News Items

IBM published its annual Cost of a Data Breach Report, revealing that the global average data breach cost reached $4.45 million in 2023, a 15 percent increase over the previous three years. Detection and escalation costs increased by 42 percent during the same time, representing the largest portion of breach costs and signaling a shift toward more complex breach investigations. According to the report, business strategies regarding the rising cost and frequency of data breaches are diverse. The study found that although 95 percent of organizations studied have experienced multiple breaches, breached organizations are more likely to pass incident costs on to consumers (57 percent) than to increase security investments (51 percent). This article continues to discuss key findings from IBM's latest Cost of a Data Breach Report.

Help Net Security reports "Average Cost of a Data Breach Reaches $4.45 Million in 2023"

Purdue University has been selected as a partner in a new University Transportation Center (UTC) focused on cybersecurity and funded by the US Department of Transportation (DOT). The Transportation Cybersecurity and Resilience (TraCR) center, led by Clemson University, is the first national security center funded by the DOT. UTCs will help the next generation of transportation professionals improve the safety, innovativeness, and efficiency of roads, bridges, shipping, and more. TraCR will monitor and address cybersecurity vulnerabilities in Transportation Cyber-Physical-Social Systems (TCPSS). Researchers will identify challenges and threats across transportation modes, geographies, and applications, as well as develop cybersecurity strategies and solutions for multimodal transportation. They expect to develop software and hardware that will serve as the essential foundation for preventing and mitigating potential cyberattacks on transportation systems, such as data falsification and Global Positioning System (GPS) spoofing. This article continues to discuss Purdue University becoming part of the national research center aimed at bolstering transportation systems against cyberattacks and expected research.

Purdue University reports "Purdue Part of a National Research Center Aimed At Hardening Transportation Systems Against Cyberattacks"

There are various infiltration strategies adversaries can use to threaten the smart grid. For example, in a false-data injection attack, someone could hack into the grid's communication networks and replace actual measurements with false data. Denial-of-Service (DoS) attacks, in which threat actors flood the communication infrastructure with maliciously-generated data packets, are another technique in the cyber intruder's arsenal. Game theory involves mathematical models to simulate and analyze scenarios where the "players" in the game, in this case, the attackers and cyber defenders of the power grid, make a series of interdependent decisions as they execute and adapt their attack and defense strategies. Modeling attack jamming and defense anti-jamming as a zero-sum stochastic (probabilistic) game is part of the research at Purdue University. This article continues to discuss the use of game theory in defending the smart grid against attacks.

Purdue University reports "Game Theory Comes to the Defense of the Smart Grid"

Cybercriminals continue to look for new methods to manipulate search results. They are flooding Google with paid advertisements through malvertising campaigns, which direct unsuspecting users to malicious websites that exploit their data and trust. The cybersecurity company Sophos disclosed that hackers and fraudsters are paying to place malicious sites at the top of search results in the form of advertisements. This practice, known as malvertising, ensures visibility and typically targets users searching for popular downloads, such as software applications. Previous campaigns targeted users who searched for CCleaner, WinRAR, Notepad++, VLC, OBS, VirtualBox, Blender, or Capcut. Even searching for Adobe, Gimp, Slack, Tor, or Thunderbird may be risky, as malicious advertisements can infect a computer with Aurora Stealer, RedLine, Vidar, FormBook, and other stealers or trojans. The most recent paid advertisements often involve Artificial Intelligence (AI) tools such as Midjourney or ChatGPT. This article continues to discuss recent trends in malvertising.

Cybernews reports "First Search Result Leads to Malware: Crooks Now Paying for Ads"

According to researchers at NCC Group, ransomware attacks in June soared 221% year-on-year to hit a record 434 for the month. The researchers claimed that the figures were driven by Clop's targeting of global organizations via the MOVEit flaw, "consistently high levels" of activity by groups such as Lockbit 3.0, and the appearance of new groups since May. The researchers noted that Clop was responsible for a fifth (21%) of activity last month after it exploited SQL injection zero-day vulnerability CVE-2023-34362 in the popular managed file transfer software MOVEit. LockBit 3.0 accounted for 14% of ransomware attacks in the period, down 21% from the previous month. However, the group is still the most prolific of 2023 so far. The researchers stated that June also saw 8base, a new group first discovered in May, ramp up activity quickly. It was responsible for 40 attacks, 9% of the total recorded by the researchers. Two other groups spotted for the first time in May, Rhysida, and Darkrace, contributed 17 and nine attacks, respectively. The researchers stated that, unsurprisingly, North America once again contributed the most victims (51%), followed by Europe (27%) and Asia (9%). The most targeted sector in June was "industrials," which accounted for a third of victims, followed by "consumer cyclicals" (12%) and technology (11%).

Infosecurity reports: "Clop Drives Record Ransomware Activity in June"

The US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) and the Federal Trade Commission (FTC) sent a letter to 130 hospitals and telehealth providers highlighting the security and privacy risks posed by third-party tracking technologies. As previously reported, numerous healthcare data breaches have resulted from the presence of third-party tracking technology on hospital websites, which inadvertently transmitted sensitive data back to technology companies like Facebook and Google. A study published in Health Affairs found third-party tracking technology on 98.6 percent of US nonfederal acute care hospital websites. OCR has previously issued a bulletin regarding the appropriate use of tracking technology under the Health Insurance Portability and Accountability Act (HIPAA), and the FTC has settled high-profile cases with GoodRx and BetterHelp regarding their use of this technology. This article continues to discuss HHS and the FTC bringing further attention to the privacy and security risks of online tracking technologies.

HealthITSecurity reports "HHS, FTC Warn Hospitals and Telehealth Providers About Third-Party Tracking Tech"

Rutgers recently announced that it was among numerous universities across the nation that may have exposed the personal information of students and employees through vendors that use a particular file transfer software that was hacked by a Russian ransomware gang. In the case of Rutgers, the university was notified by the National Student Clearinghouse (NSC), a nonprofit that provides a range of higher education data and research services, of a cybersecurity issue involving NSC information, including data from the university. The NSC issue involves a vulnerability in a third-party software tool, MOVEit Transfer. The NSC determined that an unauthorized party obtained certain files transferred through the clearinghouse's MOVEit environment,' including files from customers. Rutgers noted that the incident was not a data breach of Rutgers' systems. School officials stated that, at this time, the impact on Rutger's information is unclear. The NSC works with 3,600 colleges and universities, including Rutgers, to gather student data required by the U.S. Department of Education. The breach affected multiple other universities, including Stony Brook University, Middlebury College, Rutgers University, Loyola University Chicago, Trinity College in Connecticut, Colorado State University, the University of Dayton, and the University of Alaska.

NJ Advanced Media reports: "Rutgers Among Universities Impacted by MOVEit Hack That Exposed Data"

According to GitHub, a social engineering campaign is attempting to infect the devices of developers in the blockchain, cryptocurrency, online gambling, and cybersecurity industries with malware. The campaign has been attributed to the North Korean state-sponsored Lazarus Group, also known as Jade Sleet and TraderTraitor. The hacking group is known for targeting cryptocurrency companies and researchers to conduct cyber espionage and steal cryptocurrency. In a new security alert, GitHub warns that Lazarus Group is impersonating developers and recruiters on GitHub and social media by compromising legitimate accounts or creating fake personas. These personas are used to initiate conversations with targets. After gaining the target's trust, the threat actors invite them to collaborate on a project and clone a GitHub repository themed around media players and cryptocurrency trading tools. However, according to GitHub, these projects use malicious NPM dependencies that download malware. This article continues to discuss Lazarus hackers targeting developers with malicious projects.

Bleeping Computer reports "GitHub Warns of Lazarus Hackers Targeting Devs With Malicious Projects"

According to Code42, life sciences companies, such as medical device manufacturers, biotechnology companies, and pharmaceutical companies, are experiencing increased insider-caused data loss. With this expanding threat, life sciences leaders increasingly prioritize effective modern data loss prevention strategies. While data loss from insiders, or insider risk, occurs in all industries, it is especially damaging for life sciences companies as they contain large amounts of sensitive data, including patient information, product designs, formulations, trial results, and manufacturing details. Therefore, it is essential to protect sensitive data from unauthorized access in order to maintain a competitive advantage and guarantee uninterrupted business operations. Nearly 70 percent of respondents in the life sciences sector have observed an increase in data loss incidents caused by insiders over the past year, and they expect an even greater increase over the next 12 months. Seventy-eight percent of CISOs in the life sciences industry have a program dedicated to insider risk or threats, indicating that they recognize the issue's urgency. This article continues to discuss key findings regarding data exposure in the life sciences sector.

Help Net Security reports "Life Sciences Leaders Act to Counter Insider-Driven Data Loss"

Two years ago, ransomware criminals breached the hardware manufacturer Gigabyte and released over 112 GB of data, including information from Intel and AMD, two of its most important supply chain partners. Researchers now warn that the leaked information exposed critical zero-day vulnerabilities that could threaten much of the computing world. The vulnerabilities exist within the firmware AMI makes for Baseboard Management Controllers (BMCs). BMCs enable cloud centers and sometimes their customers to streamline the remote management of vast fleets of computers. They allow administrators to remotely reinstall operating systems, install and deactivate applications, and more. Researchers from the security company Eclypsium analyzed the leaked AMI firmware from the 2021 ransomware attack and discovered vulnerabilities that had remained dormant for years. They can be exploited by any local or remote adversary with access to the industry-standard remote management interface Redfish to execute malicious code that will run on every server inside a data center. This article continues to discuss the new AMI BMC vulnerabilities.

Ars Technica reports "Firmware Vulnerabilities in Millions of Computers Could Give Hackers Superuser Status"

On July 5, 2023, Phoenician Medical Center, Inc. and its affiliates, Phoenix Neurological & Pain Institute and Laser Surgery Center (collectively, "PMC"), filed a notice of data breach with the U.S. Department of Health and Human Services Office for Civil Rights after discovering that an unauthorized party accessed and potentially stole patient data. According to PMC, on March 31, they learned of a data security incident after some of the company's systems experienced disruption.

On July 19, 2023, Tampa General Hospital ("TGH") recently announced that the personal information of about 1.2 million Tampa General Hospital patients was leaked in a recent cyberattack. On May 31, 2023, TGH detected suspicious activity within its computer systems. In response, TGH notified the FBI, contained the incident, and then launched an investigation with the assistance of third-party data security specialists. The TGH investigation confirmed that an unauthorized third party accessed TGH's network and obtained certain files from its systems between May 12, 2023, and May 30, 2023. After learning that sensitive consumer data was accessible to an unauthorized party, TGH reviewed the compromised files to determine what information was leaked and which consumers were impacted. While the breached information varies depending on the individual, it may include an individual's name, Social Security number, address, phone number, date of birth, health insurance information, medical record number, patient account number, dates of service, and treatment information. On July 19, 2023, Tampa General sent out data breach letters to anyone who was affected by the recent data security incident.

JD Supra reports: "Tampa General Hospital To Notify 1.2 Million Patients of Recent Data Breach"

According to experts on energy infrastructure, the US power grid is facing many escalating cybersecurity risks and threats from foreign adversaries and domestic extremists. The latest annual threat assessment from the Intelligence Community identifies Chinese cyber operations against the US homeland as a significant national security threat. It warns that Beijing can almost certainly launch cyberattacks capable of disrupting national critical infrastructure services, such as the power grid. In recent months, domestic extremists have been charged with plotting to attack energy facilities and power infrastructure across the country. Bruce Walker, former assistant secretary for the US Department of Energy's (DOE) Office of Electricity, testified before the House Energy and Commerce subcommittee on oversight and investigations that the most important evolving threat to the electric grid is related to cybersecurity and physical security. He called for increased public-private collaboration. This article continues to discuss the power grid facing heightened cyber threats from foreign adversaries and domestic extremist groups that can pose significant consequences for the nation's electricity supply.

NextGov reports "US Power Grid Faces Escalating Cyber Threats, Infrastructure Experts Warn"

Kevin Mitnick, a hacker who famously served time in prison for various computer and communications-related crimes, has died after a battle with pancreatic cancer. He was 59. Mitnick gained global fame in the mid-1990s when the FBI arrested him on computer hacking and wire fraud charges. After a plea deal, he was sentenced to prison, and would later write books, and was considered "world's most famous hacker ever." At the time of his death, Mitnick worked as a security evangelist and "Chief Hacking Officer" at KnowBe4, a security awareness training company based in Florida.

SecurityWeek reports: "Famed Hacker Kevin Mitnick Dead at 59"

Researchers have discovered a vulnerability in the secure networking suite OpenSSH, tracked as CVE-2023-38408, that would enable hackers to remotely execute code using simple commands. Exploiting the vulnerability involves the helper program in OpenSSH called ssh-agent, which stores a user's private keys for frequent, often automated SSH public key authentication. Administrators managing remote servers often enable 'ssh-agent forwarding,' which allows the ssh-agent to be accessed from a specified server so that local SSH keys can be used without storing keys on the server itself. According to Qualys researchers, when a forwarded agent is set up using default settings, with PKCS11 enabled, a threat actor with a connection to the same remote server can load and unload shared libraries on a victim's machine with malicious side effects. Security researchers were able to use this technique for one-shot, Remote Code Execution (RCE) by combining only four side effects of loading and unloading common shared libraries. This article continues to discuss the potential exploitation and impact of the OpenSSH vulnerability.

ITPro reports "OpenSSH Vulnerability Uncovered by Researchers, RCE Exploit Developed"

According to security researchers at Endor Labs, open source is playing a growing role across the AI technology stack, but most (52%) projects reference known vulnerable dependencies in their manifest files. The researchers claimed that just five months after its release, ChatGPT's API is used in 900 npm and PyPI packages across "diverse problem domains," with 70% of these brand new packages. The researchers warned that, as for any open source projects, the security risks associated with vulnerable dependencies must be managed. The researchers stated that, unfortunately, organizations appear to be underestimating the risk not only of AI APIs in open source dependencies but security sensitive APIs in general. Over half (55%) of applications have calls to security sensitive APIs in their code base, which rises to 95% when dependencies are included. The researchers also warned that large language model (LLM) technology like ChatGPT is poor at scoring the malware potential of suspicious code snippets. It found that OpenAI GPT 3.5 had a precision rate of just 3.4%, while Vertex AI text-bison performed a little better, at 7.9%. The researchers noted that both models produced a significant number of false positives, which would require manual review efforts and prevent automated notification to the respective package repository to trigger a package removal. The researchers also found during their research that developers may be wasting their time remediating vulnerabilities in code which isn't even used in their applications. The researchers found that 71% of typical Java application code is from open source components but that apps use only 12% of imported code. The researchers noted that vulnerabilities in unused code are rarely exploitable and that organizations can eliminate or de-prioritize up to 60% of remediation work with reliable insight into which code is reachable throughout an application.

Infosecurity reports: "Half of AI Open Source Projects Reference Buggy Packages"

After facing criticism following a recent espionage attack campaign aimed at its email infrastructure, Microsoft has announced that it will expand cloud logging capabilities to help organizations investigate cybersecurity incidents and gain more visibility. The company noted that the change directly responds to the increasing frequency and evolution of cyber threats from nation-states. The rollout is expected to begin in September 2023 for all government and commercial customers. Microsoft will provide its customers access to wider cloud security logs at no additional cost. The US Cybersecurity and Infrastructure Security Agency (CISA) applauded the action, emphasizing that having access to key logging data is essential for quickly mitigating cyber intrusions and that this is a major step forward in advancing security by design principles. The development follows disclosures that a China-based threat actor named Storm-0558 compromised 25 organizations by exploiting a validation error in the Microsoft Exchange environment. This article continues to discuss Microsoft expanding cloud logging capabilities, what prompted this move, and the response to this decision.

THN reports "Microsoft Expands Cloud Logging to Counter Rising Nation-State Cyber Threats"

Turla, also known as Secret Blizzard, Snake, and UAC-0003, has been targeting defense sector organizations in Ukraine and Eastern Europe with DeliveryCheck and Kazuar backdoors and infostealers. The group has also been controlling them with compromised Microsoft Exchange servers. It is believed that the Russian state is behind the sophisticated and persistent Advanced Persistent Threat (APT) group Turla, which has been active for over a decade. The group has been linked to many attacks against government and military organizations, as well as cyber espionage campaigns against other organizations with information the Russian government may find useful. This article continues to discuss recent findings regarding the Turla APT group.

Help Net Security reports "Microsoft Exchange Servers Compromised by Turla APT"

Growing vehicle technology sophistication can make cars more vulnerable to hacking and theft. A research team led by the University of Michigan has developed a solution that involves what is considered to be the lowest-technology feature of modern vehicles, the auxiliary power outlet. The team is ready to begin large-scale testing of Battery Sleuth, a vehicle security system that can protect against sophisticated wireless hacking and old-school jimmying. The wireless connection that key fobs rely on is sidestepped by Battery Sleuth, as is the standardized onboard communication network used in modern vehicles. Instead, it authenticates drivers by measuring voltage fluctuations in the electrical system of a vehicle. Drivers control it through a keypad device inserted into the auxiliary power outlet. When the driver enters a numerical code on the keypad, Battery Sleuth sends a predetermined series of voltage fluctuations, a sort of "voltage fingerprint," to the car's electrical system. Then, a receiver recognizes the fingerprint and allows the vehicle to start. This article continues to discuss the Battery Sleuth authenticator device.

The University of Michigan reports "A Surprisingly Simple Way to Foil Car Thieves"

WormGPT is a new, custom-trained version of a Large Language Model (LLM) based on the GPT-J language model released in 2021. It is a conversational tool developed and trained to write and deploy black hat code and tools. WormGPT allows users to develop sophisticated malware at a fraction of the cost and level of expertise previously required. The cybersecurity company SlashNext tested the tool and warned that malicious actors are now creating their own ChatGPT-like modules. The custom modules created by the adversaries are said to be easier to use for malicious purposes. According to screenshots posted by the creator, WormGPT functions like an unprotected version of ChatGPT. It can produce Python-based malware and offer deployment-related tips, strategies, and solutions. This article continues to discuss findings and observations regarding WormGPT.

Tom's Hardware reports "WormGPT Might Become Hackers' New Best Imaginary Friend"

Norwegian recycling giant Tomra has recently taken some of its systems offline after falling victim to what it describes as "an extensive cyberattack." Tomra is a multinational company that manufactures waste collection and sorting products, including reverse vending machines and food sorters. The company operates close to 100,000 recycling systems worldwide. On Monday, Tomra announced that some of its data systems were impacted by a cyberattack that was discovered on July 16 and that it immediately disconnected some systems to contain the incident. In an update on Tuesday, the company announced that it had disconnected additional systems and that it would keep all impacted systems offline until the incident is resolved. The attack currently has a limited impact on Tomra's customer operations. Tomra noted that most of their digital services are designed to operate offline for a certain amount of time but may have reduced functionality in the interim. The company announced that its internal IT services and some back office applications remain offline, with an impact on its supply chain management. With major office locations offline, employees have been asked to work remotely. Tomra's reverse vending machines (RVMs) in Australia and North America remain fully operational, RVMs in Europe and Asia continue to work in offline mode, but some older models are no longer operating. The company's recycling and food sorter systems are operating as usual, with some limited functionality due to digital services being offline. The company stated that they have not received any contact from those who are behind the cyberattack.

SecurityWeek reports: "Recycling Giant Tomra Takes Systems Offline Following Cyberattack"

Cameron Whitehead of the University of Central Florida won the US Department of Energy's (DOE) 2023 CyberForce Conquer the Hill - Reign Edition Competition. This virtual event, coordinated by the DOE's Argonne National Laboratory, included 144 participants from collegiate institutions nationwide. Competitors explored a virtual escape room where they were required to complete tasks that simulated real-world scenarios, such as hacking into server rooms, interacting with Artificial Intelligence (AI) robots, and deciphering secret messages. Due to the growing number of cyber threats in the digital world, there is a high demand for cybersecurity experts. DOE and Argonne acknowledge the significance of inspiring and educating a new generation of cybersecurity professionals. This is why DOE created the CyberForce Program, which offers opportunities for aspiring professionals to develop their skills and defend critical infrastructure. This article continues to discuss Whitehead of the University of Central Florida winning the DOE's 2023 CyberForce Conquer the Hill - Reign Edition Competition and the purpose of the CyberForce Program.

The US Department of Energy reports "Cameron Whitehead Wins US Department of Energy's 2023 CyberForce Conquer the Hill - Reign Edition Competition"

According to new research from the Content Delivery Network (CDN) provider Cloudflare, in the second quarter of this year, companies were hit with well-planned Distributed Denial-of-Service (DDoS) attacks launched by hacking groups, many of which are based in Russia. From April to June, the total number of DDoS requests reached 5.4 trillion, a 15 percent increase over the first quarter of this year. Despite the surge in attacks in 2023, DDoS incidents are down compared to the second quarter of 2022, when Cloudflare recorded 8.3 trillion requests. According to Cloudflare, the number of requests does not indicate the number of "unique" attacks, but rather the total volume of DDoS attacks. In recent months, the industries impacted the most by DDoS attacks were cryptocurrency, gaming, and gambling, with cryptocurrency companies alone having seen a 600 percent increase in DDoS attacks. This article continues to discuss key findings from Cloudflare's report on DDoS attack trends for the second quarter of 2023.

The Record reports "Cloudflare Reports Surge in Sophisticated DDoS Attacks"

Eric Goldstein, Executive Assistant Director for Cybersecurity at the Cybersecurity and Infrastructure Security Agency (CISA), emphasizes that access to key logging data is crucial for quickly mitigating cyber intrusions, such as the recently identified incident affecting a federal agency's Microsoft Exchange Online environment. In this case, the affected agency used available logging data as a resource to detect suspicious activity, enable remediation actions to limit damage, and help Microsoft and CISA teams in identifying and assisting additional victims. Goldstein stresses that requiring organizations to pay more for essential logging leads to insufficient visibility when investigating cybersecurity incidents, which could give adversaries dangerously high levels of success when targeting American organizations. CISA applauds Microsoft's decision to make necessary logs, identified by CISA and its partners as critical to identifying cyberattacks, available to customers without additional cost. This article continues to discuss the importance of logging data in mitigating cyber incidents.

CISA reports "When Tech Vendors Make Key Logging Info Available for Free, Everyone Wins"