News Items

  • news

    "Russian APT Phished Government Employees via Microsoft Teams"

    Microsoft reports that an Advanced Persistent Threat (APT) group with ties to Russia's Foreign Intelligence Service has used Microsoft Teams to launch phishing attacks against employees of dozens of global organizations. To host and execute their social engineering attack, the actor uses Microsoft 365 tenants belonging to small businesses they have compromised in previous attacks. According to the company, the actor renames the compromised tenant, adds a new onmicrosoft[.]com subdomain, and then adds a new user associated with that domain to send the outbound message to the target tenant. The actor-controlled subdomains and new tenant names contained product- or security-related keywords. The actor would then send a Microsoft Teams message request to the targeted employees, who, if they accepted, would receive a message urging them to input a code into the Microsoft Authenticator app on their mobile device. This article continues to discuss the Russian APT group targeting employees of global organizations with phishing attacks via Microsoft Teams.

    Help Net Security reports "Russian APT Phished Government Employees via Microsoft Teams"

  • news

    "'Mysterious Team Bangladesh' Targeting India with DDoS Attacks and Data Breaches"

    Since June 2022, the hacktivist group Mysterious Team Bangladesh has been linked to more than 750 Distributed Denial-of-Service (DDoS) attacks and 78 website defacements. According to Group-IB, the group primarily targets logistics, government, and financial sector organizations in India and Israel. The group's main motivations are religious and political. Other countries of interest to the group include Australia, Senegal, the Netherlands, Sweden, and Ethiopia. In addition, the threat actor is said to have gained access to web servers and administrative panels, most likely by exploiting known security vulnerabilities or poorly protected passwords. Mysterious Team Bangladesh, as its name suggests, is likely of Bangladeshi origin. The group maintains an active presence on Telegram and Twitter. This article continues to discuss findings regarding the Mysterious Team Bangladesh hacktivist group.

    THN reports "'Mysterious Team Bangladesh' Targeting India with DDoS Attacks and Data Breaches"

  • news

    "Over 640 Citrix Servers Backdoored With Web Shells in Ongoing Attacks"

    Hundreds of Citrix Netscaler ADC and Gateway servers have been compromised and backdoored in a series of attacks targeting a critical Remote Code Execution (RCE) flaw, tracked as CVE-2023-3519. The vulnerability has been exploited as a zero-day to breach the network of a US critical infrastructure organization. Shadowserver Foundation security researchers have revealed that the attackers had deployed web shells on at least 640 Citrix servers in these attacks. This article continues to discuss Citrix Netscaler ADC and Gateway servers being breached and backdoored in attacks targeting an RCE vulnerability.

    Bleeping Computer reports "Over 640 Citrix Servers Backdoored With Web Shells in Ongoing Attacks"

  • news

    "AI-Powered CryptoRom Scam Targets Mobile Users"

    According to security researchers at Sophos, CryptoRom, a notorious scam that combines fake cryptocurrency trading and romance scams, has taken a new twist by utilizing generative artificial intelligence (AI) chat tools to lure and interact with victims. The researchers noted that CryptoRom scams typically begin by contacting potential targets through dating apps or social media platforms. Once the conversation moves to private messaging apps like WhatsApp or Telegram, the scammers introduce the idea of trading cryptocurrencies and offer to guide the targets through installing and funding a fake crypto-trading app. The researchers stated that what makes this new development particularly concerning is the use of generative AI tools like ChatGPT or Google Bard to assist scammers in creating more convincing conversations with targets. This makes the interactions more persuasive and reduces the workload for the scammers when dealing with multiple victims. Moreover, the researchers noted that recent cases revealed that scammers are not stopping at the initial "tax" payment but are coming up with additional excuses to extract even more money from victims. The researchers noted that the scammers have also slipped their fraudulent apps past both Apple's and Google's app store reviews by modifying the app's content after approval. By changing a pointer in remote code, the benign app can be switched to a fraudulent one without further scrutiny. The researchers warned individuals who believe they may have fallen victim to these scams to report the incident to local authorities experienced in dealing with fraud cases. Victims are also advised to contact their banks to see if any transactions can be reversed and report the wallet addresses of the fraud to the relevant cryptocurrency exchange.

    Infosecurity reports: "AI-Powered CryptoRom Scam Targets Mobile Users"

  • news

    Call for Papers: Journal of Cybersecurity Special Collection

    Call for Papers
    Special Collection: The Philosophy of Information Security

    Editors: David Pym and Jonathan Spring

    For this special collection, we solicit papers at the intersection of philosophy, information security, and philosophy of science. There are multiple under-explored ways in which these fields intersect.

    Suggested, but not exclusive, topics include:

  • news

    "Allegheny County Issues Notice of Data Breach"

    Allegheny County recently released limited details on a data breach. According to the county, they were affected by a global cybersecurity incident impacting the popular file transfer tool, MOVEit. The county noted that the breach allowed a group of cybercriminals to access county files on May 28 and 29. The hackers claim they're only interested in business data and deleted files from the county. However, the county said they could have obtained personal information from Social Security numbers to health information. The county recommends that those concerned they are affected by the breach should monitor their credit for things such as new credit inquiries, new accounts opened, delinquent payments, and other things that would imply their identity was stolen.

    CBS Pittsburgh reports: "Allegheny County Issues Notice of Data Breach"

  • news

    "OT/IoT Malware Surges Tenfold in First Half of the Year"

    According to security researchers at Nozomi Networks, malware-related cyber threats in operational technology (OT) and Internet of Things (IoT) environments jumped tenfold year-on-year in the first six months of 2023. The researchers noted that specific to malware, denial-of-service (DoS) activity remains one of the most prevalent attacks against OT systems. This is followed by the remote access trojan (RAT) category commonly used by attackers to establish control over compromised machines. The researchers noted that distributed denial of service (DDoS) threats are the top threat in IoT network domains. The researchers stated that malicious IoT botnets remain active this year as threat actors continue to use default credentials in attempts to access chained IoT devices. Trojans, "dual use" malware, and ransomware were among the most commonly detected alerts across OT and IoT environments, with phishing a common vector for stealing information, establishing initial access, and deploying malware. The researchers stated that poor authentication and password hygiene topped the list of most prolific threats for the period, despite alerts declining by 22% YoY. However, network anomalies and attacks were up 15%, and access control and authorization threats surged 128%. The manufacturing, energy, healthcare, water, and wastewater sectors were hardest hit, alongside the public sector. The researchers found that water treatment organizations experienced a large number of generic network scans, while oil and gas facilities suffered OT protocol packet injection attacks. The researchers noted that "the number of OT/IoT vulnerabilities remains high, with 643 published during the six months, while Nozomi's honeypots detected an average of 813 unique attacks daily."

    Infosecurity reports: "OT/IoT Malware Surges Tenfold in First Half of the Year"

  • news

    "Firefox 116 Patches High-Severity Vulnerabilities"

    Mozilla recently announced the release of Firefox 116, Firefox ESR 115.1, and Firefox ESR 102.14, which include patches for multiple high-severity vulnerabilities. Mozilla lists 14 CVEs in its advisory, nine of which are rated high severity. Three of the CVEs refer to memory safety bugs in Firefox. The first of the high-severity flaws, tracked as CVE-2023-4045, is described as a cross-origin restrictions bypass in Offscreen Canvas, which failed to properly track cross-origin tainting. Mozilla noted that the issue can allow web pages to view images displayed in a page from a different site. Browsers include a same-origin policy that prevents HTML and JavaScript code originating on a website from accessing content on other sites. The second high-severity issue that Firefox 116 patches is CVE-2023-4046, which is described as the use of an incorrect value during WASM compilation. Mozilla noted that in some circumstances, a stale value could have been used for a global variable in WASM JIT analysis. This resulted in incorrect compilation and a potentially exploitable crash in the content process. Mozilla noted that the browser update also resolves CVE-2023-4047, a permission request bypass via clickjacking. A page could trick users into clicking on a carefully placed item but instead register the input as a click on a security dialog that was not displayed to the user. The three other high-severity vulnerabilities that Firefox 116 resolves include CVE-2023-4048 (an out-of-bounds read flaw causing DOMParser to crash when deconstructing a crafted HTML file), CVE-2023-4049 (race conditions leading to potentially exploitable use-after-free vulnerabilities), and CVE-2023-4050 (stack buffer overflow in StorageManager potentially leading to a sandbox escape). Mozilla noted that the memory safety bugs resolved in Firefox 116, tracked as CVE-2023-4056, CVE-2023-4057, and CVE-2023-4058, could have led to arbitrary code execution. Most of these high-severity issues, Mozilla says, also impact Firefox extended support and Thunderbird and were addressed in Firefox ESR 115.1, Firefox ESR 102.14, Thunderbird 115.1, and Thunderbird 102.14. Mozilla makes no mention of any of these vulnerabilities being exploited in attacks.

    SecurityWeek reports: "Firefox 116 Patches High-Severity Vulnerabilities"

  • news

    "Managing Technological Security of Smart Environment Monitoring Systems"

    New research in the International Journal of Critical Infrastructures presents guidance regarding securing water-related critical infrastructures and further emphasizes the need to protect environment monitoring technologies as cities evolve into smart cities. The research conducted by Anh Tuan Hoang and Xuan Ky Nguyen of the Vietnam National University in Hanoi focuses on the city of Quang Ninh and provides recommendations to help it construct resilient and secure systems. As cities evolve and systems become increasingly interconnected and dependent on Information Technology (IT), there is an urgent need to improve not only the required sensors and actuators for the smart city, but also to ensure that they can withstand cyberattacks and other forms of malicious activity. The current study explores the critical infrastructure of water systems in Vietnam, a nation where smart cities are a top priority. The team highlights the significance of protecting environmental monitoring technologies against various security threats. By focusing on Quang Ninh, the team has demonstrated the risks that a smart city may encounter and how critical infrastructure can be made watertight. The researchers have identified a strong relationship between technological security and environmental protection and management performance. The work underlines the human factors that can lead to the compromise of technological systems, calling for such factors to be closely examined to improve security and prevent social engineering-based cyberattacks. This article continues to discuss the study on managing the technological security of smart environment monitoring systems.

    Inderscience reports "Managing Technological Security of Smart Environment Monitoring Systems"

  • news

    "Alleged NATO Data Theft Leaked Hundreds of Sensitive Documents and Thousands of User Records"

    The North Atlantic Treaty Organization (NATO) is investigating the alleged theft of data by the hacktivist group known as SiegedSec. The threat actor claims to have compromised the Communities of Interest (COI) Cooperation Portal and stolen hundreds of confidential documents. According to SiegedSec, the data breach had nothing to do with the ongoing conflict between Russia and Ukraine. The threat intelligence company CloudSEK analyzed the 845 MB of leaked compressed data, discovering unclassified information and 8,000 employee records from 31 countries. The compromised information included names, business email addresses, home addresses, companies and units, working groups, job titles, and pictures. In addition, CloudSEK discovered 20 unclassified documents, while SiegedSec claims to have up to 700. Some leaked documents were several years old, while others were as recent as July 2023. Although the nature of the information in most leaked documents remains unknown, some contained a list of software used by NATO, including vendor information and version numbers. This article continues to discuss the alleged NATO data theft.

    CPO Magazine reports "Alleged NATO Data Theft Leaked Hundreds of Sensitive Documents and Thousands of User Records"

  • news

    "New Malware WikiLoader Targeting Italian Organizations"

    Researchers are warning about a malware downloader spoofing Italian organizations in order to deliver a banking Trojan to Italian companies. The downloader, dubbed WikiLoader by Proofpoint researchers, uses multiple methods to avoid detection. The financially-motivated threat actor, tracked as TA544, likely developed WikiLoader to rent it out to "select cybercriminal threat actors." The loader leads to the Ursnif banking Trojan, one of TA544's two preferred Trojans. Researchers named the downloader WikiLoader because the malware makes a request to Wikipedia and verifies that the response contains the string "The Free." Since December 2022, Proofpoint has observed at least eight campaigns distributing WikiLoader. This article continues to discuss findings regarding WikiLoader.

    BankInfoSecurity reports "New Malware WikiLoader Targeting Italian Organizations"

  • news

    "False Claims Attacks on Infrastructure Focus of NSF-Funded Research"

    False claims and disinformation in a society highly influenced by social media have become significant problems with potentially severe consequences. Researchers at the University of Oklahoma and collaborating institutions have received funding from the National Science Foundation's (NSF) Secure and Trustworthy Cyberspace (SaTC) program to study false claim attacks. Kash Barker, Ph.D., is the Principal Investigator (PI) leading a team of researchers exploring indirect attacks against infrastructure systems via unsuspecting users. In recent years, the number of false claims has increased, and studies suggest that most online users are initially tricked by fake news, as noted by Barker. When these incidents are weaponized by an adversary against US infrastructure networks, a damaging problem may occur. Disinformation can be used as a weapon to disrupt cyber-physical systems, human lives, and economic productivity. In these scenarios, chaos is caused not by systems or devices, but by "hacked" people. Imagine an adversary spreading information claiming that an electric company is offering free power during the hottest hours of the day, luring customers to use as much power as they want. This could exceed the grid's capacity and cause issues. Researchers will analyze the information and physical layers to combat these weaponized false claims. Both layers are intrinsically connected but are also individually vulnerable to attacks. This article continues to discuss the study on socio-technical approaches for securing cyber-physical systems from false claim attacks.

    The University of Oklahoma reports "False Claims Attacks on Infrastructure Focus of NSF-Funded Research"

  • news

    "Apple Users Open to Remote Control via Tricky macOS Malware"

    Researchers at Guardz have discovered Hidden Virtual Network Computing (hVNC) malware that infests Macs and silently executes complete takeovers without user permission. It also sports persistence through reboots. It's being sold at a lifetime price of $60,000 on the Dark Web, with add-ons available. Virtual Network Computing (VNC) software is typically used by IT teams to provide remote technical support to users. A doppelganger version of the tool is hVNC, which can be bundled into malware that operates covertly, gaining access without requesting permission from the user. According to the researchers, a macOS version of such a tool has emerged on Exploit, the infamous Russian underground forum. It specializes in bagging all manner of sensitive information, including login credentials, personal data, financial information, and more. The researchers noted that, concerningly for Apple users, the malware can also survive system reboots and other attempts at removal. The macOS hVNC identified by Guardz has been available since April, with updates made as recently as July 13, and was tested on a wide array of macOS versions from 10 through 13.2.

    Dark Reading reports: "Apple Users Open to Remote Control via Tricky macOS Malware"

  • news

    "Collide+Power Vulnerability Leaks Secrets Bit by Bit"

    Researchers in Austria and Germany have developed a power-monitoring side-channel attack that exposes sensitive data on modern computer chips. The Collide+Power attack analyzes the processor's power consumption to determine the contents of the CPU cache memory. It may expose encryption keys and other identifiers if an attacker has persistent access to the victim's hardware or to a cloud computing environment that shares hardware between tenants. The technique is described in a paper titled "Collide+Power: Leaking Inaccessible Data with Software-based Power Side Channels." Collide+Power is based on measuring how power usage varies when processing known data from the attacker and unknown data from the victim, and then inferring the unknown data based on differences between these measurements. This article continues to discuss the Collide+Power attack.

    The Register reports "Collide+Power Vulnerability Leaks Secrets Bit by Bit"

  • news

    "Researchers Claim US-Registered Cloud Host Facilitated State-Backed Cyberattacks"

    According to researchers at the cybersecurity company Halcyon, the US-registered cloud company Cloudzy provided web hosting and Internet services to over two dozen state-sponsored hacking groups and commercial spyware operators. In a recently published report, Halcyon noted that it had discovered Cloudzy to be "knowingly or unwittingly" serving as a command-and-control provider (C2P) for well-known state-sponsored hacking groups. C2Ps are Internet providers that enable hackers to host virtual private servers and other anonymized services for ransomware affiliates conducting cyberattacks and extortion. The groups that rely on Cloudzy include the China-backed espionage group APT10, North Korea-backed hacking group Kimsuky, and more. This article continues to discuss the facilitation of state-backed cyberattacks by a US-registered cloud company.

    TechCrunch reports "Researchers Claim US-Registered Cloud Host Facilitated State-Backed Cyberattacks"

  • news

    "Experts Discovered a Previously Undocumented Initial Access Vector Used by P2PInfect Worm"

    Cado Security has discovered a new variant of the peer-to-peer (P2P) worm known as P2PInfect, which targets Redis servers with a previously undocumented initial access vector. In July, researchers at Palo Alto Networks Unit 42 found the new P2P worm targeting Redis servers running on both Linux and Windows. P2PInfect is more scalable and potent than other worms due to its ability to target Redis servers running on Linux and Windows operating systems. The worm is written in the Rust programming language and exploits the Lua sandbox escape vulnerability, tracked as CVE-2022-0543 with a CVSS score of 10.0, to target Redis instances. The Muhstik and Redigo botnets have previously exploited this vulnerability in attacks against Redis servers. The malware exploits CVE-2022-0543 to gain initial access and then drops an initial payload that establishes P2P communication to the P2P network. Over the past two weeks, researchers have identified over 307,000 unique public Redis systems, 934 of which may be vulnerable to infection. This article continues to discuss the new variant of the P2PInfect worm.

    Security Affairs reports "Experts Discovered a Previously Undocumented Initial Access Vector Used by P2PInfect Worm"

  • news

    "Possible Chinese Malware in US Systems a ‘Ticking Time Bomb’: Report"

    The Biden administration recently announced that it believes China has implanted malware in key US power and communications networks in a "ticking time bomb" that could disrupt the military in the event of a conflict. The Times reported that the malware potentially gave China's People's Liberation Army the ability to disrupt US military operations if Beijing were to move against Taiwan at some point. The systems affected, the Times said, could allow China not only to cut off water, power, and communications to US military bases but also to homes and businesses across the United States. The report comes two months after Microsoft warned that state-sponsored Chinese hackers had infiltrated critical US infrastructure networks. Microsoft pointed out Guam, a US Pacific territory with a vital military outpost, as one target but said malicious activity had also been detected elsewhere in the United States. Microsoft stated that the stealthy attack carried out since mid-2021 was likely aimed at hampering the United States in the event of a regional conflict.
    Authorities in Australia, Canada, New Zealand, and Britain warned at the same time that Chinese hacking was likely taking place globally, affecting an extensive range of infrastructure. The Times said the discovery of the malware sparked a series of meetings in the White House Situation Room involving top military, intelligence, and national security officials to track down and eradicate the code. The White House issued a statement Friday saying, "The Biden administration is working relentlessly to defend the United States from any disruptions to our critical infrastructure, including by coordinating interagency efforts to protect water systems, pipelines, rail and aviation systems, among others." Reports of the malware operation come at a particularly strained point in US-China relations, with China aggressively asserting its claim that Taiwan is Chinese territory and the US seeking to ban sales of sophisticated semiconductors to Beijing.

    SecurityWeek reports: "Possible Chinese Malware in US Systems a 'Ticking Time Bomb': Report"

  • news

    "Bedding Giant Tempur Sealy Takes Systems Offline Following Cyberattack"

    Bedding products giant Tempur Sealy has recently shut down certain systems after falling victim to a cyberattack. Based in Lexington, Kentucky, Tempur Sealy manufactures and sells mattresses, pillows, and other bedding products under brands such as Cocoon, Sealy, Stearns & Foster, and Tempur. The company stated that the cyberattack was identified on July 23, 2023, and triggered the activation of "incident response and business continuity plans." This included proactively shutting down some of the company's IT systems, resulting in the temporary interruption of the company's operations. The company has started the process of restoring its critical IT systems and has already resumed operations, but the company did not say to what capacity. The company noted that the forensic investigation remains ongoing, and it continues to work to determine whether this incident will have a material impact on its business, operations, or financial results. The company stated that it has yet to determine if any personal information was compromised during the attack and would provide required notifications should that be the case.

    SecurityWeek reports: "Bedding Giant Tempur Sealy Takes Systems Offline Following Cyberattack"

  • news

    "Researchers Unveil New Cipher System that Protects Computers Against Spy Programs"

    With the development of a new, highly efficient cipher for cache randomization, a group of international researchers has made significant progress in computer security. The cipher, designed by Rei Ueno, an assistant professor from the Research Institute of Electrical Communication at Tohoku University, addresses the threat of cache side-channel attacks, providing improved security and performance. Cache side-channel attacks pose a significant threat to today's computer systems because they can stealthily extract sensitive data, such as secret keys and passwords. These attacks exploit flaws in the operating principles of modern computers, making countermeasures difficult. Cache randomization is a promising countermeasure, but identifying a secure and efficient mathematical function for this purpose has remained challenging. Therefore, Ueno and his team developed SCARF, which is based on a comprehensive mathematical formulation and modeling of cache side-channel attacks. This article continues to discuss the SCARF system developed to combat cache side-channel attacks.

    Tohoku University reports "Researchers Unveil New Cipher System that Protects Computers Against Spy Programs"

  • news

    "Stremio Vulnerability Exposes Millions to Attack"

    Researchers at CyFox have discovered a Dynamic Link Library (DLL) planting/hijacking vulnerability in the popular media center application Stremio, which attackers could exploit to execute code on a victim's system, steal information, and more. DLLs are files that can be dynamically linked and shared by multiple programs simultaneously. They are essential to Windows and numerous applications, including Stremio. They house standard functions that are shared by multiple applications, preventing code duplication and reducing executable file size. In addition, DLLs grant access to system resources such as device drivers, graphics processing, and networking. When a user launches a program on Windows, the program searches for and uses the required DLLs to function as intended. The flaw discovered by the researchers impacts version 4.4 of Stremio for Windows. It stems from the use of LoadLibraryA and LoadLibraryExA, two Windows Application Programming Interface (API) functions. The latter allows an attacker to place malicious DLLs in the application directory. This article continues to discuss findings regarding the Stremio vulnerability.

    Help Net Security reports "Stremio Vulnerability Exposes Millions to Attack"

  • news

    "Canon Warns of Wi-Fi Security Risks When Discarding Inkjet Printers"

    Canon is warning users of home, office, and large-format inkjet printers that the Wi-Fi connection settings stored in the devices' memories are not wiped during initialization, enabling access to the data for others. This vulnerability could pose a security and privacy risk to affected users if the printer memory is extracted by repair technicians, temporary users, or future buyers of the devices, allowing them to get their Wi-Fi network's connection information. Depending on the model and configuration, the information stored in a Canon printer may include the network SSID, password, network type, assigned IP address, MAC address, and network profile. This sensitive Wi-Fi connection information could help a malicious third party gain unauthorized access to a Canon printer user's network to which the printer was connected. The attacker can then access shared resources, steal data, or execute other privacy-invading attacks exploiting additional vulnerabilities. This article continues to discuss the Wi-Fi security risks that arise when discarding inkjet printers.

    Bleeping Computer reports "Canon Warns of Wi-Fi Security Risks When Discarding Inkjet Printers"

  • news

    "China's APT31 Suspected in Attacks on Air-Gapped Systems in Eastern Europe"

    A nation-state actor with ties to China is believed to have been behind a series of attacks against industrial organizations in Eastern Europe that occurred last year in an attempt to steal data from air-gapped systems. Researchers attributed the attacks with medium to high confidence to a hacking group called APT31, also known as Bronze Vinewood, Judgement Panda, and Violet Typhoon (formerly Zirconium), based on similarities in the observed techniques. The attacks involved over 15 different implants and their variants, classified into three broad categories based on their ability to establish persistent remote access, collect sensitive information, and send the collected data to actor-controlled infrastructure. According to researchers, one of the implant types appeared to be a sophisticated modular malware designed to profile removable drives and infect them with a worm to exfiltrate data from air-gapped industrial networks in Eastern Europe. This article continues to discuss APT31 attacks targeting industrial organizations in Eastern Europe to siphon data stored on air-gapped systems.

    THN reports "China's APT31 Suspected in Attacks on Air-Gapped Systems in Eastern Europe"

  • news

    "China's Volt Typhoon APT Burrows Deeper Into US Critical Infrastructure"

    The US military has been dealing with two significant cyber threats, one being the Chinese campaign called Volt Typhoon against military bases, and the other being an insider breach impacting Air Force and FBI communications. The Biden administration has confirmed that Volt Typhoon's malware is far more widespread than previously believed. Responders have discovered it within many networks that control the communications, power, and water supplying US military bases. These networks also affect ordinary businesses and individuals. It is difficult for investigators to determine the complete scale of the infestation. The Chinese state-aligned Advanced Persistent Threat (APT) behind Volt Typhoon, also known as Vanguard Panda, came to light after Microsoft uncovered Chinese cyber activity in Guam, the location of a US military base strategically critical to Taiwan's defense against Chinese aggression. This article continues to discuss China's Volt Typhoon APT as well as the insider breach affecting Air Force and FBI communications.

    Dark Reading reports "China's Volt Typhoon APT Burrows Deeper Into US Critical Infrastructure"

  • news

    Visible to the public "A Repository of Common Penetration Testing Weaknesses"

    Marisa Midler and Samantha Chaves, penetration testers with the Carnegie Mellon Software Engineering Institute's (SEI) Computer Emergency Response Team (CERT), have introduced a repository of penetration testing findings that is now publicly accessible on GitHub. The findings refer to the vulnerabilities and weaknesses discovered during a penetration test. The penetration testing findings repository is a collection of Active Directory, phishing, mobile technology, system, service, web application, and wireless technology weaknesses uncovered during a penetration test. For each finding, the repository includes default names, descriptions, remediation recommendations, references, mappings to multiple frameworks, and severity ratings. Standardization, streamlined reporting, comprehensiveness, and ease of navigation are the key goals of this repository and its structure. This article continues to discuss the repository of penetration testing findings.

    Carnegie Mellon University Software Engineering Institute reports "A Repository of Common Penetration Testing Weaknesses"

  • news

    Visible to the public "ASU Researcher Bridges Security and AI"

    The many advancements in Artificial Intelligence (AI) show that the technology is critical. In the realm of national security, experts are taking note of the impact of AI on the collective defense strategy. Paulo Shakarian, an associate professor of computer science in the School of Computing and Augmented Intelligence, part of the Ira A. Fulton Schools of Engineering at Arizona State University, is at the forefront of this important work, using his expertise in symbolic AI and neuro-symbolic systems, which are advanced forms of AI technology, to meet the needs of national security organizations. He has been invited to AI Forward, a series of workshops hosted by the US Defense Advanced Research Projects Agency (DARPA). Shakarian is one of 100 participants working to advance DARPA's initiative to explore new directions for AI research impacting various defense-related tasks, such as autonomous systems, intelligence platforms, military planning, big data analysis, and computer vision. This article continues to discuss Shakarian's work and insights on AI and security as well as DARPA's AI Forward initiative.

    Arizona State University reports "ASU Researcher Bridges Security and AI"

  • news

    Visible to the public "No Evidence Ransomware Victims With Cyber Insurance Pay Up More Often, UK Report Says"

    According to new research on the role of the insurance industry in driving the criminal ecosystem, there is no "compelling evidence" that victims of ransomware attacks with cyber insurance are more likely to make extortion payments than those without insurance. This independent study, sponsored by the UK's National Cyber Security Centre (NCSC) and the Research Institute for Sociotechnical Cyber Security, addresses concerns that the cyber insurance industry helps cybercriminals by covering ransom payments. Researchers from the Royal United Services Institute, the University of Kent, De Montfort University, and Oxford Brookes University conducted the study. While there is evidence that cyber insurance policies exfiltrated during attacks are used as leverage in negotiations and to increase ransom demands, the conclusion that ransomware operators deliberately target organizations with insurance has been overstated, according to the study. This article continues to discuss findings from the study on the role of cyber insurance in addressing the threats posed by ransomware.

    The Record reports "No Evidence Ransomware Victims With Cyber Insurance Pay Up More Often, UK Report Says"

  • news

    Visible to the public "Google: 'Vulnerabilities Persist Too Long on Android'"

    Google has published its annual report regarding zero-day vulnerabilities. In the report, Google's Threat Analysis Group (TAG) notes that patches are often unavailable to Android users for too long. The research group discovered 41 zero-day vulnerabilities in the wild. As the developer of Android, Google controls its own patch policy, whereas many smartphone manufacturers release their own version of the operating system. Examples include Samsung's OneUI and Nothing's NothingOS, but numerous others exist. After each Android update, there may be some delay between the release of a patch for "vanilla" Android, such as that found on Pixel smartphones, and the release of patches for Android offshoots. Google does not identify a specific vendor whose patch policy is not in order. This article continues to discuss key findings and observations from Google in regard to zero-day vulnerabilities.

    Techzine reports "Google: 'Vulnerabilities Persist Too Long on Android'"

  • news

    Visible to the public "Administration Launches National Cyber Workforce and Education Strategy to Address Cyber Workforce Needs"

    The Biden-Harris Administration has unveiled the National Cyber Workforce and Education Strategy (NCWES) to address immediate and long-term cyber workforce needs. Filling the many cyber positions in the US is a national security imperative. The NCWES emphasizes the urgent need to fill a vast number of vacant cyber positions. Many communities that are presently underrepresented in the cyber workforce do not see themselves in cyber jobs or are unaware of the opportunity to join this critical and expanding workforce. The new strategy is committed to empowering Americans to pursue cyber careers. The NCWES follows the publication of the President's National Cybersecurity Strategy, which outlined a vision for developing a digital environment that is aligned with values and adequately resourced to address today's complex threat environment. This article continues to discuss the purpose and pillars of the NCWES.

    HSToday reports "Administration Launches National Cyber Workforce and Education Strategy to Address Cyber Workforce Needs"

  • news

    Visible to the public "Hackers Exploit BleedingPipe RCE to Target Minecraft Servers, Players"

    It has recently been discovered that hackers are actively exploiting a "BleedingPipe" remote code execution vulnerability in Minecraft mods to run malicious commands on servers and clients, allowing them to take control of the devices. BleedingPipe is a vulnerability found in many Minecraft mods caused by the incorrect use of deserialization in the "ObjectInputStream" class in Java to exchange network packets between servers and clients. The adversaries send specially crafted network packets to vulnerable Minecraft mod servers to take over the servers. The threat actors can then use those hacked servers to exploit the flaws in the same Minecraft mods used by players that connect to the server, allowing them to install malware on those devices as well. In a new report by a Minecraft security community (MMPA), the researchers have found that the flaw impacts many Minecraft mods running on 1.7.10/1.12.2 Forge, which uses unsafe deserialization code.

    BleepingComputer reports: "Hackers Exploit BleedingPipe RCE to Target Minecraft Servers, Players"

  • news

    Visible to the public "Android Malware Steals User Credentials Using Optical Character Recognition"

    Researchers have uncovered malicious Android apps that use optical character recognition to steal credentials displayed on smartphone screens. The malware, dubbed CherryBlos by Trend Micro security researchers, has been embedded in at least four Android apps available outside of Google Play, particularly on sites promoting money-making scams. One of the apps was available on Google Play for nearly a month without the malicious CherryBlos payload. The researchers also found suspicious apps created by the same developers on Google Play, but they did not contain the payload. The apps concealed their malicious functionality with great care. This article continues to discuss findings regarding the CherryBlos malware.

    Ars Technica reports "Android Malware Steals User Credentials Using Optical Character Recognition"

  • news

    Visible to the public "FBI Says AI Is Making It Easier for Hackers to Write Malware"

    The FBI has further emphasized that Artificial Intelligence (AI) helps nearly every aspect of cybercriminal activity, from development to deployment, and this trend is continuing. On a recent media call, an FBI official suggested that free, customizable open source models are gaining popularity among hackers attempting to spread malware, conduct phishing attacks, and carry out other scams. There has also been a significant increase in the number of AI writers created by hackers specifically to target vulnerable Internet users. Generative AI offers much assistance in launching cyberattacks, due to its powerful coding capabilities. Now that tens of models have been trained to write and fix code, malware development is more accessible to those who previously lacked the skill. The FBI and other organizations have also observed content creation tools being used to write phishing emails and develop malicious websites. In addition, with the introduction of multimodal models such as GPT-4, hackers can create convincing deepfakes to coerce victims into handing over sensitive information, payment, and more. This article continues to discuss the FBI's warning regarding cybercriminals using AI to create and launch attacks.

    TechRadar reports "FBI Says AI Is Making It Easier for Hackers to Write Malware"

  • news

    Visible to the public "Weintek Weincloud Vulnerabilities Allowed Manipulation, Damaging of ICS Devices"

    Security researchers at TXOne Networks have discovered that several vulnerabilities in a Weintek product could have been exploited to manipulate and damage industrial control systems (ICS). The security holes impact Taiwan-based Weintek's Weincloud, a cloud-based product designed for remotely managing human-machine interfaces (HMIs) and operations. According to a recent advisory published by CISA, the affected product is used by organizations worldwide, particularly in the critical manufacturing sector. Weintek patched the vulnerabilities with an account API update, and no action is required from users. The TXOne researchers confirmed that exploitation no longer appears possible. Four types of security holes have been found in Weintek Weincloud, three of which have been assigned "high severity" ratings. The researchers noted that one of them could have been exploited to reset an account's password by using the corresponding JWT token. Another issue could have been leveraged to log in with testing credentials to the official website by abusing the registration functionality. The third high-severity flaw could be used to cause a DoS condition. The fourth issue, classified as "medium severity," could have been exploited for brute-force attacks.

    SecurityWeek reports: "Weintek Weincloud Vulnerabilities Allowed Manipulation, Damaging of ICS Devices"

  • news

    Visible to the public "Hackers Threaten to Auction off DNA Patient Records From Oklahoma Hospital"

    The Karakurt ransomware group is targeting the McAlester Regional Health Center in Oklahoma, claiming to have stolen over 126 GB of data from the facility, including DNA patient records. Karakurt announced its plans to publish samples and auction 117 GB of the hospital's sensitive data. The group claims that this cache contains at least 40 GB of stolen genetic DNA patient records. According to a report from Nature Reviews Genetics, stolen genetic material can be used for malicious purposes, including blackmail and/or profiting through fake paternity results as well as revealing predispositions to disease and existing medical conditions that could affect employment prospects, insurance premiums, and more. The US Cybersecurity and Infrastructure Security Agency (CISA) first profiled the Karakurt gang in an advisory released in June 2022. The threat actors are suspected to be an offshoot of the Russian-affiliated Conti group, notorious for its double extortion tactics and aggressive nature. CISA reported that the group uses various tactics, techniques, and procedures (TTPs), posing significant defense and mitigation challenges. This article continues to discuss the Karakurt ransomware group threatening to auction off DNA patient records from the McAlester Regional Health Center.

    Cybernews reports "Hackers Threaten to Auction off DNA Patient Records From Oklahoma Hospital"

  • news

    Visible to the public "AVRecon Botnet Leveraging Compromised Routers to Fuel Illegal Proxy Service"

    The AVRecon botnet has been observed using compromised small office/home office (SOHO) routers since at least May 2021 as part of a multi-year campaign. Lumen Black Lotus Labs disclosed AVRecon earlier this month as malware capable of executing additional commands and stealing a victim's bandwidth for an illegal proxy service offered to other malicious actors. It has also surpassed QakBot in scale, having infiltrated more than 41,000 nodes in 20 countries. The malware has been used to establish residential proxy services to hide malicious activity, including password spraying, web-traffic proxying, and ad fraud. According to new research, AVRecon is the malware engine behind SocksEscort, a 12-year-old service that rents compromised residential and small business devices to cybercriminals seeking to cover their true location online. The connection is based on direct correlations between SocksEscort and the command-and-control (C2) servers of AVRecon. This article continues to discuss new findings regarding the AVRecon botnet.

    THN reports "AVRecon Botnet Leveraging Compromised Routers to Fuel Illegal Proxy Service"

  • news

    Visible to the public "Linux Version of Abyss Locker Ransomware Targets VMware ESXi Servers"

    The Abyss Locker operation has developed a Linux encryptor that targets VMware's ESXi Virtual Machine (VM) platform for enterprise-level attacks. As businesses migrate from individual servers to VMs for improved resource management, performance, and disaster recovery, ransomware groups develop encryptors that are specifically designed to target the platform. Considering that VMware ESXi is one of the most widely-used VM platforms, nearly every ransomware group has begun releasing Linux encryptors to encrypt all virtual servers on a device. Other ransomware operations that use Linux ransomware encryptors include Akira, Royal, Black Basta, LockBit, BlackMatter, AvosLocker, REvil, Hello Kitty, RansomEXX, and Hive, with most targeting VMware ESXi. This article continues to discuss the Linux version of Abyss Locker ransomware.

    Bleeping Computer reports "Linux Version of Abyss Locker Ransomware Targets VMware ESXi Servers"

  • news

    Visible to the public "Web Browsing Is the Primary Entry Vector for Ransomware Infections"

    Researchers at Palo Alto Networks discovered that in 2022, the most widely used ransomware delivery method was URL or web browsing. In 2021, it was email attachments (i.e., delivery via SMTP, POP3, and IMAP protocols), but in 2022, only 12 percent of attempts used this particular delivery channel. In 8.2 percent of ransomware infections recorded by the company in 2022, the primary entry vector was third-party applications. Palo Alto Networks has been tracking and analyzing ransomware-hosting URLs and hostnames. Based on a large, random sample (7,000 URLs out of 27,000 unique ones), they identified several techniques used by ransomware groups to prevent their websites from being identified, taken down, or blocked. The perpetrators have been observed rotating different URLs/hostnames to host the same ransomware or using the same URL to deliver different ransomware. Some attackers engage in both of these tactics. This article continues to discuss key findings regarding ransomware delivery URLs.

    Help Net Security reports "Web Browsing Is the Primary Entry Vector for Ransomware Infections"

  • news

    Visible to the public "Another AI Pitfall: Digital Mirroring Opens New Cyberattack Vector"

    "Digital twins," or Artificial Intelligence (AI) assistants trained to serve needs by learning about and, in some ways, imitating users, can be turned against people in various ways. According to Ben Sawyer, a professor at the University of Central Florida, and Matthew Canham, the CEO of Beyond Layer Seven, despite the uproar over how Large Language Models (LLMs) will allow hackers to create increasingly sophisticated phishing emails, vishing calls, and bots, this type of activity is nothing new. There is already much discussion regarding the insecurity of LLMs, as both researchers and attackers experiment with breaking and manipulating them. Today's social engineering attacks rely on an attacker's ability to closely imitate familiar entities such as coworkers or brands. Sawyer and Canham believe that the future of social engineering will be defined by AI's ability to imitate people and manipulate subconscious preferences. This article continues to discuss how LLMs can be hacked as well as the use of AI to build digital personas to make it easier for malicious actors to create more convincing attacks.

    Dark Reading reports "Another AI Pitfall: Digital Mirroring Opens New Cyberattack Vector"

  • news

    Visible to the public "Pacific Northwest National Laboratory and The University of Texas at El Paso Collaborate to Strengthen Data Protection"

    Researchers are collaborating to enhance the privacy and security of sensitive data that may include Personally Identifiable Information (PII). Tony Chiang, Data Scientist at Pacific Northwest National Laboratory (PNNL), and Amy Wagler, Professor of Mathematical and Computational Sciences at the University of Texas at El Paso (UTEP), are leading the project. Data privacy and sharing remain a persistent challenge in today's technologically advanced world. The PNNL and UTEP project team wants to protect data from security breaches by creating a Generative Adversarial Network (GAN), or Machine Learning (ML) model, in which two neural networks compete using deep learning techniques to make more accurate predictions. The GAN will use synthetic data instead of real data. The model's discriminators will be incapable of distinguishing between the two data sets, making it impossible to identify and differentiate sensitive data from synthetic data, which is crucial in industries that deal with sensitive data, such as healthcare. This article continues to discuss the PNNL and UTEP project aimed at strengthening the protection of sensitive data.

    Pacific Northwest National Laboratory reports "Pacific Northwest National Laboratory and The University of Texas at El Paso Collaborate to Strengthen Data Protection"

  • news

    Visible to the public "Improving Cybersecurity: New Ways to Protect Data"

    Nektarios Tsoutsos, an assistant professor in the Department of Electrical and Computer Engineering in the College of Engineering at the University of Delaware, is developing new methods to protect data when cloud services are compromised. With support from the Faculty Early Career Development (CAREER) Program of the National Science Foundation (NSF), Tsoutsos will develop advanced cryptographic algorithms and programming strategies to protect user information for various applications. Tsoutsos and his lab will accelerate end-to-end encryption algorithm development to be simpler, usable, and easily integrated into existing computer programming paradigms. A part of the CAREER award will be used to advance Tsoutsos' work on homomorphic encryption, which enables end-to-end encryption in a way that allows data to be processed and analyzed without compromising its security. The initial work will focus on encrypted Machine Learning (ML) so that users can securely send their data to the cloud for complex analysis. This article continues to discuss Tsoutsos' work on developing advanced cryptographic algorithms and programming strategies to help safeguard user information.

    The University of Delaware reports "Improving Cybersecurity: New Ways to Protect Data"

  • news

    Visible to the public "Impact of Password Management Strategies on the Trust Enhancement in the Digital Era"

    According to research published in the International Journal of Business Performance Management, password management strategies can boost trust in digital services. The most significant barrier to password management is a lack of awareness among potential users, despite campaigns emphasizing the importance of using strong passwords for logins and not reusing passwords. The research is a call to action for digital service providers to encourage user adoption of a robust password management strategy. Nitin Bansal of the SBI School of Banking and Commerce and Krishna Nath Pandey of the Sunrise University, both in Rajasthan, India, surveyed over 400 individuals in the National Capital Region (NCR) of India to examine the adoption of digital services, security concerns, and how those who use digital services manage their logins and passwords. The survey found that people are becoming more willing to use digital services, but security concerns often prevent them from doing so. The research suggests that password management education can increase user trust and usage. This article continues to discuss the study on the impact of password management strategies on trust enhancement in the digital era.

    Inderscience reports "Impact of Password Management Strategies on the Trust Enhancement in the Digital Era"

  • news

    Visible to the public "Research Shows That Business Continuity Response Measures Are Not Keeping Pace With Cyber Threats"

    New research commissioned by Cohesity reveals that most businesses lack the cyber resilience strategies and data security capabilities necessary to address today's escalating cyber threats and maintain business continuity. In addition, cyber resilience efforts are not keeping up with cyber threats, as data security and recovery technology deficiencies reduce cyber insurance eligibility and amplify the repercussions of a successful cyberattack. Comparing the cybersecurity outlook for 2023 to 2022, 93 percent of respondents felt that ransomware attacks posed a greater threat to their industry in 2023. Nearly half of respondents (45 percent) said their company had fallen victim to a ransomware attack within the previous six months. Eighty percent are concerned about their organization's cyber resilience strategy and whether or not it can address cyber challenges and threats. When asked how long their organization would take to recover data and business processes after a cyberattack, over 95 percent of respondents said it would take longer than 24 hours, 71 percent said longer than four days, and 41 percent said longer than a week. This article continues to discuss key findings from the survey of 3,409 Information Technology (IT) and Security Operations (SecOps) decision-makers.

    Continuity Central reports "Research Shows That Business Continuity Response Measures Are Not Keeping Pace With Cyber Threats"

  • news

    Visible to the public "Field Campaign Assesses Vulnerabilities of 5G Networks"

    A team from the MIT Lincoln Laboratory traveled to Hill Air Force Base (AFB) near Salt Lake City, Utah, to assess the vulnerabilities of 5G networks. Fifth-generation, or 5G, mobile network technology is designed to provide higher data rates, ultralow latency, enhanced reliability, expanded configurability, increased network capacity, and connectivity between a greater number of users. The US Department of Defense (DOD) wants to incorporate these commercial advancements into their communications systems, but 5G lacks adequately robust security features. For military applications, wireless connectivity makes communications susceptible to unintended detection (i.e., identifying the presence of signals), unwarranted geolocation (i.e., determining the origin of signals), and intentional jamming (i.e., preventing the transmission and reception of signals). Before the DOD can fully leverage 5G technology, vulnerabilities in networking must be identified, quantified, and mitigated. This article continues to discuss the Lincoln Laboratory team assessing the vulnerabilities of 5G and developing potential solutions to make this technology resilient.

    MIT Lincoln Laboratory reports "Field Campaign Assesses Vulnerabilities of 5G Networks"

  • news

    Visible to the public "University of Rochester Updates Investigation Into Data Breach"

    On Tuesday, the University of Rochester sent an update to faculty, students, and staff regarding a June data breach impacting dozens of organizations through a third-party vendor MOVEit. A spokesperson from the University of Rochester stated that after an investigation, they determined the university's broad network security was not impacted. UR Medicine's eRecord, MyChart, and clinical applications were also secure. The spokesperson noted that the data breach may have exposed some of the personal information of students and employees, along with their spouses, domestic partners, and dependents. The university says all individuals directly impacted by the breach will receive a letter in the mail detailing the exact data that was compromised. The letters will be mailed no later than the week of July 31. The University of Rochester is also offering two years of free credit monitoring to anyone whose personal data was found to be compromised by the cybersecurity incident.

    WROC Rochester reports: "University of Rochester Updates Investigation Into Data Breach"

  • news

    Visible to the public "Sandia Helps Develop Digital Tool to Track Cloud Hackers"

    Sandia programmers are helping the US Cybersecurity and Infrastructure Security Agency (CISA) in its hunt for hackers and cyber terrorists through an innovative program that enlists Microsoft cloud users worldwide. In March, Untitled Goose Tool was announced via a CISA alert. Wellington Lee, a Sandia cybersecurity expert, was part of the team that created the free tool for tracking potentially malicious activities in Microsoft Azure, Azure Active Directory, and Microsoft Office 365 environments. Untitled Goose Tool is a suite of data collection tools capable of quickly scouring a virtual storage space for signs of a potentially malicious user accessing the data, collecting data on how they accessed the cloud space, and returning the data to CISA's security experts for assessment. This article continues to discuss the new toolset developed to quickly analyze and isolate unusual data in cloud computing environments.

    Sandia National Laboratories reports "Sandia Helps Develop Digital Tool to Track Cloud Hackers"

  • news

    Visible to the public "Cryptography May Offer a Solution to the Massive AI-Labeling Problem"

    The European Union (EU) will soon require some technology platforms to label their Artificial Intelligence (AI)-generated images, audio, and videos with "prominent markings" showing their synthetic origins. In addition, the White House wants major AI companies to disclose when their content was created using AI. However, identifying material created by AI is a significant technical challenge. According to researchers, the best available options, such as AI-powered detection tools and watermarking, are inconsistent, temporary, and occasionally inaccurate. C2PA is another approach that has recently garnered much interest. It is a relatively new open source Internet protocol that uses cryptography to encode information about the origins of a piece of content, or "provenance" information. The creators of C2PA compare the protocol to a nutrition label, except that it reveals the origin of the content and who or what created it. The project, which is part of the nonprofit Joint Development Foundation, was initiated by Adobe, Arm, Intel, Microsoft, and Truepic, who formed the Coalition for Content Provenance and Authenticity (from which the protocol gets its name). This article continues to discuss what C2PA is and how it is being used.

    MIT Technology Review reports "Cryptography May Offer a Solution to the Massive AI-Labeling Problem"

  • news

    Visible to the public "Zimbra Patches Exploited Zero-Day Vulnerability"

    Zimbra recently released patches for a cross-site scripting (XSS) vulnerability in Collaboration Suite that has been exploited in malicious attacks. The vulnerability is tracked as CVE-2023-37580 and was disclosed earlier this month when Zimbra recommended manual patching for version 8.8.15 of the popular email and collaboration solution. No CVE identifier had been issued for the flaw at the time, but Clement Lecigne from Google's Threat Analysis Group (TAG) said that in-the-wild exploitation had been observed. Zimbra recently announced software updates for Zimbra Collaboration Suite versions 8.8.15, 9.0.0, and 10.0.x. A fix for the exploited security bug was included in version 8.8.15 patch 41 of the solution. The company noted that the update resolves two other vulnerabilities in the suite, namely CVE-2023-38750, an issue leading to the exposure of internal JSP and XML files, and CVE-2023-0464, a bug "related to the verification of X.509 certificate chains that include policy constraints" in OpenSSL. Patches for the last two flaws were also included in the Zimbra Collaboration Suite versions 10.0.2 and 9.0.0 patch 34. CVE-2023-37580, however, only impacts version 8.8.15 of the solution.

    SecurityWeek reports: "Zimbra Patches Exploited Zero-Day Vulnerability"

  • news

    Visible to the public "North Korean Hackers Bag Another $100m in Crypto Heists"

    North Korea's infamous Lazarus hacking group has been linked to two new attacks on cryptocurrency firms which led to the theft of nearly $100m in virtual currency. CoinsPaid said in an update this week that $37.3m was stolen from the firm. The company claimed that despite the multimillion-dollar loss, customer funds remained intact, although it admitted that the platform's availability had suffered. Lazarus was also linked to an even bigger raid on crypto payments provider Alphapo last Sunday. Blockchain experts explained that Alphapo hot wallets had initially been drained of $23m in Ethereum, Tron, and Bitcoin. However, the experts updated that original estimate days later, revealing that an additional $37m in Tron and Bitcoin was found missing, bringing the total to $60m.

    Infosecurity reports: "North Korean Hackers Bag Another $100m in Crypto Heists"

  • news

    Visible to the public "Researchers Discover New Vulnerability in Large Language Models"

    Large Language Models (LLMs) apply deep learning techniques to process and generate text. This Artificial Intelligence (AI) technology has resulted in the development of open source and publicly accessible tools, such as ChatGPT, Claude, Google Bard, and more. Recent work has focused on aligning LLMs to prevent undesirable generation. For example, public chatbots will not generate inappropriate content if asked directly. Although attackers have been able to evade these measures, their strategy often requires significant human creativity, and the results have been found to be inconsistent. Researchers from the School of Computer Science (SCS) at Carnegie Mellon University (CMU), the CyLab Security and Privacy Institute, and the Center for AI Safety in San Francisco have discovered a new vulnerability, proposing a simple and effective attack method that can cause aligned LLMs to generate objectionable behaviors with a high success rate. In their study titled "Universal and Transferable Attacks on Aligned Language Models," CMU Associate Professors Matt Fredrikson and Zico Kolter, Ph.D. student Andy Zou, and CMU alum Zifan Wang discovered a suffix that, when attached to a wide range of queries, significantly increases the chance that both open and closed source LLMs will deliver affirmative responses to queries they would otherwise reject. This article continues to discuss the vulnerability found in LLMs.

    CyLab reports "Researchers Discover New Vulnerability in Large Language Models"

  • news

    "New Cybersecurity Advisory Warns About Web Application Vulnerabilities"

    The National Security Agency (NSA) collaborated with US and international cyber agencies to issue the Cybersecurity Advisory (CSA) titled "Preventing Web Application Access Control Abuse," which warns that vulnerabilities in web applications, including Application Programming Interfaces (APIs), may enable malicious actors to manipulate and access sensitive data. The partnering agencies, which include the Australian Cyber Security Centre (ACSC), the US Cybersecurity and Infrastructure Security Agency (CISA), and the NSA, provide vendors, designers, developers, and consumer organizations with guidance to mitigate Insecure Direct Object Reference (IDOR) vulnerabilities in web applications. IDOR vulnerabilities are web application access control flaws that allow malicious actors to modify, delete, or access sensitive data. The exploitation of these vulnerabilities could affect any web application, including those deployed in Software-as-a-Service (SaaS) used for cloud applications, private cloud models proprietary to the organization's infrastructure, and others. This article continues to discuss the CSA on preventing the abuse of access control vulnerabilities in web applications.

    NSA reports "New Cybersecurity Advisory Warns About Web Application Vulnerabilities"

  • news

    "Hackers Abusing Windows Search Feature to Install Remote Access Trojans"

    Hackers could exploit a legitimate Windows search feature to download arbitrary payloads from remote servers and compromise targeted systems with Remote Access Trojans (RATs) such as AsyncRAT and Remcos RAT. According to Trellix, the novel attack technique makes use of the "search-ms:" URI protocol handler, which allows applications and HTML links to launch custom local searches on a device. The technique also involves the "search:" application protocol, which is a mechanism for calling the desktop search application on Windows. Attackers are directing users to websites that exploit the 'search-ms' functionality through JavaScript on the page. This technique has been expanded to include HTML attachments. In such attacks, threat actors have been observed crafting deceptive emails with embedded hyperlinks or HTML attachments containing URLs redirecting users to compromised websites. This causes the execution of JavaScript that uses the URI protocol handlers to perform searches on a server under the attacker's control. This article continues to discuss the abuse of a legitimate Windows search feature by hackers to install RATs.

    THN reports "Hackers Abusing Windows Search Feature to Install Remote Access Trojans"