News Items

The US government has placed Cytrox and Intellexa on an economic blocklist for trafficking in cyber exploits. The US Department of Commerce's Bureau of Industry and Security (BIS) added the two surveillance technology vendors to the Entity List for trafficking in cyber exploits used to gain access to information systems. The Entity List maintained by BIS is a trade control list created by the US government. It identifies foreign individuals, organizations, and government entities subject to specific export controls and restrictions due to their participation in activities that threaten the national security or foreign policy interests of the US. This article continues to discuss the US government adding surveillance technology vendors Cytrox and Intellexa to an economic blocklist for trafficking in cyber exploits.

Security Affairs reports "US Gov Adds Surveillance Firms Cytrox and Intellexa to Entity List for Trafficking in Cyber Exploits"

WyrmSpy and DragonEgg, two previously undocumented Android spyware strains, have been linked to APT41, a prolific nation-state actor with ties to China. According to Lookout, an established threat actor such as APT41, known for exploiting web-facing applications and infiltrating traditional endpoint devices, adding mobile malware to its arsenal, demonstrates that mobile endpoints are high-value targets with corporate and personal data. Since at least 2007, APT41, also known as Axiom, Blackfly, Brass Typhoon, Bronze Atlas, HOODOO, Wicked Panda, and Winnti, has been known to target various industries for intellectual property theft. Recent attacks launched by the group involved Google Command and Control (GC2), an open source red teaming tool, to target media and employment platforms in Taiwan and Italy. This article continues to discuss APT41 targeting mobile devices with WyrmSpy and DragonEgg spyware.

THN reports "Chinese APT41 Hackers Target Mobile Devices with New WyrmSpy and DragonEgg Spyware"

According to the 2023 Verizon Data Breach Investigations Report (DBIR), small and medium-sized businesses (SMBs) are targeted by cybercriminals as much as large companies. SMBs are often found to underestimate their appeal as potential targets since they believe they are not worth the effort of attackers and that their data is of little value. However, their systems contain sensitive information, including employee and customer data as well as financial data. In addition, they are frequently used to access the systems of larger organizations (i.e., partners, customers, or suppliers). According to a recent Proofpoint study, cybercriminals often target SMBs to breach larger organizations, especially through regional Managed Service Providers (MSPs). This article continues to discuss how SMBs can up their cybersecurity game.

Help Net Security reports "Cybersecurity Measures SMBs Should Implement"

Jake Guidry, an Idaho National Laboratory (INL) intern, has developed a cybersecurity research tool to improve the security of Electric Vehicle (EV) charging. The AcCCS tool provides access capabilities through the Combined Charging System (CCS) communications protocol. AcCCS combines hardware and software, emulating the electronic communications that occur between an EV and a charger during the charging process. The tool provides researchers with a new vulnerability search method for EVs and charging stations. The AcCCS hardware has a charging port and cable that can be plugged into real-world equipment. No charging power travels through the device. When AcCCS is plugged into an EV, the vehicle's computer believes the battery is being charged. If plugged into a 350-kilowatt fast charging station, the station thinks it is charging an EV. According to Guidry, it is essentially mimicking one to deceive another. Researchers have already used AcCCS to hack a charging station and a vehicle. Then they demonstrated a mitigation technique against the cyberattacks. Future experiments will help researchers in developing industry best practice recommendations. This article continues to discuss the cybersecurity research tool developed to improve the security of EV charging.

Idaho National Laboratory reports "Intern Develops Technology to Find EV Charging Vulnerabilities"

The experience gained at the largest unclassified Department of Defense (DOD) cyber defense exercise helps the Ohio Cyber Range Institute (OCRI) at the University of Cincinnati (UC) develop the country's civilian cybersecurity operation in Ohio. Last month, in North Little Rock, Arkansas, over 800 National Guard soldiers, airmen, and civilian cyber professionals attended Cyber Shield 2023, including people from UC. Bekah Michael, associate professor-educator in the UC School of Information Technology (IT) and executive staff director of the OCRI, said the DOD exercise experience has been directly applied to developing cybersecurity exercises in Cincinnati. UC will host teams from the Ohio Cyber Reserve for a validation exercise this summer, marking Cincinnati's second consecutive year for a statewide cybersecurity exercise. Three teams from the Ohio Cyber Reserve, a volunteer force commanded by the state's adjutant general, will participate in the OCRI-hosted exercise. This year's exercise will be different from the previous year in that it will be a validation exercise rather than a training exercise. The teams responding to an attack in a training exercise can consult with and get direction from the event organizers and the group doing the cyberattacks. They do not receive additional instruction during a validation exercise since they must demonstrate their ability to respond to a critical cybersecurity incident. This article continues to discuss the cybersecurity exercise that UC will host.

The University of Cincinnati reports "UC Prepares to Host Statewide Cybersecurity Exercise"

Henry Ford Health has recently confirmed that an email phishing scheme led to a data breach affecting 168,000 patients. Patients were told Monday that someone conducting an email phishing scheme gained access to business email accounts on March 30, 2023. According to officials, that access was quickly discovered, and the email accounts were secured. According to the company, some patient information was contained in the affected emails, but it's unclear if that information was accessed. This discovery was made on May 16. The affected information might have included name, gender, date of birth, age, lab results, procedure type, diagnosis, date of service, telephone number, medical record number and/or internal tracking number. Henry Ford Health stated that it is adding security measures and further employee training.

WDIV reports: "Henry Ford Health Confirms Data Breach Affecting 168,000 Patients"

The administrators of Genesis Market on the dark web have announced the sale of their platform to a threat actor who will resume operations next month. In April, the FBI seized Genesis Market, a marketplace for stolen credentials, launched in 2017. Genesis Market was an invite-only marketplace, but invitation codes were not difficult to find online. The platform provided access to "browser fingerprints" that enable criminals to impersonate victims' web browsers, including IP addresses, operating system data, time zones, device information, session cookies, and more. Amazon, eBay, Facebook, Gmail, Netflix, PayPal, Spotify, and Zoom were among the most popular services to which Genesis Market provided access. The seizure of the platform was part of Operation Cookie Monster, a law enforcement operation. This article continues to discuss the administrators of the dark web Genesis Market selling the platform on a hacker forum.

Security Affairs reports "Admins of Genesis Market Marketplace Sold Their Infrastructure on a Hacker Forum"

Metior is an analysis framework developed by MIT researchers to simplify hardware and software design frameworks in order to enhance defense capabilities against known and unknown side-channel attacks. Using Metior, engineers could quantitatively evaluate how much information an adversary can steal through a specific side-channel attack. It is considered a simulation sandbox in which chip designers and other engineers can determine, based on their use case, what combination of defenses maximizes their protection against side-channel attacks. As Metior allows the quantitative measure of how much information is stolen, users can calculate the impact of it being stolen, so they can implement protections against the most impactful types of attacks. This article continues to discuss the new Metior framework that bridges hardware design and cybersecurity.

Tom's Hardware reports "'Metior' Defense Blueprint Against Side-Channel Vulnerabilities Debuts"

Identity and access management solutions provider JumpCloud has recently revealed that it was the target of a security breach caused by a sophisticated nation-state-sponsored threat actor. The company noted that the breach first came to light on June 27 when anomalous activity was detected on an internal orchestration system. The investigation traced the incident back to a spear-phishing campaign initiated by the threat actor on June 22, which resulted in unauthorized access to a specific section of JumpCloud's infrastructure. While no evidence of customer impact was found then, JumpCloud proactively bolstered its security measures by rotating credentials, rebuilding infrastructure, and fortifying its network and perimeter. The situation escalated on July 5 when unusual activity was discovered in the commands framework for a small group of customers, indicating that customer data had been compromised. In response, JumpCloud force-rotated all admin API keys and notified affected customers immediately. After a forensic investigation conducted with incident response partners and law enforcement, the attack vector was identified as data injection into the commands framework. JumpCloud emphasized that the breach was highly targeted and limited to specific customers.

Infosecurity reports: "JumpCloud Confirms Data Breach By Nation-State Actor"

Cybernews researchers further explored how privacy-invasive Artificial Intelligence (AI)-powered applications like ChatGPT are. Large Language Models (LLM)s such as OpenAI's ChatGPT, Meta's LLaMA, and Google's PaLM2 are the most notable examples of advanced Natural Language Processing (NLP) models. To train their algorithms, these models must collect enormous amounts of data, as more data means they can generate more natural responses that resemble human language. They have crawled the web to collect data, including content from social media platforms such as Reddit, Facebook, Twitter, and Instagram. However, a part of the data collected contains sensitive personal information. AI tools must also record user prompts and file uploads, including images or voice commands, to improve their algorithms' training. AI users may inadvertently divulge sensitive personal and professional information, exposing them to the possibility of exposure to third parties. This article continues to discuss how AI-powered apps impact user privacy, the benefits AI brings to social media applications, and privacy concerns around ChatGPT.

Cybernews reports "How Popular AI Apps Are Invading Your Privacy"

Security operations and threat intelligence teams are understaffed, overwhelmed with data, and juggling competing demands, all of which can be remedied by Large Language Model (LLM) systems. However, the lack of experience with the systems prevents many companies from using the technology. According to researchers, organizations that implement LLMs can better synthesize intelligence from raw data and expand their threat intelligence capabilities, but such programs require the support of the security leadership to be appropriately focused. John Miller, head of intelligence analysis at Mandiant, notes that teams should implement LLMs for solvable problems, but first, they must evaluate the utility of LLMs in an organization's environment. In a presentation titled "What Does an LLM-Powered Threat Intelligence Program Look Like?" to be given at Black Hat USA in early August, Miller and Ron Graf, a data scientist on the intelligence analytics team at Mandiant's Google Cloud, will demonstrate the areas in which LLMs can help security analysts in accelerating and enhancing cybersecurity analysis. This article continues to discuss where LLMs can be of help to security professionals.

Dark Reading reports "How AI-Augmented Threat Intelligence Solves Security Shortfalls"

The Cybersecurity and Infrastructure Security Agency (CISA) has published a factsheet outlining free tools and guidance for securing digital assets after migrating to cloud environments. The factsheet helps network defenders, incident response analysts, and cybersecurity professionals in mitigating the risk of information theft, exposure, data encryption, and extortion attacks. It helps identify, detect, and mitigate known vulnerabilities and cyber threats faced when managing cloud-based or hybrid environments. The highlighted tools supplement the built-in tools provided by cloud service providers and help bolster the resilience of network infrastructures, enhance security measures, identify malicious compromises, map potential threat vectors, and pinpoint malicious activity following a breach. This article continues to discuss the free tools shared by CISA to help improve the security of data in the cloud.

Bleeping Computer reports "CISA Shares Free Tools to Help Secure Data in the Cloud"

Law enforcement agencies regularly sell items confiscated in criminal investigations or unclaimed from lost-and-found inventories. Many of these items, including cars, jewelry, watches, and devices such as mobile phones, end up on online auction sites. People searching for a bargain can bid on cell phones in bulk, picking up dozens at low prices. However, according to a recent study conducted by security researchers at the University of Maryland (UMD), many phones sold at police property auction houses are not adequately wiped of personal data. The study, which lasted over two years and involved cell phones purchased from the largest police auction house in the US, led to the discovery of troves of personal information from previous owners that was freely accessible. The UMD team successfully bid on 228 phones, 61 (27 percent) of which contained personal data such as Social Security numbers, credit card information, banking information, passport data, driver's license photos, and more. This article continues to discuss the UMD team's discovery of privacy risks in cell phones purchased at police auctions.

The University of Maryland reports "UMD Researchers Uncover Privacy Risks in Cell Phones Purchased at Police Auctions"

There is criticism regarding Microsoft charging its cloud services customers additional fees to access security records after a China-based threat group compromised the email accounts of more than two dozen organizations, including US government agencies. The State and Commerce Departments are reportedly among the targets. The threat group responsible for the attacks, identified by Microsoft as Storm-0558, used forged authentication tokens to access Microsoft 365 (M365) accounts via Outlook Web Access and Outlook[.]com. Following the reveal of the attacks on July 11, Microsoft provided a more comprehensive account of the breach. Microsoft noted that the attacks had been mitigated for all customers and that the company was still investigating how the attackers got the forged tokens. This article continues to discuss the email hack that calls for Microsoft to make security logs free.

SC Media reports "Email Hack Prompts Call for Microsoft to Make Security Logs Free"

The owner of the infamous cybercrime website BreachForums has recently pleaded guilty in a US court to conspiracy to commit device fraud, access device fraud, and possession of child pornography. The man, Conor Brian Fitzpatrick, 21, of Peekskill, New York, was arrested on March 15, 2023, being charged with conspiracy to commit access device fraud. Fitzpatrick, known online as "Pompompurin," has admitted to investigators that he was the owner and administrator of the BreachForums portal. Also known as Breached, BreachForums was launched in 2022 as an alternative to RaidForums, a cybercrime marketplace that was taken down by law enforcement in February 2022. According to US law enforcement, BreachForums claimed to have over 340,000 members at the time it was shut down. The FBI noted that during its year of operation, the website became a top hacker marketplace, facilitating the trading of hacked or stolen data, including bank account information, Social Security numbers, personally identifiable information, hacking tools, online account credentials, and hacking services for hire. According to the plea agreement, Fitzpatrick faces up to 10 years in prison for conspiracy to commit access device fraud, 10 years in prison for solicitation for the purpose of offering access devices, and up to 20 years in prison for possession of child pornography. The maximum penalty for each count also includes a fine of $250,000, and supervised release.

SecurityWeek reports: "Owner of Cybercrime Website BreachForums Pleads Guilty"

Gamaredon, a threat actor with connections to Russia, was observed conducting data exfiltration operations within an hour of the initial compromise. As a vector of primary compromise, emails and messages in messengers (i.e., Telegram, WhatsApp, Signal) are used, in most cases, with previously compromised accounts, according to a published analysis by the Computer Emergency Response Team of Ukraine (CERT-UA). Gamaredon, also known as Aqua Blizzard, Armageddon, Shuckworm, and UAC-0010, is a state-sponsored actor connected to the SBU Main Office in the Autonomous Republic of Crimea. It is estimated that this group has infected thousands of government computers. This article continues to discuss recent findings and observations regarding Gamaredon.

THN reports "CERT-UA Uncovers Gamaredon's Rapid Data Exfiltration Tactics Following Initial Compromise"

Guest accounts in Azure AD (AAD) provide external third parties with limited access to corporate resources. The objective is to facilitate collaboration without excessive risk of exposure. However, enterprises may inadvertently overshare access to sensitive resources and applications with Azure AD guests, thus enabling data theft and other threats. An upcoming presentation at Black Hat USA will detail how a toxic combination of easily manipulable default guest account settings and connections within Microsoft's low-code development platform known as Power Apps can open the door for guest accounts to gain access to the corporate jewels. This article continues to discuss the possible data theft by rogue Azure AD guests through Power Apps.

Dark Reading reports "Rogue Azure AD Guests Can Steal Data via Power Apps"

Brett Callow, a threat analyst at Emsisoft, has been monitoring the MOVEit attack carried out by a notorious cybercrime gang, and he is currently aware of 347 impacted organizations, including 58 educational institutions in the United States. Callow noted that the number of impacted organizations includes both ones that were directly affected and ones that were indirectly hit. Callow believes more than 18.6 million individuals had their data compromised as a result of the MOVEit hack. Callow warned that the Cl0p ransomware group conducted the attack and is in possession of a massive quantity of data that could be useful for business email compromise (BEC) and phishing attacks.

SecurityWeek reports: "MOVEit Hack: Number of Impacted Organizations Exceeds 340"

The City College of New York is participating in a $12 million Google initiative aimed at boosting the cybersecurity ecosystem and positioning New York City as the global leader in cybersecurity. Other institutions involved in the Google Cyber NYC Institutional Research Program include CUNY, Columbia University, Cornell, and New York University. Rosario Gennaro, Nelly Fazio, and Samah Saeed are three faculty members from The City College's Grove School of Engineering who are among the $12 million grant beneficiaries for advanced research. Gennaro and Fazio are conducting research together. They will work on developing new and more efficient Zero-Knowledge Proofs, which are used to protect the privacy and integrity of computations performed on data distributed over networks. The project scope includes new cryptographic schemes, resistance to quantum computing advances, and more. Saeed's research focuses on identifying new techniques for hiding information/gates in quantum circuits. Findings from this research will inform the development of a lightweight security application to prevent the illegal distribution of quantum circuits at a low cost by using information hiding. This article continues to discuss the cybersecurity research of the Grove School experts participating in Google's $12 million cybersecurity research program.

The City College of New York reports "Three Grove School Faculty Join $12 Million Google Cybersecurity Research Project"

Cybersecurity remains a global concern, with a lack of skilled professionals worsening the problem. Therefore, Carnegie Mellon's picoCTF-Africa, a computer security competition for high school, undergraduate, and graduate students on the African continent, seeks to raise awareness and introduce the future workforce to the cybersecurity field. In its second year, the cybersecurity hacking competition attracted more than 1,250 students, with the number of female competitors doubling and the number of high school competitors increasing by over 365 percent. In addition, four teams finished in the top 50 on the global leaderboard for picoCTF, showing the immediate impact of the effort. Assane Gueye, co-director of the Upanzi Network and CyLab-Africa initiatives and associate teaching professor at CMU-Africa, commented that cybersecurity is rarely considered when young Africans consider possible career paths. Students entering college lack cybersecurity awareness, and those who explore the field typically do so after getting an undergraduate degree in computer science. However, picoCTF-Africa aims to change this by introducing cybersecurity to high school students across the continent. This article continues to discuss the growth seen by Carnegie Mellon's picoCTF-Africa.

Carnegie Mellon University Africa reports "picoCTF-Africa Sees Significant Growth in Competition's Second Year"

According to security researchers at Comparitech, global financial services organizations have lost over $32bn in downtime since 2018 due to ransomware breaches. The researchers analyzed 225 confirmed attacks on the sector over the past five years and found that the average organization loses two weeks in downtime due to an incident. Among the sub-sectors analyzed in the financial sector were credit unions, accounting companies, public and retail banks, and insurers. Of these, insurance companies recorded the highest number of attacks over the period (65). The researchers noted that demands varied from $180,000 to $40m, with the average demand peaking in 2021 at $61.6m. The researchers noted that 2021 was the biggest year for ransomware attacks on finance companies, with 86 recorded in total, followed by 2020 (56).

Infosecurity reports: "Ransomware Costs Financial Services $32bn in Five Years"

As a result of a recent ransomware attack, residents of Cornelius, North Carolina, are facing delayed or inaccessible services. The town has a population of around 32,000 and is a prominent Charlotte suburb on Lake Norman. On the evening of July 11, government officials discovered a cybersecurity incident later identified as a ransomware attack. According to the town government, the Technology Operations (TechOps) Department promptly disconnected on-site technology from the network to contain the threat and prevent its spread. Last year, North Carolina became the first US state to prohibit all government entities from paying ransoms in response to ransomware attacks, a controversial measure questioned by several cybersecurity experts. When the law was passed, some feared it would provide ransomware gangs with an additional means of extortion, allowing them to threaten organizations not only with the release of stolen data but also with unverified claims of having paid a ransom in violation of state law. This article continues to discuss the ransomware attack on a North Carolina town and the state's ban on ransom payments associated with ransomware attacks.

The Record reports "Services in North Carolina Town Unavailable After Ransomware Attack"

A recently discovered remotely-exploitable critical vulnerability in the Cisco SD-WAN vManage software could allow unauthenticated attackers to retrieve information from vulnerable instances. Tracked as CVE-2023-20214 (CVSS score of 9.1), the vulnerability exists because the REST API feature of vManage does not sufficiently validate requests. Cisco noted that the vManage API allows administrators to configure, control, and monitor Cisco devices over the network. Cisco stated that an attacker could trigger the vulnerability by sending a crafted API request to a vulnerable instance to retrieve information from vManage or send information to it. Cisco explained in an advisory that a vulnerability in the request authentication validation for the REST API of Cisco SD-WAN vManage software could allow an unauthenticated, remote attacker to gain read permissions or limited write permissions to the configuration of an affected Cisco SD-WAN vManage instance. Cisco noted that the web-based management interface and the CLI are not impacted by this security defect. Cisco said that to hunt for attempts to access the REST API, administrators are advised to examine a log file. The existence of requests in the log, however, does not indicate unauthorized access. Cisco noted that while there are no workarounds to address this bug, implementing access control lists (ACLs) to limit vManage access mitigates the issue. Cisco explained that in cloud hosted deployments, access to vManage is limited by ACLs that contain permitted IP addresses. Network administrators should review and edit the permitted IP addresses in the ACLs. In on-premises deployments, vManage access can be limited in a similar way by using ACLs and configuring permitted IP addresses. The vulnerability has been addressed with the release of SD-WAN vManage versions 20.6.3.4, 20.6.4.2, 20.6.5.5, 20.9.3.2, 20.10.1.2, and 20.11.1.2. Versions 18.3 to 20.6.3.2 are not affected. Customers using SD-WAN vManage versions 20.7 and 20.8 are advised to migrate to a patched version. Cisco noted that it is unaware of this vulnerability being exploited in attacks.

SecurityWeek reports: "Critical Cisco SD-WAN Vulnerability Leads to Information Leaks"

Researchers at MIT developed a new data privacy metric, Probably Approximately Correct (PAC) Privacy, and an algorithm based on this metric that can automatically determine the minimum amount of randomness that must be added to a Machine Learning (ML) model in order to protect sensitive data such as lung scan images from adversaries. The algorithm does not require knowledge of a model's inner workings or its training process, making it simpler to apply to various models and applications. In multiple cases, the researchers demonstrate that the amount of noise needed to protect sensitive data is significantly less with PAC Privacy than with other approaches. This could help engineers develop ML models that provably hide training data while maintaining accuracy in the real world. This article continues to discuss the privacy technique created by MIT researchers that protects sensitive data while maintaining an ML model's performance.

MIT News reports "A New Way to Look at Data Privacy"