News Items

Industrial and IoT cybersecurity firm Claroty recently disclosed the details of five vulnerabilities that can be chained in an exploit, potentially allowing threat actors to hack certain Netgear routers. The vulnerabilities were first presented at the 2022 Pwn2Own Toronto hacking competition, where white hat hackers earned a total of nearly $1 million for exploits targeting smartphones, printers, NAS devices, smart speakers, and routers. Claroty's router exploit, which targeted Netgear's Nighthawk RAX30 SOHO router, earned the company's researchers $2,500 at Pwn2Own. Claroty noted that the flaws used in the exploit chain are tracked as CVE-2023-27357, CVE-2023-27367, CVE-2023-27368, CVE-2023-27369, and CVE-2023-27370. They were all patched by Netgear with the release of firmware version 1.0.10.94 in early April. Claroty stated that three of the vulnerabilities have been rated "high severity," and their exploitation can lead to remote code execution, authentication bypass, and command injection. Chaining all the flaws can have a significant impact. Claroty noted that successful exploits could allow attackers to monitor users' internet activity, hijack internet connections and redirect traffic to malicious websites, or inject malware into network traffic. An attacker could also use these vulnerabilities to access and control networked smart devices (security cameras, thermostats, smart locks), change router settings, including credentials or DNS settings, or use a compromised network to launch attacks against other devices or networks. Claroty stated that one mitigating factor is that executing the exploit requires access to the LAN it's not a WAN attack that can be executed from the internet, which is why it earned a smaller reward at Pwn2Own. Netgear explained in an advisory that these vulnerabilities require an attacker to have your WiFi password or an Ethernet connection to your network to be exploited.

SecurityWeek reports: "Details Disclosed for Exploit Chain That Allows Hacking of Netgear Routers"

Threat actors are taking advantage of the leak of Babuk, also known as Babak or Babyk, ransomware code in September 2021 to build different ransomware families that can target VMware ESXi systems. Alex Delamotte, a security researcher at SentinelOne, noted that the emergence of these variants in the second quarter of 2022 and the first quarter of 2023 shows a growing trend of Babuk source code adoption. Leaked source code allows malicious actors to target Linux systems when they may otherwise lack the expertise to develop a working program. As a result, several large and small cybercrime groups have set their sights on ESXi hypervisors. At least three different ransomware strains, including Cylance, Rorschach, and RTM Locker, that have emerged since the start of the year are based on the leaked Babuk source code. The most recent analysis by SentinelOne indicates that this phenomenon is becoming more prevalent, with the cybersecurity company identifying source code overlaps between Babuk and ESXi lockers attributed to Conti and REvil. Other ransomware families that have adopted features from Babuk include LOCK4, DATAF, Mario, and Play ransomware. This article continues to discuss the leaked Babuk ransomware code sparking different ransomware strains that target VMware ESXi systems.

THN reports "Babuk Source Code Sparks 9 Different Ransomware Strains Targeting VMware ESXi Systems"

According to Salesforce, 30 percent of automotive employees do not check security protocols before attempting to use a new tool, thus putting their company and customer data at risk. As companies store and use exponentially more data to power connected car features, concerns regarding cybersecurity grows in the automotive industry. According to Upstream, the number of automotive Application Programming Interface (API) attacks increased by 380 percent last year alone. In addition, 34 percent of automotive employees who participated in Salesforce's survey reported that their company now faces more security threats than it did two years ago. Salesforce's research explores the impacts of gaps between company security efforts and employee actions, revealing the need for automotive organizations to equip employees with trusted, simple-to-use technologies. This article continues to discuss automotive industry employees being unaware of data security risks, the rise in automotive API attacks, automotive employees taking risks with personal devices at work, and data security in the automotive industry.

Help Net Security reports "Automotive Industry Employees Unaware of Data Security Risks"

Wendy's is teaming up with Google to add artificial intelligence to its menu. Wendy's plans to launch an AI chatbot to automate its restaurants' drive-thrus. Dubbed FreshAI, the AI tech will hold limited conversations with customers, handling their food orders and answering frequently asked questions. The bot will integrate with the store's hardware and cash register systems for processing orders. The burger chain, founded in Columbus in 1969, is using Google to power FreshAI with its existing cloud-based generative AI and large language models. The language models include the restaurant's menu as data and will allow the drive-thru chatbot to understand complex, customized, or indirect orders, as well as discern between a customer's voice and background noise. Wendy's will test FreshAI at one of its corporate-owned Columbus storefronts in June, though it did not specify which one. It also did not mention if the chatbot would ultimately result in fewer workers at restaurant locations. Google had first partnered with Wendy's in 2021 when the two companies announced they would work together to improve customer experiences with analytics and machine learning.

The Hill reports: "Wendy's to Test AI Chatbot at Ohio Drive-Thru"

UK-based business process outsourcing and professional services company Capita recently announced that it expects to incur costs ranging between roughly $19 million and $25 million due to a recent cybersecurity incident, but it has not clarified whether that includes a ransom payment to the hackers. The breach came to light on March 31, when Capita said it was experiencing a major IT incident that had been causing disruptions, but it took until April 3 for the company to confirm that the cause was a cyberattack. Capita initially said there was no evidence of customer or other information getting compromised but confirmed that files were stolen from its systems on April 20, days after a ransomware group named Black Basta started leaking information allegedly stolen from the company. The leaked files stored personal and financial information. In its latest update on the cybersecurity incident, the company said it determined that data was stolen from less than 0.1% of its server estate, it previously said that 4% of its servers were impacted. Capita is one of the largest business outsourcing providers in the UK, and its services are used by the government.

SecurityWeek reports: "Capita Says Ransomware Attack Will Cost It Up to $25 Million"

According to security researchers at Sophos, the share of ransomware victims whose data was encrypted by their extorters grew to 76% over the past year. In a new study, the researchers conducted interviews with 3000 cybersecurity/IT leaders carried out in the first quarter of 2023. Responding organizations were located in 14 countries and had between 100 and 5000 employees, with revenue ranging from less than $10m to more than $5bn. The researchers noted that the encryption rate in 2022 is the highest since tracking began in 2020 when it was 73%. The researchers claimed this is evidence of an "ever-increasing skill level of adversaries who continue to innovate and refine their approaches." The researchers noted that only the IT, technology, and telecoms sector managed to buck the trend, with an encryption rate of just 47%. In just under a third (30%) of cases where data was encrypted, it was also stolen in double extortion attacks. However, only in 3% of cases were victims held to ransom without data being encrypted. The researchers stated that interestingly, those who choose to pay their extorters double recovery costs: from an average of $375,000 for those who use backups to $750,000. They also run the risk of extending recovery times: 45% of organizations using backups recovered within a week versus 39% of those that paid the ransom. Around half (46%) of victims that had data encrypted elected to pay a ransom, rising to over half for higher-wealth businesses more likely to have standalone cyber-insurance policies.

Infosecurity reports: "Ransomware Encryption Rates Reach New Heights"

The Phishing-as-a-Service (PhaaS) platform called 'Greatness' has increased activity as it targets organizations using Microsoft 365 in the US, Canada, the UK, Australia, and South Africa. Many organizations use the Microsoft 365 cloud-based productivity platform, making it an attractive target for cybercriminals seeking to steal data or credentials for use in network breaches. In a new report by Cisco Talos, researchers detail how the Greatness phishing platform launched in the middle of 2022, with activity spiking in December 2022 and March 2023. Many victims work in manufacturing, healthcare, technology, education, real estate, construction, finance, and business services, with most being located in the US. The Greatness PhaaS includes everything a phisher requires to conduct a successful campaign. To initiate an attack, the user accesses the 'Greatness' administration panel with their Application Programming Interface (API) key and a list of target email addresses. The PhaaS platform provides the server that will host the phishing page and the HTML attachment generator. The affiliate then creates the email's content and provides any additional content or adjustments to the default settings. The service then sends the victims a phishing email with an HTML attachment. When this attachment is opened, the browser executes obfuscated JavaScript code to connect to the Greatness server and retrieve the malicious page to display to the user. The phishing service will inject the target's company logo and background image from the employer's Microsoft 365 login page. This article continues to discuss findings and observations regarding the Greatness PhaaS.

Bleeping Computer reports "New 'Greatness' Service Simplifies Microsoft 365 Phishing Attacks"

In a campaign that has been ongoing since October 2021, a China-aligned threat actor has targeted a gambling company in the Philippines. The cybersecurity company ESET is tracking the attacks against Southeast Asian gambling companies under the name Operation ChattyGoblin. According to ESET, these attacks target the support agents of victim companies via chat applications, specifically the Comm100 and LiveHelp100 apps. CrowdStrike first documented the use of a Trojanized Comm100 installer to deliver malware in October 2022. The company attributed the supply chain compromise to a potentially China-linked threat actor. The attack chains use the chat applications to deliver a C# dropper, which in turn deploys a second C# executable that ultimately serves as a conduit to drop a Cobalt Strike beacon on compromised workstations. Also highlighted in ESET's APT Activity Report Q4 2022-Q1 2023 are attacks against South Asian government institutions by threat actors Donot Team and SideWinder with ties to India. This article continues to discuss researchers' findings regarding Operation ChattyGoblin.

THN reports "Operation ChattyGoblin: Hackers Targeting Gambling Firms via Chat Apps"

Based on one of the mysteries of human perception known as synesthesia, a researcher at the Oak Ridge National Laboratory (ORNL) developed a new method to hide sensitive electric grid information from malicious actors in a cyberattack. This method involves a palette of colors that is constantly changing. The Grid Communications and Security group leader at ORNL, Peter Fuhr, was intrigued by synesthesia, a condition that causes some people to experience one sense through another, such as perceiving sounds as colors. Fuhr used this idea to encrypt the "language" of grid management software into colors. Utilities use a computer system to gather and analyze real-time data to monitor and control equipment. This system communicates with hardware using strings of letters, which can be translated into color combinations represented as bars, wheels, or swirls. The color patterns are then faded under another image, such as a colorful pointillist painting, or hidden between video feed frames. With each sensor reading, the decoding key rotates. According to Fuhr, this innovative approach has already gained attention from private companies interested in licensing. Using a secure link between ORNL and the public utility EPB of Chattanooga, the concept was tested for six months. The encoded colors are transferred via communication links among video cameras at EPB's electrical substations. This article continues to discuss the new synesthesia-inspired way to hide sensitive electric grid information from cyberattacks.

Oak Ridge National Laboratory reports "Cybersecurity Goes Undercover to Protect Electric Grid Data"

In order to make multi-factor authentication (MFA) less susceptible to social engineering attacks, Microsoft Authenticator will now require number matching for all push notifications. The use of MFA fatigue attacks by cybercriminals has proven effective. These attacks involve sending a barrage of MFA push notification requests to employees, usually at unsociable hours, to manipulate them into authenticating a login attempt to clear the notifications. To authorize the login attempt, number matching requires opening a push notification, launching Microsoft Authenticator, and entering a series of numbers that appear in the app. This technique has existed for years and combines MFA and two-factor authentication (2FA). These numbers typically reset after a predetermined amount of time, such as 30 seconds, and add an extra layer of interaction to reduce the risk of successful social engineering attacks. In a typical attack scenario, the recipients of the constant notifications are often asleep and awakened by loud smartphone alerts. The attack is successful if the individual hurries to approve the login attempts. Adding this layer makes the process more manual, giving the recipient more time to recognize that a malicious actor is triggering the event. This article continues to discuss the Microsoft Authenticator adding another layer of complexity to prevent social engineering attacks.

ITPro reports "Microsoft Authenticator Mandates Number Matching to Counter MFA Fatigue Attacks"

Delinea's new survey of over 2,000 Information Technology (IT) security decision-makers reveals that only 39 percent of respondents believe their company's leadership has a solid grasp of cybersecurity's role as a business enabler. In addition, more than one-third of respondents (36 percent) believe that cybersecurity is viewed as important only in regard to compliance and regulatory requirements, while 17 percent say it is not a business priority. This misalignment between business and security goals appears to have resulted in at least one negative consequence for 89 percent of respondents' organizations, with more than a quarter (26 percent) reporting an increase in the number of successful cyberattacks against their organization. Misaligned cybersecurity objectives have caused delays in investments (35 percent), delays in strategic decision-making (34 percent), and unnecessary increases in spending (27 percent). There are also consequences for individuals, with 31 percent of respondents reporting a stress-related impact on security teams. This article continues to discuss key findings from the survey of IT security decision-makers.

BetaNews reports "Business Leaders Don't Understand Cybersecurity"

Federal entities at the forefront of policing cybercrime and ransomware in the US urge organizations to continue reporting cyber incidents to help fill data gaps. Recent executive actions call for a stricter approach to penalizing ransomware incidents. Leaders from the US Homeland Security Department's Cybersecurity and Infrastructure Security Agency (CISA) and FBI spoke at a recent George Washington University Business and Policy Forum about ongoing government initiatives to continue countering and preventing zero-day cyber incidents. CISA's CSO Valerie M. Cofield and the FBI's Cyber Division Section Chief David Ring discussed a data gap in the larger picture of the current cyber threat landscape and how sharing incident information contributes to the national security goal of strengthening digital networks. Ring reiterated that victim reporting is crucial and that federal agencies overseeing cybercrime in the US still have much work to do to close the gap regarding what is reported, what is actually seen, and what is occurring in the wild. The Cyber Incident Reporting for Critical Infrastructure Act, which became law in 2022, offers promise for CISA and the FBI's efforts. This legislation requires public and private sector entities to report any cyber incident. Cofield commented that while this is a step in the right direction, collecting the necessary data may take several years following the bill's passage. This article continues to discuss the importance of collaboration and data sharing to protect US digital networks.

NextGov reports "CISA, FBI Need Data from Cybercrime Victims to Support Policy"

US and international law enforcement agencies have announced the successful dismantling of a malware implant used by a Kremlin-sponsored hacking group. The US Justice Department (DOJ) obtained court authorization that permitted US law enforcement to wipe out the malicious code used by Turla called "Snake." Turla has a long history of ties to the Russian Federal Security Service (FSB). Snake has been assessed to be their premier espionage weapon, according to a senior FBI official, who added that it had been deployed against NATO countries and others to steal sensitive US information. According to the official, the initiative, dubbed "Operation Medusa," has denied the Moscow-backed group of a resource upon which it has relied for 20 years. In an affidavit released alongside the announcement, the bureau determined that the FSB compromised hundreds of computers in at least 50 countries using the Snake malware package. This article continues to discuss the elimination of the Kremlin-linked Snake espionage malware.

The Record reports "Kremlin-Linked 'Snake' Espionage Malware Eliminated, Justice Department Says"

The Royal ransomware group has become more active this year, targeting critical infrastructure organizations with various tools. Based on the group's leak site, Palo Alto Networks' Unit 42 reports that it has affected 157 organizations since its inception last year. Royal ransomware has affected different industries, including both small and large businesses. According to information from their leak site and public reporting agencies, the Royal ransomware has impacted manufacturing and more. The group has been observed using multiple initial access vectors, including callback phishing, Search Engine Optimization (SEO) poisoning, exposed Remote Desktop Protocol (RDP) accounts, and compromised credentials, to gain access to vulnerable systems. After securing access, the group uses multiple tools to support the intrusion operation, such as the TCP/UDP tunnel Chisel and the Active Directory query tool AdFind. Royal has compromised victims via a BATLOADER infection. BATLOADER will download additional payloads, such as VidarStealer, Ursnif/ISFB, and Redline Stealer, as well as legitimate system management and Remote Monitoring and Management (RMM) tools. Researchers have observed Royal operators using PowerTool, a piece of software with access to the kernel that is ideal for removing endpoint security software. This article continues to discuss researchers' findings and observations regarding the Royal ransomware gang.

SC Media reports "Royal Ransomware Gang Quickly Expands Reign"

Microsoft recently warned that more threat actors have started targeting a recently patched vulnerability in PaperCut MF/NG print management solutions, including Iranian state-sponsored groups. The critical flaw tracked as CVE-2023-27350 (CVSS score of 9.8) and patched in March 2023 could allow remote, unauthenticated attackers to bypass authentication and execute arbitrary code with the privileges of the System user. In late April, PaperCut urged customers to update their installations as soon as possible. A few days later, Microsoft reported that it had seen a Cl0p ransomware operator affiliated with the FIN11 and TA505 Russian groups exploiting the vulnerability for weeks. Now, Microsoft warns that Iranian state-sponsored threat actors Mint Sandstorm and Mango Sandstorm have adopted publicly available proof-of-concept (PoC) code exploiting the bug and are targeting unpatched PaperCut installations in attacks. For now, Microsoft stated that Mint Sandstorm activity targeting CVE-2023-27350 appears opportunistic, while Mango Sandstorm's exploitation of the flaw remains low. Microsoft noted that as more threat actors begin to use this vulnerability in their attacks, organizations are strongly urged to prioritize applying the updates provided by PaperCut to reduce their attack surface. Also tracked as Ajax Security Team, Charming Kitten, APT35, Magic Hound, NewsBeef, Newscaster, Phosphorus, and TA453, Mint Sandstorm has been active since at least 2011, targeting governments, critical infrastructure, activists, journalists, and other entities.

SecurityWeek reports: "Microsoft: Iranian APTs Exploiting Recent PaperCut Vulnerability"

As part of a campaign that began in late November 2022, the Advanced Persistent Threat (APT) actor known as SideWinder has been using a backdoor in attacks against Pakistani government organizations. According to the BlackBerry Research and Intelligence Team, the SideWinder APT group used a server-based polymorphism method to deliver the next stage payload. Another campaign discovered by the company in March 2023 shows that Turkey has also become a priority for the threat actor. SideWinder has been on the radar since at least 2012, and it is primarily known to target Southeast Asian organizations in Pakistan, Afghanistan, Bhutan, China, Myanmar, Nepal, and Sri Lanka. The group is also tracked under the names APT-C-17, APT-Q-39, Hardcore Nationalist (HN2), Rattlesnake, Razor Tiger, and T-APT4. It is believed to be an Indian state-sponsored group. In the past year, SideWinder has been linked to a cyberattack against the Pakistan Navy War College (PNWC) and an Android malware campaign that harvested sensitive information using rogue phone cleaner and Virtual Private Network (VPN) apps uploaded to the Google Play Store. What distinguishes this campaign is the threat actor's use of server-based polymorphism to circumvent traditional signature-based antivirus detection and spread additional payloads by responding with two variants of an intermediate RTF file. This article continues to discuss findings regarding SideWinder's attacks, techniques, and targets.

THN reports "Researchers Uncover SideWinder's Latest Server-Based Polymorphism Technique"

DEF CON's AI Village will host the first public assessment of Large Language Models (LLMs) to discover bugs and the potential for AI model misuse. There are numerous ways in which LLMs can help users' creativity, but there are also challenges, particularly regarding security and privacy. This event aims to bring further attention to the implications of using generative Artificial Intelligence (AI), a technology with many potential applications and unclear repercussions. Red teams will evaluate LLMs from leading vendors, including Anthropic, Google, Hugging Face, NVIDIA, OpenAI, Stability, and Microsoft. They will do so on a Scale AI-developed evaluation platform. This exercise is intended to reveal both the potential and limitations of LLMs. Red teams hope that testing these models will reveal any potential vulnerabilities and evaluate the extent to which LLMs are vulnerable to manipulation. The White House, the National Science Foundation's (NSF) Computer and Information Science and Engineering (CISE) Directorate, and the Congressional AI Caucus' support for the red teaming exercise indicate the importance of the use of LLMs. It also emphasizes the possible risks associated with this technology. This article continues to discuss the first public assessment of LLMs.

Help Net Security reports "Finding Bugs in AI Models at DEF CON 31"

According to a new study from researchers at the University of Georgia, the same blockchain technology that secures cryptocurrency systems could also shield users from intrusive and predatory advertising. Many consumers do not understand how their personal data is used in digital advertising. Which devices collect what data, how companies use that data, and how to block certain ads can be puzzling. Advertisers and publishers can experience the negative effects of ad fraud, such as unauthorized ads and bots that hijack ad traffic and divert profits. According to the researchers, blockchain can combat both of these challenges. Jooyoung Kim, the study's lead author, explained that there will always be malicious actors due to the size and complexity of the advertising ecosystem. Advertisers and publishers cannot effectively track them, and consumers are concerned about the security and privacy of their personal information. With the automated nature of blockchain, consumers have greater control over their exposure to ads. This could increase consumer trust in advertising by placing control in their hands. People can track how their data is used and opt out of certain ad categories. In addition to placing fake ads, fraudsters can use bots to defraud ads. These bots can click on ads, depleting the budgets of advertisers. Such fraud schemes have caused 15 to 50 percent of ads to be wasted, contributing to an estimated $100 billion in losses in 2022. Digital advertising fraud schemes have wasted consumers' attention and increased the number of potential threats to them. Although blockchain may not completely prevent fraud from the start, it does pave the way to do so. When a fraudulent ad is identified, it can be traced back to its source via the blockchain. This article continues to discuss the new study on the anti-fraud possibilities of blockchain.

The University of Georgia reports "Applying Blockchain to Digital Advertising"

The Computer Emergency Response Team of Ukraine (CERT-UA) warns of an ongoing phishing campaign aimed at distributing the SmokeLoader malware in the form of a polyglot file. Threat actors are sending emails with the subject line "bill/payment" and a ZIP archive attachment from compromised accounts. The JavaScript involved in the attack uses PowerShell to download and run an executable that launches the SmokeLoader malware. SmokeLoader serves as a loader for other malware. Upon execution, it injects malicious code into the running explorer process (explorer.exe) and downloads another payload. CERT-UA linked the campaign to the financially motivated threat actor UAC-0006 who has been active since at least 2013. The threat actors focus on compromising accountants' computers, which are used to support financial activities such as remote banking system access. They also steal credentials and initiate unauthorized fund transfers. This article continues to discuss researchers' findings regarding the phishing campaign distributing the SmokeLoader malware.

Security Affairs reports "CERT-UA Warns of an Ongoing SmokeLoader Campaign"

Information Technology security is of utmost importance when using cryptocurrencies. Ultimately, money, like other data, is susceptible to cyberattacks. Professor Ghassan Karame, head of the Chair for Information Security at Ruhr University Bochum, is exploring the security of various cryptocurrencies. He advocates for decentralized platforms, such as those on which cryptocurrencies are based. Karame explains that in decentralized platforms, unlike a bank, power is not centralized in a single entity. Instead, decisions are made by the majority of users. According to Karame, the two advantages of decentralized platforms are that it is difficult for a central body to impose censorship, and they are resilient against faults and misbehavior because a large community of developers monitors the technology. However, cryptocurrencies are vulnerable to security breaches like every other IT technology. As early as 2012, Karame and his team identified a critical flaw in the Bitcoin system that allowed people to spend the same Bitcoins many times to pay for different transactions. In 2015, Karame and his collaborators identified another critical vulnerability after Bitcoin's system was modified to accommodate more users. They demonstrated that if they controlled as few as tens of laptops in the system, they could halt the flow of information throughout the entire Bitcoin system. Bitcoin has long since resolved both of these security issues. This article continues to discuss security vulnerabilities associated with cryptocurrencies.

Ruhr University Bochum reports "Cryptocurrencies: Shared Irresponsibility"

Cookie consent banners appear, in some form, on nearly every website, but concerns remain as to whether users understand what they agree to when they select one of the available options or click the x button to close the banner. In order to comply with regulatory requirements, websites have implemented cookie consent banners, allowing users to choose how their personal information is collected and shared. However, according to researchers at the CyLab Security and Privacy Institute at Carnegie Mellon University (CMU), many of these banners miss the mark. They may not be the best method to provide users with privacy options. Hana Habib, special faculty instructor and associate director of the CMU Software and Societal Systems Department's Masters in Privacy Engineering program, explains that the primary problem with cookie consent interfaces has been the proliferation of dark patterns. Individuals were steered towards less privacy-protective options. In a new study titled "A US-UK Usability Evaluation of Consent Management Platform Cookie Consent Interface Design on Desktop and Mobile," CyLab researchers explored how US and UK users interact with and perceive cookie interfaces, how these interactions and perceptions vary on desktop and mobile devices, as well as how banner prominence, location of cookie category definitions, and initial cookie options influence users' attitudes and behaviors. This article continues to discuss findings from CyLab's US-UK usability evaluation of consent management platform cookie consent interface design.

CyLab reports "Cookie Consent Banners Need Improvement, May Not Be the Answer"

The return of Eurovision 2023 will occur on May 9, hosted by Liverpool on behalf of Ukraine. However, the excitement about this year's acts is accompanied by cybercriminals' eagerness to make money. This year's song contest again raises concerns about malware, phishing, and data management. In May 2022, a pro-Russian hacker group was observed discussing a cyberattack against Eurovision in order to hinder Ukraine's chances of winning the song contest, but Italy had effectively blocked Distributed Denial-of-Service (DDoS) attacks during the event. Italy's successful blocking of the attacks prompted the Russia-affiliated group called Killnet to declare "war on ten countries and the Italian police." This year, hackers are attempting to infiltrate the Eurovision space through every conceivable entry point and using multiple attack vectors. Ahead of the musical event in Liverpool, the North West Cyber Resilience Centre (NWCRC) advised organizations to remain vigilant. Numerous businesses engaging with new suppliers and customers throughout the supply chain have been warned to be alert for fraud attempts. In the run-up to the Eurovision Song Contest in May, the head of Cyber and Innovation at the NWCRC, DI Dan Giannasi, advised all businesses in the North West to be vigilant against potential cybercrime, including phishing schemes in which fraudsters impersonating businesses attempt to steal personal information and money. This article continues to discuss the cybercrime accompanying Eurovision 2023.

Cybernews reports "Eurovision 2023: A Goldmine for Cybercriminals"

Christopher Ahlberg, CEO of Recorded Future, emphasizes that cybercriminals are racing to discover powerful new hacks using Artificial Intelligence (AI). While defenders benefit from generative AI in bolstering cybersecurity, attackers also see the benefits of using AI technology. Cybercriminals are using AI to launch novel and sophisticated attacks on a massive scale. According to Ahlberg, defenders are using the same technology to protect critical infrastructure, government organizations, and corporate networks. Generative AI capabilities have helped malicious actors improve and develop new attack tactics, allowing them to remain one step ahead of cybersecurity defenses. AI helps cybercriminals automate attacks, scan attack surfaces, and generate content that resonates with different geographic regions and demographics, thus enabling them to target a broader range of potential victims. Cybercriminals have adopted the technology to create legitimate-looking phishing emails. AI-generated text facilitates the creation of highly personalized emails and text messages that are more likely to deceive targets. As AI becomes more pervasive in society, lawmakers, judges, and other decision-makers must understand the technology and its potential consequences. In order to navigate the future of AI in threat hunting and beyond, it is essential to develop stronger alliances between technical experts and policymakers. The opportunities, challenges, and ethical considerations of AI are complex and evolving in cybersecurity. This article continues to discuss how AI is impacting cybercrime and cybersecurity operations.

ZDNet reports "ChatGPT and the New AI Are Wreaking Havoc on Cybersecurity in Exciting and Frightening Ways"

Users of the Advanced Custom Fields plugin for WordPress are urged to update to version 6.1.6. The plugin has been discovered to contain a vulnerability, tracked as CVE-2023-30777, which relates to reflected cross-site scripting (XSS). It could be exploited to inject arbitrary executable scripts into websites. The plugin has over two million active installations and is available in both free and paid versions. On May 2, 2023, the problem was detected and reported to the maintainers. According to Patchstack researcher Rafie Muhammad, this vulnerability allows any unauthenticated user to steal sensitive information and gain escalated privileges on the WordPress site by tricking a privileged user into visiting a crafted URL path. Reflected XSS attacks typically occur when victims are lured into clicking on a fraudulent link received via email or another method, enabling the malicious code to be transferred to the vulnerable website, where it is reflected back to the user's browser. Since reflected XSS attacks do not have the same reach and scale as stored XSS attacks, threat actors will spread the malicious link to as many victims as possible. This article continues to discuss the potential exploitation and impact of the vulnerability found in the Advanced Custom Fields plugin for WordPress.

THN reports "New Vulnerability in Popular WordPress Plugin Exposes Over 2 Million Sites to Cyberattacks"