News Items

Microsoft has issued a warning that some Windows 10 users may experience the Blue Screen of Death (BSOD) after installing its latest "Patch Tuesday" security updates. The company disclosed that the blue screen issue could affect some users who downloaded the KB5021233 update as part of this month's security patches. Initially, KB5021233 was meant to remedy an issue impacting the Camera app after users reported that the program ceases to respond when memory is low. According to the company, the BSOD issue has affected users running Windows 10 versions 22H2, 21H2, 21H1, and 20H2. The BSOD and error code 0xc000021a have prevented affected customers from using their devices. Microsoft disclosed that it is actively working on a fix for the problem and will publish an upgrade in a forthcoming version. However, for consumers currently affected by the issue, the company provided a temporary solution involving the Windows Recovery Environment (WinRE). This article continues to discuss the BSOD issue encountered by some Windows 10 users after installing the KB5021233 update in Microsoft's latest Patch Tuesday and how affected users can mitigate this issue until an official resolution is provided.

ITPro reports "Windows 10 Users Encounter 'Blue Screen of Death' After Latest Patch Tuesday Update"

According to researchers at Flashpoint, a recently identified information stealer named "RisePro" is being distributed by pay-per-install malware downloader service "PrivateLoader." RisePro is written in C++ and harvests potentially sensitive information from the compromised machines and then attempts to exfiltrate it as logs. The researchers noted that RisePro was initially spotted on December 13, featured on a cybercrime marketplace called Russian Market, where cybercriminals upload and sell logs exfiltrated using stealers. The researchers stated that the malware appears to be based on Vidar stealer, which has been analyzed several times in the past. Vidar is known for downloading a series of dependencies and configuration settings from its command-and-control (C&C) server. The infostealer was cracked in 2018, and several clones were seen in the past, including the "Oski" and "Mars" stealers. The researchers noted that they have seen RisePro using dropped dynamic link library (DLL) dependencies that Vidar uses, and the malware's analysis suggests that it is very likely a clone of Vidar. However, RisePro also shows similarities with other information stealers out there.

SecurityWeek reports: "New RisePro Infostealer Increasingly Popular Among Cybercriminals"

Researchers at Cyble Research and Intelligence Labs have identified two phishing sites, one masquerading as a Cisco webpage and the other as a Grammarly site, which threat actors are using to deliver a severe piece of malware known as "DarkTortilla." The .NET-based malware can be modified to deliver numerous payloads and is notorious for its quiet and persistent behavior on compromised systems. Since at least 2015, multiple threat groups have used DarkTortilla to distribute information stealers and Remote Access Trojans (RATs), such as AgentTesla, AsyncRAT, and NanoCore. Additionally, some ransomware gangs, such as the operators of Babuk, have incorporated DarkTortilla into their payload delivery chain. In several of these efforts, attackers have largely employed spam emails with malicious file attachments to infect unsuspecting users with the malware. Cyble's analysis of the payload revealed that the malware is packed with features for persistence, process injection, performing antivirus and virtual machine/sandbox checks, displaying fake messages, connecting with its command-and-control (C2) server, and downloading additional payloads. DarkTortilla places a duplicate of itself into the system's Startup folder and creates Run/Winlogin registry entries to ensure persistence on infected systems. DarkTortilla creates a subdirectory and copies itself into it as an additional persistence method. DarkTortilla's fake message feature serves up messages to deceive victims into believing the Grammarly or Cisco application they wanted could not be executed due to missing necessary application components. This article continues to discuss the spread of DarkTortilla malware through spoofed Grammarly and Cisco sites.

Dark Reading reports "Sophisticated DarkTortilla Malware Serves Imposter Cisco, Grammarly Pages"

Threat actors have uploaded on PyPI a malicious Python package named 'SentinelOne' that masquerades as the authentic Software Development Kit (SDK) client for a reputable American cybersecurity company, but actually steals data from developers. The package provides the requested functionality, which is access to the SentinelOne Application Programming Interface (API) from another project. However, this package has been Trojanized to collect sensitive information from infected developer systems. ReversingLabs found the attack, confirmed the malicious behavior, and reported the package to SentinelOne and PyPI, resulting in the package's removal. Since its initial upload to PyPI on December 11, 2022, the malicious SentinelOne package has been updated twenty times. According to the researchers, the package is considered to be a replica of the legitimate SentinelOne SDK python client, and the threat actor updated it to enhance and repair its malicious capability. All released versions of the malware package have been downloaded more than 1,000 times from PyPI. This article continues

Bleeping Computer reports "Malicious 'SentinelOne' PyPI Package Steals Data From Developers"

Titaniam recently surveyed corporate security professionals for insight into their predictions regarding cyberattack pattern trends in 2023. In 2023, large organizations will be the primary target of cyberattacks, as threat actors broaden their targeting strategies. Forty-one percent of the respondents predicted this to be the case, with financial institutions (36 percent), government (14 percent), healthcare (9 percent), and education (8 percent) being the top targets. Findings from the survey suggest that the rapid rate of development has introduced new vulnerabilities into corporate networks, making them a more desirable target for cybercriminals. Large firms are embracing more cloud services, gathering data, pushing code into production faster, and linking apps and systems via Application Programming Interfaces (APIs) in order to compete in the digital marketplace. As a result, attackers can exploit numerous misconfigured services, unprotected databases, poorly tested applications, and unknown and insecure APIs. Malware (30 percent), ransomware and extortion (27 percent), insider threats (26 percent), and phishing (17 percent) comprised the top four threats in 2022. The study indicated that malware (40 percent) is anticipated to be the greatest risk for businesses in 2023, followed by insider threats (26 percent), ransomware and related extortion (21 percent), and phishing (16 percent). However, organizations are more concerned about malware in 2023 than they were in 2022. It is essential to recognize that various threats may overlap, as insiders could be involved in ransomware attacks, phishing may be a source of malware, and more. In an effort to surprise and surpass security teams who have strengthened ransomware protections and phishing detection, attackers are adapting their techniques. They are employing new malware, such as loaders, information stealers, and wipers, to expedite attacks, steal critical information, and cause chaos. They also purchase and steal employee credentials to gain access to business networks. This article continues to discuss key findings from Titaniam's survey of security professionals on cyberattack trend predictions for 2023.

Continuity Central reports "Survey Looks at Enterprise Security Priorities for 2023"

Critical infrastructure companies are experiencing an increase in cyberattacks, prompting organization executives to strengthen their security postures beyond perimeter security. As patient safety is at stake, healthcare organizations cannot afford to be vulnerable to expanding cyber threats. According to a report released by Vanson Bourne on behalf of Imprivata, it will be essential for healthcare organizations to prioritize security outside the firewall. Researchers surveyed 760 Information Technology (IT) security experts in the healthcare, banking, manufacturing, and pharmaceutical industries to identify areas where current security measures and compliance strategies might be improved. The present IT world is nothing like it was a decade ago. IT infrastructures have evolved into complex ecosystems that exist beyond well-defined perimeters in order to establish new services, facilities, and locations, as well as maximize existing investments and keep up with numerous users, roles, and applications. The latest findings reveal that almost 99 percent of security leaders have faced a cyberattack in the last year. Cyberattacks generally result in monetary losses due to ransom payments and increased cyber insurance costs. However, the implications for the healthcare industry may extend to patient care. Roughly three out of every ten healthcare delivery firms indicated that a cyberattack resulted in diverted patient care. Additionally, 31 percent claimed that cyberattacks had been related to poor patient outcomes coming from delayed operations and examinations. This article continues to discuss key findings from the survey of IT security leaders in healthcare, finance, manufacturing, and pharmaceutical industries.

HealthITSecurity reports "Healthcare Cybersecurity Measures Must Go Beyond Perimeter Security"

Protecting against phishing, malware, and other cyber threats is a significant cybersecurity problem for any organization, but when a company has over 20,000 workers and operates a service used by nearly a billion people, the challenge becomes considerably more difficult. LinkedIn, the world's largest professional network, has over 875 million members, ranging from entry-level professionals to high-level executives, who use it to network with colleagues and peers, share ideas, and find new employment opportunities. LinkedIn's Threat Detection and Incident Response team is responsible for ensuring its systems' security against various developing cyber threats. It is common knowledge that skilled hacking groups have prominent firms such as LinkedIn in their sights, whether they are attempting to fool users into clicking phishing links or installing malware through manipulative social engineering attacks. LinkedIn's Moonbase program sought to improve threat identification and incident response while enhancing the quality of life for LinkedIn's security analysts and engineers by automating file and server log examination. Between March and September 2022, LinkedIn reconstructed its threat detection and monitoring capabilities, as well as its Security Operations Center (SOC). This process began with reevaluating how potential threats are initially examined and recognized. Jeff Bollinger, the company's director of incident response and detection engineering, emphasizes that it is essential for every team and program to begin with an accurate threat model, as it is important to identify the actual risks facing the organization. This awareness begins with an analysis of the data that need protection the most, such as intellectual property, customer information, and information governed by laws or regulations. This article continues to discuss how LinkedIn made its cybersecurity operations more effective.

ZDNet reports "LinkedIn Has Massively Cut the Time It Takes to Detect Security Threats. Here's How It Did It"

The Cybersecurity and Infrastructure Security Agency (CISA) and the FBI co-chaired the second meeting of the Joint Ransomware Task Force (JRTF), an inter-agency organization created by Congress to unify and bolster efforts against ransomware attacks. The initial JRTF meeting took place in September 2022. During the second meeting, the JRTF discussed measures and activities intended to reduce the prevalence and effect of ransomware attacks. JRTF members reviewed Working Group initiatives, such as victim assistance, measurement, partner involvement, continuous improvement, intelligence integration, and campaign coordination. This article continues to discuss key points made during the second JRTF meeting.

HSToday reports "CISA, FBI Hold Second Meeting of Joint Ransomware Task Force"

Meta has recently revealed that it has taken down over 200 covert influence operations on its platforms since 2017. Meta, which owns Facebook, Instagram, and WhatsApp, said these networks were disrupted for violating its Coordinated Inauthentic Behavior (CIB) policy. Meta noted that the deceptive networks originated from 68 countries and operated in at least 42 languages. Only a third of them solely targeted audiences outside of their own countries, with the majority focusing on people within their own borders. The most common location for CIB networks was Russia (34), followed by Iran (29) and Mexico (13). Meta noted that Russian operations targeted Ukraine most often, followed by Africa and the United States. Meta stated that Russian influence operations were run by a variety of actors, such as individuals with links to the Russian military and military intelligence, marketing firms, and entities associated with a sanctioned Russian financier. Tactics ranged from writing spammy comments to running fictitious cross-platform media entities that hired real journalists to write for them. Meta stated that Iranian campaigns since 2021 focused mainly on politics in the target country, with the perpetrators linked to smaller groups, like academics or people with a background in teaching English as a foreign language. In contrast, Meta noted that most CIB networks originating in Mexico focused on local audiences, often relating to local elections. Overall, the US was the most targeted country by operations (34), followed by Ukraine (20) and the UK (16). In September 2022, Meta revealed it closed down two significant but unconnected disinformation operations originating in China and Russia, which attempted to influence public opinion in Western countries.

Infosecurity reports: "Meta Takes Down Over 200 Covert Influence Operations Since 2017"

The Office of Management and Budget (OMB) has released a new "progress report" on the condition of cybersecurity across federal agencies. The progress report offers new cyber metrics generated from the Federal Information Security Modernization Act (FISMA) metrics to the public and key stakeholders, including Congress. Notably, the cyber progress report may become a future Federal Information Technology Acquisition Reform Act (FITARA) Scorecard category, representing a form of development from the existing FISMA-centric cyber category. The new cybersecurity progress report category is a "preview" on the committee's most recent scorecard, meaning that it does not figure into the latest set of scores. The category offers each agency a percentage score for their cybersecurity progress, ranging from 68 percent for the Department of the Interior to 94 percent for the General Services Administration (GSA) on the most recent scorecard. In accordance with the National Institute of Standards and Technology's (NIST) Cybersecurity Framework, the metrics for this category are organized into the following five categories: Identify, Protect, Detect, Respond, and Recover. Except for the "Protect" category, which is weighted at 40 points, the percentage value total result of each category is weighted at 15 points. OMB stated that the Protect category has more weight than other categories since it contains more criteria, such as the adoption of multi-factor authentication (MFA) and data encryption. This article continues to discuss the progress report on the state of cybersecurity across federal agencies and the new FITARA Scorecard.

MeriTalk reports "OMB Drops New Cybersecurity Metrics in Time for FITARA Hearing"

Cisco has recently updated multiple security advisories to warn of the malicious exploitation of severe vulnerabilities impacting its networking devices. Many of the bugs, which carry severity ratings of "critical" or "high," have been addressed 4-5 years ago, but organizations that haven't patched their devices continue to be impacted. Last week, Cisco added exploitation warnings to more than 20 advisories detailing security defects in Cisco IOS, NX-OS, and HyperFlex software. Five of the updated advisories resolve critical-severity vulnerabilities that could allow remote attackers to execute arbitrary code (RCE), cause a denial-of-service (DoS) condition, or execute arbitrary commands. Carrying a CVSS score of 9.8, the exploited vulnerabilities are tracked as CVE-2017-12240, CVE-2018-0171, CVE-2018-0125, CVE-2021-1497, and CVE-2018-0147, and impact Cisco IOS and IOS XE, the RV132W and RV134W routers, HyperFlex HX, and Secure Access Control System (ACS). Cisco also updated 15 advisories that deal with high-severity flaws in Cisco IOS and IOS XE and one that addresses a high-severity arbitrary command execution issue in Small Business RV series routers. Cisco also updated several advisories detailing medium-severity bugs. The US Cybersecurity and Infrastructure Security Agency (CISA) added these vulnerabilities to its Known Exploited Vulnerabilities Catalog months ago, but there does not appear to be any information regarding the attacks exploiting many of these flaws. Organizations are advised to review the advisories and apply necessary patches as soon as possible.

SecurityWeek reports: "Cisco Warns of Many Old Vulnerabilities Being Exploited in Attacks"

A security researcher has discovered flaws in the online game Wordle, owned by the New York Times, that leak the answer to the daily word puzzle and expose its Application Programming Interface (API) to potential hackers. David Thompson, a security researcher at Noname Security, discovered the vulnerabilities using Google Chrome's built-in developer tool. Thompson discovered the daily answer with the assistance of a JSON-formatted API. Simply visiting the Wordle website, clicking the "network" tab in Chrome's developer tools, and then selecting the "Fetch/XHR" filter led to the solution. Clicking on JSON API with the current date in the "Requests" cell exposes an API GET request. Then by clicking the "Response" tab, the solution will be clearly displayed. Thompson also discovered a technique to find the solution to the following day's Wordle puzzle by using the command line interface to retrieve the JSON file for a different date. In addition to the solution, the returned information also includes the editor's name. When building and releasing APIs, the ability to acquire the information is a common error. In the instance of Wordle, the vulnerabilities violate the OWASP API Security Top 10 in terms of excessive data disclosure and broken function-level authorization. This article continues to discuss the API vulnerabilities found in Wordle.

SiliconANGLE reports "API Vulnerabilities in Wordle Exposed Answers, Opened the Door to Potential Hacking"

In November, the Internal Revenue Service (IRS) accidentally republished 112,000 taxpayer data records that were previously published due to a technical issue earlier in the year. An external contractor operating on behalf of the IRS and tasked with managing a database for the government agency is supposedly to blame for the incident. According to a letter sent to congressional leaders, the incident involves the upload of 990-T forms containing private information used by tax-exempt entities, including government entities and retirement accounts, to pay income tax on income coming from specific investments or that is unrelated to their exempt purpose. In September 2022, the IRS disclosed that Form 990-T data, which should not have been made public had been made available for download through its Tax Exempt Organization Search (TEOS). At the time, it deleted the files and planned to replace them in the future with updated versions. This time, a contractor reuploaded older files to the database containing the original data, rather than fresh files that ensured the forms were set to be kept private. The IRS had provided the contractor with the new data on November 23, but the contractor had not yet deleted the outdated files from their system. This article continues to discuss the exposure of 112,000 taxpayer records due to a contractor error.

ITPro reports "IRS Mistakenly Publishes 112,000 Taxpayer Records for the Second Time"

In recent years, threat actors have often employed Business Email Compromise (BEC) attacks to steal money from organizations. In a new development, cybercriminals are using these attacks to steal food shipments and ingredients from suppliers and distributors. The FBI and the Food and Drug Administration Office of Criminal Investigations (FDA OCI) issued an alert warning on December 16 that the attacks have been ongoing since at least the beginning of this year and have already caused hundreds of thousands of dollars in losses to various organizations. Although BEC is typically used to steal money, in these cases, the cybercriminals spoof emails and domains to impersonate employees of real firms to order food supplies, the two agencies stated in the joint cybersecurity statement. While the activity resembles rat scavenging, the intent of these thefts is often to repackage and resell the stolen food items without respect for safety and sanitation regulations. The advisory cited several instances, the most recent dating back to February, in which businesses were tricked. In one case in August, a food distributor got an email request for two full truckloads of milk supposedly from the CFO of a multinational snack and beverage company. The attacker used the actual name of the CFO but had an email address containing an extra letter in the domain name than that of the real organization. The food distributor fell victim to the scam and was required to pay their supplier over $160,000 for the fake shipment. A food manufacturer lost over $600,000 in February after receiving and fulfilling orders for whole milk powder and nonfat dry milk from four fake organizations. In each instance, the attackers placed orders using real employee names and emails with small domain name changes belonging to legitimate firms. This article continues to discuss the cybercriminals performing BEC attacks to steal food shipments and ingredients from suppliers and distributors.

Dark Reading reports "FBI: Criminals Using BEC Attacks to Scavenge Food Shipments"

The Glupteba malware botnet has reemerged, infecting devices throughout the globe after Google halted its operation about a year ago. Google was able to disrupt the blockchain-enabled botnet in December 2021 by obtaining court orders to seize control of the botnet's infrastructure and filing complaints against two Russian operators. However, Nozomi currently says that blockchain transactions, TLS certificate registrations, and reverse engineering Glupteba samples indicate a continuous, large-scale Glupteba campaign that began in June 2022. Glupteba is a blockchain-enabled, modular malware that infects Windows devices to mine cryptocurrency, steal user credentials and cookies, and deploy proxies on Windows and Internet of Things (IoT) devices. These proxies are eventually offered to other cybercriminals as "residential proxies." The malware is primarily distributed via malvertising on Pay-Per-Install (PPI) networks and Traffic Distribution Systems (TDS), which push installers masquerading as free software, videos, and movies. Glupteba exploits the Bitcoin blockchain to evade disruption by obtaining updated lists of command-and-control (C2) servers it should contact to execute commands. Clients of the botnet acquire the C2 server address using a discover function that enumerates Bitcoin wallet servers, retrieves their transactions, and parses them to locate an AES-encrypted address. This article continues to discuss the reemergence of the Glupteba malware botnet.

Bleeping Computer reports "Glupteba Malware Is Back in Action After Google Disruption"

For decades, advertisers and online trackers have been able to aggregate users' information across all of the websites they visit, mostly through the placement of third-party cookies in users' browsers. Prioritizing user privacy, numerous browsers, including Safari, Firefox, and Brave, began blocking third-party cookies for all users by default two years ago. This poses a problem for corporations that put advertisements on the Internet on behalf of other businesses and rely on cookies to track click-through rates to estimate how much they must be paid. Advertisers have responded by developing user ID (or UID) smuggling, a new method for tracking users across the web. This method does not require third-party cookies. A measurement tool called CrumbCruncher, developed by researchers at UC San Diego, has, for the first time, attempted to quantify the prevalence of UID smuggling in the wild. CrumbCruncher navigates the Internet like a typical user, but keeps track of the number of times it has been tracked using UID smuggling. The researchers discovered that UID smuggling was present in around 8 percent of CrumbCruncher's navigations. They presented these findings at the Internet Measurement Conference in Nice, France, from October 25 to 27, 2022. The team is also making their whole dataset and measurement pipeline available to browser developers. Audrey Randall, a Ph.D. student in computer science at UC San Diego and the paper's lead author, stated that the team's primary objective is to raise browser developers' awareness of the issue. She stated that UID smuggling is more prevalent than anticipated. It is unknown how much of it poses a privacy risk to users. This article continues to discuss the new UID smuggling web tracking technique bypassing privacy protections and the CrumbCruncher tool developed by researchers at UC San Diego to quantify the frequency of UID smuggling in the wild.

UC San Diego reports "New Web Tracking Technique is Bypassing Privacy Protections"

While the use of Artificial Intelligence (AI) in cyberattacks remains relatively limited, a new paper titled "The security threat of AI-enabled cyberattacks" predicts that this will soon change. The paper, a collaboration between WithSecure, the Finnish Transport and Communications Agency (Traficom), and the Finnish National Emergency Supply Agency (NESA), examines current trends and advancements in AI, cyber threats, and places where the two interact. It is noted that AI-based cyberattacks remain uncommon and limited to social engineering applications, such as impersonation, or employed in ways not readily observable by researchers and analysts, such as data analysis in backend systems. However, the paper emphasizes that the number and quality of AI advancements have made more sophisticated cyberattacks possible in the near future. According to the analysis, target identification, social engineering, and impersonation are the most imminent AI-enabled threats today and are predicted to increase in number and sophistication over the next two years. Within the next five years, attackers will likely create AI capable of independently discovering vulnerabilities, planning and executing attack campaigns, leveraging stealth to escape defenses, and collecting data from compromised systems or open-source intelligence. The paper emphasizes that while current defenses can solve some of the difficulties posed by AI-using attackers, others require defenders to adapt and evolve. New strategies are required to combat AI-based phishing that employs synthesized material, biometric authentication system spoofing, and other impending capabilities. The report also discusses the role that non-technical solutions such as intelligence sharing, resource allocation, and security awareness training have in mitigating the threat posed by AI-driven attacks. This article continues to discuss key points made in the new report on AI-enabled cyberattacks.

Continuity Central reports "Report Says That Action Is Needed to Prevent AI-Based Attacks Winning the Cyber War"

Researchers at the US Homeland Security Department's Cybersecurity and Infrastructure Security Agency (CISA) recently detected Russian hackers lurking within a US satellite network, raising new fears about Moscow's plans to infiltrate and disrupt the space industry. Researchers linked the attack to the Russian military group known as Fancy Bear, also known as APT28. The attack involved a satellite communications provider with clients in critical infrastructure sectors in the US. In response to a warning concerning strange network behavior, CISA researchers discovered hackers in the satellite network. MJ Emanuel, a CISA incident response analyst who discussed the event at the CYBERWARCON cybersecurity conference last month, stated that Fancy Bear appears to have been in the victim's networks for months. Space security is a growing worldwide concern, particularly as businesses and militaries rely more on satellites for essential communications, the Global Positioning System (GPS), and Internet access. For example, prior to the February Russian invasion, Internet access in Ukraine was affected by a hack targeting the US telecommunications company Viasat, which offers Internet services throughout Europe. This strike, which officials attributed to Russia, is one of the most significant digital attacks of the war, prompting a warning from the FBI and CISA over the possibility of further Russian infiltration of satellite systems. The satellite network intrusion discovered by CISA is a prime example of the type of insufficient security that might provide intruders with access to networks. Fancy Bear apparently exploited a 2018 vulnerability found in an unpatched Virtual Private Network (VPN), allowing its hackers to harvest all active session credentials. This article continues to discuss the infiltration of a US satellite network by Fancy Bear.

CyberScoop reports "CISA Researchers: Russia's Fancy Bear Infiltrated US Satellite Network"

IBM has announced its collaboration with the Cloud Security Alliance (CSA) to strengthen a financial services cloud security architecture. IBM's Cloud Framework for Financial Services has been mapped to CSA's Cloud Control Matrix (CCM), allowing organizations adopting CSA's controls to use services or conduct business with Software-as-a-Service (SaaS) providers on IBM's platform. Jim Reavis, the CSA's CEO, stated that as global regulations continue to evolve, it is crucial for all organizations to adhere to changing requirements while operating in a secure cloud environment, but this is especially important for highly regulated industries such as the financial services industry. IBM has emphasized the importance of establishing a highly secured hybrid, multi-cloud architecture that enables organizations to host workloads wherever they are running. According to Shira Shamban, CEO of Solvo, it makes sense for IBM to develop specific frameworks for the financial services industry because the financial sector is typically the first to implement security and compliance technology. This article continues to discuss the new collaboration between IBM and CSA to bolster a cloud security framework for financial services.

SC Media reports "IBM to Work With Nonprofit on Cloud Security Framework for Financial Services"

Hackers are using fake Windows installers to target Ukrainian government networks in a new supply chain attack. According to a new Mandiant report, threat actors identified as UNC4166 hosted malicious files disguised as legitimate Windows 10 installs on Ukrainian and Russian-language torrent sites such as Toloka and RuTracker. Mandiant says this is a new tactic in espionage operations. Beginning in July, the researchers discovered multiple devices within Ukrainian government networks infected with malicious files. Once installed, these files drop malware that spies on and steals data from its victims. The infected files are meant to target Ukrainian users as they use the Ukrainian language pack. Mandiant also discovered additional payloads most likely deployed after the initial infection, including STOWAWAY, BEACON, and SPAREPART backdoors, which allow hackers to maintain access to the compromised computers, execute commands, transfer files, and steal information such as credentials and keystrokes. The threat actors also integrated anti-detection features into their malware. According to Mandiant, the operation would have required substantial time and resources to create and wait for the malicious files to be put on the targeted network, indicating that the attackers are security-aware. The vice president of Mandiant, John Hultquist, said several Ukrainian government organizations are among the victims of the supply chain attack. The researchers did not say which government institutions were compromised or how pirated torrent files reached their computers. Mandiant lacks sufficient information to link UNC4166 to a sponsor or previously tracked group. However, its targets overlap with organizations attacked with wipers by the Russian military intelligence-associated group Fancy Bear. This article continues to discuss the new supply chain attack targeting Ukrainian government networks.

The Record reports "New Supply Chain Attack Targeted Ukrainian Government Networks"

The National Security Agency (NSA) has released its Cybersecurity Year in Review for 2022 to discuss its mission priorities and demonstrate how it bolsters the nation's cybersecurity. This year's review emphasizes NSA's capacity to scale cybersecurity solutions through partnerships, resulting in increased speed and agility. Rob Joyce, NSA Cybersecurity Director, stated that by securing the most sensitive networks of the US government, solutions are cascaded to help protect critical infrastructure, US allies, businesses, and consumers worldwide. The Year in Review highlights NSA's efforts, such as collaborating with industry to harden billions of endpoints against active and ongoing nation-state threats, disclosing zero-day vulnerabilities to vendors for remediation before nation-state actors exploit them, releasing cybersecurity guidance to protect against active adversary and cybercriminal threats, and more. The Cybersecurity Collaboration Center (CCC) of the NSA has increased its industry partnerships to over 300 in the past year. NSA combines Signals Intelligence (SIGINT) insights with those of industry partners at the CCC to provide intelligence-driven cybersecurity that protects the nation and its allies. The agency uses encryption to protect millions of devices, and the agency also oversees the infrastructure necessary to key those devices. This involves the production and distribution of the keys, codes, and other cryptographic materials that the US government and military employ to secure weapons, satellites, communications, and a variety of other systems crucially important to the nation's security. This article continues to discuss NSA's 2022 Cybersecurity Year in Review.

NSA reports "NSA Publishes 2022 Cybersecurity Year in Review"

FuboTV, a live-TV bundle streaming service, recently said it was the target of a criminal cyberattack affecting customers trying to access their subscriptions during the World Cup semifinal match between France and Morocco. Once the attack was detected, FuboTV said, it took immediate steps to contain the incident and was able to restore service by Wednesday evening. FuboTV noted that the cyberattack was reported to law enforcement and that the company has engaged Mandiant to assist in its investigation and response. The investigation is still in the early stages, and the company said it would remain transparent and provide updates when it has further information to share. FuboTV said as of September 30th, it had roughly 1.2 million paying subscribers, a 31% increase year over year.

CNBC reports: "FuboTV Hit With Cyberattack During World Cup Semifinal Match"

Researchers at the Center for Countering Digital Hate (CCDH) have discovered that the popular social media app TikTok feeds harmful content to a primarily teenage audience within the first half hour of using it. The CCDH conducted the study, setting up eight new accounts, posing as 13-year-old users, and recording what videos were played in the first 30 minutes of using it. The researchers scrolled TikTok's "For You" page, which over time, caters itself to users based on how they engage with the content. The researchers found that TikTok played body image and mental health-related videos every 39 seconds. New accounts were recommended videos discussing eating disorders and self-harm "within minutes." The researchers noted that content directly addressing suicide played every 2.6 minutes, and some eating disorder videos have more than 13 billion views. The researchers pointed out that the report they created is not peer-reviewed and that eight samples is a relatively small sample size to be scientifically reliable. The researchers interacted with all videos featuring body image, mental health, and eating disorders by pausing and liking the videos. The researchers noted that four of the accounts were given generic female usernames and designated their locations as the United States, United Kingdom, Australia, and Canada. The other four accounts were given "loseweight" usernames to test if TikTok would show different content. These were considered "vulnerable" teen accounts, which CCDH opines TikTok deliberately targets with more harmful content. The researchers stated that rather than entertainment and safety, their findings reveal a toxic environment for TikTok's youngest users, intensified for its most vulnerable. The researchers noted that the "loseweight" TikTok accounts were shown three times as many harmful videos and 12 times as many self-harm videos. CCDH ends its report by calling on social media platforms like TikTok to take responsibility for the potential harm they may cause. A spokesperson from TikTok said the behavior by researchers does not accurately "reflect genuine behavior or viewing experiences of real people."

UPI News reports: "Research Finds TikTok Shows New Users Harmful Content Quickly"

Counterfeiting endangers the world's economy and security. The value of global counterfeit and pirated products is estimated to be between $1.7 and $4.5 trillion per year, according to a report issued by the US Patent and Trademark Office (USPTO) in 2020. Conventional anti-counterfeiting approaches, such as QR codes can be easily fabricated because of limited data encryption capacity on a planar space. Therefore, researchers have been looking at increasing encryption density in a limited space. Dr. Ji Tae Kim of the Department of Mechanical Engineering at the University of Hong Kong (HKU) led the development of a high-precision 3D printing method capable of producing new polarisation-encoded 3D anti-counterfeiting labels. This new 3D label has the ability to encrypt more digital information than a traditional 2D label. The work titled, "Three-Dimensional Printing of Dipeptides with Spatioselective Programming of Crystallinity for Multi-level Anti-counterfeiting," was published in Nano Letters. The new 3D printing method, when combined with nature-driven molecular self-assembly, can produce multi-segmented 3D FF micro-pixels with programmed crystallinity for high-density data encryption. A tiny single 3D pixel can encrypt a multi-digit binary code consisting of "0" and "1" through the use of different responses of the amorphous and crystalline segments to polarised light. This article continues to discuss the high-precision 3D printing method developed to produce new polarisation-encoded 3D anti-counterfeiting labels, which can encrypt more digital information than traditional 2D labels.

University of Hong Kong reports "HKU Mechanical Engineering Team Develops New Microscale 3D Printer for Multi-Level Anti-counterfeiting Labels"