News Items

A new study conducted by the Economist Intelligence Unit has found that most businesses now regard state-sponsored or led attacks as a significant threat. The study was done by conducting interviews with over 500 director-level or above executives from companies in Asia-Pacific, Europe, and the United States. The research was conducted before the SolarWinds campaign came to light. The study nevertheless revealed that 80% of participants are concerned about falling victim to a nation-state attack, with a majority claiming these worries have increased over the past five years. The researchers also found that participants wanted their respective governments to play a more significant role in meeting these challenges: 60% said their country only offers a medium or low-level of protection. The researchers stated that the survey is an important call to action for democratic governments to step up and think more inclusively about the kind of cyber-assistance they provide to protect companies in critical sectors and ultimately civilians. During the study, researchers also found a false sense of security among the senior executives interviewed, potentially because they have little direct experience of being attacked. Over two-thirds (68%) of executives said they feel their organization is "very" or "completely" prepared to deal with a cyber-attack.

Infosecurity reports: "Most Firms Now Fear Nation State Attack"

The Defense Advanced Research Agency (DARPA) recently announced the results of its first bug bounty program called Findings Exploits to Thwart Tampering (FETT). The FETT bug bounty was run in partnership with the Department of Defense's Defense Digital Service (DDS) and trusted crowdsourced security company, Synack. FETT aimed to prove the value of hardware security architectures developed under DARPA's "System Security Integration Through Hardware and Firmware" (SSITH) program and point out critical areas of improvement. After 13,000 hours of hacking exploits performed by more than 580 cybersecurity researchers, only ten vulnerabilities were disclosed. Keith Rebello, the DARPA program manager leading SSITH and FETT, described the common types of vulnerabilities as buffer errors, privilege escalations, information leakage attacks, resource management attacks, numeric errors, cryptographic attacks, and code injection attacks. Out of the ten vulnerabilities, seven were rated "critical," based on the Common Vulnerability Scoring System 3.0 standards. Most of the critical vulnerabilities come from weaknesses introduced by interactions between hardware, firmware, and the operating system software, which calls for more exploration of hardware/software co-design and verification methods. The SSITH program is now in the third and final phase of developing security architectures and tools that protect systems from common means of exploitation. During this phase, researchers will improve the performance of their technologies and create a silicon system-on-chip that executes the security improvements. This article continues to discuss findings from DARPA's FETT bug bounty program and the current phase of the SSITH program.

IEEE Spectrum reports "DARPA Hacks Its Secure Hardware, Fends Off Most Attacks"

Mandiant, a division of the security vendor FireEye, has identified UNC2546 as the hacking group behind the recent data breach suffered by the software firm Accellion, which impacted many corporations, law firms, and other organizations. Accellion recently announced that UNC2546 had exploited multiple vulnerabilities contained by its software to install malware. The hacking group infiltrated an Accellion tool to collect information from the company's clients. From there, the group contacted victims and threatened to publish their data. The breach faced by Accellion involved the exploitation of a zero-day vulnerability to infiltrate the Palo Alto-based cloud company's secure file transfer application (FTA). According to FireEye, UNC2546 appears to be financially motivated, as it has sent extortion emails to several organizations since late January 2021. Kroger recently admitted that some of its customers might have had their data compromised because of the Accellion incident. The supermarket chain revealed that the thieves might have stolen names, phone numbers, Social Security numbers, and medical history information. In response, Kroger has discontinued the use of services from Accellion. This article continues to discuss the Accellion data breach, the impact of the breach on other organizations, and how this incident compares to the hack against the US federal contractor SolarWinds.

CyberScoop reports "FireEye IDs Hacking Group Suspected in Accellion, Kroger Breach"

Recently security researchers have spotted a new malware operation targeting Mac devices that have silently infected almost 30,000 systems. The new malware is named Silver Sparrow. The researchers found that Silver Sparrow had infected 29,139 macOS endpoints across 153 countries as of February 17, including high volumes of detection in the United States, the United Kingdom, Canada, France, and Germany. Despite the high number of infections, details about how the malware was distributed and infected users are still scarce. It's unclear if Silver Sparrow was hidden inside malicious ads, pirated apps, or fake Flash updaters. The purpose of this malware is also unclear, and researchers don't know what its final goal is. The researchers found that once Silver Sparrow infects a system, the malware waits for new commands from its operators. Commands never arrived during the time researchers analyzed it. The researchers warn that this malware shouldn't be interpreted as a failed malware strain. The researchers state that it might be possible that the malware can detect researchers analyzing its behavior and that it is simply avoiding delivering its second-stage payloads to these systems. The malware also comes with support for infecting macOS systems running on Apple's latest M1 chip architecture. The researchers stated that Silver Sparrow is a serious threat, uniquely positioned to deliver a potentially impactful payload at a moment's notice.

ZDNet reports: "30,000 Macs Infected With New Silver Sparrow Malware"

Emmanuel Macron, the French President, recently announced a plan to improve the protection of public facilities and private companies against cyberattacks after cybercriminals launched ransomware attacks against two hospitals in France. These attacks forced the hospitals to transfer some patients to other facilities, posing a significant threat to patient safety. One of the targeted hospital's phone system went down when it was hit by a ransomware attack. Its internet service and other networks had to be shut off in order to prevent the ransomware from spreading. The hospital also had to postpone surgeries due to the ransomware attack. Healthcare workers at the other targeted hospital had to use pen and paper for record-keeping as the ransomware attack that it had faced disrupted phones and computers. According to the French leader, the ransomware attacks, along with other similar cyber assaults in France, have come from nation-states and mafias. Macron emphasized the need for increased international cooperation between police and criminal justice agencies to help combat such attacks. The National Cybersecurity Agency of France (ANSSI) reported a 255 percent increase in ransomware attacks in 2020 against all sectors and geographical areas of France. However, the increase largely affects the healthcare sector, education system, local authorities, and digital service providers. This article continues to discuss the recent ransomware attacks on two French hospitals, the suspected military hacking group behind these attacks, and the plan to strengthen cyber defenses in France.

Security Week reports "France to Boost Cyberdefense After Hospital Malware Attacks"

Kia Motors America has publicly acknowledged an extended system outage but had denied that it was affected by a ransomware attack. Kia stated that "At this time, we can confirm that we have no evidence that Kia or any Kia data is subject to a 'ransomware' attack." Ransomware gang DoppelPymer claimed it was responsible for the outage and that they locked down the company's files in a cyberattack that includes a $20 million ransom demand. That $20 million will gain Kia a decryptor and guarantee not to publish sensitive data bits on the gang's leak site. The ransom note from DoppelPaymer stated that the attack was on Hyundai Motor America, the parent company of Kia Motors America, based in Irvine, Calif. It went on to say that the company has two to three weeks to pay up 404 Bitcoins. The threat actors warn that a delay in payment could result in the ransom being raised to $30 million to add a sense of urgency. The outage affected Kia's mobile apps like Kia Access with UVO Link, UVO eServices, Kia Connect, self-help portals, and customer support. Beyond disrupting critical operations, ransomware threat actors have learned how to add pressure to companies, threatening that their most sensitive stolen data could be exposed on well-known leak sites if they don't pay up fast. This tactic is known as double-extortion. DoppelPaymer ransomware cripples the organization's ability to conduct business and extracts sensitive data that is used for leverage against the victim to get them to pay the ransom. DoppelPaymer, like most other ransomware strains, is generally spread through phishing emails, so researchers suggest that organizations should ensure employees are trained to spot and report any suspicious emails.

Threatpost reports: "Kia Motors Hit With $20M Ransomware Attack - Report"

Cybersecurity researchers at Unit42, a security division at Palo Alto Networks, have discovered a cryptomining botnet called WatchDog. According to the researchers, the WatchDog botnet has been active since January 2019, targeting both Windows and Linux systems. The botnet is written in the Go programming language and relies on outdated enterprise apps as a point of entry for attacks. Further analysis of the WatchDog botnet operations found that the botnet operators have used 33 different exploits to target 32 vulnerabilities in Drupal, Elasticsearch, Apache Hadoop, Spring Data Commons, SQL Server, ThinkPHP, Oracle WebLogic, and other software. Based on the analysis of the WatchDog malware binaries, it has been estimated that the botnet infected 500 to 1,000 systems. Since it launched in 2019, the WatchDog mining operation has gained an estimated profit of 2019 Monero cryptocurrency coins (XMR), currently valued at around $32,000. The actual amount of monetary gain from these botnet operations is believed to be significantly higher as the researchers only analyzed a few binaries. WatchDog has not extracted credentials from infected servers, but researchers warn that the operators could easily update the cryptomining botnet to perform credential scans. This article continues to discuss the Unit42 researchers' findings surrounding the WatchDog botnet.

ZDNet reports "Windows and Linux Servers Targeted by New WatchDog Botnet for Almost Two Years"

Security researchers have discovered that phishers are trying to trick LinkedIn users into opening a "LinkedIn Private Shared Document" and entering their login credentials into a fake LinkedIn login page. The phishing message is delivered via LinkedIn's internal messaging system and is made to look like it has been sent by one of the victim's contacts. The message urges the recipient to follow a third-party link to view a document. The researchers stated that there is no such thing as a 'LinkedIn Private Shared Document' and that if one sees this, it should ring the targets' alarm bell. If the victim clicks on the third-party link, they will be redirected to a convincingly spoofed LinkedIn login page. If they enter their login credentials, their account will probably soon be sending out phishing messages to their contacts. The researchers believe that perhaps the adversaries are indiscriminate in whom they target, but compromising high-value targets might allow them to more successfully target a more significant number of LinkedIn contacts or pivot into stealing even more critical credentials (e.g., for Microsoft/Office 365 accounts). The phishing pages are hosted on sites that may also have legitimate work purposes, e.g., Appspot, Firebase, and Pantheon.io, making it unlikely that enterprises would block access to them. The researchers stated that the phishing sites use major ASNs, including Fastly, Google, and Microsoft, making basic network traffic analysis for the end-user also not so useful. Researchers suggest that to prevent this type of attack from affecting organizations, then organizations should train their employees to spot this attack and similar attacks. Another option is that an organization should consider blocking the use of social media/networks from work computers.

Help Net Security reports: "Phishers Tricking Users Via Fake LinkedIn Private Shared Document"

The cybersecurity firm FireEye has announced the release of the IDC InfoBrief titled "The Voice of the Analysts: Improving Security Operations Center Processes Through Adapted Technologies." The report shares findings from a survey of 350 internal and managed security service provider (MSSP) security analysts and managers. According to the report, security analysts are becoming less productive because of widespread alert fatigue, which has led to alerts being overlooked, increased stress, and fear of missing incidents (FOMI). Security analysts are becoming increasingly overwhelmed by floods of false positive alerts generated by different solutions while growing more concerned about missing actual threats. To address this problem, analysts are asking for advanced automation tools to reduce FOMI and to strengthen their Security Operations Centers' (SOC) cybersecurity posture. The report reveals that less than half of enterprise security teams currently have automated tools in place to help perform SOC activities. This article continues to discuss findings from the new report regarding security analysts' alert fatigue stemming from false positive alerts, the increased FOMI, and the need for automated SOC solutions to help alleviate alert fatigue and FOMI.

Business Wire reports "Analysts Need Advanced Automation Tools to Reduce Fear of Missing Incidents"

Andy Bochman and Sarah Freeman, two cybersecurity researchers at Idaho National Laboratory (INL), published a new book titled "Countering Cyber Sabotage: Introducing Consequence-Driven, Cyber-Informed Engineering." The researchers wrote the book to help train employees at public utilities to identify cybersecurity vulnerabilities and develop methods for defending their networks against cyberattacks. Their book provides details about INL's think-like-the-adversary cybersecurity approach called Consequence-driven Cyber-informed Engineering (CCE), developed to improve the security of water treatment facilities, oil and natural gas refineries, the electric grid, and other critical infrastructure systems. The researchers emphasize that much of the technology implemented to control operations at many public utilities were developed in the pre-internet era. Therefore, this technology lacks modern defense capabilities, leaving the utilities vulnerable to cyberattacks that could result in significant disruptions to services. INL's CCE method addresses this challenge through the use of engineering design principles instead of traditional protection strategies, such as intrusion detection software or firewalls, to prevent increasingly sophisticated attacks from impacting utilities' most crucial operations. This article continues to discuss the INL researchers' new book on the CCE method and the development of this method.

INL reports "INL Researchers Publish Book to Prevent Cybersecurity Disruptions, Train Workforce"

The Financial Services Information Sharing and Analysis Center (FS-ISAC) has revealed that more than 100 financial services firms across Europe, North America, Latin America, and Asia were targeted in a flood of Ransom Distributed Denial-of-Service (RDDoS) attacks launched by the same actor in 2020. Those targeted by these attacks include banks, exchanges, payment processing companies, card issuers, payroll companies, money transfer services, and insurance firms. In each attack, the malicious actor delivered extortion notes to the target, threatening to disrupt their website and services by launching a DDoS attack if they do not pay the demanded ransom. According to a statement recently released by the FS-ISAC, the impact of this threat was mitigated mainly through information-sharing by its members via the FS-ISAC Threat Intelligence Exchange. None of the FS-ISAC members that received the extortion note reported paying the ransom. Further analysis of the RDDoS attacks' victims showed that the attackers primarily focused on retail banking or consumer banking as these organizations were hit by more than 40 percent of the attacks. The FS-ISAC said that some companies increased their cybersecurity spending in response to the attacks. There was more than an increase in the number of RDDoS attacks last year. Security vendors have reported an increase in the overall number, size, and duration of DDoS attacks, as well as the combination of multiple attack vectors by such attacks. This article continues to discuss the targeting of over 100 financial companies in RDDoS attacks in 2020 and the overall advancement of DDoS attacks.

Dark Reading reports "100+ Financial Services Firms Targeted in Ransom DDoS Attacks in 2020"

The ScamClub malvertising group exploited a zero-day vulnerability in the WebKit web browser engine to deliver malicious payloads that redirect users to scams offering gift cards. WebKit is used in Chrome on iOS and Safari. Over the past three months, ScamClub campaigns have served as high as 16 million malicious ad impressions in a day. The volume of ads pushed by ScamClub malvertisers is so large that the number of malicious ad impressions during a single campaign is still significantly high even if most of the ads are blocked. According to the ad security and quality controls company Confiant, a 1 percent improvement in ScamClub's redirection rate can lead to tens of thousands of impacted impressions during a single campaign. A Confiant security engineer and researcher recently shared their discovery of ScamClub's reliance on a vulnerability in the WebKit that enables the circumvention of the iframe sandboxing policy. This article continues to discuss ScamClub's broad targeting and the large volume of malicious ads that the group pushes, as well as the ScamClub malvertisers' exploitation of a zero-day vulnerability in WebKit to redirect users to scams.

BleepingComputer reports "Malvertisers Exploited Browser Zero-Day to Redirect Users to Scams"

South Korea's intelligence agency has discovered that North Korea attempted to steal information on coronavirus vaccines and treatments by hacking Pfizer Inc. The agency did not elaborate on the timing or success of the attempt. Tuesday's news comes after attempts last year by suspected North Korean hackers to break into the systems of at least nine healthcare firms, such as Johnson & Johnson, Novavax Inc, and AstraZeneca. North Korea is often accused of turning to an army of hackers to fill its cash-strapped coffers amid international sanctions that ban most international trade. Health experts have said the North's hackers may be more interested in selling the stolen data than using it to develop a homegrown vaccine.

Reuters reports: "North Korean Hackers Tried to Steal Pfizer Vaccine Know-How, Lawmaker Says"

The French information security agency ANSSI recently published an advisory warning about Sandworm, a group of hackers within Russia's GRU military intelligence agency. This group has been linked to blackouts in Ukraine as well as NotPetya, which is considered the most destructive malware in history. According to the advisory, Sandworm's hackers have breached several French organizations, most of which are IT providers, particularly web hosting providers. ANSSI says the intrusion campaign began in late 2017 and ran until 2020. The hackers appear to have breached servers running the IT monitoring tool called Centreon. The way in which these servers were hacked remains unknown. However, ANSSI found two different pieces of malware on the servers, one of which is the publicly available backdoor called PAS. The other backdoor is known as Exaramel. Joe Slowik, a researcher with the security firm DomainTools, says that the Sandworm group is linked with destructive operations. Although the endgame linked to the campaign documented by the French authorities is not known, the fact that it is occurring should raise serious concern as the end goal of most of Sandworm's operations, has been to cause significant disruptions. ANSSI did not identify those organizations that have fallen victim to the hacking campaign. However, Centreon's website does list customers, including the defense and aerospace firm Thales, the steel and mining firm ArcelorMittal, the nuclear power firm EDF, Airbus, and the French Department of Justice. Any of these customers could have had servers running Centreon exposed to the internet. Some cybersecurity experts interpreted the ANSSI report as suggesting another software supply chain attack similar to the one launched against SolarWinds, though the report does not mention supply chain compromise. DomainTools' Slowik pointed out that the intrusions were carried out by exploiting internet-facing servers running Centreon's IT monitoring application within victims' networks. This article continues to discuss ANSSI's warning about the Sandworm hacker group's targeting of French organizations and the history of Sandworm.

Wired reports "France Ties Russia's Sandworm to a Multiyear Hacking Spree"

The U.S. Homeland Security Department's Cybersecurity & Infrastructure Security Agency (CISA) has issued an alert about the recent compromise of a U.S. drinking water treatment facility, with observations of the incident from CISA, along with the Federal Bureau of Investigation (FBI), Environmental Protection Agency (EPA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC). On February 5, 2021, unidentified cyber actors were able to gain unauthorized access to the facility's Supervisory Control and Data Acquisition (SCADA) system to increase the amount of sodium hydroxide (lye) in a small Florida city's water treatment process. However, water treatment plant personnel immediately noticed the unauthorized change and corrected the issue. CISA, the FBI, EPA, and MS-ISAC have observed cybercriminals targeting and exploiting desktop sharing software to gain unauthorized access to systems. It has been confirmed that the hackers used the desktop sharing software TeamViewer to gain access to the city's water system. All of the computers with this remote access tool were discovered using the same password for accessing the water system. A firewall was also not implemented. The CISA alert provides recommendations from the federal agencies for organizations on how to securely implement TeamViewer software, such as setting random passwords to generate 10-character alphanumeric passwords. There are recommendations for bolstering water and waste treatment systems security, which include installing independent cyber-physical safety systems. Organizations are also advised to enable multi-factor authentication, use strong passwords to protect remote desktop protocol credentials, implement firewalls, use the most up-to-date operating system, and more. This article continues to discuss the findings and recommendations provided by CISA's advisory regarding the recent attack on a Florida water treatment facility.

NextGov reports "CISA, FBI Share Recommendations After Water Treatment Hack"

This Valentine's Day, lovers beware. What looks like confirmation orders from high end lingerie and flowers shops are really part of a spear-phishing attack that executes the BazaLoader downloader malware.

Researchers at Redscan have analyzed 18,000+ Common Vulnerabilities and Exposures (CVEs) recorded in NIST's National Vulnerability Database (NVD). The researchers found that there were more CVEs reported in 2020 than any year previously. Over half (57%) of vulnerabilities in 2020 were classified as "critical' or "high" severity, amounting to over 10,300 CVEs. The researchers also found that 63% of the total number disclosed in 2020 were classed as "low complexity," which means an attacker with low technical skills could exploit them. The number of vulnerabilities classed as "low complexity" has been on the rise since 2017, after mainly falling between 2001 and 2014, according to the researchers. The vulnerabilities that require no user interaction to exploit are also on the rise, representing 68% of all CVEs recorded in 2020.

Infosecurity reports: "Nearly Two-Thirds of CVEs Are Low Complexity"

The mobile Application Programming Interface (API) security company Approov released a report, revealing discoveries from the analysis of 30 popular mobile health (mHealth) applications conducted by Alissa Knight, a partner at the marketing agency Knight Ink. The analysis found that these applications are vulnerable to API attacks. These attacks could allow unauthorized parties to access Protected Health Information (PHI) and Personally Identifiable Information (PII). There has been an increase in the reliance on mHealth apps during the COVID-19 pandemic, resulting in the generation of more user activities by health apps than other types of mobile apps. According to the research study, certificate pinning was not implemented for any of the analyzed applications, leaving them open to man-in-the-middle (MITM) attacks. More than 70 percent of the analyzed apps contained hardcoded API keys, tokens, and credentials. Half of the APIs did not use token authentication for requests, while one-quarter of the apps were not protected against reverse engineering. Knight found 114 hardcoded API keys and tokens for Google, Microsoft App Center, Cisco Umbrella, Facebook, AWS, Stripe, and more. Half of the records exposed by these applications contained sensitive information, including names, addresses, dates of birth, Social Security numbers, allergies, and medication data, belonging to millions of users. Approov's report provides recommendations for mobile app developers on how to protect customer data and sensitive resources, such as performing penetration testing. This article continues to discuss the discovery of vulnerabilities in mHealth applications and the exposure of patient information by these apps.

Security Week reports "Mobile Health Apps Found to Expose Records of Millions of Users"

Researchers from RiskSense have identified 223 different IT security vulnerabilities in the Common Vulnerabilities and Exposures (CVE) database that were exploited in the performance of ransomware attacks in 2020. The number of vulnerabilities used in ransomware attacks in 2020 is four times the number of ransomware-related vulnerabilities discovered by RiskSense in 2019. The researchers have also brought further attention to the significant growth and increasing complexity of ransomware families, comparing the discovery of 19 separate ransomware families in 2019 with the identification of at least 125 ransomware groups in 2020. According to researchers, these groups are continuing to expand their operations, develop new malware strains, sell their tools to other malicious parties, and targeting flaws contained by software and web applications. Nearly 40 percent of the 223 CVEs, tied to attacks involving ransomware in 2020, fall under five commonly identified security vulnerabilities, which include permissions, privileges and access controls, code injection, incorrect input validation, improper limitation of operations within the bounds of a memory buffer, and the exposure of sensitive information to unauthorized users. The driving factors behind this expanded attack surface appear to be the transition of businesses into an online model due to the COVID-19 pandemic, as well as developments in digital transformation and the increase in cloud adoption. These factors have pushed many organizations to adopt technologies such as cloud applications, Virtual Private Networks (VPNs), and home networks, with security flaws and misconfigurations that could be abused in ransomware attacks. This article continues to discuss RiskSense researchers' identification of 223 distinct vulnerabilities used in recent ransomware attacks, the factors behind this increase in ransomware-related vulnerabilities, the growing sophistication of ransomware families, and how organizations can improve their ransomware defense.

SC Media reports "Researchers Identify 223 Vulnerabilities Used in Recent Ransomware Attacks"

Security researchers from Zscaler ThreatLabZ have found multiple active malware campaigns targeting the Discord group-chatting platform. The app is used by gamers and for creating communities on the web, called "servers," either as standalone forums or as part of another website. Discord supports voice, video, or text, allowing all to interact within created communities. Malware found being planted recently in Discord includes Epsilon ransomware, XMRig miner, Redline Stealer, TroubleGrabber, and a broad category of unidentified Discord token grabbers, according to the researchers. The new Discord attacks observed by researchers usually start with spam emails in which users are tricked with legitimate-looking templates into downloading next-stage payloads. The attack vector uses Discord services to form a URL to host a malicious payload. According to the researchers, the campaigns rename malicious files as pirated software or gaming software and use file icons related to gaming to trick victims.

Threatpost reports: "Various Malware Lurks in Discord App to Target Gamers"

According to new research by Positive Technologies, 90 percent of users of dark web forums are seeking hackers who can give them a specific resource or provide a user database. The study involved exploring the ten most prominent forums on the dark web that provide services for those who want to hack websites as well as a place for hackers to buy and sell databases. The study's findings highlight the growing demand for hackers' services and stolen data, ignited by the increase in internet use by organizations and individuals during the COVID-19 pandemic. Researchers found that the most common goal of dark web forum users was to gain access to a web resource, as suggested by 69 percent of ad inquiries. The next most common goal was to gain access to a user or client database from a targeted resource, with this making up 21 percent of all ad inquires. The researchers pointed out that the dark web forum users, most interested in getting this type of information, were competitors and spammers who seek to obtain lists of addresses that can be used to carry out phishing attacks targeting a particular audience. Only 7 percent of forum messages involved individuals offering website hacking services, while 3 percent focused on advertising hacking tools, programs, and sharing hacking experiences. The researchers also observed a high demand for access to e-commerce websites. Prices for purchasing and selling hacking services and website access were seen ranging from $50 to $2000. This article continues to discuss key findings from Positive Technologies' analysis of dark web forums regarding users' most common goals and the most demanded services on these forums, as well as the need to strengthen web application security.

Infosecurity Magazine reports "High Demand for Hacker Services on Dark Web Forums"

According to security researchers, the number of attacks resulting in large-scale credential theft has almost doubled over the past four years, although the volume of breached login pairs declined. The average breach volumes declined from 63 million records in 2016 to 17 million in 2020, but poor security practices is driving downstream risk exposure. The researchers found that plaintext storage of passwords was responsible for the most significant number of spilled credentials (43%), followed by unsalted SHA-1 hashed passwords (20%). At the same time, discredited hashing algorithm MD5 remains surprisingly common. Organizations are also poor at detecting breach attempts. The researchers found that the median time to discovering a credential spill between 2018 and 2020 was 120 days, while the average time to discovery was 327 days. Over 60% of the 100 billion credential stuffing attacks detected over the previous two years were targeted at retail, travel, and hospitality businesses, with retail accounting for over 90% of these.

Infosecurity reports: "Credential Theft Attacks Doubled Between 2016 and 2020"

Hyrum Anderson, the principal architect of the Azure Trustworthy Machine Learning (ML) group at Microsoft, gave a presentation at the recent USENIX ENIGMA Conference in which they called on mature companies to conduct red team attacks against their ML systems to find vulnerabilities and strengthen their defenses. In order to better understand the impact of attacks on ML, Microsoft's internal red team recreated an ML automated system that can assign hardware resources in response to cloud requests. The team's testing of the offline version of the system revealed adversarial examples that can lead to Denial-of-Service (DoS). Data-science teams should defensively protect their data and model, as well as perform sanity checks to make sure that the ML model is not over-provisioning resources, thus increasing robustness. Anderson says that just because a model is not accessible externally does not mean it is safe against attacks. Internal models are not secure by default as there are paths that attackers can take to cause downstream effects in an overall system. Anderson emphasized that organizations face the risk of exposure if they use ML due to the gap between this technology and security. The USENIX presentation is a part of Microsoft's efforts to bring further attention to the possibility of adversarial attacks on ML models. These types of attacks are often highly technical, making it difficult for most companies to know how to assess their security. Anderson suggests that the security community increases its exploration of adversarial ML attacks and considers this issue as a part of the broader threat landscape. According to a survey conducted by Microsoft last year, nearly 90 percent of organizations do not know how to protect their ML systems against attacks. This article continues to discuss why mature companies should perform red team attacks against their ML systems, the lack of awareness among organizations about how to protect ML systems from attacks, and Microsoft's research on adversarial ML attacks.

Dark Reading reports "Microsoft Says It's Time to Attack Your Machine-Learning Models"

The Polish video game company CD Projekt Red, which developed Cyberpunk 2077, one of the top-selling titles of 2020, has been hit by a ransomware attack. CD Projekt Red recently revealed that it had been the victim of a ransomware attack in which unidentified actors gained access to the company's internal network, encrypted some computers, and stole data. The attackers claim to have stolen source code for Cyberpunk 2077 and other games such as Witcher 3. They also say they stole information about the company's investor relations and human resources, as well as financial accounting information. According to CD Projekt Red, there is no evidence that suggests the compromise of customer data in the breach. CD Projekt Red says it will not give in to the attackers' demand for a ransom payment. The company is currently restoring its systems from backups. Researchers from the antivirus firm Emsisoft believe the ransomware used in the attack is HelloKitty, based on the familiarity of the ransom note's style and naming convention. Tony Robinson, an independent researcher, suggests that the motive behind the attack may also be to seek revenge in addition to financial gain. The incident occurred as CD Projekt Red faces significant criticism due to the release of its highly anticipated Cyberpunk 2077 game with numerous bugs and performance issues on different platforms. This article continues to discuss the ransomware group, potential motives, and impact of the ransomware attack on CD Projekt Red, and the company's decision not to pay the attackers' demanded ransom.

Wired reports "Cyberpunk 2077 Maker Was Hit With a Ransomware Attack--and Won't Pay Up"