News Items

Machine Learning (ML)-based frameworks remain highly vulnerable to adversarial attacks, which involve malicious data tampering that causes them to fail in unexpected ways, despite their successes and increased adoption. A study by researchers at the University of Melbourne suggests that quantum ML models may be more resistant to adversarial attacks launched through classical computers. Identifying and exploiting the features an ML model uses is how adversarial attacks function. However, the features used by generic quantum ML models are inaccessible to classical computers and, therefore, hidden from an adversary equipped with only classical computing resources. According to the researchers, these concepts could also be used to detect adversarial attacks by using both classical and quantum networks. This article continues to discuss the potential protection of Artificial Intelligence (AI) from attacks using quantum computing.

The University of Melbourne reports "Using Quantum Computing to Protect AI From Attack"

In May of this year, researchers at Indiana University Bloomington discovered a ChatGPT-powered botnet operating on X, formerly known as Twitter. The researchers named the botnet Fox8 due to its connection to cryptocurrency websites with variations of the same name. According to the researchers, it consisted of 1,140 accounts, many of which appeared to use ChatGPT to compose and respond to social media posts. The auto-generated content seemed designed to entice unsuspecting humans to click on links leading to cryptocurrency-hyping websites. The researchers discovered the botnet by searching the platform for the phrase "As an AI language model...", which ChatGPT sometimes uses in response to prompts on sensitive topics. Then they manually examined accounts to determine which ones appeared to be operated by bots. This article continues to discuss findings and observations regarding the ChatGPT-powered botnet.

Ars Technica reports "Crypto Botnet on X Is Powered by ChatGPT"

The Advanced Research Projects Agency for Health (ARPA-H), a division of the US Department of Health and Human Services (HHS), has announced the formation of the Digital Health Security (DIGIHEALS) project, which aims to protect the electronic infrastructure of the US healthcare system. ARPA-H is a funding agency supporting health and biomedical research. ARPA-H, established in 2022, funds research in various areas, focusing on solutions with the potential to advance areas of medicine and health that cannot be easily achieved through traditional research or commercial activity. The DIGIHEALS project is dedicated to developing technologies that ensure patients continue to receive care in the event of a widespread cyberattack against a medical facility. This article continues to discuss the DIGIHEALS project.

HealthITSecurity reports "HHS Launches Digital Health Security Project to Protect Healthcare Infrastructure"

According to security researchers at Lumen, a recent HiatusRAT campaign has been targeting a US military procurement system for reconnaissance. Initially observed at the beginning of the year, HiatusRAT has been targeting high-bandwidth routers typically used by medium-sized businesses, allowing attackers to run commands, exfiltrate data, and establish a covert proxy network. HiatusRAT has been active since at least June 2022, targeting organizations in Europe and Latin America, with at least 100 victims identified by March 2023. The researchers noted that following initial reporting on HiatusRAT, the threat actor changed tactics and, in attacks observed in June 2023, shifted focus to performing reconnaissance against a US military procurement system and to targeting Taiwan-based organizations. According to the researchers, the adversary continued the operation unhindered by the public exposure and recompiled their malware binaries for new architectures, including Arm, Intel 80386, and x86-64, hosting them on newly procured virtual private servers (VPSs). The researchers noted that one of these VPSs was used almost exclusively in attacks targeting Taiwanese entities, including a municipal government organization and various commercial firms, including semiconductor and chemical manufacturers. The researchers also identified a different VPS node being used to transfer data with a server that the US Department of Defense uses for contract proposals and submissions. The researchers noted that given that this website was associated with contract proposals, they suspect the threat actor could gather publicly available information about military requirements or search for organizations involved in the Defense Industrial Base (DIB).

SecurityWeek reports: "US Military Targeted in Recent HiatusRAT Attack"

Juniper Networks has patched four vulnerabilities, tracked as CVE-2023-36844, CVE-2023-36845, CVE-2023-36846, and CVE-2023-36847, in Junos OS that, if chained, could enable Remote Code Execution (RCE) on the company's SRX firewalls and EX switches. Junos OS is an operating system based on Linux and FreeBSD that runs on firewalls, network switches, and other security devices offered by Juniper Networks. J-Web, a Graphical User Interface (GUI), is the component affected by the vulnerabilities. It is used to manage devices running Junos. Juniper noted that an unauthenticated, network-based attacker could remotely execute code on the devices by chaining exploits of these vulnerabilities. This article continues to discuss the potential exploitation and impact of the Junos OS vulnerabilities.

Help Net Security reports "Juniper Networks Fixes Flaws Leading To RCE in Firewalls and Switches"

Researchers have discovered that an emerging China-backed Advanced Persistent Threat (APT) group dubbed Carderbee targeted Hong Kong organizations in a supply chain attack involving legitimate software to deploy the PlugX/Korplug backdoor. The Symantec Threat Hunter Team disclosed that Carderbee used a compromised version of Cobra DocGuard, an application for protecting, encrypting, and decrypting software developed by the Chinese company EsafeNet, to get access to victims' networks. During the attack, the group used its PlugX installer malware signed with another legitimate entity, a Microsoft certificate. This article continues to discuss the Carderbee APT group targeting organizations in Hong Kong in a supply chain attack.

Dark Reading reports "Chinese APT Targets Hong Kong in Supply Chain Attack"

At the DEF CON hacker conference, white hat hackers demonstrated how to spoof an Apple device and deceive users into divulging sensitive information. Conference attendees who use iPhones saw pop-up messages prompting them to connect their Apple ID or share their password with a nearby Apple TV. The messages were part of a study conducted by security researcher Jae Bochs. According to Bochs, data was not collected during the experiment. He was sending out Bluetooth Low Energy (BLE) advertisement packets that do not require pairing. He used inexpensive equipment consisting of a Raspberry Pi Zero 2 W, two antennas, a Bluetooth adapter compatible with Linux, and a portable battery. This article continues to discuss the demonstrated spoofing of an Apple device that could trick users into sharing their sensitive data.

Security Affairs reports "Spoofing an Apple Device and Tricking Users Into Sharing Sensitive Data"

INTERPOL and AFRIPOL coordinated an operation across 25 African countries that led to the arrest of 14 suspected cybercriminals and the identification of 20,674 suspicious cyber networks, underscoring the rise of digital insecurity and cyber threats in the region. The identified networks were linked to losses of over $40 million. The four-month Africa Cyber Surge II operation centered on identifying cybercriminals and compromised infrastructure. It facilitated communication, provided analysis, and shared intelligence between countries. Cooperation was streamlined between African law enforcement agencies through the operation in order to prevent, mitigate, investigate, and disrupt cyber extortion, phishing, Business Email Compromise (BEC), and more. This article continues to discuss highlights from the operation.

HSToday reports "Thousands of Illicit Cyber Networks Disrupted in Africa Operation"

According to US intelligence agencies, unnamed Foreign Intelligence Entities (FIEs) are escalating cyberattacks against US-based space companies. The FBI, the National Counterintelligence and Security Center (NCSC), and the Air Force Office of Special Investigations (AFOSI) recently released an advisory warning of cyberattacks on the space industry. The agencies noted that FIEs recognize the significance of the commercial space industry to the US economy and national security, as well as the rising dependence of critical infrastructure on space-based assets. They consider the innovation and assets of the US in space as both potential threats and opportunities to acquire critical technologies and expertise. FIEs gain access to the US space industry through cyberattacks, strategic investments, and targeting key supply chain nodes, among other methods. This article continues to discuss the increase in cyberattacks on the US space industry by FIEs.

The Record reports "FBI, Air Force Warn of Cyberattacks on Space Industry by 'Foreign Intelligence Operations'"

The National Security Agency (NSA), Cybersecurity and Infrastructure Security Agency (CISA), and National Institute of Standards and Technology (NIST) issued a warning that cyber actors could target the US' most sensitive information now and use future quantum computing technology to break traditional cryptographic algorithms that are not quantum-resistant. This could be especially detrimental for sensitive data with long-term confidentiality requirements. The joint Cybersecurity Information Sheet (CSI), titled "Quantum-Readiness: Migration to Post-Quantum Cryptography," helps the Department of Defense (DoD), National Security System (NSS) owners, the Defense Industrial Base (DIB), and others in protecting the confidentiality, integrity, and authenticity of sensitive information. This article continues to discuss the CSI on migrating to post-quantum cryptography.

NSA reports "Post-Quantum Cryptography: CISA, NIST, and NSA Recommend How to Prepare Now"

The BlackCat/ALPHV ransomware group has added Seiko to its leak website, claiming responsibility for a cyberattack disclosed by the Japanese company. Seiko is one of the largest and oldest watchmakers in the world, with around 12,000 employees and an annual revenue of more than $1.6 billion. On August 10, 2023, the company published a data breach notice revealing that an unauthorized third party accessed or exfiltrated data from at least a part of its Information Technology (IT) infrastructure. The BlackCat ransomware group claimed responsibility for the attack on Seiko, posting samples of the data stolen during the attack. In the listing, the threat actors leak what appear to be production plans, employee passport scans, new model release plans, and specialized lab test results. This article continues to discuss the cyberattack on Seiko and the BlackCat ransomware gang claiming to have been behind it.

Bleeping Computer reports "Japanese Watchmaker Seiko Breached by BlackCat Ransomware Gang"

According to IRONSCALES and Osterman Research, specialized email security vendors are leveraging a combination of Artificial Intelligence (AI) and human insights to improve email security and combat emergent threat methods enhanced by AI. The threat posed by AI-generated email attacks is expected to increase exponentially. More than 74 percent of respondents have witnessed an increase in the use of AI by cybercriminals over the past six months, and more than 85 percent believe that AI will be used to bypass their existing email security technologies. Seventy-seven percent of organizations now rank email security among their top three priorities, and almost all of the security leaders surveyed predict that AI will be moderately or extremely important to their future email defenses. This article continues to discuss cybercriminals using AI in email attacks, strengthening defenses with AI-enabled email security solutions, and organizations still relying on human insights for complementary protection.

Help Net Security reports "Organizations Invest in AI Tools to Elevate Email Security"

Tesla has recently disclosed a data breach impacting roughly 75,000 people, but the incident is the result of a whistleblower leak rather than a malicious cyberattack. Tesla recently told US authorities that a data breach discovered in May resulted in the exposure of the personal information, including social security numbers, of more than 75,700 individuals. A notification letter sent to impacted people reveals that the data breach is related to a couple of former employees sending confidential information to German media outlet Handelsblatt. Tesla said the ex-workers "misappropriated the information in violation of Tesla's IT security and data protection policies." The compromised information includes names, contact information, and employment-related records associated with current and former employees. Impacted individuals are being offered credit monitoring and identity protection services. The leak came to light in May when Handelsblatt reported that it had received 100 Gb of confidential Tesla data from a whistleblower. The leaked files, dubbed "Tesla Files," reportedly included information on more than 100,000 current and former employees, customer bank details, production secrets, and customer complaints regarding driver assistance systems. Handelsblatt has assured Tesla that it does not intend to publish the personal data provided by the whistleblower. Tesla stated that the chances of the exposed data being misused are slim, given the circumstances of the incident.

SecurityWeek reports: "Tesla Discloses Data Breach Related to Whistleblower Leak"

Advanced smartphone features entice users who want more from their devices, especially in regard to health and entertainment, but the question is whether these features pose a security risk when making or receiving actual calls. A team of researchers from Texas A&M University and four other institutions developed malware to answer that question. The researchers' malware, dubbed EarSpy, uses Machine Learning (ML) algorithms to filter caller information from ear speaker vibration data recorded by an Android smartphone's motion sensors without evading protections or needing user permissions. This article continues to discuss the malware created by academic researchers that shows how call security can be compromised in three areas.

Texas A&M University reports "Research Hack Reveals Call Security Risk in Smartphones"

Due to their complexity, hybrid cyber threats are dangerous. Oftentimes, cyberattacks are accompanied by an information component designed to achieve specific objectives, such as misleading the public or convincing them of things favorable to the nation launching the attack. The cybersecurity experts and professionals, Dr. Darius Stitilis and Associate Professor Marius Laurinaitis from Mykolas Romeris University (MRU), along with Professor Matthew Warren, the Director of the Cyber Security Center at the Royal Melbourne Institute of Technology (RMIT) in Adelaide, Australia, are sharing their insights on new generation hybrid threats and the need to expand the application of the hybrid threat model developed within the European Union (EU) beyond its borders. This article continues to discuss insights on combating hybrid cyberattacks.

Mykolas Romeris University reports "MRU Researchers Share Insights on How to Combat Hybrid-Cyber-Attacks"

Hackers recently managed to break into a US Air Force satellite in orbit and took home prizes of up to $50,000 for exposing the vulnerabilities. Italian team "mHACKeroni" were the winners of the US Space Force annual "Hack-A-Sat" competition, which took place at the hacker international conference DEF CON in Las Vegas on Friday and Saturday. The event was designed to figure out gaps in US cyber defenses before they can be exploited by rival states like Russia and China. For the first time, the hackers were asked to attack a real satellite in space, the US Air Force Moonlighter, which was deployed specifically for the event. Five teams were picked out of more than 700 applicants to strategically hack into the satellite. The participants aimed to break in and build a data link to the satellite while keeping competing teams out. The Italian team beat last year's winners, Poland-based "Poland Can Into Space." They came second and won $30,000, while the UK-US joint team "jmp fs:[rcx]" took $20,000 home. While the event had a decidedly fun-and-games tone to it, it reflects a serious and growing security threat. Satellite hacking can cause real geopolitics problems.

Business Insider reports: "Hackers Figured Out 3 separate Ways to Break Into US Air Force Satellites, And Won up to $50K For Doing it"

SentinelOne observed Bronze Starlight, also known as APT10, Emperor Dragonfly, and Storm-0401, an Advanced Persistent Threat (APT) group with ties to China, targeting the Southeast Asian gambling sector. The malware and infrastructure used in the campaign are similar to those observed in Operation ChattyGoblin, which the security company ESET attributed to threat actors linked to China. According to SentinelOne, the threat actors used DLL hijacking of executables of Adobe Creative Cloud, Microsoft Edge, and McAfee VirusScan executables to launch Cobalt Strike beacons. Bronze Starlight is a nation-state group known for using ransomware as a distraction or misattribution technique. The perpetrators used modified chat application installers to download .NET malware loaders. The loaders then retrieve a second-stage payload contained in a password-protected ZIP archive from Alibaba buckets. This article continues to discuss the ongoing campaign attributed to China-linked Bronze Starlight targeting the Southeast Asian gambling sector.

Security Affairs reports "Bronze Starlight Targets the Southeast Asian Gambling Sector"

Open source software development automation server Jenkins recently announced patches for high and medium severity vulnerabilities impacting multiple plugins. The patches address three high severity cross-site request forgery (CSRF) and cross-site scripting (XSS) issues in the Folders, Flaky Test Handler, and Shortcut Job plugins. Jenkins noted that the first bug, tracked as CVE-2023-40336, exists because no POST requests were required for an HTTP endpoint in version 6.846.v23698686f0f6 and earlier of the Folders plugin, leading to CSRF. This vulnerability allows attackers to copy an item, which could potentially automatically approve unsandboxed scripts and allow the execution of unsafe scripts. The second high severity bug, CVE-2023-40342, impacts Flaky Test Handler plugin versions 1.2.2 and earlier, which do not escape JUnit test contents when they are displayed in the Jenkins UI, allowing attackers to perform XSS attacks. Jenkins noted that Shortcut Job plugin versions 0.4 and earlier do not escape the shortcut redirection URL, leading to an XSS flaw tracked as CVE-2023-40346. Another high severity XSS flaw was identified in Docker Swarm plugin versions 1.11 and earlier, which do not escape values returned from Docker before they are inserted into the Docker Swarm Dashboard view. However, no patch was released for this bug. Jenkins also recently announced fixes for medium-severity vulnerabilities in the Folders, Config File Provider, NodeJS, Blue Ocean, Fortify, and Delphix plugins. According to Jenkins, these flaws could lead to information disclosure, credential leaks, CSRF attacks, HTML injection, and credential ID enumeration. Fixes were included in Blue Ocean version 1.27.5.1, Config File Provider version 953.v0432a_802e4d2, Delphix version 3.0.3, Flaky Test Handler version 1.2.3, Folders version 6.848.ve3b_fd7839a_81, Fortify version 22.2.39, NodeJS version 1.6.0.1, and Shortcut Job version 0.5. Additionally, Jenkins warned that no patches have been released for three medium severity flaws in the Maven Artifact ChoiceListProvider (Nexus), Gogs, and Favorite View plugins that could lead to credential exposure, information disclosure, and CSRF attacks.

SecurityWeek reports: "Jenkins Patches High-Severity Vulnerabilities in Multiple Plugins"

Researchers have discovered how to manipulate the iPhone's user interface to fake airplane mode while secretly maintaining Internet connectivity. Jamf Threat Labs detailed in a new report how the code controlling the different elements of iOS 16's airplane mode experience can be manipulated to simulate the real thing. They say that mobile device attackers could use this technique post-exploitation to enable 24/7 persistence without the user's knowledge. According to Jamf's vice president of portfolio strategy, Michael Covington, this is a different form of social engineering attack in which the user is duped into believing something that is false. This article continues to discuss the research on how mobile attackers could deceive iPhone users and provide the ideal cover for post-exploitation malicious activity.

Dark Reading reports "Researchers Trick an iPhone Into Faking Airplane Mode"

According to security researchers at TRM Labs, North Korea has stolen around $200 million in cryptocurrencies across 30 hacks so far in 2023, less than in 2022 but still a sum "10 times larger than attacks by other actors." The researchers noted that although this year has witnessed a considerable downturn in crypto hacks, largely attributable to the decrease in digital asset prices and the ongoing bear market, many cybercriminal groups remain undeterred. North Korean state-affiliated hacking groups were one of the most prolific actors in 2022, a record-breaking year for hacks, with nearly $4 billion stolen. In June, the Wall Street Journal reported the nation had netted more than $3 billion over the last five years, with stolen digital currency funding about 50% of the country's ballistic missile program. The researchers at TRM Labs puts that figure at $2 billion. U.S. officials say the North Korean government relies on a workforce of thousands of IT workers operating worldwide, including in China and Russia, earning as much as $300,000 a year. Officials noted that the operations also rely on "front people" who will apply for jobs at crypto firms and then make small changes to products to allow them to be hacked or slip malicious code to employees at targeted companies. The researchers at TRM Labs stated that although the proceeds from North Korean crypto hacks are down around 75% so far in 2023 compared with last year, the country is still responsible for over 20% of all crypto stolen so far this year. The most lucrative hack in 2023 targeted a non-custodial wallet provider called Atomic Wallet.

Forune reports: "North Korean Cybercriminals Have Already Stolen $200 Million in Crypto Hacks in 2023"

Researchers are trying to keep up with hackers and prevent data theft. Some standard tools include multi-factor authentication (MFA) systems, fingerprint technology, and retinal scans. Automatic speaker identification, which uses a person's voice as a passcode, is a type of security system growing in popularity. These systems, already in place for phone banking and other applications, effectively detect digitally-manipulated attempts to fake a user's voice. However, digital security engineers at the University of Wisconsin-Madison have discovered that these systems are not as foolproof in the face of an innovative analog attack. They found that speaking through customized PVC pipes, commonly found in hardware stores, can trick Machine Learning (ML) algorithms supporting automatic speaker identification systems. This article continues to discuss the method of defeating automatic speaker identification systems using the type of PVC pipe found at any hardware store.

The University of Wisconsin-Madison reports "Down the Tubes: Common PVC Pipes Can Hack Voice Identification Systems"

Adlumin security researchers are warning of the Play ransomware group targeting security Managed Service Providers (MSPs) to gain initial access and exploit up to five-year-old security appliance vulnerabilities. According to Kevin O'Connor, director of threat research at Adlumin, it is a clever tactic to attack companies via their security vendor. Cyber defenders find it difficult to detect the attack because it initially masquerades as legitimate administrative access and grants attackers unrestricted access to the target's network and Infomation Technology (IT) assets. According to the security firm, the gang also uses intermittent encryption to avoid triggering defenses that check for entire file modifications. The latest campaign targets the financial, software, legal, and logistics industries in the US, Australia, the UK, and Italy. The Play ransomware group is responsible for cyberattacks on the city of Oakland, the Judiciary of Cordoba in Argentina, and more. TrendMicro reported that the group's activities are similar to those of the ransomware groups Hive and Nokoyawa, indicating a possible affiliation. This article continues to discuss the Play ransomware group's history and most recent campaign.

BankInfoSecurity reports "Play Ransomware Using MSPs and N-Days to Attack"

A new cybersecurity technology that relies on the unique digital fingerprint of a semiconductor chip could help defend the equipment of electrical utilities from malicious attacks in which software updates are exploited on devices controlling critical infrastructure. The GridTrust project, successfully tested in a US municipal power system substation, combines the digital fingerprint with cryptographic technology to enhance security for utilities and other critical industrial systems that must update control device software or firmware. The project was led by researchers at the Georgia Institute of Technology (Georgia Tech) in collaboration with the City of Marietta, Georgia. It was supported by the US Department of Energy's Office of Cybersecurity, Energy Security, and Emergency Response (CESER). Researchers from Sandia National Laboratories and Protect Our Power, a security-focused not-for-profit organization, also contributed to the project. This article continues to discuss the GridTrust project.

Georgia Tech reports "GridTrust Helps Protect the Nation's Electric Utilities from Cyber Threats"

Researchers have discovered an extensive campaign that distributed proxy server apps to at least 400,000 Windows systems. The devices function as residential exit nodes without the users' permission. A company is charging for the proxy traffic running through the systems. Residential proxies are advantageous to cybercriminals because they facilitate the deployment of massive credential stuffing attacks from new IP addresses. Additionally, they serve legitimate functions such as ad verification, data scraping, website testing, and privacy-enhancing rerouting. Some proxy companies sell access to residential proxies and offer monetary incentives to users who agree to share their bandwidth. This article continues to discuss findings and observations regarding the 400,000 proxy botnet.

Bleeping Computer reports "Massive 400,000 Proxy Botnet Built With Stealthy Malware Infections"