News Items

Since June 2022, the hacktivist group Mysterious Team Bangladesh has been linked to more than 750 Distributed Denial-of-Service (DDoS) attacks and 78 website defacements. According to Group-IB, the group primarily targets logistics, government, and financial sector organizations in India and Israel. The group's main motivations are religious and political. Other countries of interest to the group include Australia, Senegal, the Netherlands, Sweden, and Ethiopia. In addition, the threat actor is said to have gained access to web servers and administrative panels, most likely by exploiting known security vulnerabilities or poorly protected passwords. Mysterious Team Bangladesh, as its name suggests, is likely of Bangladeshi origin. The group maintains an active presence on Telegram and Twitter. This article continues to discuss findings regarding the Mysterious Team Bangladesh hacktivist group.

THN reports "'Mysterious Team Bangladesh' Targeting India with DDoS Attacks and Data Breaches"

According to security researchers at Sophos, CryptoRom, a notorious scam that combines fake cryptocurrency trading and romance scams, has taken a new twist by utilizing generative artificial intelligence (AI) chat tools to lure and interact with victims. The researchers noted that CryptoRom scams typically begin by contacting potential targets through dating apps or social media platforms. Once the conversation moves to private messaging apps like WhatsApp or Telegram, the scammers introduce the idea of trading cryptocurrencies and offer to guide the targets through installing and funding a fake crypto-trading app. The researchers stated that what makes this new development particularly concerning is the use of generative AI tools like ChatGPT or Google Bard to assist scammers in creating more convincing conversations with targets. This makes the interactions more persuasive and reduces the workload for the scammers when dealing with multiple victims. Moreover, the researchers noted that recent cases revealed that scammers are not stopping at the initial "tax" payment but are coming up with additional excuses to extract even more money from victims. The researchers noted that the scammers have also slipped their fraudulent apps past both Apple's and Google's app store reviews by modifying the app's content after approval. By changing a pointer in remote code, the benign app can be switched to a fraudulent one without further scrutiny. The researchers warned individuals who believe they may have fallen victim to these scams to report the incident to local authorities experienced in dealing with fraud cases. Victims are also advised to contact their banks to see if any transactions can be reversed and report the wallet addresses of the fraud to the relevant cryptocurrency exchange.

Infosecurity reports: "AI-Powered CryptoRom Scam Targets Mobile Users"

Allegheny County recently released limited details on a data breach. According to the county, they were affected by a global cybersecurity incident impacting the popular file transfer tool, MOVEit. The county noted that the breach allowed a group of cybercriminals to access county files on May 28 and 29. The hackers claim they're only interested in business data and deleted files from the county. However, the county said they could have obtained personal information from Social Security numbers to health information. The county recommends that those concerned they are affected by the breach should monitor their credit for things such as new credit inquiries, new accounts opened, delinquent payments, and other things that would imply their identity was stolen.

CBS Pittsburgh reports: "Allegheny County Issues Notice of Data Breach"

Mozilla recently announced the release of Firefox 116, Firefox ESR 115.1, and Firefox ESR 102.14, which include patches for multiple high-severity vulnerabilities. Mozilla lists 14 CVEs in its advisory, nine of which are rated high severity. Three of the CVEs refer to memory safety bugs in Firefox. The first of the high-severity flaws tracked as CVE-2023-4045 is described as a cross-origin restrictions bypass in Offscreen Canvas, which failed to properly track cross-origin tainting. Mozilla noted that the issue can allow web pages to view images displayed in a page from a different site. Browsers include a same-origin policy that prevents HTML and JavaScript code originating on a website from accessing content on other sites. The second high-severity issue that Firefox 116 patches is CVE-2023-4046, which is described as the use of an incorrect value during WASM compilation. Mozilla noted that in some circumstances, a stale value could have been used for a global variable in WASM JIT analysis. This resulted in incorrect compilation and a potentially exploitable crash in the content process. Mozilla noted that the browser update also resolves CVE-2023-4047, a permission request bypass via clickjacking. A page could trick users into clicking on a carefully placed item but instead, register the input as a click on a security dialog that was not displayed to the user. The three other high-severity vulnerabilities that Firefox 116 resolves include CVE-2023-4048 (an out-of-bounds read flaw causing DOMParser to crash when deconstructing a crafted HTML file), CVE-2023-4049 (race conditions leading to potentially exploitable use-after-free vulnerabilities), and CVE-2023-4050 (stack buffer overflow in StorageManager potentially leading to a sandbox escape). Tracked as CVE-2023-4056, CVE-2023-4057, and CVE-2023-4058, Mozilla noted that the memory safety bugs resolved in Firefox 116 could have led to arbitrary code execution. Most of these high-severity issues, Mozilla says, also impact Firefox extended support and Thunderbird and were addressed in Firefox ESR 115.1, Firefox ESR 102.14, Thunderbird 115.1, and Thunderbird 102.14. Mozilla makes no mention of any of these vulnerabilities being exploited in attacks.

SecurityWeek reports: "Firefox 116 Patches High-Severity Vulnerabilities"

The North Atlantic Treaty Organization (NATO) is investigating the alleged theft of data by the hacktivist group known as SiegedSec. The threat actor claims to have compromised the Communities of Interest (COI) Cooperation Portal and stolen hundreds of confidential documents. According to SiegedSec, the data breach had nothing to do with the ongoing conflict between Russia and Ukraine. The threat intelligence company CloudSEK analyzed the 845 MB of leaked compressed data, discovering unclassified information and 8,000 employee records from 31 countries. The compromised information included names, business email addresses, home addresses, companies and units, working groups, job titles, and pictures. In addition, CloudSEC discovered 20 unclassified documents, while SeigedSec claims to have up to 700. Some leaked documents were several years old, while others were as recent as July 2023. Although the nature of the information in most leaked documents remains unknown, some contained a list of software used by NATO, including vendor information and version numbers. This article continues to discuss the alleged NATO data theft.

CPO Magazine reports "Alleged NATO Data Theft Leaked Hundreds of Sensitive Documents and Thousands of User Records"

False claims and disinformation in a society highly influenced by social media have become significant problems with potentially severe consequences. Researchers at the University of Oklahoma and collaborating institutions have received funding from the National Science Foundation's (NSF) Secure and Trustworthy Cyberspace (SaTC) program to study false claim attacks. Kash Barker, Ph.D., is the Principal Investigator (PI) leading a team of researchers exploring indirect attacks against infrastructure systems via unsuspecting users. In recent years, the number of false claims has increased, and studies suggest that most online users are initially tricked by fake news, as noted by Barker. When these incidents are weaponized by an adversary against US infrastructure networks, a damaging problem may occur. Disinformation can be used as a weapon to disrupt cyber-physical systems, human lives, and economic productivity. In these scenarios, chaos is caused not by systems or devices, but by "hacked" people. Imagine an adversary spreading information claiming that an electric company is offering free power during the hottest hours of the day, luring customers to use as much power as they want. This could exceed the grid's capacity and cause issues. Researchers will analyze the information and physical layers to combat these weaponized false claims. Both layers are intrinsically connected but are also individually vulnerable to attacks. This article continues to discuss the study on socio-technical approaches for securing cyber-physical systems from false claim attacks.

The University of Oklahoma reports "False Claims Attacks on Infrastructure Focus of NSF-Funded Research"

Researchers in Austria and Germany have developed a power-monitoring side-channel attack that exposes sensitive data on modern computer chips. The Collide+Power attack analyzes the processor's power consumption to determine the contents of the CPU cache memory. It may expose encryption keys and other identifiers if an attacker has persistent access to the victim's hardware or to a cloud computing environment that shares hardware between tenants. The technique is described in a paper titled "Collide+Power: Leaking Inaccessible Data with Software-based Power Side Channels." Collide+Power is based on measuring how power usage varies when processing known data from the attacker and unknown data from the victim, and then inferring the unknown data based on differences between these measurements. This article continues to discuss the Collide+Power attack.

The Register reports "Collide+Power Vulnerability Leaks Secrets Bit by Bit"

Cado Security has discovered a new variant of the peer-to-peer (P2P) worm known as the P2PInfect, which targets Redis servers with a previously undocumented initial access vector. In July, researchers at Palo Alto Networks Unit 42 found the new P2P worm targeting Redis servers running on both Linux and Windows. P2PInfect is more scalable and potent than other worms due to its ability to target Redis servers running on Linux and Windows operating systems. The worm is written in the Rust programming language and exploits the Lua sandbox escape vulnerability, tracked as CVE-2022-0543 with a CVSS score of 10.0, to target Redis instances. The Muhstik and Redigo botnets have previously exploited this vulnerability in attacks against Redis servers. The malware exploits CVE-2022-0543 to gain initial access and then drops an initial payload that establishes P2P communication to the P2P network. Over the past two weeks, researchers have identified over 307,000 unique public Redis systems, 934 of which may be vulnerable to infection. This article continues to discuss the new variant of the P2PInfect worm.

Security Affairs reports "Experts Discovered a Previously Undocumented Initial Access Vector Used by P2PInfect Worm"

Bedding products giant Tempur Sealy has recently shut down certain systems after falling victim to a cyberattack. Based in Lexington, Kentucky, Tempur Sealy manufactures and sells mattresses, pillows, and other bedding products under brands such as Cocoon, Sealy, Stearns & Foster, and Tempus. The company stated that the cyberattack was identified on July 23, 2023, and triggered the activation of "incident response and business continuity plans." This included proactively shutting down some of the company's IT systems, resulting in the temporary interruption of the company's operations. The company has started the process of restoring its critical IT systems and has already resumed operations, but the company did not say to what capacity. The company noted that the forensic investigation remains ongoing, and it continues to work to determine whether this incident will have a material impact on its business, operations, or financial results. The company stated that it has yet to determine if any personal information was compromised during the attack and would provide required notifications should that be the case.

SecurityWeek reports: "Bedding Giant Tempur Sealy Takes Systems Offline Following Cyberattack"

Researchers at CyFox have discovered a Dynamic Link Library (DLL) planting/hijacking vulnerability in the popular media center application Stremio, which attackers could exploit to execute code on a victim's system, steal information, and more. DLLs are files that can be dynamically linked and shared by multiple programs simultaneously. They are essential to Windows and numerous applications, including Stremio. They house standard functions that are shared by multiple applications, preventing code duplication and reducing executable file size. In addition, DLLs grant access to system resources such as device divers, graphics processing, and networking. When a user launches a program on Windows, the program searches for and uses the required DLLs to function as intended. The flaw discovered by the researchers impacts version 4.4 of Stremio for Windows. It stems from the use of LoadLibraryA and LoadLibraryExA, two Windows Application Programming Interface (API) functions. The latter allows an attacker to place malicious DLLs in the application directory. This article continues to discuss findings regarding the Stremio vulnerability.

Help Net Security reports "Stremio Vulnerability Exposes Millions to Attack"

A nation-state actor with ties to China is believed to have been behind a series of attacks against industrial organizations in Eastern Europe that occurred last year in an attempt to steal data from air-gapped systems. Researchers attributed the attacks with medium to high confidence to a hacking group called APT31, also known as Bronze Vinewood, Judgement Panda, and Violet Typhoon (formerly Zirconium), based on similarities in the observed techniques. The attacks involved over 15 different implants and their variants, classified into three broad categories based on their ability to establish persistent remote access, collect sensitive information, and send the collected data to actor-controlled infrastructure. According to researchers, one of the implant types appeared to be a sophisticated modular malware designed to profile removable drives and infect them with a worm to exfiltrate data from air-gapped industrial networks in Eastern Europe. This article continues to discuss APT31 attacks targeting industrial organizations in Eastern Europe to siphon data stored on air-gapped systems.

THN reports "China's APT31 Suspected in Attacks on Air-Gapped Systems in Eastern Europe"

Marisa Midler and Samantha Chaves, penetration testers with the Carnegie Mellon Software Engineering Institute's (SEI) Computer Emergency Response Team (CERT), have introduced a repository of penetration testing findings that is now publicly accessible on GitHub. The findings refer to the vulnerabilities and weaknesses discovered during a penetration test. The penetration testing findings repository is a collection of Active Directory, phishing, mobile technology, system, service, web application, and wireless technology weaknesses uncovered during a penetration test. For each finding, the repository includes default names, descriptions, remediation recommendations, references, mappings to multiple frameworks, and severity ratings. Standardization, streamlined reporting, comprehensiveness, and ease of navigation are the key goals of this repository and its structure. This article continues to discuss the repository of penetration testing findings.

Carnegie Mellon University Software Engineering Institute reports "A Repository of Common Penetration Testing Weaknesses"

According to new research on the role of the insurance industry in driving the criminal ecosystem, there is no "compelling evidence" that victims of ransomware attacks with cyber insurance are more likely to make extortion payments than those without insurance. This independent study, sponsored by the UK's National Cyber Security Centre (NCSC) and the Research Institute for Sociotechnical Cyber Security, addresses concerns that the cyber insurance industry helps cybercriminals by covering ransom payments. Researchers from the Royal United Services Institute, the University of Kent, De Montfort University, and Oxford Brookes University conducted the study. While there is evidence that cyber insurance policies exfiltrated during attacks are used as leverage in negotiations and to increase ransom demands, the conclusion that ransomware operators deliberately target organizations with insurance has been overstated, according to the study. This article continues to discuss findings from the study on the role of cyber insurance in addressing the threats posed by ransomware.

The Record reports "No Evidence Ransomware Victims With Cyber Insurance Pay Up More Often, UK Report Says"

The Biden-Harris Administration has unveiled the National Cyber Workforce and Education Strategy (NCWES) to address immediate and long-term cyber workforce needs. Filling the many cyber positions in the US is a national security imperative. The NCWES emphasizes the urgent need to fill a vast number of vacant cyber positions. Many communities that are presently underrepresented in the cyber workforce do not see themselves in cyber jobs or are unaware of the opportunity to join this critical and expanding workforce. The new strategy is committed to empowering Americans to pursue cyber careers. The NCWES follows the publication of the President's National Cybersecurity Strategy, which outlined a vision for developing a digital environment that is aligned with values and adequately resourced to address today's complex threat environment. This article continues to discuss the purpose and pillars of the NCWES.

HSToday reports "Administration Launches National Cyber Workforce and Education Strategy to Address Cyber Workforce Needs"

Researchers have uncovered malicious Android apps that use optical character recognition to steal credentials displayed on smartphone screens. The malware, dubbed CherryBlos by Trend Micro security researchers, has been embedded in at least four Android apps available outside of Google Play, particularly on sites promoting money-making scams. One of the apps was available on Google Play for nearly a month without the malicious CherryBlos payload. The researchers also found suspicious apps created by the same developers on Google Play, but they did not contain the payload. The apps concealed their malicious functionality with great care. This article continues to discuss findings regarding the CherryBlos malware.

Ars Technica reports "Android Malware Steals User Credentials Using Optical Character Recognition"

Security researchers at TXOne Networks have discovered that several vulnerabilities in a Weintek product could have been exploited to manipulate and damage industrial control systems (ICS). The security holes impact Taiwan-based Weintek's Weincloud, a cloud-based product designed for remotely managing human-machine interfaces (HMIs) and operations. According to a recent advisory published by CISA, the affected product is used by organizations worldwide, particularly in the critical manufacturing sector. Weintek patched the vulnerabilities with an account API update, and no action is required from users. The TXOne researchers confirmed that exploitation no longer appears possible. Four types of security holes have been found in Weintek Weincloud, three of which have been assigned "high severity" ratings. The researchers noted that one of them could have been exploited to reset an account's password by using the corresponding JWT token. Another issue could have been leveraged to log in with testing credentials to the official website by abusing the registration functionality. The third high-severity flaw could be used to cause a DoS condition. The fourth issue, classified as "medium severity," could have been exploited for brute-force attacks.

SecurityWeek reports: "Weintek Weincloud Vulnerabilities Allowed Manipulation, Damaging of ICS Devices"

TheAVRecon botnet has been observed using compromised small office/home office (SOHO) routers since at least May 2021 as part of a multi-year campaign. Lumen Black Lotus Labs disclosed AVRecon earlier this month as malware capable of executing additional commands and stealing a victim's bandwidth for an illegal proxy service offered to other malicious actors. It has also surpassed QakBot in scale, having infiltrated more than 41,000 nodes in 20 countries. The malware has been used to establish residential proxy services to hide malicious activity, including password spraying, web-traffic proxying, and ad fraud. According to new research, AVRecon is the malware engine behind SocksEscort, a 12-year-old service that rents compromised residential and small business devices to cybercriminals seeking to cover their true location online. The connection is based on direct correlations between SocksEscort and the command-and-control (C2) servers of AVRecon. This article continues to discuss new findings regarding the AVRecon botnet.

THN reports "AVRecon Botnet Leveraging Compromised Routers to Fuel Illegal Proxy Service"

Researchers at Palo Alto Networks discovered that in 2022, the most widely used ransomware delivery method was URL or web browsing. In 2021, it was email attachments (i.e., delivery via SMTP, POP3, and IMAP protocols), but in 2022, only 12 percent of attempts used this particular delivery channel. In 8.2 percent of ransomware infections recorded by the company in 2022, the primary entry vector was third-party applications. Palo Alto Networks has been tracking and analyzing ransomware-hosting URLs and hostnames. Based on a large, random sample (7,000 URLs out of 27,000 unique ones), they identified several techniques used by ransomware groups to prevent their websites from being identified, taken down, or blocked. The perpetrators have been observed rotating different URLs/hostnames to host the same ransomware or using the same URL to deliver different ransomware. Some attackers engage in both of these tactics. This article continues to discuss key findings regarding ransomware delivery URLs.

Help Net Security reports "Web Browsing Is the Primary Entry Vector for Ransomware Infections"

Researchers are collaborating to enhance the privacy and security of sensitive data that may include Personally Identifiable Information {PII). Tony Chiang, Data Scientist at Pacific Northwest National Laboratory (PNNL), and Amy Wagler, Professor of Mathematical and Computational Sciences at the University of Texas at El Paso (UTEP), are leading the project. Data privacy and sharing remain a persistent challenge in today's technologically advanced world. The PNNL and UTEP project team wants to protect data from security breaches by creating a Generative Adversarial Network (GAN), or Machine Learning (ML) model, in which two neural networks compete using deep learning techniques to make more accurate predictions. The GAN will use synthetic data instead of real data. The model's discriminators will be incapable of distinguishing between the two data sets, making it impossible to identify and differentiate sensitive data from synthetic data, which is crucial in industries that deal with sensitive data, such as healthcare. This article continues to discuss the PNNL and UTEP project aimed at strengthening the protection of sensitive data.

Pacific Northwest National Laboratory reports "Pacific Northwest National Laboratory and The University of Texas at El Paso Collaborate to Strengthen Data Protection"

According to research published in the International Journal of Business Performance Management, password management strategies can boost trust in digital services. The most significant barrier to password management is a lack of awareness among potential users, despite campaigns emphasizing the importance of using strong passwords for logins and not reusing passwords. The research is a call to action for digital service providers to encourage user adoption of a robust password management strategy. Nitin Bansal of the SBI School of Banking and Commerce and Krishna Nath Pandey of the Sunrise University, both in Rajasthan, India, surveyed over 400 individuals in the National Capital Region (NCR) of India to examine the adoption of digital services, security concerns, and how those who use digital services manage their logins and passwords. The survey found that people are becoming more willing to use digital services, but security concerns often prevent them from doing so. The research suggests that password management education can increase user trust and usage. This article continues to discuss the study on the impact of password management strategies on trust enhancement in the digital era.

Inderscience reports "Impact of Password Management Strategies on the Trust Enhancement in the Digital Era"

A team from the MIT Lincoln Laboratory traveled to Hill Air Force Base (AFB) near Salt Lake City, Utah, to assess the vulnerabilities of 5G networks. Fifth-generation, or 5G, mobile network technology is designed to provide higher data rates, ultralow latency, enhanced reliability, expanded configurability, increased network capacity, and connectivity between a greater number of users. The US Department of Defense (DOD) wants to incorporate these commercial advancements into their communications systems, but 5G lacks adequately robust security features. For military applications, wireless connectivity makes communications susceptible to unintended detection (i.e., identifying the presence of signals), unwarranted geolocation (i.e., determining the origin of signals), and intentional jamming (i.e., preventing the transmission and reception of signals). Before the DOD can fully leverage 5G technology, vulnerabilities in networking must be identified, quantified, and mitigated. This article continues to discuss the Lincoln Laboratory team assessing the vulnerabilities of 5G and developing potential solutions to make this technology resilient.

MIT Lincoln Laboratory reports "Field Campaign Assesses Vulnerabilities of 5G Networks"

Sandia programmers are helping the US Cybersecurity and Infrastructure Security Agency (CISA) in its hunt for hackers and cyber terrorists through an innovative program that enlists Microsoft cloud users worldwide. In March, Untitled Goose Tool was announced via a CISA alert. Wellington Lee, a Sandia cybersecurity expert, was part of the team that created the free tool for tracking potentially malicious activities in Microsoft Azure, Azure Active Directory, and Microsoft Office 365 environments. Untitled Goose Tool is a suite of data collection tools capable of quickly scouring a virtual storage space for signs of a potentially malicious user accessing the data, collecting data on how they accessed the cloud space, and returning the data to CISA's security experts for assessment. This article continues to discuss the new toolset developed to quickly analyze and isolate unusual data in cloud computing environments.

Sandia National Laboratories reports "Sandia Helps Develop Digital Tool to Track Cloud Hackers"

Zimbra recently released patches for a cross-site scripting (XSS) vulnerability in Collaboration Suite that has been exploited in malicious attacks. The vulnerability is tracked as CVE-2023-37580 and was disclosed earlier this month when Zimbra recommended manual patching for version 8.8.15 of the popular email and collaboration solution. No CVE identifier had been issued for the flaw at the time, but Clement Lecigne from Google's Threat Analysis Group (TAG) said that in-the-wild exploitation had been observed. Zimbra recently announced software updates for Zimbra Collaboration Suite versions 8.8.15, 9.0.0, and 10.0.x. A fix for the exploited security bug was included in version 8.8.15 patch 41 of the solution. The company noted that the update resolves two other vulnerabilities in the suite, namely CVE-2023-38750, an issue leading to the exposure of internal JSP and XML files, and CVE-2023-0464, a bug "related to the verification of X.509 certificate chains that include policy constraints" in OpenSSL. Patches for the last two flaws were also included in the Zimbra Collaboration Suite versions 10.0.2 and 9.0.0 patch 34. CVE-2023-37580, however, only impacts version 8.8.15 of the solution.

SecurityWeek reports: "Zimbra Patches Exploited Zero-Day Vulnerability"

Large Language Models (LLMs) apply deep learning techniques to process and generate text. This Artificial Intelligence (AI) technology has resulted in the development of open source and publicly accessible tools, such as ChatGPT, Claude, Google Bard, and more. Recent work has focused on aligning LLMs to prevent undesirable generation. For example, public chatbots will not generate inappropriate content if asked directly. Although attackers have been able to evade these measures, their strategy often requires significant human creativity, and the results have been found to be inconsistent. Researchers from the School of Computer Science (SCS) at Carnegie Mellon University (CMU), the CyLab Security and Privacy Institute, and the Center for AI Safety in San Francisco have discovered a new vulnerability, proposing a simple and effective attack method that can cause aligned LLMs to generate objectionable behaviors with a high success rate. In their study titled "Universal and Transferable Attacks on Aligned Language Models," CMU Associate Professors Matt Fredrikson and Zico Kolter, Ph.D. student Andy Zou, and CMU alum Zifan Wang discovered a suffix that, when attached to a wide range of queries, significantly increases the chance that both open and closed source LLMs will deliver affirmative responses to queries they would otherwise reject. This article continues to discuss the vulnerability found in LLMs.

CyLab reports "Researchers Discover New Vulnerability in Large Language Models"