News Items

  • news

    "FBI: Ransomware Gang Breached 52 US Critical Infrastructure Orgs"

    According to the US Federal Bureau of Investigation (FBI), the RagnarLocker ransomware group has compromised the networks of at least 52 organizations across ten critical infrastructure sectors. The federal law enforcement agency revealed that it had identified the 52 affected entities in the critical manufacturing, energy, financial services, government, and information technology sectors. RagnarLocker ransomware actors have been observed frequently changing obfuscation techniques in order to evade detection and prevention. The flash alert, released in coordination with the Cybersecurity and Infrastructure Security Agency (CISA), includes indicators of compromise (IOCs) that organizations can use to detect and block RagnarLocker ransomware attacks. These IOCs include information on the RagnarLocker ransomware gang's attack infrastructure, email addresses, and Bitcoin addresses used to collect ransom demands. This article continues to discuss the FBI's warning of RagnarLocker ransomware attacks on critical infrastructure.

    Bleeping Computer reports "FBI: Ransomware Gang Breached 52 US Critical Infrastructure Orgs"

  • news

    "Medical, IoT Devices From Many Manufacturers Affected by 'Access:7' Vulnerabilities"

    Research conducted by employees at CyberMDX, a medical device cybersecurity company recently acquired by Forescout, found that many Internet of Things (IoT) and medical devices are impacted by vulnerabilities in PTC's Axeda agent. The Axeda agent is a solution used for remote access and management of over 150 connected device models from more than 100 manufacturers. CyberMDX conducted its investigation after detecting potential security issues associated with the Axeda agent component on customer systems. The analysis resulted in the discovery of a set of seven supply chain vulnerabilities called Access:7. Threat actors could exploit these vulnerabilities for remote code execution, Denial-of-Service (DoS) attacks, and obtaining information. Most of the vendors impacted by Access:7 vulnerabilities are in the healthcare sector. Other affected vendors are in IoT, financial services, and manufacturing. The vulnerabilities could allow a malicious actor to gain initial access to a network, steal potentially sensitive data, or disrupt affected devices. Although the Axeda platform has reached End of Life (EOL), the vendor has released patches for manufacturers to provide to their customers. This article continues to discuss the discovery, potential exploitation, and impact of the Access:7 vulnerabilities.

    Security Week reports "Medical, IoT Devices From Many Manufacturers Affected by 'Access:7' Vulnerabilities"

  • news

    "Oklahoma Hospital Data Breach Impacts 92,000 People"

    A security incident at a nonprofit community hospital in Oklahoma may have exposed the personal data of more than 92,000 individuals. Duncan Regional Hospital (DRH) discovered that access to some of its systems was mysteriously blocked on January 20, 2022. The hospital disconnected all its systems from external access and notified law enforcement. DRH triggered its cybersecurity incident response plan and hired an independent forensics firm to determine what had happened, how it had occurred, and whether any sensitive information may have been impacted. DRH was able to bring all systems back to normal operations within 24 hours. The investigating firm found that patient information and employee information may have been exposed during the incident. The impacted data might include patients' names, dates of birth, Social Security numbers, limited treatment information, and medical appointment information such as date of service and name of providers. For employees, the impacted data includes personal information associated with W-2s, such as name, date of birth, address, and Social Security number.

    Infosecurity reports: "Oklahoma Hospital Data Breach Impacts 92,000 People"

  • news

    "Samsung Source Codes Stolen"

    Cybercriminals have broken into the network of South Korean tech giant Samsung Electronics and stolen various source codes. The source codes involved in the incident are related to the operation of the company's Galaxy devices. While the company has yet to determine the full scope of the breach, Samsung said that no evidence had been found to suggest that any personal information belonging to its customers or employees had been compromised in the incident. Samsung noted that the cyberattack and data theft were unlikely to disrupt its business or directly impact its customers. Confirmation of the breach comes after the hacking and data extortion group Lapsus$ claimed to have penetrated Samsung's network earlier this month. On Friday, the cybercriminal group published 190GB of confidential data it claimed had been exfiltrated from the tech company. The published data reportedly contained source codes and biometric unlocking algorithms linked to Samsung and source code belonging to the American multinational technology corporation Qualcomm.

    Infosecurity reports: "Samsung Source Codes Stolen"

  • news

    "Days-long DDoS Attack with Embedded Ransom Note Mitigated"

    An undisclosed website has faced a days-long Distributed Denial-of-Service (DDoS) attack, which measured up to 2.5 million requests per second. According to researchers at Imperva, instead of the attackers contacting the victim separately, the attack traffic itself carried a ransom note, perhaps to remind the target to send their bitcoin payment. The ransom note suggests that the attack was carried out by the Ransomware-as-a-Service (RaaS) operator REvil. As part of the latest attack, the threat actor claimed to have been behind a different attack against the service provider Bandwidth, but the researchers have not determined whether the attackers were, in fact, part of the original REvil group. They did find that the Meris botnet played a key role in the attack. Researchers at Qrator Labs and Cloudflare first observed the botnet's activity in huge waves of DDoS attacks. These firms observed the DDoS attacks reach nearly 17.2 million to 21.8 million requests per second. In the recent DDoS attack, multiple sites belonging to the targeted company were attacked, with one of the sites being hit for about 10 minutes. The attackers used sophisticated tactics to prevent mitigation, constantly changing ransom messages and attack vectors. The attacks lasted for several days, with individual waves sometimes lasting up to several hours. In 20 percent of cases, the attack reached between 90,000 and 750,000 requests per second. The researchers were able to mitigate over 12 million embedded requests targeting random URLs on the same site. On the second day of the attack, the researchers mitigated more than 15 million requests, with the URL containing a different ransom message but using the same tactics. This article continues to discuss key findings and observations surrounding the days-long DDoS attack on an undisclosed website.

    GovInfoSecurity reports "Days-long DDoS Attack with Embedded Ransom Note Mitigated"

  • news

    "Bad Actors Are Becoming More Successful at Evading AI/ML Technologies"

    The Threat Research team at Deep Instinct monitored the different volumes and types of cyberattacks and analyzed their findings to help predict the future of cybersecurity, determine attackers' motivations, and highlight the steps that organizations should take to protect themselves. One of the key findings from this research is that malicious actors are becoming increasingly successful at evading Artificial Intelligence (AI) and Machine Learning (ML) technologies, which calls on organizations to increase their efforts towards developing and implementing more innovative solutions. Other key findings include a 170 percent increase in the use of Office droppers and a 125 percent increase in all types of threats combined. Findings suggest that the volume of all malware types is significantly higher than pre-pandemic levels. In addition, threat actors have made a noticeable shift away from older programming languages, such as C and C++, towards Go and other newer languages. Attackers are suspected to be making this shift because newer languages are easier to learn and to program than their predecessors, and because malware written in them is less likely to be detected by cybersecurity tools or analyzed by security researchers since these languages are still less commonly used. As defense evasion and privilege escalation become more prevalent, the team expects to see continued efforts by bad actors to evade Endpoint Protection Platforms (EPP) and Endpoint Detection and Response (EDR) in 2022. Threat actors appear to be investing more in anti-AI and adversarial attack techniques, and applying these methods in their larger evasion strategy. This article continues to discuss key findings from Deep Instinct's research on 2021 threat trends.

    Help Net Security reports "Bad Actors Are Becoming More Successful at Evading AI/ML Technologies"

  • news

    "Low-Power Encrypted Computing Solutions"

    The smart devices we use in our daily lives, such as smartphones, smartwatches, and smart health devices, generate large amounts of data. As the number of data sources such as these low-resource client devices continues to grow, the demand for sophisticated computing to extract value from the data using Machine Learning (ML) increases. Low-resource devices have limited computing capabilities due to their simple computing hardware and the energy limitation of their small batteries. To get around these shortcomings, these devices could use computational offloading, in which sensor data is sent to a nearby edge device or the cloud for processing. Offloading makes even very sophisticated data processing feasible, but only on the condition that the server performing the processing has unencrypted access to the data. Homomorphically encrypted computing is a new computing method aimed at mitigating these privacy concerns. It involves the client encrypting its data and sending the encrypted data for offloading. The offloaded processing occurs without decrypting the data. Although encrypted computing has a significantly high computational cost, advances in computer architecture and algorithms have made it possible to offload encrypted computation at a reasonable cost, thus making the technique feasible. However, these advances do not consider the costs that encrypted computing imposes on the low-resource client, which make encrypted offload computing infeasible for low-resource devices. Therefore, researchers at Carnegie Mellon University (CMU) developed new algorithms and hardware designs to address these client-side costs in order to make encrypted offloading possible for low-resource clients. This article continues to discuss the concept of homomorphically encrypted computing and the algorithms and hardware designs developed by the researchers to make encrypted offloading feasible for low-resource clients.

    CMU reports "Low-Power Encrypted Computing Solutions"

  • news

    "Senate Passes Strengthening American Cybersecurity Act"

    The United States Senate has passed the Strengthening American Cybersecurity Act, requiring critical infrastructure operators and federal agencies to report cyberattacks within 72 hours and ransomware payments within 24 hours. The Act combines language from three bills, including the cyber-incident reporting bill, introduced to the Senate in September 2001. The legislation would impact companies across 16 federally designated critical infrastructure sectors, including energy and financial services. Under the new legislation, current federal cybersecurity laws would be updated to enhance coordination between federal agencies. In addition, all federal civilian agencies would be required to report any significant cyberattacks to the Cybersecurity and Infrastructure Security Agency (CISA). The Act would also give the Federal Risk and Authorization Management Program (FedRAMP) five-year authorization to ensure federal agencies are able to adopt cloud-based technologies.

    Infosecurity reports: "Senate Passes Strengthening American Cybersecurity Act"

  • news

    "Vulnerabilities in Over 100k Medical Infusion Pumps"

    Security researchers at Palo Alto Networks' Unit 42 have discovered that most smart medical infusion pumps have known security gaps that make them vulnerable to hackers. Smart infusion pumps are network-connected medication delivery devices that use a combination of computer technology and drug libraries to administer medications and fluids to patients while limiting the potential for dosing errors. The researchers reviewed crowdsourced data from scans of more than 200,000 infusion pumps on the networks of hospitals and other healthcare organizations. Security gaps were detected in 75% of the scanned medical devices. The security researchers noted that the most striking finding was that 52% of all infusion pumps scanned were susceptible to two known vulnerabilities that were disclosed in 2019, one with a "critical" severity score and the other with a "high" severity score. The researchers stated that regulation needs to step in to make vendors and providers ensure that the connected devices used for delivering care meet a minimum standard for security. The researchers noted that devices that can't be updated need to be replaced.

    Infosecurity reports: "Vulnerabilities in Over 100k Medical Infusion Pumps"

  • news

    "Taking a Systems Approach to Cybersecurity"

    A new study conducted by researchers at the International Institute for Applied Systems Analysis (IIASA) proposes a framework that takes a more holistic approach to cybersecurity. They also proposed a model that explicitly represents multiple dimensions of the potential effects of successful cyberattacks. Critical infrastructure such as electric power grids is growing in sophistication, meaning it is also becoming increasingly reliant on digital networks and smart sensors to operate. This reliance has made such critical infrastructure more vulnerable to cyberattacks that can disable systems, disrupt operations, or enable attackers to remotely control affected systems. The impacts of successful attacks on critical cyber-physical systems are also multidimensional: they can incur losses for operators of the compromised system, result in economic losses for other parties relying on their services, present environmental hazards, and more. According to the new study, the multidimensional impacts of cyberattacks call for a tool capable of distinguishing between the different dimensions of cyber risks. The tool should also enable the design of security measures that can most efficiently use limited resources. The researchers wanted to determine whether it is possible to find vulnerabilities that, if exploited, could open ways for several attack scenarios to proceed. They also wanted to find out if it is possible to use this knowledge to simultaneously deploy countermeasures to protect a system from several threats. One common way in which cyber threats are managed involves conducting an analysis of individual attack scenarios through risk matrices, prioritizing the scenarios based on their perceived urgency, and addressing them in order until all the available cybersecurity resources are spent. However, the team pointed out that this approach could lead to suboptimal resource allocations since the potential synergies between different attack scenarios and among available security measures are not considered. Existing assessment frameworks and cybersecurity models assume the perspective of the system's operator and support their cost-benefit analysis, but this approach is inadequate in the context of critical infrastructure security, where the potential impacts of cyberattacks are multidimensional and may affect multiple stakeholders. Therefore, the researchers propose a quantitative framework that gives a more holistic picture of the cybersecurity landscape, encompassing multiple attack scenarios. To do this, they developed a Bayesian network model that represents the cybersecurity landscape of a system. This article continues to discuss the framework and model proposed by the researchers to support a holistic approach to cybersecurity.

    IIASA reports "Taking a Systems Approach to Cybersecurity"

  • news

    "Researchers Show They Can Steal Data During Homomorphic Encryption"

    Researchers at NC State University have demonstrated that it is possible to steal data during homomorphic encryption. Homomorphic encryption has been highlighted as a next-generation data security technology, but the team discovered a vulnerability that allowed them to steal data while it was being encrypted. They did not crack homomorphic encryption using mathematical tools. Instead, they performed side-channel attacks in which they monitored a device's power consumption as it encoded data for homomorphic encryption, in order to read the data while it was being encrypted. This research suggests that even the next generation of encryption technologies must be protected against side-channel attacks. Homomorphic encryption is a method for encrypting data in a way that prevents third parties from reading it, while still allowing third parties and third-party technologies to conduct operations on the data. For example, a user could apply homomorphic encryption to upload sensitive data to a cloud computing system for analysis. Programs in the cloud could perform the analysis and then send the results back to the user, but those programs would never be able to read the sensitive data. This method preserves data privacy while allowing users to carry out operations using the data. Although it has long been theoretically possible, homomorphic encryption is significantly computing power-intensive. Therefore, researchers are still in the early stages of developing hardware and software to make homomorphic encryption practical. Microsoft is a leader in homomorphic encryption, having created the SEAL Homomorphic Encryption Library to help the broader research community study and develop homomorphic encryption. The team found a way to extract data from homomorphic encryption performed with the SEAL Homomorphic Encryption Library via a side-channel attack. They verified that the library contains the vulnerability up through at least version 3.6. As homomorphic encryption research continues, tools and techniques must be developed to protect against side-channel attacks. This article continues to discuss the demonstrated possibility of stealing data during homomorphic encryption through side-channel attacks.

    NC State University reports "Researchers Show They Can Steal Data During Homomorphic Encryption"

  • news

    "Phishing Campaign Targeted Those Aiding Ukraine Refugees"

    According to a new report from researchers at Proofpoint, cyberattackers are using a compromised Ukrainian military email address to deliver malicious macros to EU government employees who have been helping manage the logistics of refugees fleeing Ukraine. The attackers are leveraging breaking news about the Russian invasion of Ukraine to trick targets into opening emails with Microsoft Excel files containing malware. The phishing attempt has been attributed to TA445, also known as UNC1151 or Ghostwriter, which has previously been linked to the Belarus government. The researchers were able to trace the compromised Ukrainian military email address to a publicly available procurement document for a Stihl-brand lawnmower purchased in 2016. They found that the order was made by a military unit in Chernihiv, Ukraine. How the attackers gained access to a military email address remains unclear. This article continues to discuss the phishing campaign targeting EU government employees, the suspected attackers behind the campaign, and Ukraine-oriented cyberattacks that have occurred in recent weeks.

    Threatpost reports "Phishing Campaign Targeted Those Aiding Ukraine Refugees"

  • news

    "HSB Survey Finds EV Security Fears"

    According to new research, small business owners in America are expanding their service fleets with electric vehicles (EVs) despite having fears about the machines' cybersecurity. An online survey for the Hartford Steam Boiler Inspection and Insurance Company (HSB) found that 15% of small and medium-sized businesses had leased or purchased EVs for commercial use. However, just over three-quarters (76%) of those business owners and managers were concerned that the EVs could fall prey to hackers, ransomware, and other cyberattacks when connected to EV charging stations. The survey revealed that nearly half of small business owners were "somewhat or very concerned" about the cybersecurity and safety of internet-connected and automated vehicles. The president of HSB, Timothy Zeilman, stated that the technology is advancing swiftly, and there is a growing need to focus on the cybersecurity of electric vehicles. He continued by noting that with the rush to make the switch to electric cars and trucks, owners and the EV industry should step up their efforts to protect vehicles and charging infrastructure from cyberattacks. When asked to describe their own security experience regarding their commercial vehicles, 13% of business owners and managers said that their fleet had been impacted by a computer virus, hacking incident, or other cyberattack at some point. Nearly half of the 504 individuals surveyed (44%) said that they were worried about their vehicles' data, software, or operating systems being damaged or destroyed by malware or another form of cyberattack. More than half (56%) of respondents described themselves as somewhat or very concerned that a cyberattack could immobilize their vehicles or render them inoperable. Roughly the same proportion of respondents (54%) said they were worried that a cyberattack could compromise their safety in their EV. The possibility of a hacker breaking into their EV and communicating with them over the vehicle's audio system was a concern for 43% of respondents.

    Infosecurity reports: "HSB Survey Finds EV Security Fears"

  • news

    "Most Disclosed ICS Vulnerabilities are Low Complexity"

    Security researchers at Claroty have found in new research that industrial control system (ICS) vulnerability disclosures have surged, and that most vulnerabilities reported are low complexity. The researchers found that the volume of disclosures has increased by 110% over the last four years. In the second half of 2021, 797 vulnerabilities were published, representing a 25% increase from the 637 reported over the first six months of 2021. The researchers noted that 87% of vulnerabilities are low complexity, meaning they don't require special conditions, and an attacker can expect repeatable success every time. ICS vulnerabilities are not limited to operational technology (OT), as just over a third (34%) of disclosures affected IoT, IoMT, and IT assets. The researchers stated that nearly two-thirds (64%) of vulnerabilities reported require no user interaction, and 70% don't require special privileges before successful exploitation. Just under two-thirds of the vulnerabilities (63%) disclosed may be exploited remotely through a network attack vector. The researchers found that the leading potential impact of the vulnerabilities disclosed is remote code execution (prevalent in 53% of vulnerabilities), followed by denial-of-service conditions (42%), bypassing protection mechanisms (37%), and allowing the adversary to read application data (33%).

    Infosecurity reports: "Most Disclosed ICS Vulnerabilities are Low Complexity"

  • news

    "Conti Ransomware Source Code Leaked"

    A hacker claiming to be Ukrainian has leaked Conti ransomware source code after the cybercrime gang behind the ransomware showed support for Russia. The Conti ransomware group released a statement saying it would target the critical infrastructure of Russia's enemies in retaliation for attacks on Russia. They later claimed that they condemned the war and are not allies of any government, but said they are prepared to respond to "American cyber aggression." Someone then created a Twitter account called "conti leaks," where they started leaking files associated with the Conti ransomware operation. Some say the individual behind the leaks is a Ukrainian security researcher, while others say they are a Ukrainian member of the Conti group. The first set of files contained tens of thousands of messages exchanged by Conti members since January 2021. The information included Bitcoin addresses, conversations with victims, IP addresses, and more. The Twitter account has continued releasing Conti chat logs, credentials, email addresses, screenshots, command-and-control (C2) server details, and other files. This article continues to discuss the leak of files associated with the Conti ransomware operation.

    Security Week reports "Conti Ransomware Source Code Leaked"

  • news

    "The Biggest Threat to ICS/OT Is a Lack of Prioritization"

    Findings from a survey conducted by the SANS Institute suggest that cyberattackers have a robust understanding of Operational Technology (OT) and Industrial Control System (ICS) engineering, as they have executed attacks that gain access and impact operations. Of the survey participants, 61 percent revealed that there is a gap between OT/ICS cybersecurity front-line teams and other members of the organization in the perception of the cybersecurity risks faced by their ICS facilities. When asked about the most concerning threat categories, 50 percent of the respondents cited ransomware as the biggest threat. Adversaries are targeting ICS operations with ransomware because such operations could lead to higher and faster payouts. Facilities are urged to ensure that OT/ICS defenders are knowledgeable about their control systems and the ever-changing threat landscape. Defenders must also increase efforts to improve ICS network visibility and monitor for abnormalities in control system traffic. This article continues to discuss key findings from the survey regarding the gap in perception around ICS risks, ransomware as the biggest threat to OT, challenges associated with ICS security resources, and the importance of improving ICS system and network visibility.

    Help Net Security reports "The Biggest Threat to ICS/OT Is a Lack of Prioritization"

  • news

    "Personal Data From T-Mobile Breach Still Spreading on Dark Web, State Governments Warn"

    The top law enforcement officials from multiple states are alerting people affected by an August 2021 breach at T-Mobile that their personal data might be circulating in cybercrime forums online. New York Attorney General Letitia James stated that information stolen in a massive data breach has fallen into the wrong hands and is circulating on the dark web. Officials from California, Florida, and several other states issued similar warnings. The T-Mobile breach involved the data of tens of millions of current, former, or prospective customers of the wireless company. The stolen data is attractive for identity theft and other financial crimes. Law enforcement agencies from multiple states are investigating the breach. In some cases, the hacker accessed people's names, dates of birth, Social Security numbers, and driver's license or ID numbers. The company also said technical data, including international mobile equipment identities (IMEIs) and international mobile subscriber identities, was also compromised. IMEIs, which are often used for advertising purposes, are a unique fingerprint for a device that cannot be reset. States are advising people to take the usual steps if they fear their personal or financial information has been misused: check credit reports and consider contacting the Equifax, Experian, and TransUnion credit bureaus to place freezes on personal credit reports. Individuals can also ask credit reporting services to provide fraud alerts. The August incident was the fifth the company has suffered since 2018.

    CyberScoop reports: "Personal Data From T-Mobile Breach Still Spreading on Dark Web, State Governments Warn"

  • news

    "NATO Completes Quantum-Safe Comms Test"

    NATO has successfully completed a trial of new "quantum-safe" technology designed to mitigate the future risks posed by quantum computers cracking asymmetric cryptography. A company called Post Quantum revealed that the NATO Cyber Security Centre (NCSC) tested "secure communication flows" using one of its specialized virtual private networks (VPNs). Many security researchers have warned that communications based on current public-key encryption standards like RSA are at risk once quantum technology becomes mature enough. Post Quantum described its technology as a "Hybrid Post-Quantum VPN," which blends traditional encryption algorithms with those deemed "quantum-safe." The company has submitted the solution to the Internet Engineering Task Force (IETF) for open standardization. An NCSC principal scientist stated that securing NATO's communications for the quantum era is paramount to its ability to operate effectively without fear of interception.

    Infosecurity reports: "NATO Completes Quantum-Safe Comms Test"

  • news

    "Cyberattacks in Ukraine: New Worm-Spreading Data-Wiper With Ransomware Smokescreen"

    Researchers at the anti-malware company ESET found signs of new malware with worm-spreading capabilities being distributed in cyberattacks in Ukraine. According to the researchers, the cyberattacks began hours before Russia invaded Ukraine, with Distributed Denial-of-Service (DDoS) attacks targeting Ukrainian government websites. The cyberattacks then turned into wiper attacks, destroying data on computer networks. The initial attacks were found leveraging HermeticWiper, HermeticWizard, and HermeticRansom. HermeticWiper corrupts a system's data to make it inoperable, while HermeticWizard spreads the data wiper like a worm across a local network through Windows Management Instrumentation (WMI) and the Server Message Block protocol (SMB). HermeticRansom adds a data-extortion ransomware component written in the Go programming language. A day later, ESET's technology thwarted another new wiper in a Ukrainian governmental network. The wiper dubbed IsaacWiper is being assessed to determine whether it is linked to HermeticWiper. Although the company has not found any tangible connection with a known threat actor, the wiper and worm-spreading components were found to be signed with a code-signing certificate assigned to Hermetic Digital. The US Homeland Security Department's Cybersecurity and Infrastructure Security Agency (CISA) has released indicators of compromise (IOCs) to help threat hunters look for signs of the data-wiping threats in computer networks. This article continues to discuss findings surrounding the destructive data-wiping malware attacks in Ukraine.

    Security Week reports "Cyberattacks in Ukraine: New Worm-Spreading Data-Wiper With Ransomware Smokescreen"

  • news

    "Log4Shell Exploits Now Used Mostly for DDoS Botnets, Cryptominers"

    Threat actors are still exploiting the Log4Shell vulnerabilities in the widely used Log4j software to add devices to Distributed Denial-of-Service (DDoS) botnets and plant cryptomining malware. According to a report from Barracuda, the volume of attempts to exploit Log4Shell vulnerabilities has remained relatively constant. The analysis of attacks involving the exploitation of these vulnerabilities showed that most exploitation attempts were made by malicious actors in the US, Japan, central Europe, and Russia. The operators of the Mirai botnet have exploited Log4Shell vulnerabilities. The Mirai malware targets publicly exposed network cameras, routers, and other devices and then recruits them into a botnet composed of remotely controlled bots. The threat actor controls the botnet to execute DDoS attacks against targets, draining their resources and disrupting their online services. Barracuda's report explains that Mirai is distributed in different forms from various sources, meaning the operators are trying to build a large botnet that attacks victims of all sizes. The threat actors behind these operations are said to be renting their botnet firepower to others or performing DDoS attacks themselves to extort target companies. Other payloads dropped through the exploitation of Log4Shell vulnerabilities include BillGates malware, Kinsing, XMRig, and Muhstik. This article continues to discuss the continued exploitation of Log4Shell vulnerabilities to build DDoS botnets and deliver cryptomining malware.

    Bleeping Computer reports "Log4Shell Exploits Now Used Mostly for DDoS Botnets, Cryptominers"

  • news

    Visible to the public "DDoS Attackers Have Found This New Trick to Knock Over Websites"

    Distributed Denial-of-Service (DDoS) attackers have been observed using a new technique to knock websites offline, which involves targeting middleboxes such as firewalls to amplify junk traffic attacks. Amplification attacks have helped malicious actors knock over servers with short traffic bursts. According to the content distribution network firm Akamai, there has recently been a surge of attacks using Transmission Control Protocol (TCP) Middlebox Reflection. Akamai revealed that the attacks reached 11 Gbps at 1.5 million packets per second (Mpps). Researchers at the University of Maryland and the University of Colorado Boulder released a paper last August, revealing that attackers could use middleboxes through TCP to amplify DDoS attacks. Most DDoS attacks use the User Datagram Protocol (UDP) to amplify packet delivery by sending packets to a server that replies with larger packets, which are then forwarded to the attacker's target. The TCP attack leverages network middleboxes that do not follow the TCP standard. The researchers discovered hundreds of thousands of IP addresses that could amplify attacks by more than 100 times through the use of firewalls and content filtering devices. This article continues to discuss the new technique being used by DDoS attackers to amplify attacks.

    ZDNet reports "DDoS Attackers Have Found This New Trick to Knock Over Websites"

  • news

    Visible to the public "Rural Idaho Receives Cybersecurity Boost"

    Boise State University (BSU) has partnered with Stellar Cyber to launch a new program to improve cybersecurity in Idaho's rural and remote communities. BSU said its Institute for Pervasive Cybersecurity is adopting Stellar Cyber's Open XDR platform. The platform will be a teaching tool and play a central role in the university's new Cyberdome skill development program. Stellar Cyber stated that the new partnership allows Boise to launch a first-of-its-kind, free Security-as-a-Service program for Idaho's rural and remote communities, including state-funded agencies and school districts. Boise State stated that they will use the Open XDR platform to provide free Security-as-a-Service (SaaS) services to Idaho's more than 750 state-funded agencies and teach and train Cyberdome students about cybersecurity through real-world operational experience. The platform features a suite of built-in tools, which includes network detection and response (NDR), security information event management (SIEM), and threat intelligence platform (TIP). It was designed to integrate with third-party security tools like endpoint detection and response (EDR), which students have already been trained to use.

    Infosecurity reports: "Rural Idaho Receives Cybersecurity Boost"

  • news

    Visible to the public "Ghostwriter Group Targets NATO Refugee Effort"

    Security researchers at Proofpoint have detected a new phishing campaign linked to a notorious disinformation threat group, targeting European governments as they try to manage an influx of Ukrainian refugees. The new phishing campaign was first spotted on February 24, and the original phishing email was sent using a compromised account belonging to a member of the Ukrainian military. The email itself piggybacked on news of a recent UN Security Council meeting and contained a malicious XLS macro later determined to deliver the SunSeed malware. The file itself was spoofed to appear as if it contained a recently discovered 'kill list' of Ukrainian figures drawn up by Moscow. The timing of the phishing campaign also appeared to coincide with Ukrainian CERT warnings of widespread phishing campaigns targeting military personnel and relatives launched by Belarusian group Ghostwriter (UNC1151/TA445). The email messages that the researchers observed were limited to European governmental entities. The targeted individuals possessed a range of expertise and professional responsibilities. However, there was a clear preference for targeting individuals with responsibilities related to transportation, financial and budget allocation, administration, and population movement within Europe. The researchers stated that this campaign might represent an attempt to gain intelligence regarding the logistics surrounding the movement of funds, supplies, and people within NATO member countries. Although the researchers said they didn't have definitive technical evidence linking the campaign to Ghostwriter, they had spotted "several temporal and anecdotal indicators." The researchers noted that the group could be trying to gather evidence to help craft more narratives about migrants and refugees intended to sow discord across Europe, a tactic it has used before. TA445 has a history of engaging in a significant volume of disinformation operations designed to manipulate European sentiment around the movement of refugees within NATO countries. The researchers noted that these controlled narratives might intend to marshal anti-refugee sentiment within European countries and exacerbate tensions between NATO members, decreasing Western support for the Ukrainian entities involved in armed conflict.

    Infosecurity reports: "Ghostwriter Group Targets NATO Refugee Effort"

  • news

    Visible to the public "Chinese Cyberspies Use Their ‘Most Advanced’ Backdoor to Attack Governments"

    Daxin is a stealthy backdoor linked to China that was built to be deployed in fortified corporate networks with high-level threat detection capabilities. Findings from an analysis of the backdoor conducted by Symantec's Threat Hunter team reveal that Daxin is one of the most sophisticated backdoors ever used by Chinese hackers. Daxin comes in the form of a Windows kernel driver, a relatively rare format in the malware world. Daxin's communication capabilities combine data sharing with conventional Internet traffic, making it stealthy. Backdoors allow threat actors to gain remote access to a hacked computer system in order to steal data, run commands, download other malware, and more. Such tools require data transfer encryption or obfuscation to avoid detection by network traffic monitoring tools since they are often used to steal information from secured networks or cause further damage to a device. Daxin does this by looking for specific patterns in a device's network data. Following the discovery of particular patterns, Daxin will then take over a genuine TCP connection and abuse it to interact with the command-and-control (C2) server. The Daxin malware may hide its communication in what appears to be ordinary traffic and, therefore, go unnoticed by hijacking TCP conversations. Symantec pointed out that the use of hijacked TCP connections gives Daxin's communications a high degree of stealth, helps set up connectivity on networks containing strict firewall rules, and lowers the risk of discovery by Security Operations Center (SOC) analysts. This article continues to discuss recent findings surrounding the China-linked Daxin malware.

    CyberIntelMag reports "Chinese Cyberspies Use Their 'Most Advanced' Backdoor to Attack Governments"

  • news

    Visible to the public "Revamped Anchor Malware Targets Windows Systems"

    Researchers with IBM Security X-Force are warning of a revamped version of the Anchor malware called AnchorMail, which has been targeting Windows systems. Anchor is a backdoor that has been deployed by the group behind the Trickbot malware. It was previously used to communicate with the command-and-control (C2) server, with the end goal being to launch Conti ransomware. According to the researchers, the malware's installation framework has been used by some of the most notorious threat actors in attacks against organizations in the healthcare, finance, telecoms, education, and critical infrastructure sectors. Anchor used the Domain Name System (DNS) protocol to communicate with the C2. The newly discovered variant now uses an email-based C2 server and communicates via the Simple Mail Transfer Protocol (SMTP) and Internet Message Access Protocol (IMAP) over Transport Layer Security (TLS), helping attackers avoid detection. AnchorMail is difficult to detect as it encrypts the data over the SMTPS/IMAPS protocols and leverages properly crafted email messages to set up the C2 channel. Charlotte Hammond, a malware reverse engineer with IBM Security X-Force, said that AnchorMail is written in C++ and has only been seen targeting Windows systems thus far, but a Linux variant of AnchorMail could emerge too since Anchor has been ported to Linux. This article continues to discuss the history of Anchor malware and the Trickbot gang, as well as findings regarding AnchorMail.

    Decipher reports "Revamped Anchor Malware Targets Windows Systems"

  • news

    Visible to the public "Organizations Vulnerable to Emerging Threats As They Struggle With Malware Analysis"

    According to a new report from the infrastructure protection company OPSWAT, nearly all organizations are struggling with malware analysis. Findings shared in the report reveal that 94 percent of organizations find it difficult to recruit, train, and retain malware analysis staff. In addition, 93 percent of organizations are challenged by malware analysis tools' lack of automation, integration, and accuracy. This article continues to discuss the malware analysis challenges faced by organizations and why such analysis is a critical capability.

    BetaNews reports "Organizations Vulnerable to Emerging Threats As They Struggle With Malware Analysis"

  • news

    Visible to the public "Nvidia Confirms It Is Investigating a Cybersecurity Incident"

    Nvidia is investigating a probable cyberattack. Nvidia experienced an incident this week that compromised its internal systems, including email and development tools, for two days. Its commercial activities were not impacted. The hacker has not yet been identified, and the company is evaluating whether any Nvidia or customer data was affected. U.S. companies are on high alert for possible cyberattacks coming from Russian sources in retaliation for recent U.S. sanctions over the invasion of Ukraine.

    TechCrunch reports "Nvidia Confirms It Is Investigating a Cybersecurity Incident"

  • news

    Visible to the public "US, Britain Accuse Russia of Cyberattacks Targeting Ukraine"

    Russia is likely responsible for recent cyberattacks against Ukraine. Anne Neuberger, the White House chief cyber official, said that the US has linked Russia to recent denial-of-service attacks on Ukraine's major banks and defense ministry. Ukraine was able to get its networks back online, but this may be the opening salvo of more attacks to follow. While the attacks disrupted some government communications and online banking services, the Ukrainian government was able to mitigate the damage and restore service. Government and business are on alert for more cyberattacks as tensions rise in the conflict.

    Security Week reports "US, Britain Accuse Russia of Cyberattacks Targeting Ukraine"

  • news

    Visible to the public "State Bar of California Investigates Data Breach"

    The State Bar of California has launched an investigation to discover how hundreds of thousands of confidential attorney discipline records were exposed online. The records were found on February 24 on a public website that aggregates nationwide court case records. Data compromised in the incident included case numbers, file dates, case types, case statuses, and respondent and complaining witness names. Alongside the discovered 260,000 confidential attorney discipline records were approximately 60,000 public State Bar Court case records. The State Bar stated that it was taking "urgent action" to address the breach and had notified law enforcement of the incident. The State Bar said that the site "also appears to display confidential court records from other jurisdictions" but did not specify which ones. During the investigation into the incident, the State Bar discovered that a previously unknown security vulnerability in the Tyler Technologies Odyssey case management portal allowed the nonpublic records to be unintentionally swept up by Judyrecords when it attempted to access the public records using a unique access method. The State Bar is working with Tyler Technologies, the maker of the Odyssey system, to remediate the security vulnerability, which they believe may not be unique to the State Bar's implementation and could impact other users of Odyssey systems. The State Bar said that as of late Saturday, February 26, all State Bar records, confidential and public, had been removed from the website.

    Infosecurity reports: "State Bar of California Investigates Data Breach"

  • news

    Visible to the public "Toyota Halts Production Across Japan After Ransomware Attack"

    After a ransomware attack on a key supplier, the world's largest carmaker has been forced to halt production at all of its plants in Japan. Toyota said it would suspend 28 production lines at 14 factories on Tuesday, with resumption planned for Wednesday, although that might be postponed. A cyberattack hit plastic parts supplier Kojima Industries and threatened to spill over into Toyota's IT systems via its "Kanban" just-in-time production control system. Toyota cyber-experts are said to be on-site at Kojima to determine the impact and source of the attack. Also affected are Toyota subsidiaries Hino Motors and Daihatsu Motor. The Japanese carmaker sold 10.5 million vehicles in 2021, making it the world's biggest producer for the second year running. Andy Kays, CEO of Socura, claimed factory IT and OT systems are so exposed by default that it's "astounding" more compromises don't occur. Modern manufacturing companies such as Kojima Industries have hundreds, if not thousands, of connected devices on site. Each one is a potential point of attack and a point of failure. Combined with a factory's sizeable workforce, its attack surface is enormous. According to a recent report from IBM, the manufacturing sector was hit by more ransomware attacks than any other last year.

    Infosecurity reports: "Toyota Halts Production Across Japan After Ransomware Attack"

  • news

    Visible to the public "Trickbot Comes Up With a New Set of Tricks"

    The group behind the Trickbot malware appears to be shifting away from the cybercriminal platform to the use of more modern attack tools. According to researchers at the threat intelligence firm Intel 471, the group behind the malware stopped spreading Trickbot and instead started distributing copies of Emotet and Qbot to infected systems late last year. The shift suggests that Trickbot's operators are changing strategies and working more closely with Emotet botnet operators. According to Greg Otto, a researcher at Intel 471, Trickbot employs nearly 400 people, making the group likely to continue operations, refine its malware, and resurface under a different name. Researchers at Check Point Software Technologies had also observed over 140,000 Trickbot-infected machines spreading Emotet malware to other systems in November 2021, which caused a surge in Emotet infections after a multinational takedown by law enforcement agencies in January 2021. The Trickbot operators likely have phased Trickbot malware out of their operations in favor of other platforms, such as Emotet, since Trickbot itself is relatively old malware that has not been significantly updated. Although Trickbot has apparently stopped its campaign to infect new systems, currently compromised computers are still communicating with each other and uploading code that can be injected into websites and other malware programs, such as Emotet and Qbot. The campaigns themselves have been quiet, but the command-and-control (C2) infrastructure tied to Trickbot remains operational, serving more plugins and web injects as well as additional configurations to bots in the botnet. The operators also used the Bazar backdoor malware to gain stealthy access to high-value targets. This article continues to discuss changes made by the group behind Trickbot.

    Dark Reading reports "Trickbot Comes Up With a New Set of Tricks"

  • news

    Visible to the public "Samsung Shattered Encryption on 100M Phones"

    Security researchers at Tel Aviv University have stated that Samsung shipped an estimated 100 million smartphones with botched encryption, including models ranging from the 2017 Galaxy S8 up to last year's Galaxy S21. The researchers found what they called "severe" cryptographic design flaws that could have let attackers siphon the devices' hardware-based cryptographic keys, which are the keys that unlock the treasure trove of security-critical data found in smartphones. The researchers stated that the design flaws primarily affect devices that use ARM's TrustZone technology. ARM's TrustZone technology is the hardware support provided by ARM-based Android smartphones (which are the majority) for a Trusted Execution Environment (TEE) that implements security-sensitive functions. The researchers noted that adversaries could exploit Samsung's cryptographic missteps to downgrade a device's security protocols. Doing this would leave a phone vulnerable to IV (initialization vector) reuse attacks. IV reuse attacks undermine the encryption randomization that ensures that even if multiple messages with identical plaintext are encrypted, the corresponding ciphertexts will each be distinct. The researchers published a paper regarding this research entitled "Trust Dies in Darkness: Shedding Light on Samsung's TrustZone Keymaster Design." The authors will give a detailed presentation of the vulnerabilities at the upcoming USENIX Security 2022 symposium in August.

    Threatpost reports: "Samsung Shattered Encryption on 100M Phones"

  • news

    Visible to the public "r2c: An Open Source Tool for Software Security"

    MIT alumni founded a startup named r2c with the purpose of simplifying the process of securing code by offering a database of software checks. In the software security industry, it is easier to attack a system than it is to protect it, as hackers only need to find one vulnerability to successfully execute an attack, while software developers must protect their code from all possible attacks. Therefore, when an individual programmer makes a popular app, it quickly becomes a target for various security threats. Although larger companies have software security teams, those teams are known to slow down deployments as they review lines of code to safeguard against attacks. The startup r2c is now looking to make the process of securing software more seamless through an open source code-proofreading tool. The tool, called Semgrep, parses lines of code to detect potential bugs and vulnerabilities, similar to how Grammarly finds grammatical errors or possible improvements in online writing. Semgrep includes a database of over 1,500 prewritten rules that security professionals can use in their code scans. If a security professional does not see the rule they want, they can use r2c's interface to write their own rules and then add them to the database for others to use. Besides simplifying the process of implementing code standards, r2c has also fostered a community in which security professionals share ideas and brainstorm solutions to threats. This article continues to discuss r2c's open source Semgrep tool and other services offered by the startup to help improve software security.

    SciTechDaily reports "r2c: An Open Source Tool for Software Security"

  • news

    Visible to the public "CISA and FBI Publish Advisory to Protect Organizations from Destructive Malware Used in Ukraine"

    The US Homeland Security Department's Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) issued a joint Cybersecurity Advisory pertaining to the WhisperGate and HermeticWiper malware being used against organizations in Ukraine and what organizations can do to protect their networks from the destructive malware. The advisory emphasized that the malware can disrupt an organization's daily operations, potentially making critical assets and data unavailable. Although there is currently no specific credible threat to the US, all organizations are encouraged to assess and strengthen their cybersecurity. All organizations are urged to enable Multi-Factor Authentication (MFA), set antimalware to perform regular scans, enable spam filters to prevent phishing emails from reaching end users, update software, filter network traffic, and more. This article continues to discuss the joint Cybersecurity Advisory released by CISA and the FBI on the destructive malware targeting organizations in Ukraine.

    HSToday reports "CISA and FBI Publish Advisory to Protect Organizations from Destructive Malware Used in Ukraine"

  • news

    Visible to the public "Microsoft Exchange Bugs Exploited by ‘Cuba’ Ransomware Gang"

    According to researchers at Mandiant, the ransomware gang known as Cuba is increasingly shifting to exploiting Microsoft Exchange vulnerabilities, including ProxyShell and ProxyLogon. The group has likely been using these vulnerabilities since as early as last August. Mandiant, which tracks the threat actor as UNC2596, noted that the group deploys the COLDDRAW ransomware. The researchers stated that Cuba might be the only group that uses COLDDRAW because it is the only threat actor using it among those tracked by Mandiant. In a December flash alert, the FBI attributed a spate of attacks on at least 49 U.S. entities in the financial, government, healthcare, manufacturing, and information technology sectors to the group. In order to identify active network hosts to potentially encrypt and files to exfiltrate, Cuba has used WEDGECUT, a reconnaissance tool, which sends PING requests to a list of hosts generated by a PowerShell script that enumerates the Active Directory. Then, the adversaries look around to see what files might be of interest. The researchers noted that Cuba also routinely uses a script to map all drives to network shares, "which may assist in user file discovery." The researchers stated that Cuba threat actors have used several methods for lateral movement, including RDP, SMB, and PsExec, frequently using BEACON to facilitate this movement. The adversaries then deploy various backdoors, including NetSupport, as well as BEACON and BUGHATCH, which are often deployed using the TERMITE in-memory dropper. To finish their extortion work, the gang tries to steal files and encrypt machines, threatening to publish exfiltrated data belonging to organizations that fail to pay the ransom.

    Threatpost reports: "Microsoft Exchange Bugs Exploited by 'Cuba' Ransomware Gang"

  • news

    Visible to the public "Cryptocurrency Wallets Targeted by Alien Malware Variant"

    Xenomorph is a new banking Trojan that has targeted 56 European banks. It is connected to the Alien Trojan family and has been discovered being distributed via the Google Play Store. There were over 50,000 installations of the malicious app. According to researchers, Xenomorph is significantly different from its predecessor, but is suspected of having been developed by the same actor or another person who is familiar with the coding. Although Xenomorph remains active in targeting banks, it now has the capability to target cryptocurrency wallets. Like many other Android banking Trojans, Xenomorph's primary attack vector is an overlay attack mechanism in which the attacker places a window over a running app to trick its victims into revealing Personally Identifiable Information (PII). The developers of Xenomorph combined this feature with the ability to use SMS and call interception, thus enabling them to log and use two-factor authentication tokens. The researchers say the app will constantly request Accessibility Services privileges until the user grants those privileges. The Accessibility engine that powers this malware, in conjunction with the infrastructure and C2 protocol, has been found to be designed as scalable and updatable. The researchers found that the Fast Cleaner application, presented as a speed-boosting app for clearing storage space, belonged to the GymDrop family, which was previously seen deploying an Alien A payload. The threat actor can spy on a user and collect additional data using keystroke logging capabilities. ThreatFabric said the alleged designer took credit for the Alien variant in a darknet forum. Alien, which is a popular choice among threat actors looking for access to tools to deploy Malware-as-a-Service (MaaS) campaigns, seems to be a spin-off of the now inactive Cerberus malware. Alien malware has many capabilities similar to those of Xenomorph, such as keystroke logging, push notifications, the ability to hide what the app is doing, and more. This article continues to discuss findings surrounding Xenomorph, the Alien Android family, and the circumvention of authentic app stores to launch attacks.

    BankInfoSecurity reports "Cryptocurrency Wallets Targeted by Alien Malware Variant"

  • news

    Visible to the public "New Security Tech Monitors Power Use for Warning Signs of Cyberattacks"

    Researchers at the University of Waterloo have developed new technology aimed at protecting governments, businesses, and other organizations from cyberattacks by monitoring power consumption for warning signs of such attacks. The technology involves a small piece of hardware that uses Artificial Intelligence (AI) software to determine if a system's power usage is inconsistent with known predictable patterns. If the power consumption is unusual, the AI software will alert security staff within the organization, stating that its infrastructure could be under attack by hackers seeking to steal or lock critical information. For example, if several machines suddenly exhibit a similar pattern of high power usage, the technology would raise an alert that crypto-ransomware might be spreading throughout the network. The technology has a wide variety of potential applications, as it could be used to protect network equipment, computers, water supply, 5G infrastructure, trains, airplanes, and anything else that consumes power. This article continues to discuss the new security technology developed by researchers at the University of Waterloo to monitor power consumption for warning signs of cyberattacks and protect organizations from such attacks.

    The University of Waterloo reports "New Security Tech Monitors Power Use for Warning Signs of Cyberattacks"

  • news

    Visible to the public "How AI Is Shaping the Cybersecurity Arms Race"

    Cybersecurity staff are often overwhelmed by the amount of data they must sort through to manage their cyber defenses. Using Artificial Intelligence (AI) could help cybersecurity professionals find patterns in huge pools of data. Sagar Samtani, an Assistant Professor in the Department of Operations and Decision Technologies at Indiana University, who studies AI and cybersecurity, has shared his thoughts on why AI is a necessary tool in cybersecurity operations. Samtani pointed out two main ways in which AI is strengthening cybersecurity, with the first being that it helps automate many tasks that a human analyst would typically handle manually. These tasks include looking for unknown workstations, servers, code repositories, and other hardware and software on a network. The second way AI is bolstering cybersecurity is by helping to detect patterns in large quantities of data that a human analyst cannot see. For example, human analysts can use AI to pick up on linguistic patterns of hackers posting emerging threats on platforms in the dark web, and then have the AI alert them about the detected patterns. Analytics enabled by AI can help identify the special language or code words used by hackers to refer to their tools, techniques, and procedures. This article continues to discuss the benefits of using AI in cybersecurity operations as well as common questions and concerns surrounding the role of AI.

    The Conversation reports "How AI Is Shaping the Cybersecurity Arms Race"

  • news

    Visible to the public "New York to Get Statewide Cybersecurity Center"

    New York State is creating a Joint Security Operations Center (JSOC) to centralize and enhance its cyberdefenses. State governor Kathy Hochul stated that New York was forming a statewide team to "thwart" potential cyberattacks. She added that the state would be hiring 70 "highly trained individuals to work in a facility with 117 desktop computers." The governor said that the center would improve New York's ability to prevent cyberattacks and respond to attacks that could not be blocked. She noted that this center would help shore up New York's defenses, identify weaknesses, and protect from vulnerabilities. The governor also announced that she is proposing that New York invest $61.9m to improve its cyberdefenses. Should her proposal be approved, it will represent a doubling of the state's previous funding allocations for making cybersecurity improvements. Cybersecurity and Infrastructure Security Agency director Jen Easterly praised New York's actions on social media.

    Infosecurity reports: "New York to Get Statewide Cybersecurity Center"

  • news

    Visible to the public "Anonymous Hacking Group Declares “Cyber War” Against Russia"

    Hacktivist group Anonymous has declared "cyber war" against Vladimir Putin's government following the Russian invasion of Ukraine. The well-known international hacking collective made the announcement on its Twitter account on Thursday, shortly after the Kremlin commenced military action. Shortly after declaring cyber war, the group claimed responsibility for taking down Russian government websites, including those of the Kremlin and the State Duma. The group later tweeted that it had taken down the website of the Russian propaganda station RT news. Anonymous has signaled that it intends to ramp up cyberattacks on the Russian state. The hacktivist group is renowned for targeting governments and other organizations for actions and policies it disagrees with, such as cracking down on protesters. Past targets have included government agencies of the US, Israel, Spain, and Uganda, as well as groups like the Ku Klux Klan and Islamic State. Cyber has already played a significant role in the Russia-Ukraine dispute over recent weeks, which has now spilled into armed conflict.

    Infosecurity reports: "Anonymous Hacking Group Declares "Cyber War" Against Russia"

  • news

    Visible to the public "Microsoft App Store Sizzling with New ‘Electron Bot’ Malware"

    A backdoor malware, dubbed Electron Bot, is actively taking over social media accounts, including those on Facebook, Google, and Soundcloud, and has cloned popular games such as Temple Run or Subway Surfer to infiltrate Microsoft's official store. The backdoor allows attackers to take full control over compromised machines. It can remotely enable operators to register new accounts, log in, comment, and like social media posts in real-time. According to a report recently released by Check Point Research (CPR), over 5,000 people in Bermuda, Bulgaria, Russia, Spain, Sweden, and more, have fallen victim to the malware. Its main path of distribution is through the Microsoft store platform, as it hides in dozens of infected apps, most of which are games that the threat actors are constantly uploading. CPR researchers describe the Electron Bot backdoor as a modular Search Engine Optimization (SEO) poisoning malware used for social media promotion and click fraud. SEO poisoning is a technique in which threat actors create malicious websites and use SEO strategies to make them appear above legitimate sites in search results. Electron Bot is also said to be an ad clicker, which constantly clicks on remote websites to generate clicks on ads generating Pay-Per-Click (PPC) ad revenue. The attackers have also been using Electron Bot to promote social media accounts to direct traffic to specific content, thus increasing views and ad-clicking for PPC revenue. CPR explains that the Electron framework allows the bot to imitate human browsing behavior and circumvent protections implemented for websites. This article continues to discuss the discovery, capabilities, and infection routine of the new Electron Bot malware, as well as other malware found in official app stores.

    Threatpost reports "Microsoft App Store Sizzling with New 'Electron Bot' Malware"

  • news

    Visible to the public "Ransomware Trained on Manufacturing Firms Led Cyberattacks in Industrial Sector"

    Most industrial network operators and their security teams have seen a surge in ransomware attacks over the past year. Real-world incident response investigations conducted by teams at Dragos and IBM X-Force in 2021 revealed that the manufacturing sector is the most attractive Operational Technology (OT) target, and ransomware is the main weapon of choice against organizations within this sector. Two ransomware groups, Conti and LockBit 2.0, launched over 50 percent of all ransomware attacks on the industrial sector, 70 percent of which were against manufacturing firms, thus making manufacturing the main OT industry target of ransomware attacks last year. Although the ransomware attacks against Colonial Pipeline and JBS were the most high-profile in the manufacturing sector, there were a significant number of cases that did not go public, according to Rob Lee, founder and CEO of Dragos. Dragos responded to more than 200 ransomware incidents experienced by manufacturing firms last year. Incident response (IR) cases investigated by IBM X-Force showed that over 60 percent of the incidents faced by OT firms last year were against manufacturers. In addition, manufacturing surpassed financial services as the most-attacked vertical investigated by X-Force's incident response team last year, with ransomware accounting for 23 percent of those attacks. Dragos also discovered three new threat groups it had not previously encountered in OT, dubbed Kostovite, Petrovite, and Erythrite, in 2021. Kostovite compromised a major operations and maintenance company's OT infrastructure by exploiting a zero-day vulnerability in the Ivanti Pulse Connect Secure VPN. The Petrovite threat group gathers intelligence on ICS and OT systems in mining and energy operations in Kazakhstan and Central Asia, while Erythrite targets Fortune 500 food and beverage, electric, oil and gas, and IT service providers supporting the industrial sector. A common issue among industrial organizations is a lack of network visibility as well as potentially open and vulnerable ports of entry. This article continues to discuss key findings surrounding attacks against industrial organizations.

    Dark Reading reports "Ransomware Trained on Manufacturing Firms Led Cyberattacks in Industrial Sector"

  • news

    Visible to the public "Oklahoma Cops Say Rape Victims' Data May Have Been Leaked"

    The Oklahoma City Police Department (OKCPD) has announced that personal data belonging to victims of sexual assault may have been exposed during a security incident at a DNA analysis laboratory. The OKCPD said that a company the department previously used to perform forensic testing had been hacked. DNA Solutions is a private DNA analysis laboratory whose testing facility is located at the University Research Park Campus in Oklahoma City. The laboratory provides paternity and forensic testing in humans and sire confirmation, genotype registries, DNA banking, and animal forensic identification. Master Sgt. Gary Knight stated that the OKCPD had contracted the company for two years to perform "Y-screening" (Y-chromosomal testing) to detect male DNA foreign to the victim of sexual assault. DNA Solutions Inc. determined that an unauthorized third party accessed their network and may have compromised certain sensitive personal and health-related information from sexual assault kits sent to them for forensic testing. DNA Solutions said it discovered the hack on November 18, 2021, and immediately blocked the hacker's access to its network. An investigation was launched to determine which files had been accessed by the attacker. The company said that while some sensitive personal and health information was compromised, the attacker did not access any personally identifiable information or financial information. The company stated that the data accessed by the adversaries did not include social security numbers, driver's license information, or financial information.

    Infosecurity reports: "Oklahoma Cops Say Rape Victims' Data May Have Been Leaked"

  • news

    Visible to the public "Computer Security Researchers Aim To Prevent Tech Abuse"

    Computer security researchers at Cornell Tech have developed a new method for helping domestic abuse survivors stop assailants from hacking into their devices and social media to cause further harm to them. Their model is based on continuity of care, in which clients are provided with a seamless relationship with one volunteer tech consultant, similar to what occurs in the health care setting. The model matches survivors with trustworthy consultants who understand their needs, offers multiple ways to safely communicate with consultants, and securely stores their tech abuse history and concerns. Emily Tseng, a doctoral student and lead author on a paper about the model, emphasized that managing personal data in tech abuse is complex and cannot always be solved in a single visit. She also pointed out that existing tech support approaches are limited by a one-size-fits-all protocol similar to that of an emergency room. The researchers' paper, "Care Infrastructure for Digital Security in Intimate Partner Violence," details a new approach, which was developed in partnership with New York City's Mayor's Office to End Domestic and Gender-Based Violence. The research behind their approach involved eight months of data, interviews with volunteer technology consultants, and experts on Intimate Partner Violence (IPV). This work explores the benefits and burdens of running a volunteer technology consultant service for IPV survivors, as well as the challenges that emerge when trying to safely provide computer security advice. Cornell Tech's program helps survivors experiencing technology abuse and increases understanding of how people could misuse technology to further harm others. For example, assailants can abuse their victims through spyware, the inappropriate use of different devices' location-tracking features, and more. This article continues to discuss the new approach created by Cornell Tech researchers to help domestic abuse survivors stop assailants from hacking their devices and social media.

    Cornell Chronicle reports "Computer Security Researchers Aim To Prevent Tech Abuse"

  • news

    Visible to the public "Vishing Makes Phishing Campaigns Three-Times More Successful"

    IBM's security researchers have found that phishing emerged as the number one threat vector in 2021. The researchers revealed that phishing overtook vulnerability exploitation as the top pathway for compromise globally last year, accounting for 41% of initial access attempts, up from 33% in 2020. Interestingly, the researchers stated that click rates for the average targeted phishing campaign increased almost three-fold, from 18% to 53% when phone phishing (vishing) was also used by threat actors. In the UK, an estimated 80% of consumers received a scam call or text over the summer of 2021. The researchers at IBM highlighted business email compromise (BEC) and ransomware actors as particularly prolific users of phishing during 2021. The researchers noted that despite dropping into second place, vulnerability exploitation remains a significant threat to organizations. The number of incidents using this as an infection vector surged by 33% year-on-year in 2021.

    Infosecurity reports: "Vishing Makes Phishing Campaigns Three-Times More Successful"

  • news

    Visible to the public SoS Musings #58 - Bolstering Open Source Software Security


  • news

    Visible to the public "A Security Technique to Fool Would-Be Cyber Attackers"

    Researchers at the Massachusetts Institute of Technology (MIT) have demonstrated a new technique that protects a computer program's secret information from attackers while enabling faster computation. Multiple programs running on the same computer may not be capable of directly accessing each other's hidden information. However, as they share the same memory hardware, their secrets could be stolen by a malicious program through a memory timing side-channel attack. The malicious program detects delays when it attempts to access the computer's memory, because the hardware is shared by all the programs using the machine. It can then recover another program's secrets, such as a password or cryptographic key, by interpreting those delays. One method to prevent these attacks is to allow only one program at a time to use the memory controller, but this significantly slows down computation. Therefore, the MIT researchers devised a new approach that allows memory sharing to continue while providing a robust defense against this type of side-channel attack. Their method can speed up programs by 12 percent compared to state-of-the-art security schemes. According to the researchers, their technique could be applied to various types of side-channel attacks that target shared computing resources. The scheme developed by the team shapes a program's memory requests into a predefined pattern that is independent of when the program actually needs to use the memory controller. Before a program accesses the memory controller and interferes with another program's memory request, it must go through a request shaper that uses a graph structure. This structure processes requests and sends them to the memory controller on a fixed schedule. The graph is a Directed Acyclic Graph (DAG), so the team's security scheme is dubbed DAGguise. The researchers tested DAGguise by simulating its performance in a real implementation. They continuously sent signals to the memory controller, simulating how an attacker would try to determine another program's memory access patterns, and verified that no private data were leaked in any attempt. They then used a simulated computer to determine how their system could improve performance compared to other security approaches. This article continues to discuss the MIT team's demonstration of their method aimed at safeguarding a computer program's secret information while enabling faster computation.
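    As an added illustration (not the MIT team's code or DAGguise itself), the toy model below stands in a fixed repeating slot schedule for the DAG-driven schedule described above; the two secret-dependent demand patterns and the 4-cycle slot period are constructed assumptions. It shows that a co-resident observer watching controller busy/idle timing sees the same pattern whichever secret the program holds, while the real requests pay a waiting cost, which is the performance trade-off the article discusses.

```python
from collections import deque

PERIOD = 4  # assumed: the shaper hands one request to the controller every 4 cycles


def demand_times(secret_bit, n=6):
    """Constructed secret-dependent demand: bursty early accesses for bit 1,
    sparse accesses for bit 0 (this is the pattern a timing observer hopes to see)."""
    return [1, 2, 3, 4, 5, 6][:n] if secret_bit else [2, 9, 17, 21, 30, 35][:n]


def unshaped_trace(demand, horizon):
    """Without shaping, the controller is busy exactly when the program asks."""
    wanted = set(demand)
    return [t in wanted for t in range(horizon)]


def _shape(demand, horizon, period):
    """Buffer real requests and release one per fixed slot; an empty slot emits a
    dummy request, so the busy/idle pattern never depends on the program."""
    pending, served, trace = deque(), [], []
    arrivals, i = sorted(demand), 0
    for t in range(horizon):
        while i < len(arrivals) and arrivals[i] <= t:
            pending.append(arrivals[i])
            i += 1
        if t % period == 0:
            if pending:
                served.append((pending.popleft(), t))  # (arrival, issue) of a real request
            trace.append(True)  # real or dummy: the controller looks busy either way
        else:
            trace.append(False)
    return trace, served


def shaped_trace(demand, horizon, period=PERIOD):
    return _shape(demand, horizon, period)[0]


def shaping_delays(demand, horizon, period=PERIOD):
    """Cycles each real request waited inside the shaper: the performance price."""
    return [issue - arrival for arrival, issue in _shape(demand, horizon, period)[1]]


def observer_can_distinguish(trace_fn, horizon=40):
    """True if busy/idle timing alone separates secret bit 0 from secret bit 1."""
    return trace_fn(demand_times(0), horizon) != trace_fn(demand_times(1), horizon)


if __name__ == "__main__":
    print("unshaped leaks:", observer_can_distinguish(unshaped_trace))  # True
    print("shaped leaks:", observer_can_distinguish(shaped_trace))      # False
    print("delays for bit 1:", shaping_delays(demand_times(1), 40))
```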

    MIT News Office reports "A Security Technique to Fool Would-Be Cyber Attackers"

  • news

    Visible to the public "Log4j Vulnerabilities Put Strain on Overburdened Cybersecurity Workforce"

    Since the discovery of the Apache Log4j vulnerabilities in 2021, the cybersecurity workforce has been trying to patch systems, reduce the intensity of network intrusions, and manage other critical activities at the same time. The significance of these vulnerabilities and the remediation process have taken a toll on the cybersecurity workforce, which already suffers a shortage of professionals. Apache Log4j is a widely used Java framework that provides application logging features. The widespread use of Log4j makes the vulnerabilities threatening, as they could have catastrophic security consequences for healthcare and other sectors if not patched immediately. The Health Sector Cybersecurity Coordination Center (HC3) warned the healthcare sector of the severity of the Log4j vulnerabilities, stating that Log4j is a common component used by many enterprise and cloud applications, including those of several large and well-known vendors. Therefore, the health sector is likely impacted by the vulnerabilities on a large scale. HC3 observed the China-based threat actor HAFNIUM exploiting the vulnerabilities, together with Conti and PHOSPHOROUS. According to HC3, US entities made up 43 percent of all exploitation attempts in late January 2022. Microsoft also saw high rates of Log4j exploitation attempts involving establishing remote shells, red-team activity, coin mining, and mass scanning. Patching legacy devices is difficult, thus putting a strain on the cybersecurity workforce. (ISC)2 surveyed 269 cybersecurity professionals working closely with Log4j vulnerabilities and remediation efforts. Over half of the respondents revealed that their team spent weeks or months remediating Log4j vulnerabilities, and almost half of the respondents said they sacrificed weekends and holidays to work on remediation. One respondent predicted that Log4j vulnerabilities would never be eradicated, as the actual impact of the vulnerabilities has not yet been realized. A previous study from (ISC)2 found that the current cybersecurity workforce must grow by 65 percent to adequately protect critical assets, but these results were collected before the discovery of the Log4j vulnerabilities. These vulnerabilities will likely continue to put additional stress on cybersecurity professionals across all industries. This article continues to discuss the Log4j vulnerabilities and their long-term effects on the cybersecurity workforce.

    HealthITSecurity reports "Log4j Vulnerabilities Put Strain on Overburdened Cybersecurity Workforce"

  • news

    Visible to the public Cybersecurity Snapshots #27 - Organizations Are Urged to Be On the Lookout for Potential Russian Cyberattacks


  • news

    Visible to the public Cyber Scene #65 - Cyber Front Strategic Update: Not Quiet on Western, or Any Fronts
