News Items

Developers are increasingly implementing security testing as part of the development pipeline. However, there is still room for improvement as only a minority of companies test software during development or before committing code. According to Snyk's annual 2023 State of Software Supply Chain Security report, while two-thirds of companies have security tools integrated into their software development systems, only 40 percent of firms have deployed security checks into the Integrated Development Environment (IDE), and 48 percent as part of the code committing stage. Forty percent of companies do not use supply chain technologies, such as a Static Analysis Security Tool (SAST) or a Software Composition Analysis (SCA) tool. According to Randall Degges, head of developer relations at Snyk, developers should perform at least three types of scans. They should scan custom code with SAST, check open source dependencies with an SCA tool, and analyze infrastructure files to detect insecure configuration. This article continues to discuss key findings and points from Snyk's annual 2023 State of Software Supply Chain Security report.

Dark Reading reports "Despite Post-Log4J Security Gains, Developers Can Still Improve"

Field hospitals and emergency response Information Technology (IT) infrastructure are confronted with the same cybersecurity challenges as any other IT infrastructure, but the consequences can be fatal. Hackers and scammers attempting to exploit vulnerabilities during an emergency can disrupt critical healthcare services. Research in the International Journal of Emergency Management examines the growing concerns regarding the cybersecurity of medical devices, health data, and healthcare infrastructure as a whole. A team of researchers emphasizes that cyber threat actors target healthcare systems partly due to the invaluable data they hold. Weak defenses in these critical systems allow for unauthorized access and potential harm, such as launching ransomware or violating patient and healthcare worker privacy for monetary gain. The group highlights the need for immediate action to strengthen cybersecurity measures in field hospitals and emergency response operations. Advanced security technologies, regular vulnerability audits, and employee cybersecurity training require investment. This article continues to discuss key points from the study on the cybersecurity challenges faced by field hospitals.

Inderscience reports "Keeping Emergency Field Hospitals Cyber Secure"

Multi-factor authentication (MFA) involves authentication factors such as passwords, fingerprints, and smartphones to secure systems and data. Security experts encourage consumers and organizations to adopt MFA, because it is more difficult for hackers to gain unauthorized access to systems when multiple authentication factors are required. However, cybercriminals are increasingly evading MFA with specially designed attacks. In February, Reddit discovered that its employees had been phished via email, which tricked them into providing the cybercriminals with their MFA credentials. According to James Quick, director of solutions and advisory for the Identity and Access Management (IAM) company Simeio, the attackers used convincing prompts directing employees to a website mimicking Reddit's intranet gateway. When employees entered their credentials and second-factor tokens, the criminals were able to gain access to the organization. MFA bypass attacks are increasing. Sapphire Cybersecurity reported that there were 40,942 MFA fatigue attacks in August 2022. Hackers have used MFA bypass techniques such as man-in-the-middle (MitM) attacks, MFA bypass phishing kits, stolen browser session cookies, MFA fatigue, and malicious OAuth applications. This article continues to discuss growing concerns regarding MFA bypass attacks.

CACM reports "Concerns Grow about MFA Bypass Attacks"

Pub Crawl summarizes, by hard problems, sets of publications that have been peer reviewed and presented at SoS conferences or referenced in current work. The topics are chosen for their usefulness for current researchers.

U.S. government services contractor Maximus has recently disclosed a data breach warning that hackers stole the personal data of 8 to 11 million people during the recent MOVEit Transfer data-theft attacks. Maximus is a contractor that manages and administers U.S. government-sponsored programs, including federal and local healthcare programs and student loan servicing. The company employs 34,300 people and has an annual revenue of about $4.25 billion, with a presence in the U.S., Canada, Australia, and the United Kingdom. After investigating the breach, Maximus found no indication that the hackers progressed further than the MOVEit environment, which the company noted was immediately isolated from the rest of the corporate network. However, this limited access was enough to compromise a large number of individuals to whom the firm is now sending data breach notifications. The company stated that based on the review of impacted files to date, they believe those files contain personal information, including social security numbers, protected health information, and/or other personal information, of at least 8 to 11 million individuals to whom the company anticipates providing notice of the incident. Maximus currently plans to record an expense of approximately $15 million for the quarter ending on June 30, 2023, representing the company's best estimate of the total cost of the investigation and remediation activities related to the incident.

BleepingComputer reports: "8 Million People Hit by Data Breach at US Govt Contractor Maximus"

Hackers are targeting Call of Duty players with a massive malware push that can self-replicate and spread through the game's multiplayer lobbies. The malware infection appears to have been sufficient for Activision to take the game offline. Some members of the Steam community attempted to examine the malware, which was discovered to have a match in Virus Total's database. Based on the findings, the malware appears to be a worm that exploits security flaws in the application's code. That ability enables it to evade traditional protections against code injection. Once the malware infects a lobby, it can run localized code on the machines of the users accessing that session. Currently, malware infections have only been reported for the 2009-launched Modern Warfare II. However, given that different Call of Duty games released around 2009 are likely to share most of the same multiplayer code, other games in the series may be vulnerable to the exploit. This article continues to discuss hackers' recent targeting of Call of Duty players.

Tom's Hardware reports "'Call of Duty' Players Are Being Hit With Self-Spreading Malware"

Security researchers at Check Point have discovered that internet-connected Peloton fitness equipment is plagued with numerous security issues that could allow attackers to obtain device information or deploy malware. The researchers analyzed the software running on the Peloton Treadmill and revealed exposure to security risks associated with Android devices that are not updated to the most recent platform iterations, as well as risks posed by attackers with physical access to the device. The treadmill runs Android 10, which does not contain patches for more than 1,000 vulnerabilities that have been addressed in the operating system over the past three years. Furthermore, the device was found to have USB debugging enabled, meaning that an attacker with physical access could retrieve a list of all installed packages and could also obtain shell access, compromising the treadmill completely. The researchers noted that an attacker could use specific commands to exfiltrate data from the treadmill, or they could exploit the existing applications, which are compiled using different SDK versions. Applications can also be fetched for reverse engineering and for extracting secrets. According to the researchers, some applications on the device incorporate rooting detection mechanisms, but an attacker could use certain techniques to identify further vulnerabilities in the applications at runtime. Additionally, the researchers identified hardcoded sensitive information on the device, such as a license key for a text-to-speech voice service. The service could be abused for denial-of-service (DoS). The researchers noted that certain unprotected services were also identified on the treadmill, potentially allowing malicious applications to escalate privileges and gain access to sensitive data or to abuse broadcast receivers and send the device into an infinite loop, preventing updates. The researchers also discovered "differences in the signature scheme of the installed apps," which could potentially expose the device to malicious attacks. The researchers stated that the treadmill operating system includes numerous standard APIs that can be exploited to execute Android code, allowing attackers to carry out nefarious actions from a networking perspective and take advantage of the device's always-on nature. Moreover, the presence of a webcam and microphone makes the treadmill vulnerable to eavesdropping attacks if malware is installed. The researchers were able to sideload a mobile remote access tool (MRAT) on the device, gaining full access to the treadmill's functionality, including audio recording, taking photos, accessing geolocation, and abusing the network stack. According to the researchers, the compromised device also provided "full access to the local area network," which could be leveraged for additional malicious activities. After being informed of these issues, Peloton told the researchers that "they meet expected security measures for Android-based devices," pointing out that physical access is required for exploitation.

SecurityWeek reports: "Multiple Security Issues Identified in Peloton Fitness Equipment"

DepositFiles is a service that claims to be the ideal location to store and share files. However, researchers discovered DepositFiles' publicly hosted environment configuration (config) file, a critical record of how to run software. The file exposed payment service credentials, Abuse and Support email credentials, and more. Due to this exposure, the service's clients are at risk of having their Personal Identifiable Information (PII), files, and passwords stolen. Researchers noted that attackers could also target the company with malware, ransomware, and unauthorized access to business payment systems. They believe that the environment configuration file was exposed beginning in February 2023 based on the indexing of another sensitive file. This article continues to discuss DepositFiles' environment configuration file being left accessible and the potential impact of this exposure.

Security Affairs reports "DepositFiles Exposed Config File, Jeopardizing User Security"

In the first quarter of 2023, the number of incidents involving infostealer malware more than doubled compared to last year, mainly targeting Windows, Linux, and macOS. According to a recent study by Uptycs, most of the perpetrators behind infostealer malware use Telegram as a platform for command-and-control (C2) and data exfiltration. Infostealer malware targets victims by stealing passwords, login credentials, and other sensitive information. Following the collection of personal information, the stealer sends it to the malicious actor's C2 system. Uptycs' examination of the dark web revealed that RedLine has the largest market share, followed by Raccoon and the RecordBreaker stealer. Newcomer Meta, Vidar, Cryptbot, and AZORult are other widely-used infostealers. This article continues to discuss key findings from Uptycs' latest report on infostealers.

SC Magazine reports "Infostealer Incidents More Than Doubled in Q1 2023"

A cyberattack on an NHS supplier has recently left two ambulance trusts serving millions of people without access to electronic patient records. Swedish healthcare IT firm Ortivus said in a statement that an attack on July 18 left affected UK customers using its hosted data center. Ortivus noted that electronic patient records are currently unavailable and are, until further notice, handled using manual systems. No patients have been directly affected. The company stated that no other systems have been attacked, and no customers outside of those in the hosted data center have been affected. Ortivus noted that it is currently working in close collaboration with the affected customers to restore the systems and recover data. The affected customers are the ones using MobiMed ePR, electronic patient record systems in a hosted environment. BBC claimed that South Central Ambulance Service (SCAS) and South Western Ambulance Service (SWASFT) are both affected by the incident. Neither trust has released any information publicly about the incidents. Although Ortivus claimed no patients have been directly affected, if ambulances turn up without the ability to access patient records, it's likely that the standard of care will suffer. The two trusts are said to serve around 12 million people in the south of England.

Infosecurity reports: "Supply Chain Attack Hits NHS Ambulance Trusts"

Two recently introduced Linux vulnerabilities in the Ubuntu kernel make it possible for unprivileged local users to acquire elevated privileges on a large number of devices. Ubuntu is one of the most popular Linux distributions, particularly in the US, with an estimated 40 million users. Two vulnerabilities tracked as CVE-2023-32629 and CVE-2023-2640, discovered by Wiz researchers, were recently introduced into the operating system, affecting about 40 percent of Ubuntu's users. CVE-2023-2640 is a high-severity (CVSS v3 score: 7.8) vulnerability in the Ubuntu Linux kernel that allows a local attacker to gain elevated privileges. CVE-2023-32629 is a medium-severity (CVSS v3 score: 5.4) vulnerability in the Linux kernel memory management subsystem, where a race condition when accessing VMAs may result in use-after-free, allowing arbitrary code execution by a local attacker. This article continues to discuss the discovery and impact of the Linux vulnerabilities.

Bleeping Computer reports "Almost 40% Of Ubuntu Users Vulnerable to New Privilege Elevation Flaws"

Hackers are planting "malvertisements" for widely-used Information Technology (IT) tools on search engines in an attempt to lure IT professionals and conduct ransomware attacks in the future. The scheme involves pay-per-click advertisements on Google and Bing, which link to compromised WordPress sites and phishing pages that resemble download pages for software such as AnyDesk, Cisco AnyConnect, TreeSize Free, and WinSCP. Unsuspecting visitors end up downloading the intended software along with a Python package containing initial access malware, which the attackers then use to launch additional payloads. Sophos researchers have dubbed the campaign "Nitrogen." Several technology companies and nonprofits in North America have already been affected. Although none of the known cases have been successful, the researchers found that hundreds of brands have been co-opted for this type of malvertising across multiple campaigns in the past few months. This article continues to discuss findings and observations regarding the malicious Nitrogen campaign.

Dark Reading reports "'Nitrogen' Ransomware Effort Lures IT Pros via Google, Bing Ads"

Cellular networks are essential for various applications, including phone calls and Internet access. However, the growth of fake base stations in cellular networks, sometimes known as stingrays, cell-site simulators, or IMSI catchers, poses a major security threat with potentially severe consequences. Attackers can use fake base stations as stepping stones for different multi-step attacks, including signal counterfeiting, numb attacks, detach/downgrade attacks, energy depletion attacks, and panic attacks. These attacks can cause significant harm to individuals, businesses, and even governments. Therefore, security researchers at Purdue University's Department of Computer Science led a recent study demonstrating how high-quality datasets could be used to detect fake base stations in cellular networks using Machine Learning (ML) algorithms. This article continues to discuss the security researchers' work on high-quality datasets that could be used to detect fake base stations in cellular networks using ML algorithms.

Purdue University reports "Researchers Uncover Fake Base Stations in Cellular Networks Using Machine Learning"

Reports of "hacktivism" are rising, with 2022 seeing a significant resurgence in the area, primarily fueled by the Russia-Ukraine conflict. According to Radware data, from February 18 to April 18 this year, hacktivists claimed over 1,800 Distributed Denial-of-Service (DDoS) attacks across 80 Telegram channels. Since the Russia-Ukraine conflict, hacktivism has experienced a resurgence, with loosely affiliated groups of partisans or volunteers being pitted against nation-states. Some well-known hacktivist groups include the IT Army, Guacamaya, and SiegedSec. The infamous pro-Russian entity NoName057(16) engages in targeted DDoS campaigns across multiple sectors in NATO countries. CyberArmyofRussia_Reborn (CARR) has been identified by Mandiant as a Russian hacktivist group conducting DDoS attacks against Ukraine. KillNet, a prominent pro-Russian hacktivist group, consistently targets the US and Europe with DDoS attacks. It may appear that these types of groups are becoming more prevalent, but cybersecurity experts paint a more nuanced picture, noting that it is unclear whether the practice is becoming more widespread, if the term is being redefined, or if it is being used as a cover for more traditional malicious activity in cyberspace, such as ransomware and cyber espionage. This article continues to discuss notable hacktivist groups, the potential use of hacktivism as a cover, and the future of such activity.

SC Magazine reports "Hacktivism: Is It Fashionable Again or Just a Sly Cover?"

According to computer security researchers, Python security fixes are often implemented through "silent" code commits without an associated Common Vulnerabilities and Exposures (CVE) identifier. That is not ideal, they argue, because attackers like exploiting undisclosed vulnerabilities in unpatched systems. In addition, developers who are not security experts may not notice that an upstream commit is targeting an exploitable vulnerability relevant to their code. Therefore, application developers may not realize that a Python package could have a major flaw due to little or no announcement about it, and not incorporate a patched version into their code. Malicious actors could take advantage of this by exploiting those non-publicized vulnerabilities. In a paper titled "Exploring Security Commits in Python," a team of researchers from George Mason University and Dougherty Valley High School propose a solution, which is a database of security commits called PySecDB. The database would increase the community's visibility of Python code repairs. This article continues to discuss the proposed security commits database aimed at making Python code repairs more visible to the community.

The Register reports "Sneaky Python Package Security Fixes Help No One - Except Miscreants"

According to a new report from the US Cybersecurity and Infrastructure Security Agency (CISA), more than half of all cyberattacks against government agencies, critical infrastructure organizations, and state-level government bodies involved legitimate accounts. CISA collaborated with the US Coast Guard (USCG) in 2022 to conduct 121 Risk and Vulnerability Assessments (RVAs) on federal civilian agencies, high-priority private and public sector critical infrastructure operators, and select state, local, tribal, and territorial stakeholders. According to Gabriel Davis, a federal lead for risk operations at CISA, these assessments are designed to test an organization's defenses and allow the government to explore how they would respond to a sophisticated attack. They also provide CISA with information about how hackers operate. A new report of their findings reveals that threat actors conducted their most successful attacks using standard techniques involving phishing and default credentials. In 54 percent of successful attacks studied, valid credentials, including those from former employee accounts that have not been disabled in addition to default administrator accounts, were used. This article continues to discuss key findings from the RVAs.

The Record reports "CISA: Most Cyberattacks on Governments, Critical Infrastructure Involve Valid Credentials"

According to security researchers at Sophos, the education sector recorded a higher share of ransomware victims than any other in 2022. During the study, the researchers conducted interviews with 400 IT and cybersecurity leaders globally, split evenly across schools and higher education institutions. The researchers found that 79% of higher and 80% of "lower" education institutions were compromised by ransomware over the past year, up from 64% and 56% in 2021, respectively. The researchers noted that exploits and compromised credentials accounted for 77% of ransomware attacks against higher education organizations and 65% of attacks against lower education organizations. Breaches stemming from compromised credentials (37%/36%) accounted for a much bigger share than the cross-industry average of 29%. The researchers stated that the lack of adoption of multi-factor authentication (MFA) technology in the education sector makes them even more at risk of this method of compromise. Interestingly, the researchers noted that the education sector had one of the highest rates of ransom payment, with over half (56%) of higher education victims and 47% of schools paying up. This may account for why the sector is so frequently targeted by threat actors. Another possible factor is the fact that higher education institutions are less likely to maintain backups than the cross-sector average (63% versus 70%).

Infosecurity reports: "Education Sector Has Highest Ransomware Victim Count"

The ALPHV ransomware group, also known as BlackCat, is attempting to increase the pressure on their victims to pay a ransom by providing an Application Programming Interface (API) for their leak site in order to increase the visibility of their attacks. This action follows the recent breach of Estee Lauder, which resulted in the beauty company disregarding the threat actor's attempts to negotiate a ransom payment. Multiple researchers recently observed that the ALPHV/BlackCat data leak site added a new page with instructions on how to use their API to get timely updates about new victims. The malware research group VX-Underground warned of the new section on the gang's site. However, the "feature" appears to have been partially available to a limited audience for months. The ransomware group published API calls that could be used to fetch information about new victims added to their leak site or updates starting on a specific date. This article continues to discuss the ALPHV/BlackCat ransomware gang providing an API for their leak site to increase visibility for their attacks.

Bleeping Computer reports "ALPHV Ransomware Adds Data Leak API in New Extortion Strategy"

Users of applications involving Large Language Models (LLMs) similar to ChatGPT must be aware of the possible risks. Researchers warn that an attacker who develops untrusted content for the Artificial Intelligence (AI) system could compromise any information or recommendations generated by the system. The attack could enable job applicants to circumvent resume-checking applications, disinformation specialists to force a news summary bot to only give a specific point of view, or malicious actors to turn a chatbot into a willing participant in their fraud. In a session titled "Compromising LLMs: The Advent of AI Malware," a group of computer scientists will demonstrate that indirect prompt-injection (PI) attacks are possible because applications connected to ChatGPT and other LLMs often treat consumed data in the same manner as user queries or commands. Attackers can take control of the user's session by inserting specially crafted information as comments into documents or web pages that an LLM will parse. This article continues to discuss researchers finding that AI applications involving LLMs could be compromised by attackers using natural language to trick users.

Dark Reading reports "ChatGPT, Other Generative AI Apps Prone to Compromise, Manipulation"

Some of the largest US-based generative Artificial Intelligence (AI) companies plan to watermark their content, according to a White House fact sheet released on July 21. Amazon, Anthropic, Google, Inflection, Meta, Microsoft, and OpenAI have agreed to eight voluntary commitments concerning the use and oversight of generative AI, including watermarking. This agreement follows a March statement expressing the White House's concerns about the misuse of AI. In addition, the agreement comes at a time when regulators are finalizing procedures for managing generative AI's impact on technology and how people interact with it since ChatGPT brought AI content to the public's attention in November 2022. This article continues to discuss the eight AI safety commitments and how government regulation of AI could discourage malicious actors.

TechRepublic reports "OpenAI, Google and More Agree to White House List of Eight AI Safety Assurances"

Cybersecurity Snapshots #44 -

Data Travel is the Organization's Next Big Cybersecurity Challenge

FraudGPT, a new Artificial Intelligence (AI) bot discovered being sold on different dark web marketplaces and Telegram accounts, is used exclusively for offensive purposes, such as spear-phishing, cracking tools, and carding. John Bambenek, principal threat researcher at Netenrich, which discovered FraudGPT, noted that his team believes the threat actor behind it is likely the same group that operates WormGPT, another AI phishing tool recently reported by SlashNext. According to Bambenek, Netenrich is currently unaware of any active attacks launched through FraudGPT tools. FraudGPT appears to focus more on short-duration, high-volume attacks such as phishing, whereas WormGPT is more focused on longer-duration attacks involving malware and ransomware. This article continues to discuss the new AI bot FraudGPT, believed to come from the same group that developed the WormGPT tools.

SC Media reports "New AI Phishing Tool FraudGPT Tied to Same Group Behind WormGPT"

A group of major technology companies recently made an announcement about watermarking Artificial Intelligence (AI)-generated content. However, cybersecurity researchers already suggest this new approach has flaws. Amazon, Anthropic, Google, Inflection, Meta, Microsoft, and OpenAI met with the White House to discuss how they can mitigate the risks associated with the AI they create. They promised to invest in cybersecurity and AI-generated content watermarking. Dr. Florian Kerschbaum, a professor of computer science and member of the Cybersecurity and Privacy Institute at the University of Waterloo, explained that the watermarking technology pitched by the companies embeds a secret message within the content's code. The idea is that the message cannot be removed without also removing the content. Kerschbaum notes, however, that there are still some uncertainties in the scientific foundations of watermarking. Malicious actors may be able to remove a watermark, and the issue of digital watermarks has fascinated scientists for decades. This article continues to discuss concerns and questions regarding watermarking AI-generated content.

The University of Waterloo reports "The Promise of Watermarking AI Content"

Recently, commercial and consumer bank 1st Source Corp announced that it was affected by a security breach that involved a popular file transfer tool, MOVEit. The data breach has impacted about 450,000 records. The company stated that a third party had gained access to data of its commercial and individual clients earlier this month, adding that it was in the process of identifying and notifying individual clients affected. MOVEit, made by Massachusetts-based Progress, allows organizations to securely transfer files and data between business partners and customers.

U.S. News reports: "1st Source Says 450,000 Records Affected in Client Data Breach"