News Items

Researchers have found that attackers can exploit ChatGPT's proneness for returning false information to spread malicious code packages. This poses a significant threat to the software supply chain because it can allow malicious code and Trojans to be included in legitimate applications and code repositories such as npm, PyPI, GitHub, and others. Using "AI package hallucinations," threat actors can make ChatGPT-recommended, yet malicious, code packages that a developer could download when using the chatbot, adding them to software that is then widely used, according to researchers from Vulcan Cyber's Voyager18 research team. In Artificial Intelligence (AI), a hallucination is a reasonable response by the AI that is incomplete, biased, or false. This article continues to discuss attackers exploiting false recommendations to spread malicious code via developers that use ChatGPT to create software.

Dark Reading reports "ChatGPT Hallucinations Open Developers to Supply Chain Malware Attacks"

Researchers at the University of British Columbia imagine the possibility of a digital doppelganger or clone created from the depths of Artificial Intelligence (AI) that accurately reflects a person in appearance, speech, and behavior. New research conducted at the University of British Columbia sheds light on this possibility. With advances in deep learning technologies such as interactive deepfake applications, voice conversion, and virtual actors, it is possible to digitally replicate the appearance and behavior of an individual. This duplicate of a person produced by AI is known as an "AI clone." The study explores how these AI clones could impact self-perception, relationships, and society. The researchers identified three categories of risks AI clones pose: doppelganger phobia, identity fragmentation, and living memories. These clones are personal data-based AI technologies. As the amount of personal data people generate increases, so does the fidelity with which these AI clones replicate human behavior. This article continues to discuss the possibility of personal data being used to create an AI clone that can mimic a user's behavior, as well as the potential effects of AI clone technologies.

The Conversation reports "AI Clones Made From User Data Pose Uncanny Risks"

New research on the Qakbot malware network reveals that the bots in the network have a high rate of turnover over time and that the average lifespan of a bot or command-and-control (C2) server is typically only a few days. Qakbot is considered ancient because it has been active since 2007 and has significantly evolved throughout the years. It evolved from a traditional banking Trojan into a malware delivery platform and ransomware network. In response to the evolution and improvement of defenses over the past few years, Qakbot operators have modified their strategies, delivery methods, and the types of malicious attachments they use in their spam emails. At the beginning of 2023, the most significant change was the transition from macro-laden attachments to Microsoft OneNote files. In recent months, there have been major increases in Qakbot activity, which is typical for a cyclical network. Although the spam runs and intrusions primarily target enterprise users, many C2 nodes are located on consumer devices, which is one of the defining characteristics of the Qakbot network. Qakbot is one of the most resilient and persistent malware networks currently active, and its operators have demonstrated the ability to adapt their tactics as necessary. This article continues to discuss new findings regarding the Qakbot malware network.

Decipher reports "Qakbot Ducks for Cover With New Tactics"

Artificial intelligence technology startup OpenAI has recently launched a $1 million cybersecurity grant program aimed at boosting defender-focused research and capabilities and measurements. OpenAI, makers of the popular ChatGPT bot application, plans to shell out grants in increments of $10,000 in the form of API credits or direct funding for projects that empower defensive use cases for generative AI technology. The company stated that its goal is to work with defenders across the globe to change the power dynamics of cybersecurity through the application of AI and the coordination of like-minded individuals working for our collective safety. The company noted that the program is meant to nudge developers into creating cutting-edge AI capabilities that benefit defenders and to develop methods for quantifying the cybersecurity capabilities of AI models. "OpenAI said projects in scope include those that collect and label data from cyber defenders to train defensive cybersecurity agents; detect and mitigate social engineering tactics; automate incident triage, and identify security issues in source code." The company is also looking to fund projects that assist network or device forensics, automatically patch vulnerabilities, and optimize patch management processes to improve prioritization, scheduling, and deployment of security updates. The company noted that it would evaluate and accept applications for funding or other support on a rolling basis, noting that strong preference will be given to practical applications of AI in defensive cybersecurity (tools, methods, processes). Offensive-security projects will not be considered for funding at this time. The company noted that all submissions should be intended to be licensed or distributed for maximal public benefit and sharing.

SecurityWeek reports: "OpenAI Unveils Million-Dollar Cybersecurity Grant Program"

Security researchers have linked new mass hacks, targeting a popular file transfer tool, to the Clop ransomware gang. Hackers are exploiting a newly discovered flaw in MOVEit Transfer, a file transfer tool businesses use to share large files over the Internet. The vulnerability enables hackers to gain unauthorized access to the database of a vulnerable MOVEit server. The developer of the MOVEit software, Progress Software, has already released patches. However, attack victims have begun to come forward. Zellis, a UK-based human resources software developer and payroll service provider, confirmed that its MOVEit system had been compromised, affecting a "small number" of its corporate customers. British Airways, one of these customers, disclosed that the breach compromised the payroll information of its UK-based employees. Initially, it was unclear who was behind this new wave of cyberattacks, but Microsoft security researchers have attributed them to a group dubbed "Lace Tempest." This gang is a known affiliate of the Russia-backed Clop ransomware group, which was previously linked to widespread attacks involving the exploitation of vulnerabilities in Fortra's GoAnywhere file transfer tool and Accellion's file transfer tool. This article continues to discuss the first confirmed victims of the MOVEit mass hacks and the Clop ransomware gang's connection to the hacks.

TechCrunch reports "Microsoft Says Clop Ransomware Gang Is Behind MOVEit Mass-Hacks, as First Victims Come Forward"

Veracode has released research findings indicating that applications developed by public sector organizations typically contain more security vulnerabilities than those created by private sector organizations. The findings are significant because an increase in the number of application vulnerabilities and flaws correlates with an increase in risk. The research arrives as the federal government increases efforts to strengthen cybersecurity, with initiatives aimed at reducing vulnerabilities in government-critical applications. Researchers discovered that nearly 82 percent of applications developed by public sector organizations contained at least one security vulnerability in their most recent scan over the past 12 months, compared to 74 percent of applications developed by private sector organizations. Public sector applications had a 7-12 percent greater likelihood of introducing a flaw in the last 12 months, depending on the type of flaw tracked. This article continues to discuss key findings from Veracode's State of Software Security report.

Business Wire reports "Research Reveals Software Security at Public Sector Organizations Lagging"

British Airways and retailer Boots recently discovered that their staff was amongst those hit by a cyberattack on Zellis, a payroll provider used by hundreds of companies in Britain. British Airways, owned by IAG, said it had notified affected employees and was providing them with support. The company stated that they had been informed that they are one of the companies impacted by Zellis' cybersecurity incident, which occurred via one of their third-party suppliers called MOVEit. Part of the Walgreens Boots Alliance, Boots said the attack had included some of its employees' personal details. Boots employs over 50,000 people in Britain, while British Airways has about 30,000 staff. U.S. security researchers warned last Thursday that hackers had stolen data from the systems of a number of users of file transfer tool MOVEit Transferone one day after the software maker disclosed that a security flaw had been discovered. The compromised data the researchers saw included names, addresses, and national insurance numbers.

U.S. News reports: "British Airways, Boots Staff Data Compromised by Payroll Cyber Hack"

A popular provider of cryptocurrency wallets has recently revealed that some of its customers have been compromised in a campaign that has already cost them an estimated tens of millions of dollars. Atomic Wallet, which offers a decentralized wallet that supports over 500 coins and tokens, says its mission is to "provide a convenient way of managing cryptocurrencies." However, reports recently started coming in of customer wallets being compromised. The company noted that, at the moment, less than 1% of their monthly active users have been affected/reported. A security investigation is ongoing. The company noted that they report victim addresses to major exchanges and blockchain analytics to trace and block the stolen funds. One blockchain investigator claimed as of Sunday that at least $35m had been stolen, with the biggest victim losing nearly $8m and the five biggest losses amounting to nearly half of the total ($17m). More than 100 customer wallets have been listed as impacted by the attacks, and any additional users that have been compromised are urged to share their addresses and transaction hashes to help determine the scope and scale of the incident.

Infosecurity reports: "Atomic Wallet Customers Lose Over $35m in Crypto Attacks"

An unknown threat actor has been observed targeting Spanish- and Portuguese-speaking victims in Mexico, Peru, and Portugal to compromise online banking accounts. According to the BlackBerry Research and Intelligence Team, this threat actor uses techniques such as LOLBaS (living-off-the-land binaries and scripts) and CMD-based scripts to perform malicious activities. Based on an analysis of the artifacts, the cybersecurity company attributed the campaign, called "Operation CMDStealer," to a Brazilian threat actor. The attack chain relies primarily on social engineering, sending Portuguese and Spanish emails containing tax- or traffic violation-related lures to initiate infections and get unauthorized access to victims' systems. The emails include an HTML attachment containing obfuscated code to fetch the next-stage payload as a RAR archive file from a remote server. The files, which are geofenced to a particular country, include a .CMD file. The .CMD file has an AutoIt script aimed at downloading a Visual Basic Script to steal Microsoft Outlook and browser password data. This article continues to discuss cybercriminals using LOLBaS and CMD-based scripts to compromise online banking accounts.

THN reports "Brazilian Cybercriminals Using LOLBaS and CMD Scripts to Drain Bank Accounts"

According to LexisNexis Risk Solutions, carriers and customers are becoming increasingly concerned about data privacy as the digital revolution changes the claims process. Over 60 percent of customers are concerned about the security of their personally identifiable information (PII) when submitting virtual claims. Carriers are concerned about the actual cost of fraud, which can cost four times the value of a fraudulent transaction and damage a carrier's reputation. Ninety-three percent of respondents say that identity-related fraud harms their business, and 80 percent report that it occurs at least monthly. However, 73 percent of respondents say it is difficult to know how identity-related fraud occurs, and 47 percent say it is extremely difficult to detect. Only 33 percent say they have an effective method to detect and prevent identity-related fraud. This article continues to discuss key findings from LexisNexis Risk Solutions' report regarding identity-related fraud among insurance carriers, balancing customer experience with fraud mitigation, and mitigating identity-related fraud.

Help Net Security reports "Virtual Claims Raise Alarms Among Insurance Carriers and Customers"

Researchers are exploring approaches to truly unbreakable security. Cyberattacks are becoming more frequent and sophisticated, and as the amount and value of data continue to increase, the impact of these attacks is growing almost exponentially. Cybersecurity Ventures predicts that the annual cost of cybercrime will increase from $8 trillion in 2023 to $210.5 trillion in 2025. Industrial and commercial sectors, including healthcare, finance, education, and more, are on the list of targets. Even the most secure systems can be compromised with enough time and computing resources. According to Steve Hanna, an engineer at Infineon Technologies, any system can be infiltrated with the right resources, but there are many ways to make a system highly resistant to attacks. Cybersecurity is an evolving process. As hackers become more sophisticated, a defense mechanism must be able to respond dynamically to future threats. Researchers point out that no set formula exists for designing a practically unbreakable system. However, essential design principles can help designers in achieving this objective. These principles include being proactive, implementing well-known and tested security standards, deploying security effectively, securing memory, improving the security of chip architecture, and properly applying Artificial Intelligence (AI). This article continues to discuss the pursuit of unbreakable cybersecurity systems and the progress made by experts in developing practically unbreakable systems.

Semiconductor Engineering reports "Developing An Unbreakable Cybersecurity System"

The US Cyber Command (USCYBERCOM) hosted the inaugural USCYBERCOM Cyber Recon 2023 conference in Maryland from April 19-20, 2023. The Analyst Award was won by a team from UCCS composed of Ph.D. student Mark Maldonado and academic advisor Shouhuai Xu, Gallogly Endowed Engineering Chair in Cybersecurity and professor of computer science, along with USCYBERCOM Mentors CDR Stephanie Pendino and LTC Dr. Robert James Ross. Their project, titled "Towards Detecting Log4j Attacks via Machine Learning," seeks to detect high-profile attacks such as Log4j using Machine Learning (ML) methods. This article continues to discuss the UCCS student research that won the Analyst Award at the USCYBERCOM research competition and the structure of this competition.

UCCS reports "UCCS Student Research Wins Award at the USCYBERCOM Research Competition"

Design is an integral component of the development process for most software engineers. A programmer devises algorithms to support their code and constructs models to visualize how the various parts of their systems will function together, similar to an architect drawing blueprints. Programmers should be able to test these algorithms and models in order to identify design flaws before they become bugs in the written code. This is the goal of TLA+, an open source, high-level language for modeling software programs and hardware systems. The logic behind it is based on the Temporal Logic of Actions (TLA), a mathematical technique for reasoning about the correctness of concurrent algorithms. Leslie Lamport, a distinguished scientist at Microsoft Research who is best known for inventing LaTeX, a document-preparation system for scientific papers, created both TLA and TLA+. Lamport notes that TLA+ is a specification language, not a programming language. He explains that it describes the program at a higher level of abstraction--what it is intended to do and how it is supposed to do it. Therefore, TLA+ is useful for verifying the validity of a program's design or supporting algorithm, a capability made possible by the TLA+ model checker. After developing specifications and writing models on TLA+, engineers can use the model checker to detect and correct design errors prior to implementing code. This article continues to discuss TLA+ helping programmers address bugs before coding.

IEEE Spectrum reports "TLA+ Helps Programmers Squash Bugs Before Coding"

Google recently announced significantly higher bug bounty rewards for vulnerability reports containing full chain exploits leading to a sandbox escape in Chrome. Until December 1, 2023, the first report to contain a full chain exploit leading to a Chrome sandbox escape, Google says, may receive up to $180,000, or even more if cumulated with other bonuses, which is triple the current reward amount. Google noted that subsequent full chain exploits that are submitted during the timeframe may receive up to $120,000, which is double the current reward amount. All reports should be submitted through the Chrome vulnerability rewards program. According to Google, interested researchers may submit the vulnerability report in advance but need to provide a functional exploit by December 1 to be eligible for the increased rewards. The first functional full chain exploit submitted during the timeframe, which demonstrates attacker control or code execution outside the Chrome sandbox, is eligible for the triple reward amount. Google noted that the exploit chain should be performed remotely and require no or very limited user interaction. Furthermore, it should target an active Chrome release channel at the time of the initial reports of the bugs in that chain. Exploits targeting publicly disclosed bugs in past versions of Chrome are not eligible for the reward.

SecurityWeek reports: "Google Temporarily Offering $180,000 for Full Chain Chrome Exploit"

Splunk recently announced Splunk Enterprise security updates that resolve multiple high-severity vulnerabilities, including some impacting third-party packages used by the product. The most severe of these is CVE-2023-32707, a privilege escalation issue that allows low-privileged users with the "edit_user" capability to escalate privileges to administrator via a specially crafted web request. Splunk explained that this can happen because the "edit_user" capability does not honor the "grantableRoles" setting in the authorize.conf configuration file, which prevents this scenario from happening. The next most severe vulnerability patched is CVE-2023-32706, a denial-of-service (DoS) flaw in the Splunk daemon, which occurs when an incorrectly configured XML parser receives specially-crafted messages within SAML authentication. Splunk explained that the input contains a reference to an entity expansion, and recursive references may cause the XML parser to use all available memory on the machine, leading to the daemon's crash or to process termination. Another high-severity vulnerability addressed in Splunk Enterprise is CVE-2023-32708, an HTTP response splitting issue that allows a low-privileged user to access other REST endpoints on the system and view restricted content. Splunk also resolved multiple severe issues in third-party packages used in Splunk Enterprise, such as Libxml2, OpenSSL, Curl, Libarchive, SQLite, Go, and many others. Some of these vulnerabilities have been public for more than four years. Splunk noted that all these flaws were addressed with the release of Splunk Enterprise versions 8.1.14, 8.2.11, and 9.0.5. The updates resolve multiple medium-severity vulnerabilities as well.

SecurityWeek reports: "High-Severity Vulnerabilities Patched in Splunk Enterprise"

The National Security Agency (NSA) is collaborating with several organizations to draw attention to the Democratic People's Republic of Korea's (DPRK) use of social engineering and malware to target think tanks, academic institutions, and the news media. In order to help in protecting against these DPRK attacks, the NSA and its partners are publishing a Cybersecurity Advisory (CSA) titled "North Korea Using Social Engineering to Enable Hacking of Think Tanks, Academia, and Media." Rob Joyce, director of Cybersecurity at the NSA, stated that DPRK-sponsored cyber actors continue to impersonate trusted sources in order to collect sensitive information, adding that education and awareness are the first line of defense against these social engineering attacks. The FBI, US Department of State, and more have observed sustained information-gathering efforts by a group of DPRK cyber actors known as Kimsuky, THALLIUM, or VELVETCHOLLIMA. This article continues to discuss the alert about the DPRK's use of social engineering and malware to target victims.

NSA reports "US, ROK Agencies Alert: DPRK Cyber Actors Impersonating Targets to Collect Intelligence"

Since at least November 2020, a previously unknown campaign involving the Horabot botnet malware has been targeting Spanish-speaking users in Latin America, infecting them with a banking Trojan and spam tool. The malware allows the operators to seize control of the victim's Gmail, Outlook, Hotmail, or Yahoo email accounts. They could steal incoming email data and two-factor authentication (2FA) codes, and send phishing emails from the compromised account. The new Horabot operation was discovered by Cisco Talos analysts, who report that the threat actor responsible for it likely resides in Brazil. This article continues to discuss findings regarding the new Horabot campaign.

Bleeping Computer reports "New Horabot Campaign Takes Over Victim's Gmail, Outlook Accounts"

Jiaming Xu, an associate professor at Duke University's Fuqua School of Business, and his coauthors explored how to keep data safe and private when using a new decentralized, collaborative way of training Artificial Intelligence (AI) models. Xu says federated learning is a new approach that can revolutionize AI systems training. He explains that traditional Machine Learning (ML) requires all data to be centralized in a single data center, while federated learning, also known as collaborative learning, trains the algorithm of a central model using data from decentralized sources. Edge devices are crucial in federated learning. These data-collecting tools, including smartphones, climate sensors, semi-autonomous vehicles, satellites, bank fraud detection systems, and medical wearables, could remotely share their data to train the central learning model in a repeatable cycle. According to Xu, federated learning is appealing to scientists, doctors, and companies because the data itself never leaves the edge devices. Due to privacy laws such as the Health Insurance Portability and Accountability Act (HIPAA), and the threat of hacking, federated learning is attractive to various industries. However, according to Xu, federated learning is not a perfect solution since the possibility of hacking still exists when the server and edge devices communicate. It is still possible for an eavesdropper to infer the private data based on the sent parameters. Therefore, Xu has developed querying strategies and analytical techniques that can be incorporated into theft-proof frameworks for federated learning in order to help find privacy solutions. His findings are presented in two papers titled "Learner-Private Convex Optimization" and "Optimal Query Complexity for Private Sequential Learning Against Eavesdropping." This article continues to discuss the concept of federated learning and the research on privacy solutions for this approach.

Duke University's Fuqua School of Business reports "Will Federated Learning Revolutionize AI Training?"

The US Department of Energy (DOE) has announced the seventh selection for the Office of Cybersecurity, Energy Security, and Emergency Response's (CESER) University-Based Scalable Cyber-Physical Solutions Funding Opportunity Announcement (FOA). The seventh selection is Florida State University's Concurrent Learning Cyber-Physical Framework for Resilient Electric Power System (CyberPREPS) project. The project will allow transmission systems to withstand a cyberattack while maintaining critical functions. This project and other CESER-funded research, development, and deployment (RD&D) efforts contribute to the Biden-Harris Administration's ongoing efforts to protect US critical infrastructure and advance the energy sector's cybersecurity capabilities. This article continues to discuss the seventh selection for the CESER University-Based Scalable Cyber-Physical Solutions FOA.

The US Department of Energy reports "CESER Announces New Funding Recipient to Fortify Energy Delivery Systems"

The UL Hospitals Group (ULHG), which runs six hospitals in the mid-west region, has recently announced that it is writing to more than 1,000 patients whose personal and medical information was inadvertently shared with an unknown third party in a data breach. The data breach occurred last January when a staff member mistakenly sent the information to an "unknown party." The company noted that efforts to recall the information about the 1,066 patients attending gastroenterology services at three hospitals have proved unsuccessful. The company stated that they are writing to over 1,000 patients in relation to a data breach within the gastroenterology services at University Hospital Limerick, Ennis Hospital, and Nenagh Hospital. The data breach concerns patients who attended these services between 2018 and January 2023. The company noted that a file attached to the email included patient names, dates of birth, medical chart numbers, and limited medical information. The company stated that no personal contact details, such as patient phone numbers or email addresses, have been disclosed in this breach.

Journal.ie reports: "Over 1,000 Patients of UL Hospitals Group Affected by Data Breach Involving Unknown Party"

Organizations using Moxa's MXsecurity product have been informed about two potentially serious vulnerabilities that could be exploited by malicious hackers targeting operational technology (OT) networks. MXsecurity is an industrial network security management software designed for OT environments. Simon Janz, a security researcher, discovered recently that the product is impacted by a critical vulnerability that can be exploited remotely to bypass authentication (CVE-2023-33235) and a high-severity flaw in the SSH command-line interface that can lead to remote command execution (CVE-2023-33236). Moxa patched the security holes with the release of version 1.0.1. Advisories for the two bugs have been published by the US Cybersecurity and Infrastructure Security Agency (CISA), which noted that the impacted product is used worldwide in multiple sectors.

SecurityWeek reports: "Moxa Patches MXsecurity Vulnerabilities That Could Be Exploited in OT Attacks"

As NASA's Artemis program, China's Tiangong Space Station, and a growing number of space-tourism companies prepare to usher in a new era of human spaceflight, more attention is needed for cybersecurity in space. Cyber threats to crewed spacecraft may focus on proximity methods, such as the installation of malware or ransomware on a spacecraft's internal computer. In a paper titled "Cybersecurity and Human Spaceflight Safety," Gregory Falco, an assistant professor of civil and systems engineering at Johns Hopkins University, and co-author Nathaniel Gordon outline four ways in which crew members, including space tourists, may be used as part of these threats: crew as the attacker, crew as an attack vector, crew as collateral damage, and crew as the target. Private and national proprietary secrets could be stolen, the crew could be placed at risk by ransomware, and crew members could be targeted through an attack on safety-critical systems such as air filters. This article continues to discuss the cybersecurity problems that could put astronauts at risk.

IEEE Spectrum reports "Cybersecurity Gaps Could Put Astronauts at Grave Risk"

Security researchers at Rapid7 are urging Zyxel networking device users to update their firewalls and VPNs after it was discovered that hackers are actively exploiting a vulnerability in the wild to enable remote code execution. The Taiwanese vendor fixed CVE-2023-28771 on April 25, revealing that the flaw affects its ATP, USG Flex, VPN, and ZyWall/USG products, from versions ZLD V4.60 to V5.35. In the case of the ZyWall/USG product, it impacts versions ZLD V4.60 to V4.73. Zyxel warned that improper error message handling in some firewall versions could allow an unauthenticated attacker to execute some OS commands remotely by sending crafted packets to an affected device. The researchers at Rapid7 noted that the bug is present in the default configuration of vulnerable devices and is exploitable in the Wide Area Network (WAN) interface, which is designed to be exposed to the internet. The researchers stated that successful exploitation of CVE-2023-28771 allows an unauthenticated attacker to execute code remotely on the target system by sending a specially crafted IKEv2 packet to UDP port 500 on the device. The researchers warned that the CVE is being "widely exploited" to compromise devices and conscript them into a Mirai-based botnet, most likely for DDoS attacks.

Infosecurity reports: "Zyxel Customers Urged to Patch Exploited Bug"

Researchers have uncovered a novel attack on the Python Package Index (PyPI), the official repository of third-party open-source Python projects. The attack uses compiled Python code to evade detection by application security tools. ReversingLabs analyst Karlo Zank noted that it may be the first supply chain attack to exploit the fact that Python bytecode (PYC) files can be directly executed. PYC files are compiled bytecode files generated by the Python interpreter when executing a Python program. The malicious fshec2 package was removed from the package registry on April 17, 2023, following responsible disclosure on the same date. This article continues to discuss the discovery of a novel attack on PyPI.

THN reports "Malicious PyPI Packages Using Compiled Python Code to Bypass Detection"