News Items

According to the technology market analyst Canalys, global spending on cybersecurity in the first quarter of 2023 increased by 12.5 percent to $18.6 billion, compared to the same period the previous year. The results released on Monday, June 19, were consistent with the company's best-case forecasts for the cybersecurity market and outpaced the rest of the technology industry. An April forecast by the management consulting company Gartner found that global Information Technology (IT) spending was projected to increase to $4.6 trillion in 2023, a 5.5 percent growth from 2022. Customers prioritized spending on the most critical projects and those with the highest return. Matthew Ball, a principal analyst at Canalys, noted that longer sales cycles, delays, and project downsizing have increased, while hardware refresh programs have been pushed to future quarters. Spending on identity security increased by 14.3 percent, while investments in Security Service Edge (SSE) within web and email security increased by 16 percent. This article continues to discuss new findings regarding cybersecurity spending.

SC Media reports "Cybersecurity Market Grew 12.5% In First Quarter, Outpacing Overall Tech Market"

The US Department of Justice (DOJ) is adding a new section to its National Security Division that will prosecute malicious foreign cyber activity, a top department official recently announced. The department wants to be more active in combating digital threats from outside the US. Assistant Attorney General Matthew Olsen, the division's chief, revealed that the entity will enable the division to expand the scope and speed of disruption campaigns and prosecutions of nation-state cyber threats and state-sponsored cybercriminals. The department's Criminal Division will maintain its computer crimes section. The decision to place cyber on an equal footing with the division's three existing sections comes as the DOJ has increased its own efforts to combat botnets, contain or eliminate malware outbreaks, and pursue digital criminals worldwide. This article continues to discuss the new DOJ unit aimed at prosecuting malicious foreign cyber activity.

The Record reports "New DOJ Unit Will Focus On Prosecuting Nation-State Cybercrime"

The exploitation of a pre-authentication command injection flaw, tracked as CVE-2023-20887, in VMware Aria Operations for Networks (previously vRealize Network Insight), has been observed in the wild. There are no workarounds available to mitigate the risk of exploitation, so enterprise administrators are advised to patch their deployments. The vulnerability is one of three recently discovered and privately communicated to VMware by Sina Kheirkhah of Summoning Team and an anonymous researcher. The company confirmed that a malicious actor with network access to VMware Aria Operations for Networks could perform a command injection attack resulting in Remote Code Execution (RCE). Kheirkhah published a proof-of-concept (PoC) exploit for the vulnerability on June 13, and according to GreyNoise, attempts to exploit the vulnerability began two days after. This article continues to discuss the VMware Aria Operations for Networks vulnerability.

Help Net Security reports "VMware Aria Operations for Networks Vulnerability Exploited in the Wild (CVE-2023-20887)"

In a recent campaign spanning from late 2022 to early 2023, a Chinese state-sponsored actor named "Flea" targeted foreign affairs ministries in the Americas. According to Broadcom's Symantec, the cyberattacks involved a new backdoor called "Graphican." Other targets included a government finance department, a company that markets products in the Americas, and an unidentified victim in a European country. In this campaign, Flea used many tools, the company said, describing the threat actor as "large and well-resourced." In addition to the new Graphican backdoor, the attackers used various living-off-the-land (LOTL) methods and tools previously associated with Flea. Since 2004, Flea, also known as APT15, BackdoorDiplomacy, ke3chang, Nylon Typhoon (formerly Nickel), Playful Taurus, Royal APT, and Vixen Panda, has been known to target governments, diplomatic missions, and embassies. This article continues to discuss the Chinese state-sponsored actor Flea targeting foreign affairs ministries in the Americas with the Graphican backdoor.

THN reports "Chinese Hacker Group 'Flea' Targets American Ministries with Graphican Backdoor"

Microsoft is responding to Distributed Denial-of-Service (DDoS) attacks that recently interrupted the company's popular services, including Azure, Outlook, and OneDrive. Microsoft's Security Response Center (MSRC) released a comprehensive analysis of the crippling cyberattacks. The response outlines a series of Layer 7 DDoS attacks launched by a threat actor Microsoft tracks as "Storm-1359." A "Layer 7" attack is a DDoS attack that targets the application layer of the Internet protocol suite. The attack vector involves many requests to overwhelm the application layer and cause service interruptions or outages. Microsoft has determined that Storm-1359 has access to a large collection of botnets and tools, which could allow the threat actor to launch DDoS attacks from multiple cloud services and open proxy infrastructures. MSRC reported that Storm-1359 appears to be focused on causing disruption and gaining publicity. This article continues to discuss Microsoft's response to recent DDoS attacks.

Techzine reports "Microsoft Issues Detailed Response to Layer 7 DDoS Attacks"

New research on the password behaviors of over 8,000 people in the UK, France, and Germany reveals that 75 percent of individuals put themselves at risk by not following widely accepted password best practices. Sixty-four percent of those surveyed by Keeper Security use either weak or repeated passwords for their online accounts. Additionally, more than a third of people report feeling overwhelmed in regard to improving their cybersecurity. Thirty-nine percent of respondents do not know if they have been breached, and 32 percent are unaware of whether their passwords are available on the dark web. Although 41 percent of respondents believe cybersecurity is too difficult to understand, older generations appear to be performing better. Only 20 percent of respondents of Generation Z use strong and unique passwords for every account, compared to 29 percent of baby boomers. Generation Z has the highest percentage of respondents who find cybersecurity overwhelming. This article continues to discuss key findings from Keeper Security's report on password management.

BetaNews reports "75 Percent of People Risk Being Hacked Through Poor Password Practice"

Gen Digital, the company behind known cybersecurity brands such as Avast, Avira, AVG, Norton, and LifeLock, has recently announced that employees' personal information was compromised in the recent MOVEit ransomware attack. The attack exploited a zero-day vulnerability in the MOVEit Transfer managed file transfer (MFT) software that Progress Software disclosed on May 31. Gen Digital revealed that employees' compromised personal information includes names, addresses, birth dates, and business email addresses. The company noted that they use MOVEit for file transfers and have remediated all of the known vulnerabilities in the system. The company said there was no impact to their core IT systems or services and that no customer or partner data has been exposed.

SecurityWeek reports: "Norton Parent Says Employee Data Stolen in MOVEit Ransomware Attack"

The Office of the Australian Information Commissioner (OAIC) recently announced that some of its files were stolen in a ransomware attack on law firm HWL Ebsworth. One of the largest law firms in Australia, HWL Ebsworth, stated that it became aware of the incident on April 28, after the Alphv/BlackCat ransomware gang boasted about the hack, and that it immediately informed the Australian authorities and started investigating the incident. The investigation indicates the threat actor had accessed and exfiltrated certain information on a confined part of the firm's system but not on their core document management system. On June 9, HWL Ebsworth noted that the ransomware group published on their leak site some of the data allegedly stolen from its systems. The law firm says it has yet to determine the full impact of the data breach and that it will notify all individuals whose personal information might have been compromised. On Saturday, June 10, HWL Ebsworth advised the OAIC that a document or documents relating to a limited number of OAIC files were included in the breach experienced by HWL Ebsworth. The incident reportedly impacted the NDIS Quality and Safeguards Commission, the Australian Federal Police, the Commonwealth Director of Public Prosecutions, the Department of Defence, the Department of Home Affairs, the Department of Foreign Affairs, and the Taxation Office as well. The National Australian Bank (NAB), one of the four largest banks in the country, also disclosed some impact from the incident, stating that a small percentage of its customers might have been affected. The Alphv/BlackCat ransomware gang has leaked roughly 1.5 terabytes of data from the roughly 3.6 terabytes it allegedly stole from HWL Ebsworth.

SecurityWeek reports: "Australian Government Says Its Data Was Stolen in Law Firm Ransomware Attack"

"Secrets" are considered sensitive pieces of information that grant access to a cloud environment. Orca Security's research reveals that attackers typically identify misconfigured and vulnerable assets within two minutes and immediately begin exploiting them. Orca Security conducted six months of research by setting up honeypots in nine different cloud environments. The purpose of these honeypots is to attract attackers by simulating misconfigured resources. Every honeypot contained a secret AWS key. Researchers monitored the honeypots to determine if and when an attacker would bite. The goal was to gain insight into the most frequently targeted cloud services, the time it takes for attackers to access public or readily accessible resources, and the time it takes for them to discover and use leaked secrets. Orca's report indicates that exposed secrets on GitHub, HTTP, and SSH were all detected in less than five minutes. AWS S3 Buckets were discovered in under an hour. This article continues to discuss findings from the analysis of cloud-focused cybercrime tactics.

Cybernews reports "Hackers Can Weaponize Exposed Cloud Secrets in Just 2 Minutes"

Researchers have discovered malicious files with backdoor capabilities, which they believe to be a component of a toolkit targeting Apple macOS systems. Researchers at Bitdefender found the set of malicious files with backdoor capabilities believed to be part of an advanced toolkit. According to the researchers, the investigation is ongoing, and the samples remain largely undetected. The researchers analyzed four samples submitted to VirusTotal, with the earliest sample uploaded on April 18, 2023, by an anonymous actor. Two of the three samples uploaded by a victim are backdoors written in Python that target Windows, Linux, and macOS. The first file identified by the researchers is "shared.dat," which, when executed, generates a unique device identifier UID and uses a routine to determine the operating system running on the target machine. The malware can be instructed to extract system information and run specific commands. This article continues to discuss researchers' discovery of malicious files with backdoor capabilities believed to be part of a toolkit targeting Apple macOS systems.

Security Affairs reports "Experts Found Components of a Complex Toolkit Employed in macOS Attacks"

Unidentified attackers are compromising poorly managed Linux SSH servers and instructing them to launch Distributed Denial-of-Service (DDoS) attacks while simultaneously mining cryptocurrency in the background. Tsunami, also known as Kaiten, is a DDoS bot often distributed in conjunction with Mirai and Gafgyt malware strains. The fact that Tsunami functions as an Internet Relay Chat (IRC) bot distinguishes it from other DDoS bots. It uses IRC to communicate with the threat actor. Since Tsunami's source code is publicly available, it is used by various threat actors. It is primarily used in attacks targeting Internet of Things (IoT) devices. Researchers from AhnLab's Security Emergency Response Center (ASEC) explained that it is also frequently used to target Linux servers. This article continues to discuss the targeting of poorly managed Linux SSH servers in DDoS and cryptomining attacks.

Help Net Security reports "Compromised Linux SSH Servers Engage in DDoS Attacks, Cryptomining"

Between June 2022 and May 2023, over 101,100 compromised OpenAI ChatGPT account credentials appeared on illicit dark web marketplaces, with India alone making up 12,632 stolen credentials. Group-IB noted that the credentials were discovered in information stealer logs for sale on the cybercrime underground. In May 2023, the number of available logs containing compromised ChatGPT accounts peaked at 26,802 records. The Asia-Pacific region has seen the greatest number of ChatGPT credentials for sale over the past year. Pakistan, Brazil, Vietnam, Egypt, the US, France, Morocco, Indonesia, and Bangladesh are other countries with the most compromised ChatGPT credentials. Most logs containing ChatGPT accounts have been breached by the Raccoon information stealer (78,348), followed by Vidar (12,987) and RedLine (6,646). This article continues to discuss the discovery of compromised OpenAI ChatGPT account credentials on illicit dark web marketplaces.

THN reports "Over 100,000 Stolen ChatGPT Account Credentials Sold on Dark Web Marketplaces"

The Alphv/BlackCat ransomware gang recently took credit for the February 2023 cyberattack against the social media site Reddit. Reddit disclosed the breach shortly after being hacked earlier this year and described the incident as the result of a sophisticated and highly targeted phishing attack in which an employee's credentials and second-factor authentication tokens were stolen. Reddit noted that the attackers accessed internal documents, internal dashboards, business systems, source code, the information of hundreds of contacts and current and former employees, and advertiser data. Alphv/BlackCat ransomware gang over the weekend listed Reddit on its leak site and claimed to have stolen 80GB of data. No file-encrypting ransomware appears to have been deployed on Reddit's systems. The attackers are demanding a $4.5 million ransom to be paid in exchange for deleting the stolen data and that Reddit drops the API pricing changes set to go into effect this week.

SecurityWeek reports: "Ransomware Gang Takes Credit for February Reddit Hack"

Security researchers at Crossword Cybersecurity have recently discovered 2.2 million breached credentials linked to the UK's 100 top universities available on the dark web, putting staff, students, and their data at risk. The researchers who found the credentials claimed that over half (54%) belong to elite Russel Group institutions. The researchers stated that there is a potential risk to sensitive research if threat actors are able to access user accounts with compromised credentials. The researchers noted that over half (54%) of breached credentials came from UK universities with research facilities with government-funded programs in areas like nuclear energy and defense. The researchers found that the top 30 universities in the country are up to 50% more likely to have breached credentials than other institutions in the top 100 and that London's universities have more breached logins (506,330) than those in Scotland, Wales, and Northern Ireland combined (465,767).

Infosecurity reports: "Millions of UK University Credentials Found on Dark Web"

In April 2023, over 1,300 cybersecurity professionals and experts convened virtually for the first Zero Trust Symposium. The event was sponsored and co-hosted by the MIT Lincoln Laboratory, the Defense Acquisition University (DAU), and the Zero Trust Portfolio Management Office of the Department of Defense (DoD). In cybersecurity, the concept of a zero trust framework has gained significant attention in recent years. Zero trust is the practice of never implicitly trusting a device or user, even if they are already within a network. In this framework, a user and their device are continuously monitored and are only permitted access to job-critical applications and data. Zero trust concepts represent a departure from traditional network security, which for years has regarded a network as a "castle and moat" where, once inside the moat, users are often granted wide-reaching access. The strategy puts organizations at risk from malicious insiders or accounts with compromised credentials. This type of vulnerability has enabled numerous high-profile data breaches, including the 2015 Office of Personnel Management breach in which 22.1 million government personnel records were stolen. This article continues to discuss the event on zero trust that emphasized cultural shifts needed to reach a new cybersecurity norm.

MIT Lincoln Laboratory reports "Symposium Charts Progress to Zero-Trust Cybersecurity"

Researchers at Carnegie Mellon University (CMU) have launched a new website that provides a convenient and easy way for Android users to see how their data is collected and shared. The Android Network Traces (ANT) project maintains a database of more than 14,000 apps, providing comprehensive insight into the apps' data collection and sharing practices. Previously, the research team had created a website that graded the privacy of smartphone apps. However, they continued to receive the same questions regarding the types of data the apps collect, who receives it, and what it is used for. Therefore, Jason Hong, a professor at CMU's Human-Computer Interaction Institute, and members of the Human-Computer Interaction: Mobility Privacy Security Lab (CHIMPS), developed MobiPurpose to track network requests made by Android apps and classify data collection purposes. In their paper titled "Why Are They Collecting My Data?: Inferring the Purposes of Network Traffic in Mobile Apps," the authors describe how MobiPurpose parses each traffic request body into key-value pairs and uses supervised learning and text pattern bootstrapping to infer the data type and data collection purpose of each pair. MobiPurpose can predict the data collection purpose with an average accuracy of 84 percent. Using their method, the researchers collected network traces from thousands of apps and grouped them into five data type categories: network, device, general, location, and account. Then they transformed the information into easily readable charts on the ANT website. This article continues to discuss the research and development behind the new website highlighting Android apps' data collection and sharing practices.

CyLab reports "New Website Highlights Thousands of Android Apps' Data Collection Practices"

Millions of people in Louisiana and Oregon have recently had their data compromised in the sprawling cyberattack that has also hit the US federal government. Authorities stated that the breach had affected 3.5 million Oregonians with driver's licenses or state ID cards and anyone with that documentation in Louisiana. The Louisiana governor's office did not put a number on the number of victims, but over 3 million Louisianians hold driver's licenses. The states did not blame anyone in particular for the hack, but federal officials have attributed a broader hacking campaign using the same software vulnerability to a Russian ransomware gang. Authorities noted that the sweeping hack has likely exposed data at hundreds of organizations across the globe and also compromised multiple US federal agencies, including the Department of Energy, as well as data from major corporations in Britain like the BBC and British Airways. The Russian-speaking hackers that claimed credit are known to demand multimillion-dollar ransoms, though US and state governments say they have not received any demands. The data exposed in the breach of the Oregon and Louisiana motor vehicle departments may include Social Security numbers and driver's license numbers, prompting state authorities to advise their residents on how to protect themselves from identity fraud.

CNN reports: "Millions of Americans' Personal Data Exposed in Global Hack"

A team led by Guo Guangcan from the University of Science and Technology of China (USTC) of the Chinese Academy of Sciences made an advancement in the practical security of Quantum Key Distribution (QKD). They identified a potential security flaw in the modulator device of the QKD transmitter and exploited this vulnerability to conduct quantum hacking attacks. Theoretically, QKD enables the generation of secure keys between users. However, the non-ideal characteristics of practical devices may deviate from the theoretical assumptions, making them vulnerable to eavesdropping attacks. In order to advance the practical application of QKD, it is essential to perform a comprehensive and in-depth analysis of the security of QKD systems and then design more robust and secure practical systems. This article continues to discuss the team's progress in analyzing the practical security of QKD systems and developing attack-defense techniques.

SCIENMAG reports "Quantum Hacking Alert: USTC Uncovers Critical Vulnerabilities in Quantum Key Distribution"

Baseboard Management Controllers (BMCs) are common server-class computer components. Cybercriminals could exploit the capabilities of these controllers to compromise industry and government systems. Neal Ziring, the Technical Director of the National Security Agency's (NSA) Cybersecurity Directorate, commented that implementing effective security defenses for these embedded controllers is often neglected. The firmware in these controllers is highly privileged, so malicious actors can use the firmware's capabilities to remotely control a critical server while evading traditional security tools. Therefore, organizations must take measures to protect servers with BMCs. NSA and the Cybersecurity and Infrastructure Security Agency (CISA) published the Cybersecurity Information Sheet "Harden Baseboard Management Controllers" to help network defenders. The guidance provides network defenders with recommendations and mitigations for securing their systems. This article continues to discuss the guidance released on hardening BMCs.

NSA reports "NSA and CISA Release Guide To Protect Baseboard Management Controllers"

A zero-day vulnerability in the Barracuda Email Security Gateway (ESG) discovered in late May has been exploited in a Chinese espionage campaign since October 2022, according to security researchers at Mandiant. The researchers noted that new threat actor UNC4841 began sending phishing emails as far back as October 10 last year. The researchers stated that these malicious emails contained file attachments designed to exploit the Barracuda bug CVE-2023-2868 to gain initial access to vulnerable appliances. Once a foothold had been established, the group used Saltwater, Seaside, and Seaspray malware to maintain a presence on the devices by masquerading as legitimate Barracuda ESG modules or services. The researchers noted that post-initial compromise, they observed UNC4841 aggressively target specific data of interest for exfiltration and, in some cases, leverage access to an ESG appliance to conduct lateral movement into the victim network or to send mail to other victim appliances. The researchers also observed UNC4841 deploy additional tooling to maintain a presence on ESG appliances. Barracuda discovered the campaign on May 19 and released patches to contain and remediate the threat two days later. However, the threat group switched malware and deployed new persistence mechanisms to maintain access. The researchers noted that between May 22 and 24, UNC4841 targeted victims in 16 countries with "high frequency" operations, prompting Barracuda to take the unusual step of urging customers to isolate and replace their appliances, whatever their patch status. The researchers stated that UNC4841 has shown to be highly responsive to defensive efforts and actively modifies TTPs to maintain their operations.

Infosecurity reports: "Barracuda Zero-Day Exploited by Chinese Actor"

According to Proofpoint, cybercriminals resumed normal operations in 2022 following two years of pandemic-induced disruption. As COVID-19 medical and economic programs began to slow down, attackers were forced to find new ways to make a living by sharpening their social engineering skills, commercializing once-sophisticated attack techniques, and creatively seeking new opportunities. From scaling brute-force and targeted attacks on cloud tenants to an increase in conversational smishing attacks and the expansion of multi-factor authentication (MFA) bypass, the cyberattack landscape in 2022 saw significant developments on multiple fronts. Despite sending over 25 million messages in 2022, which is more than double the volume of the second most prominent threat actor, Emotet's presence has been unsteady, and the group has demonstrated a lack of adaptability to the post-pandemic threat landscape. This article continues to discuss key findings from Proofpoint's annual Human Factor report.

Help Net Security reports "Cybercriminals Return to Business as Usual in a Post-pandemic World"

Research published in the International Journal of Web Based Communities introduces a new method for identifying abnormal users in social networks, which involves analyzing multiple user behavior characteristics. Using the APIs of different social networks, Jian Xie of the College of Education at Fuyang Normal University in Fuyang, China, collected comprehensive data about users, including information about their accounts, the content they post, and the specific behaviors they exhibit. This data analysis allowed him to ascribe a set of attributes to users. Through attribute reduction, he eliminated redundant features and built a targeted attribute feature set to analyze suspicious accounts. Xie then used the data to train the XGBoost model, a Machine Learning (ML) algorithm, in order to develop a highly objective function that can quickly flag abnormal behavior on a social network. Xie was able to identify abnormal users with 95 percent accuracy. This level of accuracy in identification is enough to alert the system's administrators to any potential issues, which could then be manually investigated and handled (e.g., blocking malicious users). The approach could set the groundwork for developing highly effective social network security policies. This article continues to discuss the proposed approach to identifying abnormal users in social networks and its potential impact on security for social networking.

Inderscience reports "Detecting Deviators From the Norm - 'An Accurate Identification Method of Abnormal Users in Social Network Based on Multivariate Characteristics'"

The popular disposable email provider Temp Mail left its systems publicly accessible for over three months, thus risking potential security breaches and widespread malware distribution. The Cybernews research team recently discovered a configuration error in the Temp Mail system that exposed sensitive data. Temp Mail is a free disposable email service that enables users to receive email at a temporary address, which then self-destructs after a specified amount of time. The email service is a popular option for users who wish to avoid spam and protect their email addresses from disclosure when registering on different websites, blogs, and forums. The recently discovered misconfiguration could have allowed malicious actors access to the internal systems of Temp Mail, manipulate sensitive data, deliver malware on a large scale, and target users. The severity of the situation is highlighted by the fact that Temp Mail's Android app alone has over 10 million downloads. This article continues to discuss the Temp Mail system leaving sensitive data exposed and the potential impact of this exposure.

Cybernews reports "Popular Email Provider Leaves Systems Wide Open"

SAP on Tuesday announced the release of eight new security notes as part of its June 2023 Security Patch Day, including two notes that address high-severity vulnerabilities. Five other notes were updated. The most important of SAP's new security notes resolve a stored cross-site scripting (XSS) bug in UI5 Variant Management. The bug is tracked as CVE-2023-33991 (CVSS score of 8.2), and it can be exploited to gain user-level access to the UI5 Varian Management application and compromise confidentiality, integrity, and availability. The second high-severity flaw is a missing authentication issue in Plant Connectivity and Production Connector for Digital Manufacturing, tracked as CVE-2023-2827 (CVSS score of 7.9). SAP noted that it can be exploited to connect to a vulnerable application without a valid JSON Web Token (JWT). According to enterprise application security firm Onapsis, "in order to fully patch this vulnerability, both components must be patched, and JWT signature validation must be configured from the Cloud Connector settings." This week, SAP also updated two notes dealing with high-severity bugs in Knowledge Warehouse (CVE-2021-42063) and SAPUI5 (CVE-2023-30743). The updates only contain "minor textual or structural" changes from the previous notes. Of the eight new and updated medium-severity security notes that SAP released this week, six deal with XSS flaws in NetWeaver, CRM ABAP (Grantor Management), CRM (WebClient UI), and BusinessObjects. The other two notes resolve an information disclosure bug in S/4HANA and an SQL injection issue in Master Data Synchronization. The last security note published on SAP's June 2023 Security Patch Day resolves a low-severity denial-of-service (DoS) vulnerability in NetWeaver (Change and Transport System).

SecurityWeek reports: "SAP Patches High-Severity Vulnerabilities With June 2023 Security Updates"