News Items

At the DEF CON hacker conference, white hat hackers demonstrated how to spoof an Apple device and deceive users into divulging sensitive information. Conference attendees who use iPhones saw pop-up messages prompting them to connect their Apple ID or share their password with a nearby Apple TV. The messages were part of a study conducted by security researcher Jae Bochs. According to Bochs, data was not collected during the experiment. He was sending out Bluetooth Low Energy (BLE) advertisement packets that do not require pairing. He used inexpensive equipment consisting of a Raspberry Pi Zero 2 W, two antennas, a Bluetooth adapter compatible with Linux, and a portable battery. This article continues to discuss the demonstrated spoofing of an Apple device that could trick users into sharing their sensitive data.

Security Affairs reports "Spoofing an Apple Device and Tricking Users Into Sharing Sensitive Data"

INTERPOL and AFRIPOL coordinated an operation across 25 African countries that led to the arrest of 14 suspected cybercriminals and the identification of 20,674 suspicious cyber networks, underscoring the rise of digital insecurity and cyber threats in the region. The identified networks were linked to losses of over $40 million. The four-month Africa Cyber Surge II operation centered on identifying cybercriminals and compromised infrastructure. It facilitated communication, provided analysis, and shared intelligence between countries. Cooperation was streamlined between African law enforcement agencies through the operation in order to prevent, mitigate, investigate, and disrupt cyber extortion, phishing, Business Email Compromise (BEC), and more. This article continues to discuss highlights from the operation.

HSToday reports "Thousands of Illicit Cyber Networks Disrupted in Africa Operation"

According to US intelligence agencies, unnamed Foreign Intelligence Entities (FIEs) are escalating cyberattacks against US-based space companies. The FBI, the National Counterintelligence and Security Center (NCSC), and the Air Force Office of Special Investigations (AFOSI) recently released an advisory warning of cyberattacks on the space industry. The agencies noted that FIEs recognize the significance of the commercial space industry to the US economy and national security, as well as the rising dependence of critical infrastructure on space-based assets. They consider the innovation and assets of the US in space as both potential threats and opportunities to acquire critical technologies and expertise. FIEs gain access to the US space industry through cyberattacks, strategic investments, and targeting key supply chain nodes, among other methods. This article continues to discuss the increase in cyberattacks on the US space industry by FIEs.

The Record reports "FBI, Air Force Warn of Cyberattacks on Space Industry by 'Foreign Intelligence Operations'"

The National Security Agency (NSA), Cybersecurity and Infrastructure Security Agency (CISA), and National Institute of Standards and Technology (NIST) issued a warning that cyber actors could target the US' most sensitive information now and use future quantum computing technology to break traditional cryptographic algorithms that are not quantum-resistant. This could be especially detrimental for sensitive data with long-term confidentiality requirements. The joint Cybersecurity Information Sheet (CSI), titled "Quantum-Readiness: Migration to Post-Quantum Cryptography," helps the Department of Defense (DoD), National Security System (NSS) owners, the Defense Industrial Base (DIB), and others in protecting the confidentiality, integrity, and authenticity of sensitive information. This article continues to discuss the CSI on migrating to post-quantum cryptography.

NSA reports "Post-Quantum Cryptography: CISA, NIST, and NSA Recommend How to Prepare Now"

The BlackCat/ALPHV ransomware group has added Seiko to its leak website, claiming responsibility for a cyberattack disclosed by the Japanese company. Seiko is one of the largest and oldest watchmakers in the world, with around 12,000 employees and an annual revenue of more than $1.6 billion. On August 10, 2023, the company published a data breach notice revealing that an unauthorized third party accessed or exfiltrated data from at least a part of its Information Technology (IT) infrastructure. The BlackCat ransomware group claimed responsibility for the attack on Seiko, posting samples of the data stolen during the attack. In the listing, the threat actors leak what appear to be production plans, employee passport scans, new model release plans, and specialized lab test results. This article continues to discuss the cyberattack on Seiko and the BlackCat ransomware gang claiming to have been behind it.

Bleeping Computer reports "Japanese Watchmaker Seiko Breached by BlackCat Ransomware Gang"

According to IRONSCALES and Osterman Research, specialized email security vendors are leveraging a combination of Artificial Intelligence (AI) and human insights to improve email security and combat emergent threat methods enhanced by AI. The threat posed by AI-generated email attacks is expected to increase exponentially. More than 74 percent of respondents have witnessed an increase in the use of AI by cybercriminals over the past six months, and more than 85 percent believe that AI will be used to bypass their existing email security technologies. Seventy-seven percent of organizations now rank email security among their top three priorities, and almost all of the security leaders surveyed predict that AI will be moderately or extremely important to their future email defenses. This article continues to discuss cybercriminals using AI in email attacks, strengthening defenses with AI-enabled email security solutions, and organizations still relying on human insights for complementary protection.

Help Net Security reports "Organizations Invest in AI Tools to Elevate Email Security"

Tesla has recently disclosed a data breach impacting roughly 75,000 people, but the incident is the result of a whistleblower leak rather than a malicious cyberattack. Tesla recently told US authorities that a data breach discovered in May resulted in the exposure of the personal information, including social security numbers, of more than 75,700 individuals. A notification letter sent to impacted people reveals that the data breach is related to a couple of former employees sending confidential information to German media outlet Handelsblatt. Tesla said the ex-workers "misappropriated the information in violation of Tesla's IT security and data protection policies." The compromised information includes names, contact information, and employment-related records associated with current and former employees. Impacted individuals are being offered credit monitoring and identity protection services. The leak came to light in May when Handelsblatt reported that it had received 100 Gb of confidential Tesla data from a whistleblower. The leaked files, dubbed "Tesla Files," reportedly included information on more than 100,000 current and former employees, customer bank details, production secrets, and customer complaints regarding driver assistance systems. Handelsblatt has assured Tesla that it does not intend to publish the personal data provided by the whistleblower. Tesla stated that the chances of the exposed data being misused are slim, given the circumstances of the incident.

SecurityWeek reports: "Tesla Discloses Data Breach Related to Whistleblower Leak"

Advanced smartphone features entice users who want more from their devices, especially in regard to health and entertainment, but the question is whether these features pose a security risk when making or receiving actual calls. A team of researchers from Texas A&M University and four other institutions developed malware to answer that question. The researchers' malware, dubbed EarSpy, uses Machine Learning (ML) algorithms to filter caller information from ear speaker vibration data recorded by an Android smartphone's motion sensors without evading protections or needing user permissions. This article continues to discuss the malware created by academic researchers that shows how call security can be compromised in three areas.

Texas A&M University reports "Research Hack Reveals Call Security Risk in Smartphones"

Due to their complexity, hybrid cyber threats are dangerous. Oftentimes, cyberattacks are accompanied by an information component designed to achieve specific objectives, such as misleading the public or convincing them of things favorable to the nation launching the attack. The cybersecurity experts and professionals, Dr. Darius Stitilis and Associate Professor Marius Laurinaitis from Mykolas Romeris University (MRU), along with Professor Matthew Warren, the Director of the Cyber Security Center at the Royal Melbourne Institute of Technology (RMIT) in Adelaide, Australia, are sharing their insights on new generation hybrid threats and the need to expand the application of the hybrid threat model developed within the European Union (EU) beyond its borders. This article continues to discuss insights on combating hybrid cyberattacks.

Mykolas Romeris University reports "MRU Researchers Share Insights on How to Combat Hybrid-Cyber-Attacks"

Hackers recently managed to break into a US Air Force satellite in orbit and took home prizes of up to $50,000 for exposing the vulnerabilities. Italian team "mHACKeroni" were the winners of the US Space Force annual "Hack-A-Sat" competition, which took place at the hacker international conference DEF CON in Las Vegas on Friday and Saturday. The event was designed to figure out gaps in US cyber defenses before they can be exploited by rival states like Russia and China. For the first time, the hackers were asked to attack a real satellite in space, the US Air Force Moonlighter, which was deployed specifically for the event. Five teams were picked out of more than 700 applicants to strategically hack into the satellite. The participants aimed to break in and build a data link to the satellite while keeping competing teams out. The Italian team beat last year's winners, Poland-based "Poland Can Into Space." They came second and won $30,000, while the UK-US joint team "jmp fs:[rcx]" took $20,000 home. While the event had a decidedly fun-and-games tone to it, it reflects a serious and growing security threat. Satellite hacking can cause real geopolitics problems.

Business Insider reports: "Hackers Figured Out 3 separate Ways to Break Into US Air Force Satellites, And Won up to $50K For Doing it"

SentinelOne observed Bronze Starlight, also known as APT10, Emperor Dragonfly, and Storm-0401, an Advanced Persistent Threat (APT) group with ties to China, targeting the Southeast Asian gambling sector. The malware and infrastructure used in the campaign are similar to those observed in Operation ChattyGoblin, which the security company ESET attributed to threat actors linked to China. According to SentinelOne, the threat actors used DLL hijacking of executables of Adobe Creative Cloud, Microsoft Edge, and McAfee VirusScan executables to launch Cobalt Strike beacons. Bronze Starlight is a nation-state group known for using ransomware as a distraction or misattribution technique. The perpetrators used modified chat application installers to download .NET malware loaders. The loaders then retrieve a second-stage payload contained in a password-protected ZIP archive from Alibaba buckets. This article continues to discuss the ongoing campaign attributed to China-linked Bronze Starlight targeting the Southeast Asian gambling sector.

Security Affairs reports "Bronze Starlight Targets the Southeast Asian Gambling Sector"

Open source software development automation server Jenkins recently announced patches for high and medium severity vulnerabilities impacting multiple plugins. The patches address three high severity cross-site request forgery (CSRF) and cross-site scripting (XSS) issues in the Folders, Flaky Test Handler, and Shortcut Job plugins. Jenkins noted that the first bug, tracked as CVE-2023-40336, exists because no POST requests were required for an HTTP endpoint in version 6.846.v23698686f0f6 and earlier of the Folders plugin, leading to CSRF. This vulnerability allows attackers to copy an item, which could potentially automatically approve unsandboxed scripts and allow the execution of unsafe scripts. The second high severity bug, CVE-2023-40342, impacts Flaky Test Handler plugin versions 1.2.2 and earlier, which do not escape JUnit test contents when they are displayed in the Jenkins UI, allowing attackers to perform XSS attacks. Jenkins noted that Shortcut Job plugin versions 0.4 and earlier do not escape the shortcut redirection URL, leading to an XSS flaw tracked as CVE-2023-40346. Another high severity XSS flaw was identified in Docker Swarm plugin versions 1.11 and earlier, which do not escape values returned from Docker before they are inserted into the Docker Swarm Dashboard view. However, no patch was released for this bug. Jenkins also recently announced fixes for medium-severity vulnerabilities in the Folders, Config File Provider, NodeJS, Blue Ocean, Fortify, and Delphix plugins. According to Jenkins, these flaws could lead to information disclosure, credential leaks, CSRF attacks, HTML injection, and credential ID enumeration. Fixes were included in Blue Ocean version 1.27.5.1, Config File Provider version 953.v0432a_802e4d2, Delphix version 3.0.3, Flaky Test Handler version 1.2.3, Folders version 6.848.ve3b_fd7839a_81, Fortify version 22.2.39, NodeJS version 1.6.0.1, and Shortcut Job version 0.5. Additionally, Jenkins warned that no patches have been released for three medium severity flaws in the Maven Artifact ChoiceListProvider (Nexus), Gogs, and Favorite View plugins that could lead to credential exposure, information disclosure, and CSRF attacks.

SecurityWeek reports: "Jenkins Patches High-Severity Vulnerabilities in Multiple Plugins"

Researchers have discovered how to manipulate the iPhone's user interface to fake airplane mode while secretly maintaining Internet connectivity. Jamf Threat Labs detailed in a new report how the code controlling the different elements of iOS 16's airplane mode experience can be manipulated to simulate the real thing. They say that mobile device attackers could use this technique post-exploitation to enable 24/7 persistence without the user's knowledge. According to Jamf's vice president of portfolio strategy, Michael Covington, this is a different form of social engineering attack in which the user is duped into believing something that is false. This article continues to discuss the research on how mobile attackers could deceive iPhone users and provide the ideal cover for post-exploitation malicious activity.

Dark Reading reports "Researchers Trick an iPhone Into Faking Airplane Mode"

According to security researchers at TRM Labs, North Korea has stolen around $200 million in cryptocurrencies across 30 hacks so far in 2023, less than in 2022 but still a sum "10 times larger than attacks by other actors." The researchers noted that although this year has witnessed a considerable downturn in crypto hacks, largely attributable to the decrease in digital asset prices and the ongoing bear market, many cybercriminal groups remain undeterred. North Korean state-affiliated hacking groups were one of the most prolific actors in 2022, a record-breaking year for hacks, with nearly $4 billion stolen. In June, the Wall Street Journal reported the nation had netted more than $3 billion over the last five years, with stolen digital currency funding about 50% of the country's ballistic missile program. The researchers at TRM Labs puts that figure at $2 billion. U.S. officials say the North Korean government relies on a workforce of thousands of IT workers operating worldwide, including in China and Russia, earning as much as $300,000 a year. Officials noted that the operations also rely on "front people" who will apply for jobs at crypto firms and then make small changes to products to allow them to be hacked or slip malicious code to employees at targeted companies. The researchers at TRM Labs stated that although the proceeds from North Korean crypto hacks are down around 75% so far in 2023 compared with last year, the country is still responsible for over 20% of all crypto stolen so far this year. The most lucrative hack in 2023 targeted a non-custodial wallet provider called Atomic Wallet.

Forune reports: "North Korean Cybercriminals Have Already Stolen $200 Million in Crypto Hacks in 2023"

Researchers are trying to keep up with hackers and prevent data theft. Some standard tools include multi-factor authentication (MFA) systems, fingerprint technology, and retinal scans. Automatic speaker identification, which uses a person's voice as a passcode, is a type of security system growing in popularity. These systems, already in place for phone banking and other applications, effectively detect digitally-manipulated attempts to fake a user's voice. However, digital security engineers at the University of Wisconsin-Madison have discovered that these systems are not as foolproof in the face of an innovative analog attack. They found that speaking through customized PVC pipes, commonly found in hardware stores, can trick Machine Learning (ML) algorithms supporting automatic speaker identification systems. This article continues to discuss the method of defeating automatic speaker identification systems using the type of PVC pipe found at any hardware store.

The University of Wisconsin-Madison reports "Down the Tubes: Common PVC Pipes Can Hack Voice Identification Systems"

Adlumin security researchers are warning of the Play ransomware group targeting security Managed Service Providers (MSPs) to gain initial access and exploit up to five-year-old security appliance vulnerabilities. According to Kevin O'Connor, director of threat research at Adlumin, it is a clever tactic to attack companies via their security vendor. Cyber defenders find it difficult to detect the attack because it initially masquerades as legitimate administrative access and grants attackers unrestricted access to the target's network and Infomation Technology (IT) assets. According to the security firm, the gang also uses intermittent encryption to avoid triggering defenses that check for entire file modifications. The latest campaign targets the financial, software, legal, and logistics industries in the US, Australia, the UK, and Italy. The Play ransomware group is responsible for cyberattacks on the city of Oakland, the Judiciary of Cordoba in Argentina, and more. TrendMicro reported that the group's activities are similar to those of the ransomware groups Hive and Nokoyawa, indicating a possible affiliation. This article continues to discuss the Play ransomware group's history and most recent campaign.

BankInfoSecurity reports "Play Ransomware Using MSPs and N-Days to Attack"

A new cybersecurity technology that relies on the unique digital fingerprint of a semiconductor chip could help defend the equipment of electrical utilities from malicious attacks in which software updates are exploited on devices controlling critical infrastructure. The GridTrust project, successfully tested in a US municipal power system substation, combines the digital fingerprint with cryptographic technology to enhance security for utilities and other critical industrial systems that must update control device software or firmware. The project was led by researchers at the Georgia Institute of Technology (Georgia Tech) in collaboration with the City of Marietta, Georgia. It was supported by the US Department of Energy's Office of Cybersecurity, Energy Security, and Emergency Response (CESER). Researchers from Sandia National Laboratories and Protect Our Power, a security-focused not-for-profit organization, also contributed to the project. This article continues to discuss the GridTrust project.

Georgia Tech reports "GridTrust Helps Protect the Nation's Electric Utilities from Cyber Threats"

Researchers have discovered an extensive campaign that distributed proxy server apps to at least 400,000 Windows systems. The devices function as residential exit nodes without the users' permission. A company is charging for the proxy traffic running through the systems. Residential proxies are advantageous to cybercriminals because they facilitate the deployment of massive credential stuffing attacks from new IP addresses. Additionally, they serve legitimate functions such as ad verification, data scraping, website testing, and privacy-enhancing rerouting. Some proxy companies sell access to residential proxies and offer monetary incentives to users who agree to share their bandwidth. This article continues to discuss findings and observations regarding the 400,000 proxy botnet.

Bleeping Computer reports "Massive 400,000 Proxy Botnet Built With Stealthy Malware Infections"

According to Aqua Nautilus researchers, Microsoft's PowerShell Gallery poses a software supply chain risk due to its relatively weak protection against attackers uploading malicious packages to the online repository. Recent testing of the repository's policies regarding package names and owners revealed that a threat actor could easily exploit them to spoof legitimate packages and make it difficult for users to identify a true package owner. This article continues to discuss the software supply chain risk posed by Microsoft's PowerShell Gallery.

Dark Reading reports "PowerShell Gallery Prone to Typosquatting, Other Supply Chain Attacks"

Many highly sophisticated systems, such as those that power drones, fighter jets, and even secure authentication programs, are custom software developed at great expense. It is not as simple as downloading the latest software patch and clicking "Install" to update them. It often requires an expensive and time-consuming rewrite or reverse engineering process. Therefore, Georgia Tech engineers, computer scientists, and cybersecurity researchers are working to accelerate the process with a Defense Advanced Research Projects Agency (DARPA)-funded project. Their goal is to unpack these legacy systems, incorporate updates, and redeploy them in weeks or months as opposed to years. About halfway through the five-year project, the team has a prototype pipeline that automates significant portions of the process using Georgia Tech-developed software analysis techniques. This article continues to discuss the DARPA-funded effort to update critical defense software.

Georgia Tech reports "'Distilling' Outdated Software Could Save Defense Dept. Millions in Time and Money"

A missing piece of electronic equipment at Jefferson Health's hospital in Cherry Hill may have compromised the personal information of some of its patients, the health care provider recently revealed. Jefferson Health said it began mailing letters Tuesday to alert patients whose information may have been involved in a potential breach it describes as a "recent privacy incident." According to the hospital, the possible privacy breach involved a backup DEXA scan drive that contained partial information about patients. The hospital did not provide the number of patients that may have been impacted there but said the potential breach was recognized by a maintenance technician working on the machine. Jefferson said the information on the drive could be viewable and would include names, dates of birth, medical record numbers, the dates of studies, and, in some cases, mailing addresses. However, the hospital noted that other sensitive patient information, such as Social Security numbers, driver's licenses, phone numbers, and insurance numbers, are only viewable with the appropriate credentials, exact system software, and additional technology.

Courier Post reports: "Jefferson Cherry Hill Warns of Possible Data Breach. What Info May Have Been Exposed?"

An analysis of 3.5 million business assets revealed that most Internet-exposed web apps containing Personal Identifiable Information (PII) are vulnerable to cyberattacks. Hackers use PII for financial, credential, and phishing-related attacks. Seventy-four percent of the web apps the security company CyCognito examined contain PII vulnerable to at least one known major exploit, such as Apache Superset, Papercut, or MOVEit. The report discovered that 11 percent of vulnerable assets had multiple "easily exploitable" flaws, including misconfiguration, lack of secure HTTPS encryption, and the absence of a Web Application Firewall (WAF). According to the report, the average enterprise has over 12,000 web apps, of which at least 30 percent, or more than 3,000 assets, contain at least one exploitable or high-risk vulnerability. This article continues to discuss key findings from CyCognito's analysis.

SC Magazine reports "Web App Warning: 74% Of Apps With PII Are Vulnerable to a 'Major Exploit'"

OpenAI, Google, Meta, and other companies tested their Large Language Models (LLMs) at the DEF CON hacker conference. Results from the event have provided the White House Office of Science and Technology Policy and the Congressional AI Caucus with a new corpus of information. The Generative Red Team Challenge, organized by AI Village, SeedAI, and Humane Intelligence, provides greater insight into the potential misuse of generative Artificial Intelligence (AI) and what methods could secure it. During the challenge, hackers were tasked with forcing generative AI to produce personal or harmful information, contrary to its intended function. The AI Village team is still analyzing the event's data and expects to present it in September 2023. This article continues to discuss the Generative Red Team Challenge influencing AI security policy, the vulnerabilities LLMs are likely to have, and how to prevent these vulnerabilities.

TechRepublic reports "DEF CON Generative AI Hacking Challenge Explored Cutting Edge of Security Vulnerabilities"

Google recently announced the release of Chrome 116 to the stable channel with patches for 26 vulnerabilities, including 21 reported by external researchers. Of the externally reported bugs, eight have a severity rating of "high," with most of them being memory safety issues. Based on the bug bounty reward paid out, the most important of these is CVE-2023-2312, a use-after-free flaw in the Offline component. Google noted that the reporting researcher was awarded a $30,000 bounty for the finding. Next in line is CVE-2023-4349, a use-after-free issue in Device Trust Connectors, followed by an inappropriate implementation in Fullscreen (CVE-2023-4350), and a use-after-free bug in Network (CVE-2023-4351), for which Google paid out bounties of $5,000, $3,000, and $2,000, respectively. Google noted that the remaining four high-severity vulnerabilities that Chrome 116 resolves include a type confusion flaw in the V8 JavaScript engine, a heap buffer overflow bug in ANGLE, another in Skia, and an out-of-bounds memory access issue in the V8 engine. These issues were reported by researchers at Google Project Zero and Microsoft Vulnerability Research, and, per Google's policy, no bug bounty reward will be issued for them. Google stated that all the remaining externally-reported vulnerabilities addressed in Chrome 116 are medium-severity: six inappropriate implementation bugs, three use-after-free issues, two insufficient policy enforcement flaws, one insufficient validation of untrusted input, and one heap buffer overflow vulnerability. Overall, Google gave the reporting researchers $63,000 in bug bounty rewards. The internet giant does not mention any of these vulnerabilities being exploited in attacks. The latest Chrome iteration is rolling out as version 116.0.5845.96 for Mac and Linux and as versions 116.0.5845.96/.97 for Windows.

SecurityWeek reports: "Chrome 116 Patches 26 Vulnerabilities"