News Items

According to researchers at the cybersecurity company Halcyon, the US-registered cloud company Cloudzy provided web hosting and Internet services to over two dozen state-sponsored hacking groups and commercial spyware operators. In a recently published report, Halcyon noted that it had discovered Cloudzy to be "knowingly or unwittingly" serving as a command-and-control provider (C2P) for well-known state-sponsored hacking groups. C2Ps are Internet providers that enable hackers to host virtual private servers and other anonymized services for ransomware affiliates conducting cyberattacks and extortion. The groups that rely on Cloudzy include the China-backed espionage group APT10, North Korea-backed hacking group Kimsuky, and more. This article continues to discuss the facilitation of state-backed cyberattacks by a US-registered cloud company.

TechCrunch reports "Researchers Claim US-Registered Cloud Host Facilitated State-Backed Cyberattacks"

The Biden administration recently announced that it believes China has implanted malware in key US power and communications networks in a "ticking time bomb" that could disrupt the military in the event of a conflict. The Times reported that the malware potentially gave China's People's Liberation Army the ability to disrupt US military operations if Beijing were to move against Taiwan at some point. The systems affected, the Times said, could allow China not only to cut off water, power, and communications to US military bases but also to homes and businesses across the United States. The report comes two months after Microsoft warned that state-sponsored Chinese hackers had infiltrated critical US infrastructure networks. Microsoft pointed out Guam, a US Pacific territory with a vital military outpost, as one target but said malicious activity had also been detected elsewhere in the United States. Microsoft stated that the stealthy attack carried out since mid-2021 was likely aimed at hampering the United States in the event of a regional conflict.
Authorities in Australia, Canada, New Zealand, and Britain warned at the same time that Chinese hacking was likely taking place globally, affecting an extensive range of infrastructure. The Times said the discovery of the malware sparked a series of meetings in the White House Situation Room involving top military, intelligence, and national security officials to track down and eradicate the code. The White House issued a statement Friday saying, "The Biden administration is working relentlessly to defend the United States from any disruptions to our critical infrastructure, including by coordinating interagency efforts to protect water systems, pipelines, rail and aviation systems, among others." Reports of the malware operation come at a particularly strained point in US-China relations, with China aggressively asserting its claim that Taiwan is Chinese territory and the US seeking to ban sales of sophisticated semiconductors to Beijing.

SecurityWeek reports: "Possible Chinese Malware in US Systems a 'Ticking Time Bomb': Report"

With the development of a new, highly efficient cipher for cache randomization, a group of international researchers has made significant progress in computer security. The cipher, designed by Rei Ueno, an assistant professor from the Research Institute of Electrical Communication at Tohoku University, addresses the threat of cache side-channel attacks, providing improved security and performance. Cache side-channel attacks pose a significant threat to today's computer systems because they can stealthily extract sensitive data, such as secret keys and passwords. These attacks exploit flaws in the operating principles of modern computers, making countermeasures difficult. Cache randomization is a promising countermeasure, but identifying a secure and efficient mathematical function for this purpose has remained challenging. Therefore, Ueno and his team developed SCARF, which is based on a comprehensive mathematical formulation and modeling of cache side-channel attacks. This article continues to discuss the SCARF system developed to combat cache side-channel attacks.

Tohoku University reports "Researchers Unveil New Cipher System that Protects Computers Against Spy Programs"

Canon is warning users of home, office, and large-format inkjet printers that the Wi-Fi connection settings stored in the devices' memories are not wiped during initialization, enabling access to the data for others. This vulnerability could pose a security and privacy risk to affected users if the printer memory is extracted by repair technicians, temporary users, or future buyers of the devices, allowing them to get their Wi-Fi network's connection information. Depending on the model and configuration, the information stored in a Canon printer may include the network SSID, password, network type, assigned IP address, MAC address, and network profile. This sensitive Wi-Fi connection information could help a malicious third party gain unauthorized access to a Canon printer user's network to which the printer was connected. The attacker can then access shared resources, steal data, or execute other privacy-invading attacks exploiting additional vulnerabilities. This article continues to discuss the Wi-Fi security risks that arise when discarding inkjet printers.

Bleeping Computer reports "Canon Warns of Wi-Fi Security Risks When Discarding Inkjet Printers"

The US military has been dealing with two significant cyber threats, one being the Chinese campaign called Volt Typhoon against military bases, and the other being an insider breach impacting Air Force and FBI communications. The Biden administration has confirmed that Volt Typhoon's malware is far more widespread than previously believed. Responders have discovered it within many networks that control the communications, power, and water supplying US military bases. These networks also affect ordinary businesses and individuals. It is difficult for investigators to determine the complete scale of the infestation. The Chinese state-aligned Advanced Persistent Threat (APT) behind Volt Typhoon, also known as Vanguard Panda, came to light after Microsoft uncovered Chinese cyber activity in Guam, the location of a US military base strategically critical to Taiwan's defense against Chinese aggression. This article continues to discuss China's Volt Typhoon APT as well as the insider breach affecting Air Force and FBI communications.

Dark Reading reports "China's Volt Typhoon APT Burrows Deeper Into US Critical Infrastructure"

The many advancements in Artificial Intelligence (AI) show that the technology is critical. In the realm of national security, experts are taking note of the impact of AI on the collective defense strategy. Paulo Shakarian, an associate professor of computer science in the School of Computing and Augmented Intelligence, part of the Ira A. Fulton Schools of Engineering at Arizona State University, is at the forefront of this important work, using his expertise in symbolic AI and neuro-symbolic systems, which are advanced forms of AI technology, to meet the needs of national security organizations. He has been invited to AI Forward, a series of workshops hosted by the US Defense Advanced Research Projects Agency (DARPA). Shakarian is one of 100 participants working to advance DARPA's initiative to explore new directions for AI research impacting various defense-related tasks, such as autonomous systems, intelligence platforms, military planning, big data analysis, and computer vision. This article continues to discuss Shakarian's work and insights on AI and security as well as DARPA's AI Forward initiative.

Arizona State University reports "ASU Researcher Bridges Security and AI"

Google has published its annual report regarding zero-day vulnerabilities. In the report, Google's Threat Analysis Group (TAG) notes that patches are often unavailable to Android users for too long. The research group discovered 41 zero-day vulnerabilities in the wild. As the developer of Android, Google controls its own patch policy, whereas many smartphone manufacturers release their own version of the operating system. Examples include Samsung's OneUI and Nothing's NothingOS, but numerous others exist. After each Android update, there may be some delay between the release of a patch for "vanilla" Android, such as that found on Pixel smartphones, and the release of patches for Android offshoots. Google does not identify a specific vendor whose parch policy is not in order. This article continues to discuss key findings and observations from Google in regard to zero-day vulnerabilities.

Techzine reports "Google: 'Vulnerabilities Persist Too Long on Android'"

It has recently been discovered that hackers are actively exploiting a "BleedingPipe" remote code execution vulnerability in Minecraft mods to run malicious commands on servers and clients, allowing them to take control of the devices. BleedingPipe is a vulnerability found in many Minecraft mods caused by the incorrect use of deserialization in the "ObjectInputStream" class in Java to exchange network packets between servers and clients. The adversaries send specially crafted network packets to vulnerable Minecraft mod servers to take over the servers. The threat actors can then use those hacked servers to exploit the flaws in the same Minecraft mods used by players that connect to the server, allowing them to install malware on those devices as well. In a new report by a Minecraft security community (MMPA), the researchers have found that the flaw impacts many Minecraft mods running on 1.7.10/1.12.2 Forge, which uses unsafe deserialization code.

BleepingComputer reports: "Hackers Exploit BleedingPipe RCE to Target Minecraft Servers, Players"

The FBI has further emphasized that Artificial Intelligence (AI) helps nearly every aspect of cybercriminal activity, from development to deployment, and this trend is continuing. On a recent media call, an FBI official suggested that free, customizable open source models are gaining popularity among hackers attempting to spread malware, conduct phishing attacks, and carry out other scams. There has also been a significant increase in the number of AI writers created by hackers specifically to target vulnerable Internet users. Generative AI offers much assistance in launching cyberattacks, due to its powerful coding capabilities. Now that tens of models have been trained to write and fix code, malware development is more accessible to those who previously lacked the skill. The FBI and other organizations have also observed content creation tools being used to write phishing emails and develop malicious websites. In addition, with the introduction of multimodal models such as GPT-4, hackers can create convincing deepfakes to coerce victims into handing over sensitive information, payment, and more. This article continues to discuss the FBI's warning regarding cybercriminals using AI to create and launch attacks.

TechRadar reports "FBI Says AI Is Making It Easier for Hackers to Write Malware"

The Karakurt ransomware group is targeting the McAlester Regional Health Center in Oklahoma, claiming to have stolen over 126 GB of data from the facility, including DNA patient records. Karakurt announced its plans to publish samples and auction 117 GB of the hospital's sensitive data. The group claims that this cache contains at least 40 GB of stolen genetic DNA patient records. According to a report from Nature Reviews Genetics, stolen genetic material can be used for malicious purposes, including blackmail and/or profiting through fake paternity results as well as revealing predispositions to disease and existing medical conditions that could affect employment prospects, insurance premiums, and more. The US Cybersecurity and Infrastructure Security Agency (CISA) first profiled the Karakurt gang in an advisory released in June 2022. The threat actors are suspected to be an offshoot of the Russian-affiliated Conti group, notorious for its double extortion tactics and aggressive nature. CISA reported that the group uses various tactics, techniques, and procedures (TTPs), posing significant defense and mitigation challenges. This article continues to discuss the Karakurt ransomware group threatening to auction off DNA patient records from the McAlester Regional Health Center.

Cybernews reports "Hackers Threaten to Auction off DNA Patient Records From Oklahoma Hospital"

The Abyss Locker operation has developed a Linux encryptor that targets VMware's ESXi Virtual Machine (VM) platform for enterprise-level attacks. As businesses migrate from individual servers to VMs for improved resource management, performance, and disaster recovery, ransomware groups develop encryptors that are specifically designed to target the platform. Considering that VMware ESXi is one of the most widely-used VM platforms, nearly every ransomware group has begun releasing Linux encryptors to encrypt all virtual servers on a device. Other ransomware operations that use Linux ransomware encryptors include Akira, Royal, Black Basta, LockBit, BlackMatter, AvosLocker, REvil, Hello Kitty, RansomEXX, and Hive, with most targeting VMware ESXi. This article continues to discuss the Linux version of Abyss Locker ransomware.

Bleeping Computer reports "Linux Version of Abyss Locker Ransomware Targets VMware ESXi Servers"

"Digital twins" or Artificial Intelligence (AI) assistants trained to serve needs by learning about and, in some ways imitating users, can be turned against people in various ways. According to Ben Sawyer, a professor at the University of Central Florida, and Matthew Canham, the CEO of Beyond Layer Seven, despite the uproar over how Large Language Models (LLMs) will allow hackers to create increasingly sophisticated phishing emails, vishing calls, and bots, this type of activity is nothing new. There is already much discussion regarding the insecurity of LLMs, as both researchers and attackers experiment with breaking and manipulating them. Today's social engineering attacks rely on an attacker's ability to closely imitate familiar entities such as coworkers or brands. Sawyer and Canham believe that the future of social engineering will be defined by AI's ability to imitate people and manipulate subconscious preferences. This article continues to discuss how LLMs can be hacked as well as the use of AI to build digital personas to make it easier for malicious actors to create more convincing attacks.

Dark Reading reports "Another AI Pitfall: Digital Mirroring Opens New Cyberattack Vector"

Nektarios Tsoutsos, an assistant professor in the Department of Electrical and Computer Engineering in the College of Engineering at the University of Delaware, is developing new methods to protect data when cloud services are compromised. With support from the Faculty Early Career Development (CAREER) Program of the National Science Foundation (NSF), Tsoutsos will develop advanced cryptographic algorithms and programming strategies to protect user information for various applications. Tsoutsos and his lab will accelerate end-to-end encryption algorithm development to be simpler, usable, and easily integrated into existing computer programming paradigms. A part of the CAREER award will be used to advance Tsoutsos' work on homomorphic encryption, which enables end-to-end encryption in a way that allows data to be processed and analyzed without compromising its security. The initial work will focus on encrypted Machine Learning (ML) so that users can securely send their data to the cloud for complex analysis. This article continues to discuss Tsoutsos' work on developing advanced cryptographic algorithms and programming strategies to help safeguard user information.

The University of Delaware reports "Improving Cybersecurity: New Ways to Protect Data"

New research commissioned by Cohesity reveals that most businesses lack the cyber resilience strategies and data security capabilities necessary to address today's escalating cyber threats and maintain business continuity. In addition, cyber resilience efforts are not keeping up with cyber threats, as data security and recovery technology deficiencies reduce cyber insurance eligibility and amplify the repercussions of a successful cyberattack. Comparing the cybersecurity outlook for 2023 to 2022, 93 percent of respondents felt that ransomware attacks posed a greater threat to their industry in 2023. Nearly half of respondents (45 percent) said their company had fallen victim to a ransomware attack within the previous six months. Eighty percent are concerned about their organization's cyber resilience strategy and whether or not it can address cyber challenges and threats. When asked how long their organization would take to recover data and business processes after a cyberattack, over 95 percent of respondents said it would take longer than 24 hours, 71 percent said longer than four days, and 41 percent said longer than a week. This article continues to discuss key findings from the survey of 3,409 Information Technology (IT) and Security Operations (SecOps) decision-makers.

Continuity Central reports "Research Shows That Business Continuity Response Measures Are Not Keeping Pace With Cyber Threats"

On Tuesday, the University of Rochester sent an update to faculty, students, and staff regarding a June data breach impacting dozens of organizations through a third-party vendor MOVEit. A spokesperson from the University of Rochester stated that after an investigation, they determined the university's broad network security was not impacted. UR Medicine's eRecord, MyChart, and clinical applications were also secure. The spokesperson noted that the data breach may have exposed some of the personal information of students and employees, along with their spouses, domestic partners, and dependents. The university says all individuals directly impacted by the breach will receive a letter in the mail detailing the exact data that was compromised. The letters will be mailed no later than the week of July 31. The University of Rochester is also offering two years of free credit monitoring to anyone whose personal data was found to be compromised by the cybersecurity incident.

WROC Rochester reports: "University of Rochester Updates Investigation Into Data Breach"

The European Union (EU) will soon require some technology platforms to label their Artificial Intelligence (AI)-generated images, audio, and videos with "prominent markings" showing their synthetic origins. In addition, the White House wants major AI companies to disclose when their content was created using AI. However, identifying material created by AI is a significant technical challenge. According to researchers, the best available options, such as AI-powered detection tools and watermarking, are inconsistent, temporary, and occasionally inaccurate. C2PA is another approach that has recently garnered much interest. It is a relatively new open source Internet protocol that uses cryptography to encode information about the origins of a piece of content, or "provenance" information. The creators of C2PA compare the protocol to a nutrition label, except that it reveals the origin of the content and who or what created it. The project, which is part of the nonprofit Joint Development Foundation, was initiated by Adobe, Arm, Intel, Microsoft, and Truepic, who formed the Coalition for Content Provenance and Authenticity (from which the protocol gets its name). This article continues to discuss what C2PA is and how it is being used.

MIT Technology Review reports "Cryptography May Offer a Solution to the Massive AI-Labeling Problem"

North Korea's infamous Lazarus hacking group has been linked to two new attacks on cryptocurrency firms which led to the theft of nearly $100m in virtual currency. CoinsPaid said in an update this week that $37.3m was stolen from the firm. The company claimed that despite the multimillion-dollar loss, customer funds remained intact, although it admitted that the platform's availability had suffered. Lazarus was also linked to an even bigger raid on crypto payments provider Alphapo last Sunday. Blockchain experts explained that Alphapo hot wallets had initially been drained of $23m in Ethereum, Tron, and Bitcoin. However, the experts updated that original estimate days later, revealing that an additional $37m in Tron and Bitcoin was found missing, bringing the total to $60m.

Infosecurity reports: "North Korean Hackers Bag Another $100m in Crypto Heists"

The National Security Agency (NSA) collaborated with US and international cyber agencies to issue the Cybersecurity Advisory (CSA) titled "Preventing Web Application Access Control Abuse," which warns that vulnerabilities in web applications, including Application Programming Interfaces (APIs), may enable malicious actors to manipulate and access sensitive data. The partnering agencies, which include the Australian Cyber Security Centre (ACSC), the US Cybersecurity and Infrastructure Security Agency (CISA), and the NSA, provide vendors, designers, developers, and consumer organizations with guidance to mitigate Insecure Direct Object Reference (IDOR) vulnerabilities in web applications. IDOR vulnerabilities are web application access control flaws that allow malicious actors to modify, delete, or access sensitive data. The exploitation of these vulnerabilities could affect any web application, including those deployed in Software-as-a-Service (SaaS) used for cloud applications, private cloud models proprietary to the organization's infrastructure, and others. This article continues to discuss the CSA on preventing the abuse of access control vulnerabilities in web applications.

NSA reports "New Cybersecurity Advisory Warns About Web Application Vulnerabilities"

Three vulnerabilities in the popular WordPress form-building plugin Ninja Forms could enable attackers to escalate privileges and steal user data. Patchstack disclosed the three vulnerabilities to the plugin's developer, Saturday Drive, warning that they affect NinjaForms versions 3.6.25 and older. In response, the developer released version 3.6.26 to address the vulnerabilities. However, only about half of NinjaForms users have downloaded the most recent version, leaving around 400,000 websites vulnerable to attack. The first flaw discovered by Patchstack is a POST-based reflected cross-site scripting (XSS) vulnerability that allows unauthenticated users to escalate their privileges and steal information by tricking privileged users into visiting a specially-crafted webpage. The second and third vulnerabilities are access control issues on the plugin's form submissions export feature, allowing Subscribers and Contributors to export all the data users have submitted on a vulnerable WordPress site. This article continues to discuss the three vulnerabilities contained by the popular WordPress Ninja Forms plugin.

Bleeping Computer reports "WordPress Ninja Forms Plugin Flaw Lets Hackers Steal Submitted Data"

Developers are increasingly implementing security testing as part of the development pipeline. However, there is still room for improvement as only a minority of companies test software during development or before committing code. According to Snyk's annual 2023 State of Software Supply Chain Security report, while two-thirds of companies have security tools integrated into their software development systems, only 40 percent of firms have deployed security checks into the Integrated Development Environment (IDE), and 48 percent as part of the code committing stage. Forty percent of companies do not use supply chain technologies, such as a Static Analysis Security Tool (SAST) or a Software Composition Analysis (SCA) tool. According to Randall Degges, head of developer relations at Snyk, developers should perform at least three types of scans. They should scan custom code with SAST, check open source dependencies with an SCA tool, and analyze infrastructure files to detect insecure configuration. This article continues to discuss key findings and points from Snyk's annual 2023 State of Software Supply Chain Security report.

Dark Reading reports "Despite Post-Log4J Security Gains, Developers Can Still Improve"

Field hospitals and emergency response Information Technology (IT) infrastructure are confronted with the same cybersecurity challenges as any other IT infrastructure, but the consequences can be fatal. Hackers and scammers attempting to exploit vulnerabilities during an emergency can disrupt critical healthcare services. Research in the International Journal of Emergency Management examines the growing concerns regarding the cybersecurity of medical devices, health data, and healthcare infrastructure as a whole. A team of researchers emphasizes that cyber threat actors target healthcare systems partly due to the invaluable data they hold. Weak defenses in these critical systems allow for unauthorized access and potential harm, such as launching ransomware or violating patient and healthcare worker privacy for monetary gain. The group highlights the need for immediate action to strengthen cybersecurity measures in field hospitals and emergency response operations. Advanced security technologies, regular vulnerability audits, and employee cybersecurity training require investment. This article continues to discuss key points from the study on the cybersecurity challenges faced by field hospitals.

Inderscience reports "Keeping Emergency Field Hospitals Cyber Secure"

Multi-factor authentication (MFA) involves authentication factors such as passwords, fingerprints, and smartphones to secure systems and data. Security experts encourage consumers and organizations to adopt MFA, because it is more difficult for hackers to gain unauthorized access to systems when multiple authentication factors are required. However, cybercriminals are increasingly evading MFA with specially designed attacks. In February, Reddit discovered that its employees had been phished via email, which tricked them into providing the cybercriminals with their MFA credentials. According to James Quick, director of solutions and advisory for the Identity and Access Management (IAM) company Simeio, the attackers used convincing prompts directing employees to a website mimicking Reddit's intranet gateway. When employees entered their credentials and second-factor tokens, the criminals were able to gain access to the organization. MFA bypass attacks are increasing. Sapphire Cybersecurity reported that there were 40,942 MFA fatigue attacks in August 2022. Hackers have used MFA bypass techniques such as man-in-the-middle (MitM) attacks, MFA bypass phishing kits, stolen browser session cookies, MFA fatigue, and malicious OAuth applications. This article continues to discuss growing concerns regarding MFA bypass attacks.

CACM reports "Concerns Grow about MFA Bypass Attacks"

Pub Crawl summarizes, by hard problems, sets of publications that have been peer reviewed and presented at SoS conferences or referenced in current work. The topics are chosen for their usefulness for current researchers.

U.S. government services contractor Maximus has recently disclosed a data breach warning that hackers stole the personal data of 8 to 11 million people during the recent MOVEit Transfer data-theft attacks. Maximus is a contractor that manages and administers U.S. government-sponsored programs, including federal and local healthcare programs and student loan servicing. The company employs 34,300 people and has an annual revenue of about $4.25 billion, with a presence in the U.S., Canada, Australia, and the United Kingdom. After investigating the breach, Maximus found no indication that the hackers progressed further than the MOVEit environment, which the company noted was immediately isolated from the rest of the corporate network. However, this limited access was enough to compromise a large number of individuals to whom the firm is now sending data breach notifications. The company stated that based on the review of impacted files to date, they believe those files contain personal information, including social security numbers, protected health information, and/or other personal information, of at least 8 to 11 million individuals to whom the company anticipates providing notice of the incident. Maximus currently plans to record an expense of approximately $15 million for the quarter ending on June 30, 2023, representing the company's best estimate of the total cost of the investigation and remediation activities related to the incident.

BleepingComputer reports: "8 Million People Hit by Data Breach at US Govt Contractor Maximus"