News Items

An updated version of the botnet malware KmsdBot is now targeting Internet of Things (IoT) devices, simultaneously expanding its attack surface and capabilities. Akamai security researcher Larry W. Cashdollar noted that the binary now supports Telnet scanning and more CPU architectures. The most recent variant, which has been observed since July 16, 2023, arrives months after it was discovered that the botnet is being offered as a Distributed Denial-of-Service (DDoS)-for-hire service to other threat actors. Its effectiveness in real-world attacks is suggested by the fact that it is actively maintained. First documented in November 2022, KmsdBot is mainly designed to target private gaming servers and cloud hosting providers. However, it has since set its sights on some Romanian government and Spanish educational sites. This article continues to discuss the updated version of the KmsdBot botnet malware.

THN reports "KmsdBot Malware Gets an Upgrade: Now Targets IoT Devices with Enhanced Capabilities"

PurFoods, which conducts business in the US as 'Mom's Meals,' has issued a data breach warning after ransomware compromised the personal information of 1.2 million customers and employees. Mom's Meals is a medical meal delivery service for individuals eligible for government assistance through the Medicaid and Older Americans Act programs, as well as self-paying customers. The company warns that it discovered suspicious activity on its networks on February 22, 2023, when ransomware encrypted files on its systems. July 10, 2023, concluded a more in-depth investigation that confirmed hackers had accessed payment card information, Medicare identification, health information, and more. This article continues to discuss the Mom's Meals data breach.

Bleeping Computer reports "Mom's Meals Discloses Data Breach Impacting 1.2 Million People"

Three bankrupt cryptocurrency companies, FTX, BlockFi, and Genesis, have suffered data breaches following a SIM swapping attack that targeted risk and financial advisory firm Kroll. Kroll stated that it had learned on August 19 that a threat actor had used SIM swapping to transfer an employee's T-Mobile phone number to a SIM card controlled by the attacker. As a result of the attack, which Kroll described as "highly sophisticated," the hacker was able to use the targeted employee's hijacked phone number to access systems storing files that contained personal information of bankruptcy claimants in the cases of FTX, BlockFi, and Genesis. Kroll said it immediately took action to secure the three customers' accounts and notified impacted individuals via email. In notifications sent out to customers, FTX said the attacker gained access to files storing information such as name, address, email address, and FTX account balance. The company noted that Kroll does not store FTX account passwords, and FTX systems or digital assets are not affected. Shortly after Kroll and the cryptocurrency companies started notifying customers, FTX users reported getting phishing emails claiming they were eligible to start withdrawing funds from their FTX account. Genesis also told customers that their name, address, email address, and claim against Genesis debtors were compromised as a result of the Kroll hack and warned that the information could be leveraged for phishing emails and other scams. BlockFi has also issued a statement warning customers about a likely uptick in phishing attempts and spam phone calls due to this incident.

SecurityWeek reports: "3 Cryptocurrency Firms Suffer Data Breach After Kroll SIM Swapping Attack"

Artificial Intelligence (AI)-based Large Language Models (LLMs) that drive chatbots such as ChatGPT could pose security risks if exploited by malicious actors. For example, an LLM can be tricked into generating malicious content, an activity known as prompt hacking. The misuse of LLMs is likely to increase, which is one security risk being explored by Turing's Centre for Emerging Technology and Security (CETaS). CETaS aims to help policymakers understand the risks and opportunities presented by AI and other emerging technologies, as well as respond accordingly. Other risks posed by AI include its potential to bolster the cyber offensive capabilities of adversaries and exacerbate disinformation. Policies must strike a balance between mitigating security risks and maximizing the societal benefits of these technologies. AI provides the security community opportunities to address emerging security risks more effectively by enhancing cyber defensive capabilities, automating software development for use within the intelligence and national security community, and more. The approach at CETaS is multidisciplinary and based on evidence, as policymakers require reliable recommendations informed by various perspectives. This article continues to discuss the efforts of Turing's CETaS to help policymakers navigate the security challenges AI creates.

The Alan Turing Institute reports "Helping Policy Makers to Navigate the National Security Challenges Created by AI"

For millions of Chinese people, the first software they install on a new laptop or smartphone is a keyboard app. However, only some know this may make the text they type vulnerable to eavesdropping. The standard QWERTY keyboard by itself is inefficient since dozens of Chinese characters can share the same latinized phonetic spelling. A localized keyboard app can save time and frustration by predicting the characters and words a user wants to type. About 800 million Chinese people use third-party keyboard apps on different devices. A recent report by the Citizen Lab, a technology and security research group affiliated with the University of Toronto, revealed that Sogou, one of the most popular Chinese keyboard apps, had a significant security flaw. According to the researchers, Sogou's encryption system could be exploited to intercept and decrypt what users were typing in real-time. This article continues to discuss findings regarding the keyboard software putting hundreds of millions of Chinese users at risk.

MIT Technology Review reports "How Ubiquitous Keyboard Software Puts Hundreds of Millions of Chinese Users at Risk"

Discord has recently started reaching out to users affected by a data breach disclosed earlier this year to let them know what Personal Identifying Information (PII) was exposed in the incident. Discord noted that the breach stemmed from a security breach at a third-party service provider detected on March 29, involving the compromise of an account belonging to a customer support agent. This incident was subsequently disclosed on May 12 through emails sent to potentially affected individuals. Discord noted that the attackers gained access to the agent's support ticket queue, user email addresses, messages they exchanged with Discord support, and support ticket attachments.

BleepingComputer reports: "Discord Starts Notifying Users Affected by March Data Breach"

The Rhysida ransomware group has claimed responsibility for the early August ransomware attack on California-based Prospect Medical Holdings (PMH), a multi-state conglomerate with more than a dozen hospitals and over 150 outpatient facilities. In addition to recently listing PMH as a victim on their dark leak site, the threat actor organized a live auction to sell more than two terabytes of data allegedly stolen from the attack. According to a warning bulletin issued by the US Department of Health and Human Services (HHS), Rhysida is new to the realm of ransomware. Rhysida is suspected of being connected to the Vice Society ransomware gang known for targeting the education sector, mainly in the US, Canada, and the UK. This article continues to discuss the Rhysida ransomware group claiming responsibility for the recent multi-hospital attack and observations surrounding the threat actor.

Cybernews reports "Multi-Hospital Ransom Attack in US Claimed by Rhysida Gang"

Google recently introduced new AI-powered security controls for its Workspace customers, targeting zero trust, digital sovereignty, and threat defense. Google stated that the new AI-powered zero trust capabilities are meant to provide organizations with more granular control over how data is accessed and used. Google noted that to ensure data protection and prevent inappropriate sharing of data in Google Drive, Google AI can now be used to automatically and continuously classify and label new and existing files and then apply necessary controls based on the organization's security policies. Later this year, Gmail will receive enhanced DLP controls to improve control over the sharing of sensitive information, both inside and outside the organization. Google also announced new digital sovereignty controls to help prevent unauthorized access to sensitive data, storing encryption keys, selecting where data is processed, and limiting Google support access. To prevent third-party access to sensitive data, Google is introducing new client-side encryption (CSE) improvements, such as generally available support of mobile apps in Google Calendar, Gmail, and Meet, or the ability to view, edit, or convert Excel files. To improve protections against account takeover, later this year, the internet giant will make two-step verification (2SV) mandatory for select administrator accounts of resellers and largest enterprise customers and will enable multi-party approval for sensitive administrator actions. Google also announced the availability of automated protections for sensitive actions in Gmail, including filtering and forwarding and the ability to export Workspace logs into Chronicle.

SecurityWeek reports: "Google Workspace Introduces New AI-Powered Security Controls"

A China-based hacking group has been linked to cyberattacks on dozens of Taiwanese organizations as part of a suspected espionage campaign. The Microsoft Threat Intelligence team tracks the activities under the name Flax Typhoon, also known as Ethereal Panda. According to the company, Flax Typhoon operates with minimal use of malware and relies on tools built into the operating system to quietly remain in victims' networks. Microsoft has not observed the group use the access for data collection and exfiltration. Taiwan's government agencies, educational institutions, critical manufacturing, and Information Technology (IT) companies account for most targets. The group is believed to have been operating since mid-2021. This article continues to discuss findings and observations regarding Flax Typhoon.

THN reports "China-Linked Flax Typhoon Cyber Espionage Targets Taiwan's Key Sectors"

Cybersecurity insurance is a rapidly developing market, expected to rise from around $13 billion in 2022 to $84 billion in 2030. However, insurers have difficulty quantifying the possible risks of this type of insurance. Traditional actuary models do not work well in an environment where highly driven, creative, and sophisticated attackers dynamically pursue activities resulting in insurable events. Accurate loss estimation is critical for establishing customer premiums, but even after two decades, insurers' loss ratios vary significantly. Underwriting processes must be more robust to estimate losses and price reasonable premiums accurately. This article continues to discuss cybersecurity insurance challenges and the next generation of this type of insurance.

Help Net Security reports "Cybersecurity Insurance Is Missing the Risk"

Malicious non-state actors are using Artificial Intelligence (AI) to amplify their malicious activities. Since the release of OpenAI's ChatGPT last year, there has been much discussion on the dark web about methods involving this technology. Dark web users have shared tips on jailbreaking the technology to evade safety and ethical limitations and use it for more sophisticated malicious activity. A new generation of AI-powered tools and applications has emerged that aim to satisfy cybercriminals' needs. On July 13, the first of these tools, WormGPT, surfaced on the dark web. WormGPT is based on the open-source GPT-J Large Language Model (LLM) developed in 2021. It is marketed as a 'blackhat' alternative to ChatGPT with no ethical limits. Allegedly trained on malware data, its primary applications are to generate advanced phishing and business email attacks, as well as to write malicious code. FraudGPT first appeared for sale on the dark web on July 22, following WormGPT's release. Based on GPT-3 technology, FraudGPT is advertised as an advanced bot for offensive purposes. Its uses include creating undetectable malware, developing hacking tools, discovering security flaws, and more. This article continues to discuss new malicious AI tools.

The Australian Strategic Policy Institute reports "Malicious AI Arrives on the Dark Web"

Organizations are increasingly implementing biometrics to streamline and expedite authentication. However, Stuart Wells, CTO of the biometrics authentication company Jumio, identifies potential threats and methods fraudsters may use to circumvent facial recognition. Europol has predicted that by 2026, as much as 90 percent of online content could be artificially generated, making it more difficult for organizations to determine the true identities of individuals. According to Wells, fraudsters can use a "camera injection" technique to inject deepfake videos into the system and deceive biometric and liveness detection tools. This technique involves bypassing a camera's Charged-Coupled Device (CCD) to inject pre-recorded content, a real-time face swap video feed, or entirely fabricated content using deepfake technology. If attackers use camera injection, they can remain undetected without victims being aware of the hack. If malicious actors can evade the verification, they can cause significant damage by stealing identities, creating fake accounts, and more. This article continues to discuss the use of deepfake videos and camera injection attacks by fraudsters.

Cybernews reports "Fraudsters Can Bypass Biometric Facial Recognition"

The University of Minnesota has recently confirmed that a threat actor has exfiltrated data from its systems but says no malware infection was identified. The confirmation comes one month after a threat actor boasted about accessing the university's database containing information about students, staff, and faculty. The adversary claimed to have accessed 7 million unique Social Security numbers, as the database contained records the university has been digitizing since 1989. The university claimed that it initially learned about the hacker's claims on July 21 and immediately launched an investigation to verify the validity of the attacker's claims. The university stated that the preliminary assessment is that the data at issue is from 2021 and earlier. The university also said that scans it has performed revealed no ongoing activity related to the incident, and there were no system disruptions. The university noted that its investigation is continuing, but its security professionals have not detected any system malware (including ransomware), encrypted files, or fraudulent emails related to the incident. There have been no known disruptions to current university operations as a result of this data security incident. The educational institution did not say what type of personal information was accessed in the data breach and did not confirm the number of impacted individuals. However, it did say that it would inform all affected parties if it determines that sensitive information might have been compromised.

SecurityWeek reports: "University of Minnesota Confirms Data Breach, Says Ransomware Not Involved"

Data from 2.6 million users of Duolingo, a language learning platform with over 74 million monthly users, was leaked on a hacking forum. The compromised data, which includes real names, login names, email addresses, and internal service-related details, was initially offered for sale on the now defunct Breached hacking forum in January 2023 for $1500. Duolingo stated that these records were obtained by data scraping public profile information and noted that they have no indication that their systems were compromised. According to security researchers, the breach reportedly originated from an exposed application programming interface (API), discovered in March 2023, that enables the retrieval of user profile information. This API inadvertently permitted unauthorized access to email addresses associated with Duolingo accounts. Despite the potential consequences of the breach, Duolingo has not commented on why the API remains accessible even after abuse was reported earlier in the year.

Infosecurity reports: "Data of 2.6 Million Duolingo Users Leaked on Hacking Forum"

A new operation motivated by financial gain involves a malicious Telegram bot to help threat actors scam their victims. The Telekopye toolkit automates creating a phishing website from a template and sending the URL to potential victims. According to ESET, this toolkit functions as a Telegram bot that, when activated, provides easy-to-navigate menus that can accommodate multiple scammers simultaneously. Evidence suggests that Russia is the toolkit's country of origin due to the use of Russian SMS templates. Multiple variants of Telekopye have been discovered to date, with the earliest dating back to 2015, indicating that it has been actively maintained and used for several years. This article continues to discuss researchers' findings and observations regarding Telekopye.

THN reports "New Telegram Bot 'Telekopye' Powering Large-scale Phishing Scams from Russia"

According to Strata Identity, the top security concern in multi-cloud environments is fragmented access policies, as more than 75 percent of enterprises reported not knowing where applications are deployed or who has access to them. Since last year, the percentage of organizations using a single cloud identity provider (IDP) has decreased from 30 percent to 20 percent. The remaining 80 percent are currently using multiple IDPs to manage enterprise identity. The top three cloud security concerns among enterprises are a lack of visibility into access policies (67 percent), identity-based threats (65 percent), and data privacy regulations (56 percent). This article continues to discuss key findings from Strata Identity regarding cloud security concerns and cloud identity systems.

Help Net Security reports "Lack of Visibility Into Cloud Access Policies Leaves Enterprises Flying Blind"

Vulnerabilities discovered by researchers at Tenable in Rockwell Automation's ThinManager ThinServer product could be exploited in attacks aimed at industrial control systems (ICS). The researchers found one critical and two high-severity vulnerabilities in ThinManager ThinServer, a thin client and RDP server management software offered by Rockwell. The flaws are tracked as CVE-2023-2914, CVE-2023-2915, and CVE-2023-2917. The researchers describe the security holes as improper input validation issues that can lead to integer overflow or path traversal. The researchers noted that remote attackers can exploit the flaws without prior authentication by sending specially crafted synchronization protocol messages. If the vulnerabilities were exploited, an adversary could cause a denial-of-service (DoS) condition, delete arbitrary files with system privileges, and upload arbitrary files to any folder on the drive where ThinServer.exe is installed. The researchers reported the vulnerabilities in May, and the researchers released technical details on August 17, the same day Rockwell Automation informed customers about the availability of patches.

SecurityWeek reports: "Rockwell ThinManager Vulnerabilities Could Expose Industrial HMIs to Attacks"

The French national employment agency, Pole emploi, has recently been hit by a cyberattack potentially exposing critical information of up to 10 million people. Several security researchers have linked the breach to the Clop ransomware gang's MOVEit campaign. The incident is thought to have exposed the names, employment statuses, and social security numbers of six million people who registered with the agency in February 2022 and four million who had been off the register for less than 12 months at the time of the cyberattack. Pole emploi said the security of its information system remains untouched, and welfare payments will continue. The organization also confirmed that the breach does not affect jobseekers' email addresses, phone numbers, passwords, or bank details. Investigations are currently ongoing.

Infosecurity reports: "Sensitive Data of 10 Million at Risk After French Employment Agency Breach"

The African economy is expected to grow significantly over the next five years. In order to promote financial inclusion with this growth, the continent's financial technologies and infrastructure must undergo security and resilience improvements. The CyLab-Africa initiative, a collaboration between Carnegie Mellon University's (CMU) CyLab Security and Privacy Institute and CMU Africa, seeks to strengthen the cybersecurity of financial systems in Africa and other emerging economies. Assane Gueye, associate teaching professor and co-director of CyLab-Africa, has identified five cybersecurity challenges that Africa must overcome. Cybersecurity is a global concern, but as Africa enters the digital world, the continent faces unique challenges. This article continues to discuss the five cybersecurity challenges unique to Africa.

Carnegie Mellon University Africa reports "Five Unique Cybersecurity Challenges in Africa"

The advancement of Artificial intelligence (AI) technology and the ease with which the general public can access it has given attackers powerful new capabilities to create more convincing phishing messages for victims. However, AI technology can also be used for good. Before phishing attacks can cause damage to organizations' finances and reputations, defenders are effectively detecting and preventing them. Traditional security solutions cannot completely stop phishing attacks, especially those involving the exploitation of zero-day vulnerabilities. Despite their success in reducing the number of phishing attacks that enable malicious actors to gain access to enterprise Information Technology (IT) environments, many phishing emails can still evade these solutions and reach end users' devices. To use Machine Learning (ML) algorithms to detect phishing attacks, they must be trained on a large dataset of normal (honest) and phishing (suspicious) emails to learn how to catch anomalies and identify common malicious patterns in phishing emails. There are three main ML techniques for detecting phishing emails: social graph analysis, employee communication profiling, and email structural analysis. This article continues to discuss phishing attacks and how ML algorithms are used to fight them.

Cybernews reports "Combating Phishing Attacks Using AI and Machine Learning Technologies"

Researchers at Check Point Research have recently released their 2023 Mid-Year Security Report. The research reveals a concerning 8% surge in global weekly cyberattacks during Q2, marking the most significant increase in two years. The researchers noted that USB devices have resurfaced as threats, employed by both state-affiliated groups and cybercriminals to distribute malware globally. Hacktivism is on the rise, with politically motivated groups conducting targeted attacks. The researchers stated that the misuse of AI has escalated, as attackers use generative AI tools for phishing emails, keystroke monitoring malware, and basic ransomware code. In the first half of 2023, over 2200 victims fell victim to 48 ransomware groups. Lockbit, with a 20% increase in victims compared to the previous year, led the pack. The researchers noted that emerging groups like Royal and Play appeared as Hive and Conti Ransomware-as-a-Service (RaaS) groups disbanded. Geographically, 45% of victims were in the US. The manufacturing and retail sectors were most affected, indicating a shift in ransomware strategy.

Infosecurity reports: "Artificial Intelligence and USBs Drive 8% Rise in Cyberattacks"

The cloud cybersecurity company Barracuda has published a new report on the evolution of the malicious use of Artificial Intelligence (AI), detailing how attackers use AI and how to prevent attacks. The company analyzed 905 billion events from customers' integrated network, cloud, email, endpoint, and server security tools between January and July 2023. Barracuda outlines the three most prevalent high-risk detections during the first half of 2023 in this report. AI was essential to both the detection and analysis of the data. While the data analysis showed how AI can be used to detect and prevent attacks, the report warns that AI can also be exploited for malicious purposes by attackers. The report notes that generative AI language tools can compose highly convincing emails appearing to be from a legitimate company, making it more difficult for individuals to determine whether an email is legitimate or an attempt at phishing, account takeover, or Business Email Compromise (BEC). This article continues to discuss findings from Barracuda regarding the use of AI by attackers and defenders.

SiliconANGLE reports "Barracuda Details How AI Is Being Used by Attackers and Defenders"

According to a new study conducted by researchers at the Identity Theft Resource Center (ITRC), 16% of American identity theft victims have had suicidal thoughts following their experiences, up from just 8% in 2020. During the study, the researchers conducted interviews with a random sample of victims who had contacted the ITRC in the past and 1048 general consumers. Identity crimes, in this case, mean identity fraud or theft. The researchers stated that the share of general consumers who have been victims of identity crimes multiple times stood at 69%, with first-time victims less common (41%). A quarter (26%) of victims claimed losses in excess of $100,000 from romance and social media scams and other threats. The researchers noted that, in some cases, consumers are defrauded through no fault of their own. A third (33%) of ITRC victims and nearly a quarter (23%) of general consumers have received between two and five data breach notices from companies they've done business with that have failed to safeguard their personal information. However, the researchers noted that poor personal security sometimes provides an open door for hackers and fraudsters. Only half (53%) of general consumers use multi-factor authentication (MFA), and a similar share (52%) have their mobile lock screen enabled. Some 59% say they share the same password across multiple accounts. The researchers also found that just 57% limit what they post online, and even fewer (48%) restrict who can see these posts. The researchers stated that "the fact that 16% of identity crime victims thought it's easier to end their lives than try to recover from an identity crime says as much about the lack of concern and support for identity crime victims as it does the victims themselves." The researchers argued that we need to fundamentally change the way we support identity crime victims to ensure no one feels ignored or dismissed the way they do today.

Infosecurity reports: "Doubling of Identity Theft Victims With Suicidal Thoughts"

A growing body of evidence suggests that the Akira ransomware uses Cisco Virtual Private Network (VPN) products as an attack vector to infiltrate corporate networks, steal data, and encrypt it. Akira ransomware is a relatively new ransomware operation that was launched in March 2023, with a Linux encryptor later being added to target VMware ESXi virtual machines. Cisco VPN solutions are widely used in various industries to provide secure, encrypted data transmission between users and corporate networks, typically for remote workers. According to researchers, Akira has been using compromised Cisco VPN accounts to infiltrate corporate networks without installing additional backdoors or persistence mechanisms that could lead to their identification. This article continues to discuss the Akira ransomware targeting Cisco VPN products.

Bleeping Computer reports "Akira Ransomware Targets Cisco VPNs to Breach Organizations"