News Items

There is a common misconception that a website with low traffic or that does not offer transaction-intensive online commerce does not need to prepare for Distributed Denial-of-Service (DDoS) attacks because it is not an attractive target. According to Jag Bains at TechRepublic, cybercriminals do not care about a website's popularity or offerings. In addition, hackers are always looking for new methods to launch even more complex and effective attacks that could have devastating financial and reputational outcomes for unprepared victims. It is currently simple and inexpensive to execute cyberattacks on a large scale. A DDoS attack can even be booked on one of many shady platforms, allowing low-skilled attackers to easily carry out such attacks without having to deal with the technology themselves. Therefore, not being prepared for DDoS attacks is no longer an option, no matter what a company's size, industry, or level of popularity is. This article continues to discuss the assumptions businesses should not make about their DDoS defenses and the steps they should take to reduce the likelihood of such attacks.

TechRepublic reports "DDoS Threats and Defense: How Certain Assumptions Can Lead to an Attack"

According to a new report by Akamai, hackers launched 14 billion attacks against the e-commerce industry in 15 months, placing it at the top of the list of targets for Application Programming Interface (API) and web application exploits. Researchers found that the volume of attacks against e-commerce companies is primarily due to the digitalization of the industry and the wide variety of vulnerabilities hackers can exploit in the web applications of their intended targets. E-commerce companies store sensitive data such as Personally Identifiable Information (PII) and payment account details, making them a lucrative target for cybercriminals, according to researchers who analyzed web attacks from January 1, 2022, to March 31, 2023. Retail, hotel, and travel companies topped the list of 13 industries with 14.5 billion attacks, or more than one-third of all attacks explored by Akamai. The high-tech industry ranked second with approximately 9 billion attacks, followed by the financial services industry with around 7 billion. This article continues to discuss e-commerce companies being the top targets for API and web application exploits.

BankInfoSecurity reports "E-Commerce Firms Are Top Targets for API, Web Apps Attacks"

Researchers at B42 Labs have shared some findings from their exploratory research on the application of Large Language Models (LLMs) to malware automation, examining how a potential new type of autonomous threat may manifest in the near future. The researchers explored the potential architecture of an autonomous malware threat based on four main steps: Artificial Intelligence (AI)-assisted reconnaissance, reasoning and planning, and AI-assisted execution. They demonstrated the possibility of using an LLM to recognize infected environments and determine which malicious actions would be most appropriate for the environment. In order to leverage LLMs in the complex task of generating code on the fly to accomplish the malicious objectives of the malware agent, they adopted an iterative code generation strategy. This article continues to discuss findings from B42 Labs researchers' analysis of the application of LLMs to malware automation.

Security Affairs reports "LLM meets Malware: Starting the Era of Autonomous Threat"

Hackers are posing as cybersecurity researchers on Twitter and GitHub to publish fake proof-of-concept (PoC) exploits for zero-day vulnerabilities that infect Windows and Linux with malware. The alleged researchers advertise these malicious exploits through a fake cybersecurity company called "High Sierra Cyber Security," which promotes the GitHub repositories on Twitter, likely targeting cybersecurity researchers and companies engaged in vulnerability research. The repositories seem legitimate, as the users who maintain them even use headshots to impersonate real security researchers from Rapid7 and other security companies. The same personas maintain Twitter accounts to lend credibility to their research and code repositories, such as GitHub, as well as to attract victims from the social media platform. According to VulnCheck, this campaign has been active since at least May 2023, promoting exploits for zero-day vulnerabilities in software such as Chrome, Discord, Signal, WhatsApp, and Microsoft Exchange. This article continues to discuss the impersonation of cybersecurity researchers to publish fake PoC exploits that push Windows and Linux malware.

Bleeping Computer reports "Fake Zero-Day PoC Exploits on GitHub Push Windows, Linux Malware"

A Chinese cyber espionage group that researchers previously spotted targeting VMware ESXi hosts has been exploiting a zero-day authentication bypass flaw in the virtualization technology to execute privileged commands on guest Virtual Machines (VMs). Researchers from Mandiant discovered the vulnerability during ongoing investigations of UNC3886, a Chinese threat actor they have been monitoring for some time. They disclosed the vulnerability to VMware, which then issued a patch to address it. VMware Tools, a collection of services and modules for improved administration of guest operating systems, contains the zero-day vulnerability, tracked as CVE-2023-208670. The vulnerability enables attackers to use a compromised ESXi host to transfer files to and from Windows, Linux, and vCenter guest VMs without the need for guest credentials and without the activity being logged by default. VMware rated the vulnerability as having a medium severity because an attacker must already have root access to an ESXi host in order to exploit it. This article continues to discuss UNC3886 and the threat actor's exploitation of a zero-day vulnerability in VMware Tools.

Dark Reading reports "Chinese Threat Actor Abused ESXi Zero-Day to Pilfer Files From Guest VMs"

Scientists from the University of Science and Technology of China (USTC) of the Chinese Academy of Sciences (CAS) and their collaborators from Tsinghua University, Jinan Institute of Quantum Technology, and Shanghai Institute of Microsystem and Information Technology (SIMIT) have achieved point-to-point long-distance Quantum Key Distribution (QKD) over a distance of 1,002 kilometers. This achievement sets a new world record for non-relay QKD and offers a solution for high-speed intercity quantum communication. QKD is based on quantum mechanics principles and enables the secure distribution of keys between two remote parties. It can attain the highest level of security for confidential communication when combined with the "one-time pad" encryption technique. However, QKD's range has been limited by channel loss and system noise. This study's achievement has significant implications for the development of secure quantum communication. This article continues to discuss the achievement of point-to-point long-distance QKD over a distance of 1,002 km.

SCIENMAG reports "USTC Achieves Thousand-Kilometer Quantum Key Distribution"

According to the FBI's Internet Crime Complaint Center (IC3), Business Email Compromise (BEC) is a sophisticated scam targeting businesses and individuals performing legitimate transfer-of-funds requests. The scam is often perpetrated when someone compromises legitimate business or personal email accounts through social engineering or computer intrusion to conduct unauthorized fund transfers. BEC is not always associated with a request to transfer funds. BEC attack variations often involve compromising legitimate business email accounts and requesting Personally Identifiable Information (PII), Wage and Tax Statement (W-2) forms, and cryptocurrency wallets from employees. The BEC scam continues to evolve, targeting small local businesses, larger companies, and personal transactions. In 2022, the IC3 observed an increase in the reporting of BEC incidents. BEC attacks have been reported in all 50 states and 177 countries. According to the financial data reported to the IC3 for 2022, banks in Hong Kong and China were the primary international destinations of fraudulent funds. The UK, which often serves as an intermediary stop for funds, Mexico, and Singapore followed. This article continues to discuss the concept of BEC attacks, statistical data on these attacks, and suggestions for protecting against BEC attacks.

HSToday reports "Business Email Compromise: The $50 Billion Scam"

France's foreign minister recently announced that France had prevented a hybrid digital attack on the ministry's website, likely carried out by Russian state-linked actors, along with attacks on other government websites and French media sites. Foreign Minister Catherine Colonna also said France believed there was a broader campaign of spreading disinformation in France by Russian protagonists. Colonna noted that this campaign is notably based upon creating fake internet pages to hack into the identity of national media and government websites, as well as by creating fake accounts on social media networks. Moscow has consistently denied that it carries out hacking operations. However, Colonna said Russian embassies and Russian cultural institutes were also involved in this campaign and reaffirmed France's support for Ukraine in its conflict with Russia.

Reuters reports: "France Says it Thwarted Attack on Websites From Russian State-Linked Actors"

Professor Kevin Jones and Dr. Kimberly Tam at the University of Plymouth share their expertise and provide some answers regarding whether clean maritime solutions are resilient to cyberattacks at sea. Companies throughout the UK are benefiting from a funding boost aimed at accelerating the development of clean maritime solutions, which will create a supportive but competitive environment at a time when innovations and new challenges are emerging. However, in order for solutions to be long-lasting, they must be not only effective but also resilient. Many of these solutions rely heavily on cutting-edge technology, which increases their vulnerability to cyberattacks. Therefore, cybersecurity must be considered in the early phases of technological development. Only by combining efficiency and security can we ensure clean technologies' short- and long-term viability. This includes bolstering the security of the data that the technology uses and generates, and reducing the likelihood of cyber-physical effects, such as a Denial-of-Service (DoS) attack, which could prevent clean maritime solutions from functioning. This article continues to discuss insights on the resilience of maritime solutions to cyberattacks at sea.

The University of Plymouth reports "Are Clean Maritime Solutions Resilient to Cyber-Attacks at Sea?"

Intellihartx, a company providing patient balance resolution services to hospitals, is starting to inform roughly 490,000 individuals that their personal information was compromised in the GoAnywhere zero-day attack earlier this year. Disclosed in early February and linked to the infamous Cl0p ransomware gang, the cyberattack exploited a zero-day vulnerability in Fortra's GoAnywhere managed file transfer (MFT) software. Tracked as CVE-2023-0669 and leading to remote code execution, the flaw had been exploited starting January 28. Intellihartx says it has concluded its review of the data potentially compromised during the attack and has also identified the impacted individuals. The company stated that the affected information includes names, addresses, insurance data and medical billing, diagnosis and medication information, birth dates, and Social Security numbers. Intellihartx says it is not aware of the compromised information being misused. However, the Cl0p gang has made the data allegedly stolen from the company available on its leak site.

SecurityWeek reports: "Intellihartx Informs 490k Patients of GoAnywhere-Related Data Breach"

There are disagreements among security researchers regarding the danger posed by the recently discovered malware "CosmicEnergy" to critical infrastructure. Last month, the threat intelligence company Mandiant identified CosmicEnergy as a "plausible threat" to electric grid operators. Mandiant first identified the malware after the code was uploaded to a public malware scanning tool in December 2021. In an analysis report released last month, the company noted that there was evidence indicating that it had been designed as a red teaming tool for simulated power disruption exercises. According to the report, given that threat actors use red team tools and public exploitation frameworks for targeted threat activity, CosmicEnergy is believed to pose a plausible threat to impacted electric grid assets. In a report published last week, however, researchers from the industrial cybersecurity company Dragos noted that the malware is not yet mature enough to endanger Operational Technology (OT) networks. Dragos also mentioned CosmicEnergy's probable origins as a training tool for detection development, figuring that while its discovery should prompt organizations to reevaluate OT security, there was no immediate threat to OT environments. Jimmy Wylie, technical lead malware analyst and lead author, commented that there are no indications that an adversary is actively deploying CosmicEnergy. This article continues to discuss disputes regarding the CosmicEnergy malware.

SC Magazine reports "CosmicEnergy's Threat to Critical Infrastructure in Dispute"

Security researchers have recently discovered a breach at Zacks Investment Research dating back to 2020, which appears to have impacted millions of customers. So far, the stock research and analysis firm has made no public disclosure about the incident. However, a post on the breach site HaveIBeenPwned revealed that a trove of data numbering nearly nine million customers are being widely shared on a popular hacking forum. Security researchers noted that the most recent data was dated May 2020 and included names, usernames, email and physical addresses, phone numbers, and passwords stored as unsalted SHA-256 hashes. The publication of the data means that customers should expect follow-on phishing and other attacks. In January, the firm revealed a data breach that affected an estimated 820,000 customers, which it said occurred "sometime between November 2021 and August 2022." This particular incident involved a legacy database of customers who signed up for the Zacks Elite product between November 1999 and February 2005.

Infosecurity reports: "Historic Zacks Breach Impacts Nearly Nine Million"

A study involving high-interaction honeypots with a Remote Desktop Protocol (RDP) connection accessible from the public web demonstrates that attackers are relentless and follow a daily schedule that closely resembles office hours. Researchers at GoSecure, a threat detection and response company with headquarters in the US and Canada, logged close to 3.5 million login attempts to their RDP honeypot system over the course of three months. At the NorthSec cybersecurity conference in Montreal, Canada, Andreanne Bergeron, a GoSecure cybersecurity researcher, explained that the honeypots are tied to a research program aimed at understanding attacker strategies, which could then be translated into prevention advice. The honeypot has operated intermittently for more than three years and continuously for over a year, but the data compiled for the presentation only represents three months, from July 1 to September 30, 2022. During this time period, the honeypot was hit 3,427,611 times by more than 1,500 unique IP addresses. However, the total number of login attempts for the entire year reached 13 million. This article continues to discuss the GoSecure researchers' experiment involving its RDP honeypot system.

Bleeping Computer reports "RDP Honeypot Targeted 3.5 Million Times in Brute-Force Attacks"

According to Trend Micro, security leaders recognize that the cloud and how cloud security teams operate today are becoming increasingly critical to business and Information Technology (IT) operations. Therefore, cloud security and the foundational practices of their teams will be integrated into the Security Operations Center (SOC) in the coming years to increase efficiencies. Leaders who have navigated cloud security successfully are well-equipped to navigate a similar transition to the modern SOC landscape. Software consumes everything, creating system infrastructure increasingly defined as code and dependent on large volumes of data, with automation serving as the foundation for delivering value at accelerating rates. These concepts are foundational to teams building and securing in the cloud, but SOC and IT infrastructure teams' tooling, such as cross-detection and response (XDR), also use them and can benefit from absorbing the scale, skills, and expertise of cloud teams. Trend Micro predicts that viable SOC tools will increasingly incorporate cloud protection capabilities. This article continues to discuss Trend Micro's predictions regarding cloud security.

Help Net Security reports "Incorporating Cloud Security Teams Into the SOC Enhances Operational Efficiencies"

Transferring sensitive data to non-Health Insurance Portability and Accountability Act (HIPAA)-covered entities may result in compliance complications, data breaches, lawsuits, and patient privacy risks. Third-party tracking tools promise functionality but may transmit sensitive data back to technology companies, potentially threatening the privacy of patients. Multiple high-profile healthcare data breaches and lawsuits against hospitals and technology companies over the use of third-party tracking tools prompted researchers to further examine the trend. Matthew McCoy, assistant professor of medical ethics and health policy at the University of Pennsylvania and one of the study's authors, noted that prior to the study, there had been some investigative reporting on the use of tracking technologies on the websites of small groups of hospitals. McCoy, together with Ari B. Friedman, assistant professor of emergency medicine at the University of Pennsylvania, and their colleagues set out to explore the prevalence of tracking technologies on hospital websites. The researchers discovered third-party tracking technologies on 98.6 percent of all US nonfederal acute care hospital websites. This article continues to discuss analytics tools and third-party tracking technologies posing threats to patients' privacy.

HealthCareExecIntelligence reports "How Analytics Tools, Third-Party Tracking Tech Pose Threats to Patient Privacy"

Researchers expect a rise in Log4J exploits as cybercriminals continue to find new methods to circumvent the ongoing implementation of Microsoft's anti-phishing measures. Microsoft blocked the enablement of VBA macros in Office documents by default in 2022, after the Information Technology (IT) community had demanded it for years. Therefore, one of the leading methods for delivering malware via Office documents and phishing emails was nullified. Since then, ESET researchers have observed a global increase in exploits targeting the Log4J vulnerability. Researchers are uncertain as to the cause of the increase in attempts, but cybercriminals may be seeking new attack methods now that phishing with malicious documents has become more difficult. This article continues to discuss the expected rise in Log4J exploits, the latest Log4J numbers, and the effectiveness of blocking VBA macros.

ITPro reports "Log4J Exploits May Rise Further as Microsoft Continues War on Phishing"

According to researchers at the San Francisco-based company Robust Intelligence, a feature in Nvidia's Artificial Intelligence (AI) software can be manipulated to disregard safety restrictions and reveal private information. The "NeMo Framework" developed by Nvidia enables developers to work with various Large Language Models (LLMs), the underlying technology that drives generative AI products such as chatbots. The chipmaker designed the framework to be adopted by businesses. Researchers at Robust Intelligence discovered they could easily circumvent so-called guardrails intended to ensure the AI system's safe use. After using the Nvidia system on its own data sets, it took Robust Intelligence analysts hours to get LLMs to overcome restrictions. In one test scenario, the researchers instructed the Nvidia system to replace the letter 'I' with the letter 'J.' This action triggered the release of Personally Identifiable Information (PII) from a database. This article continues to discuss researchers manipulating a feature in Nvidia's AI software to reveal sensitive information.

Ars Technica reports "Nvidia's AI Software Tricked Into Leaking Data"

The Australian Capital Territory (ACT) Government is among an estimated 5 percent of Barracuda Networks' Email Security Gateway (ESG) customers who have been instructed to remove and replace their appliances due to a zero-day flaw compromise. Barracuda Networks disclosed the critical vulnerability on May 19 and patched impacted ESG appliances the next day, but the vendor recently warned those whose appliances had been compromised by the remote command injection vulnerability to replace their compromised appliances immediately. The ACT government rebuilt its Barracuda system after discovering the vulnerability and determining that malicious hackers had exploited it. According to Chris Steel, the Digital and Data Special Minister of State for the ACT Government, there was a "strong likelihood" that data had been stolen. However, they are currently unaware of any information that may have been accessed on ACT Government systems and made available on the dark web. The ACT Government administers the federal territory of Australia, which is home to the country's capital city, Canberra. Its ESG service was linked to the government's main citizen-facing transaction portal, health services, and more. This article continues to discuss the impact of the Barracuda ESG zero-day bug on the ACT Government.

SC Media reports "Barracuda ESG Zero-Day Exploit Hits Australia's ACT Government"

A hacking group identified as "Pink Drainer" impersonates journalists in phishing attacks to compromise Discord and Twitter accounts in order to steal cryptocurrency. According to ScamSniffer analysts, Pink Drainer effectively compromised the accounts of 1,932 victims to steal approximately $2,997,307 worth of digital assets on the Mainnet and Arbitrum. The on-chain monitoring bots used by ScamSniffer found the threat actor when they stole $327,000 worth of NFTs from a single victim. The CTO of OpenAI Mirai Murati, Steve Aoki, Evmos, Pika Protocol, Orbiter Finance, LiFi, Flare Network, Cherry Network, and Starknet are believed to be recent targets. Pink Drainer hijacks accounts through social engineering, in which the threat actors spend a few days impersonating journalists from major media outlets such as Cointelegraph and Decrypt in order to conduct fake interviews with the victims. This article continues to discuss the Pink Drainer hacking group impersonating journalists in phishing attacks to compromise Discord and Twitter accounts for cryptocurrency-stealing attacks.

Bleeping Computer reports "Hackers Steal $3 Million by Impersonating Crypto News Journalists"

The Cl0p ransomware group lingered on a zero-day vulnerability it discovered in Progress Software's MOVEit Transfer file transfer application for nearly two years before beginning to exploit it. During this holding period, group members launched periodic waves of malicious activity against vulnerable systems to test their access to organizations and determine which ones to target. Kroll Threat Intelligence researchers who investigated the recent attacks discovered evidence that Cl0P actors were experimenting with exploiting the MOVEit Transfer vulnerability as early as July 2021. Kroll's examination of Microsoft Internet Information Services (IIS) logs belonging to clients impacted by the attacks uncovered evidence of the threat actors undertaking similar activity in April 2022 and twice last month. This article continues to discuss the Cl0p ransomware group sitting on a zero-day vulnerability discovered in Progress Software's MOVEit Transfer file transfer app for nearly two years.

Dark Reading reports "Cl0P Gang Sat on Exploit for MOVEit Flaw for Nearly 2 Years"

The primary objective of the Resilient, Autonomous, Networked Control Systems (RANCS) Research Group at the University of South Florida is to make the world smarter by investing in the autonomy of Networked Control Systems (NCSs). However, while autonomy provides significant benefits, it also introduces potential system safety and security risks. Therefore, the lab emphasizes the resilience of NCSs, ensuring that these systems can effectively withstand and recover from disruptions. RANCS are a new type of control system designed to be more reliable and adaptable than traditional control systems. They consist of features, such as autonomous decision-making, networked communication, and resilient design that enable them to operate in complex and quickly changing environments. For example, a RANCS could be used to safely navigate a self-driving car's route. In this situation, the RANCS would be required to make autonomous navigational judgments, such as when to change lanes or stop at a red light. To prevent accidents, the autonomous vehicle would also need to communicate with other vehicles and infrastructure. In addition, the system would need to be resilient against failures, including sensor malfunctions, software bugs, and cyberattacks. This article continues to discuss the RANCS Research Group at the University of South Florida and the lab's emphasis on making autonomous control systems resilient to cyberattacks and other failures.

The University of South Florida reports "Researchers Work to Fulfill Promise of Resilient Autonomous Control Systems"

A group of researchers at the MIT Computer Science and Artificial Intelligence Laboratory (CSAIL) devised an approach to the long-standing issues of privacy and inefficiency associated with Large Language Models (LLMs). They came up with a logic-aware model that outperforms its 500-times-larger counterparts on some language-understanding tasks without human-generated annotations, while maintaining privacy and robustness. LLMs, which have demonstrated some promising capabilities in generating language, art, and code, are computationally costly, and their data requirements pose privacy risks when using Application Programming Interfaces (APIs) to upload data. This article continues to discuss the MIT researchers' work that paves the way for more sustainable and privacy-preserving Artificial Intelligence (AI) technologies.

MIT News reports "MIT Researchers Make Language Models Scalable Self-Learners"

It is no longer possible to patch everything because security teams are significantly overwhelmed with managing vulnerabilities. Due to the current skills gap, security teams with inadequate staffing must prioritize the most necessary patches for their organization. Therefore, Rezilion published a blog describing the top seven vulnerabilities of the first half of 2023. The research emphasized that it is challenging to determine which vulnerability to address first because so much depends on the type of business and technology being handled and how employees use applications. Rezilion noted that, as a general rule, security teams should focus on the recent Apache Superset, Papercut, MOVEit, and ChatGPT vulnerabilities. This article continues to discuss the top six or seven vulnerabilities of the first half of 2023.

SC Media reports "Top Vulnerabilities So Far of 2023: Apache Superset, Papercut, MOVEit and, Yes, ChatGPT"

Researchers have published a proof-of-concept (PoC) exploit for an actively exploited Windows local privilege escalation flaw. The Win32k subsystem manages the operating system's window manager, screen output, input, and graphics, as well as functions as an interface between various types of input hardware. Therefore, exploiting vulnerabilities of this type typically results in elevated privileges or code execution. Avast discovered the vulnerability, tracked as CVE-2023-29336, with a CVSS score of 7.8. It allows low-privileged users to gain Windows SYSTEM privileges. Avast reported that they noticed the vulnerability after it had been actively exploited in zero-day attacks. The Cybersecurity and Infrastructure Security Agency (CISA) published an alert and added the vulnerability to its "Known Exploited Vulnerabilities" catalog. A month after a patch became available for the flaw, security analysts at the Web3 cybersecurity company Numen released complete technical details of the vulnerability and a PoC exploit for Windows Server 2016. This article continues to discuss the release of a PoC exploit for the Windows Win32k bug.

Bleeping Computer "PoC Released for Windows Win32k Bug Exploited in Attacks"