News Items

  • news

    "Passkeys Unlock a New Era for Authentication"

    Many people consider computer passwords inconvenient and insecure, and cybercriminals continue to crack and abuse them. Industry estimates suggest that almost 80 percent of all breaches involve passwords. Even advanced multifactor authentication (MFA) does not solve the underlying issue: determined attackers have used social engineering to get around it and gain access to accounts. According to Chester Wisniewski, CTO of Applied Research at Sophos, passkeys offer a way forward. Passkeys eliminate passwords, and although they are not a silver bullet against cyberattacks, they provide a more convenient and more secure framework for authentication. Rik Turner, principal analyst at Omdia, considers passkey technology the most effective available way to make computing safer, expects its prevalence to grow over the next few years, and predicts it will become the de facto standard for both businesses and consumers. Solving the age-old problem of creating, maintaining, and changing inherently insecure passwords will, however, shift the threat landscape rather than end it. If passkeys become widespread, attackers can be expected to move their efforts to after authentication, stealing data from browsers and devices once a user has logged in. Wisniewski points to cookie and session-token theft, already a growing problem that lets attackers impersonate users, as one such avenue. Turner notes a current practical drawback: passkeys cannot yet be automatically synced across devices on different platforms. This article continues to discuss experts' insights on passkey adoption, its advantages, and potential downsides.

    CACM reports "Passkeys Unlock a New Era for Authentication"

  • news

    "Power On: New Testing Instrument"

    Researchers at the University of Nevada, Reno, are working to strengthen power grids' resilience, stability, and cybersecurity. They may soon have a new tool for protecting energy supplies. This tool consists of large-scale digital simulators for cyber-physical energy systems. These simulations can be used to test processes and hardware that could protect the power grid against cyberattacks and natural disasters. Associate Professor of Electrical and Biomedical Engineering Mohamed Ben-Idris and his collaborators recently received a grant from the National Science Foundation (NSF) to acquire a real-time digital simulator and set up a large-scale testbed. This new testbed's potential users include university researchers, students, and their industry partners. Faculty and students working on cyber-physical energy systems, which are intelligent systems that add new capabilities to energy systems through the integration of communication, computation, information, and control, will be able to test solutions for power-grid issues in a virtual environment prior to implementing them in the real world. Researchers will use the large-scale digital simulator for various studies, including developing components required for secure information exchange. This article continues to discuss the new testing tool, considered the only one of its kind in Nevada, that enables the expansion of research into power grids, including cybersecurity-related studies.

    The University of Nevada, Reno reports "Power On: New Testing Instrument"

  • news

    "Hackers Used Fortra Zero-Day to Steal Sales Data from Cloud Management Giant Rubrik"

    Cloud data management company Rubrik has disclosed that it was attacked through a flaw in a widely used file transfer tool. The Clop ransomware group, which has been exploiting a vulnerability in Fortra's GoAnywhere Managed File Transfer (MFT) product, recently added Rubrik to its list of victims. According to a company spokesperson, a third-party assessment indicates that the attackers did not gain access to any client data protected by Rubrik. Instead, using the widely publicized GoAnywhere zero-day, they gained access to one of Rubrik's non-production Information Technology (IT) testing environments. The data affected was primarily internal sales data, including customer and partner names, business contacts, and a small number of distributor purchase orders. The third-party security firm examining the incident reported that no sensitive personal information, such as Social Security numbers, financial account numbers, or credit card numbers, was present on the compromised systems. Rubrik CISO Michael Mestrovich noted that more than 100 companies are being actively exploited through the GoAnywhere flaw. Managed file transfer services such as GoAnywhere MFT are prime targets for nation-state and criminal hackers because of the sensitive information they hold and their widespread adoption by businesses. This article continues to discuss the exploitation of the Fortra zero-day to steal data from Rubrik.

    The Record reports "Hackers Used Fortra Zero-Day to Steal Sales Data from Cloud Management Giant Rubrik"

  • news

    "Hoxhunt ChatGPT / Cybersecurity Research Reveals: Humans 1, AI 0"

    Hoxhunt, a security awareness and behavior change company, has issued a report analyzing the effectiveness of ChatGPT-generated phishing attempts. The study compared the success rate of simulated phishing attacks written by human social engineers with those produced by Artificial Intelligence (AI) Large Language Models (LLMs). While the potential for ChatGPT to be used for malicious phishing continues to attract attention, Hoxhunt's research shows that human social engineers still outperform the AI at persuading users to click on dangerous links. Among the sampled email users, professional red teamers achieved a 4.2 percent click rate compared to ChatGPT's 2.9 percent, and humans outperformed the AI at deceiving other humans 69 percent of the time. This article continues to discuss the effectiveness of ChatGPT-generated phishing attacks.

    PR Newswire reports "Hoxhunt ChatGPT / Cybersecurity Research Reveals: Humans 1, AI 0"

  • news

    "Over 700 Million Credentials Exposed and 22 Million Devices Infected in 2022"

    SpyCloud's latest Identity Exposure Report reveals that its researchers retrieved 721.5 million exposed credentials from the criminal underworld and discovered over 22 million unique devices infected with malware in the last year. Around 50 percent of the exposed credentials recovered by SpyCloud came from botnets, which are often used to deploy information-stealing malware. Such malware enables cybercriminals to steal valid passwords, cookies, auto-fill data, and other important information for use in targeted attacks. According to Trevor Hilligoss, director of security research at SpyCloud, the widespread use of infostealers is a dangerous trend because it opens the door for malicious actors, such as Initial Access Brokers (IABs), who sell malware logs containing accurate authentication data to ransomware syndicates and other criminals. Information-stealing malware variants have been found to be simple, inexpensive, and scalable, fostering a robust underground economy with an "anything-as-a-service" model to facilitate cybercrime. This broker/operator relationship is a profitable business with a low cost of entry. Additionally, researchers recaptured nearly 22 billion device and session cookies that could grant cybercriminals access to sensitive data by allowing them to circumvent multifactor authentication (MFA) and hijack an active session. This article continues to discuss key findings shared in SpyCloud's Identity Exposure Report.

    BetaNews reports "Over 700 Million Credentials Exposed and 22 Million Devices Infected in 2022"

  • news

    "YoroTrooper Group Targets European, CIS Countries in Cyberespionage Campaigns"

    Over the past nine months, a previously unknown Russian-speaking threat actor has run cyber espionage campaigns against government, energy, and international organizations in Azerbaijan, Kyrgyzstan, Tajikistan, and European nations, using a mix of commodity and custom malware. Researchers from Cisco Talos track the group behind the campaigns as YoroTrooper and say it has been active since at least June 2022. The actor uses phishing as its initial access vector, tailoring emails and attachments to each target organization and registering typosquatted or lookalike domains for the lures. YoroTrooper has compromised the embassies of Turkmenistan and Azerbaijan and stolen credentials from at least one account at a European health care agency. In its campaigns the group uses commodity Remote Access Trojans (RATs) and information-stealing malware alongside custom Python implants. Despite some overlaps with and connections to known groups such as the PoetRAT operators, researchers have concluded that YoroTrooper is a separate entity running its own operations. This article continues to discuss researchers' findings and observations regarding the YoroTrooper group.

    Decipher reports "YoroTrooper Group Targets European, CIS Countries in Cyberespionage Campaigns"

  • news

    "FakeCalls Android Malware Targets Financial Firms in South Korea"

    Security researchers at Check Point Research have spotted a new Android vishing (voice phishing) malware tool targeting victims in South Korea by impersonating 20 leading financial institutions in the region. Dubbed "FakeCalls," the malware baits victims with fake loan offers and asks them to confirm their credit card numbers, which are then stolen. The researchers describe FakeCalls as a Swiss army knife: beyond its primary aim it can also extract private data from the victim's device. They discovered over "2500 samples of the FakeCalls malware in a combination of mimicked financial organizations and implemented evasion techniques." The malware developers took special care with the technical side of their creation, implementing several unique and effective anti-analysis techniques not previously observed in the wild to keep the malware away from antivirus programs, and devising mechanisms to disguise the resolution of the command-and-control servers behind the operation. The researchers warned that the techniques used by FakeCalls could be reused in other applications targeting other markets around the world.

    Infosecurity reports: "FakeCalls Android Malware Targets Financial Firms in South Korea"

  • news

    "Russian Cyberspies Abuse EU Information Exchange Systems in Government Attacks"

    Security researchers at BlackBerry have observed the Russia-linked cyberespionage group APT29 abusing two legitimate information exchange systems used by European governments. APT29 is a Russian advanced persistent threat (APT) actor focused mainly on cyber espionage; believed to be sponsored by the Russian Foreign Intelligence Service (SVR), it is also tracked as Cozy Bear, the Dukes, Nobelium, and Yttrium. In a recently observed campaign aimed at EU governments, the group sent phishing emails with a malicious document attached, using the Polish Foreign Minister's recent visit to the US as a lure. Another lure abuses multiple legitimate systems, including LegisWrite and eTrustEx, two official services used for information and data sharing among European governments. LegisWrite is an editing program that allows secure document creation, revision, and exchange between governments within the European Union, and its use in the lure indicates that the threat actor is specifically targeting state organizations within the EU. The malicious document includes a link to an HTML file hosted on a compromised online library website based in El Salvador. That file is APT29's dropper, known as RootSaw or EnvyScout, which relies on HTML smuggling to write an IMG or ISO file to the victim's system; in this campaign an ISO was dropped from the compromised domain. The image contains two files: a shortcut (.lnk) file that runs specified command line arguments and a DLL. When run, the DLL achieves persistence via a newly created registry key, collects information about the target system, and sends it to its command-and-control (C&C) server. APT29 abuses the API of the widely used note-taking application Notion for C&C, which lets it disguise its traffic as benign. According to BlackBerry, the group stripped all metadata from the shortcut file to avoid leaking information about its operating environment.

    SecurityWeek reports: "Russian Cyberspies Abuse EU Information Exchange Systems in Government Attacks"
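
    HTML smuggling, the delivery step described above, works by having JavaScript inside the page assemble the payload on the client: decode an embedded base64 string, wrap it in a Blob, create an object URL for it, and force a download, so that no file ever crosses the network as a file for a gateway to inspect. The Python triage function below is an added example for this page, not BlackBerry's or APT29's code; it scores a saved HTML attachment against those indicators and extracts the filename a forced download would write. The indicator list, the weights, and the sample HTML are constructed for illustration.

```python
"""Flag HTML-smuggling indicators in a saved HTML attachment or landing page."""
import re
from dataclasses import dataclass, field

# Constructed sample (not the actual APT29 page): JavaScript decodes an embedded
# base64 payload, wraps it in a Blob and triggers a download of an ISO image.
SAMPLE_HTML = """<html><body>
<script>
var payload = "UEsDBBQAAAAIAA...";            // base64 blob, truncated for the example
var bytes = Uint8Array.from(atob(payload), c => c.charCodeAt(0));
var blob = new Blob([bytes], {type: 'application/octet-stream'});
var a = document.createElement('a');
a.href = URL.createObjectURL(blob);
a.download = 'Agenda.iso';
document.body.appendChild(a);
a.click();
</script>
</body></html>"""

BENIGN_HTML = "<html><body><p>Minutes attached as PDF.</p></body></html>"

# Each indicator: (name, regex, weight). The weights are an assumption for this example.
INDICATORS = [
    ("base64_decode", re.compile(r"\batob\s*\(|Buffer\.from\([^)]*base64"), 2),
    ("blob_constructor", re.compile(r"new\s+Blob\s*\("), 2),
    ("object_url", re.compile(r"URL\.createObjectURL\s*\(|msSaveOrOpenBlob"), 3),
    ("forced_download", re.compile(r"\.download\s*=|\bdownload\s*=\s*['\"]"), 2),
    ("programmatic_click", re.compile(r"\.click\s*\(\s*\)"), 1),
    ("disk_image_name", re.compile(r"['\"][^'\"]+\.(?:iso|img|vhd|vhdx)['\"]", re.I), 3),
]


@dataclass
class Verdict:
    score: int
    hits: list = field(default_factory=list)
    dropped_files: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # Threshold is an assumption: a Blob + object URL alone is normal web-app code.
        return self.score >= 6


def analyze_html(html: str) -> Verdict:
    """Score the document against the smuggling indicators and list forced-download names."""
    verdict = Verdict(score=0)
    for name, pattern, weight in INDICATORS:
        if pattern.search(html):
            verdict.hits.append(name)
            verdict.score += weight
    # Filenames assigned to the download attribute tell you what would land on disk.
    verdict.dropped_files = re.findall(r"download\s*=\s*['\"]([^'\"]+)['\"]", html)
    return verdict


if __name__ == "__main__":
    for label, doc in (("sample", SAMPLE_HTML), ("benign", BENIGN_HTML)):
        v = analyze_html(doc)
        print(f"{label}: suspicious={v.suspicious} score={v.score} "
              f"hits={v.hits} drops={v.dropped_files}")
```

    Blob and createObjectURL are common in legitimate web applications, so the score is a triage aid rather than a verdict; the strongest single signal here is a forced download of a disk image (.iso or .img) from a document that arrived by email, which is exactly the chain described above. Detonating HTML attachments at the mail gateway and blocking the mounting of untrusted ISO files on endpoints address the same step from the other side.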

  • news

    "DEV-1101 Updates Open Source Phishing Kit"

    Security researchers at Microsoft have been tracking a threat actor known as DEV-1101 that develops and advertises an open source adversary-in-the-middle (AiTM) phishing kit. The actor began offering the kit in 2022 and has since made several enhancements, including the ability to manage campaigns from mobile devices and evasion features such as bypassing CAPTCHA pages. The kit is written in NodeJS with PHP reverse-proxy capabilities, offers automated setup, and evades detection through an antibot database. It also supports campaign management through Telegram bots and ships with several ready-made phishing pages impersonating services such as Microsoft. On June 12, 2022, DEV-1101 announced that the kit would be open source with a $100 monthly licensing fee, and provided links to additional Telegram channels and a now-defunct GitHub page. Months later, DEV-1101 upgraded the kit again to allow server management through a Telegram bot instead of cPanel. The actor raised the tool's price multiple times as its user base grew rapidly from July through December 2022; it currently sells for $300, with VIP licenses at $1,000, and legacy users were permitted to continue purchasing licenses at $200 before January 1, 2023. Microsoft observed several threat actors using the kit to run large-scale phishing campaigns sending millions of phishing emails per day.

    Infosecurity reports: "DEV-1101 Updates Open Source Phishing Kit"

  • news

    "This is What Happens When Your Phone is Spying on You"

    According to a team of computer scientists from New York and San Diego, smartphone spyware apps that allow people to spy on each other are difficult to notice and detect, and easily leak the sensitive personal information they collect. Spyware apps are often used by abusers to secretly spy on a spouse or partner, despite being advertised as tools for monitoring children and employees. These apps require little technical expertise as they provide clear installation instructions and only need temporary access to the victim's device. After installation, they secretly record the victim's device activities, including text messages, emails, photos, and calls. The apps also enable abusers to remotely access this information via a web interface. Between September 2020 and May 2021, the number of devices containing spyware apps rose by 63 percent. Enze Liu, a Ph.D. student in computer science at the University of California, San Diego, and their colleagues conducted an in-depth technical analysis of 14 of the most popular spyware apps for Android phones. They discovered that spyware apps use various approaches to secretly record data. One app was found to use an invisible browser capable of streaming live video from the device's camera to a spyware server. The apps can also record phone calls using the device's microphone, sometimes activating the device's speaker to capture conversations. Several apps also take advantage of smartphone accessibility features designed to read what appears on the screen to vision-impaired users. These features effectively enable spyware to record keystrokes. The team also discovered a number of techniques used by the spyware apps to hide on the target's device. This article continues to discuss the findings from the study "No Privacy Among Spies: Assessing the Functionality and Insecurity of Consumer Android Spyware Apps."

    UC San Diego Today reports "This is What Happens When Your Phone is Spying on You"

  • news

    "NSA Releases Recommendations for Maturing Identity, Credential, and Access Management in Zero Trust"

    The National Security Agency (NSA) has released a Cybersecurity Information Sheet (CSI) titled "Advancing Zero Trust Maturity throughout the User Pillar" to help system operators mature their Identity, Credential, and Access Management (ICAM) capabilities and counter specific cyber threat techniques. NSA notes that malicious actors are increasingly exploiting immature ICAM capabilities in national security, critical infrastructure, and Defense Industrial Base (DIB) systems. The zero trust model limits access to only what is required and assumes that a breach will occur or has already occurred. NSA is helping Department of Defense (DOD) customers integrate the zero trust framework within National Security System (NSS), DOD, and DIB environments, and further guidance will help organize, guide, and simplify the incorporation of zero trust principles and designs into enterprise networks. Reaching a mature zero trust framework requires integrating and harmonizing the capabilities associated with seven pillars: users, devices, data, application/workload, network/environment, visibility and analytics, and automation and orchestration. This article continues to discuss NSA's release of recommendations for maturing ICAM capabilities for zero trust.

    NSA reports "NSA Releases Recommendations for Maturing Identity, Credential, and Access Management in Zero Trust"

  • news

    "Phishing Campaigns Use SVB Collapse to Harvest Crypto"

    Security researchers at Proofpoint have uncovered several new phishing campaigns using the collapse of Silicon Valley Bank (SVB) as a lure to steal cryptocurrency. The researchers spotted lures related to USD Coin (USDC), a digital stablecoin pegged to the dollar that was affected by the SVB collapse. The campaign used messages impersonating several cryptocurrency brands, sent through malicious SendGrid accounts and containing SendGrid URLs that redirected to several domains asking the victim to claim their crypto or redeem it to USD. Clicking the button attempts to open a DeFi URL, so the victim needs a DeFi handler such as the MetaMask wallet installed; the victim is then lured into approving a smart contract that transfers the contents of their wallet to the attacker. Circle, the payments technology firm behind USDC, which had exposure to SVB, announced that USDC would remain redeemable 1:1 for the dollar, and that announcement sparked additional phishing campaigns. Researchers at Cyble spotted several phishing sites impersonating Circle and promoting the 1:1 redemption; some ask users to scan a QR code to proceed, which results in their crypto wallet being compromised.

    Infosecurity reports: "Phishing Campaigns Use SVB Collapse to Harvest Crypto"

  • news

    "Key Aerospace Player Leaks Sensitive Data"

    According to research by Cybernews, aviation company Safran Group left itself exposed to cyberattacks for over a year, highlighting how vulnerable major aviation companies are to being targeted by threat actors. The Cybernews research team found that the French-headquartered company, the eighth largest aerospace supplier in the world, was leaking critical data because of a misconfiguration of its systems. Safran Group works with Airbus, the second largest aerospace company in the world after Boeing, to make aerospace equipment, develops technology outside the aviation industry such as modules for the James Webb Space Telescope, and builds surface-to-air defense systems and missiles. Researchers discovered a publicly accessible environment file used by a beta deployment of the open-source video-calling application Jitsi Meet. The Cybernews team suspects that the file had been public for about a year and a half, leaving Safran Group open to attack. The exposed data includes the Laravel app key, a JSON Web Token (JWT) signing key, MySQL credentials, and Simple Mail Transfer Protocol (SMTP) credentials for the "no-reply" email account. This article continues to discuss the Safran Group data leak and its potential impact.

    Cybernews reports "Key Aerospace Player Leaks Sensitive Data"
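
    An exposed .env file is dangerous because of what its keys unlock rather than the file itself: a Laravel APP_KEY is the key that encrypts the application's cookies and session data, so whoever holds it can decrypt and forge them; a JWT signing key lets anyone mint tokens the service will accept; and database and SMTP passwords are usable directly. The Python below is an added example for this page (not Cybernews' tooling and nothing from the Safran deployment); it parses a .env file in the same KEY=VALUE format, classifies the credential-bearing keys, and redacts the values so the resulting report does not re-leak them. The sample file and its placeholder values are constructed.

```python
"""Triage a publicly reachable .env file: parse it and report which secrets it exposes."""
import re

# Constructed sample; key names follow Laravel / Jitsi-style conventions and every
# value is a placeholder, not anything from the actual incident.
SAMPLE_ENV = """
# Laravel application settings
APP_ENV=production
APP_DEBUG=false
APP_KEY=base64:Zm9vYmFyYmF6cXV4Zm9vYmFyYmF6cXV4Zm9vYmFyYmE=
APP_URL=https://meet.example.test

DB_CONNECTION=mysql
DB_HOST=127.0.0.1
DB_PORT=3306
DB_DATABASE=meet
DB_USERNAME=meet_app
DB_PASSWORD="s3cr3t-db-pass"

JWT_APP_ID=meet
JWT_APP_SECRET=c2VjcmV0LWp3dC1zaWduaW5nLWtleQ==

MAIL_HOST=smtp.example.test
MAIL_USERNAME=no-reply@example.test
MAIL_PASSWORD=smtp-pass-123
export MAIL_FROM_ADDRESS=no-reply@example.test
"""

# Key-name patterns that indicate a credential rather than plain configuration.
# Checked in order; the first match decides the category.
SECRET_KEY_PATTERNS = [
    ("app_encryption_key", re.compile(r"^APP_KEY$")),
    ("jwt_signing_secret", re.compile(r"JWT.*(SECRET|KEY)")),
    ("database_password", re.compile(r"^(DB|DATABASE|MYSQL|POSTGRES)_.*(PASS|PASSWORD)")),
    ("smtp_credential", re.compile(r"^(MAIL|SMTP)_(PASSWORD|PASS|USERNAME)")),
    ("generic_secret", re.compile(r"(SECRET|TOKEN|PRIVATE_KEY|API_KEY)")),
]


def parse_env(text: str) -> dict:
    """Parse KEY=VALUE lines, skipping comments and blanks and honouring 'export KEY=...'."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        if line.startswith("export "):
            line = line[len("export "):]
        key, _, value = line.partition("=")   # split on the first '=' only: values may contain '='
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]               # strip matching surrounding quotes
        env[key.strip()] = value
    return env


def redact(value: str) -> str:
    """Keep a short prefix so a report proves exposure without repeating the secret."""
    return value[:4] + "..." if len(value) > 4 else "****"


def classify_exposure(env: dict) -> list:
    """Return (key, category, redacted_value) for every entry that looks like a credential."""
    findings = []
    for key, value in env.items():
        if not value:
            continue
        for category, pattern in SECRET_KEY_PATTERNS:
            if pattern.search(key):
                findings.append((key, category, redact(value)))
                break
    return findings


if __name__ == "__main__":
    for key, category, shown in classify_exposure(parse_env(SAMPLE_ENV)):
        print(f"{category:20} {key} = {shown}")
```

    The remediation has two halves. On the web server, stop serving dotfiles altogether (for example an nginx `location ~ /\.` block that returns 404) so that a forgotten .env is never reachable again. In the application, rotate every credential the file contained, because an exposure window of a year and a half is long enough to assume the values were copied, and a rotated APP_KEY also invalidates any cookies or sessions forged with the old one.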

  • news

    "First Known Dero Cryptojacking Operation Seen Targeting Kubernetes"

    The first known cryptojacking operation mining the Dero cryptocurrency has been observed targeting vulnerable Kubernetes clusters with exposed Application Programming Interfaces (APIs). Dero is a privacy coin marketed as a Monero alternative with stronger anonymity guarantees; it promises faster and higher mining returns than Monero and other cryptocurrencies, which is what has attracted threat actors. In a recent report, CrowdStrike researchers detail how the ongoing campaign was found in February 2023, when monitoring of customer Kubernetes clusters revealed unusual behavior. The attacks begin with the threat actors scanning for exposed Kubernetes clusters configured with "anonymous-auth=true", which permits unauthenticated access to the Kubernetes API. After gaining API access, the attackers deploy a DaemonSet named "proxy-api", which places a pod on every node in the cluster and so lets them mine Dero with the combined resources of all nodes at once. The installed miners join a Dero mining pool, where each participant contributes hashing power and receives a share of any earnings. CrowdStrike analysts observed no attempt by the threat actors to move laterally, disrupt cluster operations, steal data, or do additional damage, so the campaign appears to be purely financially motivated. This article continues to discuss the Dero cryptojacking operation.

    Bleeping Computer reports "First Known Dero Cryptojacking Operation Seen Targeting Kubernetes"
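
    Anonymous access to the API server only turns into cluster takeover when authorization is permissive as well: kube-apiserver defaults `--anonymous-auth` to true, and what an unauthenticated caller may then do is decided by `--authorization-mode` and by whichever RBAC bindings name `system:anonymous` or `system:unauthenticated` (the stock `system:public-info-viewer` binding exposes only health and version endpoints). The Python audit below is an added example for this page, not CrowdStrike's detection logic; it checks the apiserver flags and ClusterRoleBindings for that combination and flags DaemonSets whose images come from outside an allowlist of registries, since a DaemonSet is the natural way to land a miner on every node. The sample objects are constructed in the shape of `kubectl get ... -o json` output, and the trusted-registry list is an assumption.

```python
"""Audit a cluster for the conditions the Dero campaign abused: anonymous API access
combined with permissive authorization, plus an unexpected DaemonSet."""

# Constructed sample data shaped like the kube-apiserver command line and
# `kubectl get clusterrolebindings -o json` / `kubectl get daemonsets -A -o json`.
APISERVER_ARGS = [
    "kube-apiserver",
    "--anonymous-auth=true",
    "--authorization-mode=Node,RBAC",
    "--secure-port=6443",
]

CLUSTER_ROLE_BINDINGS = {"items": [
    {"metadata": {"name": "system:public-info-viewer"},       # stock default, expected
     "roleRef": {"kind": "ClusterRole", "name": "system:public-info-viewer"},
     "subjects": [{"kind": "Group", "name": "system:authenticated"},
                  {"kind": "Group", "name": "system:unauthenticated"}]},
    {"metadata": {"name": "debug-anon-admin"},                # the misconfiguration
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "User", "name": "system:anonymous"}]},
]}

DAEMONSETS = {"items": [
    {"metadata": {"name": "kube-proxy", "namespace": "kube-system"},
     "spec": {"template": {"spec": {"containers": [
         {"name": "kube-proxy", "image": "registry.k8s.io/kube-proxy:v1.26.2"}]}}}},
    {"metadata": {"name": "proxy-api", "namespace": "kube-system"},
     "spec": {"template": {"spec": {"containers": [
         {"name": "proxy-api", "image": "docker.io/unknown-user/miner:latest"}]}}}},
]}

ANONYMOUS_SUBJECTS = {"system:anonymous", "system:unauthenticated"}
EXPECTED_ANON_ROLES = {"system:public-info-viewer"}
# Registries a DaemonSet image may come from (an assumption for this example).
TRUSTED_REGISTRIES = ("registry.k8s.io/", "quay.io/", "ghcr.io/example-org/")


def anonymous_auth_enabled(args):
    """kube-apiserver defaults --anonymous-auth to true, so an absent flag counts as enabled."""
    for arg in args:
        if arg.startswith("--anonymous-auth="):
            return arg.split("=", 1)[1].lower() == "true"
    return True


def authorization_modes(args):
    """--authorization-mode defaults to AlwaysAllow when not set."""
    for arg in args:
        if arg.startswith("--authorization-mode="):
            return arg.split("=", 1)[1].split(",")
    return ["AlwaysAllow"]


def risky_anonymous_bindings(crbs):
    """ClusterRoleBindings that give anonymous callers more than the default discovery role."""
    risky = []
    for crb in crbs["items"]:
        role = crb["roleRef"]["name"]
        subjects = {s["name"] for s in crb.get("subjects", [])}
        if subjects & ANONYMOUS_SUBJECTS and role not in EXPECTED_ANON_ROLES:
            risky.append((crb["metadata"]["name"], role))
    return risky


def untrusted_daemonsets(daemonsets):
    """DaemonSets running images from outside the trusted registries."""
    flagged = []
    for ds in daemonsets["items"]:
        for c in ds["spec"]["template"]["spec"]["containers"]:
            if not c["image"].startswith(TRUSTED_REGISTRIES):
                flagged.append((ds["metadata"]["namespace"], ds["metadata"]["name"], c["image"]))
    return flagged


def audit(args, crbs, daemonsets):
    """Return human-readable findings; an empty list means none of the checks fired."""
    findings = []
    anon = anonymous_auth_enabled(args)
    if anon and "AlwaysAllow" in authorization_modes(args):
        findings.append("anonymous-auth enabled with AlwaysAllow: unauthenticated cluster admin")
    for name, role in (risky_anonymous_bindings(crbs) if anon else []):
        findings.append(f"ClusterRoleBinding {name} grants {role} to anonymous callers")
    for ns, name, image in untrusted_daemonsets(daemonsets):
        findings.append(f"DaemonSet {ns}/{name} runs untrusted image {image}")
    return findings


if __name__ == "__main__":
    for finding in audit(APISERVER_ARGS, CLUSTER_ROLE_BINDINGS, DAEMONSETS):
        print("FINDING:", finding)
```

    In a live cluster the inputs come from the kube-apiserver static pod manifest, `kubectl get clusterrolebindings -o json`, and `kubectl get daemonsets -A -o json`. The quick external test of the first condition is an unauthenticated GET of `/api` on port 6443: with anonymous auth off it returns 401, with anonymous auth on and default RBAC it returns 403, and a 200 means the cluster is in the state this campaign was scanning for.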

  • news

    "Data Loss Prevention Company Hacked by Tick Cyberespionage Group"

    ESET researchers have discovered that a Data Loss Prevention (DLP) company in East Asia has been compromised. During the intrusion the attackers deployed at least three malware families and compromised both the company's internal update servers and third-party tools it used, which led to the subsequent compromise of two of the company's customers. ESET attributes the campaign with high confidence to the Tick Advanced Persistent Threat (APT) group, and based on Tick's profile, cyber espionage was most likely the purpose of the attack. The DLP company's customer base includes government and military organizations, making it an attractive target for an APT group. According to ESET researcher Facundo Muñoz, who discovered Tick's latest operation, the attackers compromised the DLP company's internal update servers to deliver malware within the software developer's network and trojanized installers of legitimate third-party tools used by the company, which resulted in malware executing on the computers of the company's customers. During the attack the actors deployed ShadowPy, a previously undocumented downloader, as well as the Netboy backdoor, also known as Invader, and the Ghostdown downloader. This article continues to discuss the compromise of the DLP company by the Tick cyber espionage group.

    Help Net Security reports "Data Loss Prevention Company Hacked by Tick Cyberespionage Group"

  • news

    "Microsoft Zero-Day Bugs Allow Security Feature Bypass"

    Two zero-day vulnerabilities need to be patched immediately: one in Microsoft Outlook's authentication handling and another that is a Mark-of-the-Web (MOTW) bypass. Automox researchers advised enterprises to patch both within 24 hours, as they are being exploited in the wild. In addition, several of the vulnerabilities addressed in the March update enable Remote Code Execution (RCE), making them a patching priority. Vendors reported slightly varying counts of new severe vulnerabilities in Microsoft's March update, presumably because of differences in what they counted: Trend Micro's Zero-Day Initiative (ZDI) rated six of the vulnerabilities critical, whereas Tenable and Action1 counted nine. One of the zero-days is a critical privilege escalation flaw in Microsoft Outlook, tracked as CVE-2023-23397, which allows an attacker to obtain the victim's Net-NTLMv2 challenge-response authentication hash and then impersonate the user. An attacker exploits it by sending a specially crafted email that Outlook retrieves and processes before the user views it in the Preview Pane, so no user interaction is required. This article continues to discuss the actively exploited bugs in Microsoft Outlook and the MOTW feature.

    Dark Reading reports "Microsoft Zero-Day Bugs Allow Security Feature Bypass"

  • news

    "GoBruteforcer: New Golang-Based Malware Breaches Web Servers Via Brute-Force Attacks"

    GoBruteforcer, a new Golang-based malware, has been discovered targeting web servers running phpMyAdmin, MySQL, FTP, and Postgres in an attempt to recruit them into a botnet. According to researchers from Palo Alto Networks Unit 42, GoBruteforcer scans an entire Classless Inter-Domain Routing (CIDR) block rather than a single IP address, probing every host in the range so that one run reaches a wide variety of targets across a network. The malware is built for Unix-like platforms on x86, x64, and ARM architectures and tries to gain access by brute-forcing each service with a list of hard-coded credentials. If a login succeeds, an Internet Relay Chat (IRC) bot is deployed on the victim server to open communications with an actor-controlled server, and GoBruteforcer uses a PHP web shell already installed on the victim to gather further information about the targeted network. This article continues to discuss findings regarding the new Golang-based malware GoBruteforcer.

    THN reports "GoBruteforcer: New Golang-Based Malware Breaches Web Servers Via Brute-Force Attacks"
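
    Because GoBruteforcer sweeps a whole CIDR range and tries the same short credential list against every service it finds, the defender's view is many failed logins from one source against several services and usernames within seconds, a very different shape from a user mistyping a password. The Python detector below is an added example for this page, not Unit 42's code; it parses failed-authentication events (constructed sample lines, already normalized to one format) and raises an alert for any source that exceeds a failure count and a distinct-username threshold within a sliding window. The log format and the thresholds are assumptions.

```python
"""Detect credential brute-forcing of the kind GoBruteforcer performs: one source
hammering several services with many usernames in a short window."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from a real incident), normalized to the format
# "<ISO timestamp> <service> auth-failure src=<ip> user=<name>".
SAMPLE_LOG = """
2023-03-10T02:14:01Z mysql auth-failure src=198.51.100.7 user=root
2023-03-10T02:14:02Z mysql auth-failure src=198.51.100.7 user=admin
2023-03-10T02:14:02Z postgres auth-failure src=198.51.100.7 user=postgres
2023-03-10T02:14:03Z ftp auth-failure src=198.51.100.7 user=ftp
2023-03-10T02:14:03Z phpmyadmin auth-failure src=198.51.100.7 user=root
2023-03-10T02:14:04Z phpmyadmin auth-failure src=198.51.100.7 user=test
2023-03-10T02:14:05Z mysql auth-failure src=198.51.100.7 user=mysql
2023-03-10T02:14:06Z postgres auth-failure src=198.51.100.7 user=admin
2023-03-10T02:20:00Z mysql auth-failure src=203.0.113.9 user=alice
2023-03-10T02:45:00Z mysql auth-failure src=203.0.113.9 user=alice
2023-03-10T03:10:00Z ftp auth-failure src=203.0.113.9 user=alice
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<service>\S+)\s+auth-failure\s+src=(?P<src>\S+)\s+user=(?P<user>\S+)$")


def parse_failures(text):
    """Yield (timestamp, service, src_ip, user) for every auth-failure line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m["service"], m["src"], m["user"]


def detect_bruteforce(events, window=timedelta(minutes=5), min_failures=6, min_users=3):
    """Return {src_ip: summary} for sources with at least `min_failures` failures spread
    over at least `min_users` distinct usernames inside one sliding `window`.
    The defaults are assumptions for this example; tune them per environment."""
    by_src = defaultdict(list)
    for ts, service, src, user in events:
        by_src[src].append((ts, service, user))

    alerts = {}
    for src, evs in by_src.items():
        evs.sort()
        best = None
        start = 0
        for end in range(len(evs)):
            # Advance the window start until all events in [start, end] fit in `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            span = evs[start:end + 1]
            users = {u for _, _, u in span}
            if len(span) >= min_failures and len(users) >= min_users:
                if best is None or len(span) > len(best):
                    best = span
        if best:
            alerts[src] = {
                "failures": len(best),
                "users": sorted({u for _, _, u in best}),
                "services": sorted({s for _, s, _ in best}),
                "first_seen": best[0][0].isoformat(),
            }
    return alerts


if __name__ == "__main__":
    for src, info in detect_bruteforce(parse_failures(SAMPLE_LOG)).items():
        print(f"ALERT {src}: {info['failures']} failures since {info['first_seen']}, "
              f"users={info['users']}, services={info['services']}")
```

    Run this centrally over logs from all hosts rather than per server: a CIDR sweep shows up as the same source touching many hosts with a handful of attempts each, which no single host's threshold will catch, and the aggregated view is also what justifies blocking the source. The slow single-user pattern from the second address in the sample is deliberately left below the threshold. A successful login leaves a different trace, an outbound IRC connection from the server or an unexpected PHP web shell on disk, and those are worth separate detections.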

  • news

    "Ransomware Group Claims Theft of Valuable SpaceX Data From Contractor"

    The LockBit ransomware group recently claimed to have stolen valuable SpaceX files after breaching the systems of piece-part manufacturer Maximum Industries. The Texas-based company specializes in waterjet and laser cutting and CNC machining and advertises itself as a contract manufacturing facility. The hackers claim that Elon Musk's rocket and spacecraft maker SpaceX uses Maximum Industries' services and that they found roughly 3,000 "drawings certified by space-x engineers" on its systems, which they plan to sell at auction. While Maximum Industries may well have been hacked, cybercrime groups commonly exaggerate the impact of their attacks or the value of the data they have obtained. The LockBit ransomware operation was launched in 2019 and has been evolving ever since. Its operators, believed to be based in Russia, gain access to victim systems by exploiting unpatched vulnerabilities, relying on insiders, or buying access from specialized groups; once inside, they collect valuable data and then deploy file-encrypting malware.

    SecurityWeek reports: "Ransomware Group Claims Theft of Valuable SpaceX Data From Contractor"

  • news

    "MI5 Launches New Agency to Tackle State-Backed Attacks"

    A new security agency has begun its job of protecting the UK from state-sponsored and terrorist threats. The National Protective Security Authority (NPSA) was created as part of a major review of government defense spending known as the Integrated Review Refresh. The NPSA operates out of the security service MI5 and absorbs and extends the responsibilities of the Centre for the Protection of National Infrastructure, reflecting the fact that state and terrorist threats are aimed not only at critical national infrastructure (CNI) providers. The NPSA will work with existing agencies, the National Cyber Security Centre (NCSC) and the National Counter Terrorism Security Office (NaCTSO), to provide defensive advice to UK organizations facing cyber and other threats. In the digital sphere, these range from cyber espionage and IP theft to disruptive or destructive cyberattacks. According to the security minister, Tom Tugendhat, the NPSA will play a crucial role in helping businesses and universities better protect themselves and maintain their competitive advantage.

    Infosecurity reports: "MI5 Launches New Agency to Tackle State-Backed Attacks"

  • news

    "CISA Program Warns Critical Infrastructure Organizations Vulnerable to Ransomware Attacks"

    The US Cybersecurity and Infrastructure Security Agency (CISA) has launched a pilot program to warn critical infrastructure organizations when their systems contain vulnerabilities that ransomware groups are known to exploit. The Ransomware Vulnerability Warning Pilot (RVWP), which kicked off on January 30, is meant to help organizations that might not know such a vulnerability is lurking in their networks. When a qualifying defect is identified, CISA's regional cybersecurity personnel notify the affected entity by phone or email so that the issue can be fixed before it is exploited. The RVWP uses "existing authorities and technology" to proactively discover affected information systems, drawing on CISA's existing services, data sources, and authorities, including its Cyber Hygiene Vulnerability Scanning service and the Administrative Subpoena Authority granted under Section 2209 of the Homeland Security Act of 2002. CISA noted that the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) requires critical infrastructure entities to report cyberattacks and ransom payments and also mandates that CISA proactively identify systems vulnerable to ransomware. Notifications sent to vulnerable entities include details about the vulnerable system, such as manufacturer and model, the IP address in use, how the vulnerability was detected, and guidance on how to address the issue. CISA stressed that receiving an RVWP notification does not indicate a compromise, but it does indicate that the recipient is at risk and that the information system requires immediate remediation; notified entities are not required to comply with the recommendations.

    SecurityWeek reports: "CISA Program Warns Critical Infrastructure Organizations Vulnerable to Ransomware Attacks"

  • news

    Visible to the public "Ring Denies Falling Victim to Ransomware Attack"

    In response to a cybercrime group's claim, home security firm Ring announced that it has no evidence that it has fallen victim to a ransomware attack. Founded in 2013 and acquired by Amazon in 2018, Ring started with a smart doorbell and later expanded its portfolio with an alarm system and other smart home security products. On Monday, the cybergang behind the Alphv ransomware added an entry to their leaks site claiming they breached Ring and threatened to release data supposedly stolen from the company. The entry does not provide details on the amount or type of data that might have been compromised. Also tracked as BlackCat and Noberus and written in the Rust programming language, the Alphv ransomware family was first seen in November 2021. Its operators are likely linked to the previously known cybercrime ring behind the Darkside/Blackmatter ransomware.

    SecurityWeek reports: "Ring Denies Falling Victim to Ransomware Attack"

  • news

    Visible to the public "LA Housing Authority Suffers Year-Long Breach"

    The Housing Authority of the City of Los Angeles (HACLA) has recently issued a public notice outlining the impact of a ransomware breach first reported at the start of this year. The public agency, which claims to hold the largest stock of affordable housing in the city, acknowledged a "cyber-event that resulted in disruption to its systems" at the start of January 2023. The ransomware group LockBit claimed that it had stolen and would publish over 15TB of files from the authority. In a fresh update, HACLA has now confirmed that it discovered encrypted files in its IT environment on December 31, 2022. The forensic investigation determined that there was unauthorized access to certain servers between January 15, 2022, and December 31, 2022. HACLA noted that after undertaking a "comprehensive review" of all its data, it finally determined on February 13, 2023, that the impacted systems contained personal information. While the specific data elements vary for each potentially affected individual, the scope of information potentially involved includes an individual's name, Social Security number, date of birth, passport number, driver's license number or state identification number, tax identification number, military identification number, government-issued identification number, credit/debit card number, financial account number, health insurance information, and medical information. The housing agency has informed the relevant authorities and the individuals impacted by the incident.

    Infosecurity reports: "LA Housing Authority Suffers Year-Long Breach"

  • news

    Visible to the public "Students Play Crucial Role in Making Cybersecurity Impact"

    Local governments, K-12 schools, and rural hospitals seeking to improve their cybersecurity are collaborating with University of Georgia (UGA) students to gain a more thorough understanding of their organization's preparedness for cyberattacks. Through CyberArch, UGA is tackling the cybersecurity concerns of Georgia's communities and businesses by helping them increase their awareness of cyber threats and strengthen their cyber preparedness and response efforts. Working in teams of four, student interns conduct a cybersecurity risk review using a set of assessment questions, then conduct a site visit before preparing a final report with recommendations to improve the organization's cybersecurity posture. Mark Lupo, a senior public service associate at UGA's Carl Vinson Institute of Government and UGA CyberArch coordinator, explains that the program focuses on the city and county government, K-12 school system, and rural hospital sectors because of their higher profiles, vulnerability, and limited financial resources. According to recent research by the International City/County Management Association (ICMA), cybercriminals target local governments because of insufficient cybersecurity implementations, typically due to financial constraints. This article continues to discuss the CyberArch program aimed at addressing security challenges for Georgia's communities and businesses.

    The University of Georgia reports "Students Play Crucial Role in Making Cybersecurity Impact"

  • news

    Visible to the public "The BCI Cyber Resilience Report 2023"

    BCI's latest Cyber Resilience Report, sponsored by Daisy, explores the levels of disruption and cyber resilience arrangements across organizations, as well as the reporting and role of senior executives in developing cyber resilience strategies. Although 74 percent of respondents reported an increase in cyberattacks over the last 12 months, most organizations rated the impact of these attacks as small to medium. A growing number of companies are taking proactive measures to lessen the impact of cyberattacks. The report finds that taking a more proactive approach to cybersecurity results in fewer negative effects on organizations. Several organizations are using dedicated technologies to boost the likelihood of an early warning and a quicker, more efficient response. Regarding their most recent cyber incident, 39.9 percent of respondents were alerted by a Security Information and Event Management (SIEM) system, whereas 35.2 percent received an antivirus or Endpoint Detection and Response (EDR) alert. Using these tools typically results in the detection of an attack before business effects are recorded. However, 14.5 percent of organizations realized a cyberattack was occurring only because of a system failure, which runs the risk of customer impacts and reputational damage while also forcing the organization into a more reactive, slower response. This article continues to discuss key findings from BCI's 2023 Cyber Resilience Report.

    Continuity Central reports "The BCI Cyber Resilience Report 2023"

  • news

    Visible to the public "Crooks Taunt Prestigious School by Leaking Student Names"

    Bishop Luffa School, a British secondary school operated by the Church of England, had student information exposed due to a possible ransomware attack by the Medusa group. Local media reports indicate that the organization's systems have been offline since March 9. Although the school did not mention the cause of the security breach, ransomware is the likely culprit. The Medusa ransomware gang has listed Bishop Luffa School on its dark web blog, a website used by the group to showcase its latest victims. The threat actors also included samples of data allegedly stolen from the school containing the students' names and surnames and the faculty members' personal information. The entry on Medusa's blog containing the school's details reveals that the gang demanded $100,000 to remove the stolen data. However, the ransom demand could be significantly different from what the cybercriminals have made public. Last month, the Medusa ransomware gang joined the ranks of the most active ransomware groups, having begun operations at the tail end of last year. This article continues to discuss the British secondary school potentially being a victim of the Medusa ransomware gang and the growing activity of this cybercriminal group.

    Cybernews reports "Crooks Taunt Prestigious School by Leaking Student Names"

  • news

    Visible to the public "New Bills Look To Help Small Water Systems Tap Cybersecurity Help"

    Water is crucial to life for communities across the US, but water systems are facing increasingly complex threats, including cyberattacks. Therefore, House and Senate lawmakers have introduced a pair of bills aimed at bolstering the cybersecurity of clean water and wastewater utilities. The Water System Threat Preparedness and Resilience Act plans to make it simpler for utilities to get information regarding potential cyberattacks or natural disasters that could have a significant impact on operations. The legislation plans to accomplish this by helping small utilities join the Water Information Sharing and Analysis Center (WaterISAC) through a proposed Environmental Protection Agency grant program. WaterISAC, a nonprofit organization founded in 2002 and governed by a board of directors composed of water and wastewater utility managers and state drinking water administrators, delivers critical infrastructure threat intelligence to members. This article continues to discuss the Water System Threat Preparedness and Resilience Act.

    GCN reports "New Bills Look To Help Small Water Systems Tap Cybersecurity Help"

  • news

    Visible to the public "Death Registry System in Hawaii Had Data Breach, Health Department Says"

    After a cyberattack in January allowed hackers limited access to Hawaii's death registry, the Hawaii Department of Health is sending out breach notification letters. Officials cautioned that although the hackers did not access death certificates, newly bereaved family members should stay watchful regarding any unresolved matters, such as accounts, estates, life insurance claims, and Social Security survivor benefits. On January 23, the cybersecurity company Mandiant alerted various state departments that the credentials for an external medical death certifier account connected to the state Electronic Death Registry System (EDRS) had been sold on the dark web. Even though the department quickly disabled the external account, a February investigation revealed that a hacker obtained around 3,400 death records. According to the department, the dates of death on these documents ranged from 1998 to 2023, with 90 percent occurring in 2014 or before. Death certificates, which are necessary for settling financial and legal matters, are generated separately from death records. The death records include the decedent's name, Social Security number, address, gender, date of birth, date of death, place of death, and reason for death. This article continues to discuss the breach of Hawaii's EDRS.

    The Record reports "Death Registry System in Hawaii Had Data Breach, Health Department Says"

  • news

    Visible to the public "93 Percent of Organizations Suffer Business Email Compromise Attacks"

    The threat of Business Email Compromise (BEC) is growing as the number of BEC attacks is predicted to surpass the number of phishing attacks significantly. According to a new report from the cloud email security platform IRONSCALES, more than 93 percent of organizations have encountered one or more types of BEC attacks within the previous 12 months, with 62 percent encountering three or more attack variants. In addition, 43.3 percent of respondents from major organizations expect an increase in BEC attacks over the next 12 months. The report also reveals that finance employees and C-level executives are the two groups most commonly targeted by BEC attacks. About half of all groups report daily, weekly, or monthly BEC attacks. The most typical types of BEC attacks are fake invoices, data theft, and account takeover. In the past 12 months, one in five companies has experienced these types of attacks. Two in three organizations have seen three or more types of BEC attacks in this time, with data theft attacks occurring most frequently. This article continues to discuss key findings from IRONSCALES' new report on BEC attacks.

    BetaNews reports "93 Percent of Organizations Suffer Business Email Compromise Attacks"

  • news

    Visible to the public "Cybercrime Losses Exceeded $10 Billion in 2022: FBI"

    According to the Internet Crime Complaint Center (IC3), the FBI received more than 800,000 cybercrime-related complaints in 2022, with losses totaling over $10 billion. Recently, the IC3 published its 2022 Internet Crime Report, showing that while the number of complaints was smaller compared to 2021, losses increased from $6.9 billion to $10.3 billion. In the past five years, the FBI received a total of 3.26 million complaints for $27.6 billion in losses. According to the IC3, the top five types of cyber-related crimes in 2022 were phishing (300k complaints), personal data breach (58k complaints), non-payment/non-delivery scams (51k), extortion (39k), and tech support scams (32k). More than 21,000 complaints were related to business email compromise (BEC) attacks, with $2.7 billion in losses. According to the IC3, its Recovery Asset Team (RAT) has managed to help many victims of BEC attacks recover their funds. In 2022, investment scams exceeded BEC in terms of losses, with $3.31 billion reported, which was a 127% increase compared to 2021. A significant chunk of the total was blamed on cryptocurrency investment fraud, which increased from $907 million in 2021 to $2.57 billion in 2022. As for ransomware attacks, the FBI received more than 2,300 complaints last year, with adjusted losses reaching more than $34 million. Over 800 of these complaints came from organizations across 14 of the 16 critical infrastructure sectors. The IC3 noted that the most targeted, with over 100 incidents each, were the healthcare, critical manufacturing, government facilities, and IT sectors. The ransomware operations most commonly seen targeting critical infrastructure were LockBit, BlackCat, and Hive. According to the report, call center fraud, which includes tech support and government impersonation scams, had 44,000 victims, with losses exceeding $1 million.

    SecurityWeek reports: "Cybercrime Losses Exceeded $10 Billion in 2022: FBI"

  • news

    Visible to the public "CISA and Girl Scouts of the USA Strengthen Collaboration to Bring More Young Women into Cybersecurity"

    The US Homeland Security Department's Cybersecurity and Infrastructure Security Agency (CISA) and Girl Scouts of the USA (GSUSA) have announced a new Memorandum of Understanding (MOU) that formalizes their collaboration to close the gender gap in cybersecurity. According to a recent Women in CyberSecurity (WiCyS) and Cybersecurity Ventures report, women make up only 25 percent of the global cybersecurity workforce, while women compose 51 percent of the population. Without women pursuing cybersecurity careers, the field is missing out on a massive portion of the population's talent pool. In order to address this gap, it is essential that young girls develop an interest in cybersecurity as early as elementary school. CISA and GSUSA have a history of collaboration. In 2017, CISA provided collaboration and guided the development of GSUSA's 18 cybersecurity badges. Girl Scouts have earned over 315,000 cybersecurity badges in less than five years. In addition, in 2021, the Department of Homeland Security (DHS) and CISA teamed up with CYBER.ORG and GSUSA to create the 2021 Girl Scout Cyber Awareness Challenge in an effort to cultivate the next generation of diverse cybersecurity talent and increase the nation's cyber resilience. This article continues to discuss CISA and GSUSA strengthening the collaboration aimed at increasing cybersecurity interest among young women and bridging the gender gap in cybersecurity.

    CISA reports "CISA and Girl Scouts of the USA Strengthen Collaboration to Bring More Young Women into Cybersecurity"

  • news

    Visible to the public "Euler Loses Nearly $200 Million to Flash Loan Attack"

    London, UK-based DeFi platform company Euler has recently lost a reported $196 million to a flash loan attack. A flash loan is an instant unsecured loan controlled by smart contracts. It allows a "borrower to obtain collateral, use that collateral for its purposes, and return the collateral to its source, provided it all occurs within a single transaction." It consequently relies on a sequence of complex conditions. The concept was pioneered in 2020 by the Ethereum lending platform Aave. Details of this attack are not yet clear. Euler stated that it appears the attacker used flash loans to borrow from the DeFi protocols Aave and Balancer and deposited the money with Euler. The attacker then borrowed ten times the amount it had deposited with Euler. Euler noted that the precise means, or vulnerability, by which the attacker could break the smart contract and keep the borrowings is unclear. Nor is it entirely clear whether the attack has finished or whether it is still in process and more losses will be revealed. Euler was founded in September 2020.

    SecurityWeek reports: "Euler Loses Nearly $200 Million to Flash Loan Attack"
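
    To make the single-transaction requirement concrete, here is an added Python simulation (not Euler's, Aave's or Balancer's code, and not from the article) of a lending ledger that enforces two invariants atomically: a flash loan must be repaid with its fee before the transaction ends, and a collateralised borrow is rejected unless the deposit covers it. The 150 percent collateral requirement, the 9 basis-point fee and the account name are assumptions; the sequence in which flash-loaned funds are deposited and a ten-times borrow is attempted follows the article's description and, with the checks intact, reverts without leaving any state change behind.

```python
"""Toy lending ledger illustrating flash-loan atomicity. Illustrative example,
not any protocol's real code; collateral ratio and fee are assumed values."""

from dataclasses import dataclass, field

COLLATERAL_RATIO_PCT = 150   # assumed: collateral must cover 150% of debt
FLASH_FEE_BPS = 9            # assumed flash-loan fee, in basis points
BORROWER = "borrower"        # constructed account name


class Revert(Exception):
    """An invariant failed; the whole transaction must be rolled back."""


@dataclass
class Ledger:
    pool_liquidity: int                              # funds available to lend
    deposits: dict = field(default_factory=dict)     # account -> collateral
    debts: dict = field(default_factory=dict)        # account -> outstanding debt

    def snapshot(self):
        return (self.pool_liquidity, dict(self.deposits), dict(self.debts))

    def restore(self, snap):
        self.pool_liquidity, deposits, debts = snap
        self.deposits, self.debts = dict(deposits), dict(debts)

    def deposit(self, account, amount):
        self.deposits[account] = self.deposits.get(account, 0) + amount

    def borrow(self, account, amount):
        """Collateralised borrow: rejected unless collateral covers the new
        debt at COLLATERAL_RATIO_PCT. Borrowing ten times the deposit fails here."""
        new_debt = self.debts.get(account, 0) + amount
        if self.deposits.get(account, 0) * 100 < new_debt * COLLATERAL_RATIO_PCT:
            raise Revert("insufficient collateral")
        if amount > self.pool_liquidity:
            raise Revert("insufficient liquidity")
        self.pool_liquidity -= amount
        self.debts[account] = new_debt


def flash_loan(ledger, amount, use_funds):
    """Uncollateralised loan that must be repaid with fee before this call
    returns; use_funds(ledger, amount) returns what the borrower hands back."""
    if amount > ledger.pool_liquidity:
        raise Revert("insufficient liquidity for flash loan")
    ledger.pool_liquidity -= amount
    repaid = use_funds(ledger, amount)
    owed = amount + amount * FLASH_FEE_BPS // 10_000
    if repaid < owed:
        raise Revert("flash loan not repaid in the same transaction")
    ledger.pool_liquidity += owed


def run_transaction(ledger, steps):
    """Run steps atomically: commit all of them, or revert every state change.
    Returns True on commit and False on revert."""
    snap = ledger.snapshot()
    try:
        for step in steps:
            step(ledger)
    except Revert:
        ledger.restore(snap)
        return False
    return True


def honest_use(ledger, amount):
    # Hold the funds for the duration of the transaction and return them with the fee.
    return amount + amount * FLASH_FEE_BPS // 10_000


def deposit_and_overborrow(ledger, amount):
    # The sequence described in the article: deposit the flash-loaned funds as
    # collateral, then try to borrow ten times that amount. With the collateral
    # rule enforced, borrow() raises Revert and nothing is committed.
    ledger.deposit(BORROWER, amount)
    ledger.borrow(BORROWER, 10 * amount)
    return 10 * amount   # not reached while the collateral check holds


def demo():
    """Run an honest flash loan, then the over-borrow sequence, on one ledger."""
    ledger = Ledger(pool_liquidity=1_000_000)
    honest = run_transaction(ledger, [lambda l: flash_loan(l, 100_000, honest_use)])
    attack = run_transaction(ledger, [lambda l: flash_loan(l, 100_000, deposit_and_overborrow)])
    return honest, attack, ledger.pool_liquidity, dict(ledger.deposits), dict(ledger.debts)


if __name__ == "__main__":
    print(demo())   # (True, False, 1000090, {}, {})
```

    The honest transaction commits and the pool grows by the fee; the over-borrow transaction fails the collateral check, so the flash loan, the deposit and the attempted borrow are all rolled back together. The defensive point is that every invariant is evaluated before the transaction ends, and a single failed check discards all of its intermediate state.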

  • news

    Visible to the public "Blackbaud Settles $3m Charge Over Ransomware Attack"

    Cloud software provider Blackbaud has recently agreed to pay $3m to settle charges over regulatory filings it made following a major 2020 ransomware attack. The South Carolina-based firm, which sells software to non-profits, schools, and other "social good" organizations, said at the time that it discovered and contained the May 2020 attack, but threat actors managed to steal sensitive data belonging to customers. Blackbaud paid its extorters and stated at the time that it had no reason to believe the stolen data was or would be misused, disseminated, or otherwise made available publicly. However, the SEC's order published late last week claimed that a quarterly report Blackbaud filed in August 2020 omitted details about the scope of the attack. The firm had said the risk of donor information being taken by the hackers was "hypothetical." The SEC stated that, in reality, Blackbaud tech and customer service staff knew that donor bank account details and Social Security information had been stolen but did not communicate this to senior management. The SEC ruled that this was down to a failure to properly maintain disclosure controls and procedures. David Hirsch, chief of the SEC Enforcement Division's Crypto Assets and Cyber Unit, stated that Blackbaud failed to disclose the full impact of a ransomware attack despite its personnel learning that their earlier public statements about the attack were erroneous. Hirsch noted that public companies have an obligation to provide their investors with accurate and timely material information and that Blackbaud failed to do so. The firm has agreed to cease and desist from committing violations of the Securities Act and Securities Exchange Act. In the end, the ransomware breach impacted over 13,000 customers, the SEC said.

    Infosecurity reports: "Blackbaud Settles $3m Charge Over Ransomware Attack"

  • news

    Visible to the public "Prometei Botnet Evolves and Infected +10,000 Systems since November 2022"

    According to researchers at Cisco Talos, the Prometei botnet has infected over 10,000 devices worldwide since November 2022. The cryptocurrency mining botnet has a modular structure and uses different methods to infect devices and avoid detection. Cisco Talos first observed the Prometei botnet in July 2020. An analysis of artifacts uploaded to VirusTotal enabled analysts to conclude that the botnet may have been operational since at least May 2016. Researchers noted that the malware's developers implemented new modules and functionalities on a consistent basis. Cisco Talos confirms that the Prometei botnet continues to enhance its modules and demonstrate new capabilities as a result of recent changes. Some submodules of the execution chain were updated by the botnet operators in order to automate activities and make it more difficult to successfully apply forensic analysis techniques. Based on data gathered by sinkholing the Domain Generation Algorithm (DGA) domains for one week in February 2023, Cisco Talos estimates with high confidence that version 3 of the Prometei botnet is of medium size, with more than 10,000 infected devices worldwide. The most recent release includes previously undocumented features, including an alternate command-and-control (C2) DGA and a self-updating method. The new variant bundles a copy of the Apache web server with a web shell, which is deployed onto victim hosts. This article continues to discuss the new version of the Prometei botnet that has infected over 10,000 systems worldwide since November 2022.

    Security Affairs reports "Prometei Botnet Evolves and Infected +10,000 Systems since November 2022"

  • news

    Visible to the public "Zoll Medical Data Breach Impacts 1 Million Individuals"

    Medical technology developer Zoll Medical is notifying roughly one million individuals that their personal information might have been compromised in a recent data breach. The company develops and markets medical equipment and software for advanced emergency care, including cardiac monitoring, oxygen therapy, ventilation, data management, and more. The company identified the breach at the end of January when it discovered unusual activity on its internal network. The company stated that it determined that the individuals' information may have been affected on or about February 2, 2023. The company noted that its investigation into the incident is ongoing. According to Zoll, the compromised information included names, addresses, birth dates, and Social Security numbers. Zoll says it has no indication that the exposed information was misused. It is unclear what type of cyberattack Zoll fell victim to and whether ransomware was deployed on its systems.

    SecurityWeek reports: "Zoll Medical Data Breach Impacts 1 Million Individuals"

  • news

    Visible to the public "TSA Issues Additional Cybersecurity Rules for the Aviation Sector"

    The Transportation Security Administration (TSA) has issued a new cybersecurity amendment to the security programs of certain TSA-regulated airport and aircraft operators in the aviation industry. This amendment is part of the Department of Homeland Security's (DHS) efforts to strengthen the cybersecurity resilience of US critical infrastructure, and it follows collaboration with aviation partners. This emergency action is being taken by the TSA due to continuous cyber threats against US critical infrastructure, particularly the aviation industry. The new emergency amendment calls on impacted TSA-regulated entities to prepare an approved implementation plan that outlines the steps they are taking to enhance their cybersecurity resilience and prevent infrastructure disruption and degradation. In addition, they must proactively evaluate the effectiveness of these measures, which include developing policies and controls for network segmentation, creating access control measures, implementing policies and procedures for continuous monitoring and detection, and reducing the risk of exploitation of unpatched systems. This article continues to discuss the new cybersecurity amendment issued by the TSA to the security programs of certain TSA-regulated airport and aircraft operators.

    Help Net Security reports "TSA Issues Additional Cybersecurity Rules for the Aviation Sector"

  • news

    Visible to the public "And the Cyberattack Goes to ... Fans of Oscar-Nominated Films"

    The more popular and critically acclaimed a pirated film is, the more likely it is to carry infected files. A ReasonLabs research team analyzed data on film piracy from January 2022 until last month, focusing on some of the most well-known films from the previous year, all of which were nominees for awards at the 95th Academy Awards. The researchers discovered thousands of cases in which these highly nominated films masked cyber threats. The traps include spyware, Trojans, and malware. This past year, "Everything Everywhere All at Once," "Top Gun: Maverick," and "Avatar: The Way of Water," all of which were fan and critic favorites, were among the top films used to phish and draw in victims. ReasonLabs discovered that the most prevalent threats in this year's pirated Oscar nominees were spyware personal document stealers, password-stealer extensions, keyloggers, search hijacker extensions, and the Bat Worm. This article continues to discuss the rise in malicious files present in attempts to watch popular films for free.

    Dark Reading reports "And the Cyberattack Goes to ... Fans of Oscar-Nominated Films"

  • news

    Visible to the public "Warning: AI-generated YouTube Video Tutorials Spreading Infostealer Malware"

    Threat actors have been spotted using Artificial Intelligence (AI)-generated YouTube videos to spread Raccoon, RedLine, and other information stealer malware. Pavan Karthick M., a researcher at CloudSEK, explained that the videos lure users by posing as lessons on how to download cracked versions of licensed software such as Photoshop, Premiere Pro, Autodesk 3ds Max, AutoCAD, and more. In the same way that the ransomware ecosystem consists of core developers and affiliates who are responsible for identifying potential targets and executing the attacks, the information stealer ecosystem includes threat actors known as traffers who are recruited to spread the malware through various means. CloudSEK has observed a 200-300 percent month-over-month increase in the number of YouTube videos containing links to stealer malware in their descriptions. This article continues to discuss threat actors' use of AI-generated YouTube videos to spread malware.

    THN reports "Warning: AI-generated YouTube Video Tutorials Spreading Infostealer Malware"

  • news

    Visible to the public "CASPER Attack Steals Data Using Air-Gapped Computer's Internal Speaker"

    Researchers at the School of Cyber Security at Korea University in Seoul have unveiled a new covert channel attack called CASPER that can leak data from air-gapped computers to a neighboring smartphone at a rate of 20 bits/sec. The CASPER attack uses the target computer's internal speakers as a data transmission channel to emit high-frequency audio that the human ear cannot detect, conveying binary or Morse code to a microphone up to 1.5m away. The receiving microphone may belong to a smartphone recording in an attacker's pocket or to a laptop in the same room. Researchers in the past have devised similar attacks using external speakers. However, systems used in critical areas, such as government networks, energy infrastructure, and weapon control systems, that are air-gapped and network-isolated are unlikely to have external speakers. Internal speakers that offer audible feedback, such as boot-up noises, are still deemed necessary, and their prevalence therefore makes them preferable targets. This article continues to discuss the new CASPER covert channel attack.

    Bleeping Computer reports "CASPER Attack Steals Data Using Air-Gapped Computer's Internal Speaker"

  • news

    Visible to the public "Serious Vulnerability Patched in Veeam Data Backup Solution"

    Veeam recently announced patches for a severe vulnerability in its Backup & Replication solution that could lead to the exposure of credentials. A backup solution for virtual environments, Veeam Backup & Replication supports virtual machines running on Hyper-V, Nutanix AHV, and vSphere, as well as servers, workstations, and cloud-based workloads. The vulnerability is tracked as CVE-2023-27532 (CVSS score of 7.5) and allows an attacker to obtain the encrypted credentials that are stored in the configuration database. The company stated that the vulnerable process, Veeam.Backup.Service.exe (TCP 9401 by default), allows an unauthenticated user to request encrypted credentials. According to the company, successful exploitation of the security defect could provide attackers with access to the backup infrastructure hosts. All Veeam Backup & Replication versions are impacted by this issue. Patches were included in application versions 12 (build 12.0.0.1420 P20230223) and 11a (build 11.0.1.1261 P20230227). The company noted that new deployments installed using the ISO images dated February 23 (version 12) and February 27 (version 11) or later are not vulnerable. Users of older Veeam Backup & Replication versions are advised to update to a supported version as soon as possible.

    SecurityWeek reports: "Serious Vulnerability Patched in Veeam Data Backup Solution"
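
    To turn the advisory details above into a check an administrator can run against a backup server inventory, here is an added Python example (not Veeam's tooling and not code from the article) that parses Backup & Replication build strings, compares them with the fixed builds named above, and flags hosts whose TCP 9401 service is reachable from an untrusted network. The host inventory, the version 10 and 11.0.1.1260 build strings, the `Host` record and the `port_open` helper are assumptions constructed for the example; run the port check from a machine on the untrusted side of the firewall and record its result in the inventory.

```python
"""Check Veeam Backup & Replication builds against the fixed builds for
CVE-2023-27532 and flag exposure of the backup service port. Added example,
not Veeam's code; the inventory below is constructed sample data."""

import re
import socket
from dataclasses import dataclass

# Fixed builds per the advisory summary, keyed by major version.
PATCHED_BUILDS = {12: (12, 0, 0, 1420), 11: (11, 0, 1, 1261)}
SERVICE_PORT = 9401  # Veeam.Backup.Service.exe listens here by default

_BUILD_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)(?:\s+P\d+)?$")


def parse_build(build: str) -> tuple:
    """Parse '12.0.0.1420 P20230223' into a comparable 4-tuple; the trailing
    'P...' patch tag is informational and ignored for ordering."""
    m = _BUILD_RE.match(build.strip())
    if not m:
        raise ValueError(f"unrecognised build string: {build!r}")
    return tuple(int(x) for x in m.groups())


def is_patched(build: str) -> bool:
    """True if the build is at or above the fixed build for its major version.
    Majors without a listed fix (e.g. 10) are treated as unpatched: the article
    says all versions are affected and only 11a and 12 received patches."""
    v = parse_build(build)
    fixed = PATCHED_BUILDS.get(v[0])
    return fixed is not None and v >= fixed


@dataclass
class Host:
    name: str
    build: str
    port_reachable_from_untrusted: bool  # result of port_open() run externally


def port_open(host: str, port: int = SERVICE_PORT, timeout: float = 1.0) -> bool:
    """Live TCP connect check, to be run from the untrusted side of the
    firewall and recorded in the inventory (assumed helper)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def assess(hosts):
    """Return (hostname, finding) pairs for every host that needs action."""
    findings = []
    for h in hosts:
        if not is_patched(h.build):
            findings.append((h.name, "unpatched: update to 12.0.0.1420 / 11.0.1.1261 or later"))
        if h.port_reachable_from_untrusted:
            findings.append((h.name, f"TCP {SERVICE_PORT} reachable from an untrusted network"))
    return findings


# Constructed sample inventory (hostnames and the 10.x / 11.0.1.1260 builds are made up).
SAMPLE_HOSTS = [
    Host("vbr-01", "12.0.0.1420 P20230223", False),
    Host("vbr-02", "11.0.1.1261 P20230227", True),
    Host("vbr-03", "11.0.1.1260", False),
    Host("vbr-04", "10.0.0.1", True),
]

if __name__ == "__main__":
    for name, finding in assess(SAMPLE_HOSTS):
        print(f"{name}: {finding}")
```

    A patched host that still exposes port 9401 to untrusted networks is reported separately, since limiting reachability of the backup service is a worthwhile control independent of this particular fix.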

  • news

    Visible to the public "Researchers Take a Step Towards Turning Interactions That Normally Ruin Quantum Information into a Way of Protecting It"

    Researchers have discovered a method for predicting the behavior of many-body quantum systems that are coupled to their environment. The study demonstrates a method for protecting quantum information in quantum devices, which is essential for the practical use of quantum technology. In a study published in Physical Review Letters, researchers from Aalto University in Finland and IAS Tsinghua University in China describe a novel method for predicting the behavior of quantum systems, such as groups of particles, while they are connected to the outside world. Connecting a system, such as a quantum computer, to its environment typically results in decoherence and leaks, which destroy any knowledge about what is occurring inside the system. Now, researchers have created a method that transforms this dilemma into its solution. In the latest work, the researchers demonstrated that connecting a quantum device to an external system can be advantageous under certain conditions. When a quantum device possesses so-called non-Hermitian topology, it leads to protected quantum excitations whose resilience stems from the fact that they are open to the environment. These types of open quantum systems have the potential to give rise to innovative new tactics for quantum technologies that use external coupling to prevent information decoherence and leaks. This article continues to discuss the researchers' work toward turning interactions that typically ruin quantum information into a way of protecting it.

    Aalto University reports "Researchers Take a Step Towards Turning Interactions That Normally Ruin Quantum Information into a Way of Protecting It"

  • news

    Visible to the public "White House Allocates $3.1bn to Cybersecurity in New Budget"

    The White House has recently allocated a total of $3.1bn to cybersecurity infrastructure in its latest budget report. The document shows $145m of this figure will go toward making the Cybersecurity and Infrastructure Security Agency (CISA) more resilient and defensible. Of the remaining funds, $98m will be invested in implementing the Cyber Incident Reporting for Critical Infrastructure Act of 2021, and $425m will go towards improving CISA's internal cybersecurity and analytical capabilities. The document says that to protect against foreign adversaries and safeguard Federal systems that the American people rely on, the Budget bolsters cybersecurity by ensuring every agency is increasing the security of public services.

    Infosecurity reports: "White House Allocates $3.1bn to Cybersecurity in New Budget"

  • news

    Visible to the public "AT&T Vendor Data Breach Exposed 9 Million Customer Accounts"

    AT&T customer data was exposed in January through a third-party vendor that had been hacked. The company noted that the breach affected around nine million customer accounts. The breached data included basic personal information but no financial data or Social Security numbers. The data that AT&T had provided to the marketing vendor, and which was exposed, mostly related to device upgrade eligibility. It included basic personal information such as customer names, account numbers, phone numbers, and email addresses, as well as the number of lines on the account, devices used, and installment agreement information. AT&T noted that the exposed data did not include Social Security numbers, credit card information, account passwords, or "other sensitive information." The data set was also several years old. AT&T said that its own systems were not breached and that it was notifying customers who had been affected.

    CNET reports: "AT&T Vendor Data Breach Exposed 9 Million Customer Accounts"

  • news

    Visible to the public "Cerebral Informing 3.1 Million Individuals of Inadvertent Data Exposure"

    Mental health care provider Cerebral is informing over 3.1 million individuals that their protected health information (PHI) might have been inadvertently exposed via third-party tracking technologies on its platforms. Cerebral noted that it had been using tracking technologies such as those provided by Facebook, Google, TikTok, and others since 2019, but disabled, reconfigured, or removed them after learning that some of the data shared with the third parties also included PHI. Cerebral stated that, additionally, the sharing of data with all subcontractors that did not meet all HIPAA requirements was promptly disabled. Before that, however, depending on factors such as an individual's use of Cerebral's platforms, the nature of the subcontracted services, and the configuration of the tracking technologies and data capture platforms, varying amounts of personal information were exposed to third parties. According to the company, for individuals who created a Cerebral account, the exposed information included names, phone numbers, email and IP addresses, birth dates, Cerebral client ID numbers, and other information. For individuals who also completed portions of Cerebral's online mental health self-assessment, details on the service, the assessment responses, and certain health information were also exposed. The company noted that where individuals also purchased a subscription plan from Cerebral, details on the selected plan, along with appointment dates, treatments, health insurance/pharmacy benefit information, other clinical information, and insurance co-pay amounts, were also exposed. According to the company, the exposed data did not include Social Security numbers, credit card data, or bank account information. The company stated that, out of an abundance of caution, it is notifying anyone who fell into any of these categories, even if they did not become a Cerebral patient or provide any information beyond what was necessary to create a Cerebral account. Cerebral noted that, in addition to preventing the use of tracking technologies by blocking or deleting cookies in their browsers, the impacted individuals might want to reset their Cerebral account passwords and can adjust their privacy settings on Facebook, Google, and other online platforms.

    SecurityWeek reports: "Cerebral Informing 3.1 Million Individuals of Inadvertent Data Exposure"

  • news

    Visible to the public "Acronis Clarifies Hack Impact Following Data Leak"

    Swiss data protection firm Acronis has clarified that only a single customer's account was compromised after a hacker leaked gigabytes of information allegedly stolen from the company. On a popular cybercrime forum, a hacker recently announced that they were "leaking data of a cybersecurity company called Acronis," claiming that they hacked the company because they were bored and wanted to humiliate it. The hacker is the same one who recently offered to sell 160 GB of data stolen from computer giant Acer. In the case of Acronis, the cybercriminal published a 12 GB archive file allegedly containing certificate files, command logs, system configurations and information logs, filesystem archives, scripts, and backup configuration data. Acronis offers backup, disaster recovery, antivirus, and endpoint protection management solutions. After the incident came to light, the company clarified that the leaked data appears to come entirely from a single customer's account. The company noted that, based on its investigation so far, the credentials used by one specific customer to upload diagnostic data to Acronis support had been compromised. The company stated that it is working with that customer and has suspended the account's access while it resolves the issue. The company noted that no other system or credential had been affected: there is no evidence of any other successful attack, nor is there any data in the leak that is not in that one customer's folder. Acronis has also separately clarified that none of its products are impacted by the breach.

    SecurityWeek reports: "Acronis Clarifies Hack Impact Following Data Leak"

  • news

    Visible to the public "Alleged Seller of NetWire RAT Arrested in Croatia"

    As part of a global law enforcement operation, federal authorities in Los Angeles seized a domain used by cybercriminals to distribute the NetWire Remote Access Trojan (RAT). The NetWire RAT enabled cybercriminals to take control of infected computers and steal sensitive data from victims. Police arrested a Croatian national who was allegedly the website's administrator; the suspect, whose identity was pinpointed by journalist Brian Krebs, will be prosecuted by Croatian authorities. In addition, law enforcement in Switzerland confiscated the computer server hosting the NetWire RAT infrastructure. Although the website advertised NetWire as a legitimate business tool for maintaining computer infrastructure, the affidavit states that NetWire is malware used for malicious purposes. The software was advertised on hacking forums, and many cybersecurity companies and government agencies have documented the NetWire RAT being used in criminal activity. This article continues to discuss the global law enforcement operation aimed at taking down the NetWire RAT.

    Help Net Security reports "Alleged Seller of NetWire RAT Arrested in Croatia"

  • news

    Visible to the public "Akamai Mitigates Record-Breaking 900Gbps DDoS Attack in Asia"

    Akamai mitigated the largest Distributed Denial-of-Service (DDoS) attack ever launched against one of its customers in the Asia-Pacific region. A DDoS attack delivers a high volume of garbage traffic to a targeted server, thereby depleting its capacity and preventing legitimate users from accessing the websites, applications, or other online services it hosts. The record-breaking attack mitigated by Akamai peaked at 900.1 gigabits per second and 158.2 million packets per second on February 23, 2023. According to Akamai, the attack was powerful and brief, with its peak lasting approximately one minute, which is consistent with current patterns in DDoS attacks. The company handled the attack by redirecting the garbage traffic to its scrubbing network, most of which ended up in centers in Hong Kong, Tokyo, São Paulo, Singapore, and Osaka. A scrubbing network is a DDoS mitigation technique that uses a distributed infrastructure with multiple strategically located centers to filter incoming traffic and drop unwanted requests before they reach the target's network. This article continues to discuss the record-breaking DDoS attack recently mitigated by Akamai and other record-holding DDoS attacks.

    Bleeping Computer reports "Akamai Mitigates Record-Breaking 900Gbps DDoS Attack in Asia"

  • news

    Visible to the public "Xenomorph Android Banking Trojan Returns with a New and More Powerful Variant"

    ThreatFabric's most recent research reveals that a new variant of the Android banking Trojan known as Xenomorph has been seen in the wild. Hadoken Security Group, the threat actor behind the operation, dubbed the updated version "Xenomorph 3rd generation" since it includes additional features that allow it to conduct financial fraud seamlessly. According to the security firm, this new version adds numerous capabilities to an already feature-rich Android banker, including an extensive runtime engine powered by Android Accessibility services, which the actors use to implement a complete Automated Transfer System (ATS) framework, that is, automated initiation of fraudulent transactions from within the victim's banking app. A year ago, in February 2022, Xenomorph was discovered targeting 56 European banks through dropper apps available on the Google Play Store. In contrast, the most recent version of the banker, which has a website promoting its capabilities, aims to target over 400 banking and financial institutions and various cryptocurrency wallets. This article continues to discuss findings regarding the Xenomorph 3rd generation Trojan.

    THN reports "Xenomorph Android Banking Trojan Returns with a New and More Powerful Variant"

  • news

    Visible to the public "IceFire Ransomware Portends a Broader Shift From Windows to Linux"

    Hackers have launched the IceFire ransomware against Linux enterprise networks, a notable change for malware that was once exclusive to Windows. According to a report by SentinelOne, this may reflect an emerging trend. Ransomware actors have increasingly targeted Linux systems in recent cyberattacks, which is significant because, compared to Windows, Linux is more difficult to launch ransomware against at scale, according to Alex Delamotte, security researcher at SentinelOne. IceFire, first discovered in March of last year, is a ransomware variant consistent with other Big-Game Hunting (BGH) ransomware families, according to Delamotte. BGH ransomware is characterized by double extortion, targeting of large companies, multiple persistence tactics, and log file deletion to evade analysis. IceFire was formerly restricted to Windows-based systems, but its most recent attacks have targeted Linux-based enterprise networks. This article continues to discuss the shift in OS targeting by the IceFire malware.

    Dark Reading reports "IceFire Ransomware Portends a Broader Shift From Windows to Linux"

  • news

    Visible to the public "5 Best Practices from Industry for Implementing a Zero Trust Architecture"

    Researchers at Carnegie Mellon University (CMU) have detailed five zero trust best practices. When undertaking a zero trust transformation, it is crucial to develop and maintain a comprehensive inventory of Data, Applications, Assets, and Services (DAAS), in accordance with the National Security Telecommunications Advisory Committee (NSTAC) and Department of Defense (DOD) Zero Trust Reference Architecture. This inventory helps organizations understand their enterprise architecture baseline and the steps needed for the transformation. Logging and auditing of the inventory are key components of establishing dynamic zero trust policies. To reach optimal maturity, organizations are advised to use automation, orchestration, and Application Programming Interfaces (APIs). Ideal zero trust maturity includes continuous identity validation, device monitoring and validation, encrypted traffic, and dynamic data policies. Without automation and APIs, it is much more difficult to effectively execute the recommended practices for implementing a zero trust architecture. According to the researchers, automation and APIs help with collecting and updating the inventory, auditing and logging, implementing security guardrails as part of governance and risk management, and using cloud and virtual solutions that must communicate automatically with multiple other inventory components in order to function. This article continues to discuss best practices from industry for implementing a zero trust architecture.

    Carnegie Mellon University reports "5 Best Practices from Industry for Implementing a Zero Trust Architecture"

  • news

    Visible to the public "SAFECOM and NCSWIC Release LLA and LLE: Are You Really Secure?"

    The US Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) is drawing attention to whether Land Mobile Radio (LMR) systems are truly secure. Most Project 25 (P25) radio systems include built-in safeguards, but the availability of software key generators and other attack vectors used by threat actors calls for the adoption of newer P25 features to ensure the security of P25 communications. Link Layer Security (LLS) features such as Link Layer Authentication (LLA) and Link Layer Encryption (LLE) have gained attention from manufacturers and users seeking to improve communications security over the years. The whitepaper titled "LLA and LLE: Are You Really Secure?" describes these features and their impact on safeguarding public safety communications, and presents a case study illustrating why they should be used to provide added protection for LMR systems. This article continues to discuss the release of the whitepaper on LLA and LLE.

    CISA reports "SAFECOM and NCSWIC Release LLA and LLE: Are You Really Secure?"