News Items

  • news

    "Cybercriminals Use Research Contests to Create New Attack Methods"

    According to Sophos, adversary-sponsored research contests on cybercriminal forums focus on novel attack and evasion techniques. The contests mirror legitimate security conference 'Call For Papers' and provide winners with monetary rewards, peer recognition, and employment opportunities. A new report from Sophos X-Ops says these contests prompt innovation, and when the entries are analyzed, they provide helpful insight into how cybercriminals attempt to overcome security obstacles. Cybercriminal forum competitions have evolved over the years, as earlier cybercrime contests consisted of trivia quizzes, graphic design competitions, and guessing games. Now, these forums invite attackers to submit articles on technical topics, including source code, videos, and/or screenshots. This article continues to discuss adversary-sponsored research contests on cybercriminal forums.

    Help Net Security reports "Cybercriminals Use Research Contests to Create New Attack Methods"

  • news

    "UTIA Analyzes Data Security and Privacy Concerns of Precision Dairy Management Systems"

    A team of researchers at the University of Tennessee Institute of Agriculture has received a US Department of Agriculture (USDA)-National Institute of Food and Agriculture (NIFA) new investigator seed grant to explore data security and privacy risks associated with the use of Precision Dairy Management (PDM) systems. This study will delve into the types and extent of PDM systems used by Tennessee dairy farmers, as well as the potential data security risks posed by these devices and how farmers and technology developers perceive these threats. During the milking process, PDM systems help farmers maximize dairy output through data collection and Artificial Intelligence (AI) technologies. PDM systems help improve animal welfare, detect and prevent disease, reduce livestock discomfort, and analyze milk production. Although there are potential long-term benefits to profitability and animal health, data breaches and privacy violations may pose a safety risk. The project will analyze the types of Internet-Connected Devices (ICDs) in PDM systems and how they are used. Researchers will work to determine how potential security breaches and unwanted online access could impact farmers on a local, state, and national scale. This article continues to discuss the research project on analyzing data security concerns and privacy risks of using PDM systems.

    The University of Tennessee Institute of Agriculture reports "UTIA Analyzes Data Security and Privacy Concerns of Precision Dairy Management Systems"

  • news

    "New Principles for Patient Data Use Balance Research Benefits, Individual Privacy"

    The American Heart Association (AHA) has published new policy guidance regarding collecting, storing, ethically using, and sharing patient data. Consumers and patients likely know about social media companies' health information collection strategies and practices. However, many are unaware that data collection and sharing can be incredibly valuable for advancing health research that could lead to discoveries and more informed health decisions. Concerns about privacy in the handling of sensitive health information accompany these advances. The new AHA policy statement, "Principles for Health Information Collection, Sharing, and Use," has been published in the Association's peer-reviewed journal, Circulation. This article continues to discuss the guiding principles outlined by the AHA that will help protect patients' privacy.

    The American Heart Association reports "New Principles for Patient Data Use Balance Research Benefits, Individual Privacy"

  • news

    "School of Engineering Establishes Virtual Institute to Combat Cyber Threats"

    A newly established virtual institute at the University of Kansas (KU) School of Engineering will prepare the next generation of military and civilian leaders to fight the growing threat of cyberattacks and protect the electromagnetic spectrum (EMS). The US Department of Defense (DoD) awarded KU a two-year $1.5 million grant to establish the Virtual Institutes for Cyber and Electromagnetic Spectrum Research and Employ (VICEROY) program. Fengjun Li, professor of electrical engineering and computer science at KU and lead researcher for the VICEROY program, emphasized that the complexity and diversity of modern communication systems, such as 5G and 6G networks, as well as Artificial Intelligence (AI) and electronic warfare systems, pose tough challenges for protecting networks from cyberattacks. This article continues to discuss the goals of the VICEROY program.

    The University of Kansas reports "School of Engineering Establishes Virtual Institute to Combat Cyber Threats"

  • news

    "AI Chatbots Pose Risk for Business Operations, Warn UK Cyber Authorities"

    Britain's National Cyber Security Centre (NCSC) is bringing further attention to the security risk that Artificial Intelligence (AI) chatbots such as OpenAI's ChatGPT and Google's Bard pose to business operations. According to the NCSC, research suggests that these chatbots, built on algorithms capable of generating human-sounding interactions, can be easily tricked into carrying out malicious tasks. The NCSC emphasized that part of the problem stems from the technology being so new, which exacerbates the risks of working in a constantly changing market. It noted that the global technology community does not yet fully understand the capabilities and vulnerabilities of Large Language Models (LLMs). Despite the availability of several LLM Application Programming Interfaces (APIs), the NCSC explained that the current understanding of LLMs is still "in beta," and global research is ongoing to fill in the gaps. This article continues to discuss UK cyber authorities' warning regarding AI chatbots posing security risks.

    Cybernews reports "AI Chatbots Pose Risk for Business Operations, Warn UK Cyber Authorities"

  • news

    "Ransomware Comic Looks to Bring Detective Noir to the Computer Age"

    Johnny Dollar is a fictional private detective turned insurance investigator whose old-school crime-fighting adventures are being rebooted decades into the future to combat digital extortion, one of the digital age's most pressing and disruptive crimes. The character started as a radio serial on February 18, 1949. Johnny made his living as a private investigator, pursuing mobsters, murderers, and scammers. More than 800 episodes were broadcast on CBS Radio before the series' cancellation in 1962. Today, Allan Liska, an analyst at the cybersecurity company Recorded Future, is relaunching Johnny's story in a new comic book. Like Liska, the new Johnny Dollar will spend his days investigating ransomware crimes and helping victims whose lives have been turned upside down by cybercriminal gangs. This article continues to discuss Liska's translation of a 1940s detective radio serial to a comic set in the modern computer age.

    SC Media reports "Ransomware Comic Looks to Bring Detective Noir to the Computer Age"

  • news

    "Gamaredon Hackers Target Ukrainian Military Orgs Amid Counteroffensive Efforts"

    According to a new report published by Ukraine's National Coordination Center for Cybersecurity (NCCC), Gamaredon, the Moscow-backed hacking group, is intensifying its attacks against Ukraine's military and government agencies. Gamaredon works from the Russian-annexed Crimean peninsula and follows orders issued by Russia's Federal Security Service (FSB) in Moscow. Cybersecurity experts and government officials say the main objectives of the group's attacks are espionage and data theft. In a previous report, the Ukrainian Computer Emergency Response Team (CERT-UA) said the group was responsible for at least one destructive cyberattack on an unidentified information infrastructure facility. This article continues to discuss Gamaredon ramping up its attacks on Ukraine's military and government agencies.

    The Record reports "Gamaredon Hackers Target Ukrainian Military Orgs Amid Counteroffensive Efforts"

  • news

    "Vulnerability in WordPress Migration Plugin Exposes Websites to Attacks"

    Security researchers at Patchstack have discovered a vulnerability in several extensions for the All-in-One WP Migration plugin that potentially exposes WordPress websites to attacks leading to sensitive information disclosure. With more than five million installations and maintained by ServMask, All-in-One WP Migration is a highly popular plugin for moving websites that also offers several premium extensions for migrating to third-party platforms. The vulnerability affects All-in-One WP Migration's Box, Google Drive, OneDrive, and Dropbox extensions and could allow attackers to access sensitive information. It is tracked as CVE-2023-40004 and is described as an unauthenticated access token manipulation issue. The researchers noted that the bug could allow an unauthenticated attacker to tamper with the access token configuration of the affected extension, and that this "access token manipulation could result in a potential sensitive information disclosure of migration to the attacker's controlled third-party account or restore a malicious backup." The flaw was identified in the init function of the affected extensions, which is "hooked to the WordPress's admin_init hook." Because admin_init fires on any request routed through the WordPress admin, including endpoints such as admin-ajax.php and admin-post.php that unauthenticated visitors can reach, the hook itself can be triggered by an attacker without authentication. Since there is no permission and nonce validation on the init function, an unauthenticated user is able to modify or delete the access token used by each of the affected extensions. On July 18, the researchers reported the vulnerability to ServMask, which patched the bug in all impacted extensions by "adding permission and nonce validation on the init function." Users are advised to update to All-in-One WP Migration's Box extension version 1.54, Google Drive extension version 2.80, OneDrive extension version 1.67, and Dropbox extension version 3.76, which were released at the end of July.

    SecurityWeek reports: "Vulnerability in WordPress Migration Plugin Exposes Websites to Attacks"
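    The root cause described above, an init routine attached to admin_init with no capability or nonce check, is easiest to understand in code. The following is an added illustration for this digest, not ServMask's code or its patch: a hypothetical extension that stores the access token for a third-party storage account in a WordPress option, first in the vulnerable shape, then hardened the way the fix is described (permission and nonce validation). The option name, action name and POST parameter names are assumptions made for the example.

```php
<?php
// Added illustration, not ServMask's code or its patch: a hypothetical
// migration extension that lets an administrator set or clear the access
// token it uses for a third-party storage account. The option name
// 'example_ext_token', the nonce action 'example_ext_update_token' and the
// POST parameter names are invented for this example.

// VULNERABLE SHAPE. admin_init fires on any request routed through the
// WordPress admin, including admin-ajax.php and admin-post.php, which an
// unauthenticated visitor can reach. Nothing below checks who is asking or
// whether the request was deliberately submitted from the settings page.
function example_ext_init_vulnerable() {
    if ( isset( $_POST['example_ext_revoke'] ) ) {
        // An anonymous request can wipe the legitimate token.
        delete_option( 'example_ext_token' );
        return;
    }
    if ( isset( $_POST['example_ext_token'] ) ) {
        // An anonymous request can point migrations at a storage account the
        // attacker controls, or make the plugin restore the attacker's backup.
        update_option(
            'example_ext_token',
            sanitize_text_field( wp_unslash( $_POST['example_ext_token'] ) )
        );
    }
}
// add_action( 'admin_init', 'example_ext_init_vulnerable' ); // do not ship this

// HARDENED SHAPE: the same logic behind a capability check and a nonce
// check, the two controls the fix described above adds.
function example_ext_init_hardened() {
    // Do nothing unless a token-related field is present, so the hook stays
    // cheap on the many unrelated admin requests it also sees.
    if ( ! isset( $_POST['example_ext_token'] ) && ! isset( $_POST['example_ext_revoke'] ) ) {
        return;
    }

    // 1. Permission. Only users who may manage the site can touch the token.
    //    With no user logged in, current_user_can() is false, so the
    //    unauthenticated path is closed here.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'You are not allowed to change this setting.', '', array( 'response' => 403 ) );
    }

    // 2. Nonce. The request must carry a nonce issued for this action to this
    //    user, which stops CSRF against a logged-in administrator. The
    //    settings form must emit the matching field with
    //    wp_nonce_field( 'example_ext_update_token', 'example_ext_nonce' ).
    //    check_admin_referer() stops execution itself when the nonce fails.
    check_admin_referer( 'example_ext_update_token', 'example_ext_nonce' );

    if ( isset( $_POST['example_ext_revoke'] ) ) {
        delete_option( 'example_ext_token' );
        return;
    }
    update_option(
        'example_ext_token',
        sanitize_text_field( wp_unslash( $_POST['example_ext_token'] ) )
    );
}
add_action( 'admin_init', 'example_ext_init_hardened' );
```

    Neither control replaces the other. A nonce only proves that the request originated from a page WordPress rendered for that user; it is not an authorization check, so a nonce check alone still lets whoever can obtain a nonce change the token. A capability check alone leaves a logged-in administrator open to cross-site request forgery. That is why the fix adds both.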

  • news

    "SapphireStealer Malware: A Gateway to Espionage and Ransomware Operations"

    Multiple threat actors are enhancing the capabilities of SapphireStealer, an open-source .NET-based information stealer, and spawning their own custom variants. According to Cisco Talos researcher Edmund Brumaghin, information-stealing malware such as SapphireStealer can be used to obtain sensitive data, such as corporate credentials, which are typically resold to other threat actors who use the access for espionage, ransomware/extortion, and other attacks. Over time, an entire ecosystem has developed that enables both financially motivated and nation-state actors to use stealer malware vendors' services to conduct various attacks. In this light, such malware not only represents an evolution of the Cybercrime-as-a-Service (CaaS) model, but it also enables other threat actors to profit from the stolen data in order to distribute ransomware, steal further data, and engage in other malicious cyber activities. This article continues to discuss findings regarding SapphireStealer.

    THN reports "SapphireStealer Malware: A Gateway to Espionage and Ransomware Operations"

  • news

    "Classiscam Fraud-As-A-Service Expands, Now Targets Banks and 251 Brands"

    The "Classiscam" Fraud-as-a-Service (FaaS) operation has expanded its global reach, targeting a greater number of brands, countries, and industries, and causing more significant financial harm than before. This Telegram-based operation, similar in structure to Ransomware-as-a-Service (RaaS), recruits affiliates who use the service's phishing kits to create fraudulent ads and pages aimed at stealing money, credit card information, and, more recently, banking credentials. The developers then split the profits with the affiliate, with the developers receiving 20-30 percent and the affiliate receiving the remainder. Group-IB first identified the platform in 2019 and has since tracked its rapid expansion; by its count, 40 cybercrime groups using Classiscam made $6.5 million in 2020. This article continues to discuss the Classiscam FaaS.

    Bleeping Computer reports "Classiscam Fraud-As-A-Service Expands, Now Targets Banks and 251 Brands"

  • news

    "Apple Offers Security Researchers Specialized iPhones to Tinker With"

    Apple encourages security researchers to apply for its Security Research Device Program (SRDP) to identify vulnerabilities and earn bug bounties. Apple launched the SRDP in 2019. Participating researchers have identified 130 critical security flaws through the program and indirectly helped Apple implement security improvements to the XNU kernel, kernel extensions, and XPC services. The Security Research Device (SRD) is a hardware variant of the iPhone 14 Pro equipped with tools and options that enable researchers to configure or disable advanced iOS security features. It allows researchers to install and boot custom kernel caches, execute arbitrary code, initiate services at startup, persist content across restarts, and more. This article continues to discuss Apple's SRDP.

    Help Net Security reports "Apple Offers Security Researchers Specialized iPhones to Tinker With"

  • news

    "Cyberattackers Swarm Openfire Cloud Servers With Takeover Barrage"

    The cybercriminal group Kinsing has returned, exploiting a previously disclosed path traversal vulnerability in the Openfire enterprise messaging application to create unauthenticated admin users. They can then upload malware and a Monero cryptominer to compromised platforms after gaining complete control of Openfire cloud servers. In less than two months, Aqua Nautilus researchers have observed over 1,000 attacks exploiting the Openfire vulnerability, tracked as CVE-2023-32315, which was disclosed and fixed in May. Openfire is a web-based real-time collaboration (RTC) server used as a chat platform over XMPP that supports over 50,000 concurrent users. This article continues to discuss the Kinsing threat group exploiting an Openfire vulnerability.

    Dark Reading reports "Cyberattackers Swarm Openfire Cloud Servers With Takeover Barrage"

  • news

    "Government Agencies Report New Russian Malware Targets Ukrainian Military"

    US federal agencies and international partners have issued a joint report warning of new malware, dubbed "Infamous Chisel," that the Russian military cyber actor known as Sandworm is deploying against Android devices used by the Ukrainian military. The objective of the joint guidance is to facilitate the detection and mitigation of this new malware, which is attributed to an actor known to target US government and Defense Industrial Base (DIB) networks. According to Cybersecurity Director Rob Joyce of the National Security Agency (NSA), Russia continues to use the cyber domain to advance its conflict against Ukraine. This article continues to discuss the "Infamous Chisel" malware analysis report.

    NSA reports "Government Agencies Report New Russian Malware Targets Ukrainian Military"

  • news

    "Energy Department Offering $9M in Cybersecurity Competition for Small Electric Utilities"

    The US Department of Energy recently announced a competition that can help smaller electric utilities obtain funding and technical assistance for improving their cybersecurity posture. The competition, named the Advanced Cybersecurity Technology (ACT) 1 Prize Competition, is part of the Biden administration's Rural and Municipal Utility Cybersecurity (RMUC) Program, which has set aside $250 million over a five-year period for enhancing cybersecurity at cooperative, municipal and small investor-owned electric utilities. The total budget for the ACT 1 Prize Competition, which is the first in a series, is $8.96 million in cash and technical assistance. The competition has three phases, focusing on commitment, planning, and implementation. The Department of Energy stated that in the commitment phase, competitors need to describe their current resources and their need for improving their cybersecurity posture. The deadline for this first phase is November 29, 2023. The department noted that "winning utilities in the Commitment Phase will receive cash prizes and technical assistance based on their commitment to improving their utility's cybersecurity posture through investments in cybersecurity technologies, staff training, and improvements to governance processes." In the planning phase, utilities will conduct system assessments, identify areas for training, understand potential risks and solutions, and draft an implementation roadmap. In the final phase, they will work on implementing that roadmap. In the second and third phases, electric utilities will receive cash prizes and technical assistance based on the work they completed in the respective phase.

    SecurityWeek reports: "Energy Department Offering $9M in Cybersecurity Competition for Small Electric Utilities"

  • news

    "500k Impacted by Data Breach at Fashion Retailer Forever 21"

    Fashion retailer Forever 21 has recently started informing more than 500,000 individuals that their personal information was compromised in a data breach earlier this year. The retailer revealed that, on March 20, 2023, it identified a cyberattack that impacted some of its systems. Forever 21's investigation determined that the attackers had access to the company's systems since at least January 5, 2023, and that they accessed those systems several times until March 21. The company noted that this month, it discovered that the files the attackers accessed contained personal information, including names, birth dates, Social Security numbers, bank account numbers, and Forever 21 health plan data. Forever 21 told the Maine Attorney General that close to 540,000 individuals were impacted by the incident. The company noted that it has no evidence suggesting that the stolen information "has been misused for fraud or identity theft." While the retailer shared no details on how the attackers breached its systems or whether file-encrypting ransomware was used, the notification letter suggests that it engaged in communication with the attackers and that a ransom might have been paid.

    SecurityWeek reports: "500k Impacted by Data Breach at Fashion Retailer Forever 21"

  • news

    "Splunk Patches High-Severity Flaws in Enterprise, IT Service Intelligence"

    Splunk recently announced patches for multiple high-severity vulnerabilities in Splunk Enterprise and IT Service Intelligence, including flaws in third-party packages. The most severe of the bugs resolved in Splunk Enterprise this month is CVE-2023-40595 (CVSS score of 8.8), which is described as a remote code execution issue exploitable using crafted queries. Splunk noted that the exploit requires the use of the collect SPL command, which writes a file within the Splunk Enterprise installation. The attacker can then use this file to submit a serialized payload that can result in the execution of code within the payload. The next most severe vulnerability is CVE-2023-40598, a command injection vulnerability impacting a legacy internal function, which could be exploited to execute arbitrary code. Splunk stated that the vulnerability revolves around the currently deprecated runshellscript command that scripted alert actions use. Splunk noted that this command, along with external command lookups, lets an attacker use this vulnerability to inject and execute commands within a privileged context from the Splunk platform instance. The latest Splunk Enterprise releases also resolve a cross-site scripting (XSS) flaw (CVE-2023-40592), an absolute path traversal bug leading to code execution (CVE-2023-40597), and a privilege escalation issue resulting from an insecure path reference in a DLL (CVE-2023-40596). All vulnerabilities were addressed with the release of Splunk Enterprise versions 8.2.12, 9.0.6, and 9.1.1, which also patch two medium-severity denial-of-service (DoS) flaws. Splunk also recently announced patches for an unauthenticated log injection bug (CVE-2023-4571, CVSS score of 8.6) in IT Service Intelligence. Splunk noted that the issue allows an attacker to inject ANSI escape codes into log files, resulting in malicious code being executed when the log file is read in a vulnerable terminal application. While IT Service Intelligence is not directly impacted by the flaw, indirect impact results from the permissions the terminal application has and from where and how the user reads the malicious log files. Splunk patched the vulnerability in IT Service Intelligence versions 4.13.3 and 4.15.3. Splunk makes no mention of any of these vulnerabilities being exploited in attacks.

    SecurityWeek reports: "Splunk Patches High-Severity Flaws in Enterprise, IT Service Intelligence"
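    The log-injection mechanism Splunk describes (attacker-controlled text written into a log, then interpreted by the terminal an operator reads it in) is worth seeing concretely. The following is an added example for this digest, not Splunk's code: it flags untrusted text that carries terminal control sequences, renders them harmless before a record is written, and audits constructed sample records from an existing log. It assumes PHP 7.4 or later with the mbstring extension; the field names and sample inputs are constructed for the example.

```php
<?php
// Added example, not Splunk's code: neutralise terminal escape sequences in
// untrusted text before it is written to a log, and flag records that already
// carry them. Field names and sample inputs are constructed for the example.
// Assumes PHP 7.4+ with mbstring (for mb_ord).

/**
 * Detection rule: does $s contain characters a terminal could interpret?
 * That is ESC (0x1B) and the other C0 controls except tab/LF/CR, DEL, and the
 * C1 range U+0080..U+009F (U+009B is the single-character CSI introducer).
 */
function contains_terminal_controls(string $s): bool
{
    if (preg_match('//u', $s) !== 1) {
        // Not valid UTF-8: inspect raw bytes, so a bare 0x9B byte is caught too.
        return preg_match('/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F\x80-\x9F]/', $s) === 1;
    }
    return preg_match('/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F\x{80}-\x{9F}]/u', $s) === 1;
}

/**
 * Render every such character as a visible \xNN escape so the record stays
 * readable and auditable but can no longer drive a terminal. LF and CR are
 * escaped as well so one record cannot forge additional records. Tab and
 * ordinary non-ASCII text (accented names, etc.) pass through untouched.
 */
function neutralize_terminal_controls(string $s): string
{
    if (preg_match('//u', $s) !== 1) {
        // Not valid UTF-8: escape every byte outside printable ASCII and tab.
        return preg_replace_callback(
            '/[^\x09\x20-\x7E]/',
            fn (array $m): string => sprintf('\\x%02x', ord($m[0])),
            $s
        );
    }
    return preg_replace_callback(
        '/[\x00-\x08\x0A-\x1F\x7F\x{80}-\x{9F}]/u',
        fn (array $m): string => sprintf('\\x%02x', mb_ord($m[0], 'UTF-8')),
        $s
    );
}

/** Build one key=value log record, sanitising every value on the way in. */
function format_log_line(string $level, array $fields): string
{
    $parts = [];
    foreach ($fields as $key => $value) {
        $parts[] = $key . '=' . neutralize_terminal_controls((string) $value);
    }
    return gmdate('Y-m-d\TH:i:s\Z') . ' ' . $level . ' ' . implode(' ', $parts) . "\n";
}

// Constructed sample: a username taken from a request. It sets the terminal
// title (OSC 0 ... BEL), then clears the current line and returns the cursor
// (CSI 2K, CR) so that, on a terminal that honours escapes, the text an
// operator sees is the forged "login OK user=admin" rather than what was logged.
$untrusted = "alice\x1b]0;owned\x07\x1b[2K\rlogin OK user=admin";

if (contains_terminal_controls($untrusted)) {
    // Every ESC, BEL and CR in the value becomes four printable characters.
    echo format_log_line('INFO', ['event' => 'login', 'user' => $untrusted, 'ip' => '203.0.113.7']);
}

// Constructed sample of an existing log being audited for prior injection.
$existing = [
    "2023-08-30T10:00:00Z INFO event=login user=bob ip=198.51.100.4",
    "2023-08-30T10:00:02Z INFO event=login user=eve\x1b[8mhidden ip=198.51.100.9",
    "2023-08-30T10:00:05Z INFO event=login user=Zoë ip=198.51.100.12",
];
foreach ($existing as $n => $line) {
    if (contains_terminal_controls($line)) {
        echo 'suspicious record at line ' . ($n + 1) . ': ' . neutralize_terminal_controls($line) . "\n";
    }
}
```

    For a vendor product such as IT Service Intelligence the fix is the vendor's patch; the write-side sanitiser above is for logs your own applications produce. On the read side, inspecting suspect files with `cat -v` or with `less` (without its `-r`/`-R` raw-control-character options) shows control characters as printable caret or hex notation instead of passing them to the terminal.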

  • news

    "Innovative Approach: Detecting Malware Through Hardware-integrated Protection"

    Dr. Marcus Botacin, a visiting assistant professor in the computer science and engineering department at Texas A&M University, was recently awarded a grant by the National Science Foundation (NSF) for efforts aimed at moving malware detection from software to hardware, enhancing existing technology. According to Botacin, the concept of using hardware to detect malware faster has existed for around ten years, but his proposal would be the "first formal scientific treatment of the problem." The "Next Generation Antivirus" project will include establishing a framework for extending existing CPU hardware to integrate malware detection, as well as developing the metrics and formal materials required for methodological evaluation. A new technology for faster and more efficient detection needs evaluations to determine if the technique is practical enough without compromising other important operations. Botacin will use a hardware emulator, simulating hardware operations in a software application, to create the framework and uncover new ways CPUs can be designed and organized to include malware detection. This article continues to discuss the Next Generation Antivirus project.

    Texas A&M University reports "Innovative Approach: Detecting Malware Through Hardware-integrated Protection"

  • news

    "Tech Companies Mull Strategies to Block Threat Groups From Abusing Platforms"

    As threat groups increasingly use cloud storage, email, and messaging platforms in cyberattacks, technology providers seek new ways to bolster their defense strategies. Threat groups have used legitimate services for command-and-control (C2) communication, payload delivery, and data exfiltration. This abuse can make cyberattacks difficult to detect for victims. In addition, this strategy reduces operational expenses and infrastructure costs for cybercriminals because it simplifies C2 server installation and eliminates the need for hosting or registration fees. According to a new report by Recorded Future's Insikt Group, Advanced Persistent Threat (APT) groups have been at the forefront of innovation efforts surrounding this type of abuse, but less sophisticated groups are following suit due to a "trickle down effect." This article continues to discuss blocking threat groups from abusing legitimate platforms.

    Decipher reports "Tech Companies Mull Strategies to Block Threat Groups From Abusing Platforms"

  • news

    "Checkmarx Warns of Unknown Threat Actor Targeting Developers Through NPM Packages"

    Researchers at Checkmarx have uncovered a previously unknown threat actor using NPM packages to steal source code and secrets from developers. The threat actor, suspected to have been active since 2021, has published malicious NPM packages designed to exfiltrate sensitive data, such as source code and configuration files, from victim machines. Each malicious package used by the threat actor executes automatically upon installation. The packages each included three files as part of the attack process. This article continues to discuss the targeting of developers through malicious NPM packages.

    SiliconANGLE reports "Checkmarx Warns of Unknown Threat Actor Targeting Developers Through NPM Packages"

  • news

    "Credentials of NASA, Tesla, DOJ, Verizon, and 2K Others Leaked by Workplace Safety Organization"

    The National Safety Council (NSC) is a US nonprofit organization that provides workplace and driving safety training. On its digital platform, NSC offers online resources to its nearly 55,000 members, representing various businesses, agencies, and academic institutions. However, the organization's website left member data exposed for five months. The Cybernews research team discovered publicly accessible web directories that exposed thousands of credentials. The leaked credentials include those belonging to employees of around 2,000 businesses and government agencies, such as Shell, BP, Exxon, Chevron, Siemens, Intel, HP, Dell, IBM, AMD, and more. This article continues to discuss the NSC leaking nearly 10,000 emails and passwords of its members, exposing 2,000 organizations.

    Cybernews reports "Credentials of NASA, Tesla, DOJ, Verizon, and 2K Others Leaked by Workplace Safety Organization"

  • news

    "Earth Estries Cyberespionage Group Targets Government, Tech Sectors"

    A cyberespionage group possibly linked to China has recently targeted government-related organizations and technology companies in various parts of the world. Security researchers at Trend Micro, which tracks it as Earth Estries, say the group has been around since at least 2020. The researchers have not directly attributed Earth Estries to any particular country, but they did point out that there are some overlaps in tactics, techniques, and procedures (TTPs) with an APT named FamousSparrow. FamousSparrow, which in 2021 was seen targeting governments and hotels, may be connected to the China-linked threat actors SparklingGoblin and DRBControl. The researchers noted that they are aware of Earth Estries victims in the United States, Germany, South Africa, Malaysia, the Philippines, and Taiwan. Some evidence suggests that entities in India, Canada, and Singapore were also attacked. The researchers noted that the targets were mainly organizations in the government and technology sectors. The attackers typically compromise admin accounts after hacking the targeted organization's internal servers. They then move laterally and deploy backdoors and other tools before collecting and exfiltrating valuable data. The researchers noted that the list of malware used by the group includes the HemiGate and Zingdoor backdoors and the TrillClient information stealer. Earth Estries' command and control (C&C) infrastructure relies on the Fastly CDN service, which in the past was seen being abused by threat actors related to the Chinese group APT41. The researchers' analysis uncovered C&C servers hosted on virtual private server (VPS) services in various countries, including the US, India, Canada, the UK, Finland, Germany, Macedonia, China, South Korea, Japan, South Africa, and Australia.

    SecurityWeek reports: "Earth Estries Cyberespionage Group Targets Government, Tech Sectors"

  • news

    "UK Cyber Agency Warns of Potentially Fundamental Flaw in AI Technology"

    Britain's National Cyber Security Centre (NCSC) has issued a warning about a fundamental security vulnerability affecting Large Language Models (LLMs), the type of Artificial Intelligence (AI) that ChatGPT uses to hold human-like conversations. Since ChatGPT's launch in November 2022, most security concerns regarding the technology have centered on its ability to automatically generate human-like speech, and cybercriminals are now deploying their own versions to generate "remarkably persuasive" phishing emails. Beyond such malicious use of LLMs, there are vulnerabilities that stem from how the technology is integrated with other systems, especially when it interfaces with databases and other product components. The main one is known as a "prompt injection" attack, and according to the NCSC, the issue may be fundamental: the agency warned that research suggests an LLM cannot distinguish between an instruction and the data supplied to help it complete that instruction. This article continues to discuss Britain's NCSC warning of a fundamental flaw in AI technology.

    The Record reports "UK Cyber Agency Warns of Potentially Fundamental Flaw in AI Technology"

  • news

    "China-Linked BadBazaar Android Spyware Targeting Signal and Telegram Users"

    Researchers have found malicious Android apps for Signal and Telegram being distributed through the Google Play Store and Samsung Galaxy Store. They are designed to deliver the BadBazaar spyware on infected devices. ESET researchers attributed the campaign to GREF, an actor linked to China. Most victims have been detected in Germany, Poland, and the US, followed by Ukraine, Australia, Brazil, Denmark, Congo-Kinshasa, Hong Kong, Hungary, Lithuania, the Netherlands, Portugal, Singapore, Spain, and Yemen. BadBazaar was first identified by Lookout in November 2022 as targeting the Uyghur community in China with seemingly harmless Android and iOS apps that, once installed, harvest data, including call logs, SMS messages, locations, and more. This article continues to discuss the China-linked BadBazaar Android spyware.

    THN reports "China-Linked BadBazaar Android Spyware Targeting Signal and Telegram Users"

  • news

    "DreamBus Malware Exploits RocketMQ Flaw to Infect Servers"

    A new version of the DreamBus botnet malware infects devices by exploiting a critical Remote Code Execution (RCE) flaw in RocketMQ servers. The exploited vulnerability, tracked as CVE-2023-33246, is a permission verification flaw that affects RocketMQ versions 5.1.0 and earlier and allows remote command execution under certain conditions. Recent DreamBus attacks exploiting this vulnerability were discovered by researchers at Juniper Threat Labs, who reported an uptick in activity in the middle of June 2023. This article continues to discuss findings regarding the new version of the DreamBus botnet malware.

    Bleeping Computer reports "DreamBus Malware Exploits RocketMQ Flaw to Infect Servers"

  • news

    "Rising Cyber Incidents Challenge Healthcare Organizations"

    According to Claroty, healthcare organizations face multiple cybersecurity challenges, calling for them to increasingly prioritize cybersecurity and compliance. In addition to focusing on Information Technology (IT) systems, threat actors have shifted their attention to Internet of Medical Things (IoMT) devices, Building Management Systems (BMS), and other cyber-physical systems that are essential for maintaining a safe environment for patient care. The healthcare sector is unique due to the wide variety of cyber-physical systems connected to the Internet and to one another. A successful attack on any of these systems or devices could impact care delivery or patient safety. This article continues to discuss cybersecurity challenges faced by healthcare organizations.

    Help Net Security reports "Rising Cyber Incidents Challenge Healthcare Organizations"

  • news

    Visible to the public "In Airbnb, Cybercriminals Find a Comfortable Home for Fraud"

    Cybercriminals are targeting Airbnb accounts and trading them on the dark web. Thousands of Airbnb accounts have been put up for sale in underground cybercrime markets in recent months, sometimes for as little as one dollar. According to an investigation by SlashNext researchers, cybercriminals use phishing, stealer malware, and stolen session cookies to gain unauthorized access to Airbnb accounts, which they then sell online. With access to the accounts of legitimate hosts and guests, they can book properties and perform other unauthorized actions without raising red flags. This article continues to discuss cybercriminals targeting Airbnb for fraud.

    Dark Reading reports "In Airbnb, Cybercriminals Find a Comfortable Home for Fraud"

  • news

    Visible to the public "Twelve Nations Urge Social Media Giants to Tackle Illegal Data Scraping"

    Twelve nations have issued a joint statement cautioning against the use of data scraping technologies to collect personal information from social media platforms and other online sites, which local laws require to protect their users' data. They note that data scraping is increasingly used to collect and process personal information from the Internet, raising significant privacy concerns because the harvested data can be exploited for various purposes. According to the statement, these include monetization through resale to third-party websites, identity fraud, and intelligence gathering to facilitate malicious cyberattacks. The statement was issued jointly by the data privacy agencies of Australia, Canada, the UK, Hong Kong, Switzerland, and others. This article continues to discuss a band of nations calling on social media platforms and websites that hold personal data to protect their users against illegal data scraping.

    ZDNet reports "Twelve Nations Urge Social Media Giants to Tackle Illegal Data Scraping"

  • news

    Visible to the public "High-Severity Memory Corruption Vulnerabilities Patched in Firefox, Chrome"

    Mozilla and Google recently announced stable updates for Firefox and Chrome that address several high-severity vulnerabilities, including memory corruption issues. Mozilla released Firefox 117 with patches for 13 vulnerabilities, seven of them rated "high severity," four of which are memory corruption bugs in the browser's IPC CanvasTranslator, IPC ColorPickerShownCallback, IPC FilePickerShownCallback, and JIT UpdateRegExpStatics components. The first three, tracked as CVE-2023-4573, CVE-2023-4574, and CVE-2023-4575, could lead to a use-after-free and a potentially exploitable crash. The fourth, CVE-2023-4577, could likewise lead to a potentially exploitable crash. Mozilla also patched a high-severity integer overflow (CVE-2023-4576) in the RecordedSourceSurfaceCreation component of Firefox for Windows, which resulted in "a heap buffer overflow potentially leaking sensitive data that could have led to a sandbox escape." Firefox 117 further addresses multiple high-severity memory safety bugs collectively tracked as CVE-2023-4584 and CVE-2023-4585, which also affect Firefox ESR and Thunderbird. The remaining six issues are medium- and low-severity vulnerabilities that could lead to site spoofing, sensitive information leaks, files being downloaded without a warning about their potential harm, a buffer overflow, or browser context not being cleared when a private window is closed. Mozilla also released Firefox ESR 115.2 with patches for 14 vulnerabilities, 12 of which are also resolved in Firefox 117, and Firefox ESR 102.15 with patches for six vulnerabilities. Google's Chrome update resolves one vulnerability, CVE-2023-4572, a use-after-free in MediaStream. Google noted that such issues can often be chained with other vulnerabilities to escape Chrome's sandbox and achieve remote code execution. Neither Mozilla nor Google mentions any of these flaws being exploited in attacks.
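
    As an added illustration of the integer-overflow class behind CVE-2023-4576 (this is example code written for this page, not Firefox's), the following Python emulates unsigned 32-bit arithmetic to show how an unchecked width * height * bytes-per-pixel computation wraps to a tiny allocation, so that the subsequent pixel copy runs past the heap buffer, and how a checked computation rejects the same dimensions. The 32-bit width, the function names and the dimensions used are assumptions for the demonstration.

```python
"""Added example: unchecked vs. checked surface-size computation.
Not Firefox code; the fixed 32-bit width and the helper names are assumptions."""

U32_MAX = 0xFFFF_FFFF


class SizeOverflow(ValueError):
    """Raised when a size computation would not fit the target integer width."""


def u32_wrap(value: int) -> int:
    """Emulate the silent wrap-around of an unsigned 32-bit multiply in C."""
    return value & U32_MAX


def surface_bytes_unchecked(width: int, height: int, bpp: int) -> int:
    """Size as a naive 32-bit computation produces it: the product wraps silently,
    so attacker-chosen dimensions can yield a tiny (even zero) allocation."""
    return u32_wrap(u32_wrap(width * height) * bpp)


def surface_bytes_checked(width: int, height: int, bpp: int) -> int:
    """Same computation, refusing any intermediate that leaves the 32-bit range."""
    if width < 0 or height < 0 or bpp <= 0:
        raise ValueError("dimensions must be non-negative and bpp positive")
    stride = width * bpp
    if stride > U32_MAX:
        raise SizeOverflow("row stride does not fit in 32 bits")
    total = stride * height
    if total > U32_MAX:
        raise SizeOverflow("surface size does not fit in 32 bits")
    return total


def is_rejected(width: int, height: int, bpp: int) -> bool:
    """True if the checked version refuses these dimensions."""
    try:
        surface_bytes_checked(width, height, bpp)
    except SizeOverflow:
        return True
    return False


def overrun_bytes(width: int, height: int, bpp: int, size_fn) -> int:
    """Allocate with size_fn, then 'copy' the real pixel data into the buffer.
    Returns how many bytes the copy would write past the allocation (0 is safe)."""
    allocated = size_fn(width, height, bpp)
    needed = width * height * bpp  # what the pixel data really occupies
    return max(0, needed - allocated)


if __name__ == "__main__":
    # 65536 x 65536 RGBA: width * height == 2**32, which wraps to 0 in 32 bits.
    w, h, bpp = 0x10000, 0x10000, 4
    print("unchecked allocation:", surface_bytes_unchecked(w, h, bpp), "bytes")
    print("bytes written past it:", overrun_bytes(w, h, bpp, surface_bytes_unchecked))
    print("checked version rejects it:", is_rejected(w, h, bpp))
```

    The defect is not the multiply itself but trusting its result as an allocation size; the checked variant bounds each intermediate product, which is the same discipline compilers expose as checked-multiply builtins in native code.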

    SecurityWeek reports: "High-Severity Memory Corruption Vulnerabilities Patched in Firefox, Chrome"

  • news

    Visible to the public "GitHub Enterprise Server Gets New Security Capabilities"

    GitHub recently announced the general availability of Enterprise Server 3.10 with new security capabilities, including support for custom deployment rules. GitHub noted that with the new release, GitHub Projects is now generally available in Enterprise Server, providing administrators with increased visibility over issues and pull requests. Teams using GitHub Actions can now also create their own custom deployment protection rules to ensure that only "the deployments that pass all quality, security, and manual approval requirements make it to production." The new release also gives administrators additional control over the management and security of runners in GitHub Actions, allowing them to disable repository-level self-hosted runners across the entire organization and user namespaces so that jobs run only on centrally managed machines. GitHub stated that Enterprise Server 3.10 also makes it easier for developers to set up code scanning on their repositories, using the new default setup, without writing YAML workflow files. The default setup also allows teams to enable code scanning across multiple repositories at once. According to GitHub, the new release also makes it easier for security teams to track coverage and risks across all repositories from the enterprise-level "code security" pages, including Dependabot findings.

    SecurityWeek reports: "GitHub Enterprise Server Gets New Security Capabilities"

  • news

    Visible to the public "Barracuda ESG Hacks Focused On China's 'High Priority Targets'"

    According to researchers at Mandiant, the hackers responsible for a recent campaign targeting Barracuda Email Security Gateway (ESG) devices have conducted follow-up attacks against compromised organizations considered "high priority targets" by the Chinese government, and have made significant efforts to evade victims' remediation actions. Between October 2022 and June 2023, a previously unknown threat group, UNC4841, which Mandiant and the FBI revealed to have clear ties to China, compromised Barracuda ESG appliances globally. Barracuda hired Mandiant to investigate the attacks when they were discovered in May, and the company has been collaborating closely with affected organizations and authorities in multiple jurisdictions. In a recent report, Mandiant notes that UNC4841 was able to launch additional malware to maintain a presence on a smaller group of targeted networks, even as organizations scrambled to address the initial attacks. A few victims remained at risk from the novel backdoor malware, DEPTHCHARGE, that the threat group deployed in response to remediation efforts. This article continues to discuss Barracuda ESG hacks focusing on China's high priority targets.

    SC Magazine reports "Barracuda ESG Hacks Focused On China's 'High Priority Targets'"

  • news

    Visible to the public "Abnormal Security: Microsoft Tops List of Most-Impersonated Brands in Phishing Exploits"

    According to a new study by Abnormal Security, which analyzed brand impersonation and credential phishing trends in the first half of 2023, Microsoft was the most commonly abused brand for phishing exploits. Microsoft's name was used in approximately 650,000 phishing attempts blocked by Abnormal Security. According to the company's report, attackers prefer Microsoft due to the ability to move laterally throughout an organization's Microsoft environment. Additionally, Abnormal Security's threat unit observed the growing use of generative Artificial Intelligence (AI) in social engineering attacks. AI tools have made it much easier and faster for cybercriminals to craft convincing phishing emails, spoof websites, and write malicious code. This article continues to discuss the top 10 brands impersonated in phishing attacks, attackers increasingly relying on generative AI, and how credential-focused phishing attacks lead to persistence.

    TechRepublic reports "Abnormal Security: Microsoft Tops List of Most-Impersonated Brands in Phishing Exploits"

  • news

    Visible to the public SoS Musings #76 - Side-Channel Attacks Continue Emerging


  • news

    Visible to the public Cybersecurity Snapshots #45 - Cuba Ransomware


  • news

    Visible to the public Cyber Scene #83 - AI Abounding: Worldwide Regulation, Home and Abroad


  • news

    Visible to the public "US, European Agencies Dismantle Qakbot Network Used for Ransomware and Scams"

    Multiple law enforcement agencies worldwide have dismantled Qakbot, one of the most prolific and persistent botnets. The FBI and US Department of Justice (DOJ), together with agencies in France, Germany, the Netherlands, the UK, Romania, and Latvia, announced that they shut down Qakbot's computer infrastructure and removed the malware from infected devices. Since 2008, cybercriminals have used the Qakbot malware to infect over 700,000 devices, enabling them to launch ransomware attacks and carry out scams. According to senior FBI officials, more than 200,000 infected devices were in the US. This article continues to discuss the collaborative takedown of the Qakbot network.

    The Record reports "US, European Agencies Dismantle Qakbot Network Used for Ransomware and Scams"

  • news

    Visible to the public "Iran Spyware Breached and Exposed by GhostSec"

    The GhostSec hacktivist group claims to have compromised the FANAP Behnama software, exposing 20GB of data, including face recognition and motion detection systems the Iranian government allegedly uses to monitor and track its citizens. GhostSec, which emerged around 2015, is believed to be an offshoot of the larger Anonymous collective, seemingly formed in response to the ISIS terrorist attacks in France that year. Since then, it claims to have sabotaged hundreds of websites and social media accounts promoting Islamist extremism. This article continues to discuss the GhostSec hacktivist group claiming to have taken down the "Iran regime's very own privacy-invading software."

    Cybernews reports "Iran Spyware Breached and Exposed by GhostSec"

  • news

    Visible to the public "UN Warns Hundreds of Thousands in Southeast Asia Roped Into Online Scams"

    The U.N. human rights office recently announced that criminal gangs have forced hundreds of thousands of people in Southeast Asia into participating in unlawful online scam operations, including false romantic ploys, bogus investment pitches, and illegal gambling schemes. The U.N. human rights office said that at least 120,000 people in strife-torn Myanmar and roughly 100,000 in Cambodia "may be held in situations where they are forced to carry out online scams." Laos, the Philippines, and Thailand were also cited among the main countries of destination or transit for tens of thousands of people. The human rights office noted that criminal gangs have increasingly targeted migrants and lured some victims by false recruitment, suggesting they are destined for real jobs. The human rights office stated that some victims have been subjected to torture, cruel punishments, sexual violence, and arbitrary detention, among other crimes. In June, Philippine police backed by commandos led a raid to rescue more than 2,700 workers from China, the Philippines, Vietnam, Indonesia, and more than a dozen other countries who were allegedly swindled into working for fraudulent online gaming sites and other cybercrime groups.

    SecurityWeek reports: "UN Warns Hundreds of Thousands in Southeast Asia Roped Into Online Scams"

  • news

    Visible to the public "DarkGate Malware Activity Spikes as Developer Rents Out Malware to Affiliates"

    A new malspam campaign has been observed deploying DarkGate, an off-the-shelf malware. According to Telekom Security, the current increase in DarkGate activity is likely due to the malware's developer having recently begun renting it out to a limited number of affiliates. The report expands on the findings of security researcher Igal Lytzki, who described a "high volume campaign" that uses hijacked email threads to trick recipients into downloading malware. DarkGate, which is mainly sold on underground forums by an actor named RastaFarEye, includes the ability to evade detection by security software, set up persistence through Windows Registry changes, escalate privileges, and steal data from web browsers and other applications such as Discord and FileZilla. This article continues to discuss the DarkGate malspam campaign.

    THN reports "DarkGate Malware Activity Spikes as Developer Rents Out Malware to Affiliates"

  • news

    Visible to the public "MalDoc in PDFs: Hiding Malicious Word Docs in PDF Files"

    Japan's Computer Emergency Response Team (JPCERT) reveals a new "MalDoc in PDF" attack discovered in July 2023 that evades detection by embedding malicious Word documents within PDFs. The file sampled by JPCERT is a polyglot that most scanning engines and tools recognize as a PDF, but that office applications can open as a standard Word document (.doc). Polyglots combine two different file formats so that, depending on the application reading them, they can be interpreted as more than one file type. In this campaign, the malicious documents are a combination of PDF and Word files that can be opened in either format. Threat actors typically use polyglots to bypass detection or confuse analysis tools, since such a file may appear harmless in one format while hiding malicious code in another. In this case, the PDF file contains a Word document with a VBA macro that downloads and installs an MSI malware file if the document is opened in Microsoft Office as a .doc file. This article continues to discuss the MalDoc in PDF attack.
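
    The following Python is an added triage check for the polyglot layout described above; it is not JPCERT's or BleepingComputer's tooling. It flags a file that begins with a PDF header yet also carries strings characteristic of Word's MHTML ("Web Archive") output or a legacy OLE2 .doc header, and reports how many bytes trail the final %%EOF, which a PDF reader ignores. The marker strings are this example's choice and the sample bytes are constructed, not a real malicious document.

```python
"""Added example: triage check for a PDF/Word polyglot.
Not JPCERT's or BleepingComputer's code; marker strings are an assumption and
the sample bytes below are constructed for this example."""

PDF_MAGIC = b"%PDF-"
PDF_EOF = b"%%EOF"
# Header of a legacy binary .doc (OLE2 compound file).
OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
# Strings found in Word's MHTML ("Web Archive") output, which Word opens as a .doc.
MHT_MARKERS = (
    b"MIME-Version:",
    b"Content-Type: multipart/related",
    b"urn:schemas-microsoft-com:office:word",
    b"ProgId content=Word.Document",
)


def classify(data: bytes) -> dict:
    """Return a verdict plus the evidence it rests on."""
    is_pdf = data.startswith(PDF_MAGIC)
    last_eof = data.rfind(PDF_EOF)
    # A PDF reader stops at the final %%EOF; whatever follows is invisible to it.
    trailing = len(data) - (last_eof + len(PDF_EOF)) if last_eof != -1 else 0
    markers = [m.decode("ascii") for m in MHT_MARKERS if m in data]
    has_ole = OLE_MAGIC in data

    if is_pdf and (markers or has_ole):
        verdict = "pdf-word-polyglot"
    elif is_pdf:
        verdict = "pdf"
    elif markers or has_ole:
        verdict = "word-like"
    else:
        verdict = "other"
    return {
        "verdict": verdict,
        "is_pdf": is_pdf,
        "trailing_bytes_after_eof": max(trailing, 0),
        "word_markers": markers,
        "ole_header": has_ole,
    }


# Constructed samples (not real malware): a minimal PDF, and the same PDF with an
# MHTML Word document appended after %%EOF, mirroring the polyglot layout.
SAMPLE_CLEAN_PDF = (
    b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
)
SAMPLE_POLYGLOT = SAMPLE_CLEAN_PDF + (
    b"MIME-Version: 1.0\n"
    b"Content-Type: multipart/related; boundary=\"----=_NextPart\"\n\n"
    b"------=_NextPart\nContent-Type: text/html; charset=\"us-ascii\"\n\n"
    b"<html xmlns:w=\"urn:schemas-microsoft-com:office:word\">\n"
    b"<meta name=ProgId content=Word.Document>\n"
    b"</html>\n"
    b"------=_NextPart--\n"
)

if __name__ == "__main__":
    for name, blob in (("clean", SAMPLE_CLEAN_PDF), ("polyglot", SAMPLE_POLYGLOT)):
        print(name, classify(blob))
```

    This check only establishes that a file is more than one format; confirming a macro requires decoding the embedded MHTML parts, which is the step scanners that stop at the PDF structure never reach.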

    Bleeping Computer reports "MalDoc in PDFs: Hiding Malicious Word Docs in PDF Files"

  • news

    Visible to the public "Addressing Cybersecurity's Talent Shortage & Its Impact on CISOs"

    Recent research from ISC2 shows that the cybersecurity industry continues to face a severe talent shortage as the threat landscape evolves and the skills gap grows. The organization found that the workforce gap still exceeds 3.4 million security professionals. Organizations are adopting cloud-first strategies to gain scalability and flexibility, and many use multiple cloud and database providers, which increases workload, alert volume, and data. That complexity requires new tools, changes in practice, new skills, and more hands. At the same time, CISOs lack the budgets and staff to meet the demand in the current economic climate. This affects organizations of all sizes and is partly attributable to an expanding and evolving threat landscape: in 2022 alone, 1,802 data breaches were recorded, affecting 422 million individuals. This article continues to discuss the cybersecurity talent shortage.

    Dark Reading reports "Addressing Cybersecurity's Talent Shortage & Its Impact on CISOs"

  • news

    Visible to the public "Easy-To-Exploit Skype Vulnerability Reveals Users' IP Address"

    Attackers can exploit a vulnerability in Skype mobile apps to discover a user's IP address, a piece of information that can endanger individuals whose physical safety depends on the secrecy of their location. A security researcher named Yossi discovered the vulnerability and privately reported it to Microsoft. The specifics have not been made public because it has not yet been patched, but it is said to be trivially easy to exploit, requiring only a change to a link-related parameter. The vulnerability enables an attacker to send a message containing a link that, when the message is opened, reveals the recipient's IP address; the recipient does not need to click the link or take any other action for the attack to succeed. Microsoft initially stated that the issue does not meet its definition of a security vulnerability requiring immediate servicing, but later confirmed that it will be addressed in a "future product update." The attack works if the target uses the Skype mobile app, while the Mac client is reportedly not affected. This article continues to discuss findings regarding the Skype vulnerability.

    Help Net Security reports "Easy-To-Exploit Skype Vulnerability Reveals Users' IP Address"

  • news

    Visible to the public "Report Reveals Growing Disparity in Cyber Insurance Landscape"

    According to security researchers at Delinea, there is a growing disconnect between carriers and enterprises seeking robust coverage. Insights from 300 US organizations highlighted an escalating trend: securing cyber insurance is increasingly challenging, with more firms needing over six months to obtain a policy. The survey sought to identify shifting patterns since last year's analysis. The researchers stated that the share of companies making multiple claims surged to 47%, while 67% of respondents reported insurance premiums rising by 50-100% at application or renewal. The researchers also found a growing list of exclusions that could render coverage null, including inadequate security protocols (43%), human error (38%), acts of war (33%), and non-adherence to compliance procedures (33%). Even organizations that succeed in procuring or renewing policies may face claim denials or reductions due to intricate policy stipulations. The researchers stated that security controls matter given the prevalence of cyberattacks stemming from compromised credentials: approximately 51% of respondents cite Identity and Access Management (IAM) controls as a policy requirement, closely followed by 49% citing Privileged Access Management (PAM). With cyber insurance shaping up as a strategic imperative, organizations are also aligning budgets: 50% invested in IAM solutions, 45% procured password vaults, and 44% acquired PAM controls to support their coverage.

    Infosecurity reports: "Report Reveals Growing Disparity in Cyber Insurance Landscape"

  • news

    Visible to the public "Signs of Malware Attack Targeting Rust Developers Found on Crates.io"

    According to security researchers at Phylum, the Crates[.]io Rust package registry was targeted recently in what appeared to be the initial phase of a malware attack aimed at developers. The researchers noted that it is not uncommon for threat actors to rely on typosquatting and software development package registries to deliver malware to Node.js and Python developers. In these types of attacks, hackers typically create packages with names that are misspelled or typosquatted variants of popular packages. The researchers noted that these attacker packages are initially benign to ensure that they are accepted into official registries. Days or weeks later, the threat actor adds malicious functionality that they can leverage against developers who download their package instead of the legitimate version. Phylum reported that such an attack targeted the Rust package registry Crates[.]io earlier this month. The researchers stated that, fortunately, the suspicious packages were detected early, but in some cases, the attacker did manage to add code designed to send information about the compromised host to a Telegram channel. The researchers noted that this is likely part of a callback mechanism used for communications. The Rust Foundation was notified, and it quickly removed the packages and locked the uploader's account. GitHub was also notified and took action against the associated account. The researchers noted that it is unclear exactly what type of malicious functionality would have been added to the packages had they not been removed, but the researchers believe the attacker may have wanted to steal secrets or sensitive files from victims.

    SecurityWeek reports: "Signs of Malware Attack Targeting Rust Developers Found on Crates.io"

  • news

    Visible to the public "Leaseweb Reports Cloud Disruptions Due to Cyberattack"

    Dutch infrastructure-as-a-service and cloud solutions provider Leaseweb shut down some critical systems last week due to a cyberattack. Leaseweb stated that it detected unusual activity in certain areas of its cloud environments on the night of August 22. The company noted that the issue had an impact on a specific portion of its cloud-based infrastructure, leading to downtime for a small number of cloud customers. The company noted that impacted systems should now be restored. According to its website, Leaseweb provides cloud, CDN, managed hosting, colocation, bare metal servers, and other services to more than 17,000 customers, including SMBs and enterprises.

    SecurityWeek reports: "Leaseweb Reports Cloud Disruptions Due to Cyberattack"

  • news

    Visible to the public "Clemson Mathematicians' Collaborative Digital Signature Is a Candidate to Become a National Standard"

    Clemson University and three European universities have developed a digital signature scheme that could become part of the national standard for cryptographic tools aimed at protecting digital information against future quantum computers. The US National Institute of Standards and Technology (NIST) is running a competition to select standard post-quantum digital signature algorithms that would protect email, credit card and bank transactions, and digital documents against tampering by unauthorized third parties. The researchers' Codes and Restricted Objects Signature Scheme (CROSS) has been accepted as a candidate for standardization. A digital signature is a mathematical algorithm used to prove the authenticity and integrity of an email, credit card transaction, or digital document. Digital signatures create a virtual fingerprint unique to a person or entity, identifying users and protecting information in digital messages or documents. The US Cybersecurity and Infrastructure Security Agency (CISA) notes that digital signatures are more secure than other types of electronic signatures. This article continues to discuss the Clemson mathematicians' collaborative digital signature being a candidate to become a national standard.

    Clemson University reports "Clemson Mathematicians' Collaborative Digital Signature Is a Candidate to Become a National Standard"

  • news

    Visible to the public "Tor Turns to Proof-Of-Work Puzzles to Defend Onion Network From DDoS Attacks"

    The Onion Router (Tor) faced a massive Distributed Denial-of-Service (DDoS) attack. DoS abuse continues to be a persistent problem, degrading the performance of the anti-censorship service and causing many to be concerned for its security. Tor's onion routing is a privacy technology dating back 20 years. It essentially works by relaying a user's Internet traffic through a shifting maze of nodes so that, with some clever encryption encapsulation, a network eavesdropper, for example, will struggle or be unable to determine a user's true public IP address. To prevent future crippling DDoS attacks, Tor developers have been working on a defense initially proposed in April 2020. It was introduced in Tor version 0.4.8.4 and relies on a mechanism developed by Moni Naor and Cynthia Dwork in 1992 as a defense against DoS and spam. This article continues to discuss Tor turning to proof-of-work puzzles in the fight against DDoS attacks.
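
    To show the principle behind the defense described above, the following Python is an added hashcash-style proof-of-work exchange in the spirit of the Dwork-Naor pricing-function idea: the service hands out a seed and a difficulty, the client burns roughly 2^difficulty hash computations to find a nonce, and the service verifies the answer with a single hash, rejects replays, and rotates the seed when it wants to raise the bar. It is example code, not Tor's actual puzzle construction or protocol; the message layout, the parameters, and the class and function names are assumptions.

```python
"""Added example: hashcash-style proof-of-work challenge/response.
Not Tor's puzzle or protocol; layout, parameters and names are assumptions."""
import hashlib
import os
import struct
from typing import Optional, Set, Tuple


def _leading_zero_bits(digest: bytes) -> int:
    """Number of leading zero bits in a digest (the puzzle's 'effort' measure)."""
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()


def puzzle_digest(seed: bytes, nonce: int) -> bytes:
    """One puzzle evaluation: SHA-256 over seed || 64-bit big-endian nonce."""
    return hashlib.sha256(seed + struct.pack(">Q", nonce)).digest()


def solve(seed: bytes, difficulty_bits: int, max_tries: int = 1 << 26) -> int:
    """Client side: brute-force a nonce; expected cost about 2**difficulty_bits hashes."""
    for nonce in range(max_tries):
        if _leading_zero_bits(puzzle_digest(seed, nonce)) >= difficulty_bits:
            return nonce
    raise RuntimeError("no solution within budget")


class PuzzleService:
    """Server side: issues (seed, difficulty), verifies a solution with one hash,
    rejects replays, and re-keys at a new difficulty while under load."""

    def __init__(self, difficulty_bits: int = 12, seed: Optional[bytes] = None):
        self.difficulty = difficulty_bits
        self.seed = seed if seed is not None else os.urandom(16)
        self.spent: Set[int] = set()

    def challenge(self) -> Tuple[bytes, int]:
        return self.seed, self.difficulty

    def verify(self, seed: bytes, nonce: int) -> bool:
        if seed != self.seed:
            return False  # stale or forged challenge
        if nonce in self.spent:
            return False  # replayed solution
        if _leading_zero_bits(puzzle_digest(seed, nonce)) < self.difficulty:
            return False  # insufficient work
        self.spent.add(nonce)
        return True

    def rotate(self, difficulty_bits: int) -> None:
        """Issue a fresh seed (invalidating old solutions) at a new difficulty."""
        self.difficulty = difficulty_bits
        self.seed = os.urandom(16)
        self.spent.clear()


def demo_roundtrip(seed: bytes, difficulty_bits: int = 12) -> Tuple[bool, bool, bool]:
    """Solve one challenge and report (accepted, replay_accepted, wrong_seed_accepted)."""
    service = PuzzleService(difficulty_bits, seed)
    chal_seed, bits = service.challenge()
    nonce = solve(chal_seed, bits)
    first = service.verify(chal_seed, nonce)
    replay = service.verify(chal_seed, nonce)
    forged = service.verify(b"not-the-seed", nonce)
    return first, replay, forged


if __name__ == "__main__":
    print("accepted, replay, wrong seed:", demo_roundtrip(os.urandom(16)))
```

    The asymmetry is the whole point: each extra bit of difficulty doubles the client's expected work while the service still spends one hash per check, so a flood of connection requests costs the flooder far more than it costs the service to triage them.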

    The Register reports "Tor Turns to Proof-Of-Work Puzzles to Defend Onion Network From DDoS Attacks"

  • news

    Visible to the public "LockBit Code Leak Sparks Wave of RaaS Attacks"

    LockBit 3.0, the LockBit ransomware gang's malware, was leaked last year. Researchers have found that several other threat groups used the leaked LockBit 3.0 builder to create their own ransomware variants and deploy them in extortion campaigns. Soon after the September 2022 leak, researchers found an intrusion involving LockBit 3.0 ransomware. Although the variant was confirmed to be LockBit, the ransom demand procedure differed from that previously observed for this threat actor. In the examined ransom note, the extortionists referred to themselves as the National Hazard Agency, a previously unknown group. The note stood out because it included a specific demand ($3 million) for the decryption keys to the victim's encrypted files, as well as email and chat contact information, whereas the LockBit group interacts with victims through its own communication and negotiation platform. Other threat groups found using LockBit 3.0 included Blacktail's Buhti ransomware operation, the Bl00dy ransomware gang, and GetLucky. This article continues to discuss the boost in Ransomware-as-a-Service (RaaS) attacks due to the LockBit code leak.

    SC Media reports "LockBit Code Leak Sparks Wave of RaaS Attacks"

  • news

    Visible to the public "A Brazilian Phone Spyware Was Hacked and Victims' Devices 'Deleted' From Server"

    In recent years, WebDetetive, a Portuguese-language spyware, has compromised over 76,000 Android phones in South America, primarily in Brazil. WebDetetive is also the latest phone spyware company to be compromised in recent months. In an undated note seen by TechCrunch, the unidentified hackers described how they discovered and exploited multiple security flaws to compromise WebDetetive's servers and gain access to its user databases. By exploiting further vulnerabilities in the spyware maker's web dashboard, which abusers used to access their victims' stolen phone data, the hackers claimed to have enumerated and downloaded every dashboard record, including customers' email addresses. According to the hackers, dashboard access also enabled them to delete victim devices from the spyware network, severing the connection at the server level so that the devices stop uploading new data. This article continues to discuss the Portuguese-language app WebDetetive used to compromise over 76,000 phones.

    TechCrunch reports "A Brazilian Phone Spyware Was Hacked and Victims' Devices 'Deleted' From Server"

  • news

    Visible to the public "Met Police Officers at Risk After Serious Data Breach"

    London's Metropolitan Police Service is investigating a severe data breach that may have exposed personnel names, ranks, and pictures. The force informed staff that it is still investigating the "unauthorized access to the IT system of a Met supplier" and that it is not yet known when or how it happened, or exactly how many individuals were affected. The company had access to officer and staff names, titles, photos, vetting levels, and salaries. The company did not maintain personal data such as addresses, phone numbers, or financial information. There are concerns that the identities of undercover officers may have been compromised. This article continues to discuss the Met Police security incident and other recent data breach alerts from UK police forces.

    BankInfoSecurity reports "Met Police Officers at Risk After Serious Data Breach"

  • news

    Visible to the public "Two Men Arrested Following Poland Railway Hacking"

    Polish police recently arrested two men suspected of illegally hacking into the national railway's communications network, which destabilized traffic in some areas of the country this weekend. The Polish police noted that the two men arrested were Polish citizens. Police also seized radio equipment from the apartment where the men, who are 24 and 29 years of age, were detained. On Friday night, the radio communication network of the Polish PKP railway was hacked near the northwestern city of Szczecin, leading to the issuing of several stop signals, which brought to a standstill or delayed some 20 trains. According to the PKP, traffic resumed a few hours later. The police noted that the attacks continued on Saturday and Sunday in other parts of the country without posing major problems to traffic.

    SecurityWeek reports: "Two Men Arrested Following Poland Railway Hacking"