News Items

Security researchers at Check Point have discovered that internet-connected Peloton fitness equipment is plagued with numerous security issues that could allow attackers to obtain device information or deploy malware. The researchers analyzed the software running on the Peloton Treadmill and revealed exposure to security risks associated with Android devices that are not updated to the most recent platform iterations, as well as risks posed by attackers with physical access to the device. The treadmill runs Android 10, which does not contain patches for more than 1,000 vulnerabilities that have been addressed in the operating system over the past three years. Furthermore, the device was found to have USB debugging enabled, meaning that an attacker with physical access could retrieve a list of all installed packages and could also obtain shell access, compromising the treadmill completely. The researchers noted that an attacker could use specific commands to exfiltrate data from the treadmill, or they could exploit the existing applications, which are compiled using different SDK versions. Applications can also be fetched for reverse engineering and for extracting secrets. According to the researchers, some applications on the device incorporate rooting detection mechanisms, but an attacker could use certain techniques to identify further vulnerabilities in the applications at runtime. Additionally, the researchers identified hardcoded sensitive information on the device, such as a license key for a text-to-speech voice service. The service could be abused for denial-of-service (DoS). The researchers noted that certain unprotected services were also identified on the treadmill, potentially allowing malicious applications to escalate privileges and gain access to sensitive data or to abuse broadcast receivers and send the device into an infinite loop, preventing updates. The researchers also discovered "differences in the signature scheme of the installed apps," which could potentially expose the device to malicious attacks. The researchers stated that the treadmill operating system includes numerous standard APIs that can be exploited to execute Android code, allowing attackers to carry out nefarious actions from a networking perspective and take advantage of the device's always-on nature. Moreover, the presence of a webcam and microphone makes the treadmill vulnerable to eavesdropping attacks if malware is installed. The researchers were able to sideload a mobile remote access tool (MRAT) on the device, gaining full access to the treadmill's functionality, including audio recording, taking photos, accessing geolocation, and abusing the network stack. According to the researchers, the compromised device also provided "full access to the local area network," which could be leveraged for additional malicious activities. After being informed of these issues, Peloton told the researchers that "they meet expected security measures for Android-based devices," pointing out that physical access is required for exploitation.

SecurityWeek reports: "Multiple Security Issues Identified in Peloton Fitness Equipment"

DepositFiles is a service that claims to be the ideal location to store and share files. However, researchers discovered DepositFiles' publicly hosted environment configuration (config) file, a critical record of how to run software. The file exposed payment service credentials, Abuse and Support email credentials, and more. Due to this exposure, the service's clients are at risk of having their Personal Identifiable Information (PII), files, and passwords stolen. Researchers noted that attackers could also target the company with malware, ransomware, and unauthorized access to business payment systems. They believe that the environment configuration file was exposed beginning in February 2023 based on the indexing of another sensitive file. This article continues to discuss DepositFiles' environment configuration file being left accessible and the potential impact of this exposure.

Security Affairs reports "DepositFiles Exposed Config File, Jeopardizing User Security"

In the first quarter of 2023, the number of incidents involving infostealer malware more than doubled compared to last year, mainly targeting Windows, Linux, and macOS. According to a recent study by Uptycs, most of the perpetrators behind infostealer malware use Telegram as a platform for command-and-control (C2) and data exfiltration. Infostealer malware targets victims by stealing passwords, login credentials, and other sensitive information. Following the collection of personal information, the stealer sends it to the malicious actor's C2 system. Uptycs' examination of the dark web revealed that RedLine has the largest market share, followed by Raccoon and the RecordBreaker stealer. Newcomer Meta, Vidar, Cryptbot, and AZORult are other widely-used infostealers. This article continues to discuss key findings from Uptycs' latest report on infostealers.

SC Magazine reports "Infostealer Incidents More Than Doubled in Q1 2023"

A cyberattack on an NHS supplier has recently left two ambulance trusts serving millions of people without access to electronic patient records. Swedish healthcare IT firm Ortivus said in a statement that an attack on July 18 left affected UK customers using its hosted data center. Ortivus noted that electronic patient records are currently unavailable and are, until further notice, handled using manual systems. No patients have been directly affected. The company stated that no other systems have been attacked, and no customers outside of those in the hosted data center have been affected. Ortivus noted that it is currently working in close collaboration with the affected customers to restore the systems and recover data. The affected customers are the ones using MobiMed ePR, electronic patient record systems in a hosted environment. BBC claimed that South Central Ambulance Service (SCAS) and South Western Ambulance Service (SWASFT) are both affected by the incident. Neither trust has released any information publicly about the incidents. Although Ortivus claimed no patients have been directly affected, if ambulances turn up without the ability to access patient records, it's likely that the standard of care will suffer. The two trusts are said to serve around 12 million people in the south of England.

Infosecurity reports: "Supply Chain Attack Hits NHS Ambulance Trusts"

Two recently introduced Linux vulnerabilities in the Ubuntu kernel make it possible for unprivileged local users to acquire elevated privileges on a large number of devices. Ubuntu is one of the most popular Linux distributions, particularly in the US, with an estimated 40 million users. Two vulnerabilities tracked as CVE-2023-32629 and CVE-2023-2640, discovered by Wiz researchers, were recently introduced into the operating system, affecting about 40 percent of Ubuntu's users. CVE-2023-2640 is a high-severity (CVSS v3 score: 7.8) vulnerability in the Ubuntu Linux kernel that allows a local attacker to gain elevated privileges. CVE-2023-32629 is a medium-severity (CVSS v3 score: 5.4) vulnerability in the Linux kernel memory management subsystem, where a race condition when accessing VMAs may result in use-after-free, allowing arbitrary code execution by a local attacker. This article continues to discuss the discovery and impact of the Linux vulnerabilities.

Bleeping Computer reports "Almost 40% Of Ubuntu Users Vulnerable to New Privilege Elevation Flaws"

Hackers are planting "malvertisements" for widely-used Information Technology (IT) tools on search engines in an attempt to lure IT professionals and conduct ransomware attacks in the future. The scheme involves pay-per-click advertisements on Google and Bing, which link to compromised WordPress sites and phishing pages that resemble download pages for software such as AnyDesk, Cisco AnyConnect, TreeSize Free, and WinSCP. Unsuspecting visitors end up downloading the intended software along with a Python package containing initial access malware, which the attackers then use to launch additional payloads. Sophos researchers have dubbed the campaign "Nitrogen." Several technology companies and nonprofits in North America have already been affected. Although none of the known cases have been successful, the researchers found that hundreds of brands have been co-opted for this type of malvertising across multiple campaigns in the past few months. This article continues to discuss findings and observations regarding the malicious Nitrogen campaign.

Dark Reading reports "'Nitrogen' Ransomware Effort Lures IT Pros via Google, Bing Ads"

Cellular networks are essential for various applications, including phone calls and Internet access. However, the growth of fake base stations in cellular networks, sometimes known as stingrays, cell-site simulators, or IMSI catchers, poses a major security threat with potentially severe consequences. Attackers can use fake base stations as stepping stones for different multi-step attacks, including signal counterfeiting, numb attacks, detach/downgrade attacks, energy depletion attacks, and panic attacks. These attacks can cause significant harm to individuals, businesses, and even governments. Therefore, security researchers at Purdue University's Department of Computer Science led a recent study demonstrating how high-quality datasets could be used to detect fake base stations in cellular networks using Machine Learning (ML) algorithms. This article continues to discuss the security researchers' work on high-quality datasets that could be used to detect fake base stations in cellular networks using ML algorithms.

Purdue University reports "Researchers Uncover Fake Base Stations in Cellular Networks Using Machine Learning"

Reports of "hacktivism" are rising, with 2022 seeing a significant resurgence in the area, primarily fueled by the Russia-Ukraine conflict. According to Radware data, from February 18 to April 18 this year, hacktivists claimed over 1,800 Distributed Denial-of-Service (DDoS) attacks across 80 Telegram channels. Since the Russia-Ukraine conflict, hacktivism has experienced a resurgence, with loosely affiliated groups of partisans or volunteers being pitted against nation-states. Some well-known hacktivist groups include the IT Army, Guacamaya, and SiegedSec. The infamous pro-Russian entity NoName057(16) engages in targeted DDoS campaigns across multiple sectors in NATO countries. CyberArmyofRussia_Reborn (CARR) has been identified by Mandiant as a Russian hacktivist group conducting DDoS attacks against Ukraine. KillNet, a prominent pro-Russian hacktivist group, consistently targets the US and Europe with DDoS attacks. It may appear that these types of groups are becoming more prevalent, but cybersecurity experts paint a more nuanced picture, noting that it is unclear whether the practice is becoming more widespread, if the term is being redefined, or if it is being used as a cover for more traditional malicious activity in cyberspace, such as ransomware and cyber espionage. This article continues to discuss notable hacktivist groups, the potential use of hacktivism as a cover, and the future of such activity.

SC Magazine reports "Hacktivism: Is It Fashionable Again or Just a Sly Cover?"

According to computer security researchers, Python security fixes are often implemented through "silent" code commits without an associated Common Vulnerabilities and Exposures (CVE) identifier. That is not ideal, they argue, because attackers like exploiting undisclosed vulnerabilities in unpatched systems. In addition, developers who are not security experts may not notice that an upstream commit is targeting an exploitable vulnerability relevant to their code. Therefore, application developers may not realize that a Python package could have a major flaw due to little or no announcement about it, and not incorporate a patched version into their code. Malicious actors could take advantage of this by exploiting those non-publicized vulnerabilities. In a paper titled "Exploring Security Commits in Python," a team of researchers from George Mason University and Dougherty Valley High School propose a solution, which is a database of security commits called PySecDB. The database would increase the community's visibility of Python code repairs. This article continues to discuss the proposed security commits database aimed at making Python code repairs more visible to the community.

The Register reports "Sneaky Python Package Security Fixes Help No One - Except Miscreants"

According to a new report from the US Cybersecurity and Infrastructure Security Agency (CISA), more than half of all cyberattacks against government agencies, critical infrastructure organizations, and state-level government bodies involved legitimate accounts. CISA collaborated with the US Coast Guard (USCG) in 2022 to conduct 121 Risk and Vulnerability Assessments (RVAs) on federal civilian agencies, high-priority private and public sector critical infrastructure operators, and select state, local, tribal, and territorial stakeholders. According to Gabriel Davis, a federal lead for risk operations at CISA, these assessments are designed to test an organization's defenses and allow the government to explore how they would respond to a sophisticated attack. They also provide CISA with information about how hackers operate. A new report of their findings reveals that threat actors conducted their most successful attacks using standard techniques involving phishing and default credentials. In 54 percent of successful attacks studied, valid credentials, including those from former employee accounts that have not been disabled in addition to default administrator accounts, were used. This article continues to discuss key findings from the RVAs.

The Record reports "CISA: Most Cyberattacks on Governments, Critical Infrastructure Involve Valid Credentials"

According to security researchers at Sophos, the education sector recorded a higher share of ransomware victims than any other in 2022. During the study, the researchers conducted interviews with 400 IT and cybersecurity leaders globally, split evenly across schools and higher education institutions. The researchers found that 79% of higher and 80% of "lower" education institutions were compromised by ransomware over the past year, up from 64% and 56% in 2021, respectively. The researchers noted that exploits and compromised credentials accounted for 77% of ransomware attacks against higher education organizations and 65% of attacks against lower education organizations. Breaches stemming from compromised credentials (37%/36%) accounted for a much bigger share than the cross-industry average of 29%. The researchers stated that the lack of adoption of multi-factor authentication (MFA) technology in the education sector makes them even more at risk of this method of compromise. Interestingly, the researchers noted that the education sector had one of the highest rates of ransom payment, with over half (56%) of higher education victims and 47% of schools paying up. This may account for why the sector is so frequently targeted by threat actors. Another possible factor is the fact that higher education institutions are less likely to maintain backups than the cross-sector average (63% versus 70%).

Infosecurity reports: "Education Sector Has Highest Ransomware Victim Count"

The ALPHV ransomware group, also known as BlackCat, is attempting to increase the pressure on their victims to pay a ransom by providing an Application Programming Interface (API) for their leak site in order to increase the visibility of their attacks. This action follows the recent breach of Estee Lauder, which resulted in the beauty company disregarding the threat actor's attempts to negotiate a ransom payment. Multiple researchers recently observed that the ALPHV/BlackCat data leak site added a new page with instructions on how to use their API to get timely updates about new victims. The malware research group VX-Underground warned of the new section on the gang's site. However, the "feature" appears to have been partially available to a limited audience for months. The ransomware group published API calls that could be used to fetch information about new victims added to their leak site or updates starting on a specific date. This article continues to discuss the ALPHV/BlackCat ransomware gang providing an API for their leak site to increase visibility for their attacks.

Bleeping Computer reports "ALPHV Ransomware Adds Data Leak API in New Extortion Strategy"

Users of applications involving Large Language Models (LLMs) similar to ChatGPT must be aware of the possible risks. Researchers warn that an attacker who develops untrusted content for the Artificial Intelligence (AI) system could compromise any information or recommendations generated by the system. The attack could enable job applicants to circumvent resume-checking applications, disinformation specialists to force a news summary bot to only give a specific point of view, or malicious actors to turn a chatbot into a willing participant in their fraud. In a session titled "Compromising LLMs: The Advent of AI Malware," a group of computer scientists will demonstrate that indirect prompt-injection (PI) attacks are possible because applications connected to ChatGPT and other LLMs often treat consumed data in the same manner as user queries or commands. Attackers can take control of the user's session by inserting specially crafted information as comments into documents or web pages that an LLM will parse. This article continues to discuss researchers finding that AI applications involving LLMs could be compromised by attackers using natural language to trick users.

Dark Reading reports "ChatGPT, Other Generative AI Apps Prone to Compromise, Manipulation"

Some of the largest US-based generative Artificial Intelligence (AI) companies plan to watermark their content, according to a White House fact sheet released on July 21. Amazon, Anthropic, Google, Inflection, Meta, Microsoft, and OpenAI have agreed to eight voluntary commitments concerning the use and oversight of generative AI, including watermarking. This agreement follows a March statement expressing the White House's concerns about the misuse of AI. In addition, the agreement comes at a time when regulators are finalizing procedures for managing generative AI's impact on technology and how people interact with it since ChatGPT brought AI content to the public's attention in November 2022. This article continues to discuss the eight AI safety commitments and how government regulation of AI could discourage malicious actors.

TechRepublic reports "OpenAI, Google and More Agree to White House List of Eight AI Safety Assurances"

Cybersecurity Snapshots #44 -

Data Travel is the Organization's Next Big Cybersecurity Challenge

FraudGPT, a new Artificial Intelligence (AI) bot discovered being sold on different dark web marketplaces and Telegram accounts, is used exclusively for offensive purposes, such as spear-phishing, cracking tools, and carding. John Bambenek, principal threat researcher at Netenrich, which discovered FraudGPT, noted that his team believes the threat actor behind it is likely the same group that operates WormGPT, another AI phishing tool recently reported by SlashNext. According to Bambenek, Netenrich is currently unaware of any active attacks launched through FraudGPT tools. FraudGPT appears to focus more on short-duration, high-volume attacks such as phishing, whereas WormGPT is more focused on longer-duration attacks involving malware and ransomware. This article continues to discuss the new AI bot FraudGPT, believed to come from the same group that developed the WormGPT tools.

SC Media reports "New AI Phishing Tool FraudGPT Tied to Same Group Behind WormGPT"

A group of major technology companies recently made an announcement about watermarking Artificial Intelligence (AI)-generated content. However, cybersecurity researchers already suggest this new approach has flaws. Amazon, Anthropic, Google, Inflection, Meta, Microsoft, and OpenAI met with the White House to discuss how they can mitigate the risks associated with the AI they create. They promised to invest in cybersecurity and AI-generated content watermarking. Dr. Florian Kerschbaum, a professor of computer science and member of the Cybersecurity and Privacy Institute at the University of Waterloo, explained that the watermarking technology pitched by the companies embeds a secret message within the content's code. The idea is that the message cannot be removed without also removing the content. Kerschbaum notes, however, that there are still some uncertainties in the scientific foundations of watermarking. Malicious actors may be able to remove a watermark, and the issue of digital watermarks has fascinated scientists for decades. This article continues to discuss concerns and questions regarding watermarking AI-generated content.

The University of Waterloo reports "The Promise of Watermarking AI Content"

Recently, commercial and consumer bank 1st Source Corp announced that it was affected by a security breach that involved a popular file transfer tool, MOVEit. The data breach has impacted about 450,000 records. The company stated that a third party had gained access to data of its commercial and individual clients earlier this month, adding that it was in the process of identifying and notifying individual clients affected. MOVEit, made by Massachusetts-based Progress, allows organizations to securely transfer files and data between business partners and customers.

U.S. News reports: "1st Source Says 450,000 Records Affected in Client Data Breach"

The financially motivated threat actors responsible for the Casbaneiro banking malware family have been observed applying a User Account Control (UAC) bypass technique to gain full administrative privileges on a machine. This indicates that the threat actor is developing tactics to evade detection and run malicious code on compromised assets. Sygnia noted that despite the threat actors' continued focus on Latin American financial institutions, the alterations in their techniques pose a significant threat to multi-regional financial institutions. Casbaneiro, also known as Metamorfo and Ponteiro, is best known for its banking trojan, which emerged in 2018 due to mass email spam campaigns targeting the Latin American financial sector. Infection chains typically begin with a phishing email pointing to a booby-trapped attachment that, when opened, triggers a series of steps that culminate in the deployment of banking malware, along with scripts that use living-off-the-land (LotL) techniques to fingerprint the host and collect system metadata. Horabot, a binary designed to spread the infection to other unaware employees of the compromised organization, is also downloaded during this phase. This article continues to discuss what has changed in recent Casbaneiro attack waves.

THN reports "Casbaneiro Banking Malware Goes Under the Radar with UAC Bypass Technique"

The GuidePoint Research and Intelligence Team (GRIT) tracked a total of 1,177 publicly posted ransomware victims claimed by 41 different threat groups during the second quarter of 2023. The report by GRIT reveals a 38 percent increase in the number of public ransomware victims compared to Q1 2023, and a 100 percent increase from Q2 2022. Manufacturing and technology, accounting for 14 percent and 11 percent of impacted industries, respectively, continue to be the most affected industries, a trend observed by GRIT in 2022 and Q1 2023. The consulting (+236 percent) and insurance (+160 percent) industries experienced the greatest relative growth in observed ransomware attacks, whereas the government (-61 percent) and automotive (-59 percent) sectors experienced a relative decline. GRIT observed an increase in the activity of Ransomware-as-a-Service (RaaS) groups during Q2 2023, attributable to the launch of 14 new groups. Compared to Q1, this represents a 260 percent increase in "First Seen" groups. This article continues to discuss key findings from GRIT's Q2 2023 Ransomware Report.

Help Net Security reports "RaaS Proliferation: 14 New Ransomware Groups Target Organizations Worldwide"

Ensuring information system security requires preventing system compromises and finding adversaries already present in the network before they can launch an attack from inside. Cyber threat hunting has been deemed critical for identifying threats by personnel in defensive computer operations. However, the time, expense, and expertise required for cyber threat hunting often prevent its use. What is needed is an autonomous cyber threat hunting tool capable of running more pervasively, achieving standards of coverage considered impractical, and significantly reducing competition for limited time, money, and analyst resources. Phil Groce, a senior network defense analyst in the Software Engineering Institute's (SEI) CERT Division, describes early efforts at Carnegie Mellon University (CMU) to apply game theory to the development of algorithms suitable for informing a fully autonomous threat hunting capability. As a starting point, the CMU team is developing chain games, a series of games that can be used to evaluate and refine threat hunting strategies. This article continues to discuss the work to apply game theory to developing algorithms fit for informing a fully autonomous threat hunting capability.

Software Engineering Institute - Carnegie Mellon University reports "Using Game Theory to Advance the Quest for Autonomous Cyber Threat Hunting"

Tavis Ormandy, a Google Information Security researcher, has posted information about a new vulnerability he discovered independently in AMD's Zen 2 processors. The 'Zenbleed' vulnerability affects the entire Zen 2 product stack, including AMD's EPYC data center processors and Ryzen 3000 CPUs, enabling the theft of sensitive information, such as encryption keys and user logins, from the CPU. According to Ormandy, the attack does not require physical access to the computer or server. It can even be executed via JavaScript on a webpage. The Zenbleed vulnerability, tracked as CVE-2023-20593, allows data exfiltration at a rate of 30kb per core, per second, which is enough to take sensitive information flowing through the processor. This attack is effective against all software operating on the processor, including Virtual Machines (VMs), sandboxes, containers, and processes. This attack's ability to read data across VMs poses a significant threat to cloud service providers and cloud instance users. This article continues to discuss the Zenbleed vulnerability.

Tom's Hardware reports "AMD 'Zenbleed' Bug Allows Data Theft From Zen 2 Ryzen 3000, EPYC CPUs: Patches Coming"

A Los Angeles man recently pleaded guilty to using SIM swapping to perpetrate multiple cybercrime schemes targeting hundreds of victims. Between April 2019 and February 2023, Amir Hossein Golshan, 24, engaged in account takeovers, Zelle payment fraud, and Apple support impersonation, causing roughly $740,000 in losses to his victims. According to the Department of Justice (DoJ), in December 2021, relying on SIM swapping, Golshan took over the Instagram account of an influencer with over 100,000 followers. Using the unauthorized access to the account, he contacted the victim's friends impersonating the influencer, asking them to send money via Zelle, PayPal, and other platforms, obtaining thousands of dollars from the unsuspecting victims. He also locked the influencer out of her accounts and sent her messages demanding a $2,000 ransom for returning control of the accounts. The DoJ noted that Golshan admitted to using SIM swapping against two other victims in January 2022. After taking control of one of the victims' social media accounts, he demanded a $5,000 ransom, threatening to release personal videos and photos. Golshan targeted roughly 500 individuals in SIM swapping and Zelle fraud schemes, receiving approximately $82,000 in payments from his victims. Golshan also impersonated Apple support personnel to gain access to victim accounts and steal NFTs, cryptocurrency, and other digital goods, defrauding five victims of between $2,000 and $389,000 each. Golshan pleaded guilty to unauthorized computer access, access to a computer to defraud, and wire fraud. Scheduled for sentencing on November 27, he faces up to five years in prison for the computer access counts and up to 20 years in prison for wire fraud.

SecurityWeek reports: "Los Angeles SIM Swapper Pleads Guilty to Cybercrime Charges"

Security researchers at Coveware believe that the Cl0p ransomware gang could earn as much as $100 million from the MOVEit hack. The researchers found that the percentage of victims that paid a ransom in the second quarter of 2023 fell to a record low of 34%. The researchers stated that the chances of cybercriminals getting paid in the case of attacks that only involve data theft without the deployment of file-encrypting ransomware, such as the MOVEit hack, is less than 50%, but the ransom amount has been typically higher. The researchers noted that while the MOVEit campaign may end up impacting over 1,000 companies directly, a tiny percentage of victims bothered trying to negotiate, let alone contemplated paying. Those that did pay paid substantially more than prior Cl0p campaigns and several times more than the global average ransom amount of $740,144. The researchers claimed that the Cl0p group might earn $75-100 million dollars just from the MOVEit campaign, with that sum coming from just a small handful of victims that succumbed to very high ransom payments.

SecurityWeek reports: "MOVEit Hack Could Earn Cybercriminals $100M as Number of Confirmed Victims Grows"