News Items

Many highly sophisticated systems, such as those that power drones, fighter jets, and even secure authentication programs, are custom software developed at great expense. It is not as simple as downloading the latest software patch and clicking "Install" to update them. It often requires an expensive and time-consuming rewrite or reverse engineering process. Therefore, Georgia Tech engineers, computer scientists, and cybersecurity researchers are working to accelerate the process with a Defense Advanced Research Projects Agency (DARPA)-funded project. Their goal is to unpack these legacy systems, incorporate updates, and redeploy them in weeks or months as opposed to years. About halfway through the five-year project, the team has a prototype pipeline that automates significant portions of the process using Georgia Tech-developed software analysis techniques. This article continues to discuss the DARPA-funded effort to update critical defense software.

Georgia Tech reports "'Distilling' Outdated Software Could Save Defense Dept. Millions in Time and Money"

A missing piece of electronic equipment at Jefferson Health's hospital in Cherry Hill may have compromised the personal information of some of its patients, the health care provider recently revealed. Jefferson Health said it began mailing letters Tuesday to alert patients whose information may have been involved in a potential breach it describes as a "recent privacy incident." According to the hospital, the possible privacy breach involved a backup DEXA scan drive that contained partial information about patients. The hospital did not provide the number of patients that may have been impacted there but said the potential breach was recognized by a maintenance technician working on the machine. Jefferson said the information on the drive could be viewable and would include names, dates of birth, medical record numbers, the dates of studies, and, in some cases, mailing addresses. However, the hospital noted that other sensitive patient information, such as Social Security numbers, driver's licenses, phone numbers, and insurance numbers, are only viewable with the appropriate credentials, exact system software, and additional technology.

Courier Post reports: "Jefferson Cherry Hill Warns of Possible Data Breach. What Info May Have Been Exposed?"

An analysis of 3.5 million business assets revealed that most Internet-exposed web apps containing Personal Identifiable Information (PII) are vulnerable to cyberattacks. Hackers use PII for financial, credential, and phishing-related attacks. Seventy-four percent of the web apps the security company CyCognito examined contain PII vulnerable to at least one known major exploit, such as Apache Superset, Papercut, or MOVEit. The report discovered that 11 percent of vulnerable assets had multiple "easily exploitable" flaws, including misconfiguration, lack of secure HTTPS encryption, and the absence of a Web Application Firewall (WAF). According to the report, the average enterprise has over 12,000 web apps, of which at least 30 percent, or more than 3,000 assets, contain at least one exploitable or high-risk vulnerability. This article continues to discuss key findings from CyCognito's analysis.

SC Magazine reports "Web App Warning: 74% Of Apps With PII Are Vulnerable to a 'Major Exploit'"

OpenAI, Google, Meta, and other companies tested their Large Language Models (LLMs) at the DEF CON hacker conference. Results from the event have provided the White House Office of Science and Technology Policy and the Congressional AI Caucus with a new corpus of information. The Generative Red Team Challenge, organized by AI Village, SeedAI, and Humane Intelligence, provides greater insight into the potential misuse of generative Artificial Intelligence (AI) and what methods could secure it. During the challenge, hackers were tasked with forcing generative AI to produce personal or harmful information, contrary to its intended function. The AI Village team is still analyzing the event's data and expects to present it in September 2023. This article continues to discuss the Generative Red Team Challenge influencing AI security policy, the vulnerabilities LLMs are likely to have, and how to prevent these vulnerabilities.

TechRepublic reports "DEF CON Generative AI Hacking Challenge Explored Cutting Edge of Security Vulnerabilities"

Google recently announced the release of Chrome 116 to the stable channel with patches for 26 vulnerabilities, including 21 reported by external researchers. Of the externally reported bugs, eight have a severity rating of "high," with most of them being memory safety issues. Based on the bug bounty reward paid out, the most important of these is CVE-2023-2312, a use-after-free flaw in the Offline component. Google noted that the reporting researcher was awarded a $30,000 bounty for the finding. Next in line is CVE-2023-4349, a use-after-free issue in Device Trust Connectors, followed by an inappropriate implementation in Fullscreen (CVE-2023-4350), and a use-after-free bug in Network (CVE-2023-4351), for which Google paid out bounties of $5,000, $3,000, and $2,000, respectively. Google noted that the remaining four high-severity vulnerabilities that Chrome 116 resolves include a type confusion flaw in the V8 JavaScript engine, a heap buffer overflow bug in ANGLE, another in Skia, and an out-of-bounds memory access issue in the V8 engine. These issues were reported by researchers at Google Project Zero and Microsoft Vulnerability Research, and, per Google's policy, no bug bounty reward will be issued for them. Google stated that all the remaining externally-reported vulnerabilities addressed in Chrome 116 are medium-severity: six inappropriate implementation bugs, three use-after-free issues, two insufficient policy enforcement flaws, one insufficient validation of untrusted input, and one heap buffer overflow vulnerability. Overall, Google gave the reporting researchers $63,000 in bug bounty rewards. The internet giant does not mention any of these vulnerabilities being exploited in attacks. The latest Chrome iteration is rolling out as version 116.0.5845.96 for Mac and Linux and as versions 116.0.5845.96/.97 for Windows.

SecurityWeek reports: "Chrome 116 Patches 26 Vulnerabilities"

Multiple critical security vulnerabilities have been discovered in Ivanti Avalanche, an enterprise mobile device management solution used by 30,000 organizations. Ivanti Avalanche WLAvanacheServer.exe v6.4.0.0 contains the vulnerabilities, collectively tracked as CVE-2023-32560, with a CVSS score of 9.8. According to the cybersecurity company Tenable, they are stack-based buffer overflows. Tenable said the flaws stem from buffer overflows caused by processing certain data types. An unauthenticated remote attacker could specify a long hex string or long type 9 item to overflow the buffer. Exploiting both issues enables a remote adversary to achieve code execution or a system crash. This article continues to discuss the security flaws found in Ivanti Avalanche.

THN reports "Critical Security Flaws Affect Ivanti Avalanche, Threatening 30,000 Organizations"

A major US energy company was the target of a phishing campaign that sent more than 1,000 emails containing malicious QR codes designed to steal Microsoft credentials. The campaign, which Cofense discovered in May, used both PNG image attachments and redirect links associated with Microsoft Bing and well-known business applications, such as Salesforce and CloudFlare's Web3 services, with embedded QR codes. The fake Microsoft security alerts claimed that recipients were required to update their account's security settings for two-factor authentication (2FA), multi-factor authentication (MFA), and more. The images and links within the messages led recipients to a phishing page aimed at stealing Microsoft credentials. Although the campaign impacted multiple industries, a leading energy company in the US received the lion's share of the phishing emails, with its employees receiving over 29 percent of the more than 1,000 emails containing malicious QR codes. This article continues to discuss findings regarding the QR code phishing campaign.

Dark Reading reports "QR Code Phishing Campaign Targets Top US Energy Company"

Cleaning products manufacturer and marketer Clorox recently announced that it has taken certain systems offline in response to a cyberattack. In a statement, the organization said it recently identified unusual activity on its IT systems. Upon detection, they immediately took steps to stop the activity and took certain systems offline. The affected systems remain offline as it is working on adding more "protections and hardening measures to further secure them." Clorox noted that, as a result, some operations are temporarily impaired. In a Form 8-K filing with the Securities and Exchange Commission (SEC), the company said it has implemented workarounds to enable offline operations and continue servicing customers, but disruptions are expected to continue. Clorox also told the SEC that it has informed law enforcement of the incident and that it is working with third-party cybersecurity experts to investigate the attack and restore its operations. Clorox did not provide additional information on the type of cyberattack it has fallen victim to. Clorox did not say whether any data was stolen from its systems nor how long it might take to restore the impacted systems. Clorox noted that the investigation into the nature and scope of the incident remains ongoing and is in its very early stages. Based in Oakland, California, Clorox makes and sells consumer and professional cleaning products, including Brita, Glad, Green Works Cleaning Products, Kingsford, Liquid-Plumr, Pine-Sol, and Tilex. The company has locations in 25 countries and territories worldwide and a market presence in over 100 countries.

SecurityWeek reports: "Cleaning Products Giant Clorox Takes Systems Offline Following Cyberattack"

According to SafeBreach researcher Or Yair, Microsoft's OneDrive file-sharing program can be used as ransomware to encrypt most files on a target machine beyond recovery, partly because Windows and Endpoint Detection and Response (EDR) programs inherently trust the program. Microsoft has patched OneDrive so that this vulnerability no longer affects client versions 23.061.0319.0003, 23.101.0514.0001, and later. Yair has packaged his OneDrive attack process into an automated tool called DoubleDrive, which is available on GitHub and compatible with older OneDrive versions. This article continues to discuss the DoubleDrive attack.

SC Media reports "'DoubleDrive' Attack Turns Microsoft OneDrive Into Ransomware"

The Colorado Department of Health Care Policy and Financing (HCPF) has recently revealed that the personal information of millions of individuals was compromised in a data breach resulting from the recent MOVEit cyberattack. The HCPF informed the Maine Attorney General's office that it has started informing close to 4.1 million individuals that their personal information might have been compromised in the incident. HCPF revealed that, on May 28, an unauthorized party accessed certain HCPF files that IBM, which is providing certain services to the organization, was transferring using MOVEit. Those files contained the personal information of both Health First Colorado (Medicaid) and Child Health Plan Plus members. The exposed information, the organization says, includes names, addresses, birth dates, Social Security numbers, demographic or income information, medical information, treatment information, and health insurance information. On August 11, the agency started notifying the potentially impacted individuals of the data breach, offering free credit monitoring and identity restoration services.

SecurityWeek reports: "Colorado Health Agency Says 4 Million Impacted by MOVEit Hack"

A new cybersecurity threat known as QwixxRAT, a Remote Access Trojan (RAT), was recently discovered by the Uptycs Threat Research team in early August 2023. According to the researchers, QwixxRAT has caught attention due to its unusual distribution method. The threat actor behind it is spreading the malicious tool through popular communication platforms, Telegram and Discord. The researchers noted that once it gains access to a victim's Windows-based machine, QwixxRAT discreetly collects sensitive data, sending it to the attacker's Telegram bot. The researchers stated that beyond mere data theft, QwixxRAT wields formidable remote administrative tools, enabling attackers to control victim devices, launch commands, and even destabilize systems. To evade detection, the RAT employs a Telegram bot for command-and-control functionalities. This also allows the attacker to remotely manage the RAT and execute operations without triggering antivirus alarms. The researchers noted that QwixxRAT's impact is global, as its reach has been observed in evaluations of compromised systems worldwide. The researchers noted that from a technical standpoint, the RAT file is a C# compiled binary, functioning as a 32-bit executable file designed for CPU operations. The researchers revealed that the threat actor employed two distinct names for the same Remote Access Trojan (RAT). One alias used was "Qwixx Rat," while the other was identified as "TelegramRAT." The main function consists of a total of 19 individual functions, each serving a unique purpose.

Infosecurity reports: "New QwixxRAT Trojan Spreads Through Messaging Apps"

The National Institute of Standards and Technology's (NIST) Cybersecurity Framework (CSF) has been updated, and is now aimed at organizations of all sizes. The framework was introduced nearly a decade ago as technical cybersecurity guidance for critical infrastructure interests such as energy, banking, and hospitals. Version 2.0 of the widely used NIST CSF has added a sixth function, govern, to the original framework's five (identify, protect, detect, respond, and recover) for an effective cybersecurity program. Viakoo's CEO, Bud Broomhead, explained that the new NIST update does not just help organizations with basic cybersecurity functions as it extends to other enterprise areas. Expanding the scope of the NIST framework to include all types of organizations acknowledges that all organizations face cyber threats and must have a plan to manage cyber hygiene and incident response. This article continues to discuss the updates and business benefits of CSF 2.0.

Dark Reading reports "What's New in the NIST Cybersecurity Framework 2.0"

In the second quarter of 2023, according to Gartner, the availability of generative Artificial Intelligence (AI), such as OpenAI's ChatGPT and Google Bard, became a top concern for enterprise risk executives. Generative AI was the second most frequently cited risk in Gartner's second quarter survey, making its debut in the top ten. This reflects the rapid rise in public awareness and usage of generative AI tools, as well as the scope of potential use cases. Gartner surveyed 249 senior enterprise risk executives in May 2023 to provide a benchmarked view of 20 emerging risks to business leaders. The report contains comprehensive information on the potential impact, time frame, level of attention, and perceived opportunities associated with these risks. This article continues to discuss key findings and observations regarding generative AI risks and regulatory challenges.

Help Net Security reports "Navigating Generative AI Risks and Regulatory Challenges"

The Norfolk and Suffolk police in the UK have recently confirmed the accidental exposure of personal data belonging to more than 1000 individuals, including crime victims. The disclosure occurred within Freedom of Information (FOI) responses issued by law enforcement agencies. According to a joint statement from the East Anglian constabularies, a "technical issue" resulted in the inclusion of raw crime report data in a "very small percentage" of FOI responses distributed between April 2021 and March 2022. The compromised data in the Norfolk and Suffolk breach encompassed information stored within a dedicated police system, including data on crime reports, details regarding victims, witnesses, and suspects, and descriptions of the criminal acts. The spectrum of offenses encompassed domestic incidents, sexual offenses, assaults, thefts, and instances of hate crime.

Infosecurity reports: "UK Police Data Breach Exposes Victim Information"

As opportunities for network data collection increase and usage patterns change, "network parenting" methods must evolve. People continue to make mistakes despite well-defined security policies, technical safeguards, and extensive user education, and adversaries continue to be successful. According to Daniel Ruef, a researcher with Carnegie Mellon Software Engineering Institute's (SEI) Computer Emergency Response Team (CERT) Division, using the perspective of a Security Operations Center (SOC) treating their network as children for which they are responsible, aspects of parenting can be applied to determine uses of monitored data to build greater situational awareness. This article continues to discuss the importance of listening to one's network, the role of Endpoint Detection and Response (EDR) data, tailoring analytics to the cloud, and the need for real-time streaming data analysis.

Carnegie Mellon University Software Engineering Institute reports "Netflow in the Era of EDR and Cloud: Helicopter Parenting for Your Network"

The US government recently announced that the DHS's Cyber Safety Review Board (CSRB) is going to conduct a review on malicious attacks targeting cloud environments. The initiative will focus on providing recommendations for government, industry, and cloud services providers to improve identity management and authentication in the cloud. The DHS noted that initially, the review will focus on the recent Microsoft cloud hack but will then expand to issues relating to cloud-based identity and authentication infrastructure affecting applicable CSPs and their customers. The CSRB was established in February 2022 and is an initiative tasked with reviewing major cyber events, including their root cause, mitigations, and response.

SecurityWeek reports: "US Cyber Safety Board to Review Cloud Attacks"

Synack Red Team Members discovered several vulnerabilities in the ScrutisWeb ATM fleet monitoring software made by French company Iagona that could be exploited to remotely hack ATMs. The vendor patched the vulnerabilities in July 2023 with the release of ScrutisWeb version 2.1.38. ScrutisWeb allows organizations to monitor banking or retail ATM fleets from a web browser, enabling them to quickly respond to problems. The solution can be used to monitor hardware, reboot or shut down a terminal, send and receive files, and modify data remotely. It's worth noting that ATM fleets can include check deposit machines and payment terminals in a restaurant chain. The four types of vulnerabilities found by the researchers include CVE-2023-33871, CVE-2023-38257, CVE-2023-35763, and CVE-2023-35189. The flaws include path traversal, authorization bypass, hardcoded cryptographic key, and arbitrary file upload issues that can be exploited by remote, unauthenticated attackers. The researchers noted that threat actors could exploit the flaws to obtain data from the server (configurations, logs, and databases), execute arbitrary commands, obtain encrypted administrator passwords, and decrypt them using a hardcoded key. The researchers said an attacker can leverage the flaws to log into the ScrutisWeb management console as an admin and monitor the activities of connected ATMs, enable management mode on the devices, upload files, and reboot or power them off. Hackers could also exploit the remote command execution vulnerability to hide their tracks by deleting relevant files. The researchers noted that additional exploitation from this foothold in the client's infrastructure could occur, making this an internet-facing pivot point for a malicious actor.

SecurityWeek reports: "Iagona ScrutisWeb Vulnerabilities Could Expose ATMs to Remote Hacking"

Alberta Dental Service Corporation (ADSC) has recently revealed that nearly 1.47 million individuals have been affected by a data breach that occurred between May 7 and July 9, 2023. ADSC administers dental benefits through various programs, and the incident has raised concerns over compromised personal information. The company stated that the breach was discovered on July 9, 2023, when an unauthorized third party gained access to a portion of ADSC's IT infrastructure and deployed malware, temporarily encrypting specific systems and data. ADSC didn't reveal how they were compromised. The breach impacted three groups in particular. Dental Assistance for Seniors Plan clients enrolled between July 1, 2015, and July 9, 2023, may have had their personal information compromised, including name, address, personal health number, date of birth, and dental benefits details. Low-Income Health Benefits Plan clients enrolled from January 1, 2006, to July 9, 2023, may have had their name, date of birth, dental benefits details, and government-issued identification number compromised. Dental Services Providers enrolled for direct payment of eligible health claims between January 1, 2010, and July 9, 2023, may have had their corporate details and license numbers exposed.

Infosecurity reports: "Alberta Dental Services Security Breach Exposes 1.47M Records"

Phishing attacks are becoming increasingly sophisticated, requiring more advanced detection methods. Din Serussi, manager of the incident response group at Perception Point, explained that this is because modern forms of phishing are more difficult to detect, especially when employees work remotely, and are more challenging to protect. According to Serussi, 91 percent of cyberattacks start with a phishing email. In the past, it required time for an attacker to create a phishing template, but Artificial Intelligence (AI) can now generate a phishing template with an embedded malicious URL and malicious file in 30 seconds. This article continues to discuss Serussi's insights on modern phishing tactics used by attackers and how to address them.

Dark Reading reports "As Phishing Gets Even Sneakier, Browser Security Needs to Step Up"

Ford warns of a buffer overflow vulnerability in the SYNC3 infotainment system used in many Ford and Lincoln vehicles, which could enable Remote Code Execution (RCE), but claims that vehicle safety is unaffected. SYNC3 is a modern infotainment system that supports Wi-Fi hotspots, phone connectivity, voice commands, and third-party applications. The WL18xx MCP driver for the Wi-Fi subsystem of the car's infotainment system contains the vulnerability, tracked as CVE-2023-29468. It allows an attacker within Wi-Fi range to cause a buffer overflow using a specially crafted frame. This article continues to discuss the potential exploitation and impact of the vulnerability in the SYNC3 infotainment system.

Bleeping Computer reports "Ford Says Cars With Wi-Fi Vulnerability Still Safe to Drive"

Multiple security flaws in AudioCodes desk phones and Zoom's Zero Touch Provisioning (ZTP) could be exploited by an adversary to conduct remote attacks. Using the vulnerabilities discovered in AudioCodes desk phones and Zoom's ZTP feature, an external attacker can gain complete remote control of the devices, according to an analysis by a SySS security researcher. The unrestricted access could then be used to eavesdrop on rooms or phone conversations, pivot through the devices to attack corporate networks, and even assemble a botnet of infected devices. This article continues to discuss the potential exploitation and impact of the vulnerabilities in AudioCodes desk phones and Zoom's ZTP.

THN reports "Zoom ZTP & AudioCodes Phones Flaws Uncovered, Exposing Users to Eavesdropping"

Southwest Research Institute (SwRI) has developed an algorithm to remotely update and fix spacecraft software using less time and data than other techniques. Not only does the tool improve the overall efficiency of satellite software transmissions, but it can also recover data from unsuccessful over-the-air updates and malicious cyberattacks. It identifies missing bytes and other errors before applying a custom "micropatch" to missing or damaged software. Instead of updating an entire file or operating system, as is typically required with over-the-air satellite software updates, the tool can detect and fix smaller errors, according to Henry Haswell, a research engineer in SwRI's Intelligent Systems Division. Researchers deployed and tested the tool on the International Space Station (ISS). SwRI collaborated with Axiom Space Inc. and Amazon Web Services (AWS) to upload and assess the micropatch technology on an ISS computer operated by Axiom Space. This article continues to discuss the SwRI micropatch algorithm that improves ground-to-spacecraft software update efficiency.

Southwest Research Institute reports "SwRI Micropatch Algorithm Improves Ground-To-Spacecraft Software Update Efficiency"

Gootloader, a Search Engine Optimization (SEO) watering hole technique, has been observed targeting legal-related search terms. It has been identified as a threat to law firms and individuals conducting research online for legal information. According to Trustwave's SpiderLabs, the Gootloader malware exploits compromised WordPress sites for malware distribution and uses SEO poisoning techniques to achieve high rankings in web search results. Through the manipulation of search engine results and luring of unsuspecting users to compromised websites, Gootloader exploits users' trust in search results to deliver malicious payloads. Researchers found that close to 50 percent of these cases target law firms. In addition to English, the Gootloader campaign also targets the French, Spanish, Portuguese, German, and South Korean languages. This article continues to discuss findings regarding the Gootloader campaign.

SC Magazine reports "Gootloader SEO Watering Hole Malware Targets Law Firms"

Multiple vulnerabilities have recently been identified in the widely used Avada theme and its accompanying Avada Builder plugin. Security researchers at Patchstack discovered the flaws. The researchers noted the Avada Builder plugin exhibits two weaknesses. The first is an Authenticated SQL Injection (CVE-2023-39309). The researchers stated that by exploiting this vulnerability, attackers possessing authenticated access could breach sensitive data and potentially execute remote code. The second vulnerability is a Reflected Cross-Site Scripting (XSS) vulnerability (CVE-2023-39306), enabling unauthenticated attackers to pilfer sensitive information and potentially heighten their privileges on impacted WordPress sites. Patchstack also discovered various vulnerabilities in the Avada theme. First among them is a Contributor+ Arbitrary File Upload vulnerability (CVE-2023-39307). With this vulnerability, contributors gain the ability to upload arbitrary files, which may encompass detrimental PHP files, thereby enabling remote code execution and compromising site integrity. The researchers also found an Author+ flaw (CVE-2023-39312). Here, the researchers were able to attain the capability to upload malevolent zip files, thereby introducing the potential for remote code execution and vulnerabilities within the site. The researchers stated that the last vulnerability discovered is the Contributor+ Server-Side Request Forgery (SSRF) vulnerability (CVE-2023-39313). Through this loophole, Contributors can instigate requests to internal services on the WordPress server, thereby potentially initiating unauthorized actions or data access within the organizational framework. The researchers noted that the vulnerabilities were reported to the Avada vendor on July 6, 2023, leading to the release of patched versions on July 11, 2023. To address these vulnerabilities, users are urged to update the Avada Builder plugin to version 3.11.2 and the Avada theme to version 7.11.2. The researchers noted that ensuring prompt updates is crucial to maintain website security.

Infosecurity reports: "Multiple Flaws Found in the Avada WordPress Theme and Plugin"