announced that it is moving away from a taxonomy based on chemical elements to one that uses weather-themed names to classify hacking groups, adding yet another naming scheme. The tech giant outlined its new naming scheme, explaining that countries will be assigned weather conditions such as blizzard for Russia, sleet for North Korea, typhoon for China, and sandstorm for Iran, while specific groups within nations will be categorized by an adjective such as a color. An Iranian nation-state group will be renamed "Mint Sandstorm" after previously being referred to as "Phosphorus." Microsoft's John Lambert stated that the increasing complexity, scale, and volume of threats calls for reimagining not only how Microsoft communicates threats but also how the company enables customers to understand these threats quickly and with clarity. With the new taxonomy, consumers and security researchers who are already overwhelmed by threat intelligence data will be provided with more context. Lambert explained that the new system would enable them to better organize the threat groups they are tasked with monitoring and provide easier classification methods. Simply by reading the name, researchers and security teams will immediately have an idea about the type of threat actor they are facing. He added that Microsoft is currently tracking over 300 threat actors, including 160 nation-state groups, 50 ransomware gangs, and hundreds of other types of attackers. Using its new naming taxonomy, Microsoft has reclassified every actor it tracks. This article continues to discuss Microsoft's new naming scheme for threat actors.

The Record reports "'Denim Tsunami' and 'Mulberry Typhoon': Microsoft Alters the Way It Names Hacking Groups"

Researchers from Finland's Aalto University published a report titled "Cyber Citizen Skills and Their Development in the European Union," urging EU member states to develop a unified, people-centered approach to cyber skills and cybersecurity. It was discovered that there are significant differences in the quality of cybersecurity education and other digital skills across the EU. The researchers' study was conducted as part of the Cyber Citizen Initiative. Its primary objective is to create a "cybersecurity civic skills learning model and a learning portal for all Europeans," according to the report's authors. According to the report, the online learning portal will contain content aimed at various audiences. It will include a cybersecurity game that facilitates practical and entertaining cybersecurity education. The researchers found that a unified learning model would help the EU in focusing its efforts to ensure that all citizens have at least a moderate level of cybersecurity competence based on their analysis of the various methodologies EU countries use to develop citizens' cybersecurity skills. This article continues to discuss the new EU cyber citizen report calling on EU member states to develop a cohesive cybersecurity skills plan for all citizens.

Silicon Republic reports "New Report Calls on EU to Develop Cohesive Cybersecurity Skills Plan for All"

According to Mila Kofman, Executive Director of the District of Columbia Health Benefit Exchange Authority, the recent data breach of personal information for thousands of users of Washington D.C.'s health insurance exchange, including members of Congress, was caused by basic human error. The data breach was first discovered in early March and included basic personal information, including date of birth, Social Security numbers, and contact information for "56,415 current and past customers including members of Congress, their families, and staff." Kofman stated that her office immediately brought in the FBI Cyber Security Task Force, and the security flaw was quickly tracked down to a particular computer server that was "misconfigured to allow access to the reports on the server without proper authentication. Based on their investigation to date, they believe the misconfiguration was not an intentional but human mistake." Kofman noted that this security flaw enabled an unidentified hacker to steal two reports that contained the client information, some of which were later offered up for sale in an online forum. Kofman stated that the stolen data "included that of 17 Members of the House and 43 of their dependents, and 585 House staff members and of their 231 dependents."

NBC Washington reports: "DC Health Link Data Breach Blamed on Human Error"

Researchers have emphasized that Large Language Model (LLM)-driven malware assessments should not be used in place of human analysis because the Artificial Intelligence (AI) technology underlying them can be deceived and manipulated. They have warned that the prevalence of malicious packages in repositories such as PyPI and npm continues to rise. Researchers from Endor Labs stated that the creation of fake accounts and the distribution of malicious packages can be automated to such an extent that the marginal costs of creating and spreading a malicious package are close to zero. Therefore, the company conducted an experiment and helped identify malicious packages by using a combination of AI techniques and examining the source code and metadata of packages. Researchers explained that the source code is examined for the presence of typical malware behaviors such as droppers, reverse shells, and information exfiltration. GPT-3.5 was queried for 1,874 artifacts. Although LLMs can be beneficial in day-to-day operations, Endor Labs has determined that they cannot replace human review. This article continues to discuss GPT being tricked into believing malware is benign.

Cybernews reports "GPT Tricked by Analysts Into Believing Malware Is Benign"

Security researchers at Akamai have discovered that last year was a record-breaker in terms of API and application-based attacks on the EMEA retail sector, with detected threats surging 189%. During the study, Akamai analyzed intelligence gathered from 340,000 servers in 4000 locations on 1300 networks in 134 countries. The researchers saw a significant spike in attacks last year across the high-tech (176%) and social media (404%) sectors in EMEA. Globally, the financial services sector also saw an increase in attacks based on 2021 figures. However, in the UK, recorded threats declined by 4%, making this the only region to experience a decrease in this vertical. The researchers suggested that this could be down to threat actors targeting individual account holders rather than large banking institutions. Retail, high tech, and financial services remained by far the most popular targets for web attacks in 2022, accounting for over 70% of total detected threats during the year. The researchers noted that elsewhere, attacks on the healthcare industry globally surged 55% from 2021 to 2022, driven by greater adoption of IoT equipment, which has expanded organizations' attack surfaces. The researchers also found that Local File Inclusion (LFI) remained the top attack vector in EMEA, with attacks growing 115% from 2021 to 2022. Globally they surged by even more (193% year-on-year).

Infosecurity reports: "Triple-digit Increase in API and App Attacks on Tech and Retail"