News Items

As technological advancement continues to accelerate, nation-states and unaffiliated individuals are quickly developing new malicious computer viruses to exploit computer system vulnerabilities and achieve their political and personal goals. To protect against these attacks, cybersecurity companies use various methods to prevent malware from entering systems. Current malware detection systems scan elements in a file or evaluate the file as a whole. According to new research, other avenues exist for detecting malware, specifically by dividing the file into sections and comparing the resulting pieces. A team of researchers developed an approach involving taking a set of known malware files and using their section hashes to identify and analyze other candidate files in a malware repository. This article continues to discuss the team's approach to detecting and grouping malware.

Software Engineering Institute - Carnegie Mellon University reports "Detecting and Grouping Malware Using Section Hashes"

A hacking group aligned with Belarusian government interests appears to combine cybercrime and cyber espionage. According to a new report by malware researcher Matthieu Faou at the security company ESET, the group known as "Asylum Ambuscade" has been involved in cybercrime and cyber espionage since 2020. Faou noted that it is uncommon to find a cybercriminal group conducting dedicated cyber espionage. In regard to cybercrime, the group primarily targets individual banking consumers, cryptocurrency traders, and small and midsize businesses (SMBs), mainly in North America and Europe. According to ESET, the number of victims exceeds 4,500. While the purpose of targeting cryptocurrency traders is quite apparent, which is the theft of cryptocurrency, ESET says it is unclear how Asylum Ambuscade monetizes its access to SMBs. The group may sell access to other crimeware groups that might, for example, deploy ransomware, but there are no indications that this is occurring. Regarding espionage, ESET reported that the group has primarily focused on European and Central Asian targets. This article continues to discuss observations regarding the Asylum Ambuscade hacking group.

BankInfoSecurity reports "Hacking Group Seen Mixing Cybercrime and Cyber Espionage"

A researcher at the University of Texas at Arlington is working to improve the security of Natural Language Generation (NLG) systems, such as those used by the Artificial Intelligence (AI)-driven chatbot ChatGPT, to prevent misuse and abuse that could lead to the spread of false information online. The National Science Foundation (NSF) awarded Shirin Nilizadeh, an assistant professor in the Department of Computer Science and Engineering, a five-year, $567,609 Faculty Early Career Development Program (CAREER) grant for her research. She emphasized the importance of understanding AI's vulnerability to online misinformation, a pressing issue that must be addressed. Nilizadeh's research will include an in-depth examination of the types of attacks that NLG systems are susceptible to, as well as the development of AI-based optimization techniques to test the systems against various attack models. In addition, she will conduct an analysis and characterization of the vulnerabilities that contribute to attacks and develop protective measures for NLG systems. The focus will be on two common NLG methods: summarization and question-answering. This article continues to discuss Nilizadeh's research aimed at increasing the security of NLG systems.

The University of Texas at Arlington reports "Researcher Explores Vulnerabilities of AI Systems to Online Misinformation"

The ALPHV/BlackCat ransomware gang claims to have accessed a trove of sensitive data, including the credentials of special agents and how tech giants respond to requests for information from special services. The attackers claim that a recent breach of the legal technology platform Casepoint allowed them access to 2TB of sensitive data, including law enforcement's interactions with tech companies such as Google and Facebook's parent company, Meta. In May, the Russia-linked ALPHV/BlackCat ransomware group allegedly breached Casepoint, which the US Courts, the Security Exchanges Commission (SEC), and the Department of Defense (DOD) use. The ALPHV/BlackCat ransomware gang was first observed in 2021. The group, like many others in the criminal underworld, maintains a Ransomware-as-a-Service (RaaS) business, selling criminals malware subscriptions. The gang's use of the programming language Rust was notable. According to a Microsoft analysis, the threat actors who began deploying it were also associated with other prominent ransomware families, including Conti, LockBit, and REvil. This article continues to discuss the ALPHV/BlackCat ransomware gang claiming to have accessed 2TB of sensitive information through the Casepoint breach as well as the history of this group.

Cybernews reports "Casepoint Attackers: We Have Meta and Google Comms With Special Services"

Orange Cyberdefense's Cy-Xplorer 2023 report analyzed cyber extortion activity during 2022. Data from 6,707 confirmed business victims reveals a fluctuation in the number of victims across different countries and industries, as well as the expansion of attacks into new regions. While the data indicate an 8 percent decrease in cyber extortion victims in 2022, this decrease appears to have been temporary, as the latest data shows the highest volumes to date in the first quarter of 2023. According to the report, 2022 was the year of 'distraction' and rebranding for some of the most noteworthy cyber extortion operations that Orange Cyberdefense monitors. The geographical shift of cyber extortion attacks has greatly impacted Indonesia, Singapore, Thailand, the Philippines, and Malaysia. The number of victims has decreased in regions including North America and Europe. Orange Cyberdefense has previously observed that countries are primarily targeted opportunistically and that the number of victims largely depends on the number of registered organizations in a country. This general trend is, however, shifting as larger Western countries respond actively to the threat and as threat actors are forced to find new hunting grounds. Threat actors are increasingly focusing on regions where they perceive a lower level of risk for them, which may be partly due to local governments' inaction. This article continues to discuss key findings from Orange Cyberdefense's report on cyber extortion activity.

Continuity Central reports "Cyber Extortion Activity Jumps to New Record in Q1 2023"

Cisco recently announced patches for a critical vulnerability in its Expressway series and TelePresence Video Communication Server (VCS) enterprise collaboration and video communication solutions. Tracked as CVE-2023-20105 (CVSS score of 9.6), the vulnerability allows an administrator with "read-only" rights to elevate their privileges to "read-write." The company noted that the issue exists because password change requests are not handled properly, allowing an attacker authenticated as a "read-only" administrator to send a crafted request to change the password for any user account on the system, including that of a "read-write" administrator, and then impersonate them. Cisco noted that its Expressway series and TelePresence VCS deployments that have granted CLI access to a "read-only" administrator are also vulnerable to CVE-2023-20192, a high-severity vulnerability that can lead to privilege escalation. According to Cisco, CLI access is disabled by default for "read-only" users. Cisco noted that this vulnerability is due to incorrect implementation of user role permissions. An attacker could exploit this vulnerability by authenticating to the application as a "read-only" CLI administrator and issuing commands normally reserved for administrators with "read-write" capabilities. Cisco stated that an attacker could exploit this flaw to execute commands they would not normally have access to, including modifying system configuration parameters. Expressway series and TelePresence VCS version 14.2.1 contains patches for CVE-2023-20105, while version 14.3.0 addresses CVE-2023-20192.

SecurityWeek reports: "Cisco Patches Critical Vulnerability in Enterprise Collaboration Solutions"

The enterprise security company Barracuda urges customers affected by a recently disclosed zero-day vulnerability in its Email Security Gateway (ESG) appliances to replace them immediately. Regardless of patch version level, impacted ESG appliances must be replaced, the company emphasized in an update. Barracuda disclosed a critical flaw in the devices, tracked as CVE-2023-2868 with a CVSS score of 9.8. It has been exploited as a zero-day for at least seven months since October 2022 to deliver custom malware and steal data. The vulnerability is a case of remote code injection that affects versions 5.1.3.001 through 9.2.0.006 and is caused by incomplete validation of attachments within incoming emails. Barracuda addressed it on May 20 and May 21, 2023. This article continues to discuss Barracuda urging customers impacted by a recently disclosed zero-day flaw in its ESG appliances to replace them immediately.

THN reports "Barracuda Urges Immediate Replacement of Hacked ESG Appliances"

Some ransomware groups have abandoned deploying malware to encrypt targets' files in favor of the data theft/extortion approach. Among them appears to be 0mega, a low-profile and seemingly low-active threat actor. 0mega is a newcomer to the ransomware/extortion business. Evidence of the gang's operations was initially discovered about a year ago, when one victim, a UK-based electronics repair and refurbishment company, refused to pay the demanded ransom, and the group leaked the company's data on its dedicated leak site. The group used ransomware that added the ".0mega" extension to encrypted files, but no sample of the malware has been discovered yet. Since then, the stolen data of two more victims has been exposed. However, the fact that the leak site only reveals a few victims does not mean that there are not many more. Data from one victim organization was disclosed and then removed. This article continues to discuss findings and observations regarding the 0mega ransomware operation.

Help Net Security reports "0MEGA Ransomware Gang Changes Tactics"

Despite efforts to anonymize user data, the fitness app Strava allows anyone to find personal information, such as the home addresses of some users. The finding, which is detailed in a recent study from North Carolina State University, raises serious privacy concerns. This could be problematic for users concerned about stalkers or have other reasons for wanting to keep their location information private. Strava is a mobile fitness-tracking app that enables users to track their exercise activities and includes features that facilitate user interaction. These capabilities can be used to organize clubs based on common interests, such as hiking or cycling. For example, the app contains a "heatmap" function that aggregates user data. Although all user data is anonymized, the heatmap feature allows users to see how many other Strava users hike, run, or ride bicycles in a particular area. This article continues to discuss key findings from the study "Heat Marks the Spot: De-Anonymizing Users' Geographical Data on the Strava Heatmap."

North Carolina State University reports "Fitness App Loophole Allows Access to Home Addresses"

Connected and automated vehicles (CAVs) promise to improve transportation operations, but they may also present avenues for malicious actors to undermine vehicle security, according to Rafael Stern, an assistant professor at the University of Minnesota. CAVs open up numerous possibilities for cyberattacks. If a malicious actor is familiar with the software that a CAV uses to make decisions, they can modify the vehicle's driving behavior. In one experiment, researchers demonstrated that a STOP sign could be changed with tape in a way that makes the vehicle read it as 45 MPH. These hacks would be detected and corrected promptly, but more subtle cyberattacks that cause little variations in driving behaviors on any one car, could have far-reaching consequences while remaining practically undetectable. This article continues to discuss the cybersecurity of CAVs.

The University of Minnesota reports "Preparing for the Future of CAVs: Cybersecurity, Winter Weather Research"

The pro-Russian hackers, who claim to have brought down Microsoft Outlook as part of an ongoing campaign against the US, warn that OpenAI's ChatGPT is next on their hit list. Anonymous Sudan has claimed responsibility for a series of intermittent Distributed Denial-of-Service (DDoS) attacks recently launched against the Microsoft 365 information management platform. The group's encrypted Telegram channel has dozens of threat posts identifying Microsoft as their most recent high-profile target. This article continues to discuss Anonymous Sudan claiming to have taken down Microsoft Outlook and its plans to target OpenAI's ChatGPT next, as well as the hacktivist gang's other recent activities.

Cybernews reports "Microsoft Outlook Hackers Threaten ChatGPT Next"

It was recently discovered that a data breach at the San Diego Unified School District last fall affected more people and more types of personal data than previously acknowledged. In addition to students' medical information, the breach in October also affected current and former employees' sensitive personal data, including Social Security numbers, direct deposit account information, medical information, and more, said the district's executive director of risk services, Dennis Monahan. Monahan stated that an additional investigation had revealed those findings in April and that the district had implemented additional security safeguards to help prevent another breach. The district did not immediately respond to questions about how many people have been affected or notified, whether the investigation is ongoing, or what specific security safeguards and controls it has implemented. Families were first informed in early December that a third party had accessed some of the district's systems on Oct. 25. District officials said staff quickly secured the network, launched an investigation, and notified law enforcement.

Government Technology reports: "San Diego Schools Hack Worse Than Initially Believed"

The Cybersecurity and Infrastructure Security Agency (CISA) and FBI have published a joint Cybersecurity Advisory (CSA) with recommended actions and mitigations to protect against and mitigate the impact of the CL0P Ransomware Gang exploiting the MOVEit vulnerability, which is tracked as CVE-2023-3436. CL0P Ransomware Gang, also known as TA505, started exploiting the previously unknown Structured Query Language (SQL) injection vulnerability in Progress Software's Managed File Transfer (MFT) solution called MOVEit Transfer in May 2023. CL0P infected Internet-facing MOVEit Transfer web applications with malware, which was then used to extract data from the underlying MOVEit Transfer databases. This article continues to discuss the joint advisory on the CL0P Ransomware Gang exploiting the MOVEit vulnerability.

CISA reports "CISA and FBI Release Advisory on CL0P Ransomware Gang Exploiting MOVEit Vulnerability"

Google recently announced security updates for the Android operating system to resolve over 50 vulnerabilities, including an Arm Mali GPU flaw exploited by spyware vendors. Tracked as CVE-2022-22706, the exploited bug is a kernel driver issue that Arm fixed in January 2022 but which had been targeted in attacks before that. Despite known exploitation, however, Google and other Android vendors took more than a year to incorporate the patches for CVE-2022-22706 in their software updates. Last month, Google resolved another Android bug exploited by spyware vendors as a zero-day. Tracked as CVE-2023-0266, the issue is described as a moderate-severity kernel flaw leading to privilege escalation. The June 2023 Android update is split into two. The first part, which arrives on devices as the 2023-06-01 security patch level, resolves 10 vulnerabilities in the Framework component and 13 bugs in the System component. Google noted that three of these issues are critical-severity remote code execution (RCE) flaws. They are tracked as CVE-2023-21127, CVE-2023-21108, and CVE-2023-21130. The most severe of these issues is a critical security vulnerability in the System component that could lead to remote code execution over Bluetooth if HFP support is enabled, with no additional execution privileges needed. Google stated that user interaction is not needed for exploitation. The remaining 20 fixed vulnerabilities, rated "high severity," lead to escalation of privilege, information disclosure, or denial-of-service (DoS). Arriving on devices as the 2023-06-05 security patch level, the second part of Android's June 2023 update resolves 33 flaws in Arm (3 vulnerabilities), Imagination Technologies (2), Unisoc (4), Widevine DRM (2), and Qualcomm components (22).

SecurityWeek reports: "Android's June 2023 Security Update Patches Exploited Arm GPU Vulnerability"

A Florida man has recently pleaded guilty to making over $100m from importing and selling counterfeit Cisco networking devices. Onur Aksoy, 39, of Miami, pleaded guilty to conspiring with others to traffic in counterfeit goods, to commit mail fraud, and to commit wire fraud and mail fraud. The Department of Justice (DoJ) stated that he is facing anywhere between four and six-and-a-half years behind bars and must forfeit $15m in illicit gains made from the scheme. The DoJ noted that Aksoy is a dual US/Turkish citizen and ran at least 19 companies in New Jersey and Florida, alongside 15 Amazon storefronts and at least ten eBay storefronts. He imported tens of thousands of knock-off Cisco networking devices from China and Hong Kong, complete with fake labels, stickers, boxes, documentation, and packaging designed to make them appear to be genuine products. The DoJ noted that these devices were older products, often previously sold or discarded, which Chinese forgers modified to make them appear newer, more expensive devices. Often, pirated Cisco software and unreliable and unauthorized components were also added, including components designed to circumvent Cisco anti-piracy checks. According to the DoJ, many of these products suffered from performance issues and, in some cases malfunctioned, causing damage to customers' networks and operations. Some recipients of the counterfeit Cisco networking devices included hospitals, schools, government agencies, and the military.

Infosecurity reports: "Cisco Counterfeiter Pleads Guilty to $100m Scheme"

A new malware campaign uses the Satacom downloader as a channel for distributing stealthy malware that can steal cryptocurrency via a malicious browser extension for Chromium-based browsers. The malware dropped by the Satacom downloader primarily aims to steal BTC from the victim's account through web injections into cryptocurrency-specific websites. The campaign's primary targets are Coinbase, Bybit, KuCoin, Huobi, and Binance users, mainly located in Brazil, Algeria, Turkey, Vietnam, Indonesia, India, Egypt, and Mexico. The Satacom downloader, also known as Legion Loader, emerged for the first time in 2019 as a dropper for next-stage payloads, such as information stealers and cryptocurrency miners. The infection chains involve users searching for cracked software and being redirected to fraudulent websites hosting ZIP archives containing the malware. According to researchers, different types of websites are used to spread the malware. Some of the malicious websites have a hardcoded download link, whereas others inject the 'Download' button via a legitimate advertising plugin. This article continues to discuss the malware campaign found to be leveraging the Satacom downloader to steal cryptocurrency.

THN reports "New Malware Campaign Leveraging Satacom Downloader to Steal Cryptocurrency"

Prism Infosec discovered two high-risk vulnerabilities in ABB's Aspect Control Engine Building Management System (BMS). Users can monitor a building's performance with ABB's Aspect BMS, which combines real-time integrated control, supervision, data logging, alarms, scheduling, and network management features with Internet connectivity and web serving capabilities. Therefore, users can examine system status, change setpoints and schedules, and more through their desktop, laptop, or mobile phone devices. The two vulnerabilities impact versions before 3.07.01. They could lead to Remote Code Execution (RCE) and privilege escalation within the Aspect Control Engine software, potentially granting an attacker complete control over the BMS. This article continues to discuss the discovery and potential impact of the two high-risk vulnerabilities in the Aspect Control Engine BMS developed by ABB.

Help Net Security reports "High-Risk Vulnerabilities Patched in ABB Aspect Building Management System"

The use of mobile technologies to collect and analyze location information on individuals has generated large amounts of consumer location data, further supporting a complex multibillion-dollar system in which consumers can exchange personal data for economic benefits. However, consumers continue to face privacy risks. In a recent study, Machine Learning (ML) was used to develop and test a framework that quantifies personalized privacy risks, performs personalized data obfuscation, and accommodates various risks, utilities, and acceptable levels of risk-utility tradeoff. The framework outperformed previous models, significantly reducing privacy risks for consumers while preserving advertisers' utility. Researchers from Carnegie Mellon University (CMU), the University of Virginia, and New York University conducted the study. This article continues to discuss the new framework that balances privacy risks and data utilities.

Carnegie Mellon University's Heinz College reports "Amid Volumes of Mobile Location Data, New Framework Reduces Consumers' Privacy Risk, Preserves Advertisers' Utility"

US Cyber Games kicked off the competition to identify and select the Season III US Cyber Team last week. Over the next few months, athletes aged 18 to 24 will participate in events that will culminate with the selection of the top cyber athletes in October for the Season III team to compete at the 2024 International Cybersecurity Challenge (ICC). The US Cyber Games, founded by Katzcy in collaboration with the National Initiative for Cybersecurity Education (NICE) program at the National Institute of Standards and Technology (NIST), is one of the Cybersecurity and Infrastructure Security Agency's (CISA) key partnerships aimed at inspiring and educating the next generation about pursuing careers in cybersecurity. This initiative identifies and cultivates the nation's top cyber talent, as well as emphasizes the significance of cybersecurity in the evolving digital landscape. This article continues to discuss the US Cyber Games.

CISA reports "Informing and Inspiring the Next Generation of Cyber Talent Through Competition"

Security researchers at Palo Alto Networks' Unit 42 discovered that the number of vulnerabilities exploited in 2022 has grown by 55% compared to 2021. The researchers noted that Linux malware emerged as a growing concern last year, particularly since 90% of public cloud instances are running on Linux. The researchers stated that botnets as the most prevalent type of Linux threat, accounting for 47% of attacks, followed by coin miners at 21% and backdoors at 11%. ChatGPT scams saw a 910% increase in monthly domain registrations, pointing to an exponential growth in fraudulent activities taking advantage of the widespread usage and popularity of AI-powered chatbots. The researchers noted that cryptominer traffic has also experienced a doubling in 2022, indicating a growing financial motive behind cybercriminal activities. The researchers also discovered that manufacturing, utilities, and energy industries witnessed a significant surge in malware attacks, particularly those targeting operational technology (OT). There was a staggering 238% increase in malware attacks experienced by organizations within these sectors between 2021 and 2022.

Infosecurity reports: "Exploitation of Vulnerabilities Have Soared, Unit 42 Report Finds"

Cybercriminals are using legitimate remote access software to gain access to victims' systems, blend in with regular network activity, and bypass detection. The National Security Agency (NSA), together with co-authors, released the "Guide to Securing Remote Access Software" Cybersecurity Information Sheet (CSI) in order to help network administrators and defenders follow best practices and provide recommendations on how to mitigate malicious activity. Eric Chudow, NSA's System Threats and Vulnerability Analysis Subject Matter Expert, commented that remote access may be a beneficial option for many organizations, but it could also be a threat vector into their systems. It could enable cyber actors to use or even control systems and resources if not properly secured. NSA, the Cybersecurity and Infrastructure Security Agency (CISA), the FBI, the Multi-State Information Sharing and Analysis Center (MS-ISAC), and the Israel National Cyber Directorate (INCD) are among the co-authoring agencies. This article continues to discuss the new guide on securing remote access software.

NSA reports "NSA and Co-Authors Recommend Best Practices to Secure Remote Access Software"

University of Oklahoma researchers led a study recently published in Science Advances that demonstrates using spatial correlations in quantum entangled light beams to encode information and enable its secure transmission. Light can be used to encode information for high-speed data transmission, long-distance communication, and other purposes. For secure communication, encoding large amounts of information in light presents additional challenges for ensuring the privacy and integrity of the transferred data. The idea of the project is to encode large amounts of information using the spatial properties of light, similar to how an image contains information. However, this should be done in a way compatible with quantum networks for secure information transfer. This article continues to discuss the demonstration of secure information transfer using spatial correlations in quantum entangled beams of light.

The University of Oklahoma reports "Researchers Demonstrate Secure Information Transfer Using Spatial Correlations in Quantum Entangled Beams of Light"

Open source password manager KeePass has recently released an update to patch a vulnerability allowing attackers to retrieve the cleartext master password from a memory dump. Tracked as CVE-2023-32784 and impacting KeePass 2.x versions, the issue is related to the custom-developed textbox used for password entry, which creates a leftover string in memory for each character that the user types. The company noted that an attacker can use a KeePass process dump, a hibernation file, a swap file, or even a RAM dump of the entire system to retrieve the strings and reconstruct the typed password. Because the strings are ordered in memory, even multiple typed-in passwords can be retrieved. Several weeks ago, a security researcher published a proof-of-concept (PoC) tool that can exploit the vulnerability to retrieve passwords from memory dumps. The researcher also pointed out that the risks associated with the flaw were minimal, as remote exploitation was not possible. KeePass announced that a patch for the bug had been included in the test version of KeePass 2.54, with the stable release scheduled for July. The software update brings several other changes as well, including user interface and integration enhancements, new features, and other improvements and bug fixes.

SecurityWeek reports: "KeePass Update Patches Vulnerability Exposing Master Password"

State University of New York (SUNY) at Albany (UAlbany) researchers have opened two new campus labs to explore the future of social media monitoring, digital forensics, and geospatial analysis, as well as the cybersecurity vulnerabilities of toys and household items. According to a recent press release, the Open Source Intelligence (OSI) and Hack-IoT (Internet of Things) labs within the university's College of Emergency Preparedness, Homeland Security and Cybersecurity (CEHC) are now operational. The OSI Lab conducts research involving the collection and analysis of publicly accessible open source intelligence (OSINT) data, which is often used in criminal and civil investigations, legal disputes, and threat assessment. This type of sensitive data is also vulnerable to malicious use. The Hack-IoT Lab focuses on privacy flaws in various smart devices, such as toys and kitchen appliances. Students have already begun testing Zenbo robot toys and will report any discovered vulnerabilities to the manufacturers. This article continues to discuss the two new labs at SUNY's Albany campus aimed at searching for cybersecurity vulnerabilities in OSINT and IoT devices.

GovTech reports "UAlbany Research Looking for Cybersecurity Vulnerabilities"