News Items

According to Pindrop, the rise and adoption of Artificial Intelligence (AI), an impending recession, and the return of pre-pandemic fraud techniques are driving record rates of fraud attacks against consumers and businesses. States with restrictions on biometrics use are twice as likely to experience fraud. During periods of economic instability, fraud increases. In the fourth quarter of 2022, financial institutions experienced a 53 percent year-over-year increase in fraudulent activity. Fraudsters are taking advantage of data from the dark web and testing it in the Interactive Voice Response (IVR) to identify high-value accounts and attack those accounts together with other fraudsters. Retail has become one of the verticals with the highest incidence of fraud, with one in 347 calls to call centers supporting online retailers being fraudulent. This article continues to discuss key findings from Pindrop's Voice Intelligence and Security Report.

Help Net Security reports "Pre-Pandemic Techniques Are Fueling Record Fraud Rates"

UK-based photo editing, graphic design, and publishing software developer Affinity recently informed its forum members of a data breach that occurred on April 6. The company said a hacker gained access to forum user data after compromising an administrator's account. The adversary may have accessed information such as username, reputation, join date, post count, email addresses, and the last used IP address. The company noted that while most of the compromised information is already public, the email address and IP are not, and this type of information can be useful to malicious actors for targeted phishing attacks. It is unclear how many users had their data compromised, but the Affinity forum has nearly 175,000 members. The company said it's confident that user passwords were not compromised in the breach. The Affinity forum data breach has been reported to the UK Information Commissioner's Office (ICO), and steps have been taken to prevent such incidents in the future. It's unclear how the administrator account was compromised, but in many of these types of incidents, account hacking is possible because two-factor authentication has not been used.

SecurityWeek reports: "Creative Software Maker Affinity Informs Customers of Forum Breach"

Domino Backdoor is a new malware linked by security researchers to former members of the prolific Conti and FIN7 groups. It has been used to launch information-stealing malware, which involves the same techniques and source code as the infamous groups, indicating the formation of a new and dangerous alliance. IBM Security X-Force found Domino in the fall of 2022 and raised the alarm when an attack in February 2023 linked the new malware to former members of the Conti. Domino Backdoor is a 64-bit Dynamic-Link Library (DLL) with an undiscovered backdoor capable of delivering additional malicious payloads to infected systems. Once executed on a system, the malware determines the victim's username and hostname, uses this information to generate a hash, and then adds its own process ID. It then decrypts its configuration block, which contains two IP addresses for its command-and-control (C2) server and an RSA public key. The program then generates a random 32-byte key that is encrypted using the RSA key. Then it contacts its C2 using one IP address if the infected system is connected to a domain and the other IP address if it is not, and begins to harvest and encrypt core system data. It was observed decrypting and deploying its own payload using AES-256-CBC in a lab environment. Domino Backdoor and Domino Loader were discovered sharing code with Lizar, a malware with ties to the FIN7 cybercrime group, and using C2 addresses similar to those employed by FIN7 for its SSH-key-based backdoors. In addition, Domino Backdoor samples from December 2022 were discovered using the NewWorldOrder Loader, which FIN7 previously employed to install the Carbanak Backdoor malware. This article continues to discuss the new Domino Backdoor malware.

ITPro reports "New Domino Backdoor Malware Linked to Ex-Conti, FIN7 Criminals"

Palo Alto Networks Unit 42 found the Vice Society ransomware group exfiltrating data from a victim network using a custom-built Microsoft PowerShell script. Using this PowerShell tool, the threat actors are circumventing software and/or human-based security detection mechanisms. PowerShell scripting is commonly used in a typical Windows environment. A PowerShell-based tool can enable threat actors to hide in plain sight and execute their code while avoiding detection. Early in 2023, the researchers observed the gang exfiltrating data from a victim network using a script named w1.ps1. They were able to retrieve the script from the Windows Event Log (WEL). The PowerShell data exfiltration script created by Vice Society is a simple data exfiltration tool, with multi-processing and queuing used to prevent the script from consuming an excessive amount of system resources. The script focuses on files over 10 KB with file extensions and on directories on its "include list." According to researchers, the nature of PowerShell scripting in the Windows environment makes it difficult to completely prevent this type of threat. This article continues to discuss the Vice Society ransomware operators using a PowerShell tool to exfiltrate data from compromised networks.

Security Affairs reports "Vice Society Gang Is Using a Custom PowerShell Tool for Data Exfiltration"

It is important to protect social media users from harassment and bullying while also taking steps to protect their privacy. A team of researchers from four leading universities has proposed using Machine Learning (ML) technology to identify potentially risky conversations on Instagram without eavesdropping on them. The discovery could provide platforms and parents with the ability to protect vulnerable, younger users while maintaining their privacy. The team led by researchers from Drexel University, Boston University, Georgia Institute of Technology, and Vanderbilt University recently published their work on investigating what type of data input, such as metadata, text, and image features, could be most useful for ML models to identify risky conversations. Their findings suggest that risky conversations can be identified based on metadata characteristics, such as conversation length and participant engagement. Afsaneh Razi, Ph.D., an assistant professor in Drexel's College of Computing and Informatics and co-author of the study, stated that the prevalence of harassment, abuse, and bullying by malicious users is very concerning, considering Instagram's popularity among young people. Instagram makes its users feel safe enough to connect with others very openly. After the Cambridge Analytica scandal and the European Union's precedent-setting privacy protection regulations, platforms are under increasing pressure to protect their users' privacy. Therefore, Meta, the company behind Facebook and Instagram, is implementing end-to-end encryption for all platform messages, indicating that the message content is technologically protected and can only be accessed by those involved in the conversation. However, this increased degree of security makes it more difficult for platforms to use automated technology to detect and prevent online threats, which is why the team's system could play a crucial role in protecting users. This article continues to discuss the system developed to use ML to help flag risky messages on Instagram while preserving users' privacy.

Drexel University reports "Machine Learning Can Help to Flag Risky Messages on Instagram While Preserving Users' Privacy"

OpDefender, a technology created at Idaho National Laboratory (INL) for the US Department of Homeland Security (DHS), is founded on the principle of minimizing the attack surface as much as possible. Operational control technology exists at all levels of the nation's critical infrastructure, switching breakers at substations, opening floodgates at dams, and opening and closing valves in oil refineries and water treatment facilities. If left unprotected, Industrial Control Systems (ICS) are so vulnerable that anyone with basic programming skills can shut down a substation, leaving thousands of people in the dark. OpDefender operates on the premise that no device on a network of control systems can be trusted. It includes network switches that analyze and filter network packets in real-time, enabling operators to implement "whitelisting" rules. Its human-machine interface prevents any device from communicating with a network until an administrator has configured it. By default, an alarm sounds when a network receives data from a device that has not been whitelisted. OpDefender's proprietary software enables it to function as a "smart" switch, differentiating between routine and suspicious communications. When suspicious communication is detected, the system quarantines the packet and notifies a human operator. The operator then controls which commands reach the ICS via a simple interface. OpDefender, unlike detection systems that require span ports and big data analysis, analyzes packets in real-time and only flags violations. This article continues to discuss the capabilities, development, testing, and support of the OpDefender technology.

Idaho National Laboratory reports "Making a Smaller Target for Hackers: Technology Keeps Industrial Control Systems Safer by Limiting Online Access"

The US Cybersecurity and Infrastructure Security Agency (CISA) recently added CVE-2023-20963 to its Known Exploited Vulnerabilities Catalog. CISA has given the government until May 4 to patch the zero-day vulnerability, which was allegedly exploited by an e-commerce app to eavesdrop on users. The high severity vulnerability was patched by Google last month after the firm said it may be under "limited, targeted exploitation." CISA stated that Android Framework contains an unspecified vulnerability that allows for privilege escalation after updating an app to a higher Target SDK with no additional execution privileges needed. Mobile security company Lookout confirmed late last month that the vulnerability, which has a CVSS score of 7.8, was being exploited by malicious versions of the Pinduoduo Android app. At least two versions of the popular Chinese e-commerce app available from third-party app stores were to blame. With over 750 million monthly active users, Pinduoduo is one of the world's most popular destinations for online shopping. The firm has denied its software is malicious, even though the two apps analyzed by researchers were apparently signed with an official key. The Pinduoduo app has been temporarily pulled from the official Play store, but most Chinese consumers rely on third-party app stores to source their Android downloads. Although the CISA catalog of known vulnerabilities is designed to force federal government agencies to improve patching processes, it is also strongly recommended that private enterprises use the same tool to help prioritize their efforts in this area.

Infosecurity reports: "CISA: Patch Bug Exploited by Chinese E-commerce App"

Russia's cyber capabilities are not to be underestimated, but NATO neighbors are more than capable of defending themselves against the Kremlin, according to the Lithuanian cyber chief. Constant cyberattacks from Russia are launched against the nations that border Moscow's empire. Everything is on the agenda, from ransomware attacks to attack attempts against critical infrastructure. As demonstrated by the war in Ukraine, military operations are often accompanied by cyber operations, prompting NATO and EU members such as Lithuania to develop tools and methods to defend against numerous and better-resourced adversaries. Liudas Alisauskas, the head of Lithuania's National Cyber Security Centre (NCSC), believes that one way to meet the challenge is by fostering local talent and forming partnerships with the most skilled hackers. Cybernews sat down with Alisauskas to discuss how the frontline NATO member defends against Moscow's hackers, whether Russia can still be considered a significant power after a year of disastrous warfare, and the impact of attacks launched by pro-Russian hacktivists such as Killnet. This article continues to discuss NATO members' defense against Moscow's hackers.

Cybernews reports "Genius Hackers Help Russia's Neighbors Thwart Cyber Incursions"

A Chinese nation-state group targeted an unnamed Taiwanese media organization to deliver Google Command and Control (GC2), an open-source red teaming tool, as part of a broader exploitation of Google's infrastructure for malicious purposes. Google's Threat Analysis Group (TAG) attributed the campaign to a threat actor it monitors as HOODOO, also known as APT41, Barium, Bronze Atlas, Wicked Panda, and Winnti. The attack begins with a phishing email containing links to a password-protected file hosted on Google Drive, which incorporates the GC2 tool to read commands from Google Sheets and exfiltrate data via the cloud storage service. After installation on a victim's computer, the malware queries Google Sheets for commands. In addition to exfiltration via Drive, GC2 allows the download of other files from Drive onto the victim system. Google reported that the same malware was previously used to target an Italian job search website in July 2022. The development is noteworthy because it suggests that Chinese threat actors are increasingly relying on publicly accessible tools, such as Cobalt Strike and GC2, to obfuscate attribution efforts. It also indicates that malware and tools written in the Go programming language are gaining popularity due to its cross-platform compatibility and modularity. This article continues to discuss APT41's use of GC2 and other findings surrounding the threat actor.

THN reports "Google Uncovers APT41's Use of Open Source GC2 Tool to Target Media and Job Sites"

Extended Internet of Things devices (xIoT) are attractive to cyberattackers aiming to move laterally within enterprise networks and establish persistence. Such devices have everything the bad guys need to gain a foothold as xIoT devices are significantly under-secured, present in large numbers, present in sensitive network areas, and are typically not well monitored. Brian Contos, a security researcher and strategist, explains that xIoT devices typically fall into three device categories that have all proliferated in business environments. The first category consists of enterprise IoT devices, such as cameras, printers, IP phones, and door locks. The second category consists of Operational Technology (OT) devices, such as industrial robots, valve controllers, and other digital equipment used to regulate physics in industrial settings. General network devices, such as switches, network-attached storage, and gateway routers, are the third and often the least-remembered category. Contos has explored how these devices can be used to launch massive attacks against enterprise resources, as well as what security strategists should do to mitigate the threat. This article continues to discuss the use of xIoT devices by attackers to establish persistence across networks and what enterprises should start doing about the risk.

Dark Reading reports "Why xIoT Devices Are Cyberattackers' Gateway Drug for Lateral Movement"

The Coastal Virginia Center for Cybersecurity Innovation (COVA CCI), the Commonwealth Cyber Initiative (CCI) node for southeastern Virginia, has awarded $581,100 to seven maritime industry-focused cybersecurity research projects. Old Dominion University, Christopher Newport University, and the College of William and Mary submitted proposals in response to the COVA CCI request for proposals titled "Addressing Cybersecurity Compliance Challenges to Technology Adoption for the Maritime Industry." Researchers were asked to collaborate with maritime industry partners to resolve barriers to technology adoption resulting from or related to cybersecurity compliance issues. The projects seek to eliminate or mitigate cybersecurity obstacles to adopting new technologies such as cloud computing, 5G connectivity, and Machine Learning (ML). The projects include "Applying Risk Assessment Methodology to Produce Cyber-Hardened 5G Communication Capabilities for Autonomous Maritime Platforms," "Machine Learning-Enabled Dependency Network Analysis for Quantifying Risks and Ripple Effects Stemming from Cybersecurity Non-Compliance Issues," "Spotlighting and Mitigating Cyber Attacks in Artificial-Intelligence-of-Things (AIoT)-Enabled Maritime Transportation Systems," and more. This article continues to discuss the awarded projects aimed at addressing maritime cybersecurity needs.

Old Dominion University reports "ODU Researchers Receive Grants to Address Maritime Cybersecurity Needs"

Passwords may soon become obsolete. However, the need for authentication and secure website access remains as strong as ever. Passkeys are digital credentials that are stored on a user's mobile device or computer. They are similar to actual keys. Access to a passkey is gained by logging into a device with a Personal Identification Number (PIN), a swipe pattern, or biometrics such as fingerprint or facial recognition. A user configures their online accounts to trust their computer or phone. In order to access accounts, a hacker would need physical access to the user's device and the ability to login in. Sayonnha Mandal, lecturer in interdisciplinary informatics and cybersecurity researcher at the University of Nebraska, believes that passkeys provide quicker, simpler, and more secure sign-ins and reduce human error in password security and authorization procedures. Passkeys eliminate the need to remember passwords and eliminate the need for two-factor authentication (2FA). Passkeys are created through public-key cryptography. They use a public-private key pair to guarantee a mathematically protected private relationship between the user's device and the online account being accessed. Since it would be almost impossible for a hacker to guess the passkey, the device from which the passkey is accessed must be physically at hand. This article continues to discuss Mandal's insights on how passkeys work and why they matter.

The Conversation reports "What Are Passkeys? A Cybersecurity Researcher Explains How You Can Use Your Phone to Make Passwords a Thing of the Past"

Louisiana State University (LSU) and the US Secret Service (USSS) have a formal agreement for the development of cyber technology and cyber talent, as well as for state and national security. The Memorandum of Understanding (MOU) strengthens interactions and collaborations between the agency and the university in research, talent, and outreach. LSU and the USSS have agreed to advance cyber-physical system security and forensics knowledge, operational processes, and tools through collaboration. The partnership will provide LSU faculty and students with the opportunity to gain insight into and work on pertinent, real-world law enforcement and protective services challenges, as well as increase the Secret Service's access to LSU's talented students and nationally renowned cybersecurity expertise. The partnership will drive agency-specific research projects, connect students with agents directly, defend vulnerable Louisiana residents from cyberattacks, and more. This article continues to discuss the partnership between LSU and the USSS aimed at addressing cyber challenges.

Louisiana State University reports "LSU and US Secret Service Partner to Address Cyber Challenges for Louisiana, Nation"

According to the Identity Theft Resource Center (ITRC), the volume of US data breaches fell in Q1 2023, but the number of notices with no actionable information contained within grew by 20% from the previous quarter. The ITRC is a non-profit that tracks publicly reported data breaches and leaks in the US and has been dismayed by the growing reluctance of breached firms to share important information about incidents. The ITRC argued that this means that those impacted can't make accurate assessments about the risk of data compromise and what actions they should take following a breach involving their data. The number of data breaches with no actionable information about the root cause of the compromise grew from just five in Q1 2021 to 155 a year later and 187 in Q1 2023. Eva Velasquez, president, and CEO of the ITRC stated that it is troubling to see the trend of a lack of actionable information in data breaches continue from 2022. Velasquez said that among the top ten breaches they saw in Q1, 60% did not include information about the root cause of the event, compared to 40% in Q4 2022. This means individuals and businesses remain at a higher risk of cyberattacks and data compromises. Last year, the ITRC claimed that only a third (34%) of breach notices included both victim and attack details, the lowest figure in five years and a 50% decline from 2019. The total number of reported breaches declined 13% from the previous quarter to 445 for the first three months of 2023. The number of victims decreased by 65% to 89 million. The ITRC noted that healthcare topped the list of most breached sectors for the third consecutive quarter, followed close behind by financial services. Incidents in the manufacturing and utilities, technology, healthcare, and transportation sectors impacted the most people. Velasquez claimed that the number of victims and compromises usually falls in Q1 each year.

Infosecurity reports: "Volume of Opaque Breach Notices Surges in Q1"

Alex Polyakov, CEO of the security company Adversa, only needed a couple of hours to break GPT-4. In March, when OpenAI released the latest version of its text-generating Artificial Intelligence (AI)-driven chatbot, Polyakov started entering prompts into the chatbot designed to circumvent OpenAI's safety systems. He eventually had GPT-4 making inappropriate remarks, writing phishing emails, and supporting violence. Polyakov is among a handful of security researchers, technologists, and computer scientists who are devising jailbreaks and prompt injection attacks against ChatGPT and other generative AI systems. The jailbreaking process seeks to create prompts that enable the chatbots to bypass restrictions on producing hateful content or writing about illegal acts. Prompt injection attacks can covertly insert malicious data or instructions into AI models. The attacks are a form of hacking that exploits system vulnerabilities with carefully crafted and refined sentences rather than code. Although the attack types are primarily used to circumvent content filters, security researchers warn that the rush to deploy generative AI systems increases the risk of cybercriminals stealing data and wreaking havoc on the web. Polyakov has developed a "universal" jailbreak that is effective against multiple Large Language Models (LLMs), such as GPT-4, Microsoft's Bing chat system, Google's Bard, and Anthropic's Claude. This article continues to discuss security researchers' work on jailbreaking LLMs to demonstrate the avoidance of safety rules.

Wired reports "The Hacking of ChatGPT Is Just Getting Started"

Cybersecurity company Darktrace issued a statement recently after it was named on the leak website of the LockBit ransomware group. In the statement, the company noted that the cybercriminal gang was claiming that they had compromised Darktrace's internal security systems and had accessed their data. The company stated that its security teams had run a full review of their internal systems and could see no evidence of compromise. Darktrace noted that they would continue to monitor the situation extremely closely, but based on their current investigations, they are confident that their systems remain secure and all customer data is fully protected. On LockBit's leak website, the post suggested that data was stolen from Darktrace and that the cybercriminals were asking for a $1 million ransom. The fake data on the LockBit site was apparently test data posted by the hackers while doing maintenance. A recent Twitter post from Singapore-based threat intelligence firm DarkTracer, which is unrelated to Darktrace, read, "The reliability of the RaaS service operated by LockBit ransomware gang seems to have declined." The cybercriminals were not happy with DarkTracer's allegations but confused it with UK-based Darktrace and published a post suggesting that they had hacked Darktrace. These types of mistakes are not uncommon for ransomware groups. It's worth noting that there is also no evidence that LockBit targeted DarkTracer either. LockBit has also been known to make false claims when it comes to cybersecurity companies.

SecurityWeek reports: "Darktrace Denies Getting Hacked After Ransomware Group Names Company on Leak Site"

European police have recently arrested five individuals in an attempt to bust a criminal network believed to have made $98m from tens of thousands of victims through investment fraud. According to Europol, some 33 German law enforcers teamed up with their peers in Bulgaria, Romania, Georgia, and Israel to search 15 locations, including five illegal call centers. Europol noted that the two action days in March were a follow-up to operations undertaken against the same criminal gang in 2021 and enabled police to glean new evidence that revealed a much larger cost to victims than the 15m euros first estimated. Europol stated that the fraudsters lured potential victims through legitimate-looking website advertising and social media, encouraging them to make small initial investments of between 200-250 euros. Contact center workers then called the individuals, tricking them with fake "graphics" showing the purportedly large profits they'd already made and promising even bigger returns if they invested more. Europol claimed that persistently low interest rates at the time of the scheme (2019-21) made the high-risk investments more attractive to the victims. In reality, their funds went straight to the gang members' bank accounts. In the latest crackdown, police seized high-value assets, including luxury watches, electronic equipment, cash, bitcoins, bank cards, and various documents. An estimated 33,000 victims lost money to the gang. Investment fraud cost victims an estimated $3.3bn in 2022, making it the highest-grossing cybercrime category that year.

Infosecurity reports: "Five Arrests in Crackdown on $98m Investment Fraud Gang"

Read The Manual (RTM) Locker is a developing cybercriminal group that operates as a private Ransomware-as-a-Service (RaaS) provider and conducts opportunistic attacks to generate illicit profit. According to a report by the cybersecurity company Trellix, the RTM Locker gang uses affiliates to extort victims, all of whom must adhere to the gang's strict rules. The group's business-like structure, in which members are required to remain active or notify the gang of their departure, demonstrates its organizational maturity, as has been observed with other groups, such as Conti. RTM Locker, first identified by ESET in February 2017 as a banking malware targeting Russian companies via drive-by downloads, spam, and phishing emails, started in 2015. Since then, the group's attack chains have evolved to deliver ransomware to compromised hosts. This article continues to discuss the RTM Locker cybercrime group.

THN reports "RTM Locker: Emerging Cybercrime Group Targeting Businesses with Ransomware"

The leading research agency of the Intelligence Community is moving forward with a plan to create new cybersecurity defenses by exploiting the decision-making biases and cognitive weaknesses of would-be hackers. Reimagining Security with Cyberpsychology-Informed Network Defenses (ReSCIND) is a program for which the Intelligence Advanced Research Projects Activity (IARPA) has issued a broad agency announcement soliciting contract bids. The solicitation describes a 45-month, three-phase program with the objective of identifying cognitive vulnerabilities relevant to cyberattackers and cognitive models to predict attacker behavior. The ultimate goal is to develop Adaptive Psychology-informed defenses involving specific defenses based on attacker behavior. Cyberpsychology has developed into the study of human interactions with Internet-connected devices, often focusing on domains in which web-based tools have the potential to impact mental health, such as social media, or also influence decision-making, such as e-commerce. This article continues to discuss the ReSCIND program that looks to exploit psychological biases among hackers for cyber defense.

FCW reports "IARPA's Plan to Hack the Brains of Hackers"

Google and other companies will develop and launch new initiatives aimed at providing policy guidance to governments and legal protection to security researchers engaged in "good faith" vulnerability research and disclosure. The tech giant also announced that it would formalize an internal policy to be transparent when vulnerabilities in Google products are exploited in the wild. The moves include establishing an industry-led Hacking Policy Council and a nonprofit that would fund the legal fees of security researchers who are sued or prosecuted for conducting vulnerability research. The council will consist of representatives from bug bounty companies HackerOne, BugCrowd, and Luta Security, as well as the cybersecurity law firm Venable. It will bring together like-minded organizations and leaders who will advocate for new policies and regulations that support best practices for vulnerability management and disclosure without jeopardizing the security of users. This article continues to discuss the new initiatives that will provide policy guidance to governments and legal protection to security researchers.

SC Media reports "Hacking Policy Council Launched to Support Security Research and Disclosures"

The US Homeland Security Department's Cybersecurity and Infrastructure Security Agency (CISA) has announced the release of the "Considerations for Cyber Disruptions in an Evolving 911 Environment" document. Nationwide, Emergency Communications Centers (ECCs) are transitioning from older, legacy systems to NG911. NG911's enhanced connectivity introduces new vectors for threats that can disrupt ECC operations. For example, ECCs may experience cyber incidents due to malicious actors or a faulty software update to a managed service provider's network. Therefore, ECCs should ensure that their Continuity of Operations (COOP) plans define processes and procedures for responding to cyber incidents. The document was developed by CISA, SAFECOM, and the National Council of Statewide Interoperability Coordinators (NCSWIC) to help ECCs create or update their COOP plans to better respond to cyber incidents as they transition to NG911. The document discusses the threat vectors for NG911 systems and provides considerations for updating COOP plans, such as identifying alternate ECCs, maintaining data, and engaging partners. This article continues to discuss the release of the "Considerations for Cyber Disruptions in an Evolving 911 Environment" document.

CISA reports "SAFECOM and NCSWIC Develop Considerations for Cyber Disruptions in an Evolving 911 Environment"

Video surveillance giant Hikvision recently informed customers that it has patched a critical vulnerability affecting its Hybrid SAN and cluster storage products. The vulnerability tracked as CVE-2023-28808 has been described by the vendor as an access control issue that can be exploited to obtain administrator permissions by sending specially crafted messages to the targeted device. The impacted products are used by organizations to store video security data, and an attacker exploiting the vulnerability could gain access to that data. The company stated that while they are not aware of this vulnerability being exploited in the field, they recognize that some of their partners may have installed Hikvision equipment that is affected by this vulnerability, and they strongly encourage them to work with their customers to install the patch and ensure proper cyber hygiene. Hikvision noted in its advisory that an attacker needs to have network access to the targeted device in order to exploit CVE-2023-28808. Hikvision announced on April 10 that patches are included in version 2.3.8-8 for Hybrid SAN and version 1.1.4 for cluster storage devices. The vendor has provided detailed instructions for installing the updates.

SecurityWeek reports: "Critical Vulnerability in Hikvision Storage Solutions Exposes Video Security Data"

A KYOCERA Android printing app has been found to be vulnerable to improper intent handling, which enables malicious apps to exploit the vulnerability to download and potentially install malware on affected devices. According to a security advisory published by JVN, a state-supported portal dedicated to promoting security awareness, the flaw, tracked as CVE-2023-25954, affects KYOCERA Mobile Print, UTAX/TA Mobile Print, and Olivetti Mobile Print. Although the apps have different publishers, they are all based on the same code, so the flaw affects all three. The application class of KYOCERA Mobile Print allows data transmission from malicious third-party mobile apps, which could result in the download of malicious files. Furthermore, by using the KYOCERA Mobile Print web browser function, malicious sites can be accessed, and malicious files can be downloaded and executed, leading to the theft of sensitive information on mobile devices. This article continues to discuss the potential exploitation of CVE-2023-25954 impacting KYOCERA Mobile Print, UTAX/TA Mobile Print, and Olivetti Mobile Print apps.

Bleeping Computer reports "KYOCERA Android App With 1M Installs Can Be Abused to Drop Malware"

According to NETSCOUT, HTTP/HTTPS application-layer attacks have increased by 487 percent since 2019, with the most significant increase occurring in the second half of 2022. Much of the increase stems from the pro-Russian group Killnet and other groups targeting websites. This type of attack preceded the invasion of Ukraine, bringing down critical financial, government, and media sites. In the second half of 2022, the greatest volume of Distributed Denial-of-Service (DDoS) alert traffic in one day reached 436 petabits and over 75 trillion packets. Service providers scrubbed a substantial portion of this traffic, while enterprises stopped an additional daily average of 345 terabytes of unwanted traffic. In the past three years, direct-path attacks have increased by 18 percent, while traditional reflection/amplification attacks have decreased by nearly the same percentage, highlighting the need for a hybrid defense strategy to withstand fluctuating attack methods. This article continues to discuss the dynamic nature of the DDoS threat landscape, DDoS attacks reaching record highs in the second half of 2022, and the rise in carpet-bombing attacks targeting ISP networks.

Help Net Security reports "DDoS Alert Traffic Reaches Record-Breaking Level of 436 Petabits in One Day"