News Items

Recently, over 34 million Indonesian passports were leaked in a massive data breach impacting the country's Immigration Directorate General at the Ministry of Law and Human Rights. Cybersecurity researcher and founder of Ethical Hacker Indonesia, Teguh Aprianto, disclosed the breach, attributing the attack to a hacktivist identified as Bjorka. Indonesian authorities are investigating the breach while the threat actor has offered the treasure trove for sale on his data leak site. Aprianto posted a screenshot on his Twitter of the allegedly stolen 4GB of passport data, currently selling for $10,000. The hackers have provided 1 million data samples which appear to be valid. The timestamp is from the 2009-2020 period. The exposed data includes full names, passport numbers, dates of issue, expiry dates, dates of birth, and gender of 34.9 million Indonesian passport holders. Indonesia's Ministry of Communications and Information Technology has confirmed being notified of the alleged data leak.

CPO Magazine reports: "34 Million Indonesian Passports Exposed in a Massive Immigration Directorate Data Breach"

A new strain of malware has been targeting small office/home office (SOHO) routers covertly for over two years, infiltrating more than 70,000 devices and creating a botnet with 40,000 nodes across 20 countries. The malware has been dubbed AVrecon by Lumen Black Lotus Labs, making it the third strain to target SOHO routers over the past year after ZuoRAT and HiatusRAT. According to the company, AVrecon is one of the largest SOHO router-targeting botnets ever. The campaign's objective appears to be the creation of a covert network to facilitate various criminal activities, including password spraying and digital advertising fraud. The US and the US account for most infections, followed by Argentina, Nigeria, Brazil, Italy, Bangladesh, Vietnam, India, Russia, and South Africa. This article continues to discuss the AVrecon malware behind one of the largest SOHO router-targeting botnets.

THN reports "New SOHO Router Botnet AVrecon Spreads to 70,000 Devices Across 20 Countries"

Cybercriminals are using generative Artificial Intelligence (AI) technology to help conduct activities and execute Business Email Compromise (BEC) attacks. WormGPT is a black-hat alternative to GPT models designed specifically for malicious activities. According to a report by SlashNext, WormGPT was trained on a variety of data sources, with a focus on malware-related data. It generates human-like text based on the input it receives and can produce highly convincing phishing emails. Screenshots from a cybercrime forum show exchanges between malicious actors discussing how to use ChatGPT to boost the success of BEC attacks, suggesting that hackers with limited fluency in the target language can use generative AI to create a convincing email. The research team also looked at the potential risks associated with WormGPT, focusing on BEC attacks, by instructing the tool to generate an email to drive an account manager into making payment for a fraudulent invoice. This article continues to discuss the WormGPT cybercrime tool.

Dark Reading reports "WormGPT Cybercrime Tool Heralds an Era of AI Malware vs. AI Defenses"

According to Sarah Parker, the chair of health systems and implementation science at Virginia Tech Carilion School of Medicine, physicians spend much of their days handling computer inputs. Parker emphasized that while medical professionals work to save a patient's life, they are also responsible for the patient's digitized information. Therefore, she and her team are developing methods to improve data security while reducing machine interactions to improve patient care. The team is exploring how to foster a shared awareness between healthcare providers and patients. Recently, the project's scope has been expanded to research how to integrate privacy and security into the location-to-location flow of medical data within healthcare systems. This article continues to discuss the Virginia Tech research team's project aimed at exploring methods to streamline the workflow of medical data while integrating privacy and security.

Virginia Tech reports "Virginia Tech Researchers Maximize Data Security, Minimize Machine Interactions to Improve Patient Care"

According to recently published research, cloud computing technologies pose significant cybersecurity risks to federal agencies and other organizations that do not adapt their processes and workforce to the cloud paradigm. In its report, the Cyber Statecraft Initiative at the Atlantic Council examines emerging risks associated with critical infrastructure organizations that use new cloud services and offerings. The report highlights two different risks associated with cloud technologies: compounded risk and delegated control and visibility. Multiple cloud services create an increasingly complex infrastructure, heightening the threat of security vulnerabilities and thus compounding risk. Delegated control and visibility can pose risks when cloud service users have limited insight into the underlying infrastructure of their products and lack direct command over critical security issues. This article continues to discuss key findings and points shared in the report.

NextGov reports "Cloud Poses Special Cyber Risks for Critical Infrastructure, Report Warns"

Networking appliances maker Juniper Networks recently announced software updates that patch multiple high-severity vulnerabilities in Junos OS, Junos OS Evolved, and Junos Space. The company published 17 advisories detailing roughly a dozen Junos OS-specific security defects and nearly three times as many issues in third-party components used in its products. Three of the new advisories describe high-severity vulnerabilities in Junos OS and Junos OS Evolved that could lead to denial-of-service (DoS). The flaws impact QFX10000, MX, and SRX series networking appliances. Eight other advisories deal with medium-severity Junos OS and Junos OS Evolved flaws that could also be exploited to cause DoS conditions. Juniper Networks also recently released software updates to patch all 11 vulnerabilities, noting that no workarounds are available for any of these issues. The company also announced software updates for SRX series and MX series devices to resolve a high-severity issue in Intrusion Detection and Prevention (IDP) that could allow an unauthenticated attacker on the network to cause a DoS condition. The company is unaware of any of these vulnerabilities being exploited in attacks.

SecurityWeek reports: "Juniper Networks Patches High-Severity Vulnerabilities in Junos OS"

Bard, Google's Artificial Intelligence (AI)-powered content generator, will readily compose phishing emails upon request and, under the right prompting, can generate basic ransomware code. Researchers at Check Point note that this places Bard behind its principal rival ChatGPT in terms of cybersecurity. The cybersecurity company conducted the analysis as there are concerns that OpenAI's Large Language Model (LLM) could be used to generate similarly malicious texts and programs. According to Check Point, while ChatGPT's creator has strengthened security, Google has a ways to go before the same can be said about it. The research team ran identical queries through both AI programs. Its initial request for "a phishing email" was denied by both, but ChatGPT added the disclaimer that such activities were "fraudulent," while Bard merely stated that it was unable to follow through. This article continues to discuss Check Point's research on Bard's potential to generate malicious content that poses a significant cybersecurity risk.

Cybernews reports "Google's Bard Poses Ransomware Risk, Say Researchers"

According to security researchers at Barracuda Networks, global email-based extortion scams are the work of just a small group of fraudsters. The researchers teamed up with Columbia University to analyze over 300,000 extortion emails tracked by the firm over a one-year period. They looked specifically at the Bitcoin addresses used by the scammers in order to discern specific trends. The researchers found that the attacks are concentrated within a small number of Bitcoin addresses. There are, in total, around 3000 unique Bitcoin addresses in their dataset, of which the top 10 addresses appear in about 30% of emails, and the top 100 addresses appear in about 80% of emails. The researchers concluded that "even though extortion is a significant email threat with millions of malicious emails sent to victims every year, it is caused by a relatively small group of perpetrators (fewer than 100 attackers, and probably an even smaller number than that, assuming attackers use multiple Bitcoin addresses)." The researchers noted that they suspect these small groups of attackers use similar best practices and templates. The researchers noted that to stay under the radar, the fraudsters typically demand an amount between $400 and $5000, with 90% asking for less than $2000. This "sweet spot" is thought to be chosen because it's more likely victims will pay without investigating whether the scammer actually has compromising information on them.

Infosecurity reports: "Fewer Than 100 Scammers Responsible For Global Email Extortion"

This year could be another record breaker for data compromise following 951 publicly reported incidents in the second quarter, the Identity Theft Resource Center (ITRC) has warned. The ITRC has been tracking publicly reported data breaches and exposures since 2005. The ITRC noted that while the figures for Q2 2023 represent a 114% increase on the previous three months, the total for the first half of the year stands at 1393 data compromise events. That's higher than the total figure for every year but one between 2005 and 2020, the ITRC said. It also puts 2023 on track to beat the previous all-time high of 1862 compromises recorded in 2021. The ITRC stated that the H1 2023 figure represents a 153% year-on-year increase, with breach notices impacting a staggering 156 million individuals. The ITRC noted that although that's some way short of the 424 million people affected by data events in 2022, the figures should be concerning for security teams. The vast majority (99%) of incidents in the half year were the result of breaches, with just 12 data exposures recorded. Cyberattacks accounted for 75%, while "system and human error" contributed 22% of the total. Supply chain attacks accounted for 8% of total data compromise incidents and 14% of victims. The top industry affected by incidents was healthcare, followed by financial services. The ITRC noted that the number of data breaches with no actionable information about the root cause of the compromise grew 67% to 534 in H1 2023. The ITRC stated that opacity on the part of breached organizations impairs the ability of impacted parties to make informed decisions about what actions to take in the aftermath of incidents.

Infosecurity reports: "US on Track For Record Number of Data Breaches"

According to the U.S. Cybersecurity and Infrastructure Security Agency (CISA), two security vulnerabilities affecting Rockwell Automation ControlLogix EtherNet/IP (ENIP) communication module models could be exploited for Remote Code Execution (RCE) and Denial-of-Service (DoS). Researchers at Dragos noted that depending on the ControlLogix system configuration, exploiting these vulnerabilities could result in denial or loss of control, denial or loss of view, theft of operational data, or manipulation of control with disruptive or destructive effects on the industrial process for which the ControlLogix system is responsible. CISA noted that successfully exploiting these vulnerabilities could enable malicious actors to gain remote access to the running memory of the module and conduct malicious activity. This article continues to discuss the potential exploitation and impact of the two security flaws impacting Rockwell Automation ControlLogix EtherNet/IP (ENIP) communication module models.

THN reports "Rockwell Automation ControlLogix Bugs Expose Industrial Systems to Remote Attacks"

After researching QuickBlox's Software Development Kit (SDK) and Application Programming Interface (API), Team 82 and Check Point Research discovered critical vulnerabilities that put millions of users' personal data at risk. The chat and video calling platform QuickBlox is used in various fields, including the medical and financial sectors. Team 82 and Check Point Research were the first to develop multiple proof-of-concept (PoC) exploits for applications running the API as part of their research into the platform's vulnerabilities. The teams also showed examples of how threat actors may access information about QuickBlox users by using secret tokens and passwords in the platform's architecture. This article continues to discuss the QuickBlox API vulnerabilities.

Dark Reading reports "QuickBlox API Vulnerabilities Open Video, Chat Users to Data Theft"

Microsoft mitigated an attack by a threat actor with ties to China, tracked as Storm-0558, which targeted customer emails. Storm-0558 threat actors have been observed conducting cyber espionage, data theft, and credential access attacks against government agencies in Western Europe. A customer reported the attack on June 16, 2023, but the investigation revealed that the attack began on May 15, 2023, when Storm-0558 gained access to the email accounts, impacting around 25 organizations, including government agencies and consumer accounts likely associated with these organizations. Using an acquired Microsoft account consumer signing key, the attackers forged authentication tokens to access user email. This article continues to discuss Microsoft's mitigation of a cyberattack by Storm-0558 threat actors.

Security Affairs reports "Microsoft Mitigated an Attack by Chinese Threat Actor Storm-0558"

Fortinet recently announced security updates that address a critical-severity vulnerability in FortiOS and FortiProxy that could be exploited for remote code execution (RCE). Tracked as CVE-2023-33308 (CVSS score of 9.8), the bug is described as a stack-based overflow issue impacting the deep inspection function in proxy mode. Fortinet noted that a stack-based overflow vulnerability in FortiOS & FortiProxy may allow a remote attacker to execute arbitrary code or command via crafted packets reaching proxy policies or firewall policies with proxy mode alongside SSL deep packet inspection. The company stated that because the issue only occurs if deep inspection is enabled on proxy policies or firewall policies with proxy mode, disabling the function prevents exploitation. The vulnerability impacts FortiOS and FortiProxy versions 7.2.x and 7.0.x and was resolved in FortiOS versions 7.4.0, 7.2.4, and 7.0.11, and FortiProxy versions 7.2.3 and 7.0.10. Fortinet noted that the bug was addressed in a previous release without an advisory. Recently, Fortinet also announced patches for a medium-severity FortiOS vulnerability that could allow an attacker to reuse a deleted user's session. Tracked as CVE-2023-28001, the flaw exists because an "existing websocket connection persists after deleting API admin." Fortinet noted that an insufficient session expiration vulnerability in FortiOS REST API may allow an attacker to reuse the session of a deleted user, should the attacker manage to obtain the API token. The vulnerability impacts FortiOS versions 7.2.x and 7.0.x and was addressed in FortiOS version 7.4.0. Fortinet users are advised to apply the patches as soon as possible.

SecurityWeek reports: "Fortinet Patches Critical FortiOS Vulnerability Leading to Remote Code Execution"

The Association for Computing Machinery's global Technology Policy Council (ACM TPC) has issued "Principles for the Development, Deployment, and Use of Generative AI Technologies" in response to significant advancements in generative Artificial Intelligence (AI) technologies and the important questions these technologies raise in areas such as intellectual property, the future of work, and even human safety. Using the extensive technical knowledge of computer scientists in the US and Europe, the ACM TPC statement outlines eight principles designed to promote fair, accurate, and advantageous decision-making regarding generative and all other AI technologies. One of the principles pertains to increased security and privacy. Generative AI systems are vulnerable to many new security and privacy risks, including new attack vectors and data breaches. This article continues to discuss the principles for generative AI technologies issued by the ACM TPC.

ACM reports "World's Largest Association of Computing Professionals Issues Principles for Generative AI Technologies"

According to cybersecurity researchers, hackers are targeting Chinese-speaking Microsoft users with a tool called RedDriver that enables them to intercept web browser traffic. The Cisco Talos team has identified multiple variants of the RedDriver tool, which they believe has been used since at least 2021. The creators of RedDriver appear to be skilled in driver development and have an in-depth understanding of the Windows operating system. Drivers enable an operating system to communicate with hardware components, such as printers and monitors. This threat appears to target native Chinese speakers, as it seeks to take over Chinese-language web browsers. RedDriver was not linked to a specific cyber threat group. According to the researchers, the attack begins with a malicious file named DNFClient, referencing the popular game Dungeon Fighter Online. Once the file is executed, it initiates the download of RedDriver, described as a critical element of a multi-stage infection chain that ultimately hijacks browser traffic and redirects it. This article continues to discuss hackers targeting Chinese-speaking Microsoft users with RedDriver.

The Record reports "Hackers Target Chinese-Speaking Microsoft Users With 'RedDriver' Browser Hijacker"

A snapshot of cryptocurrency-related crimes at the midpoint of 2023 revealed a drop in the amount of money directed to wallets associated with known or suspected criminal activity in nearly every category of crime. A report by Chainalysis revealed that the largest revenue decreases were attributable to cryptocurrency scams, which include investment scams, romance scams, pig butchering, and fraudulent cryptocurrency services. So far this year, wallets associated with fraudsters have received around $1 billion, a $3.3 billion decrease from the $4.3 billion they took during the first six months of 2022. Similar but less severe drops were also observed for hack-related wallets ($1.12 billion), cybercriminal administrators ($839 million), darknet markets ($59.8 million), and fraud shops ($44.1 million). This article continues to discuss insights from Chainalysis' report on revenue dips tied to cryptocurrency scams.

SC Media reports "Cryptocurrency Crime Is Down in 2023, but Ransomware Is Up"

Researchers have discovered a Microsoft-signed rootkit designed to communicate with an actor-controlled attack infrastructure. Trend Micro attributes the activity cluster to the same actor previously identified as being responsible for the FiveSys rootkit, which was discovered in October 2021. According to Trend Micro's researchers, this malicious actor originates in China, and their primary victims are the gaming sector in China. Their malware appears to have gone through the Windows Hardware Quality Labs (WHQL) process to get a valid signature. Multiple variants of the rootkit spanning eight separate clusters have been identified, and 75 of such drivers were signed using Microsoft's WHQL program in 2022 and 2023. Trend Micro's analysis of a portion of the samples revealed debug messages in the source code, suggesting that the operation is still in the development and testing phase. This article continues to discuss the rootkit signed by Microsoft used by Chinese hackers to target the gaming sector.

THN reports "Chinese Hackers Deploy Microsoft-Signed Rootkit to Target Gaming Sector"

According to the H1 2023 ESET Threat Report, trends in the threat landscape demonstrate the adaptability of cybercriminals as they seek out new methods of attack, such as exploiting vulnerabilities, gaining unauthorized access, compromising sensitive information, and defrauding individuals. Microsoft's stricter security policies, particularly regarding the opening of macro-enabled files, are a factor in the evolution of attack patterns. ESET telemetry data also suggests that the threat actors behind the once-notorious Emotet botnet have struggled to adapt to the shrinking attack surface, perhaps indicating that a different group has taken control of the botnet. Actors in the ransomware realm are increasingly reusing released source code to create new ransomware variants. This article continues to discuss key findings from the H1 2023 ESET Threat Report.

Help Net Security reports "Same Code, Different Ransomware? Leaks Kick-Start Myriad of New Variants"

Using a combination of modern cryptographic techniques and the fundamental properties of quantum light, scientists from the University of Vienna have designed an unconditionally secure system for shopping in digital settings. The research team demonstrated how the quantum properties of light particles or photons can guarantee unconditional security for digital payments. In an experiment, the researchers showed that each transaction cannot be duplicated or redirected by malicious parties, and that the user's sensitive data remains confidential. This article continues to discuss the demonstration of quantum physics-secured digital payments.

The University of Vienna reports "Quantum Physics Secures Digital Payments"

A Harvard University subdomain vulnerability exposed the website to Remote Code Execution (RCE) attacks, potentially enabling threat actors to steal and modify stored data. The Cybernews research team discovered the WebLogic Server vulnerability with a severity score of 9.8 out of 10, affecting the Harvard University courses website. WebLogic Server is a Java-based application server developed by the American multinational computer technology company Oracle. The vulnerability, tracked as CVE-2020-2551, enables an adversary to execute code remotely on a vulnerable server without authentication. Researchers note that exploiting this vulnerability allows an attacker to gain complete control over the vulnerable server and access or modify sensitive data or disrupt business operations. This article continues to discuss the potential exploitation and impact of the Harvard University subdomain vulnerability.

Cybernews reports "Harvard University Web Flaw Exposed It to Remote Attacks"

A voice-based phishing (vishing) malware is targeting Android phones and stealing sensitive financial information from victims, as part of a trend generating millions of dollars in profits using vishing attack techniques. These attacks, unlike the common and simple vishing scams, take over handsets, implant prerecorded voice messages, and reroute calls to scammer call centers. Researchers' analysis of the vishing campaign details how the malware operates and links it to a collection of malicious Android apps. When victims are tricked into installing the malware, malicious actors can launch a series of vishing attacks. The malware currently targets victims in South Korea, but researchers believe it could be easily adapted to operate in any country and sold as a service on the dark web. ThreatFabric researchers noted in a recent report that they discovered the malicious Letscall app during their routine threat-hunting activities. According to the researchers, the malware is particularly effective for stealing personal information and conducting financial scams. Once infected, threat actors can take over the device's calling function, thus enabling them to make spoofed calls claiming to be from a financial institution or to redirect calls to their own call center when the victim attempts to call their bank. This article continues to discuss findings regarding the vishing campaign targeting Android phones.

SC Magazine reports "Clever Letscall Vishing Malware Targets Android Phones"

HCA Healthcare recently announced that the personal information of roughly 11 million patients was stolen in a data breach. The incident was discovered on July 5 after a threat actor posted on an underground forum information allegedly stolen from HCA Healthcare. The threat actor posted a list containing names, addresses, birth dates, gender information, phone numbers, email addresses, service dates, and appointment dates, according to HCA Healthcare. The company is currently investigating the incident and cannot confirm the number of individuals whose information was impacted. HCA Healthcare believes that the list contains approximately 27 million rows of data that may include information for approximately 11 million HCA Healthcare patients. The company noted that the information was extracted from "an external storage location exclusively used to automate the formatting of email messages." According to the healthcare services provider, clinical information, payment information, or other sensitive information (such as passwords, Social Security numbers, and driver's license numbers) was not stolen in the attack. HCA Healthcare has informed law enforcement of the incident and plans to contact the impacted individuals but believes the incident will not have a material impact. One of the largest healthcare services providers in the US, HCA Healthcare operates 180 hospitals and more than 2,300 ambulatory sites of care across 20 states and the United Kingdom.

SecurityWeek reports: "Personal Information of 11 Million Patients Stolen in Data Breach at HCA Healthcare"

Researchers at Resecurity have identified the emergence of mobile Android-based tools called "mobile anti-detects." Criminals involved in online banking theft use these tools to impersonate compromised account holders and circumvent anti-fraud controls. The tools are priced between $700 and $1,000 and are designed for Android-based devices. They contain software that enables device firmware updates and customizable features, including fingerprint impersonation, GPS spoofing, and network anonymization. In addition, they include a version of HuskyDG's Magisk Delta, a popular tool for rooting and customizing Android devices by installing modules containing the "magiskhide" module. This article continues to discuss the emergence of adversarial mobile Android-based anti-detect tooling for mobile OS-based fraud.

Security Affairs reports "Cybercriminals Evolve Anti-detect Tooling for Mobile OS-Based Fraud"

Security operations teams observe firsthand how quickly attackers reinvent their attack strategies, automate attacks on multiple endpoints, and do whatever it takes to evade cyber defenses. Attackers have shown themselves to be persistent. For example, they consider holidays opportunities to breach a company's cybersecurity defenses. Consequently, SecOps teams are on call 24 hours a day, seven days a week, including weekends and holidays, combating burnout, alert fatigue, and a lack of life balance. One of the most difficult aspects of leading a SecOps team is gaining scale from legacy systems that generate different types of alerts, alarms, and real-time data streams. The most troublesome and exploited gaps created by this lack of integration is not knowing whether a given identity has permission to use a particular endpoint and, if so, for how long. Systems unifying endpoints and identities help define the future of zero trust, and the Artificial Intelligence (AI)-driven chatbot ChatGPT demonstrates promise for addressing identity-endpoint gaps and other vulnerable threat surfaces. This article continues to discuss the potential use of ChatGPT to close the SecOps gap.

VentureBeat reports "10 Ways SecOps Can Strengthen Cybersecurity With ChatGPT"