News Items

A new threat analysis report released by the cloud security provider Zscaler reveals patterns in the growth of phishing attacks in 2022. Based on data including 280 million transactions and an analysis of eight billion attempted attacks, the report found a 47 percent increase in phishing attacks in 2022. Attackers are using newer tools, such as Artificial Intelligence (AI), to strike organizations with inadequate security mechanisms. Phishing scams are a growing problem, and threat actors' methods are becoming more complex, thus making them more difficult to detect and thwart, according to the report. The number of attacks against the education sector has increased more than fivefold. Attackers have also shifted away from exploits associated with the coronavirus pandemic. According to the report, COVID-themed attacks accounted for 7.2 percent of phishing schemes in 2021, but just 3.7 percent in 2022. Additionally, the US remains the most targeted country for phishing attacks, a position it has traditionally held, with more than 65 percent of all phishing attempts occurring in the country. Some of the most commonly used techniques are SMS phishing, which applies voicemail-related phishing (vishing) to trick victims into opening malware attachments. Another commonly encountered approach is the use of sophisticated adversary-in-the-middle (AiTM) attacks that can help hackers circumvent multi-factor authentication (MFA) security. This article continues to discuss key findings from Zscaler's phishing report.

MeriTalk reports "Zscaler ThreatLabz Finds Alarming Growth in Phishing Attacks"

Hundreds of pension funds in the UK have been instructed to check whether their clients' data was stolen due to the Capita breach in March. Capita, the country's largest outsourcing firm, has contracts to manage the payment systems for pension funds used by more than 4 million people in the UK. Following the publication of sensitive data referencing home addresses and passport photos by the Black Basta ransomware gang, the company confirmed that it was investigating the release of the data allegedly stolen by the ransomware group. The Pensions Regulator has written to hundreds of pension funds, requesting that trustees contact Capita to find out if their data has been compromised. Capita has verified that there are currently some signs of limited data exfiltration from a small proportion of the impacted server estate, which could include customer, supplier, or colleague data. This article continues to discuss the Capita breach and UK pension funds being told to check on whether their clients' data had been stolen because of the breach.

The Record reports "UK Pension Funds Warned to Check on Clients' Data After Capita Breach"

The US Cybersecurity and Infrastructure Security Agency (CISA) has recently announced that proposed guidance for secure software development is now open to public review and opinion. For 60 days, the public can provide feedback on the draft self-attestation form for secure software development, which requires the providers of software for the government to confirm that specific security practices have been implemented. CISA stated that the self-attestation form has been drafted in line with the requirements of Memorandum M-22-18 (Enhancing the Security of the Software Supply Chain through Secure Software Development Practices) that the Office of Management and Budget (OMB) released in September 2022. CISA noted that this self-attestation form identifies the minimum secure software development requirements a software producer must meet and attest to meeting before their software subject to the requirements of M-22-18 may be used by Federal agencies. Per M-22-18's requirements, federal agencies may use specific software only if the developer has attested compliance with government-issued guidance on software supply chain security. The self-attestation requirement applies to software produced after September 14, 2022, to software-as-a-service products and other software receiving continuous code changes and to existing software when major version changes occur. Software developed by the federal agencies and freely available software used by the agencies does not fall in scope for M-22-18 and does not require self-attestation. CISA stated that software producers who utilize freely obtained elements in their software are required to attest that they have taken specific steps to minimize the risks of relying on such software in their products. Suppose a software producer cannot provide a completed self-attestation form. In that case, federal agencies are required to obtain documentation on development practices, to document measures taken to mitigate resulting risks, and to require a plan of actions and milestones (POA&M) from the software producer. Minimum attestation requirements described by the new guidance include secure development environments, efforts to maintain trusted source code supply chains, maintaining provenance data for all code, and automated vulnerability checks.

SecurityWeek reports: "CISA Asks for Public Opinion on Secure Software Attestation"

Lookout Threat Lab researchers discovered BouldSpy, a new Android surveillance malware used by the Law Enforcement Command of the Islamic Republic of Iran (FARAJA). Although the BouldSpy spyware includes ransomware capabilities, Lookout researchers have yet to see the malicious code use them, suggesting that the malware is still in development or that it is a false flag used by its operators. Exfiltrated data from the spyware's command-and-control (C2) servers revealed that BouldSpy was used to spy on over 300 people, including minority groups such as Iranian Kurds, Baluchis, Azeris, and potentially Armenian Christian groups. The malware was most likely used to counter and track illegal trade in weaponry, drugs, and alcohol. According to Lookout, FARAJA uses physical access to devices, likely obtained during detention, to install BouldSpy and further monitor the target after release. Researchers obtained and evaluated a large amount of exfiltrated data, which includes images and device communications such as screenshots of chats, video call recordings, and SMS records. The researchers also found photos of drugs, firearms, and official FARAJA documents, indicating that the spyware may be used by law enforcement. However, much of the victim data points to its broader use, suggesting targeted surveillance efforts against Iranian minorities. This article continues to discuss Iranian authorities using the BouldSpy Android malware to spy on minorities and traffickers.

Security Affairs reports "Iranian Govt Uses BouldSpy Android Malware for Internal Surveillance Operations"

The National Institute of Standards and Technology (NIST) is updating its Cybersecurity Framework (CSF) in order to better incorporate topics such as supply chain risk management and governance. The framework, first released in 2014, is a set of standards aimed at helping organizations assess, understand, manage, and mitigate security risks. While voluntary for the private sector, the framework serves as the foundation for many government policies worldwide, and the 2017 executive order "Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure" made it mandatory for US federal agencies. In addition, certain insurance companies have made the framework mandatory for specific industries, and organizations can also require the framework to be used within their supply chain. Previously, the framework was lightly updated every three to five years, with CSF 1.1 released in 2018. However, with significant changes in the cybersecurity landscape since then, NIST has considered a more significant overhaul for its framework that includes newer security and privacy resources and addresses recent changes in technologies and risks such as supply chain security. This article continues to discuss the update of NIST's CSF.

Decipher reports "NIST's Cybersecurity Framework Gets 'Significant Update'"

The US Air Force Academy successfully defended its title as champions of the National Security Agency's (NSA) annual NSA Cyber Exercise (NCX). The team won a three-day cyber competition that put US service academies, senior military colleges, and NSA professional development programs to the test in order to train them to defend the nation's cyber networks. The NCX trophy was presented to the Air Force Academy's cyber competition team by GEN Paul M. Nakasone, Commander, USCYBERCOM, Director, NSA/Chief, CSS. The US Military Academy came in second place, while the US Coast Guard Academy came in third, beating the US Naval Academy and senior military universities such as Norwich, Texas A&M, The Citadel, Virginia Military Institute, Virginia Tech, and the University of North Georgia. The NCX is a year-round program that ends in a three-day unclassified cyber competition. It fosters and tests cybersecurity skills, planning, communication, decision-making, and more. The theme this year was transportation and food infrastructure, including exercises focusing on data analysis, forensics, reverse engineering, and policy, as well as the final attack-and-defend cyber combat exercise. This article continues to discuss the US Air Force Academy winning the NCX as well as the structure and benefits of this competition.

NSA reports "US Air Force Academy Wins NSA Cyber Competition"

According to the Computer Emergency Response Team of Ukraine (CERT-UA), Russian hackers are sending malicious emails to different government bodies with instructions on how to upgrade Windows in order to defend against cyber threats. The Russian state-sponsored hacking group APT28, also known as Fancy Bear, according to CERT-UA, sent these emails and impersonated system administrators of the targeted government entities to fool their targets. The attackers created Outlook email addresses using real employee identities obtained through unknown ways during the attack's preliminary stages. Rather than normal instructions for upgrading Windows systems, the emails direct recipients to run a PowerShell command. This command downloads a PowerShell script to the computer, imitating a Windows update procedure while simultaneously downloading a second PowerShell payload. The second-stage payload is an information-harvesting tool that uses the 'tasklist' and 'systeminfo' commands to capture data and send it through an HTTP request to a Mocky service Application Programming Interface (API). Mocky is a legitimate tool that allows users to produce custom HTTP responses, which APT28 used for data exfiltration in this case. System administrators should restrict the ability to launch PowerShell on critical workstations and monitor network traffic for connections to the Mocky service API. This article continues to discuss APT28 using fake Windows Update guides to target various Ukrainian government bodies.

Bleeping Computer reports "Hackers Use Fake 'Windows Update' Guides to Target Ukrainian Govt"

Researchers found five vulnerabilities in servers run by over a dozen major companies, including Huawei, Qualcomm, Nvidia, AMD, Dell, and HP, in December. The flaws had CVSS scores ranging from 5.3 (medium severity) to 9.8 (critical). The flaws reside in firmware developed by American Megatrends International (AMI) for Baseboard Management Controllers (BMCs), which are processors manufactured by AMI. BMCs are chips that sit on motherboards and allow administrators to monitor and change almost everything on a machine, from applications and data down to low-level hardware. Nate Warfield, Eclypsium's director of threat research and intelligence, and Vlad Babkin, Eclypsium's security researcher, will argue that AMI's BMC flaws were symptomatic of something larger, and more structurally flawed, in firmware security. This article continues to discuss firmware security.

Dark Reading reports "Firmware Looms as the Next Frontier for Cybersecurity"

Experts are concerned about the overall impact that new fees for security features on social media accounts will have on overall cybersecurity. Many are questioning whether basic security should be available to all users, regardless of whether they pay for it. For example, as of March 20, 2023, only subscribers to Twitter Blue, an upgraded account that starts at $8 a month, can use two-factor authentication (2FA) through text messages. In the past, all users could set their accounts to send a text code for new logins to prevent unauthorized access. In addition, Meta recently announced that its new subscription package, Meta Verified, includes impersonation protection for Facebook and Instagram users as part of its paid features. Experts are concerned about the consequences of this change because social media is the source of many cybercrimes. Although all accounts will have basic protection, only users with the financial means to pay will have access to the additional protections. Other users who do not understand the advantages of premium accounts may not choose to subscribe. Therefore, limiting security features to premium accounts, according to experts, will increase the overall cybersecurity risk. This article continues to discuss the potential impact of paid social media account security features on cybersecurity.

Security Intelligence reports "Are Meta and Twitter Making Cybersecurity Less Accessible?"

A team of researchers from the Massachusetts Institute of Technology (MIT) and Stanford University are working on an operating system that includes built-in cybersecurity protection. This new operating system will be resilient against common cyberattacks and recover from ransomware infections in minutes. Michael Stonebraker, a serial technology entrepreneur and computer scientist at MIT, is one of the individuals behind the project, with his work on database systems having earned him the Turing Award in 2015. Matei Zaharia, an associate professor at Stanford University and the creator of the Apache Spark project, and Jeremy Kepnew, the head of the MIT Lincoln Laboratory Supercomputing Center, are collaborating with Stonebraker on the operating system. The system is based on databases that save and track all events and changes within the operating system. This article continues to discuss the new operating system with built-in cybersecurity defenses developed by MIT and Stanford researchers.

CyberScoop reports "MIT and Stanford Researchers Develop Operating System With One Major Promise: Resisting Ransomware"

The US Department of Homeland Security (DHS) Science and Technology Directorate (S&T) has announced seven awardees for the "Software Supply Chain Visibility Tools" topic call, which pursued innovative technologies to provide Software Bill of Materials (SBOMs)-based capabilities for enterprise, system administrator, and software development community stakeholders. S&T's Silicon Valley Innovation Program (SVIP) issued the solicitation, looking for open-source-based technical solutions to provide the transparency that forms the foundation of a high-assurance software supply chain, and to enable visibility into software supply chains and new risk assessment capabilities. Melissa Oh, managing director of the SVIP, stated that it is essential to use innovative tools to create a more transparent software supply chain in order to defend against the growing number of software attacks. The seven awardees will collaborate to develop two key software modules: a multi-format SBOM translator and a software component identifier translator, which will be distributed as open-source libraries and integrated into their SBOM-enabled commercial products. Software vulnerabilities are a major cybersecurity risk, with known exploits serving as the primary route for malicious actors to perpetrate a variety of harms. Allan Friedman, the US Homeland Security Department's Cybersecurity and Infrastructure Security Agency (CISA) senior advisor and strategist, noted that leveraging SBOMs as critical elements of software security could mitigate the risk to the software supply chain and improve the response to new threats more quickly and effectively. This article continues to discuss the new startup cohort formed by DHS S&T to bolster software supply chain visibility tools.

DHS reports "DHS S&T Forms New Startup Cohort to Strengthen Software Supply Chain Visibility Tools"

HSB, a Texas-based financial institution, alerted customers about a Business Email Compromise (BEC) attack that compromised the personal data of thousands of customers. The company notified the Maine Attorney General's Office that threat actors may have gained access to customer names or other personal identifiers with Social Security numbers (SSNs), potentially exposing more than 17,000 customers. Malicious actors can use stolen SSNs in conjunction with names and driver's license numbers to commit fraud. The bank claims to have observed "unusual activity" on a former company employee's email account. The investigation revealed that the former employee was the victim of a phishing attack. Between July 28 to July 29, 2022, the threat actors had unauthorized access to the individual's HSB email account. The unauthorized activity only involved this email account. The letter of notice attached to the HSB breach notification states that all essential banking systems were unaffected and remain secure. The sensitive customer data was contained by attachments in the former employee's emails. This article continues to discuss the exposure of over 17,000 HSB customers' SSNs due to a suspected cyberattack.

Cybernews reports "Texas Bank Breach Exposed Thousands of Social Security Numbers"

According to security researchers at Guardio Labs, a recent "malverposting" campaign linked to a Vietnamese threat actor has been ongoing for months and is estimated to have infected over 500,000 devices worldwide in the past three months alone. The researchers stated that malverposting is the use of promoted social media posts and tweets to propagate malicious software and other security threats, and in this case, the abuse of Facebook's Ads service to deliver malware. The researchers noted that the initial enabler for those numbers is the abuse of Facebook's Ads service as the first stage delivery mechanism responsible for this mass propagation. The researchers observed that the Vietnamese campaign relied on malverposting while it evolved various evasion techniques. It particularly focused on the USA, Canada, England, and Australia. The researchers noted that this threat actor is creating new business profiles as well as hijacking real, reputable profiles with even millions of followers. They also repeatedly posted malicious clickbait on Facebook feeds promising adult-rated photo album downloads for free. Once victims click on those posts/links, a malicious ZIP file is downloaded to their computers. Inside are photo files (that are actually masqueraded executable files) that, when clicked, will initiate the infection process. The executable then opens a browser window popup with a decoy website showing related content. The researchers noted that while in the background, the stealer will silently deploy, execute and gain persistence to periodically exfiltrate one's sessions cookies, accounts, crypto-wallets, and more. The researchers clarified that they observed several variations of the latest payload, yet all shared a benign executable file to start the infection flow.

Infosecurity reports: "Vietnamese Hackers Linked to 'Malverposting' Campaign"

Engineers at Jefferson Lab contributed to the design and construction of a photon detection system that is essential to photonics-based quantum computing and unbreakable encryption. Nuclear physicists and quantum information experts have demonstrated the capability of a photon-number-resolving system to resolve more than 100 photons accurately. This accomplishment represents a significant stride forward in the development of quantum computing capabilities. It may also facilitate the quantum generation of truly random numbers, a long-sought objective in the development of unbreakable encryption techniques for applications such as military communications and financial transactions. Recently, the detector was disclosed in Nature Photonics. This article continues to discuss the research on the resolution of 100 photons and quantum generation of unbiased random numbers.

Jefferson Lab reports "Counting Photons for Quantum Computing"

An Ohio man has recently been sentenced to four years and three months behind bars after stealing 712 bitcoin ($21m), which were seized by investigators following the arrest of his brother. According to the Department of Justice (DoJ), Gary James Harmon, 31, of Cleveland, stole the cryptocurrency, which was the subject of "pending criminal forfeiture proceedings" in the case of his sibling, Larry Dean Harmon. Larry Harmon was arrested in February 2020 for operating a dark web cryptocurrency mixer known as Helix. It was used to launder over 350,000 Bitcoin, valued at the time of the transactions at over $300m, but which are now worth $10.3bn. The DoJ noted that the funds came from customers operating on dark web markets. During Harmon's arrest, law enforcers seized a cryptocurrency storage device containing funds generated by Helix, which were subject to forfeiture, meaning they were confiscated by the state. However, investigators were unable to recover the Bitcoin stored on the device due to built-in security features. The DoJ stated that Gary Harmon used his brother's logins to recreate and access the wallets stored on the device, transferring over 712 bitcoin to his own wallet. The digital currency was worth $4.8m at the time but is worth many times more today. Gary Harmon then laundered these funds through two online Bitcoin mixers before using the digital currency to finance some large purchases. Following his arrest, he subsequently agreed to forfeit to the state the crypto he stole, including over 647 Bitcoin, 2 Ethereum, and 17.4 million Dogecoin, which have a combined value in excess of $20m. Larry Harmon pleaded guilty to money laundering conspiracy in his case in August 2021.

Infosecurity reports: "Man Gets Four Years for Stealing Bitcoins Seized by Feds"

A software patch has been made available to prevent cybersecurity threats to patient care, genomic data, and provider networks posed by software vulnerabilities in benchtop and production-scale genomic sequencing instruments manufactured by Illumina. According to a letter to healthcare providers from the US Food and Drug Administration (FDA), malicious actors could take control of the devices, alter the software and patient test results, or compromise a provider's network and exfiltrate protected data. The FDA issued a statement to healthcare providers and laboratory personnel regarding the necessary steps to mitigate cybersecurity risks in Illumina's sequencing instruments. According to a medical advisory from the US Homeland Security Department's Cybersecurity and Infrastructure Security Agency (CISA), the vulnerability affects the universal copy service in various versions of device control and operating software. The FDA noted that some laboratories may be using Illumina genomic sequencing devices for clinical diagnostic applications. In addition to the FDA and CISA, the FBI urges healthcare organizations to remain vigilant regarding medical device cybersecurity. The agency reports that risks associated with out-of-date software and a lack of security features in older hardware in unpatched, active medical devices are being increasingly targeted. In the event of a data compromise, genomic data is especially concerning. This article continues to discuss genomic device software vulnerabilities.

HealthITNews reports "FDA, CISA Advise on Genomic Device Software Vulnerabilities"

A collection of 38 Minecraft clones on Google Play infected devices with the Android adware HiddenAds in order to secretly load advertisements in the background to generate revenue for the operators. Numerous game publishers have attempted to replicate the success of Minecraft, a sandbox game with 140 million monthly active users. About 35 million Android users downloaded games resembling Minecraft that hid the adware, primarily from the US, Canada, South Korea, and Brazil. These users did not notice the adware activity taking place in the background because they were able to play the games as advertised. Additionally, any potential overheating, increased network data usage, or battery consumption caused by loading advertisements may be attributed to the game. The adware set was discovered by McAfee's Mobile Research Team, which was formed to defend Google Play against all forms of threats. All of the apps have been removed from the store following their reporting. This article continues to discuss Minecraft copycat games on Google Play infecting devices with the Android adware HiddenAds.

Bleeping Computer reports "Android Minecraft Clones With 35M Downloads Infect Users With Adware"

According to George Kurtz, CEO of CrowdStrike, and Michael Sentonas, president of the company, 71 percent of enterprise cyberattacks in 2022 were conducted without malware. At this year's RSA Conference, Kurtz and Sentonas walked the audience through a case study of how easily a threat actor can not only penetrate a network but also move laterally and remain undetected, showing the difficulty cybersecurity teams face when attempting to detect malwareless compromises. They detailed the "Spider" cybercrime group as a prime example of the phenomenon. Endpoint Detection and Response (EDR) and other malware detection technologies are not particularly useful for defending the enterprise against malware-free cyberattacks as there is no malicious code to detect. Instead, organizations are advised to focus on collecting as much telemetry as possible from the endpoint to the cloud and managing identity to the smallest details. However, after collecting all of this telemetry and identity data, teams are left with enormous amounts of information that are not particularly useful for threat hunting. This is where Artificial Intelligence (AI) and Machine Learning (ML) can be applied effectively to search for anomalous activity, such as newly created user accounts, to detect malicious activity without malicious code. This article continues to discuss the rise in malware-free cyberattacks and how to detect them.

Dark Reading reports "Malware-Free Cyberattacks Are on the Rise; Here's How to Detect Them"

Out-of-Band over Existing Communication (OBEC) is a novel communications technology developed at the Johns Hopkins University Applied Physics Laboratory (APL) to provide secure access to networks experiencing disruptions or cyberattacks. APL is one of seven federal laboratories to receive funding from the Science and Technology Directorate (S&T) of the Department of Homeland Security (DHS) in the latest round of the Commercialization Accelerator Program (CAP). The OBEC technology enables the creation of a new, physically isolated Out-of-Band (OOB) network on an existing Ethernet infrastructure, without the need for additional networking equipment or wireless connections. OOB communications occur outside of the normal systems, allowing users to communicate privately and securely, even on a compromised network. Alexander Beall, an electrical engineer at APL and project manager in the Asymmetric Operations Sector's Cyber Operations Mission Area, emphasizes that Industrial Control System (ICS) network connectivity is essential to operating and managing facilities and their processes. Cyberattacks on the network can have wide-reaching and severe effects, potentially endangering operators' safety, disrupting critical operations, and causing costly downtime. Beall and OBEC co-inventor Joseph Moore say that OOB communication supports network resilience, situational awareness, and secure management of networked devices by establishing alternative communication paths to manage network infrastructure devices. These alternative paths separate non-essential traffic from operational traffic, preventing hackers from compromising network infrastructure or interfering with network operations. This article continues to discuss APL's OBEC technology and its boost from DHS.

The Johns Hopkins University Applied Physics Laboratory reports "Johns Hopkins APL's Out-of-Band Communications Technology Receives Boost From Department of Homeland Security"

A team of researchers at the University of Glasgow published a paper describing their method, ThermoSecure, which discovers passwords and PINs. ThermoSecure involves using a combination of thermal imaging technology and Artificial Intelligence (AI) to expose passwords on input devices such as keyboards, touchpads, and touch screens. According to the researchers, during testing, ThermoSecure effectively attacked 6-symbol, 8-symbol, 12-symbol, and 16-symbol passwords with an average accuracy of 92 percent, 80 percent, 71 percent, and 55 percent, respectively. Furthermore, these results were based on relatively 'cold' evidence, and the paper adds that thermal images captured within 30 seconds provide even greater accuracy. The system requires a thermal camera, which has become significantly less expensive in recent years. According to the research paper, a useful device may only cost $150. In regard to AI, the system uses a Mask RCNN-based object detection technique that essentially maps the thermal image to keys. In three phases, variables such as keyboard localization are considered, followed by key entry and multi-press detection, and then algorithms determine the order of key presses. This article continues to discuss the research on thermal attacks against passwords.

Tom's Hardware reports "Thermal Cameras and Machine Learning Combine to Snoop Out Passwords"

According to (ISC)2, as cybersecurity policies and regulations evolve rapidly worldwide, greater collaboration is necessary to ensure more robust and resilient frameworks to support shared learning and best practices. The international cybersecurity non-profit has led new research in collaboration with the Royal United Services Institute (RUSI), a British think tank, examining cybersecurity legislation and regulation within the UK, the US, Canada, the EU, Japan, and Singapore. The RUSI and (ISC)2 researchers identified various challenges shaping cyber policy across all six jurisdictions, including the need to tackle the shortage of skilled cybersecurity professionals and the growing importance of protecting the critical national infrastructure (CNI). While these two priorities are shared by all six jurisdictions analyzed, the study provides valuable insights on the different approaches these countries take to solve them. The researchers stated that by bringing together insights from different jurisdictions and stakeholders, the study also shows the importance of cooperation between private and public stakeholders and that policymakers increasingly seek harmonization of cyber policy. The researchers stated that it is important to understand which policies are effective in increasing cyber resilience and how they impact businesses and the cyber workforce implementing them. The researchers noted that "ally countries should adopt "a proactive, rather than reactive, approach toward cybersecurity policy and collaborate across borders, industries, and sectors to establish common standards, protocols, and best practices." The research was conducted from December 2022 to March 2023 and was primarily based on a review of existing literature about policies enacted or proposed within the six jurisdictions between 2019 and 2023.

Infosecurity reports: "(ISC)2 Urges Countries to Strengthen Collaboration on Cybersecurity Regulation"

Google has recently revealed details of a new legal campaign to pursue the operators of prolific information-stealing malware, which has so far infected an estimated 670,000 computers. Google launched a civil case against several of CryptBot's major distributors, which it said are likely based in Pakistan. Google stated that to hamper the spread of CryptBot, the court has granted a temporary restraining order to bolster their ongoing technical disruption efforts against the distributors and their infrastructure. The court order allows Google to take down current and future domains that are tied to the distribution of CryptBot. Google noted that this will slow new infections from occurring and decelerate the growth of CryptBot. Google stated that lawsuits have the effect of establishing both legal precedents and putting those profiting and others who are in the same criminal ecosystem under scrutiny. CryptBot is typically hidden in legitimate-seeming but maliciously modified software like Google Earth Pro and Google Chrome. Google stated that if consumers unwittingly download the software, the CryptBot malware will get to work stealing authentication credentials, social media account logins, cryptocurrency wallets, and more from their machines.

Infosecurity reports: "Google Goes After CryptBot Distributors"

Microsoft has recently claimed that recent attacks exploiting two vulnerabilities in the PaperCut print management software are likely the result of a Clop ransomware affiliate. The two bugs in question are CVE-2023-27350, a critical unauthenticated remote code execution flaw, and CVE-2023-27351, a high severity unauthenticated information disclosure flaw. The former has a CVSS score of 9.8. Microsoft Threat Intelligence attributed recent attacks exploiting the bugs to "Lace Tempest," a threat actor it says overlaps with FIN11 and TA505. FIN11 is linked to the infamous Clop ransomware gang and the Accellion FTA extortion campaign, while TA505 is reportedly behind the Dridex banking Trojan and Locky ransomware. Microsoft stated that also known as DEV-0950, Lace Tempest is a Clop ransomware affiliate that has previously been detected using GoAnywhere exploits and Raspberry Robin malware in ransomware campaigns. Microsoft said the threat group exploited the PaperCut bugs in attacks as early as April 13. Microsoft stated that in observed attacks, Lace Tempest ran multiple PowerShell commands to deliver a TrueBot DLL, which connected to a C2 server, attempted to steal LSASS credentials, and injected the TrueBot payload into the conhost.exe service. Next, Lace Tempest delivered a Cobalt Strike Beacon implant, conducted reconnaissance on connected systems, and moved laterally using WMI. The actor then identified and exfiltrated files of interest using the file-sharing app MegaSync. Microsoft noted that other groups might also be exploiting the two PaperCut vulnerabilities in the wild, noting that some intrusions had led to the deployment of the prolific LockBit ransomware.

Infosecurity reports: "Microsoft Blames Clop Affiliate for PaperCut Attacks"

According to Dynatrace, as hybrid and multi-cloud environments become more complex and teams continue to rely on manual processes that make it easier for vulnerabilities to enter production environments, it becomes more difficult for CISOs to keep software secure. DevSecOps adoption is hindered by the continued use of siloed tools for development, delivery, and security tasks. This emphasizes the increasing need for observability and security to converge in order to fuel data-driven automation that enables development, security, and Information Technology (IT) operations teams to deliver faster, more secure innovation. Sixty-eight percent of CISOs report that vulnerability management has become more difficult due to the increased complexity of their software supply chain and cloud ecosystem. Before deployment in production environments, only 50 percent of CISOs are confident that the software delivered by development teams has been thoroughly tested for vulnerabilities. Additionally, 77 percent of CISOs say it is difficult to prioritize vulnerabilities due to a lack of information about the risk they pose to their environment. Fifty-eight percent of vulnerability alerts that security scanners alone flag as "critical" are not significant in production, wasting development time pursuing false positives. On average, members of development and application security teams dedicate 28 percent of their time, or 11 hours per week, on vulnerability management tasks, which could be automated. This article continues to discuss key findings from Dynatrace's report on CISOs struggling to manage risk due to DevSecOps inefficiencies.

Help Net Security reports "CISOs Struggle to Manage Risk Due to DevSecOps Inefficiencies"