News Items

As technology advances, the manufacturing industry increasingly adapts to digital instruction, from the production of fighter jets to cars. Mechanical parts can be designed on a computer and sent via the network to a manufacturing machine that follows digital instructions to create a part. The transition into the digital realm makes protecting online information a national interest. Recently, Dr. Narasimha Reddy, a professor in the Department of Electrical and Computer Engineering at Texas A&M University, received a grant from the National Science Foundation (NSF) to explore cybersecurity issues in digital manufacturing. He hopes that by getting ahead of the implementation of these digital manufacturing machines and addressing cybersecurity issues, manufacturing could be made more secure. Since these machines must receive instructions over the network, they could be sent malicious packets that cause damage. When a company uses modern manufacturing processes to produce parts for fighter jets, there is a risk that someone will compromise their network security. If these jets contain faulty equipment, there is a national security problem. This article continues to discuss the research aimed at making digital manufacturing more secure.

Texas A&M University reports "Cybersecurity Project Plans to Connect Researchers Across the Country"

In June, Johns Hopkins University and Johns Hopkins Health System learned that their systems were among those affected by a broad-based cybersecurity attack that targeted a widely used software platform for transferring data files called MOVEit. Initially, they believed 5,500 people were impacted at Johns Hopkins Health Care System and Johns Hopkins Howard County General Hospital. In a new update, now Johns Hopkins reveals that 310,405 people were affected by the hacking incident at Johns Hopkins Medicine. Hopkins noted that it has sent letters to those affected by the data breach, notifying them that they were eligible to sign up for two free years of credit monitoring. With such a large number of people affected, cybersecurity experts are warning that when unsecured protected health information is involved, that can mean things like Social Security numbers, medication information, and many other very personal and private information can be compromised.

WBAL reports: "More Than 300K People Affected by Johns Hopkins Data Breach"

Malicious actors are using a legitimate Rust-based injector called Freeze[.]rs to launch the commodity malware XWorm. The attack chain, discovered by Fortinet FortiGuard Labs on July 13, 2023, begins with a phishing email containing a malicious PDF file. It has also been used to introduce the Remcos Remote Access Trojan (RAT) by means of the SYK Crypter cipher, which Morphisec first documented in May 2022. Cara Lin, a security researcher, noted that this file redirects to an HTML file and uses the 'search-ms' protocol to access an LNK file on a remote server. Once the LNK file is clicked, a PowerShell script executes Freeze[.]rs and SYK Crypter in order to carry out additional malicious actions. Freeze[.]rs is an open-source red teaming tool from Optiv that serves as a payload creation tool for bypassing security solutions and executing shellcode stealthily. This article continues to discuss the use of the Freeze[.]rs by malicious actors for XWorm malware attacks.

THN reports "New Attack Alert: Freeze[.]rs Injector Weaponized for XWorm Malware Attacks"

According to OPSWAT, malware, one of the most prevalent and pervasive initial threat vectors, continues to evolve and become more sophisticated. Using malware as a foothold, threat actors infiltrate targeted infrastructures and then move laterally to gain long-term access, cause damage, or exfiltrate data. Organizations rely on actionable threat intelligence garnered through sandboxes and advanced malware analysis technologies and processes to effectively combat these threats. This proactive approach enables organizations to strengthen infrastructure defenses, improve incident response capabilities, and customize security strategies based on the threats they likely face. Sixty-two percent of organizations recognize the need to increase their investments in threat intelligence tools and processes. Only 22 percent of organizations have fully matured threat intelligence programs, with most indicating that they are still in the early phases or need to invest in additional tools and processes. This article continues to discuss key findings from OPSWAT's survey on threat intelligence.

Help Net Security reports "Threat Intelligence's Key Role in Mitigating Malware Threats"

Eye-Shield is an innovative screen protection system developed by researchers at the University of Michigan that obscures images and text on a user's phone and other devices when seen from a distance. According to the researchers, previous methods have been ineffective, inconvenient, or limited. Some involve applying a physical privacy film to the device, which cannot be turned off or easily removed, provides only limited protection, and in many cases, prevents screen protector usage. Other solutions have taken the form of apps focused on specific functions, such as obscuring numbers by overlaying low- and high-frequency images, and substituting text with difficult-to-read handwriting. Eye-Shield is designed to exist on a device as a free, built-in feature that the user can turn on and off as needed. The program takes advantage of the visual perception of contrast to blur text and images at a distance. This article continues to discuss the Eye-Shield solution that uses a pixelation scheme to obscure device screens when viewed from a distance, protecting against shoulder surfing attacks.

The University of Michigan reports "University of Michigan Researchers Create Screen Protection System to Fend Off Shoulder Surfers"

Governor Kathy Hochul has recently introduced New York's first-ever statewide cybersecurity strategy, reinforced by a $600m commitment. The initiative is designed to shield critical infrastructure, data, networks, and technology systems from malicious attacks. The strategy's primary pillars: unification, resilience, and preparedness, are designed to enable New York State to not only deter cyberattacks but also neutralize potential threats effectively. The commitment also includes allocating $90m to centralize cybersecurity, with $30m designated for shared services strengthening local governments' cybersecurity. An additional $500m will be invested in healthcare information technology cybersecurity infrastructure, and $7.4m will expand New York State Police's cyber units. The governor also signed legislation to boost New York's technology talent pool, providing necessary funding for employers to acquire and retain cybersecurity professionals.

Infosecurity reports: "New York Introduces First-Ever Statewide Cybersecurity Strategy"

A recent cross-border investigation into West African cybercriminal groups has resulted in 103 arrests and the seizure of more than $2.2 million. Operation Jackal was led by law enforcement agencies across 21 countries on six continents and targeted cybercrime groups such as the Nigerian criminal gang "Black Axe." The law enforcement agencies noted that the Black Axe group has a reputation for cyber-enabled financial fraud, particularly business email compromise, romance and inheritance scams, credit card and tax fraud, and money laundering. Isaac Kehinde Oginni, director of Interpol's Financial Crime and Anti-Corruption Centre, called the operation a successful demonstration of international cooperation and a future blueprint for financial crime enforcement. The operation began in May when $2.36 million was frozen or seized, 103 people arrested, 1,110 suspects identified, and 208 bank accounts blocked.

Dark Reading reports: "Interpol Shuts Down African Cybercrime Group, Seizes $2 Million"

There has been an increase in the use of a Phishing-as-a-Service (PhaaS) toolkit called EvilProxy by threat actors to conduct account takeover attacks targeting high-ranking executives at well-known companies. According to Proofpoint, an ongoing hybrid campaign used the service to target thousands of Microsoft 365 user accounts, sending about 120,000 phishing emails to hundreds of organizations across the globe between March and June 2023. Nearly 39 percent of the hundreds of compromised users are C-level executives, including CEOs and CFOs. Additionally, the attacks have targeted employees with access to financial assets or sensitive data. At least 35 percent of compromised users had enabled additional account protections. The campaigns are viewed as a response to the increased adoption of multi-factor authentication (MFA) in enterprises, which has prompted threat actors to evolve their tactics to circumvent new security layers by incorporating Adversary-in-the-Middle (AitM) phishing kits to steal credentials, session cookies, and one-time passwords. This article continues to discuss threat actors increasingly using the EvilProxy PhaaS.

THN reports "Cybercriminals Increasingly Using EvilProxy Phishing Kit to Target Executives"

The Biden-Harris Administration has launched a two-year competition to protect the most critical software in the US using Artificial Intelligence (AI). The AI Cyber Challenge (AIxCC) calls on competitors across the US to identify and fix software vulnerabilities using AI. This challenge is being led by the Defense Advanced Research Projects Agency (DARPA). It will involve collaboration with several top AI companies, including Anthropic, Google, Microsoft, and OpenAI, who are lending their expertise and making their advanced technology available for this competition. This competition, which will offer nearly $20 million in prizes, will spur the development of new technologies to strengthen computer code security, one of the most pressing challenges in cybersecurity. AIxCC will demonstrate the potential benefits of AI for securing software used throughout the Internet and society, from the electric grids powering the US to transportation systems. This article continues to discuss the goals and structure of the AIxCC.

Help Net Security reports "White House Launches AI Cyber Challenge to Make Software More Secure"

MITRE is collaborating with Robust Intelligence, a provider of Artificial Intelligence (AI) solutions, to improve a free tool that helps organizations assess the supply chain risks of publicly available AI models online. Indiana University is also involved in the collaboration to develop automated risk assessment tools. The availability of sophisticated models in public repositories has facilitated the incorporation of AI into enterprise systems. However, there are few independent testing tools for assessing risk. Therefore, Robust Intelligence created the AI Risk Database as a community resource in March 2023. After its further development in collaboration with MITRE, a new open-source version is now available on GitHub, with a long-term plan to integrate it into the set of MITRE ATLAS tools. ATLAS is a knowledge base containing a list of adversary tactics and techniques based on real-world attack observations and AI red teaming. It includes links to other tools that enable attack emulation. The collaboration between Robust Intelligence and MITRE will lead to the characterization and operationalization of risks, including risk scores, software vulnerabilities, and associated CVEs. These characterizations will help raise awareness of potential risks and vulnerabilities associated with open-source AI models. This article continues to discuss the collaboration aimed at tackling AI supply chain risks in open-source models.

MITRE reports "MITRE and Robust Intelligence Tackle AI Supply Chain Risks in Open-Source Models"

Cybernews researchers found an address that shed light on WordPress-orientated "hack waves" caused by the Balada Injector malware. Evidence indicates that the malware is still highly active, evading security software by using new domain names and small changes between surges of obfuscated attacks. The Balada Injector malware family has been active since 2017, using multiple attack vectors and persistence mechanisms. Cybernews observed a likely outcome of seven automated attack waves against a vulnerable WordPress website, each of which added a block of malicious PHP code directly into the index file of the compromised website, executing the malicious scripts when visited. However, the automated attack waves could not determine if a website had been compromised previously. This article continues to discuss findings regarding the hack waves caused by the Balada Injector malware.

Cybernews reports "Balada Injector Still at Large - New Domains Discovered"

The UK's financial regulatory recently warned consumers to be on the lookout for loan fee fraudsters after revealing new research claiming that many Brits are worried about their finances this summer. The Financial Conduct Authority (FCA) said it polled 2000 adults in late July and found that 55% are more concerned about their bank balance this summer than last. Rising food (63%) and energy costs (53%) were cited as the biggest concerns, but summer spending pressures, including entertainment costs (24%) and summer holidays (22%), also loomed large for respondents. The FCA noted that more than a third (35%) said they're worried about how they're going to pay for summer holidays this year. As a result, a quarter (24%) of British consumers are turning to credit or loans to fund their summer spending plans. The FCA stated that this could open the door to loan fee fraud, a type of advanced fee fraud where individuals pay a fee to access a loan that never materializes. The FCA warned that such scams tend to peak in summer, costing victims an average of 260 pounds. The FCA said there was a 26% year-on-year increase in complaints from victims last summer versus 2021.

Infosecurity reports: "Summer Spending Pressure Fuels Loan Fee Fraud Fears"

The SBU, Ukraine's security service, thwarted a Russian state-controlled hacking group's attempt to break into the Ukrainian military's battlefield management system. A recently published technical report reveals that Russian hackers attempted to infect Ukrainian military networks with at least seven variants of new custom malware. The SBU attributed the attack to the hacking group known as Sandworm, which works on behalf of Russia's military intelligence agency. The security service reported that it was able to halt the operation during the planning phase. Sandworm has been persistently targeting Ukraine with various malware strains designed to disrupt critical networks. However, its latest attack aimed to gain access to sensitive information regarding the Ukrainian military's operations, locations, equipment, and movements. According to the SBU's report, the Russian hackers initially sought to seize Android tablets used by the Ukrainian military to plan and execute combat missions. They wanted to access other connected devices and infect them with malware through these tablets. The hackers have developed at least seven new information-stealing malware strains to infect Android devices, including NETD to conduct internal intelligence, TOR and DROPBEAR to gain remote access to the devices, and DEBLIND to steal information from Android devices. STL, another malware strain, can access devices connected to Starlink satellite Internet. This article continues to discuss Sandworm's attempt to infiltrate the Ukrainian military's battlefield management system.

The Record reports "Ukraine Says It Thwarted Attempt to Breach Military Tablets"

Researchers at ETH Zurich have discovered a new attack on AMD computer chips in which the attacker secretly plants an "idea" within the computer. It was possible to leak data from anywhere in the computer's memory using this attack. The team led by Kaveh Razavi, a professor in the Department of Information Technology and Engineering, demonstrated a serious flaw in certain Central Processing Units (CPUs) that allows an attacker to plant the equivalent of an idea in a victim's CPU, coax it into executing specific commands, and thus retrieve information. This article continues to discuss the research behind the new attack on AMD computer chips.

ETH Zurich reports "Planting Ideas in a Computer's Head"

Microsoft recently released updates for 87 vulnerabilities, including two that are being actively exploited in the wild. The first zero-day was publicly disclosed last month when Microsoft initially announced a series of zero-day vulnerabilities in various Microsoft products that were discovered and exploited in the wild. They were assigned a single placeholder: CVE-2023-36884. This month, Microsoft released patches for this vulnerability, calling it a Windows Search Security Feature Bypass Vulnerability, and also released ADV230003, a defense-in-depth update designed to stop the attack chain associated that leads to the exploitation of this CVE. The second zero-day is CVE-2023-38180, a denial of service bug in .NET and Visual Studio that could cause systems to crash. Another vulnerability addressed is CVE-2023-21709, an elevation of privilege vulnerability in Microsoft Exchange Server with a CVSS score of 9.8. The attack complexity is low and doesn't require user interaction, making it a potentially popular choice for threat actors. There were also over 20 remote code execution (RCE) bugs listed by Microsoft this month. These include CVE-2023-29328 and CVE-2023-29330, two critical vulnerabilities in Microsoft Teams that attackers can exploit with direct access to a targeted device. For exploitation, the user must join a Teams meeting organized by the attacker. Microsoft noted that CVE-2023-36911, CVE-2023-36910, and CVE-2023-35385 are all RCE flaws in the Microsoft Message Queuing Service, with a CVSS score of 9.8 but a low likelihood of exploitation. All three have a network attack vector, low complexity of the attack, require no privileges, and do not need user interaction.

Infosecurity reports: "Microsoft Patches 80+ Flaws Including Two Zero-Days"

Intel recently released a total of 46 new security advisories to inform customers about 80 vulnerabilities affecting the company's firmware and software. The most serious of the flaws, based on their CVSS score, are 18 high-severity issues allowing privilege escalation or, in a few cases, denial-of-service (DoS) attacks. Intel noted that the vulnerabilities impact processor BIOS, chipset firmware, NUC BIOS, Unison, Manageability Commander, NUC Kit and Mini PC BIOS, Driver and Support Assistant (DSA), AI Hackathon, PROSet/Wireless Wi-Fi and Killer WiFi, NUC Pro Software Suite, Easy Streaming Wizard, Virtual RAID on CPU (VROC), SGX and TDX for some Xeon Processors, and Unite products. Medium-severity vulnerabilities have been addressed in processors, RealSense SDKs and ID software, ITS, Unite Android app, NUC BIOS firmware, PSR SDK, SDP tool, Server Board BMC video drivers, Unison, oneAPI, Hyperscan Library, DTT, Support Android app, Agilex (Quartus Prime Pro Edition for Linux), ISPC, and Advanced Link Analyzer Standard Edition. Intel noted that bugs with a "medium severity" rating have also been resolved in VCUST Tool, Distribution of OpenVINO Toolkit, Optimization for TensorFlow, Ethernet controllers and adapters, System Firmware Update Utility for Server Boards and Server System, NUC ITE Tech, Arc graphics cards, SSD Tools, PCSD, Ethernet Controller RDMA driver for Linux, and RST products. These mostly allow a local attacker to escalate privileges, and some can lead to information disclosure or DoS attacks. Intel noted that a vast majority of the flaws disclosed on Tuesday have received patches, but some of the impacted products have been discontinued.

SecurityWeek reports: "Intel Addresses 80 Firmware, Software Vulnerabilities"

The UK Electoral Commission has disclosed a "complex" cyberattack on its systems that went undetected for more than a year, allowing threat actors access to 40 million people's voter data spanning years. According to the regulator, the incident was identified in October 2022 following the detection of suspicious activity on its systems. It was then discovered that the malicious actors first gained access to the systems in August 2021. The intrusion allowed unauthorized access to the Commission's servers hosting email, control systems, and copies of electoral registers maintained for research purposes. The perpetrators' identities are currently unknown. The registers contained the names and addresses of anyone who enrolled to vote in the UK between 2014 and 2022, as well as those registered as overseas voters. However, they did not have the information of those who were eligible to register anonymously and the addresses of overseas electors registered outside the UK. This article continues to discuss the breach faced by the UK Electoral Commission.

THN reports "UK Electoral Commission Breach Exposes Voter Data of 40 Million Britons"

Following the discovery of vulnerabilities in the Terrestrial Trunked Radio (TETRA) communications protocol, which is used by Industrial Control Systems (ICS) worldwide, researchers have uncovered multiple additional zero-day vulnerabilities in a Motorola base station and system chip. Both are needed to execute and decrypt the TETRA communications algorithm, which may expose sensitive information. TETRA is a global standard for encrypted two-way communications devised by public safety experts. TETRA systems are used in public safety and industrial-commercial sectors, including utility companies, rail and metro lines, power stations, oil refineries, and chemical plants. Wouter Bokslag, co-founder of Midnight Blue, says that the base station has a Trusted Execution Environment (TEE) designed to prevent the exfiltration of cryptographic primitives and keys. However, he explains that through a side-channel attack on the TEE, his team was able to decrypt the module and get an AES key that could be used to decrypt further communications passing through the equipment. This article continues to discuss the TETRA-related vulnerabilities.

Dark Reading reports "Raft of TETRA Zero-Day Vulnerabilities Endanger Industrial Communications"

According to computer scientists at the University of California, Riverside (UCR), the headset hardware and virtual keyboard interfaces associated with Augmented Reality (AR) and Virtual Reality (VR) present new opportunities for hackers. The metaverse technology, currently being developed by Facebook's Mark Zuckerberg and other technology giants, relies on headsets that interpret bodily motions, including reaches, nods, steps, and blinks, to navigate new AR and VR worlds in order to play games, socialize, shop, and more. A computer science team at UCR's Bourns College of Engineering led by professors Jiasi Chen and Nael Abu-Ghazaleh, has demonstrated that spyware can monitor and record a user's every movement and then use Artificial Intelligence (AI) to translate those motions into words with accuracy of at least 90 percent. They showed that if a user runs multiple applications, and one of them is malicious, it can spy on the other applications. It can spy on the environment around a user to see whether people are around them and how far they are. It can also expose the user's interactions with the headset to the attacker. For example, if a user pauses a virtual game to check Facebook messages by air-typing the password on a virtual keyboard generated by the headset, the spyware could capture the password. Similarly, attackers could interpret the user's body movements to access their actions during a virtual meeting where sensitive information is disclosed and discussed. This article continues to discuss the study on the hacking opportunities created by headset hardware and virtual keyboard interfaces associated with AR and VR.

The University of California, Riverside reports "Virtual Reality Headsets Are Vulnerable to Hackers"

Since January 2021, patients with statutory health insurance in Germany have had the option to use an electronic health record. However, not many people have taken advantage of it. An interview study conducted by researchers at Ruhr University Bochum, Leibniz University Hannover, and CISPA - Helmholtz Center for Information Security revealed that there are many misconceptions about the digital infrastructure on which the records are based, such as who can view which data. People have expressed skepticism regarding the role of health insurance companies. Professor Karola Marky and Ph.D. student Rebecca Panskus of Ruhr University Bochum presented the findings at the 2023 Symposium on Usable Privacy and Security (SOUPS). Marky concludes from the study that there is much room for improvement with regard to the digital infrastructure of electronic health records. This article continues to discuss the study on privacy mental models of electronic health records.

Ruhr University Bochum reports "How Do People Really Feel About Electronic Health Records?"

Just months after the launch of OpenAI's ChatGPT chatbot, cybercriminals and hackers claim to have developed their own versions of the text-generating Artificial Intelligence (AI) technology. Theoretically, the systems could improve criminals' ability to develop malware or write phishing emails that can trick users into revealing login information. Since the beginning July, cybercriminals have been advertising two Large Language Models (LLMs), WormGPT and FraudGPT, on dark web forums and marketplaces. The systems, said to mimic ChatGPT and Google's Bard, generate text in response to the questions or prompts that users input. In contrast to the LLMs built by legitimate companies, these chatbots are marketed for illegal purposes. The malicious LLMs claim to eliminate all safety protections and ethical barriers. This article continues to discuss the LLMs advertised by cybercriminals that could help perform phishing attacks and create malware.

Wired reports "Criminals Have Created Their Own ChatGPT Clones"

General Data Protection Regulation (GDPR) fines are forcing businesses to reconsider their cybersecurity strategies. However, experts are concerned that, despite compliance looking good on paper, it does not translate into better protection in practice and may end up costing them more. Global fines, including those charged under the EU law, account for 6 percent of the 13.5 billion pounds lost by British businesses as a result of the "most notable data breaches" reported to the Information Commissioner's Office (ICO) between 2019 and 2022, according to research conducted by the cybersecurity firm Imperva. There are concerns that the fear itself may be the problem. UK organizations, anxious to avoid penalties, are engaging in "tick-box" exercises that may render them compliant on paper but leave them vulnerable to cyberattacks in reality. Although regulators are taking a tougher stance on data breaches and ICO penalties have increased nearly tenfold since the implementation of GDPR fines, there is still a risk that organizations will prioritize compliance measures over those that provide real data security, according to Terry Ray, senior vice president of Imperva. This article continues to discuss cybersecurity concerns surrounding GDPR compliance.

Cybernews reports "GDPR Compliance Is Not Cybersecurity, Says Analyst"

CrowdStrike recently released its 2023 Threat Hunting Report, warning that threat actors have doubled down on identity-based attacks over the past year. The new report is based on data collected over 12 months between July 1, 2022, and June 30, 2023, and it covers several major topics, including identity threats, cybercrime group techniques and tactics, and Linux and macOS insights and trends. CrowdStrike found that 62% of interactive intrusions involved the abuse of valid accounts, and 34% of breaches involved the use of domain or default accounts. In addition, there was a 160% increase in attempts to collect secret keys and other credentials through cloud instance metadata APIs. Pass-the-hash attacks increased by 200% year-over-year. CrowdStrike noted that the biggest rise related to identity threats was observed in Kerberoasting attacks, which increased by 583%, with a Russian-speaking ransomware group known as Vice Spider and Vice Society being responsible for 27% of all Kerberoasting attacks. Kerberoasting is a post-exploitation technique that involves the abuse of the Kerberos network authentication protocol. CrowdStrike observed a 40% year-over-year increase in interactive intrusions, with the technology sector being the most targeted for the sixth year in a row. The financial services industry saw the biggest increase in interactive intrusions, at more than 80%.

SecurityWeek reports: "Identity-Based Attacks Soared in Past Year: Report"

As cars become increasingly equipped with computerized components, they become more vulnerable to cyberattacks and privacy leaks. Ethical hackers, also known as white hat hackers, have already demonstrated attacks on computerized car technology. The cybersecurity sector is becoming a greater research focus, especially as Artificial Intelligence (AI) innovations enter the auto industry. M. Hadi Amini, an assistant professor at the Knight Foundation School of Computing and Information Sciences in the College of Engineering and Computing at Florida International University, is an expert in developing Machine Learning (ML), AI, and optimization algorithms as well as customizing them for real-world applications, such as healthcare, homeland security, and infrastructure resilience. In the Sustainability, Optimization, and Learning for InterDependent Networks laboratory, he explores integrating AI into complex systems while considering cyber, physical, and societal perspectives. Amini leads the university's AI research for the National Center for Transportation Cybersecurity and Resilience, which is supported by the US Department of Transportation. The potential of AI in vehicles is significant as some drivers are already using the technology to operate their vehicles semi-autonomously, but the technology also poses new challenges. One of the primary focuses is the storage of driver data. A driver's data is required for AI to make smarter decisions. Therefore, Amini is delving into whether or not someone's personal information might be vulnerable if a car is hacked. This article continues to discuss Amini's research on protecting cars and drivers' privacy from hackers in the age of AI.

Florida International University reports "Protecting Your Self-Driving Car - And Your Privacy - From Cyberhackers in the Age of AI"