News Items

Researchers have discovered that threat actors have leaked 1 million stolen credit cards for free online as a way to promote a relatively new and increasingly popular cybercriminal site dedicated to selling payment card credentials. The cards were published on an underground card selling market called AllWorld.Cards and were stolen between 2018 and 2019, according to info posted on the forum. The leaked credit cards include the following fields: credit card number, expiration date, CVV, name, country, state, city, address, ZIP code, email, and phone number, according to threat actors. The researchers stated that AllWorld.Cards appears to be a relatively new player to the market for selling stolen credit card data on the Dark Web. The researcher's analysis suggests that this market has been around since May 2021. The curators of AllWorld.Cards began flogging their cybercriminal services on carding sites in early June to drum up new business. There is some uncertainty about how many of the cards are actually still active and available for cybercriminals to use. Cyble researchers noted that threat actors claimed that 27 percent, according to a random sampling of 98 cards, are still active and can be used for illegal purchasing. However, according to the researcher's own analysis, which involved sending the credit card numbers to client banks "to carry out the appropriate mitigation actions," the researchers found that closer to 50 percent of the cards are "still operational, not yet identified as compromised." Of the banks, 72,937 of the cards were associated with the State Bank of India, 38,010 with Banco Santander (Brazil), 30480 with a U.S. bank based in Ohio called Sutton Bank, 27,441 with JP Morgan Chase Bank, and 24,307 with BBVA Bancomer S.A. a bank based in Mexico. In the last six months of 2020 alone, threat actors offered more than 45 million compromised cards for sale in underground credit card markets monitored by security firm Cybersixgill.

Threatpost reports: "1M Stolen Credit Cards Hit Dark Web for Free"

Researchers at Varonis have found that numerous publicly accessible Salesforce communities are misconfigured and could expose sensitive information. A Salesforce Community site lets customers and partners interface with a Salesforce instance from outside an organization. According to the researchers, anonymous users can "query objects that contain sensitive information such as customer lists, support cases, and employee email addresses." The researchers stated that malicious actors could exploit this misconfiguration to perform recon for a spear-phishing campaign. Some adversaries could also use the misconfigurations to steal sensitive information about the business, its operations, clients, and partners. The researchers stated that in some cases, a sophisticated attacker might be able to move laterally and retrieve information from other services that are integrated with the Salesforce account. The researchers stated that Salesforce admins can take the following steps to protect themselves from attackers: ensure guest profile permissions don't expose things that shouldn't be exposed, disable API access for guest profiles, set the default owner for records created by guest users, and enable secure guest user access.

Infosecurity reports: "Salesforce Communities Could Expose Business-Sensitive Information"

Mathy Vanhoef, a postdoctoral researcher at New York University Abu Dhabi, along with Tom Van Goethem of KU Leuven's imec-DistriNet research group, have developed a new type of timing attack that can crack encryption more efficiently. Timing attacks are a form of encryption cracking that is based on how CPUs process encoded data. An adversary could decode a victim's private encryption key by measuring the time it takes for a CPU to complete specific tasks. Timing attacks have been proven effective in theory, but they have been found to be difficult to perform in practice beyond local ethernet connections. The further away an attacker is from the victim, the harder it is for them to properly analyze timing due to latency and network traffic jitter. In order to overcome these limitations, Vanhoef and Van Goethem discarded the practice of timing CPU processing and instead analyzed the speed of packet arrival. Since modern servers and networks use concurrency, which is the processing of multiple packets simultaneously, the arrival of packets can replace the timing of processing tasks. Instead of trying to measure CPU timing, they decided to send the target a pair of packets. The packets were processed concurrently and returned to the source, and the timing of their return was then measured. This allowed the researchers to measure timing without worrying about distortion from network jitter, because they were both constrained to the same conditions. The timing was then measured and analyzed over multiple attempts to work out secret encryption keys. This article continues to discuss the demonstration and efficiency of the new technique for cracking encryption keys that can overcome the limitations of popular timing attacks.

SearchSecurity reports "Hackers Build a Better Timing Attack to Crack Encryption Keys"

Researchers at Webroot Brightcloud published some of their findings in their mid-year threat report recently. The researchers found that around half of businesses (45.49%) and consumers (52.35%), on average, saw at least one sustained additional infection in May 2021. In May 2021, there was a 440% increase in phishing, holding the record for the single largest phishing spike in a single month. Big brands continued to suffer from cyber extortion and ransomware in the 1st half of 2021. PayPal accounted for 1% of the top 200 phished brands but saw a 1,834% spike in May. The researchers also found that phishing attacks are increasingly targeting crypto exchanges and wallets. Observations by Webroot found that there was a 75% increase in Coinbase phishing pages using HTTPS immediately after Coinbase's IPO. Researchers also found that technology supply chains were under attack in the 1st half of 2021. The management of companies and the enterprise industry showed a significant increase in malware infections, 57%, versus the global average.

Infosecurity reports: "May 2021 Saw a 440% Increase in Phishing, The Single Largest Phishing Spike on Record"

The UK National Security Centre recommends using three random words as passwords because they are easy to remember and are often stronger that the combinations of letters and numbers that people are led to create. Their research found that hacking software targeted predictable strategies meant to make passwords more complex. Example of substituting the letter O with a zero or the number one with an exclamation mark. For best results, use three random words—not related or predictable words.

The Industrial cybersecurity firm Dragos released results from its analysis of exploits targeting vulnerabilities contained by industrial control systems (ICS) and operational technology (OT) systems. Dragos has tracked over 3,000 ICS and OT vulnerabilities over the past decade. According to Dragos, the number of vulnerabilities disclosed in 2020 was less than the number disclosed in the two previous years. In addition to tracking the disclosure of the vulnerabilities, the company looked at the public availability of associated exploits that make it easier for less-skilled threat actors to abuse security holes. Dragos found that only 8 percent of the vulnerabilities disclosed in 2020 have public exploits, possibly because Trend Micro's Zero Day Initiative (ZDI) acquired many ICS vulnerabilities, and ZDI can prevent researchers from making their proof-of-concept (PoC) exploits public. Almost 600 public ICS exploits are known to target the products of more than 110 vendors. Seven major vendors account for about 40 percent of all published exploits, including Advantech, Moxa, Microsoft, Siemens, Rockwell Automation and its Allen-Bradley brand, and Schneider Electric. Many of the public ICS exploits target devices at the site operations level, which could provide an initial access point into the industrial network. There are hundreds of publicly available exploits that a malicious actor can use when they reach the industrial network, which consists of field, control, and supervisory devices. Remote code execution is the most likely impact for most levels of access. However, denial-of-service (DoS) takes the lead in cases where there are exploits targeting control devices. This article continues to discuss the key findings from Dragos' analysis of ICS exploits and recommendations for defenders looking to prioritize ICS vulnerability remediation.

Security Week reports "Analysis of ICS Exploits Can Help Defenders Prioritize Vulnerability Remediation"

In new versions of iOS and iPadOS coming this year, before an image is stored onto iCloud Photos, the technology will search for matches of already known Child Sexual Abuse Material (CSAM). Apple stated that if a match is found, a human reviewer will then assess and report the user to law enforcement. The system works by comparing pictures to a database of known child sexual abuse images compiled by the US National Center for Missing and Exploited Children (NCMEC) and other child safety organizations. Those images are translated into "hashes", numerical codes that can be "matched" to an image on an Apple device. Apple stated the technology will also catch edited but similar versions of original images. The company claimed the system had an extremely high level of accuracy and ensures less than a one in one trillion chance per year of incorrectly flagging a given account. The company says that the new technology offers "significant" privacy benefits over existing techniques, as Apple only learns about users' photos if they have a collection of known CSAM in their iCloud Photos account. However, some privacy experts have voiced concerns that the technology could be expanded to scan phones for prohibited content or even political speech. Experts also worry that authoritarian governments could use the technology to spy on their citizens.

BBC reports: "Apple to Scan iPhones For Child Sex Abuse Images"

Reegun Richard Jayapaul, Trustwave SpiderLabs' Lead Threat Architect, discovered new vulnerabilities that could allow users on Telegram for Mac to save specific self-destructing messages and attachments forever or view them without the sender knowing. When media files, other than attachments, are sent in a message, they are saved to a cache folder. Telegram will not download documents such as text, Doc, or PDF files, and audio and video until a recipient tries to open them, probably because of the larger size of attachments. When a recipient views the content, the self-destruct timer will begin, then when it is finished, the content will be deleted automatically. However, Reegun found that the self-destructing media was not deleted from the cache folder, thus allowing a user to save it to another location on their hard drive. Telegram fixed this bug for macOS in version 7.7 (215786) or later, but an additional bug has been discovered that allows self-destructible media to be saved. As voice recordings, video messages, images, and more are automatically downloaded to the cache, Reegun found that a user could copy the media from the cache folder before viewing it in the program. This article continues to discuss the Telegram for Mac flaw that allows self-destructing messages to be saved forever, Telegram's response to this new discovery, and a similar vulnerability found earlier this year.

Bleeping Computer reports "Telegram for Mac Bug Lets You Save Self-Destructing Messages Forever"

Security researchers at vpnMentor have discovered an online Elasticsearch database completely unsecured and exposed to the public internet, containing the personal details of at least 63 million Americans. The researchers were able to trace the trove back to OneMoreLead, a B2B sales and marketing company that claims on its unfinished website to have a database of "40+ million 100% verified B2B prospects to search from." The database itself contained around 126 million records. The researchers stated that depending on the number of duplicates in there, the number of affected individuals could be anywhere between 63 million and 126 million. Personally identifiable information (PII) featured in the database included full names, job titles, personal email and home addresses, work email and office addresses, personal and work phone numbers, home IP addresses, and employer names. The researchers also found that many of the emails had .gov suffixes, or indicated the individual as working for the New York Police Department. The researchers stated that private data from members of the government and police are a goldmine for criminal hackers. There are also question marks over where the information came from. The researchers stated that the company is new, with no known clients and an unfinished website, which makes it unlikely they collected data from 126 million people since opening in 2020 unless the people behind OneMoreLead were working on a similar business previously. The researchers also stated that the exposed data bears an uncanny resemblance to a leak originally connected to German B2B marketing company Leadhunter in 2020. Leadhunter denied responsibility for the leak at the time, and researchers couldn't confirm a link. The researchers informed OneMoreLead, and apparently, they secured the database the day after they were informed.

Infosecurity reports: "Over 60 Million Americans Exposed Through Misconfigured Database"

Security researchers have discovered a 12-year-old router vulnerability that they have warned may affect millions of devices globally. Evan Grant, a researcher at Tenable, initially found the authentication bypass vulnerability in devices from manufacturer Buffalo. However, during the disclosure process, he discovered that the bug actually existed in the underlying firmware from Taiwanese firm Arcadyan. All of the tested devices shared at least one vulnerability: the path traversal, which allows an attacker to bypass authentication, now assigned as CVE-2021-20090. The researchers stated that this flaw appears to be shared by almost every Arcadyan-manufactured router/modem, including devices that were originally sold as far back as 2008. The issue may affect millions of devices manufactured by 17 different vendors, used in at least 11 countries, including Australia, Germany, Japan, Mexico, New Zealand, and the US. The vulnerability in question has a CVSS score of 8.1, making it high severity. If exploited, it could allow an unauthenticated, remote attacker to bypass authentication. Grant also found two other bugs in Buffalo routers an improper access control flaw CVE-2021-20092 and a configuration file injection vulnerability CVE-2001-20091.

Infosecurity reports: "Decade-Old Router Bug Could Affect Millions of Devices"

According to a midyear update from the Accenture Cyber Investigations, Forensics, and Response (CFIR) team, the volume of global cyberattack activity increased by 125 percent in the first half of 2021 compared to the same time frame in 2020. The team's data comes from aiding clients in cyberattack recovery and response. The increase in global cyberattack activity stems primarily from Web shell activity, targeted ransomware operations, and supply chain attacks. Ransomware accounted for the most attacks, followed by backdoors, credential stealers, and droppers and launchers. REvil/Sodinokibi was found to be the most common ransomware variant, taking up 25 percent of attacks, followed by Hades, DoppelPaymer, Ryuk, and Egregor. This article continues to discuss key findings shared by the Accenture CFIR team's midyear update regarding the most prevalent types of malware, the most common ransomware variants, the top five most targeted industries, and the countries most targeted in cyberattacks.

Dark Reading reports "REvil Most Popular Ransomware Variant in 2021 (So Far)"

The U.S. Department of Homeland Security and Girl Scouts of the USA (GSUSA) has launched the 2021 Girl Scout Cyber Awareness Challenge. This new initiative will encourage girls across the U.S. to learn about cybersecurity and raise awareness within their communities, especially surrounding ransomware. The goal of the 2021 Girl Scout Cyber Awareness Challenge is to help diversify and increase the number of skilled cyber professionals in the cybersecurity workforce in order to strengthen our Nation's cybersecurity resilience. The Challenge will provide opportunities to girls in grades 6-12 to learn more about the cybersecurity field, practice key concepts, and demonstrate the skills they learn during the program. Participants will be encouraged to publish an article about ransomware at the end of the Challenge to increase cybersecurity awareness in their communities. Those who complete the Challenge will receive a certificate of achievement as well as an invitation to attend a capstone virtual event hosted by DHS during Cybersecurity Awareness Month in October. This article continues to discuss the development, goals, and structure of the 2021 Girl Scout Cyber Awareness Challenge.

HSToday reports "DHS Partners with Girl Scouts of the USA to Launch the 2021 Girl Scout Cyber Awareness Challenge"

The PayPal brand is being leveraged in a new phishing scam. The attackers behind the scam are compromising devices and bypassing secure email gateways by using automated scripts and live chat. These unusual techniques emphasize the need for organizations to strengthen defenses against these types of attacks. Researchers at the Cofense Phishing Defense Center found that the campaign creates spoofed logins and uses a carefully crafted email that seems legitimate until the recipient looks at the headers and links. The subject line indicates that the malicious email is attempting to start a live chat to discuss a service notice related to the target's PayPal account. The email contains a "Help & Contact" link and a "Learn to Identify Phishing" link, both of which lead to authentic PayPal links. However, hovering over the "Confirm Your Account" button reveals that it does not lead to a PayPal URL. It instead leads to a fraudulent live chat where the threat actor then uses automated scripts to initiate communication. The attacker attempts to get the victim's email address and phone number through this communication. According to the Cofense report, the attacker may be trying to gather this information to appear legitimate or collect enough information for authentication. When the threat actor obtains the phone number and the email address, the attacker will then try to get the target's credit card information. In order to directly interact with the victim, the attacker will step in where the script fails. This article continues to discuss findings surrounding the new phishing campaign that leverages the PayPal brand.

BankInfoSecurity reports "Phishing Campaign Uses Live Chat, Leverages PayPal Brand"

Researchers from Reposify analyzed eighteen leading pharmaceutical companies and their nine hundred plus subsidiaries worldwide to assess the prevalence of exposures of services, sensitive platforms, unpatched CVEs, and other security issues. Their results were published in a report called "Pharmaceutical Industry Attack Surface Exposures Report." The researchers found that 92% of pharmaceutical companies had at least one exposed database with potential data leakage. The researchers also found that 46% of pharmaceutical companies had an exposed SMB service. SMB exposures were previously exploited in other infamous attacks, like WannaCry, NotPetya and Nachi and Blaster worms. In 70% of pharmaceutical M&A deals in 2020 that were analyzed, the newly acquired subsidiary had a negative impact on the parent company's security posture, usually adding tens, in some cases, hundreds of sensitive exposed and unpatched services.

Help Net Security reports: "92% of Pharmaceutical Companies Have at Least One Exposed Database"

Raccoon Stealer has been upgraded by its developer to steal cryptocurrency alongside financial information. Sophos obtained samples revealing that the stealer is being bundled with malware, including malicious browser extensions, cryptocurrency miners, the Djvu/Stop consumer ransomware strain, and click-fraud bots targeting YouTube sessions. Sophos researchers found that the malware was not spread through spam emails in the new campaign, which was the usual initial attack vector linked to Raccoon Stealer but was instead spread through droppers disguised as installers for cracked and pirated software. The researchers stated that the Raccoon Stealer is able to monitor for and collect account credentials, cookies, website "autofill" text, and financial information that may be stored on an infected machine. The upgraded stealer also now has a "clipper" for cryptocurrency-based theft. Wallets, and their credentials, in particular, are targeted by the QuilClipper tool, as well as Steam-based transaction data.

ZDNet reports: "Raccoon Stealer-As-A-Service Will Now Try To Grab Your Cryptocurrency"

Empathy is essential in almost every aspect of daily life, but it is often overlooked in the development of technology, especially technology in which Artificial Intelligence (AI) is used. Researchers at the School of Information Sciences at the University of Illinois Urbana-Champaign are working to fill this gap by using empathy to teach high school students about cybersecurity and AI ethics issues. The project titled "Teaching High School Students about Cybersecurity and Artificial Intelligence Ethics via Empathy-Driven Hands-On Projects" received a two-year, $297,575 National Science Foundation (NSF) Early-Concept Grant for Exploratory Research (EAGER). Associate Professor and project leader Yang Wang has said that many AI technologies have been observed laden with ethical issues, such as having implicit biases toward certain populations or giving them unfair treatment. It is important to plant the seed today and educate future AI designers so tomorrow's AI technologies can be ethical. According to Wang, developers face a lot of pressure to get products out fast, which results in ethics and empathy being sidelined or ignored. For the project, researchers will develop hands-on labs that delve into various scenarios, such as social media, mobile apps, smart toys, and online gaming. The labs will be publicly available for schools to use. They will include real-life examples of young children interacting with unethical AI or being exposed to cybersecurity risks. The researchers will evaluate the impact of these labs on the activation of brain regions associated with empathy in high school students by using a cutting-edge and non-invasive neuro-imaging technique. This article continues to discuss the goals, components, and expectations of the new project that teaches students about cybersecurity and AI ethics using empathy.

iSchool reports "New Project Uses Empathy to Teach Students about Cybersecurity and AI Ethics"

Bug hunters who want to help the US federal government secure their online assets can now source all the relevant information from a vulnerability disclosure policy (VDP) platform offered by the Cybersecurity and Infrastructure Security Agency (CISA). In September 2020, the Binding Operational Directive 20-01 was released, which mandates that all FCEB agencies develop and publish a vulnerability disclosure policy. At the moment, this newly established VDP platform collects eleven vulnerability disclosure programs, published by the: Federal Communications Commission (FCC), Department of Homeland Security (DHS), National Labor Relations Board (NLRB), Federal Retirement Thrift Investment Board (FRTIB), Millennium Challenge Corporation (MCC), Department of Agriculture (USDA), Department of Labor (DOL), Privacy and Civil Liberties Oversight Board (PCLOB), Equal Employment Opportunity Commission (EEOC), Occupational Safety and Health Review Commission (OSHRC), and Court Services and Offender Supervision Agency (CSOSA). This newly established VDP platform is run by BugCrowd, a bug bounty and vulnerability disclosure company, and EnDyna, a government contractor that provides science and technology-based solutions to several US federal agencies. Eric Goldstein, Executive Assistant Director for Cybersecurity, CISA, explained that this new platform allows agencies to gain more significant insights into potential vulnerabilities, thereby improving their cybersecurity posture. Goldstein also stated that this approach also enables significant government-wide cost savings, as agencies no longer need to develop their own separate systems to enable reporting and triage of identified vulnerabilities.

Help Net Security reports: "CISA Launches US Federal Vulnerability Disclosure Platform"

An Android banking Trojan dubbed Vultur, first identified in March 2021, relies on screen recording and keylogging instead of HTML overlays to capture login credentials. According to security researchers at ThreatFabric, Vultur uses the Virtual Network Computing (VNC) implementation from AlphaVNC to gain complete visibility into a victim's device. In order to provide remote access to the VNC server on the device, the malware uses ngrok, an app that leverages encrypted tunnels to expose local systems hidden behind NATs and firewalls to the public Internet. The researchers said the mobile malware takes advantage of the Accessibility Services to identify the app running in the foreground. If the app is on the target list, the malware will then start screen recording. The malware also abuses the Accessibility Services to log all of the keys pressed by the user on the screen, and to prevent the victim from deleting it through manual uninstallation. Vultur has been observed targeting various banking applications, with users in Australia, Italy, and Spain being the main victims. This article continues to discuss the capabilities and targets of the Vultur Android banking Trojan.

Security Week reports "Android Banking Trojan 'Vultur' Abusing Accessibility Services"

Advancement has been made in secure online file-sharing by a scientist from Florida Atlantic University's (FAU) College of Engineering and Computer Science. Hari Kalva, Ph.D., inventor, associate chair, and professor in the Department of Electrical Engineering and Computer Science, received a patent from the U.S. Patent and Trademark Office for a new invention that can help users control how and when shared documents are displayed. Those who share documents online have little control over who views the information being sent and where it is being viewed, which presents a problem for sharing pictures online and when organizations share confidential documents with employees and other parties. Kalva's technology offers new control mechanisms for limiting the capture of information displayed on screens using an external device such as a camera. The system can restrict an individual from viewing documents based on their individual identity, their social network, and where and when the document is being viewed. Messages are encrypted with viewing restrictions with this new technology. The technology links social media accounts to the software to identify who should be given access. Senders can decide how many people can view the message by using the receiver's camera. If the correct amount of people are present, automatic access is granted. If more people are present, those individuals must ask the sender for permission to be granted access. The application software can use biometrics, such as fingerprints, to determine who is attempting to view the message. It also uses GPS, IP address, or cell tower location to identify the receiver's current location. The message can only be shown when the receiver's location matches the location specified in the sender's restrictions. This novel technology will empower users to protect sensitive information sent online and ensure that only the intended audience can view the information sent. This article continues to discuss the capabilities of the new invention that improves the privacy and security of online file-sharing.

FAU reports "FAU Invention for Privacy of Sharing Files Online Gets U.S. Patent"

In a new report, CynergisTek reviewed just under 100 assessments of healthcare providers across hospitals, physician practices, Accountable Care Organizations (ACOs), and Business Associates. These assessments measure organizations' security posture against the National Institute of Standards and Technology's Cybersecurity Framework (NIST CSF), a standardized framework first published in 2014 intended to help protect American critical infrastructure. Assessments were categorized into two cohorts: high performers with NIST conformance scores over 80% and low performers with conformance scores under 80%. The researchers focused on the industry's overall status in cybersecurity preparedness and found that 64% of organizations obtained below 80% conformance. The researchers identified several areas for continued improvement in planning and preparedness, especially seeing only 75% improved during the coronavirus pandemic and only slightly. The researchers stated that while that is progress, it isn't the progress the industry needs to shore up defenses. The researchers also noted that investing in security is often more cost-effective than paying the recent exorbitant ransoms in the long run. The researchers found that overall, supply chain management was the second lowest-scoring and least mature category assessed. Even among high-performing organizations that have significantly improved over the past four years, scores averaged 2.7 out of 5, reflecting a universal challenge that companies face in identifying and addressing risks across their supply chains. With an acceptable score above a 3, only 23% of organizations barely passed on supply chain security. In particular, researchers found that organizations struggle to validate whether third-party partners are meeting contractual security obligations.

Help Net Security reports: "Curious to See How Healthcare Cybersecurity Fared This Year?"

Palo Alto Networks originally discovered the ransomware campaign "BazaCall" in February. Adversaries lure in targets with an email during the campaign, suggesting that a subscription for a service, such as a gym membership, is expiring. Recent campaigns have posed as confirmation receipts for software licenses. Each email contains a unique ID number and instructs the user to call a number that will connect them with an actual human. The call agent advises the user to visit a legitimate-looking website and tells them to download a file from their account page to cancel their subscription. Once the user enables macros on the downloaded document, the malware is delivered from a Cobalt Strike beacon. While such a campaign requires a little more social-engineering know-how on the part of hackers, the delivery method makes it more difficult for spam and phishing email detection software to intervene, researchers at Microsft stated. Researchers say the ongoing ransomware campaign may be more dangerous than previously thought in new findings by Microsoft. Researchers now say that the malware not only allows hackers a one-time backdoor into the device, as previously thought but can also allow adversaries to remotely control the affected system. That means it's even easier for adversaries to sweep for files and find high-end user credentials that could be used to drop ransomware such as Ryuk or Conti within the first 48 hours of infiltration.

CyberScoop reports: "Criminals Are Using Call Centers to Spread Ransomware in a Crafty Scheme"

The Biden administration has released a national security memorandum to develop cybersecurity standards for critical infrastructure. The "Improving Cybersecurity for Critical Infrastructure Control Systems" memorandum brings the U.S. Department of Homeland Security's (DHS) Cybersecurity and Infrastructure Security Agency (CISA) together with the National Institute of Standards and Technology (NIST) at the Commerce Department to establish cybersecurity performance goals aimed at setting a security baseline that is clear and easy-to-understand. In addition, President Biden formally established the Industrial Control System Cybersecurity Initiative to promote the development and deployment of technology to improve threat detection. The program began with a pilot in the electricity sector and is now being moved to natural gas pipelines. There are plans to move the program to chemical, water, and wastewater sectors this year. According to a senior administration official, the ICS initiative technologies, which are now used by over 150 utilities, would have prevented the ransomware attack on Colonial Pipeline. The ICS initiative has gathered CEOs of utilities and pipelines to inform them about threats to stress the urgency of addressing the cybersecurity threat. The memorandum emphasizes that the cyber threats facing critical infrastructure are among the most significant, and they are growing issues that could significantly harm the U.S. economy and national security. This article continues to discuss the national security memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems and the Industrial Control System Cybersecurity Initiative.

HSToday reports "CISA, NIST to Develop Cybersecurity Goals for Critical Infrastructure Control Systems"

DarkSide and REvil ransomware gangs have recently gone dark, but researchers at Ars Technica may have just discovered the rebranded version of the two ransomware groups or two completely new ransomware gangs. Both of the newly discovered ransomware gangs were found in July. The first new group to appear this month was Haron, and the second is named BlackMatter. Both ransomware groups are claiming to be focused on targets with deep pockets that can pay ransoms in the millions of dollars. They're also virtue-signaling and talk about sparing hospitals, critical infrastructure, and nonprofits, much like the ransomware gang DarkSide did in the past.

Threatpost reports: "BlackMatter & Haron: Evil Ransomware Newborns or Rebirths"

Researchers Zhi Wang, Chaoge Liu, and Xiang Cui recently released a paper showing the possibility of hiding malware inside of Artificial Intelligence (AI) neural networks to slip it past automated detection tools. The three researchers embedded malware into the neural network behind an AI system called AlexNet, taking up 36.9 (MiB) mebibytes of memory space on the hardware running the AI system. The malware-embedded model was observed classifying images with near-identical accuracy within 1 percent of the malware-free model. They found that hiding the malware in the AI model broke it up in ways that prevented standard antivirus engines from detecting it. VirusTotal, a service that examines items with more than 70 antivirus scanners and URL/domain blocklisting services, along with a multitude of tools for extracting signals from the studied content, failed to raise any suspicions about the malware-embedded model. The researchers' method involves choosing the best layer to work with in a model that has already been training and then embedding the malware into that layer. If the accuracy of a malware-embedded model is inadequate, the attacker could choose to start with an untrained model, add extra neurons and then train the model on the same data set used to train the original model. This approach would lead to the production of a larger model with equivalent accuracy and provide more room to hide malicious stuff inside. This article continues to discuss the researchers' demonstrated use of an AI neural network to hide malware.

Ars Technica reports "Researchers Demonstrate That Malware Can Be Concealed inside AI Models"