News Items

Sweetwater Union High School District recently announced that the personal information of students, families, and current and former employees was compromised in a February data breach. Between Feb. 11 and 12, an unauthorized person gained access to the district's computer network and took files that contained the personal information of an unknown number of people, including employees' dependents. The district, which serves about 36,000 middle and high school students, initially would not say whether there had been a cybersecurity attack. The district has not said how many people were potentially affected by the incident and has not publicly announced what information was compromised. Employees and parents began receiving letters last week from the district informing them about the breach. In one letter received by a teacher, it said that an unauthorized person gained access to files that included their name and Social Security number. The district said it is offering a one-year credit monitoring and identity theft protection service via a third party to those affected.

Goverment Technology reports: "Sweetwater UHSD Data Breach Compromises Student, Staff Info"

IOActive researchers explored the development of fault injection attacks against hardened Unmanned Aerial Vehicles (UAVs) as the use of drones continues to increase. The researchers focused on executing code on a commercially available drone, supporting security features such as the use of signed and encrypted firmware, Trusted Execution Environment (TEE), and Secure Boot, through the use of non-invasive methods. The research aimed to achieve the goal by using electromagnetic (EM) side-channel attacks or EM fault injection (EMFI). They tested the attacks against DJI's Mavic Pro, one of the most popular quadcopter drones. This article continues to discuss the possibility of EMFI attacks on drones.

Security Affairs reports "Using Electromagnetic Fault Injection Attacks to Take Over Drones"

A new vulnerability, tracked as CVE-2023-26258, was identified in the web management interface of Arcserve UDP by security researchers at MDSec. The researchers noted that successfully exploiting the bug could allow an attacker to access the administrative interface. According to the researchers, the flaw was discovered in the way HTTP requests containing login information were transmitted between the web browser and the administrative interface. Specifically, the security researchers observed that a user validation method being invoked creates a client acting as a proxy that communicates with a web service responsible for validating the supplied credentials. The researchers noted that because the location of the web service is supplied in the request, they were able to modify the request so that the client would contact an HTTP server controlled by them. Further analysis of the requests transmitted between the client and the web service allowed the researchers to identify information such as OS version, domain name, and administrator account name, along with a method that validates users by UUID, and an AuthUUID value. The researchers stated that once they supplied the AuthUUID value to the web service, they received the cookie for a valid administrator session in response, which allowed them to retrieve the encrypted password for that account. MDSec reported the vulnerability in early February 2023. A patch was released on June 27, roughly four months after a CVE identifier was assigned to the bug. Arcserve UDP 9.1 resolves CVE-2023-26258, along with an Apache Commons FileUpload (CVE-2023-24998) flaw, three Spring Framework vulnerabilities made public last year, and various other issues.

SecurityWeek reports: "Serious Vulnerability Exposes Admin Interface of Arcserve UDP Backup Solution"

The "Akira" ransomware operation now uses a Linux encryptor to encrypt VMware ESXi Virtual Machines (VMs) in double extortion attacks against companies globally. Akira first appeared in March 2023, targeting Windows systems in different industries, including education, finance, real estate, and manufacturing. The threat actors, like other enterprise-targeting ransomware groups, steal data from breached networks and encrypt files to carry out double extortion on victims, demanding payments of several million dollars. Since its emergence, the ransomware operation has claimed more than 30 victims in the US alone, with two different surges in ID Ransomware submissions at the end of May and in June. The malware analyst rivitna recently shared a sample of the new encryptor on VirusTotal after discovering the Linux variant of Akira. This article continues to discuss the Linux version of Akira ransomware targeting VMware ESXi servers.

Bleeping Computer reports "Linux Version of Akira Ransomware Targets VMware ESXi Servers"

According to Rezilion, many popular generative Artificial Intelligence (AI) projects pose an increased security risk. Open source projects that use insecure generative AI and Large Language Models (LLMs) also have a poor security posture, resulting in a risky environment for organizations. The popularity of generative AI has grown, allowing users to create, interact with, and consume content in unprecedented ways. With the advancements in LLMs, such as Generative Pre-Trained Transformers (GPT), machines can now generate text, images, and code. The number of open source projects implementing these technologies is rising exponentially. More than 30,000 open source projects on GitHub are now using the GPT-3.5 family of LLMs. However, GPT and LLM projects pose several security risks to organizations that use them, such as trust boundary risks, data management risks, inherent model risks, and general security issues. This article continues to discuss generative AI security risks.

Help Net Security reports "Popular Generative AI Projects Pose Serious Security Threat"

The Center for Cyber Law, Policy, and Security (Pitt Cyber), together with Pitt Information Technology (Pitt IT), recently held the sixth annual Air Force Associate (AFA) CyberCamp. The EQT Foundation and Grable Foundation, along with the Pitt Community Engagement Centers and Pitt Engineering, supported the one-week camp. High school students in the Pittsburgh area who are interested in learning about cybersecurity principles, skills, and future career opportunities were welcome to participate for free. Students were taught throughout the week on cyber ethics and security fundamentals, as well as Windows, Ubuntu, and Linux security policies. Although many people believe cybersecurity is all about the attack strategies used by malicious actors, CyberCamp participants learned defensive strategies to thwart hackers. This article continues to discuss the sixth annual AFA CyberCamp and the importance of increasing cybersecurity interest among young people.

The University of Pittsburgh reports "CyberCamp Introduces Students to Cybersecurity"

In recent years, ransomware attacks have evolved into a persistent security risk. The inability to effectively respond to this challenge has normalized what should be intolerable: organized cybercriminals harbored by hostile states disrupting and extorting businesses and critical services regularly. Following last year's cyberattacks on Optus and Medibank, the Australian government has signaled its willingness to address one of the most difficult and divisive questions in cyber policy, which is whether ransomware payments should be prohibited. According to the specialist ransomware negotiation company Coveware, the profits ransomware attackers generate outweigh the risks. There are almost no entry barriers, and the profit margin can reach 98 percent. Therefore, a ban on payments makes logical sense. Stopping payments will eliminate the primary motivation for ransomware attacks, and those in search of a fast buck will look elsewhere. This article continues to discuss the debate regarding ransomware payments.

Australian Strategic Policy Institute reports "To Pay or Not to Pay? Ransomware Attacks Are the New Kidnapping"

Cybercriminals frequently target software development and delivery supply chains. These environments can be used to compromise cloud deployments throughout the automated software development and delivery lifecycle. The National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) have released a Cybersecurity Information Sheet (CSI) titled "Defending Continuous Integration/Continuous Delivery (CI/CD) Environments" to provide guidance for incorporating security best practices into typical software development and operations (DevOps) CI/CD environments. The CSI recommends best practices for authentication and access control, development environments and tools, and the development process for hardening CI/CD pipelines. NSA and CISA recommend that organizations and network defenders implement the mitigations in this CSI to reduce CI/CD environment compromise and create a difficult environment for malicious cyber actors. This article continues to discuss the CSI released by NSA and CISA on defending CI/CD environments.

NSA reports "NSA and CISA Best Practices to Secure Cloud Continuous Integration/Continuous Delivery Environments"

New research conducted by Group-IB reveals that threat actors are increasingly compromising ChatGPT accounts. They may use this access to collect sensitive data and launch additional targeted attacks. According to Group-IB, ChatGPT credentials have become a major target for malicious activities. Researchers cautioned that because OpenAI's Artificial Intelligence-driven chatbot stores past user queries and AI responses by default, each account could be an entry point for threat actors to access user data. Dmitry Shestakov, head of threat intelligence at Group-IB, emphasizes that exposed information, whether personal or professional, could be used for malicious purposes such as identity theft, financial fraud, targeted scams, and more. Over the past year, Group-IB researchers identified 101,134 information stealer-infected devices storing ChatGPT data. Using Group-IB's Threat Intelligence platform to gain visibility into dark web communities, researchers were able to find compromised ChatGPT credentials within the logs of information stealers sold by threat actors via illicit marketplaces. Most victims were found to reside in the Asia-Pacific region. This article continues to discuss threat actors exploiting stolen ChatGPT accounts to collect users' sensitive data and professional credentials.

TechTarget reports "ChatGPT Users at Risk for Credential Theft"

Security researchers at FortiGuard Labs discovered a new infostealer called ThirdEye that is potentially targeting Windows users. The researchers stated that ThirdEye is designed to extract valuable system information from compromised machines, which can be used in future cyberattacks. The researchers said that while ThirdEye is not considered technically elaborate, its capabilities include harvesting BIOS and hardware data, enumerating files and folders, identifying running processes, and collecting network information. The researchers noted that after collecting the compromised system's information, the malware sends it to a command-and-control (C2) server. Notably, the infostealer uses a unique string, "3rd_eye," to identify itself to the C2. The researchers stated that analysis of the samples revealed that the earliest variant, discovered in April 2023, collected limited information compared to the more recent samples. Over time, the infostealer has evolved, adding additional data-gathering capabilities. The researchers noted that ThirdEye variants were submitted to a public scanning service from Russia, and the latest variant has a file name in Russian, suggesting a potential focus on Russian-speaking organizations. The researchers emphasized that while there is no concrete evidence of ThirdEye being used in attacks, system defenders should still be wary of this malware tool.

Infosecurity reports: "ThirdEye Infostealer Poses New Threat to Windows Users"

According to security researchers at Zimperium, the volume of mobile malware, phishing sites dedicated to mobiles, and mobile vulnerabilities increased significantly in 2022. The researchers found that the percentage of phishing sites targeting mobile devices increased from 75% to 80% year-on-year in 2022. The researchers also found that the average user is between six and ten times more likely to fall for an SMS phishing attack than an email-based one. The researchers detected an average of four malicious or phishing links clicked for every device protected with the company's anti-phishing technology. The researchers noted that phishing is not the only threat facing BYOD and corporate devices. The researchers detected a 51% increase in mobile malware variants between 2021 and 2022, reaching 920,000 unique samples. From 2021 to 2022, the share of Android devices with malware detected rose from one in 50 to one in 20. The researchers detected over 3000 unique spyware samples. EMEA (35%) and North America (25%) had the highest percentage of devices impacted by spyware last year. The researchers also found that mobile vulnerabilities are also surging. There was a 138% increase in detected bugs on the Android ecosystem in 2022, while Apple's iOS accounted for 80% of zero-days actively exploited in the wild last year.

Infosecurity reports: "Mobile Malware and Phishing Surge in 2022"

Observing a computer program's behavior, such as how much time it spends accessing the computer's memory, enables a skilled hacker to obtain sensitive data, such as a password. Approaches to security that completely block these side-channel attacks are so computationally costly that they are impractical for many real-world systems. Therefore, engineers often use obfuscation schemes that aim to limit, but not eliminate, an attacker's ability to discover secret information. In order to help engineers and scientists better understand the effectiveness of various obfuscation schemes, MIT researchers developed a framework to quantitatively evaluate the amount of information an attacker could glean from a victim program with an obfuscation scheme. Their framework, dubbed "Metior," helps the user examine how different victim programs, attacker strategies, and obfuscation scheme configurations impact how much sensitive information is leaked. Engineers who develop microprocessors could use the framework to evaluate the effectiveness of multiple security schemes and determine the most promising architecture early in the design process. This article continues to discuss the system devised by MIT researchers that analyzes the likelihood that an attacker could thwart a certain security scheme to steal secret information.

MIT News reports "MIT Researchers Devise a Way to Evaluate Cybersecurity Methods"

Cybersecurity researchers have uncovered a new ongoing campaign targeting the npm ecosystem that involves a unique execution chain to deliver an unknown payload to victim systems. According to the software supply chain security company Phylum, the packages in question appear to be published in pairs, with each pair working to retrieve additional resources that are then decoded and/or executed. As the first of the two modules is designed to store locally a token retrieved from a remote server, the order in which the packages are installed is crucial for executing a successful attack. The second package sends this token along with the operating system type as a parameter to an HTTP GET request in order to retrieve a second script from the remote server. A successful execution returns a Base64-encoded string that is executed immediately, but only if the returned string is longer than 100 characters. This article continues to discuss the new ongoing campaign aimed at the npm ecosystem.

THN reports "New Ongoing Campaign Targets npm Ecosystem with Unique Execution Chain"

A ransomware gang named "8Base" has been targeting organizations worldwide in double-extortion attacks, with a constant stream of new victims. The ransomware group appeared for the first time in March 2022, maintaining a low profile with few notable attacks. In June 2023, the ransomware operation had a surge in activity, targeting many businesses across industries. So far, 8Base's dark web extortion site has listed 35 victims, with some days claiming as many as six victims simultaneously. This is a significant increase from March and April, when the group reported only a few victims. In May 2023, the extortion gang launched its data leak website, claiming to be "honest and simple" penetration testers. According to a new report by VMware's Carbon Black team, the tactics used in recent 8Base attacks indicate a rebranding of an established ransomware group, possibly RansomHouse. This article continues to discuss findings and observations regarding the 8Base ransomware group.

Bleeping Computer reports "8Base Ransomware Gang Escalates Double Extortion Attacks in June"

SoS Musings #74 -

Cybercriminals Ramping Up Business Email Compromise (BEC) Attacks

Cyber Scene #81 -

California Gold Rush: AI, Chips, and the Tech Arms Race

Researchers from the Ben-Gurion University of the Negev and Cornell University have discovered that it is possible to recover secret keys from a device by analyzing video footage of its power LED in a clever side-channel attack. They found that cryptographic computations conducted by the CPU alter the device's power consumption, thereby affecting the brightness of the power LED. Threat actors can extract the cryptographic keys from a smart card reader by leveraging video camera devices such as an iPhone 13 or an Internet-connected surveillance camera. Specifically, video-based cryptanalysis is performed by getting video footage of rapid changes in an LED's brightness and using the rolling shutter effect of the video camera to capture the physical emanations. This article continues to discuss the side-channel attack that makes it possible to recover secret keys from a device by analyzing video footage of its power LED.

THN reports "Researchers Find Way to Recover Cryptographic Keys by Analyzing LED Flickers"

Daniel Prince, a cybersecurity professor at Lancaster University, explores how criminals could use Artificial Intelligence (AI) to target victims. AI is a tool used to improve productivity, process and organize large volumes of data, and offload decision-making. However, AI tools are accessible to anyone, including criminals. Observing how criminals have adapted to and adopted technological advancements in the past can provide insight into how they may use AI. AI tools such as ChatGPT and Google's Bard provide writing assistance, enabling, for example, inexperienced writers to compose effective marketing messages, but this technology could also help criminals sound more credible when contacting potential victims via phishing emails and text messages. The technique known as "brute forcing" could also benefit from AI. This is where numerous character and symbol combinations are tried to determine if they match passwords. This article continues to discuss the different ways in which criminals could use AI to target victims.

The Conversation reports "Four Ways Criminals Could Use AI to Target More Victims"

Permiso has published its "2023 Cloud Detection and Response Survey," which surveyed over 500 security, Information Technology (IT), and engineering professionals to gain further insight into how their organizations address security challenges in cloud environments. The survey looked into the respondents' cloud security practices and the scale of their environments, including the number of identities and secrets they manage, their response time to an attack, the various access methods they have implemented, and the types of solutions they use to secure their environments. In addition, their confidence in the power of their tools and teams to defend against and detect a breach was explored. Most respondents (70 percent) place their response time to an attack between 12 and 24 hours. According to data gathered from actual production environments and incident responses, this time exceeds two weeks (16 days). This article continues to discuss key findings from Permiso's 2023 Cloud Detection and Response Survey.

Help Net Security reports "95% Fear Inadequate Cloud Security Detection and Response"

Siemens Energy and the University of California, Los Angeles (UCLA) recently announced that they were among the victims of the MOVEit hack that has affected scores of corporations, governments, and other institutions recently. The hackers behind the wide-ranging breach, Cl0p, had earlier boasted about stealing data from UCLA and Siemens on their website. Siemens and UCLA provided few additional details about the scope or consequences of the breach. Siemens said that none of its critical data had been compromised and that its operations remained unaffected. UCLA said its campus systems were unaffected and that "all of those who have been impacted have been notified."

Reuters reports: "Siemens And UCLA Say Data Compromised in MOVEit Data Breach"

Google recently announced a new Chrome 114 update that patches a total of four vulnerabilities, including three high-severity bugs reported by external researchers. Google says it paid out a total of $35,000 in bug bounty rewards to the reporting researchers. The highest payout went to GitHub Security Lab researcher Man Yue Mo, who discovered a type confusion issue in Chrome's V8 JavaScript rendering engine. Tracked as CVE-2023-3420, the vulnerability was awarded a $20,000 bug bounty. Next in line is CVE-2023-3421, a use-after-free vulnerability in Media. Cisco Talos researcher Piotr Bania earned a $10,000 bug bounty for finding this security defect. Google noted that use-after-free vulnerabilities in Chrome could lead to a sandbox escape if the attacker targets a privileged browser process or a vulnerability in the underlying operating system. The third externally reported bug is CVE-2023-3422, a use-after-free flaw in Guest View for which Google paid a $5,000 reward to a security researcher known as "asnine." Google makes no mention of any of these vulnerabilities being exploited in attacks. The latest Chrome iteration is now rolling out as version 114.0.5735.198 for macOS and Linux and as versions 114.0.5735.198/199 for Windows.

SecurityWeek reports: "Chrome 114 Update Patches High-Severity Vulnerabilities"

Cybersecurity experts at Macquarie University have created a multilingual chatbot designed to keep scammers on lengthy fake conversations and, ultimately, reduce the number of people who lose money to global criminals. The new Artificial Intelligence (AI)-driven system has created convincing fake victims in the form of multilingual chatbots that waste the time of scam callers in an effort to reduce the estimated $55 billion annual loss to thieves. The "Apate" system, named after the Greek goddess of deception, is a system that uses convincing voice clones to engage in conversations with actual scammers. This article continues to discuss the Apate system developed by Macquarie University cybersecurity experts that uses voice clones to keep scammers on the line in fake conversations with AI chatbots.

Macquarie University reports "Scamming the Scammers: New AI Fake Victims to Disrupt Criminal Business Mode"

According to a recent report, over 150 industrial operations were impacted by cyberattacks in 2022, with physical consequences in process manufacturing, discrete manufacturing, and critical industrial infrastructures. Additionally, the total number of attacks increased by 2.4 times compared to the previous year. In the next five years, cyberattacks could close down up to 15,000 industrial sites at this rate. The new report by Waterfall Security revealed a 140 percent increase in cyberattacks against industrial operations in 2022, most of which involved ransomware encrypting critical computer systems and invaluable data across Information Technology (IT) networks. The attacks also affected Operational Technology (OT), with consequences extending beyond system delays. The Waterfall Security report highlighted significant incidents, such as outages at well-known companies, including 14 plants of a leading automobile manufacturer, 23 tire plants of a popular brand, and more. This article continues to discuss the growth in high-impact cyberattacks on critical infrastructure.

Security Intelligence reports "High-Impact Attacks On Critical Infrastructure Climb 140%"

Fortinet has recently released patches to address a critical vulnerability in its FortiNAC network access control solution. The zero-trust access solution allows organizations to view devices and users on the network and provides granular control over network access policies. One of the vulnerabilities patched is tracked as CVE-2023-33299 (CVSS score of 9.6) and is described as an issue related to the deserialization of untrusted data that can lead to remote code execution (RCE). Fortinet noted that an unauthenticated attacker could exploit this vulnerability "to execute unauthorized code or commands via specifically crafted requests to the TCP/1050 service." The vulnerability impacts FortiNAC versions up to 7.2.1, up to 9.4.2, up to 9.2.7, and up to 9.1.9, as well as all 8.x iterations. Fortinet has addressed the security defect with the release of FortiNAC versions 9.4.3, 9.2.8, 9.1.10, and 7.2.2, but will not release patches for FortiNAC 8.x. Another vulnerability patched was CVE-2023-33300, a medium-severity command injection via FortiNAC's TCP/5555 service. This vulnerability is described as an improper neutralization of special elements that can be exploited by "an unauthenticated attacker to copy local files of the device to other local directories of the device via specially crafted input fields." According to Fortinet, access to the copied data is only possible if the attacker has an existing foothold and enough privileges on the device. The vulnerability was resolved with the release of FortiNAC versions 9.4.4 and 7.2.2. Fortinet makes no mention of any of these vulnerabilities being exploited in attacks.

SecurityWeek reports: "Fortinet Patches Critical RCE Vulnerability in FortiNAC"