News Items

According to a new study conducted by the nonprofit Internet Safety Labs, 96 percent of apps used in K-12 schools in the US share children's personal information with third parties, including advertisers, often without the knowledge or consent of users or schools. The study shows how the race by schools to expand their technological arsenal has put students and their parents in a position of not knowing where their personal information is going. The researchers examined 13 schools in each state, resulting in a total of 663 schools representing nearly 500,000 students. They discovered that most schools had more than 150 approved classroom technologies. The report builds on previous research conducted by the group, formerly known as the Me2B Alliance, which discovered that hundreds of advertisers obtained valuable student data from a website specializing in school sports data. According to the most recent report, the exposure of student data to advertisers via school-approved technology is widespread. Almost a quarter of the apps recommended or required by schools contained advertisements, and 13 percent had retargeting advertisements, which allow digital advertisers to target visitors based on previous website visits. There is a risk that student data will be pulled into advertising networks with no way for schools or parents to find out. Several states, including California, prohibit the use of student data for this type of targeting. Google was the most common third-party that received data from school apps. Almost 70 percent of all apps were found to be sending data to Google, and 70 percent of them included Google Software Developer Kits (SDKs). Some of this is due to Google's dominance as a hardware and software supplier for K-12 schools. Researchers discovered that customized apps for schools were less safe than the general pool of apps studied. For example, researchers discovered that 81 percent of custom apps requested access to location information. Furthermore, 69 percent of custom apps accessed calendars, contacts, and other social information. This article continues to discuss findings from Internet Safety Labs' exploration of children's educational technology safety across US schools.

CyberScoop reports "Most Apps Used in US Classrooms Share Students' Personal Data With Advertisers, Researchers Find"

Many access control systems that use facial recognition technology are insecure. They can be breached, deceived, and shown a person's photo on the phone screen rather than their actual face. A typical access control system consists of a device in a metal case with a screen and a front-facing camera aimed at the visitor. Face recognition occurs within the device. Photos taken during the authentication process are not transmitted to a central server. The tablet's processor power is sufficient to perform recognition on its own. A typical deployment architecture includes several of such devices and a central server that synchronizes the user base across devices. There are several vulnerabilities that can come into play here. The device is protected from physical interference by its metal case, but an open USB port can ruin everything. Its purpose is to service the device, but malicious actors can connect their devices and use them to install spyware or run malicious code. Another widespread issue is the device's firmware, which is sometimes based on an old version of Android from several years ago. Many security-related improvements have been made to the operating system over the years. One of the primary reasons devices are breached is because of operating system vulnerabilities. Many access control systems still use HTTP to communicate between the device and the server. All information is sent in clear text and can be intercepted. Administrative commands are also sent in plain text. An attacker with access to the network to which the tablet is connected can intercept network traffic between the access control system and the server, and obtain the information required to carry out attacks. Hackers can register a user, give that user an administrator role, delete that user, and begin synchronization. Some developers exacerbate the vulnerability by creating a completely ineffective device authentication procedure. This article continues to discuss the potential security vulnerabilities faced by access control systems.

BetaNews reports "What Dangerous Security Vulnerabilities Can Access Control Systems Have?"

Fortinet has patched an actively exploited FortiOS SSL-VPN flaw, which could allow a remote, unauthenticated attacker to execute arbitrary code on devices. Fortinet strongly advises customers to update their installations in order to address the FortiOS SSL-VPN vulnerability, tracked as CVE-2022-42475. According to Fortinet, the vulnerability is a heap-based buffer overflow issue in FortiOS sslvpnd. A heap overflow is a type of buffer overflow that occurs when a chunk of memory is allocated to the heap and data is written to it without any bound checking. This can result in the overwriting of critical heap data structures such as heap headers or any heap-based data such as dynamic object pointers, which can then result in the overwriting of the virtual function table. The vulnerability impacts FortiOS version 7.2.0 through 7.2.2, FortiOS version 7.0.0 through 7.0.8, and more. A remote attacker can also use the flaw to execute commands through specially crafted requests. This article continues to disucss the actively exploited FortiOS SSL-VPN bug.

Security Affairs reports "Fortinet Urges Customers to Fix Actively Exploited FortiOS SSL-VPN Bug"

During a new study, security researchers at Veracode found that with more applications to contend with than other industries, tech firms would benefit from implementing improved secure coding training and practices for their development teams. The researchers found that 24 percent of applications in the technology sector contain security flaws that are considered high risk, meaning they would cause a critical issue for the application if exploited. The researchers noted that organizations whose developers had completed just one lesson in their hands-on Security Labs training program fixed 50 percent of flaws two months faster than those without such training. The researchers stated that the technology industry has the second-highest proportion of applications that contain security flaws, at 79 percent, making it marginally better than the public sector at 82 percent. The tech sector lands in the middle of the pack when it comes to the proportion of flaws that are fixed. The researchers noted that tech firms are comparatively quick to fix software security flaws. However, the industry still takes up to 363 days to fix 50 percent of flaws, suggesting there is still ample room for improvement. Server configuration, insecure dependencies, and information leakage are the most common types of flaws discovered by dynamic analysis of technology applications. The researchers noted that the sector exhibits the highest disparity from the industry average for cryptographic issues and information leakage, perhaps indicating that developers in the tech industry are more savvy on data protection challenges.

Help Net Security reports: "24% of Technology Applications Contain High-Risk Security Flaws"

A threat actor named "UberLeaks" published employee email addresses, Information Technology (IT) asset information, and corporate reports online, resulting in a new data breach for Uber. The stolen Uber and Uber Eats data was published on a hacking forum known for publishing data breaches. Archives claiming to be source code associated with Mobile Device Management (MDM) platforms used by Uber and Uber Eats, as well as third-party vendor services, have been leaked. Uber confirmed that its data was stolen in a breach on Teqtivity, the company's asset management and tracking service. The third-party company also acknowledged the cybersecurity incident. The threat actor gained unauthorized access to Teqtivity's systems, compromising customer data. They infiltrated the Teqtivity Amazon Web Services (AWS) backup server containing code and data files pertaining to Teqtivity customers. According to the firm, the data exposed included device information such as serial number, make, model, and technical specs, as well as user data such as first name, last name, work email address, and work location details. Each post on the hacking forum refers to a Lapsus$ hacking group member. This group is suspected of being behind many high-profile attacks, including a September attack on Uber in which cybercriminals gained access to the company's internal network and Slack server. However, Uber claims that the Lapsus$ group is unrelated to this specific breach. The company also stated that it had not observed any malicious access to its systems. Nonetheless, security experts say that the leaked data contains enough information for targeted phishing attacks on Uber employees. This article continues to discuss the new data breach faced by Uber.

Cybernews reports "Uber Suffers Data Breach After Attack on Third-Party Vendor"

Security researchers at Surfshark have found that Australia had the highest "data breach density" in the world as of the fourth quarter. On average, 7387 user accounts were leaked per 100,000 Australians during the first two months of this quarter, making its breach density 24 times higher than the global average. The researchers noted that Russia came in second (2568 accounts per 100,000), followed by Turkey (2421 per 100,000). The researchers stated that so far this quarter, an average of 22 Australian accounts have been breached every minute, versus just two in the previous quarter. This is primarily down to the 1.88 million Australian user profiles stolen during October and November, which itself is up from 300,000 in Q3 2022. The researchers noted that this is a 489% increase, Australia's highest quarterly spike in data breach count this decade. The researchers noted that globally, data breaches have gone down by 70.8% from October to November. In Australia, however, data breaches have surged by 1550%, from 107,659 in October to 1,776,065 in November. The researchers noted that Australia is still only 16th in the world by total data breach count. Since 2004, the country has had 125.8 million accounts breached versus 9.73 billion in the US.

Infosecurity reports: "Aussie Data Breaches Surge 489% in Q4 2022"

The National Security Agency (NSA) has warned that a Chinese state-sponsored group is exploiting an unauthenticated Remote Code Execution (RCE) flaw, tracked as CVE-2022-27518, to compromise Citrix Application Delivery Controller (ADC) deployments. Compromising Citrix ADCs can facilitate illegitimate access to targeted organizations through the circumvention of normal authentication controls. The flaw results from vulnerable devices' software failing to maintain control over a resource throughout its creation, use, and release, thus allowing remote attackers to execute arbitrary code on vulnerable appliances without prior authentication. The zero-day vulnerability impacts both Citrix ADC and Citrix Gateway. Citrix ADC is typically used to provide load-balanced, secure remote access to Citrix Virtual Apps and Desktops applications. Citrix Gateway is a secure remote access solution that includes identity and access management capabilities as well as Single Sign-On (SSO) for various hosted applications. The NSA has published threat-hunting guidance for organizations to determine whether their Citrix ADC environments have been compromised. The agency has linked the attacks to APT5, also known as UNC2630 and MANGANESE. APT5 has been targeting and breaching organizations in a variety of industries, particularly telecommunications and technology firms, for over a decade. Previously, the group was known to exploit vulnerabilities in Virtual Private Network (VPN) products from Fortinet, Palo Alto Networks, and Pulse Secure. This article continues to discuss the discovery and exploitation of the RCE vulnerability impacting Citrix ADC and Citrix Gateway appliances.

Help Net Security reports "State-Sponsored Attackers Actively Exploiting RCE in Citrix Devices, Patch ASAP! (CVE-2022-27518)"

A previously unknown Python backdoor targeting VMware ESXi servers has been discovered, allowing hackers to remotely execute commands on a compromised system. VMware ESXi is a virtualization platform that is commonly used in the enterprise environment to host multiple servers on a single device while making better use of CPU and memory resources. Juniper Networks researchers discovered the new backdoor while exploring a VMware ESXi server. However, due to limited log retention, they could not determine how the server was compromised. They suspect the server was compromised by exploiting the CVE-2019-5544 and CVE-2020-3992 vulnerabilities in ESXi's OpenSLP service. Although the malware can target Linux and Unix systems, Juniper's analysts discovered multiple indications that it was designed for ESXi attacks. This article continues to discuss the new Python backdoor targeting VMware ESXi servers.

Bleeping Computer reports "New Python Malware Backdoors VMware ESXi Servers for Remote Access"

A team of researchers from Charles Darwin University (CDU) and the University of Tehran in Iran discovered a new cyber threat that brings blockchain security in critical infrastructure into question. The study labeled the new cyber threat a misleading attack due to its intent to deceive miners. Miners perform computations to validate transactions on a blockchain in order to keep it up to date, and are compensated with cryptocurrency. With this new strategy to mislead miners, the system is at risk. The attack misleads blockchain miners by stealing some of their computational power and redirecting it to a different chain or fork. Miners are compensated for using their computational power to verify transactions on the blockchain of a specific cryptocurrency. The misleading attack is carried out by someone who redirects some miners' computational power to a different chain in order for the attacker to outrun the main chain and thus become the dominant one. The chain to which miners are being misdirected is designed to fail in competition, as is the main chain. Everything is set up for the attacker's chain to win and become dominant. This vulnerability can also help other types of blockchain attacks succeed. This new blockchain attack method is concerning because its success rates are high, and the blockchain technology was being used in critical infrastructures. There is a widespread belief that blockchain, such as Bitcoin, is safe and secure from attack, but this new misleading attack, as well as some other high-profile attacks costing millions of dollars, have demonstrated that blockchain technology is not as secure as it needs to be. According to the researchers, if no preventive measures are taken, this attack has the potential to undermine trust in blockchain security and reduce its value. Significant consequences can be expected if such a blockchain is ever used in critical infrastructure or financial systems. This article continues to discuss the study and findings behind a new misleading attack on Bitcoin.

CDU reports "Cyber Security Experts Identify New Threat to Blockchain Technology"

People have used Artificial Intelligence (AI) technology to distort reality as it has advanced. They have made fake images and videos of Tom Cruise, Mark Zuckerberg, and other high-profile individuals. While many of these applications are harmless, others, such as deepfake phishing, are far more sinister. A new wave of threat actors is using AI to create synthetic audio, image, and video content designed to impersonate trusted individuals such as CEOs and other executives in order to trick employees into handing over sensitive information. However, most organizations are unprepared to deal with these types of threats. Gartner analyst Darin Stewart warned in 2021 that while businesses scramble to defend against ransomware attacks, they are doing nothing to prepare for an onslaught of synthetic media. Organizations cannot afford to ignore the social engineering threat posed by deepfakes, especially with providers such as OpenAI offering access to AI and Machine Learning (ML) through new tools like ChatGPT. While deepfake technology is still in its early stages, it is gaining popularity. Cybercriminals are already experimenting with it in order to launch attacks on unsuspecting users and organizations. According to the World Economic Forum (WEF), the number of deepfake videos on the Internet is increasing at a rate of 900 percent per year. At the same time, VMware discovered that two out of every three defenders have seen malicious deepfakes used as part of an attack, a 13 percent increase from the previous year. These attacks have the potential to be devastatingly effective. For example, in 2021, cybercriminals impersonated the CEO of a large corporation using AI voice cloning. They tricked the organization's bank manager into transferring $35 million to another account to complete an "acquisition." In 2019, a similar incident occurred when a fraudster called the CEO of a UK energy firm and impersonated the CEO of the firm's German parent company using AI. The malicious actor requested a $243,000 urgent transfer to a Hungarian supplier. Many analysts believe that the rise in deepfake phishing will continue, and that threat actors' false content will become more sophisticated and convincing. This article continues to discuss the state of deepfake phishing in 2022, how deepfakes mimic individuals and bypass biometric authentication, the role of security awareness training in addressing deepfake phishing, and fighting adversarial AI with defensive AI.

VB reports "Why Deepfake Phishing Is a Disaster Waiting to Happen"

Almost half of Britain's manufacturers (42 percent) have fallen victim to cybercrime over the last 12 months, according to a new survey report titled "Cyber Security: UK manufacturing," published by Make UK. 26 percent reported a considerable financial loss resulting from an attack. Although two-thirds of respondents said the importance of cybersecurity has increased in the last 12 months, most decided not to take any additional cybersecurity actions despite adopting new technologies to boost production. Maintaining legacy Information Technology (IT) (45 percent), a lack of cyber skills within the company (38 percent), and providing access to third parties for monitoring and maintenance (33 percent) were the most cited cybersecurity vulnerabilities. The study also discovered that production halts were the most common result of a cyberattack (65 percent), with reputational damage ranking second (43 percent). The adoption of Industrial Internet of Things (IIoT) devices is the most important driver of cybersecurity adoption in one out of every three organizations (30 percent). These new IIoT processes, such as automated sensors that drive efficiencies, are central to manufacturing production and are regarded as business-critical functions. Thirty-seven percent say that cybersecurity concerns have delayed the introduction of new connected technologies into their organization, stifling potential productivity gains and impeding growth. This article continues to discuss findings from Make UK's report on manufacturing cybersecurity.

Continuity Central reports "Over a Quarter of UK Manufacturers Experienced Substantial Financial Loss From Cyber Attacks in Last 12 Months"

The number of weekly ransomware attacks against the US transportation sector increased by 186 percent between June 2020 and June 2021. Other types of cyberattacks are increasing at a similar rate. For example, pro-Russian hackers targeted public-facing websites of numerous US airports in October 2022. Cyber experts believe these attacks were probing attempts by hackers to learn how to launch more malicious attacks in the future. Cyberattacks are growing while transportation operators face market pressures to automate functions ranging from ticketing to self-driving vehicles. Increased automation requires an even greater reliance on information systems, creating a catch-22 between innovation and vulnerability. Therefore, the Transportation Security Administration (TSA) and the US Homeland Security Department's Cybersecurity and Infrastructure Security Agency (CISA) are responding by expanding cybersecurity requirements for airport, airline, rail, pipeline, and mass transit operators. Designating a cybersecurity coordinator, reporting cyber incidents, conducting cybersecurity assessments, and developing remediation and incident response plans are all part of the detailed requirements. This article continues to discuss TSA's new cyber requirements, overcoming resource challenges by leveraging industry, the benefits of the proposed framework, and the need for regulatory approaches to evolve to meet new threats.

HSToday reports "PERSPECTIVE: Leveraging Public-Private Partnerships to Improve Cybersecurity in the Transportation Sector"

The Ragnar Locker ransomware gang exposed sensitive data from a Belgian police unit after mistaking it for the municipality of Zwijndrecht. Belgian media outlets called the data leak one of the biggest public service exposures in the country's history, exposing people who reported crimes. As a result, the exposure may have an impact on law enforcement operations and investigations by endangering witnesses and alerting suspects. The stolen data was published on the ransomware gang's 'name and shame' dark web data leak site. Confidential information such as investigation reports, criminal records, thousands of license plates, traffic fines, personnel files, telephone research, and crime files, including images of child abuse, have been exposed in leaked data. The leak also revealed traffic camera recordings that could reveal people's whereabouts at specific times, invading their privacy and putting their safety at risk. Names, phone numbers, and subscriber and SMS metadata of people under covert police investigation were also leaked. This information could alert suspects to ongoing investigations, giving them the opportunity to destroy evidence and harm potential witnesses. The ransomware gang, according to Belgian local media, exposed 18 years of data collected by the Belgian police unit from 2006 to September 2022. Although the leak affects only a small Belgian police unit, it has the potential to affect thousands of citizens. This attack demonstrates the serious consequences of cyberattacks, with people who have reported crimes or abuse potentially having their personal information leaked online. The Zwijndrecht police unit in Antwerp, Belgium, blamed human error for the incident. This article continues to discuss the Ragnar Locker ransomware gang exposing sensitive data of a Belgian police unit and the potential impact of this leak.

CPO Magazine reports "Ransomware Gang Hacks Belgian Police Unit While Targeting Municipality, Leaks Investigation Reports"

Security researchers at Fortinet have shared information on three new ransomware families named Aerst, ScareCrow, and Vohuk. The researchers noted that the new ransomware targets Windows computers encrypts victim files, and demands a ransom payment in exchange for a decryption key. This new ransomware has been used in an increasing number of attacks. The researchers stated that Aerst was seen appending to encrypted files the ".aerst" extension and displaying a popup window containing the attacker's email address instead of dropping a typical ransom note. The researchers noted that the popup window contains a field where the victim can enter a purchase key required to restore the encrypted data. Aerst deletes Volume Shadow copies to prevent file recovery. The other ransomware Vohuk does drop a ransom note readme.txt, asking the victim to contact the attackers via email. Seemingly under continuous development, the malware assigns a unique ID to each victim. The researchers noted that this ransomware family appends the ".vohuk" extension to the encrypted files, replaces file icons with a red lock icon, and changes the desktop wallpaper with its own. This ransomware leaves a distinctive mutex, "Global\\VohukMutex," which prevents different instances of Vohuk ransomware from running on the same system. Vohuk has been used mainly to target users in Germany and India. The third ransomware, ScareCrow, has a ransom note named "readme.txt," which instructs victims to contact the attacker using one of three Telegram channels. This ransomware seems to be the most widespread, with files submitted from the United States, Germany, India, Italy, the Philippines, and Russia. The researchers noted that they have identified some similarities between ScareCrow and Conti, such as the use of the CHACHA algorithm for encryption and the use of the WMI command-line utility to delete Volume Shadow copies, which suggest that ScareCrow's developers might have used Conti source code leaked earlier this year. The researchers stated that the ransomware's developer has encrypted each command string in the malware, including DLL names, API names, and even command strings, with a different decryption routine. ScareCrow appends the ".crow" extension to the encrypted files.

SecurityWeek reports: "Users Warned of New Aerst, ScareCrow, and Vohuk Ransomware Families"

The Google One Virtual Private Network (VPN) service is now available to Google One Premium members in over 20 countries. During the summer, NCC Group, an information assurance firm, conducted a security assessment of the Google One VPN service and discovered 22 flaws. Researchers discovered three medium-severity issues, ten low-severity issues, and nine informational observations. The most notable discovery was related to the Windows application's requirement to be executed with administrator privileges. Although NCC Group found no software vulnerabilities in this application, NCC stated in its report that potentially insecure coding practices could result in a privilege escalation attack. During the retest, Google resolved the issue, and the application is now executed with user privileges. The other two medium-risk discoveries were in the login process of both Windows and macOS applications, which would allow local malicious applications to deny the service's availability or obtain the OAuth token sent after a successful login by manipulating local ports temporarily opened by the applications during the login process. This article continues to discuss findings from the security assessment of the Google One VPN service.

Cybernews reports "Security Researchers Discover 22 Issues in Google One VPN"

Security researchers at Endor Labs have discovered that nearly all open source vulnerabilities (95%) are found in transitive or indirect dependencies. The researchers noted that developers increasingly favor open source as a way to accelerate time to market. However, only a small number (5%) of these so-called software dependencies are actually chosen by DevOps teams. Most are automatically pulled into the codebase, known as transitive/indirect dependencies. The researchers stated that this can add extra risk if they're not all mapped, with any associated bugs remediated. The CEO of Endor Labs said that in this environment, open source software is the backbone of our critical infrastructure, but even veteran developers and executives are often surprised to learn 80% of the code in modern applications comes from existing OSS. The researchers noted that this is a vast arena, yet it's been largely overlooked. The researchers stated that even if developers use the latest version of open source packages, there's a 32% chance it will contain vulnerabilities. A separate report from Sonatype released earlier in 2022 claimed that transitive dependencies accounted for six out of every seven bugs affecting open source projects over the past year.

Infosecurity reports: "Transitive Dependencies Account for 95% of Bugs"

Google recommends that organizations use the Supply Chain Levels for Software Artifacts (SLSA) framework when developing software to improve software security and integrity, following an exploration of best practices for securing the software supply chain. Google made several recommendations for improving supply chain security, including the need for organizations to take more direct responsibility for open-source software and to take a more holistic approach to address risks like the Log4J vulnerability and the SolarWinds breach. Google's report on software security is the first in a new research series called "Perspectives on Security," which looks at emerging security trends and how to address them. The report's publication coincides with the second anniversary of the SolarWinds breach disclosure, and its recommendations are based on Google's analysis of that incident and other software supply chain breaches that have occurred since then. These include incidents at Codecov, Kaseya, and public code repositories such as PyPI. The breaches have elevated software supply chain security to the top of the enterprise Information Technology (IT) priority list. According to a recent Mandiant report, supply chain compromises accounted for 17 percent of all intrusions in 2021. Supply chain issues were the second most common initial intrusion vector in 2021, trailing only software vulnerability exploits. This article continues to discuss the main takeaways for security decision-makers from Google's new security perspectives report.

Dark Reading reports "Google: Use SLSA Framework for Better Software Security"

Deep Instinct's Threat Research team discovered a new campaign carried out by the MuddyWater Advanced Persistent Threat (APT) group, also known as SeedWorm, TEMP.Zagros, and Static Kitten. The APT's campaign has targeted Armenia, Azerbaijan, Egypt, Iraq, Israel, Jordan, Oman, Qatar, Tajikistan, and the United Arab Emirates. In addition, the campaign has updated tactics, techniques, and procedures (TTPs). The first MuddyWater campaign, which targeted entities in the Middle East, was observed in late 2017. Over time, the group evolved by adding new attack techniques to its arsenal. The APT group has also targeted European and North American countries. The US Cyber Command (USCYBERCOM) officially linked Iran's Ministry of Intelligence and Security (MOIS) to the MuddyWater APT group in January. Deep Instinct observed a campaign that began in September, which differs from previous ones in that it employs a new remote administration tool called "Syncro." MuddyWater is not the only threat actor using Syncro. It has also been used in BatLoader and Luna Moth campaigns. The MuddyWater APT group used an HTML attachment as a lure and used third-party providers to host the archives containing the remote administration tool installers. HTML attachments are typically delivered to recipients and are not blocked by antivirus or email security software. The threat actors were seen in July using the ScreenConnect remote administration tool, which was delivered via an installer called "promotion.msi." The installers used in the current campaign were also given the name "promotion.msi." This article continues to discuss the Iran-linked MuddyWater APT targeting countries in the Middle East as well as Central and West Asia in a new campaign.

Security Affairs reports "MuddyWater APT Group Is Back With Updated TTPs"

As part of a broader campaign aimed at legal and financial investment institutions in the Middle East and Europe, a hack-for-hire group called Evilnum has targeted travel agencies. The attacks, which occurred in 2020 and 2021 and most likely began in 2015, used a reworked variant of a malware called Janicab. This malware uses public services such as WordPress and YouTube as dead drop resolvers. Janicab infections have affected people in Egypt, Georgia, Saudi Arabia, the United Arab Emirates, and the United Kingdom. However, this is the first time this group has targeted legal organizations in Saudi Arabia. The threat actor, also known as DeathStalker, is known to use backdoors such as Janicab, Evilnum, Powersing, and PowerPepper to steal sensitive corporate information. Their desire to obtain sensitive business information indicates that DeathStalker is a group of mercenaries providing hacking-for-hire services or acting as financial information brokers. According to ESET, the hacking group has a pattern of harvesting internal company presentations, software licenses, email credentials, and documents containing customer lists, investments, and trading operations. Zscaler and Proofpoint discovered new attacks orchestrated by Evilnum earlier this year, directed against companies in the cryptocurrency and financial technology verticals since late 2021. An examination of the DeathStalker intrusions revealed the use of an LNK-based dropper embedded within a ZIP archive for initial access via spear-phishing. The lure attachment claims to be an industrial profile document related to power hydraulics that, when opened, leads to the deployment of the VBScript-based Janicab implant, which can execute commands and deploy additional tools. This article continues to discuss the Evilnum group targeting legal and financial investment institutions in the Middle East and Europe with a new Janicab malware variant.

THN reports "Hack-for-Hire Group Targets Travel and Financial Entities with New Janicab Malware Variant"

To deter and defeat agile adversaries, people and assets deployed by the US Department of Defense (DOD) in ground, sea, air, and space must maintain operational wireless network connectivity. Researchers from Florida Atlantic University's (FAU) College of Engineering and Computer Science, Florida International University (FIU), Virginia Tech (VT), and PQSecure Technologies have collaborated to develop a universal radio adapter that will enable seamless and secure operations for US military, government, and critical infrastructure systems via non-cooperative indigenous 5G networks. The National Science Foundation (NSF) has awarded the research team a one-year, $750,000 grant for the project titled "Autonomously Tunable Waveform-Agnostic Radio Adapter for Seamless and Secure Operation of DOD Devices Through Non-Cooperative 5G Networks." The project's goal is to reduce the likelihood of communications being intercepted, disrupted, or jammed over 5G networks. The project is part of the NSF's acceleration of 5G solutions to provide secure communications to the US government and critical infrastructure operators anywhere and at any time. The FAU, FIU, VT, and PQSecure Technologies collaboration is one of 16 multidisciplinary teams chosen nationally by the NSF for the 2022 Convergence Accelerator program. Researchers will develop a waveform-agnostic adapter compatible with US DOD communication protocols that operate from HF up to the Ka-band. The research effort includes post-quantum-computing secure cryptography, physical layer security, interference avoidance, policy and governance for secure communications, and more. The universal radio adapter's goal is to accelerate transformative outcomes in how the US DOD personnel, aircrafts, satellites, mobile phones, vehicles, sensors, drones, and other Internet of Things (IoT) devices operate through either friendly or adversary untrusted 5G network infrastructure, seamlessly connecting with devices on trusted US military networks. The goal is also to provide end-to-end data integrity, confidentiality, and resiliency by data hiding and autonomously switching between communications pathways. This article continues to discuss the goals of the "Autonomously Tunable Waveform-Agnostic Radio Adapter for Seamless and Secure Operation of DOD Devices Through Non-Cooperative 5G Networks" project.

FAU reports "FAU Receives NSF Grant for Secure Communications Over 5G Networks"

Security researchers at Cisco Talos have discovered that threat group Silence has been infecting an increasing number of devices using Truebot malware. The researchers suggest that there is a connection between Silence and the infamous hacking group Evil Corp (tracked by Cisco as TA505). According to an advisory published on Thursday, the campaigns observed by the researchers have resulted in the creation of two botnets: one with infections distributed worldwide (particularly in Mexico and Brazil) and a more recent one focused on the US. The researchers noted that while they don't have enough information to say that there is a specific focus on a sector, they noticed a number of compromised education sector organizations. One of the researchers, Tiago Pereira, believes Truebot to be a precursor to other threats that are known to have been responsible for attacks leading to high losses. The researchers stated that Silence is not simply expanding its targets but also advancing from using malicious emails as its primary delivery method to new techniques.

Infosecurity reports: "Truebot Malware Activity Increases With Possible Evil Corp Connections"

CommonSpirit Health, based in Chicago, has confirmed that an October ransomware attack exposed the personal information of over 620,000 patients. On October 5, CommonSpirit Health, which operates over 700 care sites and 142 hospitals across 21 states, confirmed an Information Technology (IT) security issue. The incident disrupted access to electronic health records and delayed patient care in multiple regions. CommonSpirit confirmed the incident was a ransomware attack in a December update. According to the organization, threat actors gained access to portions of its network between September 16 and October 3. They may have accessed certain files that contain personal information belonging to patients who received care or family members of those who received care at Franciscan Health, a 12-hospital affiliate of CommonSpirit Health. While the investigation is ongoing, CommonSpirit notes that this data includes names, addresses, phone numbers, dates of birth, and unique ID numbers used internally by the organization. The attackers did not gain access to medical record numbers or insurance IDs, and there is no evidence that any personal information was misused as a result of the attack. According to Brett Callow, threat analyst at Emsisoft, at least 15 US health systems operating 61 hospitals across the country have been impacted by ransomware attacks in 2022. Sensitive data, including personal health information, was compromised in at least 12 of these incidents. This article continues to discuss the CommonSpirit Health ransomware attack.

TechCrunch reports "CommonSpirit Health Says Patient Data Was Stolen During Ransomware Attack"

The need for new authentication methods that do not require a person's full face to be visible has emerged in the post-COVID world of face coverings and amplified hygiene awareness. According to new research from the University of Georgia, people may soon be able to access their devices using their ears rather than their face or fingerprint. Thirimachos Bourlai, the lead author of the study, says the ear is one of the few body parts that remains relatively the same over time, making it a useful alternative to technology requiring face or fingerprint recognition. The ear recognition system developed by Bourlai's team correctly authenticates individuals with up to 99 percent accuracy, depending on the dataset and model used for testing. Ears, like fingerprints, are distinctive to each individual, as even identical twins' ears differ. An added benefit is that, with the exception of the earlobe, which drops lower over time, ears do not age in the same way that the face does. The ear recognition software functions similarly to face recognition software. When a person purchases a new phone, they must first register their fingerprint or face for the phone to recognize them. In order to get a complete "picture" of their fingerprint, new devices typically require users to place their fingers repeatedly over the sensor. Face-recognition technology relies on users moving their faces in specific ways in front of their camera for the device to effectively capture their facial features. The algorithm takes multiple samples of a person's identity, such as facial images or fingerprints, and logs them into the device while configuring a biometric device. When a user unlocks their device with a biometric, a live sample is taken and compared to the device logs, such as a picture of their face or, in this case, a picture of their ear. Bourlai's software evaluates ear scans and determines whether they are suitable for automated matching using an ear recognition algorithm. To test the software, he used various ear datasets with a wide range of ear poses. Bourlai tested his algorithm on two different datasets of ear images. In one dataset, system accuracy increased from 58.72 percent to 97.25 percent when compared to prior ear recognition software, while in the other, accuracy increased from 45.8 percent to 75.11 percent when compared to the baseline approach. This article continues to discuss the new ear identification technology developed by researchers at the University of Georgia.

UGA Today reports "New Facial Recognition Technology Scans Your Ear"

According to a recent Maine Attorney General data breach notification, more than 2.5 million student loan accounts were compromised in the summer of 2022. The breach targeted Nelnet Servicing, a servicing system and web portal provider for the Oklahoma Student Loan Authority (OSLA) and EdFinancial. An investigation determined that between June and July 2022, intruders accessed student loan account registration information, including names, addresses, emails, phone numbers, and Social Security numbers for 2,501,324 student loan account holders. The breach, according to Nelnet, did not expose users' financial information. It remains unclear how the breach occurred or who was responsible for the attack. Some are concerned about the long-term consequences of this incident for student loan recipients. President Biden announced a student loan relief plan in August 2022 that would impact millions of borrowers. The information stolen in the OSLA / Nelnet breach could be used to take advantage of the loan forgiveness plan. Actors could use the stolen emails to contact unsuspecting loan holders. Borrowers could be tricked by threat actors using social engineering or phishing scams. The schemes may also be used to gain access to bank accounts or other sensitive information. According to one study, 83 percent of surveyed organizations have experienced multiple data breaches. Furthermore, 45 percent of the incidents investigated were cloud-based. The average total cost of a data breach has risen to $4.35 million. This article continues to discuss the OSLA / Nelnet breach, the threat posed by this breach to student loan holders, credential hacking becoming a common incident faced by organizations, and how to bolster security against data breaches.

Security Intelligence reports "Will the 2.5M Records Breach Impact Student Loan Relief?"