News Items

The US Department of Transportation has designated the Center for Assured and Resilient Navigation in Advanced Transportation Systems (CARNATIONS) at the Illinois Institute of Technology (Illinois Tech) as a Tier 1 University Transportation Center (UTC). As a Tier 1 UTC, CARNATIONS will receive a $10 million grant for increasing the resilience of transportation navigation systems against cyberattacks such as spoofing and jamming. CARNATIONS, a consortium of universities led by Professor of Mechanical and Aerospace Engineering Boris Pervan, conducts transformative research in resilient transportation systems, facilitates technology transfer to public agencies and industry, and advances workforce and educational development. Interference, such as jamming and spoofing, that targets critical infrastructure can cause delays and cascading failures across multiple modes of transportation. For example, a major aircraft manufacturer reported over 10,000 Global Navigation Satellite System (GNSS) interference events in 2021 alone, and repeated spoofing attacks have negatively impacted various military operations. Pervan and his team plan to approach the problem from different angles, including developing sophisticated algorithms that can distinguish between authentic and spoofed GPS signals and improving GPS receivers by combining them with other types of sensors resistant to jamming and spoofing. CARNATIONS will consider the possibility of a fully connected system in the future, in which self-driving cars exchange information with each other and with smart infrastructure such as traffic signals. This article continues to discuss CARNATIONS and its goal to enhance the resilience of transportation infrastructure against cyber threats.

Illinois Institute of Technology reports "Illinois Tech's CARNATIONS Receives $10M Federal Grant as New Tier 1 Transportation Center to Bolster Cybersecurity in Navigation Systems"

According to security experts, the new '.zip' top-level domain (TLD) could drive an increase in the spread of malware and undermine legitimate sources. TLDs are the letters that follow the final period in a URL, such as '.com.' At the beginning of May, Google announced the release of eight new options, including .dad, .phd, .prof, .esq, .foo, .zip, .mov, and .nexus. Although most of the new TLDs were created to correspond with specific job titles, there are concerns that the two that resemble file extensions, which are '.zip' and '.mov,' could be used by hackers to deceive users into entering malicious domains. Zipped archives are widely used in business because they enable the sharing of large amounts of data in a compressed format and are compatible with macOS, Windows, and Linux. Using the '.zip' TLD to disguise illegitimate links as downloadable files could lead to increased phishing attacks or the delivery of malicious .zip files, such as those used in recent Emotet botnet campaigns through domains resembling innocent files. This article continues to discuss the cybersecurity risk posed by the new .zip TLD.

ITPro reports "Is the New .zip Top-Level Domain a Cyber Security Risk?"

Secure Data Recovery shared the results of a data recovery project aimed at determining how many files could be recovered from hard drives purchased online. The company purchased 100 hard drives at random and used reasonable means to attempt data recovery. Secure Data Recovery was able to recover data from 35 drives, 34 of which were sanitized, 30 were damaged, and only one was encrypted. Over 5.7 million files were recovered, although that number was skewed by a single hard drive containing more than 3.1 million files. The findings emphasize a major problem among most users. After replacing damaged or obsolete hard drives, most users lack a thorough destruction or disposal plan. This article continues to discuss the recovery of millions of files from hard drives purchased online, users not properly destroying or disposing of damaged or obsolete hard drives, and how to securely dispose of a hard drive.

TechRadar reports "Millions of Deleted Files Recovered in Hard Drives Purchased Online"

Security researchers at Char49 have discovered that a vulnerability in the official website of luxury sports car maker Ferrari could have exposed potentially sensitive information. The issue was discovered in March. Ferrari addressed the weakness within a week. The researchers noticed that the "media.ferrari[.]com" domain is powered by WordPress, and it was running a very old version of W3 Total Cache, a plugin installed on more than a million websites. The plugin was affected by CVE-2019-6715, a flaw that can be exploited by an unauthenticated attacker to read arbitrary files. Exploitation of the vulnerability allowed the researchers to obtain the "wp-config.php" file, which stores WordPress database credentials in clear text. The researchers stated that the exposed database stored information associated with the media[.]ferrari.com domain. While the researchers did not dig too deep in order to avoid breaking responsible disclosure rules, the vulnerability could have been exploited to access other files on the web server, including ones that could contain information that is of value for threat actors. After being notified, Ferrari patched the vulnerability by updating the WordPress plugin. The researchers stated that while in this case there is no indication that the security hole directly exposed customer or other sensitive information, it's important for high-profile companies such as Ferrari to ensure that none of their systems are vulnerable. In March, Ferrari admitted to being targeted in a ransomware attack in which hackers stole customer information.

SecurityWeek reports: "WordPress Plugin Vulnerability Exposed Ferrari Website to Hackers"

Multiple security flaws have been discovered in the cloud management platforms of three industrial cellular router vendors, which could expose Operational Technology (OT) networks to attacks. The industrial cybersecurity company OTORIO presented its findings at the Black Hat Asia 2023 conference. The 11 vulnerabilities enable Remote Code Execution and complete control over hundreds of thousands of devices and OT networks. Specifically, the cloud-based management solutions provided by Sierra Wireless, Teltonika Networks, and InHand Networks for remotely managing and operating devices contain the vulnerabilities. Successful exploitation of the vulnerabilities could pose significant risks to industrial environments, allowing adversaries to bypass security layers, exfiltrate sensitive data, and remotely execute code on internal networks. The vulnerabilities could also be weaponized to gain unauthorized access to devices on the network and carry out malicious operations such as a shutdown with elevated permissions. This article continues to discuss the potential exploitation and impact of the vulnerabilities found in cloud-based management solutions offered by Sierra Wireless, Teltonika Networks, and InHand Networks.

THN reports "Industrial Cellular Routers at Risk: 11 New Vulnerabilities Expose OT Networks"

According to Cequence Security, Application Programming Interfaces (APIs) have emerged as a primary attack vector in several high-profile incidents, posing a significant threat to the security posture of organizations. Numerous high-profile organizations have suffered API attacks in recent months, increasing the need for CISOs to prioritize API security. According to Ameya Talwalkar, CEO of Cequence Security, traditional prevention methods are no longer sufficient as attackers become more inventive. Talwalkar added that as attack automation becomes an increasingly prevalent threat against APIs, organizations must have the tools, knowledge, and expertise to defend in real-time. About 45 billion search attempts were made for shadow APIs in the second half of 2022, a 900 percent increase from the 5 billion attempts made in the first half of 2022. From June to October 2022, attackers favored traditional application security techniques, but as the holidays approached, API security tactics experienced a 220 increase. This article continues to discuss key findings from Cequence Security's "API Protection Report: Holiday Build-up Shows 550% Jump in Unique Threats."

Help Net Security reports "Attack Automation Becomes a Prevalent Threat Against APIs"

The Department of Transportation (DOT) has recently been hit with a data breach that may have exposed personally identifiable information of federal government employees. The DOT said it was working to notify affected individuals whose personally identifiable information may have been compromised due to the breach and to help mitigate potential risks. The data breach impacts individuals that are enrolled in the US Department of Transportation's transit benefit program (TRANServe). TRANServe manages the transit benefit program for DOT and other federal agencies. The breach occurred within the system that supports TRANServe. TRANServe is a commuting benefits system that reimburses staff across the federal government for certain transportation costs. According to the DOT, the information compromised as a result of the breach may include details such as the name of TRANServe transit benefit recipients, their agency, work email address, work phone number, work address, home address, SmarTrip card number, and/or TRANServe Card number. The breach is expected to affect 114,000 current DOT employees and 123,000 former DOT employees.

FedScoop reports: "Transportation Dept Cyber Breach Exposes Data of Federal Employees"

A Californian VoIP provider has recently been accused of breaking telemarketing rules by providing services that sent billions of illegal robocalls to US consumers. The Department of Justice (DoJ) and Federal Trade Commission (FTC) on Friday announced a civil enforcement action against Los Angeles-headquartered XCast Labs. The DoJ alleges that XCast Labs services delivered pre-recorded marketing messages to recipients, many of whom are listed on the National Do Not Call Registry. These included scam calls impersonating government agencies and "other false or misleading statements to induce purchases." The DoJ claimed that some calls also used spoofed caller ID information to hide the true origin of the caller and/or failed to identify the seller of the services being marketed. XCast Labs, which describes itself as "the nation's leading supplier of business enterprise solutions," is accused of continuing to allow its services to be used in this way, even after being told that the calls were illegal. The newly filed complaint seeks monetary civil penalties and a permanent injunction to prevent XCast Labs from future violations.

Infosecurity reports: "US Says VoIP Firm Delivered Billions of Scam Robocalls"

Discord has recently notified users of a data breach that occurred when a threat actor gained unauthorized access to the support ticket queue of a third-party customer service agent. The company noted that due to the nature of the incident, "it is possible that user email addresses, the contents of customer service messages, and any attachments sent between users and Discord may have been exposed to a third party." The popular messaging platform said that when it discovered the issue, it deactivated the compromised account and completed malware checks on the machine. The company stated that while they believe the risk is limited, it is recommended that users be vigilant for any suspicious messages or activity, such as fraud or phishing attempts. It is expected that Discord's user base will reach nearly 200 million monthly active users by the end of 2023, making it an increasingly attractive target for attackers.

Infosecurity reports: "Discord Breached After Service Agent Targeted"

Quantum computing threatens to render the use of classic cryptography for secure communications obsolete. Quantum cryptography applies the laws of quantum mechanics to ensure security. Quantum Key Distribution (QKD) enables two parties to secure a message using a random secret key, which is generated by quantum particles known as photons. In order to accomplish this, scientists are increasingly using an alphabet based on specific properties of light particles (i.e., photons), namely their color composition. However, no equipment had been created to decode the information again. Therefore, researchers at Paderborn University have created such a decoder. They made a multi-output quantum pulse gate (mQPG) that separates incoming letters into various colors, which physicists can identify with a spectrometer. In addition, they have demonstrated a complete, high-dimensional mQPG-based decoder that enables encryption protocols based on individual photons. This article continues to discuss the new technology developed by researchers at Paderborn University for quantum cryptography applications.

Paderborn University reports "New Technology Developed for Quantum Cryptography Applications"

Federal authorities have warned the healthcare industry about a rise in cyberattacks against Veeam's backup application. The attacks appear to be linked to the March disclosure of a high-severity vulnerability in the vendor's software. The vulnerability, tracked as CVE-2023-27532, exposes Veeam Backup and Replication (VBR)-stored encrypted credentials. According to a recent alert from the Department of Health and Human Services' Health Sector Cybersecurity Coordination Center (HHS HC3), its exploitation could lead to unauthorized access to backup infrastructure hosts. These intrusions may result in data theft or ransomware deployment. The issue affects all versions of the Veeam software, which backs up, replicates, and restores data on Virtual Machines (VMs). The software supports transaction-level restores of Oracle and Microsoft SQL databases, according to HHS HC3. In addition to backing up and recovering VMs, VBR is also used to protect and restore individual files and applications for environments such as Microsoft Exchange and SharePoint, which are used in the healthcare and public health sector, making the threat significant. This article continues to discuss the healthcare sector facing a rise in cyberattacks on VBR.

DataBreachToday reports "Feds Warn of Rise in Attacks Involving Veeam Software Flaw"

Lawmakers recently introduced bipartisan legislation to strengthen the cybersecurity of US election infrastructure and boost voter confidence by requiring penetration testing as part of voting machine certification. Senators. Mark Warner and Susan Collins introduced the "Strengthening Election Cybersecurity to Uphold Respect for Elections through Independent Testing" (SECURE IT) Act, which requires the Election Assistance Commission (EAC) to mandate that systems seeking certification undergo penetration testing, allowing researchers to search for vulnerabilities and simulate cyberattacks. Warner noted that the SECURE IT Act would enable researchers to assume the role of cybercriminals in order to identify vulnerabilities and flaws that might not otherwise be discovered. Under the SECURE IT Act, EAC and the National Institute of Standards and Technology (NIST) would accredit entities to conduct penetration testing. EAC must also establish a voluntary Coordinated Vulnerability Disclosure Program for election systems, in which researchers gain access to voting systems to identify and disclose vulnerabilities to the manufacturer and EAC. Discovered vulnerabilities will be submitted to the Common Vulnerabilities and Exposures database after 180 days. This article continues to discuss the SECURE IT Act.

NextGov reports "Voting Machines Must Be Test Hacked for Certification, Under Proposed Bill"

Software maker Brightly has recently confirmed that hackers stole close to three million SchoolDude user accounts in an April data breach. SchoolDude is a cloud-based work order management system used primarily by schools and universities to submit and track maintenance orders. Its users are school employees, like principals, executives, and maintenance workers, as well as students and other staff submitting repair requests. The company said it was notifying both past and present customers that the hackers took their names, email addresses, account passwords, and phone numbers if added to the account. The data also includes the names of school districts. Brightly said it reset customer passwords. The company warned users to change passwords on other online accounts that use the same credentials as they used on SchoolDude. This refers to credential stuffing, where hackers use passwords from previous data breaches to break into other user accounts with the same passwords. Brightly said it discovered the breach on April 28, more than a week after the mass data theft.

TechCrunch reports: "Brightly Says SchoolDude Data Breach Spilled 3 Million User Accounts"

According to a report by Bitdefender, a previously undocumented malware campaign called DownEx has been targeting government institutions in Central Asia for cyber espionage. The first instance of the malware was discovered in 2022 during a highly targeted attack aimed at exfiltrating data from Kazakhstan's foreign government institutions. Another attack was observed by researchers in Afghanistan. Bitdefender noted that the involved domain and IP addresses do not appear in any previously documented incidents, and the malware does not share code similarities with previously identified malware. Researchers believe that a state-sponsored group is responsible for these incidents based on the specific targets of the attacks, the document metadata that impersonates a real diplomat, and the primary focus on data exfiltration. Although the attacks have not been attributed to any specific threat actor, a Russian group is likely responsible for the attacks. Bitdefender said that the use of a cracked version of Microsoft Office 2016 prevalent in Russian-speaking countries is an indication of the attack's origin, adding that it is unusual to see the same backdoor written in two languages. This was previously observed with the Russian-based group APT28 and their backdoor Zebrocy. This article continues to discuss the new DownEx malware campaign.

CSO Online reports "New DownEx Malware Campaign Targets Central Asia"

The National Science Foundation (NSF) has awarded $2 million to Virginia Tech and George Mason University to develop distributed, mobile space and terrestrial networking infrastructure for multi-constellation coexistence. This work will be done through the agency's Computer and Information Science and Engineering Community Research Infrastructure (CCRI) program. Through developing the fundamental infrastructure and implementing cybersecurity protocols, the researchers hope to demonstrate the value and practicality of an open-source inter-constellation network with global benefits. The team will investigate software vulnerabilities and the physical security of satellites, ground stations, and more in order to ensure that future space communications remain secure from hacking or cyber threats. This article continues to discuss Virginia Tech and George Mason University teaming up to develop an open-source cyber-infrastructure and new space-based networking technology, and what they will do to bolster cybersecurity.

Virginia Tech reports "Virginia Tech, George Mason University Partner to Develop Networking Infrastructure for Satellite Constellations"

A new study identifies multiple challenges associated with relying on Internet of Things (IoT) devices during investigations. Many IoT devices, for example, lack security controls. A determined adversary can configure IoT devices to generate a false narrative that can conceal their activities and complicate forensic investigations. Instead of considering IoT data as the gold standard, it is essential to corroborate them with physical evidence from fire or crime scenes and to promote stronger security controls in IoT smart home devices. Overall, research should not only concentrate on ensuring the security and reliability of IoT devices but also on preventing the misuse of data. This article continues to discuss the use of IoT devices in investigations and the associated privacy and security challenges.

IEEE Spectrum reports "The Internet of Things: Fire Sleuth, Fire Starter"

Security researchers at Capterra have discovered that more than three-fifths (61%) of US businesses have been directly impacted by a software supply chain threat over the past year. The researchers polled 271 IT and IT security professionals to better understand the risk exposure of US companies to vulnerabilities in third-party software. Half of the respondents rated the software supply chain threat as "high" or "extreme," with another 41% claiming the risk is moderate. The researchers pointed to open source software as a key source of supply chain risk. It is now used by 94% of US companies in some form, with over half (57%) using multiple open source platforms. The researchers claimed that app sprawl is contributing to cyber risk, revealing that retailers that have experienced a cyberattack in the past two years are more than twice as likely to report being impacted by app sprawl as those that did not experience an attack (53% versus 22%). Alongside reducing app sprawl, the researchers recommended organizations request a software bill of materials (SBOM) from vendors and open source providers so that they can better track individual components. Yet only half (49%) of respondents are doing so currently.

Infosecurity reports: "Software Supply Chain Attacks Hit 61% of Firms"

An Advanced Persistent Threat (APT) actor called Red Stinger has been targeting Eastern Europe. Malwarebytes disclosed that the APT's targets included military, transportation, and critical infrastructure entities, as well as those involved in the September East Ukraine referendums. The attackers have been able to exfiltrate snapshots, USB drives, keyboard strokes, and microphone recordings, depending on the campaign. Red Stinger overlaps with a threat cluster known as Bad Magic that targeted Donetsk, Lugansk, and Crimea-based government, agriculture, and transportation organizations in April. Although there were signs that the APT group may have been active since at least September 2021, the most recent findings from Malwarebytes put the group's first operation in December 2020. Throughout the years, the attack chain has used malicious installer files to install the DBoxShell, also known as PowerMagic, implant on compromised systems. The MSI file is downloaded using a Windows shortcut file that is contained within a ZIP archive. It has been observed that subsequent waves detected in April and September 2021 use similar attack sequences, with slight variations in the MSI file names. According to security researchers, DBoxShell is malware that uses cloud storage services as a command-and-control (C2) mechanism. This article continues to discuss researchers' findings regarding the Red Stinger APT group.

THN reports "New APT Group Red Stinger Targets Military and Critical Infrastructure in Eastern Europe"

According to Telesign, digital fraud has significant financial and psychological consequences for victims. In addition, digital fraud can significantly impact a company's brand perception and bottom. In the digital realm, trust is of paramount importance. For businesses to establish and maintain long-lasting relationships with their customers, it is essential to understand consumer sentiment regarding this topic. Telesign researchers emphasize the responsibility of companies to ensure privacy protections and trust in every digital interaction, as well as what can occur when companies fail to meet this obligation. Data breaches, which accounted for 44 percent of fraud incidents in this study, have a profoundly negative effect on brand perception, with 44 percent of data breach victims discouraging others from associating with the brand. Forty-three percent of data breach victims ceased all personal association with the brand. Thirty percent of data breach victims posted about the fraud incident on social media, amplifying negative brand perceptions. Furthermore, 59 percent of victims who were initially exposed to fraud on social media indicate that they are less likely to use social media again in the future. Others report that their fraud experiences make them less likely to use online banking and payment services applications. This article continues to discuss key findings from Telesign's 2023 Trust Index report.

Help Net Security reports "Fraud Victims Risk More Than Money"

According to researchers from the University of California, San Diego, New York University, and Cornell, Google has made installing spyware apps on Android smartphones easy. The researchers demonstrated how these Android spyware apps are built and use relatively simple Android Application Programming Interfaces (APIs) for invasive spying capabilities. Although many of these APIs are required and provide beneficial functionality, researchers call on the Google/Android team to further explore how to prevent their misuse for spying on others. As a result of Google's decision to enable its Android operating system to install third-party apps from any online service, spyware apps can easily be installed on Android smartphones. The spyware installation process is as easy as it is for apps vetted as "safe" by the Google Play Store. Before being accepted by Apple's App Store, iOS apps are screened for safety on the iPhone. Android allows downloads from third-party websites, whereas Apple has chosen to restrict downloads to its own store. GitHub references hundreds of spyware apps, which often have similar names, such as Stalkerware and Watchware, as well as spyware services hidden in 3,988 dual-use apps. Criminals use spyware for illegal surveillance, profit, political leverage, blackmail, and other malicious purposes. This article continues to discuss spyware and how it can easily be installed on Android smartphones.

CACM reports "Spyware Lurks in Android Smartphones"

Foreign state actors are now regarded as the greatest threat to digital networks in the US. A recent survey of public sector organizations on the current cybersecurity landscape reveals that 60 percent of respondents are concerned about attacks from foreign actors. The report, commissioned by the software company SolarWinds, which suffered a significant cyberattack in 2020 that resulted in data breaches at multiple government agencies, analyzed survey responses from 400 public sector Information Technology (IT) leaders from federal, state, and local governments. State-sponsored cyberattacks have been a concern for years, but the report's finding of a significant increase demonstrates that government organizations, notably among federal respondents, view it as a leading threat. Fifty-eight percent of respondents cited careless or untrained insiders as the second-greatest threat to their digital networks, while 52 percent cited the general hacking community as the third-greatest concern. Ransomware, trojans, and spam ranked first, second, and third, respectively, among the different types of cyber threats. The complexity of IT, closely followed by budgetary constraints, was cited as the leading obstacle to network security. This article continues to discuss key findings from the new report surveying public sector organizations on the current cybersecurity landscape.

NextGov reports "State-Sponsored Actors Leading Cause of Cyber Concern in Public Sector"

The US Homeland Security Department's Cybersecurity and Infrastructure Security Agency (CISA) has announced the release of the white paper titled "Research, Development, and Innovation for Enhancing Resilience of Cyber-physical Critical Infrastructure: Needs and Strategic Actions," which was developed by the Resilient Investment Planning and Development Working Group (RIPDWG). As stated in the paper, federal research is often sector-specific or interdisciplinary fragmented, making it difficult to effectively mitigate cross-cutting and systemic infrastructure risks. The paper aims to help the federal research enterprise capitalize on the opportunity to make congressionally-funded research more relevant, equitable, accessible, and useful to decision-makers who must address critical infrastructure challenges at the local and regional levels. The paper identifies three significant gaps that call for a more unified, empirical, and user-centered approach to federal Research, Development, and Innovation (RD&I). First, critical services that depend on cyber-physical infrastructure systems require an integrated analysis of the consequences and risk reduction decision factors. There needs to be an understanding of the societal dimensions of enhancing the resilience of cyber-physical infrastructure systems as well as user-engagement in cyber-physical infrastructure research to translate resilience knowledge into effective action. In order to fill the identified RD&I gaps, the paper proposes a dozen strategic actions for implementation by research partners across the federal interagency in collaboration with stakeholders. This article continues to discuss CISA's release of a white paper that highlights RD&I needs and strategic actions for making critical infrastructure more resilient.

CISA reports "CISA Releases White Paper Highlighting R&D Needs and Strategic Actions for Enhancing the Resilience of Critical Infrastructure"

As soon as ChatGPT was released, hackers began "jailbreaking" the Artificial Intelligence (AI) chatbot in an attempt to circumvent its safeguards so that it presents something irrational or offensive. Its creator, OpenAI, and other major AI providers, including Google and Microsoft, are collaborating with the Biden administration to allow thousands of hackers to test the limits of their technology. They are looking into how chatbots can be manipulated to cause harm, whether they share private information provided by users, and more. Anyone who has interacted with ChatGPT, Microsoft's Bing chatbot, or Google's Bard will soon discover that they have a propensity to fabricate information and confidently present it as fact. These systems, which are based on what are known as Large Language Models (LLMs), also imitate the cultural biases they have learned by being trained on vast troves of online text. US government officials were drawn to the concept of mass hacking in March at the South by Southwest festival in Austin, Texas, where Sven Cattell, founder of DEF CON's long-running AI Village, and Austin Carson, president of the responsible AI nonprofit SeedAI, led a workshop inviting community college students to hack an AI model. This article continues to discuss hackers testing the limits of AI technology.

AP reports "Mass Event Will Let Hackers Test Limits of AI Technology"

The New Mexico Department of Health (DOH) recently started notifying the public, out of an abundance of caution, about an incident that could have compromised some information regarding decedent health information. On March 6, 2023, DOH discovered a spreadsheet containing information about individual deaths in New Mexico had been sent to a journalist requesting such information subject to the Inspection of Public Records Act. The spreadsheet contained some protected health information about every death in New Mexico from January 2020 through December 2021. The DOH noted that the information released did not include the names, birthdates, addresses, or contact information of anyone. As a result of this incident, DOH urges individuals to be alert for any financial or other activity done in the name of a recently deceased person in their family. The DOH noted that they are working to enhance policies and practices to elevate the protection of patient information in the future.

New Mexico Department of Health reports: "Department of Health Notification Regarding Decedent Information"