News Items

  • news

    Visible to the public "Yet Another Toyota Cloud Data Breach Jeopardizes Thousands of Customers"

    Toyota has disclosed yet another data breach. This time, two misconfigured cloud services were found to have exposed the personal information of 260,000 car owners over a seven-year period. The discovery came from a review of the company's cloud environments that Toyota launched after announcing earlier in the month that the data of 2.15 million customers had been accessible to anyone on the Internet for over a decade, also because of a misconfigured cloud container. Toyota Connected is a cloud service that lets Toyota owners use Internet services in their vehicles, such as entertainment features, accident assistance, and location services. This article continues to discuss the Toyota cloud data breach.

    Dark Reading reports "Yet Another Toyota Cloud Data Breach Jeopardizes Thousands of Customers"

  • news

    Visible to the public "Software Supply Chain Security Risks Are Here: Are We Equipped to Act Accordingly? Purdue Tandem Tackles Thorny Cybersecurity Issue"

    Two Purdue University researchers are working to combat the rising number of supply chain attacks, especially those targeting third-party software suppliers and vendors. Sabine Brunswicker, a professor of digital innovation and communication, is collaborating with Santiago Torres-Arias, an assistant professor of electrical and computer engineering, to better understand the structure of software supply chains and develop countermeasures against attacks that exploit the use of open source software. Google donated $200,000 to Brunswicker and Torres-Arias in support of this research. A supply chain attack compromises goods, services, or technology supplied by a vendor to a customer, putting the vendor's customer base at risk. The prevalence of such attacks has prompted the development of methods to improve the security posture of software companies. Because open source components are present throughout the software lifecycle, the researchers emphasize that organizations must first secure their open source software. One focus of the Google-funded work is tooling that mines software supply chain data in real time to build and apply models that quantify and predict software supply chain risk. The researchers will also create a publicly accessible platform with tools that help inform and enable early action to mitigate risks and prevent future software supply chain attacks. This article continues to discuss the Purdue University researchers building on new funding from Google to find solutions to software supply chain attacks.

    Purdue University reports "Software Supply Chain Security Risks Are Here: Are We Equipped to Act Accordingly? Purdue Tandem Tackles Thorny Cybersecurity Issue"

  • news

    Visible to the public "Guardrails on AI Tools Like ChatGPT Needed to Protect Secrets, CISOs Say"

    Walmart, Amazon, and Microsoft have warned employees to avoid disclosing corporate secrets or proprietary code when using ChatGPT and other generative Artificial Intelligence (AI) tools. A recent CISO panel at CyberRisk Alliance's Identiverse conference suggests that many businesses have considered the same. When moderator Parham Eftekhari, executive vice president of collaboration at CyberRisk Alliance, asked how many attendees' organizations have implemented AI usage policies, a considerable portion of the audience raised their hands. During the same session, Ed Harris, CISO of Mauser Packaging, disclosed that his company had issued a policy similar to those Walmart and others have established, stating that sensitive company information should not be entered into external AI tools. Harris envisioned a scenario in which an employee asks an AI tool for help in refining the company's marketing strategy and, in doing so, enters corporate information that the AI remembers and then shares with other users, possibly a competitor. Yahoo's vice president and CISO, Sean Zadig, commented that security leaders must act expediently when developing these policies to keep up with the rapid increase in AI adoption and experimentation. This article continues to discuss the need for guardrails on AI tools to protect secrets.

    SC Magazine reports "Guardrails on AI Tools Like ChatGPT Needed to Protect Secrets, CISOs Say"

  • news

    Visible to the public "Hackers Hold City of Augusta Hostage in a Ransomware Attack"

    The BlackByte group has claimed responsibility for a ransomware attack against the city of Augusta in Georgia. The group posted 10GB of sample data for free and claimed access to much more. Researchers found that the sample contained payroll information, contact details, personally identifiable information (PII), home addresses, city budget allocation data, and more. BlackByte, a Russia-based Ransomware-as-a-Service (RaaS) group, began targeting corporate victims worldwide in July 2021 and is notorious for using double extortion to pressure victims into paying. The FBI and US Secret Service have previously issued a joint advisory on BlackByte. The group is demanding $400,000 for deletion of the stolen information and has also offered to sell the data to interested third parties for $300,000. This article continues to discuss the BlackByte ransomware group releasing 10GB of sample data from the cyberattack on the US city of Augusta and claiming to have more data.

    CSO Online reports "Hackers Hold City of Augusta Hostage in a Ransomware Attack"

  • news

    Visible to the public "Colombian Government Targeted by Suspected Cyber Partisans"

    According to the threat intelligence service FalconFeeds.io, the hacktivist group SiegedSec is attacking Colombian government websites. The dark web intelligence firm DarkOwl notes that SiegedSec emerged in February 2022, around the time of Russia's invasion of Ukraine. The group is said to be led by YourAnonWolf. However, it is unknown whether SiegedSec is entirely partisan: while it appears to select victims at random, it does not appear to be financially motivated and is not believed to have demanded ransoms from its victims. In February of this year, the cybersecurity firm SOCRadar said that SiegedSec shows no preference for the industries or locations of its victims, adding that it has successfully attacked businesses in a variety of industries around the world, including healthcare, Information Technology (IT), insurance, legal, and finance. In a single year, SiegedSec compromised approximately 30 companies, stealing data and leaking emails. This article continues to discuss findings and observations regarding SiegedSec.

    Cybernews reports "Colombian Government Targeted by Suspected Cyber Partisans"

  • news

    Visible to the public "IDSA: Only 49% of Firms Invest in Identity Protection Before Incidents"

    Researchers at the Identity Defined Security Alliance (IDSA) found that only 49% of leadership teams proactively invest in identity protection solutions before a security incident. Just 29% take action to support and invest in identity and security protection after they have already experienced a security incident. The researchers conducted an online survey of over 500 identity and security professionals and found that 90% of respondents reported at least one security incident in the last 12 months, a 6% increase from last year. The researchers also "identified the top two barriers for security teams as identity frameworks complicated by multiple vendors and different architectures (40%) and complex technology environments (39%)." The researchers stated that the vast majority of respondents (89%) said they were somewhat or very concerned that new privacy regulations would impact identity security. At the same time, 98% of them said artificial intelligence and machine learning (AI/ML) would be beneficial in addressing identity-related challenges.

    Infosecurity reports: "IDSA: Only 49% of Firms Invest in Identity Protection Before Incidents"

  • news

    Visible to the public "Chrome 114 Released With 18 Security Fixes"

    Google recently announced the release of Chrome 114 to the stable channel with a total of 18 security fixes, including 13 that resolve vulnerabilities reported by external researchers. Of the externally reported flaws, eight have a severity rating of "high," and six of those are memory safety bugs. Google noted that the most important of these is CVE-2023-2929, an out-of-bounds write issue in Swiftshader. Security researcher Jaehun Jeong received a $15,000 reward for reporting the flaw. Next in line is CVE-2023-2930, a use-after-free bug in Extensions, for which Google handed out a $10,000 bug bounty. Google noted that security researchers with Viettel Cyber Security reported three use-after-free vulnerabilities in the browser's PDF component, each of which earned a $9,000 bug bounty reward. The remaining externally reported high-severity issues addressed in this Chrome update include an out-of-bounds memory access flaw in Mojo and two type confusion bugs in the V8 JavaScript and WebAssembly engine. All three were reported by Google Project Zero researchers and, per Google's policy, carry no bug bounty reward. Google stated that Chrome 114 also resolves four medium-severity defects reported by external researchers, including three inappropriate implementation flaws in Picture and Downloads and one insufficient data validation bug in Installer. A low-severity inappropriate implementation issue in the Extensions API was also addressed in this release. In total, Google handed out more than $65,000 in bug bounty rewards to the security researchers who reported these vulnerabilities. Google noted that the latest Chrome iteration is rolling out as version 114.0.5735.90 for Linux and macOS and as versions 114.0.5735.90/91 for Windows. Google did not say whether any of these flaws had been exploited in attacks.

    SecurityWeek reports: "Chrome 114 Released With 18 Security Fixes"

  • news

    Visible to the public "'Hot Pixel' Attack Steals Data From Apple, Intel, Nvidia, and AMD Chips via Frequency, Power and Temperature Info"

    By monitoring chip temperature, power, and frequency during normal operation, a team of security researchers, with funding from the Defense Advanced Research Projects Agency (DARPA) and the US Air Force, was able to steal data from Arm CPUs from Apple and Qualcomm, discrete GPUs from Nvidia and AMD, and integrated graphics in Intel and Apple chips. The attack requires data from the PC's internal power, temperature, and frequency sensors. Local user accounts without administrator privileges can access this information. The team's current attack method serves as a proof-of-concept (PoC). Data exfiltration rates are extremely low with the current method, and if a user had direct access to the system, as is required in this instance, they would likely target more straightforward attack surfaces. However, the researchers acknowledge that additional work could accelerate the process. In their paper titled "Hot Pixels: Frequency, Power, and Temperature Attacks on GPUs and Arm SoCs," the researchers demonstrate the side-channel attack, a form of attack that enables data exfiltration by measuring specific physical emissions of a computer. This article continues to discuss the demonstrated side-channel attack.
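    The attack above depends on an unprivileged local account being able to read temperature, frequency and power sensors. The following is an added example, not code from the Hot Pixels paper or the article, that audits a Linux host for exactly that: it walks the sysfs paths where such readings are commonly exposed (the path list is an assumption about typical kernels and drivers; macOS and other operating systems expose sensors differently and are not covered) and reports which of them are world-readable.

```python
"""Audit which Linux sensor interfaces an unprivileged user can read.

Added example, not code from the Hot Pixels paper or the article. It checks
the sysfs paths that expose CPU temperature, frequency and energy readings
and reports which are world-readable, i.e. available to the kind of
non-administrator local account the article describes. The path list is an
assumption about common Linux layouts; other kernels and drivers differ.
"""
import glob
import os
import stat

# Typical sysfs locations (assumed; adjust for your kernel and drivers).
SENSOR_GLOBS = [
    "/sys/class/thermal/thermal_zone*/temp",                  # temperature
    "/sys/class/hwmon/hwmon*/temp*_input",                    # temperature
    "/sys/devices/system/cpu/cpu*/cpufreq/scaling_cur_freq",  # frequency
    "/sys/class/powercap/intel-rapl*/energy_uj",              # energy/power
]


def world_readable(path: str) -> bool:
    """True if the 'other' read bit is set, so any local user can read it."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)


def audit_paths(paths):
    """Map each existing path to whether an unprivileged user can read it."""
    return {p: world_readable(p) for p in paths if os.path.exists(p)}


def audit_system(patterns=SENSOR_GLOBS):
    """Expand the sysfs globs and audit everything that matches."""
    found = [p for pattern in patterns for p in sorted(glob.glob(pattern))]
    return audit_paths(found)


def exposed(report):
    """The subset of audited paths that any local user can read."""
    return sorted(p for p, ok in report.items() if ok)


if __name__ == "__main__":
    report = audit_system()
    if not report:
        print("no matching sensor interfaces found on this host")
    for path, readable in sorted(report.items()):
        label = "WORLD-READABLE" if readable else "restricted    "
        print(f"{label} {path}")
```

    The check looks at mode bits only, so run it as the unprivileged user you care about if you also want to account for ACLs or container restrictions. On recent kernels the RAPL energy counters are typically root-only (they were restricted after earlier power side-channel work), while the thermal and cpufreq files usually remain world-readable, which is the class of exposure the researchers rely on.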

    Tom's Hardware reports "'Hot Pixel' Attack Steals Data From Apple, Intel, Nvidia, and AMD Chips via Frequency, Power and Temperature Info"

  • news

    Visible to the public "Dark Pink APT Group Expands Tooling and Targets"

    The scope of a cyberattack campaign from APT group Dark Pink is broader than researchers first thought, with researchers identifying five new victims. The group is linked to the Chinese state and was previously thought to only focus its efforts mainly on Southeast Asian countries. However, security researchers at Group-IB have discovered new victims, including one in Belgium, as well as its first targets in Thailand and Brunei. The researchers stated that the group uses a range of sophisticated custom tools and deploys multiple kill chains relying on spear-phishing emails. Once the attackers gain access to a target's network, they use advanced persistence mechanisms to stay undetected and maintain control over the compromised system. Among the updates to its tactics, techniques, and procedures (TTPs) is a new version of the KamiKakaBot malware, with functionality now split into two parts: one dedicated to controlling devices and the other to stealing data. The researchers also found a new GitHub account that hosts modules that can be installed onto victim machines when directed to do so by malicious code. Payloads are also being distributed through the TextBin[.]net service. The researchers also saw Dark Pink exfiltrate stolen data over HTTP using a service called Webhook.

    Infosecurity reports: "Dark Pink APT Group Expands Tooling and Targets"

  • news

    Visible to the public "WordPress Rushes Out Jetpack Patch to Millions"

    The software company behind the popular blogging platform WordPress is automatically updating over five million installations of its Jetpack plugin after a critical vulnerability was discovered in it. Automattic, which develops Jetpack, recently began pushing the new version, 12.1.1. The company stated that during an internal security audit it found a vulnerability in an API that has been available in Jetpack since version 2.0, released in 2012. The company noted that this vulnerability could be used by authors on a site to manipulate any files in the WordPress installation. The company stated that it has no evidence the vulnerability has been exploited in the wild, but noted that now that the update has been released, someone may try to take advantage of it. The company stated that it worked closely with the WordPress Security Team to release patched versions of every version of Jetpack since 2.0. Most websites have been or will soon be automatically updated to a secured version. Jetpack is designed to offer users a range of security features, including automated backups and one-click restores, a web application firewall, malware scans, and brute-force attack protection.

    Infosecurity reports: "WordPress Rushes Out Jetpack Patch to Millions"

  • news

    Visible to the public "Many Gigabyte PC Models Affected by Major Supply Chain Issue"

    According to researchers at the supply chain security vendor Eclypsium, hundreds of models of Gigabyte PCs are affected by a backdoor that poses supply chain risks. The researchers said Eclypsium's platform recently detected backdoor-like behavior in Gigabyte Technology systems. The backdoor appears to be a deliberate but "insecure implementation" of the Gigabyte App Center, a tool for downloading applications for Gigabyte motherboards. Follow-up analysis showed that the firmware in Gigabyte systems drops and executes a Windows native executable during system startup, and that this executable then downloads and executes additional payloads from Gigabyte servers. Eclypsium noted that the Gigabyte implementation is concerning because threat actors have previously exploited legitimate "OEM backdoors" in their campaigns, citing as an example the Russian Advanced Persistent Threat (APT) group Fancy Bear's abuse of the Computrace LoJack anti-theft agent through a similar type of flaw. There is concern about the flaw's potential use in supply chain attacks, although the vendor has not yet observed threat actors exploiting the backdoor. This article continues to discuss the discovery and potential impact of the insecure implementation of Gigabyte's App Center.

    TechTarget reports "Many Gigabyte PC Models Affected by Major Supply Chain Issue"

  • news

    Visible to the public "Microsoft Details Critical Apple macOS Vulnerability Allowing SIP Protection Bypass"

    Microsoft has disclosed information about a now-patched vulnerability in Apple macOS that could be exploited by threat actors with root access to circumvent security protections and execute arbitrary actions on affected devices. The vulnerability, dubbed Migraine and tracked as CVE-2023-32369, could be exploited to bypass System Integrity Protection (SIP), or "rootless," which limits the actions the root user can perform on protected files and folders. According to Microsoft researchers, the most straightforward implication of a SIP bypass is that an attacker can create files that SIP protects and that therefore cannot be deleted through ordinary means. In addition, it could be exploited to gain arbitrary kernel code execution and to access sensitive data by replacing the databases that manage Transparency, Consent, and Control (TCC) policies. The bypass works through the built-in macOS Migration Assistant tool: the migration process is triggered via an AppleScript designed to execute an arbitrary payload. This article continues to discuss details shared by Microsoft regarding the now-patched Apple macOS flaw.

    THN reports "Microsoft Details Critical Apple macOS Vulnerability Allowing SIP Protection Bypass"

  • news

    Visible to the public "RomCom Malware Spread via Google Ads for ChatGPT, GIMP, More"

    A new campaign spreading the RomCom backdoor malware impersonates the websites of well-known or fictitious software in order to deceive users into downloading and launching malicious installers. Trend Micro researchers, who have tracked RomCom since the summer of 2022, uncovered the latest campaign. According to the researchers, the threat actors behind the campaign have expanded the malware's evasion capabilities with payload encryption and obfuscation, and have extended its functionality with new and powerful commands. Most of the sites used to distribute RomCom impersonate remote desktop management applications, which suggests the attackers rely on phishing or social engineering to lead victims to them. Trend Micro's report on the most recent RomCom activity provides examples of websites used by the malware operators between December 2022 and April 2023 that impersonate legitimate software, such as GIMP, Go To Meeting, ChatGPT, WinDirStat, AstraChat, System Ninja, and Devolutions' Remote Desktop Manager. This article continues to discuss findings regarding the new RomCom campaign.

    Bleeping Computer reports "RomCom Malware Spread via Google Ads for ChatGPT, GIMP, More"

  • news

    Visible to the public "Organizations Are Placing OT Cybersecurity Responsibility on CISOs"

    According to Fortinet, protecting Operational Technology (OT) systems is more important than ever as more organizations connect their OT environments to the Internet. The convergence of Information Technology (IT) and OT brings many advantages but also exposes OT to sophisticated and destructive cyber threats. Although the share of organizations reporting no cybersecurity breach rose significantly year-over-year, from 6 percent in 2022 to 25 percent in 2023, there is still room for improvement: over the past year, three-fourths of OT organizations reported at least one intrusion. Malware (56 percent) and phishing (49 percent) remained the most commonly reported incident types, and nearly one-third of respondents reported being hit by ransomware. In addition, 13 percent of respondents rated their organization's OT security posture as "highly mature" in 2023, down from 21 percent in 2022, which Fortinet reads as OT professionals becoming more realistic about their organizations' capabilities and using more effective self-assessment tools. Thirty-two percent of respondents reported a cyberattack that affected both IT and OT systems, up from 21 percent the previous year. In the next 12 months, 95 percent of organizations plan to assign OT cybersecurity responsibility to a CISO rather than an operations executive or team. This article continues to discuss key findings from the Fortinet 2023 State of Operational Technology and Cybersecurity Report.

    Help Net Security reports "Organizations Are Placing OT Cybersecurity Responsibility on CISOs"

  • news

    Visible to the public "421M Spyware Apps Downloaded Through Google Play"

    Spyware masquerading as a marketing Software Development Kit (SDK) has been found in 101 Android apps with over 421 million combined downloads. Researchers at Doctor Web call the malicious SDK "SpinOk" and report that it is advertised as a package of marketing functions, including mini-games and prize drawings, designed to keep users in apps for longer. Instead, according to Doctor Web, unsuspecting developers who integrated it helped spread spyware. The researchers explained that upon initialization, the Trojan SDK connects to a command-and-control (C2) server and sends a request containing comprehensive technical information about the infected device. This includes sensor data from the gyroscope, magnetometer, and other sources, which the module can use to detect an emulator environment and change its behavior to avoid detection by security researchers. This article continues to discuss the Trojan SDK that slipped past Google Play protections into 101 Android apps.

    Dark Reading reports "421M Spyware Apps Downloaded Through Google Play"

  • news

    Visible to the public "Safe Aid: Protecting Privacy in Humanitarian Operations"

    EPFL researchers collaborated with the International Committee of the Red Cross (ICRC) to develop a privacy-preserving humanitarian aid distribution system. The system's design uses tokens to decentralize the storage and processing of recipient data, thus reducing the risk of harm. It also involves advanced cryptography to facilitate accountability. Humanitarian organizations help and protect victims of violence, famine, and natural disasters. Distributing supplies such as food is a crucial aspect of their work. Aid distribution has traditionally been supported by paper-based lists, which, while practical, do not scale well and are sometimes easy to bypass. Humanitarian organizations consider digital solutions as a promising means of addressing these issues, but to date, these solutions have relied on collecting large quantities of recipient data. This could endanger the safety of recipients and complicate the relationship between humanitarian organizations and local authorities. Moreover, ethically, it is questionable whether collecting the personal information of vulnerable individuals is acceptable, given the risks it poses to them. Researchers from the EPFL's Security and Privacy Engineering Lab (SPRING) in the School of Computer and Communication Sciences (IC) worked with the ICRC Data Protection Office for over 12 months to further understand the humanitarian context. This article continues to discuss the new privacy-preserving humanitarian aid distribution system.

    EPFL reports "Safe Aid: Protecting Privacy in Humanitarian Operations"

  • news

    Visible to the public "New Go-written GobRAT RAT targets Linux Routers in Japan"

    GobRAT, a new Remote Access Trojan (RAT) written in the Go programming language, is targeting Linux routers in Japan, according to the JPCERT Coordination Center. The threat actors target routers whose web management interface (WEBUI) is exposed to the Internet, execute malicious scripts on them, and then deploy GobRAT. A component JPCERT calls the Loader Script handles downloading and deploying GobRAT and supports several other functions. Researchers found an SSH public key, likely used as a backdoor, hard-coded in the script. The Loader Script uses crontab to maintain persistence because GobRAT itself has no persistence function. According to the researchers, the Loader Script can also disable the firewall, download the GobRAT build matching the target's architecture, create the Start Script, and create and execute the Daemon Script, among other functions. The RAT communicates with its command-and-control (C2) server over TLS and can execute various commands. This article continues to discuss findings regarding GobRAT.

    Security Affairs reports "New Go-written GobRAT RAT targets Linux Routers in Japan"

  • news

    Visible to the public "UA Little Rock Receives $1 Million Grant to Protect Against Energy-Focused Cyberattacks"

    The University of Arkansas at Little Rock and its partners have announced the expansion of the Emerging Threat Information Sharing and Analysis Center (ET-ISAC) to bolster the fight against the growing risk of cyberattacks in the energy sector. This new project expands upon the already operational Forge Institute Emerging Threat Center and enables collaborative efforts to expand capabilities and improve regional threat information sharing. The project brings together electric utilities and energy sector partners to advance cybersecurity threat sharing practices in the mid-South region of the US. Increasing workforce development, creating education and training for securing energy sector control systems, and advancing cybersecurity threat intelligence sharing practices are the center's primary objectives. The initiative is supported by a $1 million grant from the Department of Energy's Office of Cyber Security, Energy Security, and Emergency Response (CESER) and is backed by Senator John Boozman. This article continues to discuss the goals and support behind the new project aimed at bolstering the cybersecurity of the energy sector.

    The University of Arkansas at Little Rock reports "UA Little Rock Receives $1 Million Grant to Protect Against Energy-Focused Cyberattacks"

  • news

    Visible to the public "New 'Bandit Stealer' Malware Siphons Data From Browsers, Crypto Wallets"

    Cybersecurity researchers at Trend Micro have discovered a new information-stealing malware targeting browsers and cryptocurrency wallets. The malware called Bandit Stealer has only targeted Windows systems so far, but it can potentially spread to other platforms such as Linux. According to Trend Micro researchers, Bandit Stealer is particularly dangerous because it is difficult for victims to detect. For example, it can circumvent Windows Defender, a Microsoft-developed security utility that protects users from various threats, including viruses, malware, and spyware. Advertisements circulating in the malware community indicate that Bandit Stealer developers are constantly updating the malware's features. Researchers have not yet identified any active hacking group associated with the malware, nor have they determined how the group may use the stolen data. However, Trend Micro reports that the group and its consumers could use the malware for identity theft, data breaches, credential stuffing attacks, and Account Takeover (ATO) attacks. This article continues to discuss the capabilities of the Bandit Stealer information-stealing malware.

    The Record reports "New 'Bandit Stealer' Malware Siphons Data From Browsers, Crypto Wallets"

  • news

    Visible to the public "CAPTCHA-Breaking Services with Human Solvers Helping Cybercriminals Defeat Security"

    Cybersecurity researchers at Trend Micro have warned about CAPTCHA-breaking services being offered for sale to circumvent systems designed to differentiate between legitimate users and bot traffic. CAPTCHA, which stands for Completely Automated Public Turing test to tell Computers and Humans Apart, is a tool for distinguishing human users from automated users to combat spam and restrict fake account creation. According to Trend Micro, since cybercriminals are interested in accurately breaking CAPTCHAs, a number of services that cater to this market demand have been developed. These CAPTCHA-solving services do not use optical character recognition or sophisticated Machine Learning (ML) techniques. Instead, they outsource CAPTCHA-breaking duties to actual human solvers. This article continues to discuss the CAPTCHA-breaking services being offered to cybercriminals.

    THN reports "CAPTCHA-Breaking Services with Human Solvers Helping Cybercriminals Defeat Security"

  • news

    Visible to the public "Clever 'File Archiver in the Browser' Phishing Trick Uses ZIP Domains"

    A new 'File Archivers in the Browser' phishing kit abuses ZIP domains by displaying fake WinRAR or Windows File Explorer windows in the browser in order to trick users into launching malicious files. Google recently began allowing the registration of domains under the ZIP Top-Level Domain (TLD) for hosting websites and email addresses. Since the release of the ZIP TLD, there has been a major debate over whether such domains pose a cybersecurity risk to users. While some experts believe the fears are exaggerated, the primary concern is that some websites automatically convert any string ending in '.zip,' such as setup.zip, into a clickable link that could be used for malware distribution or phishing. For example, if someone is sent instructions to download a file named setup.zip, Twitter will automatically turn setup.zip into a link, leading them to believe they should click it to download the file. This article continues to discuss the phishing toolkit developed by a security researcher involving ZIP domains.
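    The concern in the paragraph above is mechanical: a linkifier sees a filename-like string ending in .zip and turns it into a link to a host under the .zip TLD. The following is an added example, not code from the article or from the phishing kit it describes, of the check a mail or chat filter could run: it pulls out explicit URLs whose hostname ends in .zip and separately finds bare tokens such as setup.zip that an auto-linking service may render as clickable. Flagging only .zip follows the text; the sample message is constructed.

```python
"""Flag text that a linkifier would turn into a .zip-domain link.

Added example; not code from the article or from the phishing kit it
describes. It extracts explicit URLs and reports those whose host ends in
.zip, and finds bare tokens such as "setup.zip" that services which
auto-link domain-like strings may render as clickable. Flagging only .zip is
an assumption taken from the text; the sample message is constructed.
"""
import re
from urllib.parse import urlsplit

FLAGGED_TLDS = {"zip"}  # assumption; extend as your policy requires
_TLD_ALT = "|".join(sorted(FLAGGED_TLDS))

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
# A domain-like token ending in a flagged TLD: not glued to a preceding
# word/path character, and not followed by a further label (file.zip.txt).
BARE_RE = re.compile(
    rf"(?<![\w/.@-])([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*\.(?:{_TLD_ALT}))(?!\.?[A-Za-z0-9])",
    re.IGNORECASE,
)


def host_tld(url: str) -> str:
    """Last label of the URL's hostname, lower-cased ('' if there is none)."""
    host = urlsplit(url).hostname or ""
    return host.rsplit(".", 1)[-1].lower() if "." in host else ""


def flagged_urls(text: str):
    """Explicit URLs whose hostname sits under a flagged TLD."""
    urls = (u.rstrip(".,;:!?)") for u in URL_RE.findall(text))  # drop sentence punctuation
    return [u for u in urls if host_tld(u) in FLAGGED_TLDS]


def bare_tokens(text: str):
    """Bare file- or domain-like tokens a linkifier may turn into links."""
    without_urls = URL_RE.sub(" ", text)  # avoid double-counting URL hosts
    return [m.group(1) for m in BARE_RE.finditer(without_urls)]


def analyze(text: str):
    return {"urls": flagged_urls(text), "bare": bare_tokens(text)}


# Constructed sample message (not from the article).
SAMPLE_MESSAGE = (
    "Hi, please download setup.zip from the share, or grab it at "
    "https://example.com/downloads/setup.zip. The mirror is "
    "https://files.example.zip/setup.zip and the old one was backup.example.zip."
)

if __name__ == "__main__":
    for kind, hits in analyze(SAMPLE_MESSAGE).items():
        for hit in hits:
            print(f"{kind}: {hit}")
```

    Only the hostname decides the verdict: a path ending in /setup.zip on example.com is an ordinary download, while a host under .zip is a site that may be serving the fake archiver window. Bare tokens are the harder case, since whether they become links depends on the rendering service, which is why they are reported separately rather than treated as URLs.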

    Bleeping Computer reports "Clever 'File Archiver in the Browser' Phishing Trick Uses ZIP Domains"

  • news

    Visible to the public "Penetration Tester Develops AWS-Based Automated Cracking Rig"

    Max Ahartz, a penetration tester, realized that building a custom password-cracking rig for research would be costly, so he built one on Amazon Web Services (AWS). In an interview with Help Net Security, he discussed the process and the specifics of his creation. The heart of the automated cracking rig is a bash script that imports settings from a configuration file. Using the aws-cli tool and SSH, the rig remotely builds an Ubuntu server, installs CUDA drivers and Hashcat, and downloads a 66-million-word Seclist password dictionary from an S3 bucket within AWS's cloud network. Hashcat's results are downloaded to the local machine, and the instance is terminated upon completion. The round-trip time for a sha512crypt hash was consistently under 8 minutes, showing how efficient the process is from start to finish. Ahartz also pointed out how affordable the setup is. He plans to have the cracking rig available for upcoming Capture The Flag (CTF) competitions and penetration testing projects that may require its capabilities. This article continues to discuss the AWS-based automated cracking rig developed by the penetration tester Ahartz.

    Help Net Security reports "Penetration Tester Develops AWS-Based Automated Cracking Rig"

  • news

    Visible to the public "Travel-Themed Phishing, BEC Campaigns Get Smarter as Summer Season Arrives"

    As the summer holiday season approaches, travel-themed phishing scams are gathering momentum, posing a significant threat to individuals and organizations. According to a recent McAfee survey, 30 percent of adults have fallen victim to, or know someone who has fallen victim to, an online travel fraud, with two-thirds of victims losing up to $1,000. The Phishing Defense Center (PDC) published a report highlighting a phishing campaign in which threat actors impersonated an HR department to exploit users' trust in their employers. The deceptive emails aimed to trick victims into clicking a link that supposedly led to a form for submitting annual vacation requests. According to the company, this variant of a Business Email Compromise (BEC) threat represents the evolution of travel-centric phishing campaigns. Clicking the link in the fake HR communication leads to a login prompt overlaid on the victim's company homepage; the page is generated automatically from the victim's email address, which is carried in the URL, so the lure matches the target's employer. This article continues to discuss the evolution of phishing campaigns targeting travelers.

    Dark Reading reports "Travel-Themed Phishing, BEC Campaigns Get Smarter as Summer Season Arrives"

  • news

    Visible to the public "Major Massachusetts Health Insurer Hit by Ransomware Attack, Member Data May Be Compromised"

    The second-largest health insurer in Massachusetts was recently the victim of a ransomware attack in which sensitive personal and health information of current and former members may have been compromised. Point32Health stated that a "cybersecurity ransomware incident" affecting its Harvard Pilgrim Health Care program was detected on April 17. An ongoing investigation indicated that between March 28 and April 17, members' addresses, phone numbers, birthdates, Social Security numbers, medical history, treatment, dates of service, provider names, and other information may have been compromised. The company did not say how many people might be affected. It said it is working with third-party cybersecurity experts to conduct a thorough investigation into the incident and remediate the situation. Harvard Pilgrim Health Care serves more than 1.1 million members in Massachusetts, New Hampshire, Maine, and Connecticut. Point32Health did not say whether it paid a ransom. Other Point32Health companies, such as Tufts Health Plan and CarePartners of Connecticut, were unaffected.

    SecurityWeek reports: "Major Massachusetts Health Insurer Hit by Ransomware Attack, Member Data May Be Compromised"

  • news

    Visible to the public "Dark Web Data Leak Exposes RaidForums Members"

    Nearly half a million members of a notorious cybercrime forum have recently had their details publicly exposed after a key database was published on another hacking site. Cybersecurity researchers at VX-Underground confirmed the news that over 478,000 users of RaidForums had their data leaked on the up-and-coming forum Exposed. The database includes members' usernames, email addresses, and hashed passwords. The researchers noted that while police likely already have this information following the site's takedown in April 2022, it could be useful to security researchers looking to build up more information on threat actors. The researchers noted that some users' details appear to have been removed from the leak, although it is unclear how many or why. Launched in 2015, RaidForums was one of the world's largest hacking forums, enabling members to trade and publish compromised data. Multiple high-profile database breaches ended up on the site. After coordinated law enforcement action on both sides of the Atlantic, the RaidForums domain was seized, and its alleged administrator and two accomplices were arrested. According to the Department of Justice (DoJ), RaidForums members offered hundreds of databases of stolen data containing more than 10 billion unique records for sale over the years, impacting countless US and global victims.

    Infosecurity reports: "Dark Web Data Leak Exposes RaidForums Members"

  • news

    Visible to the public "Retailer Database Error Leaks Over One Million Customer Records"

    According to WebsitePlanet, a database configuration error at a popular automotive retailer exposed 1TB of records, including customers' personal information. Security researcher Jeremiah Fowler, who reported the incident to the website-builder review site, traced the records to Philadelphia-based SimpleTire. The online tire retailer claims a network of over 10,000 installers and over 3,000 independent supply points. Fowler said that although he sent "multiple email notices" to SimpleTire to responsibly disclose his findings, the non-password-protected database remained accessible to anyone with an internet connection for over three weeks before it was finally locked down. It is unclear how long the database had been publicly exposed before Fowler's discovery. The SimpleTire database contained over 2.8 million records, including nearly 1.2 million order confirmation PDFs featuring personally identifiable information (PII) such as customer names, phone numbers, and billing addresses. The order records also contained partial credit card numbers and expiry dates, and order details, including authorized installers, receipt numbers, product information, and payment amounts, were clearly visible. The researcher warned of the risk of follow-on social engineering attacks if attackers had accessed the exposed database.

    Infosecurity reports: "Retailer Database Error Leaks Over One Million Customer Records"

  • news

    Visible to the public "Nine Million MCNA Dental Customers Hit by Breach"

    Millions of customers of one of America's largest dental health insurers have had their personal information compromised after a ransomware breach. MCNA Dental stated that it became aware of unauthorized network activity on March 6. During the investigation, the company learned that a cybercriminal was able to see and take copies of some information in their computer system between February 26, 2023, and March 7, 2023. The information taken included: first and last names, home and email addresses, dates of birth, phone numbers, Social Security numbers, driver's license/government-issued ID numbers, health insurance information, and bills and insurance claims. The company noted that some of this information was not from customers but from parents, guardians, or bill-payers. According to a breach notice on the website of the Office of the Maine Attorney General, more than 8.9 million individuals were impacted, although MCNA claimed that "information which was seen and taken was not the same for everyone." The infamous ransomware group LockBit appears to have been behind the attack. It claimed to have published all the files it exfiltrated via its leak site back in early April after MCNA refused to pay a multimillion-dollar ransom demand.

    Infosecurity reports: "Nine Million MCNA Dental Customers Hit by Breach"

  • news

    Visible to the public "MC2 Researchers Present Nine Papers at IEEE Symposium on Security and Privacy"

    Researchers affiliated with the Maryland Cybersecurity Center (MC2) had nine papers accepted to the 44th IEEE Symposium on Security and Privacy, one of which received a distinguished paper award. The annual conference provides a forum for presenting advances in computer security and electronic privacy, bringing together researchers and practitioners. According to Michelle Mazurek, an associate professor in the Department of Computer Science at the University of Maryland (UMD) and the director of MC2, this year's MC2 papers presented at the symposium cover exciting, timely topics such as dangerous data leaks that occur when phones are resold in police auctions, enabling anonymous credentials that could prove someone is over 18 without revealing their identity, and analyzing the experiences of marginalized people in vulnerability analysis careers. Mazurek adds that the research has significant real-world implications for strengthening security and privacy in various scenarios. For example, one of the MC2-affiliated papers presented at the symposium, titled "IPvSeeYou: Exploiting Leaked Identifiers in IPv6 for Street-Level Geolocation" presents a privacy attack that enables a remote and unprivileged adversary to physically geolocate many residential IPv6 hosts and networks with street-level precision. This article continues to discuss the MC2-affiliated papers presented at this year's IEEE Symposium on Security and Privacy.

    The University of Maryland reports "MC2 Researchers Present Nine Papers at IEEE Symposium on Security and Privacy"
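
    The "leaked identifier" IPvSeeYou builds on is the modified EUI-64 interface identifier: when a host derives its IPv6 address from its MAC address, the vendor-assigned MAC is visible to anyone who sees the address, and that MAC can be matched against Wi-Fi survey databases. The following is an added example (not code from the paper) that recovers the embedded MAC and audits a list of a host's addresses for the leak; the sample addresses are constructed.

```python
"""Added example: detect the EUI-64 MAC leak in IPv6 addresses.
Not code from the IPvSeeYou paper; the addresses below are constructed.
"""
import ipaddress
from typing import List, Optional, Tuple


def mac_from_eui64(addr: str) -> Optional[str]:
    """Return the MAC embedded in a modified EUI-64 IID, or None if the IID
    is not EUI-64 (privacy extension, stable-privacy, or manual addressing)."""
    iid = ipaddress.IPv6Address(addr).packed[8:]  # low 64 bits
    if iid[3:5] != b"\xff\xfe":
        return None  # no ff:fe filler in the middle, so nothing is embedded
    first = iid[0] ^ 0x02  # undo the universal/local bit flip from RFC 4291
    mac = bytes([first]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in mac)


def is_vendor_assigned(mac: str) -> bool:
    """True when the U/L bit of the recovered MAC is clear: the OUI is a
    registered vendor prefix, which is what makes it geolocatable."""
    return int(mac.split(":")[0], 16) & 0x02 == 0


def audit(addrs: List[str]) -> List[Tuple[str, str]]:
    """(address, mac) for every routable address that leaks a vendor MAC.
    Link-local fe80:: EUI-64 addresses are normal and never leave the LAN."""
    leaks = []
    for a in addrs:
        if ipaddress.IPv6Address(a).is_link_local:
            continue
        mac = mac_from_eui64(a)
        if mac and is_vendor_assigned(mac):
            leaks.append((a, mac))
    return leaks


if __name__ == "__main__":
    # Constructed: one EUI-64 global address, one privacy-extension address.
    for addr, mac in audit(["2001:db8::211:22ff:fe33:4455",
                            "2001:db8::5c1a:8f3e:2b7d:91c0"]):
        print(f"{addr} leaks MAC {mac}")
```

    On a Linux host the addresses to feed in come from `ip -6 addr`; the fix is to stop generating EUI-64 global addresses, for example with `net.ipv6.conf.<if>.addr_gen_mode=2` (stable-privacy, RFC 7217) or `net.ipv6.conf.<if>.use_tempaddr=2` (privacy extensions, RFC 4941). The router side of the paper's attack is outside what this check covers.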

  • news

    Visible to the public "Digital Age Creates Challenges for Public Libraries in Providing Patron Privacy"

    The American Library Association's Bill of Rights explicitly addresses library patrons' right to privacy while using library facilities, which librarians have long held sacred. However, the digital age has challenged libraries' efforts to secure and defend privacy, according to Masooda Bashir, an associate professor at the University of Illinois Urbana-Champaign. Public libraries are essential, especially for people in lower socio-economic and underrepresented groups. They visit libraries to complete job applications, school assignments, and other day-to-day things, so libraries handle a great deal of sensitive and important information. Bashir and her research team collected data from over 800 different public libraries throughout the US for the first study to discover how public libraries protect such information. They surveyed library administrators, librarians, Information Technology (IT) professionals, and more who work in libraries. The project, which ran from September 2020 to February 2023, was supported by a $150,000 grant from the Institute of Museum and Library Services. Although all survey respondents recognized the need for privacy protection, the approaches to address that need differed greatly. According to survey responses, most public libraries recognized technical expertise as their main area of weakness. In addition, respondents noted that, while privacy safeguards were adopted in the libraries' daily operations, they were concerned about a lack of control in the digital realm. This article continues to discuss the study on how public libraries protect information and future research to enhance their patron privacy protections.

    The University of Illinois Urbana-Champaign reports "Digital Age Creates Challenges for Public Libraries in Providing Patron Privacy"

  • news

    Visible to the public Pub Crawl #74


    Pub Crawl summarizes, by hard problems, sets of publications that have been peer reviewed and presented at SoS conferences or referenced in current work. The topics are chosen for their usefulness for current researchers.

  • news

    Visible to the public "FBI and CIA Combat Cyber Talent Shortage With New Hiring Methods"

    When trying to employ the next generation of cyber professionals, intelligence and law enforcement agencies such as the CIA and FBI are "feeling the strain." Therefore, officials announced that they are using new talent acquisition programs to combat the cyber talent shortage. According to Cynthia Kaiser, deputy assistant director of the FBI's cyber division, inconsistent standards for science, technology, engineering, and mathematics hiring and incentives across the federal government can result in cascading or roundabout vacancies among agencies competing with the private sector to hire and retain top cybersecurity talent. Some agencies have established workforce expansion and cultivation efforts to address the cyber talent gap, such as training programs and new approaches to onboard a diverse candidate pool. According to Cindy Susko, director of the CIA's talent acquisition office, the agency switched from an open-application hiring model to an invitation-to-apply method this year, allowing applicants to submit resumes expressing interest in up to four jobs. The Office of the National Cyber Director is developing a cyber workforce strategy to address the nation's lack of proper cyber education and training, particularly in underserved communities. This article continues to discuss the different recruiting strategies being used to tackle the talent dearth in the cyber workforce.

    NextGov reports "FBI and CIA Combat Cyber Talent Shortage With New Hiring Methods"

  • news

    Visible to the public "Threat of Cyber Attacks on Physical Security Systems Highlighted by NPSA"

    The UK National Protective Security Authority (NPSA) has issued guidance on the threat of cyberattacks targeting physical security systems with the intent of altering data, opening a door, or silencing alarms. In response, the NPSA established the Cyber Assurance of Physical Security Systems (CAPSS) scheme. The scheme aims to help Critical National Infrastructure (CNI) providers and other organizations gain confidence in the cyber components of electronic security products that, while robust as physical security, could be compromised by a hacker. CAPSS comprises the CAPSS Standard and the CAPSS Guidance. The CAPSS Standard is the core document of the assurance program: a security product's cyberattack mitigations are independently assured against a set of "Security Characteristics" covering a range of potential cyberattack threats. This article continues to discuss the guidance published by the UK NPSA on the threat of cyberattacks on physical security systems.

    Continuity Central reports "Threat of Cyber Attacks on Physical Security Systems Highlighted by NPSA"

  • news

    Visible to the public "AI Used to Create Malware, WithSecure Observes"

    Cybersecurity experts around the world are concerned about the potential threats of AI in the hands of threat actors, and malware created with ChatGPT now appears to be a reality. WithSecure's CEO stated that the company has observed malware samples generated by ChatGPT. Because ChatGPT can give different answers to the same prompt, it can also be used to generate many variations, effectively mutations, of a malware sample, which makes detection harder for defenders. Tim West, head of threat intelligence at WithSecure, added that the polymorphic nature of malware created with ChatGPT will challenge defenders. West noted that traditionally AI has been used by the defenders in the cybersecurity industry while attackers worked manually, but that will probably change. West stated that ChatGPT will support software engineering for good and bad: it is an enabler that lowers the barrier to entry for threat actors developing malware.

    Infosecurity reports: "AI Used to Create Malware, WithSecure Observes"

  • news

    Visible to the public "Inactive Accounts Pose Significant Account Takeover Security Risks"

    Okta's first Customer Identity Trends Report shares findings from a survey of over 20,000 consumers in 14 countries concerning their online experiences as well as their attitudes regarding digital security and identity. According to the report, inactive and non-maintained accounts pose significant security threats to users and businesses, as cybercriminals could exploit active accounts using information stolen from forgotten or otherwise abandoned accounts. Increasing identity sprawl could ignite major Account Takeover (ATO) security risks because of accounts that have not been used in years, especially if customers reuse passwords, only slightly alter passwords, or do not conduct security reviews. A breach of any service may provide a threat actor with many user credentials and associated personal data. Attackers are adept at using this information on a large scale to compromise active accounts, including essential business accounts and networks. This report follows Google's announcement that it has updated its inactivity policy for Google Accounts to two years, which means that if a personal account has not been used or logged into for at least two years, Google may deactivate the account and its contents. This article continues to discuss inactive accounts getting compromised due to password reuse and lack of multi-factor authentication (MFA).

    CSO Online reports "Inactive Accounts Pose Significant Account Takeover Security Risks"

  • news

    Visible to the public "Half of Organizations Fell Victim to Spear Phishing in 2022"

    Barracuda Networks' new spear phishing trends report shows that 50 percent of organizations analyzed were victims of spear phishing in 2022, with 24 percent having at least one email account compromised by Account Takeover (ATO). The report is based on the analysis of a data set consisting of 50 billion emails across 3.5 million mailboxes, including nearly 30 million spear phishing emails, as well as a survey conducted by Vanson Bourne of Information Technology (IT) professionals at 1,350 companies. While spear phishing attacks account for only 0.1 percent of all email-based attacks, according to data from Barracuda, they account for 66 percent of all breaches. Additionally, 55 percent of respondents who experienced a spear phishing attack reported the infection of machines with malware or viruses. As a result of a spear phishing attack, 49 percent had sensitive data stolen, 48 percent had login credentials stolen, and 39 percent suffered direct financial loss. This article continues to discuss key findings from Barracuda Networks' spear phishing trends report.

    BetaNews reports "Half of Organizations Fell Victim to Spear Phishing in 2022"

  • news

    Visible to the public "Zyxel Firewalls Hacked by Mirai Botnet"

    A Mirai botnet variant has been exploiting a recently patched vulnerability tracked as CVE-2023-28771 to hack many Zyxel firewalls. The Taiwan-based networking device manufacturer informed customers about the security hole on April 25, when it announced the availability of patches for impacted ATP, VPN, USG Flex, and ZyWALL/USG firewalls. Trapa Security found the OS command injection vulnerability, which is caused by improper error message handling in some firewalls, and it could allow an unauthenticated attacker to remotely execute OS commands by sending specially crafted packets to the targeted device. By mid-May, security experts reported reproducing the exploit, and Rapid7 warned a few days later that it would likely end up being exploited in the wild. Rapid7 said it had seen 42,000 instances of internet-exposed Zyxel device web interfaces but noted that the actual number of exploitable devices was likely much higher. Researcher Kevin Beaumont revealed recently that CVE-2023-28771 has been "mass exploited" by a Mirai botnet variant, with many SMB appliances being impacted. Mirai botnets typically abuse compromised devices to launch DDoS attacks, which can be massive.

    SecurityWeek reports: "Zyxel Firewalls Hacked by Mirai Botnet"
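
    CVE-2023-28771 is an OS command injection bug, the class in which untrusted input reaches a shell. The details of the Zyxel code are not public on this page, so the following added example shows the class in generic form (it is not the Zyxel code and makes no claim about how that bug looks): a vulnerable string-built command, a blocklist "fix" that still falls to command substitution, and the hardened form that validates the input and passes argv with no shell. `echo` stands in for a network diagnostic such as ping so the snippet runs anywhere with /bin/sh; the host strings and payloads are constructed.

```python
"""Added example of the OS command injection class, in generic form.
Not the Zyxel code. `echo` stands in for a diagnostic tool; payloads constructed.
"""
import re
import subprocess

PAYLOAD = "192.0.2.1; echo INJECTED"          # shell metacharacter in user input
PAYLOAD_SUBST = "192.0.2.1 $(echo INJECTED)"  # survives a naive ';' filter


def _sh(cmdline: str) -> str:
    return subprocess.run(cmdline, shell=True, capture_output=True, text=True).stdout


def diag_vulnerable(host: str) -> str:
    """Attacker-controlled text is spliced into a shell command line."""
    return _sh(f"echo probing {host}")


def diag_blocklist(host: str) -> str:
    """Stripping ';' and '&' looks like a fix but leaves $(...), backticks,
    '|' and newlines for the shell to interpret."""
    cleaned = host.replace(";", "").replace("&", "")
    return _sh(f"echo probing {cleaned}")


def diag_argv_only(host: str) -> str:
    """No shell at all: the host is a single argv element, never parsed."""
    return subprocess.run(["echo", "probing", host], capture_output=True, text=True).stdout


HOST_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.:\-]{0,252}$")  # no leading '-'


def diag_hardened(host: str) -> str:
    """Allowlist-validate, then pass argv. The allowlist also stops a value
    such as '-c 10000' from being read as an option by the tool itself."""
    if not HOST_RE.match(host):
        raise ValueError("invalid host")
    return diag_argv_only(host)


if __name__ == "__main__":
    print("vulnerable:", diag_vulnerable(PAYLOAD), end="")
    print("blocklist: ", diag_blocklist(PAYLOAD_SUBST), end="")
    print("argv only: ", diag_argv_only(PAYLOAD), end="")
    print("hardened:  ", diag_hardened("192.0.2.1"), end="")
```

    The argv form alone already stops the shell from seeing the payload; the allowlist is the second layer, because the tool being invoked has its own option parser and an input beginning with `-` can still change what it does.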

  • news

    Visible to the public "Iranian Hackers Deploy New Ransomware Against Israeli Firms"

    Researchers found the Iran-linked Agrius Advanced Persistent Threat (APT) group launching a wave of ransomware attacks against Israeli organizations using a new strain of malware. Researchers at Check Point discovered a ransomware strain named Moneybird with similarities to that of the Agrius group's previous campaigns. Agrius is known for targeting Israel-based organizations with variants of wiper malware, disguising the intrusions as ransomware attacks to confuse defenders. According to Check Point investigators, the new Moneybird strain is an upgrade to previous Agrius attacks involving its custom-built Apostle wiper malware. The use of new ransomware written in C++ is significant because it indicates the group's expanding capabilities and ongoing effort to develop new tools. This article continues to discuss the new Moneybird malware strain being used by the Iran-linked APT group.

    DataBreachToday reports "Iranian Hackers Deploy New Ransomware Against Israeli Firms"

  • news

    Visible to the public "The Race to Make Hospitals Cybersecure"

    The European Union Agency for Cybersecurity (ENISA) recorded 623 ransomware incidents in member states between May 2021 and June 2022, with healthcare the fifth most targeted sector. That exposure has driven increased investment and technological innovation to secure the sector. Sabina Magalini, a surgery professor at the Catholic University of the Sacred Heart in Rome, Italy, coordinated the EU-funded PANACEA project to improve hospital cybersecurity. The project ran for 38 months, ending in February 2022. Research conducted during PANACEA found that nurses frequently had to log in to computer systems more than 80 times a day. This is time-consuming and leads to shortcuts, such as a group of staff sharing one password or passwords being written on paper next to the computer. The study showed that hospital staff followed cybersecurity practices inadequately, leaving systems open to attackers. PANACEA developed methods to make it easier for hospital staff to comply with cybersecurity precautions; one contribution was software designed to make login more secure. Magalini noted that the software authenticates healthcare employees by facial recognition, reducing password problems. The project also experimented with low-tech measures, such as stickers and posters in hospitals encouraging staff to follow basic cybersecurity practices. This article continues to discuss EU-funded research aimed at improving the cybersecurity of hospitals.

    The European Commission reports "The Race to Make Hospitals Cybersecure"

  • news

    Visible to the public "Advanced Phishing Attacks Surge 356% in 2022"

    Security researchers at Perception Point have observed a 356% growth in the number of advanced phishing attacks attempted by threat actors in 2022. The total number of cyberattacks increased by 87%. The researchers noted that among the reasons behind this growth is the fact that malicious actors continue to gain widespread access to new tools, including artificial intelligence (AI) and machine learning (ML)-powered tools. These have automated the process of generating sophisticated attacks, including those characterized by social engineering as well as evasion techniques. The researchers stated that the changing threat landscape has resulted from the swift adoption of new cloud collaboration apps, cloud storage, and productivity services for external collaboration. Threat actors have adapted to this shift, with 2022 experiencing a 161% surge in attacks on cloud storage and collaboration apps, though email and the browser remained the leading attack vectors. Overall, phishing was the most pervasive threat, accounting for 67.4% of all attacks. The researchers noted that last year also experienced a significant increase in business email compromise (BEC) attacks, which grew by 83%. Microsoft was the brand most impersonated in malicious emails, 3.3x more than the next most copied brand, LinkedIn.

    Infosecurity reports: "Advanced Phishing Attacks Surge 356% in 2022"

  • news

    Visible to the public "Group-IB: Qilin Affiliates Receive Up to 85% Of Each Ransomware Payout"

    In March 2023, Group-IB researchers infiltrated the Qilin ransomware group and found that affiliates receive 80 to 85 percent of each ransom payment. The researchers engaged a Qilin recruiter, known as Haise and also identified as a member of the dark web forum RAMP, over Tox, the encrypted messaging app the group's members use, and listened in on private conversations. Qilin is a cyber extortion gang that operates a Ransomware-as-a-Service (RaaS) program. The group practices double extortion: it demands a ransom in exchange for a decryptor for the encrypted devices and threatens to publish stolen data on its leak site unless the ransom is paid. Between July 2022 and May 2023, Qilin listed 12 organizations on its leak site. The group's ransomware is written in Rust, which is harder to detect and reverse-engineer with existing tooling than malware in more common languages and compiles for both Windows and Linux; before moving to Rust, the group developed the malware in Go. Many Qilin attacks are customized to maximize impact on each victim. The group claims it does not target the Commonwealth of Independent States (CIS), which includes Russia and other former Soviet states, leading Group-IB to assess that Qilin is pro-Russian. This article continues to discuss Group-IB researchers' findings regarding the Qilin ransomware group.

    CPO Magazine reports "Group-IB: Qilin Affiliates Receive Up to 85% Of Each Ransomware Payout"

  • news

    Visible to the public "How the ILOVEYOU Worm Exposed Human Beings as the Achilles Heel of Cybersecurity"

    The CTO of CTERA, Aron Brand, discusses how the ILOVEYOU virus ushered in the era of social engineering in the digital world. The digital world experienced a cyberattack in 2000 that altered the approach to cybersecurity. The ILOVEYOU worm, also known as the Love Bug or Love Letter For You, infected over 10 million Windows personal computers within days of its emergence on May 5, 2000. Major companies, including Ford Motor Company, AT&T, and Microsoft, as well as government organizations, were forced to shut down their email services in order to contain the damage. Since an estimated 10 percent of the world's computers connected to the Internet were compromised, the total damage could have exceeded $10 billion. Many people were drawn in by the seemingly innocent "love letter" email attachment, demonstrating how vulnerable humans are to social engineering tactics. Although there have been technological advancements throughout the years, the human brain remains the most difficult vulnerability to fix. In the digital era, technological aspects of cybersecurity are often the focus of discussion, but the human factor remains the chain's weakest link. As we observe the emergence of Large Language Models (LLMs) such as ChatGPT and deepfake technologies, the potential for social engineering attacks on a large scale becomes a more alarming concern. This article continues to discuss the ILOVEYOU worm and the human aspect of security.

    SC Magazine reports "How the ILOVEYOU Worm Exposed Human Beings as the Achilles Heel of Cybersecurity"

  • news

    Visible to the public "Chip-Based QKD Achieves Higher Transmission Speeds"

    Researchers have developed a Quantum Key Distribution (QKD) system based on integrated photonics that is capable of transmitting secure keys at unprecedented speeds. The proof-of-principle experiments are a significant step toward implementing this highly secure communication method in the real world. QKD is a method for supplying distant parties with secret keys for secure communication. By using the quantum properties of light to generate secure random keys for encrypting and decrypting data, the security is based on the laws of physics, as opposed to the computational complexity of current communication protocols. This article continues to discuss the QKD system based on integrated photonics that lays the groundwork for network implementation.

    Optica reports "Chip-Based QKD Achieves Higher Transmission Speeds"

  • news

    Visible to the public "Dark Frost Botnet Launches Devastating DDoS Attacks on Gaming Industry"

    Dark Frost is a new botnet launching Distributed Denial-of-Service (DDoS) attacks against the gaming industry. According to a technical analysis by Akamai security researcher Allen West, the Dark Frost botnet appears to have been assembled from source code stolen from several existing malware families, including Mirai, Gafgyt, and QBot, and has grown to hundreds of compromised devices. Its targets include gaming companies, game server hosting providers, online streamers, and other gaming community members with whom the threat actor has had direct interactions. As of February 2023, the botnet consisted of 414 machines spanning instruction set architectures such as ARMv4, x86, MIPSEL, MIPS, and ARM7. After flagging the botnet on February 28, 2023, Akamai reverse-engineered it and estimated its attack potential at approximately 629.28 Gbps via a UDP flood. Researchers believe the threat actor has been active since at least May 2022. This article continues to discuss findings and observations regarding the Dark Frost botnet.

    THN reports "Dark Frost Botnet Launches Devastating DDoS Attacks on Gaming Industry"

  • news

    Visible to the public "Predator: Looking Under the Hood of Intellexa's Android Spyware"

    Security researchers at Cisco Talos and the Citizen Lab conducted a technical analysis of the commercial Android spyware named "Predator" and its loader, "Alien," detailing its data-theft capabilities and other operations. Predator is commercial spyware for the iOS and Android mobile platforms that was developed and sold by the Israeli company Intellexa. The spyware family has been associated with surveillance operations targeting journalists, high-profile European politicians, and Meta executives. On infected Android devices, the spyware can record phone calls, gather information from messaging apps, hide apps, and prevent certain apps from executing. This article continues to discuss findings regarding the commercial Android spyware Predator and its loader Alien.

    Bleeping Computer reports "Predator: Looking Under the Hood of Intellexa's Android Spyware"

  • news

    Visible to the public "Phishers Use Encrypted File Attachments to Steal Microsoft 365 Account Credentials"

    Attackers are using encrypted restricted-permission messages (.rpmsg) attached to phishing emails in order to steal Microsoft 365 account credentials. According to researchers from Trustwave, the campaigns are low-volume, targeted, and use trusted cloud services, such as Microsoft and Adobe, to deliver emails and host content. The initial emails are sent from compromised Microsoft 365 accounts and appear to target recipient addresses where the sender may be familiar. The phishing emails are sent from a compromised Microsoft 365 account to employees working in the billing department of the recipient company. This article continues to discuss phishers' use of encrypted restricted-permission messages to steal Microsoft 365 account credentials.

    Help Net Security reports "Phishers Use Encrypted File Attachments to Steal Microsoft 365 Account Credentials"

  • news

    Visible to the public "Lazarus Group Striking Vulnerable Windows IIS Web Servers"

    The North Korea-backed threat actor Lazarus Group has made changes to its ongoing espionage campaign by exploiting known vulnerabilities in unpatched Windows IIS Web servers to launch its reconnaissance malware. AhnLab Security Response Center (ASEC) researchers reported that the most recent wave of espionage attacks involved the Lazarus Group signature DLL side-loading technique during the initial compromise. The AhnLab Smart Defense (ASD) log revealed that Windows server systems are the target of attacks, and that malicious activity is carried out via w3wp.exe, an IIS Web server process. Therefore, the threat actor uses poorly managed or vulnerable Web servers as initial entry points before executing their malicious commands. The ASEC team highlighted that the intelligence-gathering campaign's initial attack vectors include unpatched machines with known vulnerabilities such as Log4Shell, public certificate vulnerabilities, and the 3CX supply chain attack. This article continues to discuss the North Korean Advanced Persistent Threat (APT) group using Log4Shell, the 3CX supply chain attack, and other known vectors to breach Microsoft Web servers.

    Dark Reading reports "Lazarus Group Striking Vulnerable Windows IIS Web Servers"
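
    The observable in this campaign is behavioural: the IIS worker process w3wp.exe starts things a web server should not, and a DLL is side-loaded into that process tree from a directory an attacker could write to. The following is an added example, not ASEC's detection logic, of two checks over process-creation and image-load telemetry that encode exactly that; the key=value line format and the events themselves are constructed for the example.

```python
"""Added example (not ASEC's logic): flag w3wp.exe lineage spawning
interpreters/LOLBins or non-system binaries, and side-loaded DLLs in that
lineage. Event format and sample events are constructed.
"""
import re
from typing import Dict, List, Set, Tuple

SAMPLE_EVENTS = [
    'EventType=ProcessCreate Image=C:\\Windows\\System32\\inetsrv\\w3wp.exe ParentImage=C:\\Windows\\System32\\svchost.exe',
    'EventType=ProcessCreate Image=C:\\Windows\\System32\\cmd.exe ParentImage=C:\\Windows\\System32\\inetsrv\\w3wp.exe CommandLine="cmd.exe /c whoami"',
    'EventType=ProcessCreate Image=C:\\ProgramData\\Conv\\conv.exe ParentImage=C:\\Windows\\System32\\inetsrv\\w3wp.exe',
    'EventType=ImageLoad Image=C:\\ProgramData\\Conv\\conv.exe ImageLoaded=C:\\ProgramData\\Conv\\msvcr100.dll',
    'EventType=ImageLoad Image=C:\\Windows\\System32\\inetsrv\\w3wp.exe ImageLoaded=C:\\Windows\\System32\\inetsrv\\iiscore.dll',
    'EventType=ProcessCreate Image=C:\\Windows\\System32\\conhost.exe ParentImage=C:\\Windows\\System32\\cmd.exe',
]

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Interpreters and LOLBins a worker process almost never needs to start.
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "rundll32.exe", "certutil.exe",
                       "mshta.exe", "wscript.exe", "cscript.exe", "regsvr32.exe"}
# Runtime/system libraries commonly side-loaded because many signed EXEs import them.
SIDELOAD_NAMES = {"msvcr100.dll", "msvcp100.dll", "version.dll", "dbghelp.dll",
                  "wtsapi32.dll", "cryptbase.dll", "userenv.dll"}
SYSTEM_PREFIXES = ("c:\\windows\\",)


def parse(line: str) -> Dict[str, str]:
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def in_system_dir(path: str) -> bool:
    return path.lower().startswith(SYSTEM_PREFIXES)


def detect(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (event index, reason) for matching events. Events are assumed
    chronological so descendants of w3wp.exe can be tracked by name."""
    lineage: Set[str] = {"w3wp.exe"}
    findings: List[Tuple[int, str]] = []
    for idx, line in enumerate(lines):
        ev = parse(line)
        kind = ev.get("EventType")
        if kind == "ProcessCreate" and basename(ev.get("ParentImage", "")) in lineage:
            child = ev.get("Image", "")
            lineage.add(basename(child))
            if basename(child) in SUSPICIOUS_CHILDREN:
                findings.append((idx, f"IIS worker lineage spawned {basename(child)}"))
            elif not in_system_dir(child):
                findings.append((idx, f"IIS worker lineage spawned non-system binary {child}"))
        elif kind == "ImageLoad" and basename(ev.get("Image", "")) in lineage:
            dll = ev.get("ImageLoaded", "")
            if basename(dll) in SIDELOAD_NAMES and not in_system_dir(dll):
                findings.append((idx, f"possible DLL side-loading: {dll}"))
    return findings


if __name__ == "__main__":
    for idx, reason in detect(SAMPLE_EVENTS):
        print(idx, reason)
```

    The second rule (any non-system child) is the noisy one: IIS applications that legitimately spawn helpers from `C:\Program Files` need an allowlist, while the shell/LOLBin rule and the side-load rule stay tight. Tracking lineage by image name rather than process id is a simplification for the example; real telemetry carries ParentProcessId and should use it.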

  • news

    Visible to the public "The Challenge of Adversarial Machine Learning"

    Researchers at Carnegie Mellon University's (CMU) Software Engineering Institute (SEI) have published a blog post explaining the concept of adversarial Machine Learning (ML) as well as examining the motivations of adversaries and what researchers are doing to mitigate their attacks. They also provided a taxonomy of what an adversary can accomplish or what a defender needs to defend against. Due to the significant growth of ML and Artificial Intelligence (AI), adversarial tactics, techniques, and procedures (TTPs) have generated a great deal of interest and expanded. When ML algorithms are used for a prediction model and then incorporated into AI systems, the focus is typically on making performance as high as possible and ensuring that the model can make accurate predictions. This emphasis on capability often places security as a secondary concern to other priorities, such as using properly curated datasets for training models, applying domain-appropriate ML algorithms, and tuning parameters and configurations for optimal results and probabilities. However, research has demonstrated that an adversary can influence an ML system by manipulating the model, the data, or both. By doing so, an adversary can force an ML system to learn, do, or reveal the wrong information. This article continues to discuss the concept of adversarial ML, how adversaries seek to influence models, and defending against adversarial AI.

    Carnegie Mellon University reports "The Challenge of Adversarial Machine Learning"

  • news

    "Researchers Uncover Russia-Linked Malware That Could Immobilize Electric Grids"

    Researchers have discovered new malware for Industrial Control Systems (ICS), dubbed "CosmicEnergy," which could be used to disrupt critical infrastructure systems and electric grids. CosmicEnergy was discovered by researchers at Mandiant, who compared its capabilities to those of the destructive Industroyer malware that the Russia-backed "Sandworm" hacking group used in 2016 to cut power in Ukraine. In a rare occurrence, Mandiant discovered CosmicEnergy through threat hunting rather than a cyberattack on critical infrastructure. According to Mandiant, the malware was uploaded to VirusTotal, a Google-owned malware and virus scanner, in December 2021 by a Russian submitter. An analysis indicates that the malware may have been created by Rostelecom-Solar, the cybersecurity division of Russia's national telecommunications operator Rostelecom, to support exercises such as those held in 2021 in collaboration with the Russian Ministry of Energy. This article continues to discuss the malware that could disrupt critical infrastructure systems and electric grids.

    TechCrunch reports "Researchers Uncover Russia-Linked Malware That Could Immobilize Electric Grids"

  • news

    "More APTs Eye Managed Service Providers in Supply Chain Attacks"

    Sophisticated threat groups are increasingly compromising Managed Service Providers (MSPs) and launching supply chain attacks against their small and medium-sized downstream customers. The analysis of data from more than 200,000 small and medium-sized businesses (SMBs), including regional MSPs, between the first quarters of 2022 and 2023 revealed the increased interest of APTs in this segment as a means to launch attacks against a large number of companies in a single geographic region. MSPs, in conjunction with solution providers and resellers, help end users with the deployment, customization, and management of cloud services and other technologies. Regional MSPs serve customers in concentrated geographic areas. Compromising these organizations could enable attackers to exploit the "trusted relationships" between MSPs and their customers. According to Proofpoint, regional MSPs protect hundreds of SMBs local to their geography, many of which have inadequate and often non-enterprise-grade cybersecurity defenses. APT actors have taken note of this disparity between the level of protection these MSPs offer and the potential for gaining access to desirable end-user environments. This article continues to discuss APT groups increasingly targeting MSPs.

    Decipher reports "More APTs Eye Managed Service Providers in Supply Chain Attacks"

  • news

    "Telegram Emerges as Criminals' Top Choice for Handling Stolen Information"

    In 2022, the cybersecurity firm Group-IB identified nearly 3,700 different phishing kits, a 25 percent increase from 2021. A phishing kit is a collection of tools used to execute widespread phishing campaigns. Typically, threat actors manage stolen data via email. Gmail remained the most popular service, with 45 percent of phishers preferring Google as a data processing tool. However, according to Group-IB's Computer Emergency Response Team (CERT-GIB), the number of phishing kits that rely on Telegram to collect stolen data has nearly doubled. In 2022, 9.4 percent of phishers used Telegram for information management. The flexibility and convenience of the messenger enable cybercriminals to manage and process compromised information in near real-time, according to the company. Many encrypted messaging services, such as Signal and WhatsApp, are used by criminals because they provide users with a great deal of anonymity. This article continues to discuss Telegram becoming a top choice among cybercriminals for handling stolen information.

    Cybernews reports "Telegram Emerges as Criminals' Top Choice for Handling Stolen Information"