News Items

Dr. Madhusanka Liyanage of University College Dublin (UCD) is the coordinator of the UCD School of Computer Science's Network Softwarization and Security Labs (Netslab) research group. This group is primarily focused on the security and privacy of future mobile networks, such as 5G and 6G. Netslab is a relatively new research group comprised of nine individuals, including three postdoctoral researchers and six Ph.D. students. At Netslab, research is conducted on various network softwarization and security aspects, including network slicing, software-defined networking, and edge computing. The team is particularly interested in how blockchain and Artificial Intelligence (AI) could be used to improve the security of future mobile networks. Netslab is establishing itself as a leading research group in network security by exploring and developing these technologies. Dr. Liyanage is also the leader of two significant EU Horizon 2020 projects, SPATIAL and CONFIDENTIAL6G. SPATIAL aims to move toward a trustworthy cybersecurity sector in Europe, enabling trustworthy governance and a regulatory framework for AI-driven security. The CONFIDENTIAL6G project will design quantum-resistant cryptographic protocols as well as security proof tools, libraries, mechanisms, and architectural blueprints for 6G confidentiality. This article continues to discuss Dr. Liyanage's research on novel security and privacy solutions.

Silicon Republic reports "UCD Network Researcher Combatting 'Ecosystem of Connected Threats'"

A new variant of the credential-stealing Zaraza malware has been collecting web browser login credentials from Google Chrome, Microsoft Edge, Opera, and Brave. Researchers warn that the threat actors behind the malware are using Telegram servers as their command-and-control (C2) platform to shuffle through stolen bank login information and cryptocurrency. According to Uptycs, Telegram is also used to distribute and promote the Zaraza malware. Researchers suspect that the campaign's operators are tied to Russia. Adversaries using the Zaraza bot have targeted almost 40 web browsers. Apple's Safari and Mozilla Foundation's Firefox browsers are absent from the list of browsers. The initial path or approach used by adversaries to infect targeted systems was not included in Uptycs' analysis. The Zaraza bot seems to be part of a larger criminal organization, with threat actors being able to purchase access to it through a centralized malware distributor. The adoption of Telegram as a C2 by threat actors is a continuing trend. According to Uptycs, attackers are attracted to Telegram because it allows them to deliver malware and move data while avoiding detection. This article continues to discuss researchers' findings regarding the new variant of the Zaraza malware.

SC Media reports "Chrome, Edge Browsers Targeted in Zaraza Bot Malware Attacks"

The COVID-19 pandemic increased the use of Internet of Things (IoT) devices for telehealth purposes. However, using smart speakers to share sensitive personal health information for telehealth purposes may pose a cybersecurity and privacy risk, which the government is attempting to address, according to a notice recently filed in the Federal Register. As part of the National Cybersecurity Center of Excellence (NCCoE) project addressing this issue, the National Institute of Standards and Technology (NIST) is seeking comments and solutions to help them in mitigating cybersecurity risks in telehealth smart home integration. Since consumers are using their own commercial devices and integrating them into a health delivery organization's telehealth solution, these organizations may struggle to identify and address cybersecurity risks because they do not have control over these products. While the user experience may be improved, practitioners could face challenges in deploying mitigating controls that limit cybersecurity and privacy risk because devices may use proprietary or purpose-built operating systems that do not allow engineers to add protective software, according to the NCCoE project. The NCCoE project plans to provide a reference architecture that uses the NIST Risk Management Framework, NIST Cybersecurity Framework, and NIST Privacy Framework to identify cybersecurity and privacy risks and solutions. The project will create a model that mimics patients using smart speakers for telehealth purposes to detect and mitigate the associated cybersecurity and privacy issues. This article continues to discuss NIST looking for providers to help address the cybersecurity and privacy vulnerabilities in the telehealth ecosystem.

GCN reports "NIST Wants to Mitigate Smart Home Telehealth Cybersecurity Risks"

Researchers have discovered a new QBot malware campaign using compromised business communications to trick victims into installing the malware. Since April 4, 2023, the most recent activity has primarily targeted users in Germany, Argentina, Italy, Algeria, Spain, the US, Russia, France, the UK, and Morocco. Since at least 2007, the banking Trojan known as QBot, also known as Qakbot or Pinkslipbot, has been in operation. In addition to stealing credentials and cookies from web browsers, it serves as a backdoor for introducing ransomware or other next-stage payloads such as Cobalt Strike. Anti-VM, anti-debugging, and anti-sandbox techniques have been added to the malware to evade detection. According to Check Point, it was also the most pervasive malware in March 2023. According to researchers, early distribution methods for QBot included infected websites and pirated software. The banker is now distributed to potential victims via pre-installed malware, social engineering, and phishing emails. This article continues to discuss the new QBot malware campaign.

CyberIntelMag reports "Business Emails Hijacked by New QBot Banking Trojan Campaign For Distributing Malware"

Security researchers at Proofpoint have warned of a 12-fold increase in reporting of so-called "conversational scams" like pig butchering last year, making them the fastest growing threat to mobile users in 2022. The researchers stated that such scams typically require a much longer lead time than phishing or malware delivery. The threat actor may initially approach their target on social media or a dating site and then look to build rapport over the weeks that follow, exchanging harmless-seeming messages. However, the real goal for the fraudster is to make off with their victim's information, money, or credentials. The researchers noted that often the victim will be lured into investing in a fake cryptocurrency scheme. According to the FBI, this kind of pig butchering scam was responsible for driving a surge in investment fraud last year that exceeded $3.3bn in losses. The researchers noted in addition to financial losses, these attacks also extract a significant human cost. Pig butchering and romance scams both involve an emotional investment on the part of the victim. Trust is earned and then abused, which can prompt feelings of shame and embarrassment alongside the real-world consequence of losing money. The researchers stated that the release of tools like ChatGPT, Bing Chat, and Google Bard heralds the arrival of a new kind of chatbot capable of understanding context, displaying reasoning, and even attempting persuasion. Looking further ahead, AI bots trained to understand complex tax codes and investment vehicles could be used to defraud even the most sophisticated victims. The researchers noted that if "coupled with image generation models capable of creating unique photos of real-seeming people, conversational threat actors could soon be using AI as a full-stack criminal accomplice, creating all the assets they need to ensnare and defraud victims."

Infosecurity reports: "Conversational Attacks Fastest Growing Mobile Threat"

Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS), Software-as-a-Service (SaaS), and Email-as-a-Service (EaaS) have unique security considerations. The US Homeland Security Department's Cybersecurity and Infrastructure Security Agency (CISA) has published the Trusted Internet Connections (TIC) 3.0 Cloud Use Case, which provides network and multi-boundary security guidance for agencies operating in cloud environments. The feedback garnered during the 2022 public comment period has been incorporated into the new version. The Cloud Use Case describes specific security patterns, applicable security capabilities, and telemetry requirements. This guidance also contains cloud-specific factors, including the shared services model and cloud security posture management principles defined in the Cloud Security Technical Reference Architecture. In addition, this use case is written from the perspective of cloud-hosted services as opposed to the consumer accessing these services. This article continues to discuss CISA's release of TIC 3.0 guidance documents.

CISA reports "Final Version of TIC Use Cases Covering Cloud Services"

MuddyWater, an Iranian threat actor, continues its time-tested practice of using legitimate remote administration tools to seize control of targeted systems. While the nation-state group previously used ScreenConnect, RemoteUtilities, and Syncro, a new Group-IB analysis found the adversary's use of the SimpleHelp remote support software. Since at least 2017, MuddyWater has been believed to be a subordinate element of Iran's Ministry of Intelligence and Security (MOIS). Turkey, Pakistan, the United Arab Emirates, Iraq, Israel, Saudi Arabia, Jordan, the US, Azerbaijan, and Afghanistan are among the main targets. Nikita Rostovtsev, senior threat analyst at Group-IB, stated that MuddyWater uses the legitimate remote device control and management tool SimpleHelp to guarantee persistence on victim devices. SimpleHelp has not been compromised and is used as designed. The threat actors discovered a method for downloading the tool from the official website and deploying it in their attacks. The exact method used to distribute the SimpleHelp samples is currently unknown. However, the group is known to send spear-phishing emails containing malicious links from already compromised corporate email accounts. This article continues to discuss the use of SimpleHelp by MuddyWater.

THN reports "Iranian Hackers Using SimpleHelp Remote Support Software for Persistent Access"

According to Pindrop, the rise and adoption of Artificial Intelligence (AI), an impending recession, and the return of pre-pandemic fraud techniques are driving record rates of fraud attacks against consumers and businesses. States with restrictions on biometrics use are twice as likely to experience fraud. During periods of economic instability, fraud increases. In the fourth quarter of 2022, financial institutions experienced a 53 percent year-over-year increase in fraudulent activity. Fraudsters are taking advantage of data from the dark web and testing it in the Interactive Voice Response (IVR) to identify high-value accounts and attack those accounts together with other fraudsters. Retail has become one of the verticals with the highest incidence of fraud, with one in 347 calls to call centers supporting online retailers being fraudulent. This article continues to discuss key findings from Pindrop's Voice Intelligence and Security Report.

Help Net Security reports "Pre-Pandemic Techniques Are Fueling Record Fraud Rates"

UK-based photo editing, graphic design, and publishing software developer Affinity recently informed its forum members of a data breach that occurred on April 6. The company said a hacker gained access to forum user data after compromising an administrator's account. The adversary may have accessed information such as username, reputation, join date, post count, email addresses, and the last used IP address. The company noted that while most of the compromised information is already public, the email address and IP are not, and this type of information can be useful to malicious actors for targeted phishing attacks. It is unclear how many users had their data compromised, but the Affinity forum has nearly 175,000 members. The company said it's confident that user passwords were not compromised in the breach. The Affinity forum data breach has been reported to the UK Information Commissioner's Office (ICO), and steps have been taken to prevent such incidents in the future. It's unclear how the administrator account was compromised, but in many of these types of incidents, account hacking is possible because two-factor authentication has not been used.

SecurityWeek reports: "Creative Software Maker Affinity Informs Customers of Forum Breach"

Domino Backdoor is a new malware linked by security researchers to former members of the prolific Conti and FIN7 groups. It has been used to launch information-stealing malware, which involves the same techniques and source code as the infamous groups, indicating the formation of a new and dangerous alliance. IBM Security X-Force found Domino in the fall of 2022 and raised the alarm when an attack in February 2023 linked the new malware to former members of the Conti. Domino Backdoor is a 64-bit Dynamic-Link Library (DLL) with an undiscovered backdoor capable of delivering additional malicious payloads to infected systems. Once executed on a system, the malware determines the victim's username and hostname, uses this information to generate a hash, and then adds its own process ID. It then decrypts its configuration block, which contains two IP addresses for its command-and-control (C2) server and an RSA public key. The program then generates a random 32-byte key that is encrypted using the RSA key. Then it contacts its C2 using one IP address if the infected system is connected to a domain and the other IP address if it is not, and begins to harvest and encrypt core system data. It was observed decrypting and deploying its own payload using AES-256-CBC in a lab environment. Domino Backdoor and Domino Loader were discovered sharing code with Lizar, a malware with ties to the FIN7 cybercrime group, and using C2 addresses similar to those employed by FIN7 for its SSH-key-based backdoors. In addition, Domino Backdoor samples from December 2022 were discovered using the NewWorldOrder Loader, which FIN7 previously employed to install the Carbanak Backdoor malware. This article continues to discuss the new Domino Backdoor malware.

ITPro reports "New Domino Backdoor Malware Linked to Ex-Conti, FIN7 Criminals"

Palo Alto Networks Unit 42 found the Vice Society ransomware group exfiltrating data from a victim network using a custom-built Microsoft PowerShell script. Using this PowerShell tool, the threat actors are circumventing software and/or human-based security detection mechanisms. PowerShell scripting is commonly used in a typical Windows environment. A PowerShell-based tool can enable threat actors to hide in plain sight and execute their code while avoiding detection. Early in 2023, the researchers observed the gang exfiltrating data from a victim network using a script named w1.ps1. They were able to retrieve the script from the Windows Event Log (WEL). The PowerShell data exfiltration script created by Vice Society is a simple data exfiltration tool, with multi-processing and queuing used to prevent the script from consuming an excessive amount of system resources. The script focuses on files over 10 KB with file extensions and on directories on its "include list." According to researchers, the nature of PowerShell scripting in the Windows environment makes it difficult to completely prevent this type of threat. This article continues to discuss the Vice Society ransomware operators using a PowerShell tool to exfiltrate data from compromised networks.

Security Affairs reports "Vice Society Gang Is Using a Custom PowerShell Tool for Data Exfiltration"

It is important to protect social media users from harassment and bullying while also taking steps to protect their privacy. A team of researchers from four leading universities has proposed using Machine Learning (ML) technology to identify potentially risky conversations on Instagram without eavesdropping on them. The discovery could provide platforms and parents with the ability to protect vulnerable, younger users while maintaining their privacy. The team led by researchers from Drexel University, Boston University, Georgia Institute of Technology, and Vanderbilt University recently published their work on investigating what type of data input, such as metadata, text, and image features, could be most useful for ML models to identify risky conversations. Their findings suggest that risky conversations can be identified based on metadata characteristics, such as conversation length and participant engagement. Afsaneh Razi, Ph.D., an assistant professor in Drexel's College of Computing and Informatics and co-author of the study, stated that the prevalence of harassment, abuse, and bullying by malicious users is very concerning, considering Instagram's popularity among young people. Instagram makes its users feel safe enough to connect with others very openly. After the Cambridge Analytica scandal and the European Union's precedent-setting privacy protection regulations, platforms are under increasing pressure to protect their users' privacy. Therefore, Meta, the company behind Facebook and Instagram, is implementing end-to-end encryption for all platform messages, indicating that the message content is technologically protected and can only be accessed by those involved in the conversation. However, this increased degree of security makes it more difficult for platforms to use automated technology to detect and prevent online threats, which is why the team's system could play a crucial role in protecting users. This article continues to discuss the system developed to use ML to help flag risky messages on Instagram while preserving users' privacy.

Drexel University reports "Machine Learning Can Help to Flag Risky Messages on Instagram While Preserving Users' Privacy"

OpDefender, a technology created at Idaho National Laboratory (INL) for the US Department of Homeland Security (DHS), is founded on the principle of minimizing the attack surface as much as possible. Operational control technology exists at all levels of the nation's critical infrastructure, switching breakers at substations, opening floodgates at dams, and opening and closing valves in oil refineries and water treatment facilities. If left unprotected, Industrial Control Systems (ICS) are so vulnerable that anyone with basic programming skills can shut down a substation, leaving thousands of people in the dark. OpDefender operates on the premise that no device on a network of control systems can be trusted. It includes network switches that analyze and filter network packets in real-time, enabling operators to implement "whitelisting" rules. Its human-machine interface prevents any device from communicating with a network until an administrator has configured it. By default, an alarm sounds when a network receives data from a device that has not been whitelisted. OpDefender's proprietary software enables it to function as a "smart" switch, differentiating between routine and suspicious communications. When suspicious communication is detected, the system quarantines the packet and notifies a human operator. The operator then controls which commands reach the ICS via a simple interface. OpDefender, unlike detection systems that require span ports and big data analysis, analyzes packets in real-time and only flags violations. This article continues to discuss the capabilities, development, testing, and support of the OpDefender technology.

Idaho National Laboratory reports "Making a Smaller Target for Hackers: Technology Keeps Industrial Control Systems Safer by Limiting Online Access"

The US Cybersecurity and Infrastructure Security Agency (CISA) recently added CVE-2023-20963 to its Known Exploited Vulnerabilities Catalog. CISA has given the government until May 4 to patch the zero-day vulnerability, which was allegedly exploited by an e-commerce app to eavesdrop on users. The high severity vulnerability was patched by Google last month after the firm said it may be under "limited, targeted exploitation." CISA stated that Android Framework contains an unspecified vulnerability that allows for privilege escalation after updating an app to a higher Target SDK with no additional execution privileges needed. Mobile security company Lookout confirmed late last month that the vulnerability, which has a CVSS score of 7.8, was being exploited by malicious versions of the Pinduoduo Android app. At least two versions of the popular Chinese e-commerce app available from third-party app stores were to blame. With over 750 million monthly active users, Pinduoduo is one of the world's most popular destinations for online shopping. The firm has denied its software is malicious, even though the two apps analyzed by researchers were apparently signed with an official key. The Pinduoduo app has been temporarily pulled from the official Play store, but most Chinese consumers rely on third-party app stores to source their Android downloads. Although the CISA catalog of known vulnerabilities is designed to force federal government agencies to improve patching processes, it is also strongly recommended that private enterprises use the same tool to help prioritize their efforts in this area.

Infosecurity reports: "CISA: Patch Bug Exploited by Chinese E-commerce App"

Russia's cyber capabilities are not to be underestimated, but NATO neighbors are more than capable of defending themselves against the Kremlin, according to the Lithuanian cyber chief. Constant cyberattacks from Russia are launched against the nations that border Moscow's empire. Everything is on the agenda, from ransomware attacks to attack attempts against critical infrastructure. As demonstrated by the war in Ukraine, military operations are often accompanied by cyber operations, prompting NATO and EU members such as Lithuania to develop tools and methods to defend against numerous and better-resourced adversaries. Liudas Alisauskas, the head of Lithuania's National Cyber Security Centre (NCSC), believes that one way to meet the challenge is by fostering local talent and forming partnerships with the most skilled hackers. Cybernews sat down with Alisauskas to discuss how the frontline NATO member defends against Moscow's hackers, whether Russia can still be considered a significant power after a year of disastrous warfare, and the impact of attacks launched by pro-Russian hacktivists such as Killnet. This article continues to discuss NATO members' defense against Moscow's hackers.

Cybernews reports "Genius Hackers Help Russia's Neighbors Thwart Cyber Incursions"

A Chinese nation-state group targeted an unnamed Taiwanese media organization to deliver Google Command and Control (GC2), an open-source red teaming tool, as part of a broader exploitation of Google's infrastructure for malicious purposes. Google's Threat Analysis Group (TAG) attributed the campaign to a threat actor it monitors as HOODOO, also known as APT41, Barium, Bronze Atlas, Wicked Panda, and Winnti. The attack begins with a phishing email containing links to a password-protected file hosted on Google Drive, which incorporates the GC2 tool to read commands from Google Sheets and exfiltrate data via the cloud storage service. After installation on a victim's computer, the malware queries Google Sheets for commands. In addition to exfiltration via Drive, GC2 allows the download of other files from Drive onto the victim system. Google reported that the same malware was previously used to target an Italian job search website in July 2022. The development is noteworthy because it suggests that Chinese threat actors are increasingly relying on publicly accessible tools, such as Cobalt Strike and GC2, to obfuscate attribution efforts. It also indicates that malware and tools written in the Go programming language are gaining popularity due to its cross-platform compatibility and modularity. This article continues to discuss APT41's use of GC2 and other findings surrounding the threat actor.

THN reports "Google Uncovers APT41's Use of Open Source GC2 Tool to Target Media and Job Sites"

Extended Internet of Things devices (xIoT) are attractive to cyberattackers aiming to move laterally within enterprise networks and establish persistence. Such devices have everything the bad guys need to gain a foothold as xIoT devices are significantly under-secured, present in large numbers, present in sensitive network areas, and are typically not well monitored. Brian Contos, a security researcher and strategist, explains that xIoT devices typically fall into three device categories that have all proliferated in business environments. The first category consists of enterprise IoT devices, such as cameras, printers, IP phones, and door locks. The second category consists of Operational Technology (OT) devices, such as industrial robots, valve controllers, and other digital equipment used to regulate physics in industrial settings. General network devices, such as switches, network-attached storage, and gateway routers, are the third and often the least-remembered category. Contos has explored how these devices can be used to launch massive attacks against enterprise resources, as well as what security strategists should do to mitigate the threat. This article continues to discuss the use of xIoT devices by attackers to establish persistence across networks and what enterprises should start doing about the risk.

Dark Reading reports "Why xIoT Devices Are Cyberattackers' Gateway Drug for Lateral Movement"

The Coastal Virginia Center for Cybersecurity Innovation (COVA CCI), the Commonwealth Cyber Initiative (CCI) node for southeastern Virginia, has awarded $581,100 to seven maritime industry-focused cybersecurity research projects. Old Dominion University, Christopher Newport University, and the College of William and Mary submitted proposals in response to the COVA CCI request for proposals titled "Addressing Cybersecurity Compliance Challenges to Technology Adoption for the Maritime Industry." Researchers were asked to collaborate with maritime industry partners to resolve barriers to technology adoption resulting from or related to cybersecurity compliance issues. The projects seek to eliminate or mitigate cybersecurity obstacles to adopting new technologies such as cloud computing, 5G connectivity, and Machine Learning (ML). The projects include "Applying Risk Assessment Methodology to Produce Cyber-Hardened 5G Communication Capabilities for Autonomous Maritime Platforms," "Machine Learning-Enabled Dependency Network Analysis for Quantifying Risks and Ripple Effects Stemming from Cybersecurity Non-Compliance Issues," "Spotlighting and Mitigating Cyber Attacks in Artificial-Intelligence-of-Things (AIoT)-Enabled Maritime Transportation Systems," and more. This article continues to discuss the awarded projects aimed at addressing maritime cybersecurity needs.

Old Dominion University reports "ODU Researchers Receive Grants to Address Maritime Cybersecurity Needs"

Passwords may soon become obsolete. However, the need for authentication and secure website access remains as strong as ever. Passkeys are digital credentials that are stored on a user's mobile device or computer. They are similar to actual keys. Access to a passkey is gained by logging into a device with a Personal Identification Number (PIN), a swipe pattern, or biometrics such as fingerprint or facial recognition. A user configures their online accounts to trust their computer or phone. In order to access accounts, a hacker would need physical access to the user's device and the ability to login in. Sayonnha Mandal, lecturer in interdisciplinary informatics and cybersecurity researcher at the University of Nebraska, believes that passkeys provide quicker, simpler, and more secure sign-ins and reduce human error in password security and authorization procedures. Passkeys eliminate the need to remember passwords and eliminate the need for two-factor authentication (2FA). Passkeys are created through public-key cryptography. They use a public-private key pair to guarantee a mathematically protected private relationship between the user's device and the online account being accessed. Since it would be almost impossible for a hacker to guess the passkey, the device from which the passkey is accessed must be physically at hand. This article continues to discuss Mandal's insights on how passkeys work and why they matter.

The Conversation reports "What Are Passkeys? A Cybersecurity Researcher Explains How You Can Use Your Phone to Make Passwords a Thing of the Past"

Louisiana State University (LSU) and the US Secret Service (USSS) have a formal agreement for the development of cyber technology and cyber talent, as well as for state and national security. The Memorandum of Understanding (MOU) strengthens interactions and collaborations between the agency and the university in research, talent, and outreach. LSU and the USSS have agreed to advance cyber-physical system security and forensics knowledge, operational processes, and tools through collaboration. The partnership will provide LSU faculty and students with the opportunity to gain insight into and work on pertinent, real-world law enforcement and protective services challenges, as well as increase the Secret Service's access to LSU's talented students and nationally renowned cybersecurity expertise. The partnership will drive agency-specific research projects, connect students with agents directly, defend vulnerable Louisiana residents from cyberattacks, and more. This article continues to discuss the partnership between LSU and the USSS aimed at addressing cyber challenges.

Louisiana State University reports "LSU and US Secret Service Partner to Address Cyber Challenges for Louisiana, Nation"

According to the Identity Theft Resource Center (ITRC), the volume of US data breaches fell in Q1 2023, but the number of notices with no actionable information contained within grew by 20% from the previous quarter. The ITRC is a non-profit that tracks publicly reported data breaches and leaks in the US and has been dismayed by the growing reluctance of breached firms to share important information about incidents. The ITRC argued that this means that those impacted can't make accurate assessments about the risk of data compromise and what actions they should take following a breach involving their data. The number of data breaches with no actionable information about the root cause of the compromise grew from just five in Q1 2021 to 155 a year later and 187 in Q1 2023. Eva Velasquez, president, and CEO of the ITRC stated that it is troubling to see the trend of a lack of actionable information in data breaches continue from 2022. Velasquez said that among the top ten breaches they saw in Q1, 60% did not include information about the root cause of the event, compared to 40% in Q4 2022. This means individuals and businesses remain at a higher risk of cyberattacks and data compromises. Last year, the ITRC claimed that only a third (34%) of breach notices included both victim and attack details, the lowest figure in five years and a 50% decline from 2019. The total number of reported breaches declined 13% from the previous quarter to 445 for the first three months of 2023. The number of victims decreased by 65% to 89 million. The ITRC noted that healthcare topped the list of most breached sectors for the third consecutive quarter, followed close behind by financial services. Incidents in the manufacturing and utilities, technology, healthcare, and transportation sectors impacted the most people. Velasquez claimed that the number of victims and compromises usually falls in Q1 each year.

Infosecurity reports: "Volume of Opaque Breach Notices Surges in Q1"

Alex Polyakov, CEO of the security company Adversa, only needed a couple of hours to break GPT-4. In March, when OpenAI released the latest version of its text-generating Artificial Intelligence (AI)-driven chatbot, Polyakov started entering prompts into the chatbot designed to circumvent OpenAI's safety systems. He eventually had GPT-4 making inappropriate remarks, writing phishing emails, and supporting violence. Polyakov is among a handful of security researchers, technologists, and computer scientists who are devising jailbreaks and prompt injection attacks against ChatGPT and other generative AI systems. The jailbreaking process seeks to create prompts that enable the chatbots to bypass restrictions on producing hateful content or writing about illegal acts. Prompt injection attacks can covertly insert malicious data or instructions into AI models. The attacks are a form of hacking that exploits system vulnerabilities with carefully crafted and refined sentences rather than code. Although the attack types are primarily used to circumvent content filters, security researchers warn that the rush to deploy generative AI systems increases the risk of cybercriminals stealing data and wreaking havoc on the web. Polyakov has developed a "universal" jailbreak that is effective against multiple Large Language Models (LLMs), such as GPT-4, Microsoft's Bing chat system, Google's Bard, and Anthropic's Claude. This article continues to discuss security researchers' work on jailbreaking LLMs to demonstrate the avoidance of safety rules.

Wired reports "The Hacking of ChatGPT Is Just Getting Started"

Cybersecurity company Darktrace issued a statement recently after it was named on the leak website of the LockBit ransomware group. In the statement, the company noted that the cybercriminal gang was claiming that they had compromised Darktrace's internal security systems and had accessed their data. The company stated that its security teams had run a full review of their internal systems and could see no evidence of compromise. Darktrace noted that they would continue to monitor the situation extremely closely, but based on their current investigations, they are confident that their systems remain secure and all customer data is fully protected. On LockBit's leak website, the post suggested that data was stolen from Darktrace and that the cybercriminals were asking for a $1 million ransom. The fake data on the LockBit site was apparently test data posted by the hackers while doing maintenance. A recent Twitter post from Singapore-based threat intelligence firm DarkTracer, which is unrelated to Darktrace, read, "The reliability of the RaaS service operated by LockBit ransomware gang seems to have declined." The cybercriminals were not happy with DarkTracer's allegations but confused it with UK-based Darktrace and published a post suggesting that they had hacked Darktrace. These types of mistakes are not uncommon for ransomware groups. It's worth noting that there is also no evidence that LockBit targeted DarkTracer either. LockBit has also been known to make false claims when it comes to cybersecurity companies.

SecurityWeek reports: "Darktrace Denies Getting Hacked After Ransomware Group Names Company on Leak Site"

European police have recently arrested five individuals in an attempt to bust a criminal network believed to have made $98m from tens of thousands of victims through investment fraud. According to Europol, some 33 German law enforcers teamed up with their peers in Bulgaria, Romania, Georgia, and Israel to search 15 locations, including five illegal call centers. Europol noted that the two action days in March were a follow-up to operations undertaken against the same criminal gang in 2021 and enabled police to glean new evidence that revealed a much larger cost to victims than the 15m euros first estimated. Europol stated that the fraudsters lured potential victims through legitimate-looking website advertising and social media, encouraging them to make small initial investments of between 200-250 euros. Contact center workers then called the individuals, tricking them with fake "graphics" showing the purportedly large profits they'd already made and promising even bigger returns if they invested more. Europol claimed that persistently low interest rates at the time of the scheme (2019-21) made the high-risk investments more attractive to the victims. In reality, their funds went straight to the gang members' bank accounts. In the latest crackdown, police seized high-value assets, including luxury watches, electronic equipment, cash, bitcoins, bank cards, and various documents. An estimated 33,000 victims lost money to the gang. Investment fraud cost victims an estimated $3.3bn in 2022, making it the highest-grossing cybercrime category that year.

Infosecurity reports: "Five Arrests in Crackdown on $98m Investment Fraud Gang"