News Items

Internet of Things (IoT) devices have become prevalent due to wearable fitness trackers, automotive key fobs, and smart home devices. Most of the information flow via IoT devices is vulnerable to attacks, as IoT security has not kept pace with technological advancements. Shantanu Chakrabartty, the Clifford W. Murphy Professor in the Preston M. Green Department of Electrical & Systems Engineering, and Mustafizur Rahman, a doctoral student in his lab, developed a prototype method to improve the security of these communications by using a Synchronized Pseudo-Random-Number Generator (SPRNG). The solution could be used to verify and authenticate secure IoT transactions. Chakrabartty and Rahman created a prototype synchronized self-powered timer array that is secure against manipulation, snooping, and side-channel attacks by using quantum-mechanical electron tunneling. They used Fowler-Nordheim (FN) quantum tunneling, in which electrons leap over a triangle barrier and alter its shape in the process. Chakrabartty stated that FN tunneling provides a far simpler and more energy-efficient link than existing methods that are too complex for computer modeling. Since it is self-powered, it is secure against attacks. This article continues to discuss the prototype method developed to better secure communications using an SPRNG.

Washington University in St. Louis reports "Making Internet of Things More Secure"

Ukrainian cyber police have recently disrupted a prolific phishing gang it claims made 160 million hryvnias ($4.3m) from victims across Europe. The Cyber Police of Ukraine claimed in a notice yesterday that over 30 locations were searched as part of the raids, including the homes of the accused, vehicles, and call centers. According to the police, mobile phones, SIM cards, and computer equipment were seized in the crackdown. The group is said to have created over 100 phishing sites offering heavily discounted goods which lured victims into attempting to purchase them. Once the phishers had victims' card details, they would use them for follow-on fraud. The police noted that scammers were also employed in two call centers in Vinnytsia and Lviv and were tasked with convincing shoppers to complete their purchases on the fake sites. The police claimed to have identified over 1000 victims in the Czech Republic, Poland, France, Spain, Portugal, and other European countries. The operation was carried out in cooperation with police officers from the Czech Republic. The police stated that two arrests were made in Ukraine of the suspected ringleaders, and another 10 individuals were detained in unnamed European countries. The suspected group leaders face charges under Part 4 of Art. 190 (fraud) and Part 1 of Art. 255 (creation, management, and participation in a criminal organization) of the Criminal Code of Ukraine. They could face up to 12 years in jail as a result.

Infosecurity reports: "Ukrainian Police Bust Multimillion-Dollar Phishing Gang"

As the market for cybersecurity insurance evolves, Lloyd's of London plans to exclude the majority of nation-state attacks from its coverage policies. In response to these changes, companies are reevaluating their cyber insurance plans. While Lloyd's decision does not explicitly exclude all nation-state or nation-inspired cyber incidents, it clarifies several coverage parameters. If organizations want to understand the risks that cyber insurance cannot handle, they must determine which policies provide the best value and coverage and investigate other risk treatment plans. Self-insurance may help businesses to better customize their insurance coverage and expenses. This article continues to discuss the opportunities and risks in self-insurance, improving security as an insurance strategy, and broader changes in the cyber insurance market.

Dark Reading reports "Organizations Consider Self-Insurance to Manage Risk"

RedGolf, a Chinese state-sponsored threat group, has been linked to the use of KEYPLUG, a custom Windows and Linux backdoor. According to Recorded Future, RedGolf is a prolific Chinese state-sponsored threat actor group that has likely been targeting various companies globally for many years. The group has demonstrated the ability to weaponize newly discovered vulnerabilities such as Log4Shell and ProxyLogon quickly. It has a history of creating and deploying various custom malware families. The threat actors' use of KEYPLUG was disclosed for the first time in March 2022 by Mandiant in attacks against multiple US state government networks between May 2021 and February 2022. In October 2022, Malwarebytes detailed a different wave of attacks targeting Sri Lankan government entities in early August that used a novel implant named DBoxAgent to deliver KEYPLUG. According to Recorded Future, Winnti, also known as APT41, Barium, Bronze Atlas, or Wicked Panda, closely overlaps with RedGolf in each of these campaigns. This article continues to discuss findings regarding the RedGolf group.

THN reports "Chinese RedGolf Group Targeting Windows and Linux Systems with KEYPLUG Backdoor"

Security researchers at SlashNext have discovered that roughly four out of five employees (71%) store sensitive work passwords on their personal phones, and 66% use their personal texting apps for work. The researchers also found that 95% of security leaders are increasingly concerned about phishing attacks via private messaging apps. The researchers stated that with the widespread use of personal mobile devices in the workplace, it is increasingly difficult for employers to ensure the security of sensitive information. In 2022, the researchers saw that the use of personal devices and personal apps was the direct cause of many high-profile corporate breaches. The researchers noted that this is a trend that will surely continue, as employees often use corporate and personal devices for work, effectively doubling the attack surface for cybercriminals. The researchers also found during their study that a majority (89%) of IT and security leaders acknowledged legal concerns about having access to employees' private data. According to roughly four out of five employers (81%), the solution to most of the issues above is providing employees with a separate phone just for work.

Infosecurity reports: "Over 70% of Employees Keep Work Passwords on Personal Devices"

National accounts receivable management company and debt buyer NCB Management Services has recently started informing roughly 500,000 individuals that their personal information was compromised in a data breach. The company stated that an unauthorized party compromised some of its systems on February 1 and "gained access to Bank of America credit card accounts information." The incident was discovered on February 4, and the data theft was confirmed on March 8. Exposed personal information, the company says, includes names, addresses, phone numbers, email addresses, birth dates, driver's license numbers, Social Security numbers, and employment positions. Financial information such as pay amounts, credit card numbers, routing numbers, account numbers and balances, and/or account statuses were also stolen. According to the company, the impacted credit card accounts had already been closed when the cyberattack occurred. The incident did not involve the compromise of Bank of America systems. The company also says it is unaware of the potentially accessed information being distributed or used maliciously. NCB did not share information on the type of cyberattack it suffered, but its description of the incident suggests that it engaged in communication with the attackers, which implies that a ransom demand might have been made.

SecurityWeek reports: "500k Impacted by Data Breach at Debt Buyer NCB"

The SafeMoon token liquidity pool lost $8.9 million following a hacker's exploitation of a new 'burn' smart contract function that artificially raised the price, allowing the actor to sell SafeMoon at a significantly higher price. Liquidity pools in Decentralized Finance (DeFi) platforms are large deposits of cryptocurrency that facilitate trading, provide market liquidity, and enable exchanges to operate without borrowing from a third party. John Karony, the CEO of SafeMoon, confirmed that the attack took place on March 28, affecting the SFM:BNB liquidity pool but not the platform's exchange. The blockchain security company PeckShield revealed additional information about the vulnerability exploited by the hacker to steal almost $9 million. According to PeckShield, a recent update included a new SafeMoon smart contract function that burns tokens. However, the function was inadvertently made accessible to the public, allowing anybody to execute it as they chose. Previously, Karony said that this system would only be used in emergencies, such as when the liquidity pool encounters risks with malicious smart contracts, excessive slippage, and more. The hacker used the function to burn large amounts of SafeMoon tokens, causing the token's price to skyrocket. This article continues to discuss the heist against SafeMoon carried out by a hacker.

Bleeping Computer reports "SafeMoon 'Burn' Bug Abused to Drain $8.9 Million from Liquidity Pool"

Several cybersecurity companies have warned that the official Windows desktop app for the widely used 3CX softphone solution has been trojanized by malicious actors suspected to be state-sponsored. 3CX is Private Automatic Branch Exchange (PABX) software that supports Voice over Internet Protocol (VoIP). It provides video conferencing and live chat features. 3CX has app versions for Windows, macOS, Linux, Android, and iOS, as well as a Chrome extension and a Progressive Web App (PWA) version, allowing the software to be accessed via any web browser. 3CX CISO Pierre Jourdan confirmed that the Windows version of the 3CX client app had been injected with malware, advising users to temporarily uninstall the app and use the PWA version until a clean version can be released. Researchers from Trend Micro and Crowdstrike revealed that macOS versions of the 3CX desktop app have also been compromised. It is still unclear when the trojanized versions began to be served to customers, but it is known that 3CX customers reported receiving threat alerts from SentinelOne as early as March 22. This article continues to discuss 3CX's legitimate apps being switched with trojanized ones.

Help Net Security reports "3CX Customers Targeted via Trojanized Desktop App"

Even though over 70 percent of companies claim to have an Insider Risk Management (IRM) program, a new report from Code42 Software found that data loss incidents increased by 32 percent among the same organizations. Based on a survey of 700 cybersecurity leaders, cybersecurity managers, and cybersecurity practitioners in the US, 71 percent expect increased data loss due to insider incidents during the next 12 months. Data loss caused by insiders is not new, but it has become increasingly complicated. Past Data Exposure Report (DER) research from Code42 Software focused on the primary causes of insider risks, such as workforce turnover and cloud adoption. According to Joe Payne, president and CEO of Code42 Software, the company's objective this year was to learn about the specific challenges security teams encounter while developing and managing insider risk programs. The report emphasizes that detection and response to insider incidents have become more difficult. Payne urges companies to reevaluate their approach to insider risks to ensure the effectiveness of technology and programs and foster cultures in which employees make safer data decisions. This article continues to discuss key findings from Code42 Software's DER regarding insider risks.

BetaNews reports "Companies Struggle to Protect against Insider Risks"

Security researchers at Salt Security have discovered that attacks targeting application programming interfaces (APIs) have increased by 400% in the last six months. The researchers also found that 80% of these attacks happened over authenticated APIs. During their study, the researchers surveyed 400 security professionals and API developers. Of the respondents, "94% of them have experienced security problems in production APIs over the past year, with 17% having experienced an API-related breach." Due to the impact of such security issues, nearly half (48%) of respondents said that API security had become a C-level discussion within their organization. The researchers stated that the rapid increase in attacks, in addition to the data provided by their survey respondents, reflects a growing understanding in the C-suite about the importance of purpose-built API security to reduce business risk. According to the researchers, API use substantially contributes to businesses' digital transformation. During the study, the researchers also found that API management has also become a significant business issue, with more than half of respondents (59%) saying they had to slow the rollout of new applications because of API security concerns. Only 23% said their existing security approaches were very effective at preventing API attacks. According to the researchers, 90% of investigations undertaken by Salt Labs uncovered API security vulnerabilities, and 50% of those discovered should be considered critical.

Infosecurity reports: "Attacks Targeting APIs Increased By 400% in Last Six Months"

Cybersecurity Snapshots #40 -

Trigona Ransomware

According to security researchers at Microsoft, a surge in workload identities, super admins, and "over-permissioning" is driving increased cyber risk for organizations running cloud infrastructure. The researchers calculated that over 40,000 permissions could be granted across the major cloud platforms and that over half of these are high-risk. Permissions refer to the authorization given to users or machines that enable them to access specific resources. The researchers noted that, unfortunately, a lack of visibility and control over these authorizations could be exposing organizations to the risk of cloud security breaches and misuse. The researchers found that user and workload identities are using just 1% of permissions granted for their day-to-day job functions. More than half (50%) of identities are defined as "Super Identities," meaning they have access to all permissions and all resources. Over 60% of all identities are inactive. The researchers noted that given that Super Identities can create and modify service configuration settings, add or remove identities, and access or delete data, it is concerning that less than 2% of permissions granted to these are actually used. The researchers stated that it is machine rather than human identities where some of the biggest risks lie. The number of cloud-based workload identities, including apps, VMs, scripts, containers, and services, has increased "exponentially," and these now outnumber human identities 10 to 1. The average percentage of inactive workload identities (80%) has doubled since 2021, and less than 5% of permissions granted are used by workload identities. The researchers stated that closing the permissions gap and reducing the risk of permission misuse requires organizations to implement the principle of least privilege. The researchers noted that this must occur consistently to all human and workload identities across multi-cloud environments. Organizations can achieve this at a cloud scale by adopting a Cloud Infrastructure Entitlement Management (CIEM) solution to continuously discover, remediate and monitor the activity of every unique user and workload identity across multi-cloud.

Infosecurity reports: "Just 1% of Cloud Permissions Are Actively Used"

Australian casino giant Crown Resorts recently confirmed that the Cl0p ransomware group contacted them to claim they had stolen data as part of the GoAnywhere attack. The incident occurred in late January when a zero-day vulnerability in Fortra's GoAnywhere managed file transfer (MFT) software was exploited to access files belonging to Fortra customers. The exploitation of the bug tracked as CVE-2023-0669 and patched in early February was attributed to a Russian-speaking threat actor associated with the Cl0p ransomware, which recently started adding the names of alleged victims to its Tor-based leak site. The Cl0p ransomware operators have claimed the theft of data from roughly 130 organizations that used GoAnywhere, with some of them already confirming potential impact. The company stated that no customer data had been compromised, and their business operations were unaffected. They noted that they would provide relevant updates as necessary.

SecurityWeek reports: "Casino Giant Crown Resorts Investigating Ransomware Group's Data Theft Claims"

According to BackBox, Information Technology (IT) professionals are frustrated by the increase in network update velocity and tech stack sprawl, the lack of support from leadership, and disagreements and concerns regarding methods of resolving network issues. When managed manually, network and security device updates are time-consuming and prone to human error, despite their importance. Ninety-two percent of network security and operations professionals cite an inability to keep up with network updates. In addition, 98 percent concur that network automation will enable their team to focus on more impactful tasks. Ninety-six percent of respondents believe that scaling is impossible without network automation. While 61 percent of organizations only upgrade network and security devices quarterly or less, 48 percent of respondents claim their company has not implemented or invested in network automation, leaving them vulnerable to security breaches and other major problems. This article continues to discuss key findings from BackBox's research on network operations and security.

Help Net Security reports "Ignoring Network Automation Is a Ticking Time Bomb for Security"

A new version of the NullMixer dropper incorporates polymorphic loaders from Dark Web Malware-as-a-Service (MaaS) and Pay-Per-Install (PPI) providers. It is being used to target organizations in North America, Italy, and France. The malware, which is a known threat, often installs a suite of downloaders, banking Trojans, stealers, and spyware on victims' computers in a single operation. According to a NullMixer analysis conducted by Security Affairs, further improvements make the threat considerably more dangerous because the malware can now adapt to any environment it infects. The analysis also describes how threat actors have used Search Engine Optimization (SEO) poisoning and malicious video tutorials to trick Information Technology (IT) staff into installing the new malware. The newly updated NullMixer malware has gained initial access to over 8,000 endpoints in just one month, stealing data to sell to brokers on underground marketplaces. This article continues to discuss the new NullMixer polymorphic malware variant.

Dark Reading reports "NullMixer Polymorphic Malware Variant Infects 8K Targets in Just a Month"

A new study conducted by researchers at the University of East Anglia's School of Psychology demonstrates how simple repetition can cause individuals to overshare, exposing themselves to the risk of identity theft and cybercrime. The research team suggests that a better understanding of why people divulge personal information could help in the development of solutions to the problem. Personal data is continuously getting mined, from online newspaper subscriptions to customer surveys. However, there are potential costs and security risks for consumers who share their personal information. The research team asked for a variety of personal information from 27 study participants, including their height, weight, phone number, and views on immigration, abortion, and politics. Then the participants ordered the questions from least to most intrusive and were asked how much of their personal information they would "sell" to be made available on a purpose-built website for two weeks. They were again asked how much information they would sell for even more money. Their information would appear for another two weeks. In a second, larger online study, 132 individuals were asked how much information they would sell at two different times, in addition to various personality questions. The first study showed that asking for actual personal information boosted information disclosed when it was requested again. This impact was mirrored in the second study, which found no change in people's related privacy concerns. People alter their behavior but not their opinions. This indicates that simple repetition can cause people to overshare. This article continues to discuss the new study on people over-disclosing their personal information due to repetition.

The University of East Anglia reports "How Repeated Questions Could Put You at Risk of Cybercrime"

A Nigerian man has recently been handed a four-year jail sentence for his role in a multinational criminal gang that scammed countless individuals and businesses over several years. Solomon Ekunke Okpe, 31, of Lagos, worked with others on business email compromise (BEC), work-from-home, check-cashing, romance, and credit card scams designed to cause losses in excess of $1m. After being arrested in Malaysia and extradited to Arizona after a two-year legal battle, Okpe pleaded guilty in December 2022 to conspiracy to commit wire, bank, and mail fraud. According to the FBI, the BEC schemes typically started with a phishing attack to hijack user inboxes. The gang would then email companies doing business with the victim, requesting payments to new bank accounts under its control. The work-from-home scams required the group to pose as online employers on job websites, using fictitious monikers. They would then hire individuals for legitimate-seeming jobs, which were actually a front for more fraudulent activity, including the creation of bank and payment accounts, transferring or withdrawing money from accounts, and cashing or depositing counterfeit checks. The FBI stated that Okpe and his co-conspirators also carried out romance scams by creating fake accounts on dating websites, engaging romantically with their victims, then tricking them into either transferring their funds overseas and/or receiving money from wire-transfer scams. Okpe stole tens of thousands of dollars from some victims, according to the Department of Justice (DoJ). One co-conspirator, Johnson Uke Obogo, was extradited from the UK and sentenced on March 20 to one year and one day in prison for his role in the fraud operation. The fraud schemes ran from December 2011 to January 2017.

Infosecurity reports: "Four Years Behind Bars for Prolific BEC Scammer"

Microsoft is implementing a new security feature for Exchange Online that will automatically start throttling and eventually block all emails sent from "persistently vulnerable Exchange servers" 90 days after the admins are pinged to secure them. These are Exchange servers in on-premises or hybrid environments running end-of-life software or that have not been patched against known security vulnerabilities. According to the Exchange Team, any Exchange server that has reached end-of-life, such as Exchange 2007, Exchange 2010, and soon Exchange 2013, is unpatched for known vulnerabilities. For example, Exchange 2016 and Exchange 2019 servers that are behind on security updates are regarded as continuously vulnerable. Microsoft says this new Exchange Online "transport-based enforcement system" has three primary functions: reporting, throttling, and blocking. The new system's primary goal is to help Exchange admins identify unpatched or unsupported on-premises Exchange servers, so they can update or patch them before they evolve into security risks. However, it will also be capable of throttling and eventually blocking emails from Exchange servers that have not been fixed prior to reaching Exchange Online mailboxes. This new enforcement system will only impact servers running Exchange Server 2007 using OnPremises connectors to send mail in order to enable fine-tuning before expanding to all Exchange versions. This article continues to discuss the new Exchange Online security feature.

Bleeping Computer reports "Exchange Online to Block Emails from Vulnerable On-Prem Servers"

Shadow Information Technology (IT) teams, also known as rogue IT teams, have become more prevalent in recent years because of the rise of cloud-based apps and remote work. This has led to operational stress and security risks within many companies. According to Capterra, 58 percent of small and midsize businesses (SMBs) have experienced high-impact shadow IT efforts. Half of SMBs believe shadow IT teams are most typically formed because employees lack understanding about the process for purchasing new technology. This is closely followed by the view that the IT department is excessively slow or cumbersome, cited by 41 percent of SMBs, and the creation of an incubator team without the IT department's awareness, cited by 37 percent of SMBs. Shadow IT initiatives lead to risks and consequences for businesses. For example, 89 percent of SMBs note unfavorable financial effects from past shadow IT efforts at their organization, such as paying fines and replacing the developed software. In addition, 76 percent of SMBs say the shadow IT effort poses a moderate to severe threat to the cybersecurity of their organization. This article continues to discuss key findings shared by Capterra regarding shadow IT efforts.

Help Net Security reports "Balancing Security Risks and Innovation Potential of Shadow IT Teams"

A new phishing campaign is targeting European entities to distribute Remcos RAT and Formbook using DBatLoader, a malware loader. According to Zscaler researchers, the malware payload is delivered through WordPress websites with authorized SSL certificates, which is a common tactic used by threat actors to circumvent detection engines. The findings expand upon a report published by SentinelOne last month that highlighted phishing emails with malicious attachments masquerading as financial documents in order to initiate the infection chain. Some of the file formats used to deliver the DBatLoader payload involve the use of obfuscated HTML files with many layers and OneNote attachments. As a result of Microsoft's decision to block macros by default in files downloaded from the Internet, there has been a rise in the use of OneNote files as an initial vector for spreading malware. DBatLoader, also known as ModiLoader and NatsoLoader, is a Delphi-based malware capable of distributing follow-on payloads through cloud services such as Google Drive and Microsoft OneDrive, and adopting image steganography to bypass detection engines. This article continues to discuss the DBatLoader malware loader being used to distribute Remcos RAT and Formbook.

THN reports "Stealthy DBatLoader Malware Loader Spreading Remcos RAT and Formbook in Europe"

Three researchers at CyLab, Carnegie Mellon University's security and privacy institute, recently received National Science Foundation (NSF) Faculty Early Career Development Program (CAREER) awards. Wenting Zheng, an assistant professor in the Computer Science Department (CSD), will develop a framework for automating Multiparty Computation (MPC), a cryptographic technique that enables organizations to perform complex computations on joint data sets without disclosing sensitive inputs to other parties. Dimitrios Skarlatos, an assistant professor in the CSD, will design and develop a scalable, heterogeneous, and secure virtual memory abstraction for today's data center computing. Assistant professor at the Human-Computer Interaction Institute (HCII) Sauvik Das will create and evaluate adversarial Machine Learning (ML) anti-surveillance methods against automated online identity recognition. This article continues to discuss the work of the three CyLab researchers supported through NSF CAREER awards.

CyLab reports "CyLab Researchers Earn NSF CAREER Awards"

After falling for a UK law enforcement honeypot operation, thousands of suspected cybercriminals have revealed their identities. The National Crime Agency (NCA) of the UK created a fake Distributed Denial-of-Service (DDoS)-for-hire website that prompted a large number of people to enter information that will be used to investigate them. Throughout the operation, multiple fake websites claiming to offer cybercriminal services were developed. The operation was part of a global effort by law enforcement to crack down on cybercriminals launching DDoS attacks against online businesses and users. During the operation, the NCA reported that "several thousand" individuals visited the websites and provided personal information in order to gain access to criminal services. Investigators disclosed that prospective consumers' information had been compiled and would be used to target cybercriminals. According to an NCA statement, all the NCA-operated websites have been designed to appear as if they provide the tools and services that enable cybercriminals to conduct these attacks. DDoS-for-hire services, also known as booter services, allow users to set up accounts and coordinate DDoS attacks in a matter of minutes. In the past, these attacks have shown to be very effective against companies, critical national infrastructure, and public services. This article continues to discuss the recent crackdown on DDoS-for-hire services.

ITPro reports "UK Crime Fighters Wrangle 'Several Thousand' Potential Cyber Criminals in DDoS-For-Hire Honeypot"

Researchers with a seafaring background at the Norwegian University of Science and Technology (NTNU) warn that cyberattacks on ships could have severe real-world consequences. Erlend Erstad, a Ph.D. candidate at NTNU, did not know of any reported safety accidents at this time. However, he cautioned that "unexplainable" incidents have occurred that have not yet been traced to a cyberattack or technical flaw. Erstad noted that there are unreported incidents in the industry because ship owners and charterers have not had proper reporting mechanisms until recently. According to Erstad, sailors have handled cyber issues similarly to other technical issues. At the turn of the century, cyberattacks on industrial systems, including nuclear enrichment facilities in Iran and several sections of the Ukrainian power grid, have demonstrated that digital interference can have a direct physical impact. Currently, there have been no publicly recognized hacks that have had a comparable impact on a ship, but cyberattacks on other shipping-related systems are well-known in the industry and marine academia. The researchers warn that this lack of public awareness does not mean that the risks do not exist. They want to raise awareness of these risks among seafarers and equip them with how to respond to such an attack. As Erstad explained, doing so raises the bar for attackers enough that these publicly available vulnerabilities do not harm shipping. This article continues to discuss cyberattacks on ships and what must be done to prevent such attacks.

The Record reports "Cyberattacks on the High Seas? Norwegian Sailors, Researchers Sound a Warning"