News Items

A Liverpool man has recently been handed a five-year jail term after a sophisticated hacking campaign in which he and others hijacked celebrity Twitter accounts in a bid to scam followers. Joseph O'Connor was extradited from Spain to the US on April 26 and pleaded guilty to two sets of charges on May 9. One relates to the mass hacking of social media accounts, online extortion, and cyberstalking. The Department of Justice (DoJ) noted that in early 2020, O'Connor and his co-conspirators phoned some Twitter employees and socially engineered them into handing over their logins, which granted the hackers access to the site's internal admin tools. They used this access to publish a Bitcoin scam via over 130 celebrity Twitter accounts and also sold access to some accounts to third parties. The DoJ stated that O'Connor also used SIM swap techniques to access the account of top TikTok creator Addison Rae, to whose millions of followers he published self-promotional messages and videos. He used a similar technique to hijack a high-profile Snapchat account, stealing sensitive images and threatening to release them publicly. The DoJ noted that the UK man also carried out a series of swatting attacks on a third individual in June and July 2020 and threatened several of the victim's family members. Separately, O'Connor and his co-conspirators successfully used SIM swap attacks to compromise three executives at a Manhattan-headquartered crypto firm and used their access to divert digital funds now worth $1.6m from their wallets. The DoJ stated that he pleaded guilty to multiple counts of conspiracy to commit computer intrusions, wire fraud, and money laundering, as well as two counts of committing computer intrusions, making extortive communications, two counts of stalking, and making threatening communications. As well as the five-year prison term, O'Connor will also be forced to go through three years of supervised release and was ordered to pay $794,012 in forfeiture.

Infosecurity reports: "Twitter Celeb Hacker Jailed For Five Years"

The US government has recently captured the surface web domains associated with notorious cybercrime marketplace BreachForums, despite the arrest of the site's owner months ago. It is currently unclear why it has taken three months to get to this stage following the arrest of Fitzpatrick. Fitzpatrick, 20, of Peekskill, New York, is accused of operating BreachForums, enabling cybercriminals to trade stolen data and other contraband since March 2022. The Department of Justice (DoJ) stated that alongside the legitimate BreachForums domains, the Feds have also seized one that used to be owned by "Pompompurin" but is currently the property of breach notification site DataBreaches.

Infosecurity reports: "US Authorities Seize BreachForums Domain"

Deception technologies can provide a more effective method for detecting network attackers, but it is unclear how well security leaders understand their maturity and capabilities. Debi Ashenden, a cybersecurity professor at Adelaide University, described deception technologies as relatively immature during a panel discussion at Infosecurity Europe. She noted that deception evolved from the concept of honeypots, and while organizations may be on the verge of seeing deception technologies mature, the technology still needs strong use cases and reference customers willing to discuss their experience with deception. Gonzalo Cuatrecasas, CISO of Nordic industrial manufacturer Axel Johnson International, stated that when technology is adopted, it must be mature enough to perform the task for which it was designed. Otherwise, it becomes half-baked technology that gets caught in the middle. This article continues to discuss the relative immaturity of deception technologies.

Dark Reading reports "Deception Technologies Have a Maturity Problem"

A trojanized installer for the popular Windows game "Super Mario 3: Mario Forever" has spread malware to unsuspecting players. Super Mario 3: Mario Forever is a free-to-play remake of the Nintendo game created by Buziol Games and released for Windows in 2003. Cyble researchers discovered that threat actors are distributing a modified version of the Super Mario 3: Mario Forever installer via unidentified channels as a self-extracting archive executable. The trojanized game is likely promoted on gaming forums, social media groups, and through malvertising, Black SEO, and other means. This article continues to discuss the trojanized installer for the popular Super Mario game that has been infecting unsuspecting players with multiple malware infections.

Bleeping Computer reports "Trojanized Super Mario Game Used to Install Windows Malware"

In March 2022, a deepfake video showed Ukrainian President Volodymyr Zelenskyy ordering his people to lay down their weapons and surrender to Russia. The potential for malicious applications and the rapid evolution of deepfake techniques have ignited a race between the groups producing synthetic media and the scientists seeking more effective and resilient detection methods. Siwei Lyu, a computer scientist at the University at Buffalo, State University of New York, explains that researchers are playing a game of chess in which detection attempts to keep up with or surpass creation. Once adversaries know the techniques used to detect their deepfakes, they can modify their models to render detection algorithms ineffective. In the early days, it was relatively simple for people to identify a fake video due to the prevalence of inconsistencies in skin tone, facial structure, and movement. However, with the advancement of synthesis engines, detection has become increasingly difficult. In order to keep up with the fast development of deepfake technology, researchers have been creating tools to detect telltale indicators of digital forgery. This article continues to discuss the advancement of deepfakes and the efforts that have been made to combat them.

CACM reports "Outsmarting Deepfake Video"

During the week of June 5-9, the University of North Georgia (UNG) hosted the third annual Advancing GenCyber Education for North Georgia Teachers (AGENT) Initiative to help 25 middle and high school teachers and administrators learn how to teach cybersecurity. They will also have the opportunity to receive additional training throughout the remainder of the year. The AGENT Initiative was funded by a National Security Agency (NSA) grant of more than $144,000. It is a professional development program for teachers and administrators interested in enhancing computer science instructional practices and cybersecurity. According to CyberSeek, more than 663,000 cyber jobs are available in the US, including more than 20,000 in Georgia. This article continues to discuss the third annual AGENT Initiative hosted by UNG and the purpose of this effort.

The University of North Georgia reports "AGENT Preps Teachers in Cyber Education"

Hongyi Liu, a computer science Ph.D. student at Rice University, uses a novel method to deploy cloud devices as security enforcers. The Ph.D. student became a member of the computer science research group led by Ang Chen, and contributed to four co-authored papers. He will present the team's most recent findings, "Remote Direct Memory Introspection," at the 2023 USENIX Security conference. The USENIX Security paper explored how to improve the security of Remote Direct Memory Access (RDMA), a widely used cloud technology. Programmable network devices were used to create in-network security support in this work. As they learned how programmable network devices could be used to further secure RDMA connections in the cloud, they wondered if the newly-secured RDMA NIC could help ensure the security of their host. Their research led to the development of Remote Direct Memory Introspection (RDMI) and an even greater vision, which is to further improve cloud security by delegating security tasks to hardware substrates, consisting of cloud-available equipment that had not been previously considered a policing or enforcing agent. This article continues to discuss the work that advances cloud security.

Rice University reports "Hongyi Liu, Ang Chen and Team Advance Cloud Security in USENIX Security Paper"

Following an earlier breach, staff and students at Manchester University have recently been sent threatening emails designed to put pressure on the institution to pay a ransom. The university revealed on June 9 that it had suffered a data breach after an unauthorized party accessed some of its systems. The attack was first discovered three days earlier. The threat actors behind the attack now appear to be employing a classic "triple extortion" tactic, where they contact the individuals whose data has been compromised, hoping that they demand the breached organization pays up. The university stated that all staff and students should be wary of opening suspicious emails or phishing attempts and report them to their IT department. The university noted that it was working around the clock to determine what data had been accessed.

Infosecurity reports: "Manchester University Breach Victims Hit With Triple Extortion"

Virtualization giant VMware has recently published software updates to address multiple memory corruption vulnerabilities in vCenter Server that could lead to remote code execution. Five security defects were patched in the software's implementation of the DCERPC protocol, including four that VMware flags as "important," with a CVSS score of 8.1. VMware noted that two of these issues tracked as CVE-2023-20892 (heap buffer overflow due to uninitialized memory) and CVE-2023-20893 (use-after-free) could lead to code execution. VMware stated that a malicious actor with network access to vCenter Server may exploit this issue to execute arbitrary code on the underlying operating system that hosts vCenter Server. Another vulnerability patched is CVE-2023-20894, a remotely exploitable out-of-bounds write bug that can be triggered via specially crafted packets to cause memory corruption. The fourth vulnerability, CVE-2023-20895, is a memory corruption flaw that can be exploited over the network to bypass authentication. The software updates also addressed an important severity out-of-bounds read vulnerability that a malicious actor can exploit remotely to cause a denial-of-service (DoS) condition on services such as vmcad, vmdird, and vmafdd. Patches for all flaws were included in vCenter Server and Cloud Foundation versions 8.0 U1b and 7.0 U3m. VMware also released Async patches for VCF customers.

SecurityWeek reports: "VMware Patches Code Execution Vulnerabilities in vCenter Server"

The country's largest public pension fund says the personal information, including Social Security numbers, of about 769,000 retired California employees and other beneficiaries was among data stolen by Russian cybercriminals in the breach of a popular file-transfer application. It blamed the breach on a third-party vendor that verifies deaths. The same vendor, PBI Research Services/Berwyn Group, also lost the personal data of at least 2.5 million Genworth Financial policyholders, including Social Security numbers, to the same criminal gang. The breach of the MOVEit file-transfer program, discovered last month, is estimated by cybersecurity experts to have compromised hundreds of organizations globally.

SecurityWeek reports: "2.5M Genworth Policyholders and 769K Retired California Workers and Beneficiaries Affected by Hack"

If a user is notified of a data breach involving their personal information and responds with fear rather than anger, they are more likely to stop using the impacted site. This was the main finding of a study conducted by Rajendran Murthy, a professor of marketing at Rochester Institute of Technology, and three co-authors to determine which emotions cause consumers to alter their behavior following a data breach. They discovered that angry consumers are more likely to vent on various social media platforms before returning to the compromised site. They surveyed 208 US consumers between 18 and 60 and asked them to describe their emotions upon learning of a data breach on their favorite and most frequented website. Consideration was given to subscription websites, such as Netflix and Xbox Live, and free-to-use websites, such as Facebook and Snapchat. The researchers then asked the participants to describe the actions they took in response. As indicated by some prior research, they discovered that positive attitudes toward the website before the breach had no meaningful impact on whether consumers reengaged with the website after the breach. Fear weighed significantly on the customers. This article continues to discuss the study "Better Angry Than Afraid: The Case of Post Data Breach Emotions on Customer Engagement."

The Conversation reports "Fear Trumps Anger When It Comes to Data Breaches - Angry Customers Vent, but Fearful Customers Don't Come Back"

A variant of the Mirai botnet is exploiting nearly two dozen vulnerabilities to gain control of D-Link, Arris, Zyxel, TP-Link, Tenda, Netgear, and MediaTek devices for use in Distributed Denial-of-Service (DDoS) attacks. Researchers from Unit 42 of Palo Alto Networks identified the malware in two campaigns that began on March 14 and spiked in April and June. Researchers warn in a new report that botnet developers continue to add code for exploitable vulnerabilities. The malware targets at least 22 known security flaws in various connected products, including routers, DVRs, NVRs, WiFi communication dongles, thermal monitoring systems, access control systems, and solar power generation monitors. This article continues to discuss the Mirai botnet variant targeting vulnerabilities in D-Link, Arris, Zyxel, TP-Link, Tenda, Netgear, and MediaTek devices.

Bleeping Computer reports "Mirai Botnet Targets 22 Flaws in D-Link, Zyxel, Netgear Devices"

Researchers have discovered a vulnerability in Microsoft Teams that could allow attackers to deliver malware directly to employees' inboxes. Max Corbridge, a researcher at Jumpsec, explained that organizations using Microsoft Teams inherit Microsoft's default configuration, which allows users from outside their organization to communicate with their employees. With a social engineering pretext to prime the target, exploiting this vulnerability to deliver malware has a significant chance of success. This article continues to discuss the potential exploitation and impact of the Microsoft Teams vulnerability.

Help Net Security reports "Microsoft Teams Vulnerability Allows Attackers to Deliver Malware to Employees"

New Human-Computer Interaction (HCI) research suggests that designing technologies for children's online privacy and security, as well as focusing on children's interests in these efforts, is complex and challenging. According to Priya Kumar, assistant professor in Penn State's College of Information Sciences and Technology (IST) and leader of the multi-institution research team, involving children early and frequently in the development of online privacy and security features could result in technologies that better protect them while also addressing their interests. The team analyzed 90 HCI research publications from 2009 to 2019 in order to explore not only the problems and solutions associated with designing online technologies for children's privacy and security, but also how the research involved children. Kumar noted that they wanted to know what it means to design for children's privacy and security and what role, if any, children played in this work. The team discovered that by defining online privacy and security objectives more specifically and engaging children earlier in the design process, technology designers could avoid conflicts between what children want and what they need to be secure. This article continues to discuss the study of what it means to design for children's privacy and security and how children play a role in such work.

The Pennsylvania State University reports "More Engagement in Tech Design Can Improve Children's Online Privacy, Security"

Car mount and mobile accessory maker iOttie has recently warned that its site was compromised for almost two months to steal online shoppers' credit cards and personal information. iOttie is a popular manufacturer of mobile device car mounts, chargers, and accessories. The company stated that it discovered on June 13 that its online store was compromised between April 12, 2023, and June 2 with malicious scripts. The company noted that they believe criminal e-skimming occurred from April 12, 2023, through June 2, 2023. However, on June 2, 2023, during a WordPress/plugin update, the malicious code was removed. iOttie has not shared how many customers were impacted but said that names, personal information, and payment information could have been stolen, including financial account numbers, credit and debit card numbers, security codes, access codes, passwords, and PINs. While iOttie has not shared how they were breached, their online store is a WordPress site with the WooCommerce merchant plugin.

BleepingComputer reports: "iOttie Discloses Data Breach After Site Hacked to Steal Credit Cards"

Cybercriminals could exploit a known vulnerability in the secure startup process of Microsoft Windows to bypass Secure Boot protection and execute "BlackLotus" malware. The National Security Agency (NSA) has published the "BlackLotus Mitigation Guide" Cybersecurity Information Sheet (CSI) in order to help system administrators and network defenders mitigate this threat. The guide highlights recommended measures to detect and prevent malicious BlackLotus activities. BlackLotus exploits a known vulnerability called "Baton Drop," tracked as CVE-2022-21894, which bypasses security features during the startup process of the device, also known as Secure Boot. The malware targets Secure Boot by exploiting vulnerable boot loaders not included in the Secure Boot Deny List Database (DBX). This article continues to discuss the CSI released by the NSA on mitigating the BlackLotus threat.

NSA reports "NSA Releases Guide to Mitigate BlackLotus Threat"

The US Department of Justice (DOJ) has recently announced the establishment of the National Security Cyber Section, also known as NatSec Cyber, within its National Security Division (NSD). Assistant Attorney General Matthew G. Olsen of the Justice Department's National Security Division stated that NatSec Cyber will give us the horsepower and organizational structure we need to carry out key roles of the Department in this arena. Olsen noted that this new section will allow NSD to increase the scale and speed of disruption campaigns and prosecutions of nation-state threat actors, state-sponsored cybercriminals, associated money launderers, and other cyber-enabled threats to national security. The primary objective of the National Security Cyber Section is to enhance the Justice Department's capacity to counter malicious cyber activities effectively. Olsen stated that by fostering partnerships both within the DOJ and across the government, the section aims to address the growing sophistication and aggression of cyber-threats posed by hostile nation-state adversaries.

Infosecurity reports: "US Justice Department Launches New National Security Cyber Section"

A security researcher has recently published proof-of-concept (PoC) code targeting a recently patched high-severity vulnerability in the Cisco AnyConnect Secure Mobility Client and Secure Client for Windows. Cisco AnyConnect Secure Mobility Client and Secure Client for Windows allow remote employees to connect to an organization's network using a secure virtual private network (VPN) and provide monitoring capabilities. The vulnerability is tracked as CVE-2023-20178 (CVSS score of 7.8) and is a security defect that impacts the client update process of the software, allowing a local attacker with low privileges to elevate their access and execute code with System privileges. Cisco noted that this vulnerability exists because improper permissions are assigned to a temporary directory that is created during the update process. An attacker could exploit this vulnerability by abusing a specific function of the Windows installer process. The security researcher who released the PoC is Filip Dragovic, who reported CVE-2023-20178 to Cisco. Dragovic stated that he tested the PoC on Secure Client version 5.0.01242 and AnyConnect Secure Mobility Client version 4.10.06079. Dragovic noted that only the Windows iterations of the software are impacted. Cisco addressed CVE-2023-20178 in early June with the release of AnyConnect Secure Mobility Client version 4.10.07061 and Secure Client version 5.0.02075.

SecurityWeek reports: "PoC Exploit Published for Cisco AnyConnect Secure Vulnerability"

In the physical world, the Red Cross, Red Crescent, and Red Crystal displayed on hospitals and ambulances across the globe are internationally recognized symbols of legal protection for the sick, the wounded, and those who care for them during armed conflict. Humanitarian relief and healthcare organizations are increasingly vulnerable to cyberattacks as they rely more on computer networks to provide care. Malicious cyber operations have disrupted relief efforts and contributed to delayed care, overmedication, and increased mortality. Therefore, the Johns Hopkins Applied Physics Laboratory (APL) in Laurel, Maryland, collaborated with the International Committee of the Red Cross (ICRC) to create a technical framework to replicate the protection signaled by the ICRC's physical emblems in the digital realm. APL teamed up with the ICRC on a two-year research project involving experts from academic, humanitarian, and technical organizations. The team examined how a digital emblem could mark and identify medical and humanitarian organizations' digital assets, services, and data. The emblem would show their status as protected. The emblem's widespread visibility would enable more people to participate in its protection by design. Internet Service Providers (ISPs) monitor network traffic already. If protected parties are marked publicly, providers can more easily identify malicious traffic aimed at protected sites. If the digital emblem were to be incorporated into the international humanitarian legal framework, it would afford legal protection against cyberattacks. This article continues to discuss the technical framework developed to replicate the protection signaled by the ICRC's physical emblems in the digital world and how a digital emblem would work in the protection of medical and humanitarian entities against cyberattacks.

Johns Hopkins University Applied Physics Laboratory reports "Johns Hopkins APL Designs Framework for a Digital Red Cross"

The North Korean APT37 hacking group uses a new information-stealing malware called "FadeStealer" with a wiretapping feature, allowing the threat actor to eavesdrop and record from victims' microphones. It is believed that APT37, also known as Reaper and RedEyes, is a state-sponsored hacking group with a history of conducting cyber espionage attacks in line with North Korean interests. These attacks target North Korean defectors, academic institutions, and EU-based organizations. In the past, the hackers used custom malware known as "Dolphin" and "M2RAT" to execute commands and steal data, credentials, and screenshots from Windows devices and even mobile phones connected to the network. In a new report from the AhnLab Security Emergency Response Center (ASEC), researchers detail the new custom malware called "AblyGo backdoor" and "FadeStealer" that the threat actors have used in cyber espionage operations. This article continues to discuss the use of the new FadeStealer eavesdropping malware by the North Korean APT37 hacking group.

Bleeping Computer reports "APT37 Hackers Deploy New FadeStealer Eavesdropping Malware"

According to SUSE, increased cloud adoption has raised cloud security concerns among Information Technology (IT) teams, who are faced with challenges stemming from the widespread use of complex cloud environments. According to a survey, IT decision-makers have experienced an average of four cloud-related security incidents in the past year, with the number increasing to five in the US and decreasing to three in Europe. This contributes to the security concerns that hold back cloud technologies. Thirty-one percent of respondents cited cloud- or third-party-hosted data stores as their main cloud security concern. Runtime attacks launched by threat actors, security policy management, federation, and automation follow data stores as secondary concerns (29 percent each). Significantly more US IT decision-makers (35 percent) than European IT decision-makers (25 percent) cite security policy management, federation, and automation as their top cloud security concerns. This article continues to discuss key findings from SUSE's industry trend report "Securing the Cloud."

Help Net Security reports "US and European IT Decision-Makers Have Different Cloud Security Priorities"

Attacks on grid substations increased by 70 percent in 2022 alone. Therefore, engineers at the Department of Energy's (DOE) Oak Ridge National Laboratory (ORNL) expect new attack vectors and are taking measures against hackers using them. According to Peter Fuhr, head of ORNL's Grid Communications and Security group, the researchers try to stay ahead of cyber threats rather than just react to them after they occur. Recently, Fuhr's team demonstrated a novel method that encodes grid sensor data subliminally into a video feed using a rotating color wheel and a Fibonacci sequence decoding key that rotates the color wheel so that each sensor reading uses a unique color code. This novel implementation is a type of steganography that conceals critical information within the live video feeds from the grid substations themselves. According to Fuhr, the technique translates the encrypted character codes currently used by utilities into a color code hidden in the video feeds of cameras that already monitor substation activity. EPB effectively tested the technique for six months using a Virtual Local Area Network (VLAN) link between the central-EPB grid control center and its substations. This article continues to discuss the method ORNL developed to protect our critical grid infrastructure against hackers.

CACM reports "Keeping Hackers Off the Electrical Grid"

A ransomware attack and subsequent data breach at Harvard Pilgrim Health Care in April affected over 2.5 million members, but the system outage caused by the ransomware attack has prevented the insurer from directly informing many of the potential victims because the insurer could not access their contact information. Two months after the breach, the insurer is only just beginning to reach out to members directly, but many remain in the dark about whether their personal information was compromised. Harvard Pilgrim, part of health insurer Point32Health, first disclosed in mid-April that it had been the victim of a ransomware attack, affecting the systems it uses to service members, accounts, brokers, and providers. On May 23, the insurer disclosed that patient data had been stolen but declined to publicly say how many members were affected. The next day, however, the insurer informed the US Department of Health and Human Services Office for Civil Rights that millions of people's data potentially had been compromised. Potential victims include those who are or were enrolled in Harvard Pilgrim Commercial or Medicare health plans since March 28, 2012. The data in the accessed files could contain a slew of patient information, including names, addresses, phone numbers, dates of birth, health insurance account information, Social Security numbers, provider taxpayer identification numbers, and medical history such as diagnoses, treatment, dates of service, and provider names. A spokeswoman at Harvard Pilgrim Health Care stated that the system outage has prevented the insurer from contacting members directly "as contact information was not accessible." Harvard Pilgrim has instead sought to inform members through employers, insurance brokers, press releases, and its website, and has made credit monitoring services available through a website for those wishing to enroll. The spokeswoman also said that Harvard Pilgrim began alerting potentially affected members by mail starting June 15. The company noted that it has repaired several functions in the two months since the attack, including the ability to check member eligibility. It also has been issuing temporary member ID cards and distributed payments to providers that had been submitted before the attack. However, Harvard Pilgrim's website and many of its internal functions remain down. The insurer cannot process claims or requests for prior authorization. Some members said they were unable to use their insurance at all. While consumers wait for notification, a class-action lawsuit against the company is moving forward, spearheaded by a woman who said that her credit card was hacked following the cybersecurity breach.

The Boston Globe report: "Harvard Pilgrim Data Breach Affected Millions, Yet Insurer Struggled to Contact Many Potential Victims For Months"

The US Department of Agriculture (USDA) is investigating a "possible data breach" of a department contractor connected to a broader hack on multiple federal agencies that officials have blamed on Russian cybercriminals. A department spokesperson stated that they are aware of a possible data breach with a vendor that may impact a very small number of employees, and any employees whose data may have been affected will be contacted and provided support. The spokesperson noted that the data breach did not occur to the USDA network. Currently, the USDA estimates that fewer than 30 USDA employees may have been impacted by a third-party vendor data breach. No federal agencies have reported receiving demands, but corporate victims have previously reported demands of millions of dollars. The hackers last month began exploiting a vulnerability in widely used file-transfer software known as MOVEit, made by the Massachusetts-based firm Progress Software.

CNN reports: "USDA is Investigating a 'Possible Data Breach' of Contractor Related to The Global Russian Cybercriminal Hack"