News Items

  • news

    "Azure Service Fabric Vulnerability Can Lead to Cluster Takeover"

    Microsoft has recently patched a vulnerability that could allow an attacker with access to an Azure Linux container to escalate privileges and take over the entire cluster. The vulnerability is tracked as CVE-2022-30137 and impacts Service Fabric, Microsoft's container orchestrator that provides management of services across container clusters. Microsoft says Service Fabric hosts over one million applications. According to security researchers at Palo Alto Networks, the security issue is exploitable only on containers with access to the Service Fabric runtime, which implies access to the log directory. The researchers noted that Service Fabric clusters consider hosted applications to be trusted, thus allowing them to access the Service Fabric runtime data by default, which means that applications can access information about their environment and write logs to specific locations. The security hole impacts Data Collection Agent (DCA), a Service Fabric component that "handles files that could be modified by containers," thus allowing for container escape and root access to the node. DCA uses the LoadFromFile and SaveToFile functions to read from and write to files. The researchers stated that this functionality results in a symlink race. An attacker in a compromised container could place malicious content in the file that LoadFromFile reads. The researchers noted that while it continues to parse the file, the attacker could overwrite the file with a symlink to a desirable path so that later SaveToFile will follow the symlink and write the malicious content to that path. According to Microsoft, an attacker able to execute code inside a container that has access to the Service Fabric runtime would also need read/write access to the cluster to successfully exploit the vulnerability. The vulnerability exists in both Linux and Windows clusters but can only be exploited on Linux. On May 26, Microsoft released a fix for the bug in Service Fabric runtime and delivered it to all Azure customers with automatic updates enabled.
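    The symlink race described above comes down to a writer that opens a path by name and follows whatever that name now points to. The following is an added example, not code from the article or from Service Fabric: a naive writer beside a hardened one that opens with O_NOFOLLOW and verifies the descriptor with fstat, staged in a temporary directory where the "log file" has already been replaced by a symlink. The function and file names are this example's own, and it needs a POSIX system.

```python
"""Added example (not from the article or Microsoft's Service Fabric code):
the file-write pattern behind a symlink race, and a hardened variant that
refuses to follow a symlink. Runs offline in a temporary directory on
Linux/macOS. Names (naive_save, safe_save, demo) are this example's own."""
import os
import stat
import tempfile


def naive_save(path: str, data: bytes) -> None:
    """Write the way a typical save-to-file routine does: open(path) follows
    symlinks, so if the file was swapped for a symlink between read and write,
    the bytes land at the symlink's target instead of in the log directory."""
    with open(path, "wb") as fh:
        fh.write(data)


def safe_save(path: str, data: bytes) -> None:
    """Hardened write for a file that an untrusted party can replace.

    O_NOFOLLOW makes open() fail (ELOOP) if the final path component is a
    symlink, before any truncation happens. fstat on the descriptor we hold
    (not lstat on the name) then confirms it is a regular file, so there is
    no check-then-use gap between the test and the write."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC | os.O_NOFOLLOW
    fd = os.open(path, flags, 0o600)
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):
            raise OSError("refusing to write: not a regular file")
        os.write(fd, data)
    finally:
        os.close(fd)


def demo() -> dict:
    """Stage the post-race state: the log file is already a symlink to a
    sensitive target (both paths are constructed stand-ins). Returns what the
    target contains after each writer and whether the hardened one refused."""
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "sensitive_config")  # constructed victim path
        logfile = os.path.join(d, "app.log")          # constructed log path
        with open(target, "wb") as fh:
            fh.write(b"original\n")
        os.symlink(target, logfile)

        naive_save(logfile, b"overwritten\n")
        with open(target, "rb") as fh:
            after_naive = fh.read()

        with open(target, "wb") as fh:  # reset for the second run
            fh.write(b"original\n")
        try:
            safe_save(logfile, b"overwritten\n")
            safe_refused = False
        except OSError:
            safe_refused = True
        with open(target, "rb") as fh:
            after_safe = fh.read()

        return {"after_naive": after_naive,
                "safe_refused": safe_refused,
                "after_safe": after_safe}


if __name__ == "__main__":
    print(demo())
```

    O_NOFOLLOW only guards the final path component; a directory earlier in the path that the attacker can replace is not covered. The structural fix the article points at is therefore to stop treating container-writable files as trusted input to a privileged writer, with O_NOFOLLOW and fstat as defence in depth.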

    SecurityWeek reports: "Azure Service Fabric Vulnerability Can Lead to Cluster Takeover"

  • news

    "US Plans to Help Universities Protect Security of Research"

    The US Department of Commerce has announced a new initiative to collaborate with universities to protect potentially sensitive research products from theft by foreign agents. The Commerce Department's assistant secretary for export enforcement, Matthew S. Axelrod, announced the Academic Outreach Initiative during a speech at the annual meeting of the National Association of College and University Attorneys. The federal government wants to empower colleges and universities to prevent unauthorized exports, including releases of controlled technology, and to make better decisions about their future and ongoing partnerships with foreign universities and companies by working closely with universities that conduct research with potential national security implications. A part of the initiative is to identify the universities and research institutions considered to be at high risk because they conduct research for the Department of Defense, have ties to restricted foreign universities, or perform studies in sensitive technologies. The Academic Outreach Initiative also aims to provide training to prioritized research institutions on potential threats. This article continues to discuss the purpose, goals, and elements of the Academic Outreach Initiative.

    Inside Higher ED reports "US Plans to Help Universities Protect Security of Research"

  • news

    "Ransomware Suspected in Wiltshire Farm Foods Attack"

    A leading UK producer of frozen ready meals has revealed its systems are currently down after experiencing a serious cyberattack. Wiltshire Farm Foods said on Sunday that it is "currently experiencing severe difficulties" with its computer systems. Although the company released few other details about the attack, security experts were quick to single out the cause on social media. Many experts agreed that ransomware must have been the culprit. The ready meals producer, which is owned by parent company Apetito, said it hopes to get back on track by next week. Although Wiltshire Farm Foods is a relatively small UK manufacturer, its parent company Apetito is a German-based frozen food giant with revenues exceeding €1bn. The adversaries knew this, so they targeted the smaller company hoping the parent company would decide to pay a large ransom. Jonathan Knudsen, head of global research at the Synopsys Cybersecurity Research Center, argued that every company is a software company today and must therefore embrace a more proactive approach to cybersecurity. Knudsen also stated that organizations must recognize that the software they use daily is part of their infrastructure, just like office buildings, stores, or factories. As such, organizations need to select, deploy, and operate software with an eye toward security at every step.

    Infosecurity reports: "Ransomware Suspected in Wiltshire Farm Foods Attack"

  • news

    "California DOJ Data Breach Exposes Personal Information of All Concealed Carry Permit Holders Across State"

    Personal information of all concealed carry permit holders in California was exposed after the state Department of Justice suffered a data breach. On Tuesday, the Fresno County Sheriff's Office learned of the breach from the California State Sheriff's Association. The sheriff's office noted that the breach occurred as part of the state DOJ's launch of its "2022 Firearms Dashboard Portal." It was noted that this public site allows access to certain information; however, personal information of Concealed Carry Weapon (CCW) permit holders is not supposed to be visible. According to the sheriff's office, the personal information included a person's name, age, address, Criminal Identification Index number, and license type. The state DOJ pulled down the dashboard site along with all related links after learning of the breach. However, officials warned that "portions of private information may have been posted on social media websites." The sheriff's office said it was unknown exactly how long the information was accessible. The California attorney general's office said it was investigating the exposure. The sheriff's office urges anyone who learns their identity was compromised to make an online report.

    NBC News reports: "California DOJ Data Breach Exposes Personal Information of All Concealed Carry Permit Holders Across State"

  • news

    "Federal Government Gets Serious About Post-Quantum Encryption Protection"

    The White House mandated post-quantum cybersecurity (PQC) earlier this year via the National Security Memorandum "Promoting US Leadership in Quantum Computing While Mitigating Risks to Vulnerable Cryptographic Systems." In addition, the Quantum Computing Cybersecurity Preparedness Act would direct the National Institute of Standards and Technology (NIST) and the Office of Management and Budget (OMB) to develop post-quantum cryptography mitigation measures. Meanwhile, the Department of Homeland Security (DHS) collaborated with NIST to create a road map for improved agency security. QuSecure, a post-quantum cybersecurity company, has been awarded a rare Small Business Innovation Research (SBIR) Phase III contract by the federal government. The contract, PQC's first and only, requires the company to develop an end-to-end solution for post-quantum cybersecurity that can be deployed to federal agencies as soon as possible. This article continues to discuss the need for federal cybersecurity safeguards that can withstand a world in which powerful quantum computers can decrypt today's most advanced encryption.

    NextGov reports "Federal Government Gets Serious About Post-Quantum Encryption Protection"

  • news

    SoS Musings #62 - Increasing the Power of Cybersecurity Deception


  • news

    Cybersecurity Snapshots #31 - Healthcare Organizations Are Being Inundated With Cyberattacks


  • news

    "2022 CWE Top 25 Most Dangerous Software Weaknesses"

    The Homeland Security Systems Engineering and Development Institute, sponsored by the US Homeland Security Department's Cybersecurity and Infrastructure Security Agency (CISA) and operated by MITRE, has released a list of the top 25 most dangerous software weaknesses. The list, compiled from National Vulnerability Database data, covers the most common and critical errors that can lead to serious software vulnerabilities. An attacker can exploit these flaws to gain control of a vulnerable system, obtain sensitive information, or cause a Denial-of-Service (DoS) condition. This article continues to discuss the 2022 Common Weakness Enumeration (CWE) Top 25 Most Dangerous Software Weaknesses list.

    CISA reports "2022 CWE Top 25 Most Dangerous Software Weaknesses"

  • news

    "New YTStealer Malware Aims to Hijack Accounts of YouTube Content Creators"

    Researchers at Intezer have discovered a new data-stealing malware dubbed YTStealer that targets YouTube content creators by stealing their authentication cookies. The malicious tool is likely sold as a service on the dark web, and it is distributed via fake installers that also include RedLine Stealer and Vidar. What distinguishes YTStealer from other stealers on the dark web market is that it is solely focused on harvesting credentials for a single service rather than grabbing everything it can reach. However, the malware's method of operation is similar to that of its counterparts in that it extracts cookie information from the web browser's database files in the user's profile folder. The reasoning behind targeting content creators is that it uses one of the installed browsers on the infected machine to gather YouTube channel information. It accomplishes this by launching the browser in headless mode and adding the cookie to the data store. Then it navigates to the user's YouTube Studio page using a web automation tool called Rod. The malware then collects information about the user's channels, such as the name, number of subscribers, and creation date, as well as whether it is monetized, an official artist channel, and if the name has been verified, and sends it to a remote server. Another noteworthy feature of YTStealer is its use of the open-source Chacal "anti-VM framework" to prevent debugging and memory analysis. This article continues to discuss findings surrounding the YTStealer malware.

    THN reports "New YTStealer Malware Aims to Hijack Accounts of YouTube Content Creators"

  • news

    "Amazon Quietly Patches 'High Severity' Android Photos App Vulnerability"

    Researchers at cybersecurity firm Checkmarx alerted Amazon about a high severity vulnerability affecting the Amazon Photos Android app in December. The app contained a flaw that allowed attackers to steal a user's Amazon access token, which is required for authentication across several Amazon Application Programming Interfaces (APIs). These APIs contain personal information such as names, emails, addresses, and more. Some would grant a hacker complete access to a user's files, such as the Amazon Drive API. Before a patch for the vulnerability was made available on December 18 for the Amazon Photos Android app, it had been downloaded more than 50 million times. The team discovered a number of issues with the app's various components, finding that if a malicious app had been installed, an Android user's Amazon access token could have been taken, leaving them open to ransomware or worse. With a stolen access token, an attacker could change files while erasing user history, making it impossible to restore the original content from file history. This article continues to discuss the potential exploitation and impact of the high severity vulnerability found in the Amazon Photos Android app.

    The Record reports "Amazon Quietly Patches 'High Severity' Android Photos App Vulnerability"

  • news

    "CISA-Funded Project Enables Students With Disabilities to Learn Cybersecurity"

    Cybersecurity workforce development organization CYBER.ORG recently announced the launch of Project Access, a national effort to provide cybersecurity education to blind and visually impaired students. The new project is funded by the Cybersecurity and Infrastructure Security Agency's Cybersecurity Education and Training Assistance Program (CETAP) grant and will include a series of summer camps meant to introduce students aged 13 to 21 to key cybersecurity topics and help them develop skills that will allow them to pursue potential careers in the industry. The program was first tried out in 2017 in collaboration with Virginia's Department for the Blind and Vision Impaired (DBVI) to create a cybersecurity curriculum for the blind and vision impaired. Ninety-four percent of the students participating in Virginia's DBVI programming have shown interest in pursuing cybersecurity education and careers. It was noted that nonvisual techniques will be used with students with no prior computer or technology experience, while those with secondary disabilities will have access to hands-on learning opportunities and STEM career exploration.

    SecurityWeek reports: "CISA-Funded Project Enables Students With Disabilities to Learn Cybersecurity"

  • news

    "Tencent Acknowledges Using Poisoned QR Code on QQ Chat Platform Attack"

    Chinese Internet company Tencent has confirmed a significant account hijacking attack on its messaging and social networking platform QQ. A number of QQ users claimed that their login credentials were no longer giving them access to their accounts. Tencent refers to this issue as "stolen" accounts. Tencent claims that the problem started when scammers uploaded QR codes offering gaming logins. After scanning the codes, users were given the option to verify using their QQ login information. The malicious actors hijacked and recorded the login behavior, which was later used by the criminals to send "bad picture ads." This also resulted in users getting locked out of their accounts. China is likely interested in Tencent and whoever created the malicious QR codes, given that the country recently made it clear that it wants its digital titans to take their responsibilities to the country seriously. If it is found that Tencent did not offer sufficient protection to prevent this issue, it might receive a "rectification notice." This article continues to discuss the poisoned QR code attack on the QQ chat platform.

    CyberIntelMag reports "Tencent Acknowledges Using Poisoned QR Code on QQ Chat Platform Attack"

  • news

    "'Raccoon Stealer' Scurries Back on the Scene After Hiatus"

    Three months after ceasing operations due to the death of its lead developer in Ukraine, the creators of "Raccoon Stealer," one of the most prolific information stealers of 2021, have launched a new and enhanced version of the malware. Researchers from the French cybersecurity company Sekoia have reported discovering live servers hosting Raccoon Stealer files earlier this month while looking for indications of the malware. The malware's creators had been selling the new version via their Telegram channel at least since May 17. According to Sekoia, the malware and administrative interface for Raccoon Stealer were completely rewritten by the malware's creators. The effectiveness and performance of the stealer appear to have been their main goals. The new Raccoon Stealer is fundamentally still a traditional information stealer, with a stronger emphasis on cryptocurrency wallets. It was made to steal information from most modern browsers, including passwords, cookies, credit card data, and autofill forms. Electrum, Exodus, MetaMask, and Coinomi are just a few of the desktop cryptocurrency wallets that the malware targets. Sekoia discovered that Raccoon Stealer V2 also included features for exfiltrating files from compromised computers, installing additional software on the systems, taking screenshots, logging keystrokes, and more. In a report summarizing its investigation last week, Sekoia noted that the malware employs almost no defense evasion tactics, such as anti-analysis or obfuscation. However, the researchers warned that those features will likely be added in the near future. This article continues to discuss the new and improved version of the Raccoon Stealer malware.

    Dark Reading reports "'Raccoon Stealer' Scurries Back on the Scene After Hiatus"

  • news

    "Bringing Ransomware Infrastructure Into the Light"

    Researchers at Cisco Talos uncovered previously unknown infrastructure operated by several ransomware groups, including DarkAngels, Snatch, and Quantum, using various methods and some helpful mistakes by the operators themselves. Ransomware groups typically hide their infrastructure on sites on the dark web accessible via Tor. Their goal is to keep their activities hidden from law enforcement and security researchers who want to expose them. Many groups use this method for both communication and payment sites, as well as a blog/leak site where they publish stolen data and the names of victims. Cisco Talos researchers used different techniques to correlate ransomware groups' hidden infrastructure with sites visible on the public Internet, such as matching TLS certificates used on Tor hidden services with those used on public sites. The researchers explain that a significant part of operating on the dark web is to maintain anonymity, so certificates providing identity attestation can help identify the operator behind a website. The ransomware group may be using an SSL/TLS site on the dark web to give their victims the impression that they are operating in a secure environment and that their operation is legitimate. The researchers successfully applied this method to DarkAngels, a ransomware group that has been identified as a rebranding of the Babuk ransomware group. They operate similarly to other groups in that they have established a blog website as a Tor hidden service with a countdown timer to the publication of victim data, as well as links for victims to use to enter a chat room with DarkAngels affiliates to negotiate ransom payments. The researchers discovered, using Shodan, that the DarkAngels operators used the same self-signed certificate that they use for their dark web site for a public site hosted in Singapore. That public site contains all of the same information as the hidden site, and the researchers were also able to identify some database information and a login portal for DarkAngels operators. This article continues to discuss the discovery of several ransomware groups' previously unknown infrastructure.

    Decipher reports "Bringing Ransomware Infrastructure Into the Light"

  • news

    "New Bumblebee Malware Loader Increasingly Adopted by Cyber Threat Groups"

    Bumblebee, a recently discovered malware loader, has been linked to several prominent ransomware groups as a key component of numerous cyberattacks. According to the Symantec Threat Hunter Team, the tool has links to threat groups such as Conti, Quantum, and Mountlocker. Findings indicate that the Bumblebee loader may have been used as a replacement for Trickbot and BazarLoader because of the overlap in recent activity involving Bumblebee and older attacks linked to these loaders. This implies that it was created by well-known actors, and the change to Bumblebee was pre-planned. One attack singled out by the team stemming from Quantum ransomware detailed how the Bumblebee loader is put into practice. The infection began with the use of a spear-phishing email with an ISO file attached. The malicious file in question contained a Bumblebee DLL file and an LNK file, which was then loaded by rundll32.exe. The Bumblebee loader then contacted a command-and-control (C2) server and created a duplicate file with a randomized name within the APPData folder. In addition, a Visual Basic Script (VBS) file was created in the same location. The loader then established a scheduled task to run the VBS file every 15 minutes. After a few hours, the loader dropped a Cobalt Strike payload. This action resulted in two additional outcomes: the injection of a Metasploit DLL into a legitimate Windows process and the use of an AdFind tool to collect system information such as domain users and group permissions for the system. After this task was completed, Bumblebee unloaded the Quantum ransomware, allowing the ransomware group to encrypt files on the targeted system. Quantum was then able to scrape the system for user information using Windows Management Instrumentation (WMI) once inside. The ransomware payload also disabled any malware detection processes. This article continues to discuss findings surrounding the new Bumblebee malware loader and Bumblebee's connection to previous attacks.
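    Two steps in the chain above leave process-creation telemetry that a detection engineer can key on: rundll32.exe executing a DLL from somewhere other than the Windows or Program Files directories, and a scheduled task set to run a .vbs out of AppData on a minute-level schedule. The following is an added example, not code from the article or from Symantec: toy rules for those two observations run over constructed Sysmon-style events. The event fields, file names and drive letters are invented for the example, and the "outside system directories" generalization of the ISO detail is this example's own assumption.

```python
"""Added example (not from the article or Symantec's report): detection logic
for two steps of the Bumblebee chain, run over constructed Sysmon-style
process-creation events. Field names, sample paths and thresholds are
assumptions made for this example."""
import re
from dataclasses import dataclass

# Directories from which rundll32 normally loads DLLs (assumption for the rule).
SYSTEM_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


@dataclass
class ProcEvent:
    image: str          # full path of the created process
    command_line: str   # its command line
    parent_image: str   # full path of the parent process


def rundll32_from_untrusted_path(ev: ProcEvent) -> bool:
    """Rule 1: rundll32.exe executing a DLL that lives outside the Windows or
    Program Files trees, e.g. on a mounted ISO drive or in a user profile."""
    if not ev.image.lower().endswith("\\rundll32.exe"):
        return False
    m = re.search(r'rundll32(?:\.exe)?"?\s+"?([^",]+\.dll)', ev.command_line, re.I)
    if not m:
        return False
    dll_path = m.group(1).strip().lower()
    return not dll_path.startswith(SYSTEM_DIRS)


def schtasks_vbs_in_appdata(ev: ProcEvent) -> bool:
    """Rule 2: schtasks.exe creating a task that runs a .vbs under AppData on
    a minute-based repetition (the article's loader used every 15 minutes)."""
    if not ev.image.lower().endswith("\\schtasks.exe"):
        return False
    cl = ev.command_line.lower()
    return ("/create" in cl and "\\appdata\\" in cl and ".vbs" in cl
            and re.search(r"/sc\s+minute", cl) is not None)


# Constructed sample telemetry: two malicious-looking events, two benign ones.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\rundll32.exe",
              r"rundll32.exe D:\documents.dll,EntryPoint",   # DLL on a mounted image (constructed)
              r"C:\Windows\explorer.exe"),
    ProcEvent(r"C:\Windows\System32\rundll32.exe",
              r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL",  # benign
              r"C:\Windows\explorer.exe"),
    ProcEvent(r"C:\Windows\System32\schtasks.exe",
              r'schtasks.exe /create /sc minute /mo 15 /tn Updater /tr "wscript.exe C:\Users\u\AppData\Roaming\x7k2q.vbs"',
              r"C:\Windows\System32\rundll32.exe"),
    ProcEvent(r"C:\Windows\System32\schtasks.exe",
              r'schtasks.exe /create /sc daily /tn Backup /tr "C:\Program Files\Backup\run.exe"',  # benign
              r"C:\Windows\explorer.exe"),
]


def run_rules(events):
    """Return (rule name, command line) for every event that matched a rule."""
    hits = []
    for ev in events:
        for rule in (rundll32_from_untrusted_path, schtasks_vbs_in_appdata):
            if rule(ev):
                hits.append((rule.__name__, ev.command_line))
    return hits


if __name__ == "__main__":
    for name, cl in run_rules(SAMPLE_EVENTS):
        print(f"{name}: {cl}")
```

    Both rules are broad on purpose: rundll32 loading from user-writable or removable paths and minute-scheduled scripts in AppData are worth a triage queue in most environments, and the parent-process field is kept so that the two hits can be chained (the schtasks event here is a child of rundll32) when the rules are moved into a real pipeline.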

    TechRepublic reports "New Bumblebee Malware Loader Increasingly Adopted by Cyber Threat Groups"

  • news

    "Researchers Uncover ZuoRAT Malware Targeting Home-Office Routers"

    Security researchers at Black Lotus Labs discovered a new remote access trojan (RAT) called ZuoRAT, which targets remote workers via their small office/home office (SOHO) devices, including models from ASUS, Cisco, DrayTek, and NETGEAR. The researchers noted that ZuoRAT is part of a complex campaign that went undetected for nearly two years. The tactics, techniques, and procedures (TTPs) that analysts observed bear the markings of what is likely a nation-state threat actor. ZuoRAT is a multi-stage RAT developed for SOHO routers, leveraging known vulnerabilities. In a recent campaign, ZuoRAT was used to enumerate the adjacent home network, collect data in transit, and hijack home users' DNS/HTTP internet traffic. The actor was also able to remain undetected by living on devices rarely monitored and by hijacking DNS and HTTP traffic. Director of threat intelligence for Black Lotus Labs, Mark Dehus, stated that router malware campaigns pose a grave threat to organizations because routers exist outside of the conventional security perimeter and can often have weaknesses that make compromise relatively simple to achieve. The researchers noted that organizations should keep a close watch on SOHO devices. To help mitigate the threat, organizations should ensure patch planning includes routers and confirm these devices are running the latest software available.

    Help Net Security reports: "Researchers Uncover ZuoRAT Malware Targeting Home-Office Routers"

  • news

    "CISA Says 'PwnKit' Linux Vulnerability Exploited in Attacks"

    The US Cybersecurity and Infrastructure Security Agency (CISA) says a Linux vulnerability tracked as CVE-2021-4034, dubbed PwnKit, has been exploited in attacks. The flaw came to light in January and affects Polkit, a component designed for controlling system-wide privileges in Unix-like operating systems. Polkit is developed by Red Hat, but it is also used by other Linux distributions. CISA stated that PwnKit has been described as a memory corruption issue that can be exploited for privilege escalation, and it allows any unprivileged local user to elevate permissions to root. The vulnerability has been found to impact the products of several major companies. Juniper Networks, Moxa, IBM, VMware, Siemens, and others have released advisories to describe the impact of CVE-2021-4034. CISA recently added the vulnerability to its Known Exploited Vulnerabilities Catalog and instructed federal agencies to install patches by July 18.

    SecurityWeek reports: "CISA Says 'PwnKit' Linux Vulnerability Exploited in Attacks"

  • news

    Cyber Scene #69 - Looking Back, and Forward


  • news

    Spotlight on Lablet Research #31 - Predicting the Difficulty of Compromise through How Attackers Discover Vulnerabilities


  • news

    "AMD Targeted by RansomHouse, Cybercriminals Claim to Have '450 GB' in Stolen Data"

    The extortion group RansomHouse claims to have data stolen from the processor designer AMD following an alleged security breach earlier this year. According to RansomHouse, the files were obtained from an intrusion into AMD's network on January 5, 2022, and are not data from a previous leak of AMD's intellectual property. This new group also claims it does not breach system security or create or use ransomware. Instead, it acts as a "mediator" between attackers and victims, ensuring payment for stolen data is made. RansomHouse said on its Tor-hidden website that it had 450 GB of data, but it is unclear whether the group means "gigabytes" or "gigabits." The group also posted samples of the data. RestorePrivacy, an online privacy specialist, stated in a blog post that it had examined the sample of data, which included network files, system information, and AMD passwords gathered in the alleged breach. The RansomHouse group claims AMD used simple passwords to protect its network. RansomHouse is relatively new to the cybercrime scene, first appearing in December 2021. According to RestorePrivacy, the Saskatchewan Liquor and Gaming Authority (SLGA) was RansomHouse's first victim. The group lists a total of six victims, including ShopRite, a large African retail chain. Malwarebytes Labs threat intelligence researchers categorize RansomHouse as "grey hats" - black hat hackers with the potential to do good or white hats who take a step into the dark side while keeping one foot in the light. This article continues to discuss findings regarding RansomHouse and its alleged targeting of AMD.

    The Register reports "AMD Targeted by RansomHouse, Cybercriminals Claim to Have '450 GB' in Stolen Data"

  • news

    "97% Of UK Business Leaders Expect Quantum Computing to Disrupt Their Sectors"

    Security researchers at EY discovered that nearly all (97%) of the executives surveyed expect quantum computing to disrupt their sectors to a high or moderate extent. Moreover, approximately half (48%) believe that quantum computing will reach sufficient maturity to play a significant role in the activities of most companies in their respective sectors by 2025. The researchers noted that only one-third (33%) of the organizations have started strategic planning to prepare for the technology's commercialization. Also, only 24% have organized pilot teams to explore its potential or are currently working to do so. Harvey Lewis stated that if the current trends persist, "quantum computing is likely to cause disruption sooner than many people think." During the study, the researchers also found that 72% of technology, media, and telecommunications (TMT) respondents say future cryptography-related tasks are their top priority for using quantum computing and related technologies. More than half (56%) of advanced manufacturing firms have begun strategic planning to prepare for quantum computing. The researchers also found that nearly all organizations surveyed (97%) intend to conduct strategic planning in relation to the use of quantum computing within the next five years. The researchers stated that quantum computing technology is "maturing fast," and UK organizations "need to get ready."

    Infosecurity reports: "97% Of UK Business Leaders Expect Quantum Computing to Disrupt Their Sectors"

  • news

    "Carnival Cruises Fined $5 Million for Cybersecurity Failures"

    Carnival Cruise Lines will have to pay more than $6.25 million to settle two lawsuits brought by 46 states in the U.S. after a series of cyberattacks allowed hackers to access private information about customers and workers. The first breach happened in 2019 as a result of a phishing email or password spray attack. In April 2020, the company disclosed that hackers had not only encrypted some of its data but had also downloaded thousands of people's names and addresses, Social Security numbers, driver's license and passport numbers, as well as their health and financial information, in almost every state in the U.S. Between August 2020 and March 2021, there were three more breaches, two of which used ransomware while the other involved phishing. As part of the settlement, Carnival agreed to create training requirements for employees, conduct phishing-focused exercises, and use multifactor authentication (MFA) for remote access to corporate email. Carnival is going to employ secure password storage systems, strong, complex passwords, and password rotation. Carnival will also be implementing third-party security evaluations and advanced behavior analytics tools to log and watch for potential security incidents on the Carnival network.

    iTech Post reports: "Carnival Cruises Fined $5 Million for Cybersecurity Failures"

  • news

    "Over 900,000 Kubernetes Instances Found Exposed Online"

    Over 900,000 misconfigured Kubernetes clusters were discovered to be vulnerable to potentially malicious scans on the Internet, with some even vulnerable to data-exposing cyberattacks. Kubernetes is an open-source container orchestration system with a uniform API interface for hosting online services and managing containerized workloads. Remote actors may be able to access internal resources and private assets that were not intended to be made public if Kubernetes is not properly configured. Furthermore, depending on the configuration, intruders may be able to escalate their privileges from containers in order to break isolation and pivot to host processes, granting them initial access to internal corporate networks for future attacks. Cyble researchers used scanning tools and search queries similar to those used by malicious actors to locate exposed Kubernetes instances across the Internet. The results revealed 900,000 Kubernetes servers, with 65 percent (585,000) located in the US, 14 percent in China, 9 percent in Germany, and 6 percent each in the Netherlands and Ireland. The most exposed TCP ports among the exposed servers were "443" with over a million instances, "10250" with 231, and "6443" with 84,400 results. The researchers emphasized that not all of these exposed clusters can be exploited, and even among those that can, the level of risk varies depending on the individual configuration. This article continues to discuss the exposure of over 900,000 misconfigured Kubernetes clusters on the Internet.

    Bleeping Computer reports "Over 900,000 Kubernetes Instances Found Exposed Online"

  • news

    "LockBit 3.0 Ransomware Emerges With Bug Bounty Program"

    The LockBit 3.0 ransomware operation has recently launched, and the gang is starting a bug bounty program offering up to $1 million for vulnerabilities and various other types of information. LockBit has been around since 2019. The LockBit 2.0 ransomware-as-a-service operation emerged in June 2021. Researchers stated that it has been one of the most active ransomware operations, accounting for nearly half of all ransomware attacks in 2022, with more than 800 victims being named on the LockBit 2.0 leak website. With the launch of LockBit 3.0, it seems the gang is reinvesting some of the profit in their own security via a "bug bounty program." Similar to how legitimate companies reward researchers to help them improve their security, LockBit operators claim they are prepared to pay out between $1,000 and $1 million to security researchers and ethical or unethical hackers. Rewards can be earned for website vulnerabilities, flaws in the ransomware encryption process, vulnerabilities in the Tox messaging app, and vulnerabilities exposing their Tor infrastructure.

    SecurityWeek reports: "LockBit 3.0 Ransomware Emerges With Bug Bounty Program"

  • news

    Visible to the public "Threat Actors Increasingly Use Third Parties to Run Their Scams"

    Abnormal Security discovered that in January 2022, the number of business email compromise (BEC) attacks impersonating external third parties surpassed those impersonating internal employees for the first time and has continued to exceed traditional internal impersonations each month since. The researchers noted that in May 2022, external, third-party impersonation made up 52% of all BEC attacks seen by Abnormal, while internal impersonation fell to 48% of all attacks. Just one year prior, internal impersonation accounted for 60% of all attacks, marking a 30% year-over-year increase in third-party impersonation. The researchers stated that financial supply chain compromise is a subset of business email compromise in which cybercriminals take advantage of known or unknown third-party relationships to launch sophisticated attacks. The attackers' goal is to use the legitimacy of the vendor name to trick an unsuspecting employee into paying a fraudulent invoice, changing billing account details, or providing insight into other customers to target. The researchers noted that these tactics are increasingly dangerous, with one attack stopped by Abnormal requesting $2.1 million for a fake invoice. According to the FBI, business email compromise has exposed organizations to $43 billion in losses over the past six years, and real losses continue to grow year over year, making up 35% of all losses to cybercrime in 2021 alone.

    Help Net Security reports: "Threat Actors Increasingly Use Third Parties to Run Their Scams"

  • news

    Visible to the public "CISA Alerts Healthcare Sector to OFFIS DCMTK Cybersecurity Vulnerabilities"

    High-severity cybersecurity flaws discovered in OFFIS DCMTK software could lead to Remote Code Execution (RCE) if exploited, according to a recent advisory released by the US Homeland Security Department's Cybersecurity and Infrastructure Security Agency (CISA). OFFIS advised all users to upgrade to version 3.6.7 or later as soon as possible. DCMTK is made up of libraries and applications that process Digital Imaging and Communications in Medicine (DICOM) files. It includes software for inspecting, constructing, and converting DICOM image files, as well as handling offline media and sending and receiving images over a network connection. It is used by hospitals and businesses globally for various purposes, including product testing and as a building block for research projects, prototypes, and commercial products. According to CISA, an attacker who successfully exploits the vulnerabilities could cause a Denial-of-Service (DoS) condition, write malformed DICOM files into arbitrary directories, and gain RCE. This article continues to discuss the potential exploitation and impact of the vulnerabilities found in OFFIS DCMTK software.

    HealthITSecurity reports "CISA Alerts Healthcare Sector to OFFIS DCMTK Cybersecurity Vulnerabilities"

  • news

    Visible to the public "APT Hackers Targeting Industrial Control Systems with ShadowPad Backdoor"

    An attack campaign targeting unpatched Microsoft Exchange Servers as an initial access vector to launch the ShadowPad malware is targeting entities in Afghanistan, Malaysia, and Pakistan. This activity has been attributed to a previously unknown Chinese-speaking threat actor. Organizations in the telecommunications, manufacturing, and transportation sectors are among the targets. During the initial attacks, the group used an MS Exchange vulnerability to deploy ShadowPad malware and infiltrate one of the victims' building automation systems. By gaining control of those systems, the attacker gains access to other, more sensitive systems within the attacked organization. ShadowPad, the successor to PlugX that debuted in 2015, is a privately sold modular malware platform that has been used by numerous Chinese espionage actors over the years. Although its design allows users to remotely deploy additional plugins that can extend ShadowPad's functionality beyond covert data collection, the malware's anti-forensic and anti-analysis techniques are what make it dangerous. This article continues to discuss the ShadowPad backdoor being used in the targeting of ICS.

    THN reports "APT Hackers Targeting Industrial Control Systems with ShadowPad Backdoor"

  • news

    Visible to the public "Android Malware Called 'Revive' Poses as 2FA App For Spain's BBVA Bank"

    A new Android banking malware called Revive impersonates the two-factor authentication (2FA) application required to access BBVA bank accounts in Spain. Rather than infecting customers of various financial institutions, this Trojan has a more focused strategy that targets the BBVA bank. Despite being in its early stages of development, Revive is already capable of performing sophisticated tasks such as intercepting 2FA codes and one-time passwords. To resume itself after being terminated, the malware uses a function with the same name. According to Cleafy's experts, the new malware targets potential victims via phishing attacks and convinces them to download an application that purports to be a 2FA tool required for improved bank account security. When Revive is installed, it requests permission to use the Accessibility Service, which grants it full access to the screen as well as the ability to tap the screen and navigate. Users are asked to enable access to SMS and phone calls when they use the app for the first time, which seems typical for a 2FA service. Following that, Revive operates in the background as a simple keylogger, capturing whatever the user enters on the device and routinely transferring it to the command-and-control (C2) server. This article continues to discuss the Revive malware posing as a 2FA app for BBVA bank accounts.

    CyberIntelMag reports "Android Malware Called 'Revive' Poses as 2FA App For Spain's BBVA Bank"

  • news

    Visible to the public "New Vulnerability Database Catalogs Cloud Security Issues"

    Because of the lack of a Common Vulnerability Enumeration (CVE) program, such as the one maintained by MITRE for publicly disclosed software security issues, organizations have traditionally struggled to track vulnerabilities in public cloud platforms and services. Therefore, a new community-based database has been launched to begin addressing that issue by providing a central repository of information about known cloud service provider security issues and the steps organizations can take to mitigate them. The database, cloudvulndb.org, was created by Wiz security researchers who have long argued for the need for a public list of vulnerabilities in systems and services used by companies like AWS, Microsoft, and Google. About 70 cloud security flaws and vulnerabilities, which the security researcher Scott Piper had previously assembled in a GitHub document titled "Cloud Service Provider security blunders," are already listed in the database. Anyone can suggest new issues to include on the website or brand-new solutions to problems already present. The objective is to compile a list of problems that a cloud service provider may have already solved. The centralized database enables businesses to review all previous security concerns with their cloud service provider at any time and determine whether the required corrective measures have been taken. The vulnerability database website currently does not have a mechanism in place to alert users immediately whenever new security flaws are added to it. One of the people responsible for maintaining the new database explains that the plan is to include an RSS feed or mailing list for that reason. This article continues to discuss the new community website for reporting and tracking security issues in cloud platforms and services.

    Dark Reading reports "New Vulnerability Database Catalogs Cloud Security Issues"

  • news

    Visible to the public "Project Improves Cybersecurity of Global Ship-Tracking System"

    Cybersecurity advancements made by the Georgia Tech Research Institute (GTRI) in collaboration with the US Navy could soon help strengthen protection for the Automated Identification System (AIS), which is used to track and identify commercial and military ships all over the world. AIS uses signals from transponders on ships to assist captains in avoiding collisions when the vessels are outside of busy ports. Since AIS is based on an open standard developed many years ago, the US Navy's Battlespace Awareness and Information Operations Program Office recognized that the system needed to be hardened to help address current cybersecurity conditions and expectations. GTRI researchers were initially asked to assess the system's potential vulnerabilities and then develop Bifrost, an add-on software system that works with AIS to filter messages from ships, protect against potentially malicious messaging, and provide critical alerts to ship captains. The Navy's Battlespace Awareness and Information Operations Program Office has received the Bifrost system, which is now being evaluated as a step toward potential deployment. The goal of AIS is to avoid collisions and enable everyone to work together to contribute information about where their ship is and which way it is heading so that everyone can predict where it will be, explained Shelby Allen, the project's lead GTRI research scientist. Trusting the information provided is critical to ensuring the safety of global maritime traffic. Along with GPS, AIS is critical to how forces operate across the seas. Due to the critical nature of the communications, the Bifrost system was designed to extract useful information from ship transmissions even if they do not meet all of the protocol specifications. Bifrost can detect deliberate misinformation, such as location updates that suggest speeds that vessels cannot achieve. Aside from cybersecurity hardening, Bifrost improves how the system handles emergency alerts, which may not be visible enough in the original AIS interface. This article continues to discuss the development, capabilities, and goals of GTRI's Bifrost system.

    GTRI reports "Project Improves Cybersecurity of Global Ship-Tracking System"

  • news

    Visible to the public "NIST Releases New Guidance and Resources on macOS Security"

    The National Institute of Standards and Technology (NIST) has published the final version of Special Publication (SP) 800-219, called "Automated Secure Configuration Guidance from the macOS Security Compliance Project (mSCP)." This document delves into mSCP resources that system administrators, security professionals, security policy authors, information security officers, and auditors can use to automate the security and assessment of macOS desktop and laptop systems. In addition, this publication introduces the mSCP, describes use cases for leveraging the mSCP content, and outlines the resources available on the project's GitHub site. The GitHub site offers practical and actionable advice in the form of secure baselines and associated rules, and it is constantly curated and updated to support each new macOS release. This article continues to discuss NIST's final version of SP 800-219 on macOS security.

    NIST reports "NIST Releases New Guidance and Resources on macOS Security"

  • news

    Visible to the public "Cyberattack Hits Lithuania After Sanctions Feud With Russia"

    On Monday, a cyberattack temporarily knocked out public and private websites in Lithuania, with a pro-Moscow hacker group reportedly claiming responsibility. A distributed denial-of-service (DDoS) attack targeted a secure national data network. The State Tax Inspectorate and Migration Department were also among the public agencies forced to suspend online services for several hours. Services were restored later the same day. The incident came a week after Russian officials threatened to retaliate because Lithuania restricted the transit of steel and ferrous metals under EU sanctions. Local authorities in Lithuania had warned that cyberattacks were likely to follow. The ministry did not name the hackers, but the Baltic News Service said the pro-Kremlin group "Killnet" had claimed responsibility for the attack.

    Associated Press reports: "Cyberattack Hits Lithuania After Sanctions Feud With Russia"

  • news

    Visible to the public "House Passes ICS Cybersecurity Training Bill"

    The US House of Representatives has recently passed a new cybersecurity bill named the "Industrial Control Systems Cybersecurity Training Act." Specifically, the Industrial Control Systems Cybersecurity Training Act would amend the Homeland Security Act of 2002 to authorize the Cybersecurity and Infrastructure Security Agency (CISA) to establish a cybersecurity training initiative focusing on industrial control systems (ICS). The new act aims to provide the IT workforce with free ICS security training. This includes virtual and in-person training and courses that would be available at different skill levels to help participants develop and strengthen their skills. The courses will cover ICS cyber defense strategies, and they will be available to both government agencies and private sector entities. If the new bill becomes law, the House and the Senate will receive yearly reports describing the courses and participants. The reports will also include information on the plans to expand access to the training and recommendations for strengthening the state of ICS education and training. The bill was introduced after the US government issued a warning in April over a Russia-linked piece of malware named Incontroller/Pipedream that is designed to manipulate and disrupt industrial processes in energy facilities by targeting ICS.

    SecurityWeek reports: "House Passes ICS Cybersecurity Training Bill"

  • news

    Visible to the public "Wichita State Researchers Aim to Educate, Protect Refugees From Cyber-Scams"

    Dr. Mythili Menon, assistant professor of English and linguistics and director of linguistics at Wichita State University (WSU), was recently awarded $296,470 as part of the National Science Foundation's Early-concept Grants for Exploratory Research (EAGER) program to study refugees' responses to phishing and vishing attempts. EAGER provides exploratory funding for high-risk, high-reward research into the nation's pressing issues. Phishing or vishing can have serious consequences for anyone, but it can be especially devastating for refugees who may not understand the legal and justice systems in the US. The project titled "Enabling Interdisciplinary Collaboration: Studying Social Engineering Attacks Targeting Vulnerable Refugee Populations" or, as Menon has dubbed it, "Cybersecurity for All," will include two parts of Wichita's refugee population: 94 Congolese refugees and 94 Afghani refugees. The research team behind this project will also work with the Wichita branch of the International Rescue Committee. Menon's research will be divided into three phases: digital literacy education for study participants, phishing simulations, and additional education based on the gaps revealed by the phishing simulations. The study's digital education component will teach small groups of refugees the fundamentals of technology, such as how to use a phone, access email, set up email, and follow cybersecurity best practices. Phase two will take place in the spring and summer of 2023, with researchers staging phishing and vishing attacks on their students to gain insight into what they do when they encounter a social engineering attack, specifically what linguistic traits they fall for and whether they fall for certain linguistic patterns or keywords. The study participants will be brought back for an educational workshop at the end of the study in summer 2024, after which they will be equipped with a checklist and instructions on how to avoid falling victim to phishing or vishing attacks. This article continues to discuss the goals and support behind the Cybersecurity for All project.

    WSU reports "Wichita State Researchers Aim to Educate, Protect Refugees From Cyber-Scams"

  • news

    Visible to the public "Final Call for Views on Government App Security Proposals"

    The UK government is urging the cybersecurity industry to submit feedback on new proposals to place new security requirements on app store operators and developers. The consultation period for the plans ends at 11.45 pm BST on Wednesday, June 29, meaning industry experts have just days to submit their views before the government moves forward with the new code of practice. The proposals were published last month to provide more robust security and privacy protections for app users. The new code of practice would place numerous new requirements on app store operators and developers. This includes requiring app stores to have a vulnerability reporting process for each of their apps to ensure flaws can be found and fixed quicker. App developers and store operators would also be obliged to share more security and privacy information in an accessible way, such as explaining why an app requires access to users' contacts and location. All app stores for smartphones, game consoles, TVs, and other smart devices making apps available to UK users would be asked to commit to the new code of practice. Some companies that will be affected include Apple, Google, Amazon, Huawei, Microsoft, and Samsung.

    Infosecurity reports: "Final Call for Views on Government App Security Proposals"

  • news

    Visible to the public "Black Basta Ransomware Becomes Major Threat in Two Months"

    Security researchers have analyzed Black Basta ransomware and stated that it had become a significant new threat in just a couple of months. Evidence suggests it was still in development in February 2022 and only became operational in April 2022. Since then, the Black Basta group has claimed responsibility for 36 victims in English-speaking countries, and the number is growing. Researchers at Cybereason have recently reported that it became known in early June that the new Black Basta group has partnered with the QBot malware operation to spread their ransomware. The researchers noted that a QBot partnership is a well-worn path, with criminal groups including MegaCortex, ProLock, DoppelPaymer, Conti, and Egregor all having done the same. QBot has many built-in capabilities that are very useful for attackers. The researchers noted that Black Basta is copying the techniques of the major ransomware gangs. Its rapid rise has led to some researchers speculating that the gang might be related to Conti. The researchers noted that there are several similarities between the two operations, including the appearance of the leak Tor site, the ransom note, the payment site, and the behavior of the support team. However, Conti has denied this, saying, "BlackBasta is not conti it's... kids." Lior Div, Cybereason CEO, stated that Black Basta is likely operated by former members of the defunct Conti and REvil gangs. Like most groups operating targeted attacks, Black Basta employs the double extortion strategy. The researchers noted that it is too early to know how successful it is at gaining ransom payments, but the group has been seen demanding millions of dollars as the ransom fee.

    SecurityWeek reports: "Black Basta Ransomware Becomes Major Threat in Two Months"

  • news

    Visible to the public "Cybercriminals Use Azure Front Door in Phishing Attacks"

    Resecurity, Inc. (USA) has discovered an increase in phishing content delivered via Azure Front Door (AFD), a Microsoft cloud CDN service. In one of the malicious campaigns, the identified resources impersonated various services that appeared to be legitimately created on the "azurefd.net" domain. This enables malicious actors to deceive users and spread phishing content in order to intercept credentials from business applications and e-mail accounts. The majority of phishing resources were designed to target customers of SendGrid, Docusign, and Amazon, as well as several other major Japanese and Middle Eastern online service providers and corporations. Such tactics, according to experts, demonstrate how threat actors are constantly looking to improve their tactics and procedures to avoid phishing detection using well-known cloud services. Based on the analyzed phishing templates, the attackers are most likely using an automated method to generate their phishing messages, allowing them to scale their campaigns to eventually target a larger number of customers worldwide. Resecurity cybersecurity researchers identified multiple domains used in the new wave of phishing attacks dating back to the beginning of June, some of which are difficult to distinguish from legitimate correspondence because of their naming and reference to Azure Front Door. This article continues to discuss cybercriminals' use of AFD in the performance of phishing attacks.

    Help Net Security reports "Cybercriminals Use Azure Front Door in Phishing Attacks"

  • news

    Visible to the public "FTC Takes Action Against CafePress Over Massive Data Breach, Cover-Up"

    The Federal Trade Commission (FTC) recently announced that it has finalized an order against CafePress, requiring it to improve its security posture following a cybersecurity incident that the company attempted to cover up. CafePress is an online retailer of products such as T-shirts, bags, calendars, and mugs, which users can customize with their own graphics designs or texts. It also allows users to have virtual shops on the platform. The data breach occurred in 2019 and impacted 23 million accounts. Despite repeated attempts to get the company to take proper action, CafePress failed to secure its systems and decided not to inform impacted customers about this and other cybersecurity incidents. A complaint was filed against former CafePress owner Residual Pumpkin Entity, LLC, and against the current owner, PlanetArt, LLC. The complaint claims that CafePress retained user data longer than needed, stored Social Security numbers in plaintext, failed to secure its systems against known threats, and covered up the 2019 data breach. The FTC is now requiring Residual Pumpkin and PlanetArt to improve their security practices through the adoption of multi-factor authentication, to minimize the amount of collected data, and to store Social Security numbers encrypted. The two companies will now need to implement a comprehensive information security program within 60 days. Additionally, both companies are now required to have their information security programs assessed by a third party and to provide the FTC with a copy of the assessment that can be publicly shared. FTC also ordered Residual Pumpkin to pay $500,000 that will be sent as relief to the victims of the data breach and asked PlanetArt to notify consumers whose personal information was compromised. The two companies are now required to provide the FTC with an annual certification from a senior corporate manager, detailing both their compliance with the order and a description of any cyber incident that might have occurred during the certified period.

    SecurityWeek reports: "FTC Takes Action Against CafePress Over Massive Data Breach, Cover-Up"

  • news

    Visible to the public "Clever Phishing Method Bypasses MFA Using Microsoft WebView2 Apps"

    A new phishing method uses Microsoft Edge WebView2 applications to steal authentication cookies from victims, enabling threat actors to log into stolen accounts, bypassing multi-factor authentication (MFA). Stolen login credentials are widely available due to a large number of data breaches, Remote Access Trojan (RAT) attacks, and phishing campaigns. However, it is becoming more difficult to utilize these stolen credentials due to the growing use of MFA, unless the threat actor also has access to the target's one-time MFA passcodes or security keys. Threat actors and researchers have developed new strategies for getting around MFA, including using reverse proxies, zero-day vulnerabilities in websites, and methods such as the Browser in the Browser attack and using Virtual Network Computing (VNC) to show remote browsers locally. A new phishing technique developed by a cybersecurity researcher makes use of Microsoft Edge WebView2 applications to quickly and easily steal a user's authentication cookies and log into compromised accounts, even if they are protected by MFA. This new social engineering attack, called WebView2-Cookie-Stealer, involves a WebView2 executable that opens up a legitimate website's login form inside the application when launched. This article continues to discuss findings regarding the new WebView2-Cookie-Stealer social engineering attack.

    Bleeping Computer reports "Clever Phishing Method Bypasses MFA Using Microsoft WebView2 Apps"

  • news

    Visible to the public "Iran's Steel Industry Hit by Cyberattack as Tensions With Israel Rise"

    The Iranian steel industry has been targeted in a significant cyberattack with hackers claiming to have taken over the systems of three state-owned enterprises. The Khuzestan Steel Company announced that it has shut down its factory until further notice due to technical problems brought on by a cyber intrusion. The Israel-linked hacking group, Gonjeshke Darande, which previously launched cyberattacks on Iranian infrastructure, posted a video on Twitter stating that it had hacked Khuzestan and two other steel businesses - the Mobarakeh Steel Company and the Hormozgan Steel Company. The video appears to showcase footage of the hacker group allegedly seizing control of equipment inside one of the plants. Additionally, Gonjeshke Darande shared screenshots that appeared to be taken from within the computer systems of the businesses it had hacked. This article continues to discuss the cyberattack on the Khuzestan Steel Company, the group claiming to be behind the attack, the reason behind this attack, and the targeting of Iranian infrastructure in the cyberwar with Israel.

    TechMonitor reports "Iran's Steel Industry Hit by Cyberattack as Tensions With Israel Rise"

  • news

    Visible to the public "Python Packages For PyPI Were Found Emailing Unprotected Websites Using Stolen AWS Keys"

    Many malicious Python programs have been discovered in the PyPI repository, which steal sensitive data such as AWS credentials and send it to publicly accessible locations. Software developers can select the building blocks for their Python-based applications or share their work with the community through PyPI, an open-source package repository. PyPI usually responds quickly to reports of malicious packages on the platform, but because there is no actual filtering before submission, dangerous packages may remain on the platform for some time. Sonatype, a software supply-chain security firm, was able to identify packages as dangerous in this instance using sophisticated automated malware detection methods. These packages include loglib-modules, pyg-modules, pygrata, pygrata-utils, and hkg-sol-utils. All five packages share code connections or similarities, even if the first two attempt to imitate reputable and well-known projects on PyPI in order to trick unsuspecting or inexperienced users into installing them. The programs "loglib-modules" and "pygrata-utils," according to Sonatype analysts J. Cardona and C. Fernandez, were designed to steal environment variables, AWS login credentials, and network interface data. This article continues to discuss the discovery of malicious Python programs in the PyPI repository.

    CyberIntelMag reports "Python Packages For PyPI Were Found Emailing Unprotected Websites Using Stolen AWS Keys"

  • news

    Visible to the public "ShiftLeft Finds a 97 Percent Reduction in Open-Source Software Vulnerabilities"

    ShiftLeft recently published its AppSec findings, revealing a 97 percent reduction in open-source software (OSS) vulnerabilities, based on millions of scans of its customers. According to the researchers, by identifying and prioritizing attackable OSS vulnerabilities, AppSec teams and developers can now fix what matters, ship code faster, and improve security with fewer and better fixes. ShiftLeft's report also said focusing on attackability and reducing false positives increases the speed at which developers carry out fixes and reduces mean-time-to-remediate (MTTR). ShiftLeft reported a 37 percent year-over-year reduction in MTTR, improving overall security posture and reducing the likelihood of attacks by reducing the time vulnerabilities are exposed. Rapid scans, according to the report, now allow security teams to scan more frequently, improving security by allowing better coverage of very large applications that previously required hours or days to scan. This article continues to discuss key findings from ShiftLeft's report on application security.

    SC Media reports "ShiftLeft Finds a 97 Percent Reduction in Open-Source Software Vulnerabilities"

  • news

    Visible to the public "Project Will Make seL4 Cyber Security Technology Usable in More Complex Computer Systems"

    The British government will provide support to UNSW Sydney researchers in the improvement of their world-leading cybersecurity technology aimed at protecting critical computer systems against cyberattacks. The UK's National Cyber Security Centre (NCSC) will fund UNSW Engineering's Trustworthy Systems research group to accelerate the development of its seL4 microkernel technology, the world's most advanced cybersecurity technology. According to Scientia Professor Gernot Heiser, leader of the Trustworthy Systems team that invented the technology, the NCSC has been evaluating seL4 for some time and is currently collaborating with defense industry partners to deploy it in real-world computer systems. The seL4 technology is already in use by the UK government and other countries, in addition to many civilian applications. When built into the core of a computer's operating system, Trustworthy Systems' pioneering seL4 technology provides bullet-proof isolation between computer programs, preventing an affected component from compromising others. The Trustworthy Systems group is also conducting research in collaboration with the United Arab Emirates and the Swiss technology company Neutrality, among others, to deploy the seL4 microkernel in mobile phones, drones, Internet of Things (IoT) devices, and more. This article continues to discuss the support and continued efforts behind the seL4 microkernel technology.

    UNSW Sydney reports "Project Will Make seL4 Cyber Security Technology Usable in More Complex Computer Systems"

  • news

    Visible to the public "Professor Receives Grant as Part of $14 Million Industry Collaboration to Improve Secure Communications"

    The Intelligence Advanced Research Projects Activity (IARPA) has awarded a $14 million contract to fund a collaborative project between BAE Systems and a team of researchers at Virginia Tech in order to meet the growing demand for secure communications research and development. The award aims to create tools for deciphering an ever-increasing number of radio frequency signals to quickly and accurately help secure mission-critical information. The Virginia Tech team will provide expertise in Machine Learning (ML)-based strategies for radio frequency anomaly detection. The team will focus on reservoir computing, a type of computing used to predict a network's activity and occupancy based on observations of a small sample piece of that network. When it comes to secure communications, looking at a small section to predict activity on a larger scale is especially important because analyzing the entire network in a time-sensitive situation would be nearly impossible. As information travels quickly, threats can cause widespread damage in seconds. It is critical to be able to identify a threat as soon as possible in order to prevent damage on a large scale. Signal characterization will also be used by the team to identify the types of signals being sent within the secure communications network. The hope is that the technology developed using these prediction and characterization techniques will improve situational awareness, help target threats, and secure communications against malicious attacks. BAE Systems will provide suggestions and guidance to the team on setting up the experiment. This assistance includes providing a baseline of simulated data before moving on to actual hardware testbed data. The advanced defense technology company will then collaborate with the Virginia Tech team to review the success of the proposed candidate technologies, including how well they work to analyze anomalies and threats, and provide suggestions and feedback based on those test runs. This article continues to discuss the collaborative project aimed at improving secure communications.

    Virginia Tech reports "Professor Receives Grant as Part of $14 Million Industry Collaboration to Improve Secure Communications"

  • news

    Visible to the public "Researchers: Oracle Took 6 Months to Patch 'Mega' Vulnerability Affecting Many Systems"

    Security researchers PeterJson of VNG Corporation and Nguyen Jang of VNPT have published technical details on a critical Fusion Middleware vulnerability that Oracle took six months to patch. Tracked as CVE-2022-21445 (CVSS score of 9.8), the vulnerability is described as a deserialization of untrusted data, which could be exploited to achieve arbitrary code execution. The researchers noted that the issue, identified in the ADF Faces component, can be exploited remotely without authentication. The researchers reported the vulnerability to Oracle in October 2021, and Oracle released a fix as part of its April 2022 Critical Patch Update, six months after the initial report. According to the researchers, the pre-authentication RCE issue, which they described as a "mega" vulnerability, impacts all applications that rely on ADF Faces, including Business Intelligence, Enterprise Manager, Identity Management, SOA Suite, WebCenter Portal, Application Testing Suite, and Transportation Management. The researchers also discovered CVE-2022-21497 (CVSS score of 8.1), a server-side request forgery (SSRF) vulnerability that could be chained with CVE-2022-21445 to achieve pre-authentication remote code execution in Oracle Access Manager, a component used for SSO in numerous Oracle online services. The researchers named their attack "The Miracle Exploit" and said that all of Oracle's online systems and cloud services that rely on ADF Faces are impacted. They also noted that any website that uses the ADF Faces framework is vulnerable.

    SecurityWeek reports: "Researchers: Oracle Took 6 Months to Patch 'Mega' Vulnerability Affecting Many Systems"

  • news

    Visible to the public "Teaching Physics to AI Can Allow it to Make New Discoveries All on Its Own"

    Researchers at Duke University have discovered that incorporating known physics into machine learning algorithms can help the enigmatic black boxes attain new levels of transparency and insight into the characteristics of materials. The researchers used a sophisticated machine learning algorithm in one of the first efforts of its type to identify the characteristics of a class of engineered materials known as metamaterials and to predict how they interact with electromagnetic fields. The researchers stated that the algorithm was essentially forced to show its work since it first had to take into account the known physical restrictions of the metamaterial. The researchers noted that this method enabled the algorithm to predict the properties of the metamaterial with high accuracy, more quickly, and with more insight than earlier approaches. Willie Padilla, professor of electrical and computer engineering at Duke, stated that by incorporating known physics directly into machine learning, the algorithm can find solutions with less training data and in less time. Padilla noted that while this study was mainly a demonstration showing that the approach could recreate known solutions, it also revealed some insights into the inner workings of non-metallic metamaterials that nobody knew before. The results were published in the journal Advanced Optical Materials.

    SciTechDaily reports: "Teaching Physics to AI Can Allow it to Make New Discoveries All on Its Own"

  • news

    Visible to the public "Biden Signs Two Cybersecurity Bills Into Law"

    The Federal Rotational Cyber Workforce Program Act of 2021 and the State and Local Government Cybersecurity Act of 2021 were signed into law on Tuesday, June 21, 2022, by US President Joe Biden. The Federal Rotational Cyber Workforce Program Act proposes a program under which certain federal employees can be temporarily moved to other agencies in an effort to boost their skills. The State and Local Government Cybersecurity Act of 2021 is meant to improve collaboration between the Department of Homeland Security and state, local, tribal, and territorial governments. The bill requires the National Cybersecurity and Communications Integration Center (NCCIC) to coordinate with the Multi-State Information Sharing and Analysis Center (MS-ISAC) to aid state, local, tribal, and territorial government entities with cybersecurity exercises, training, education, and awareness.

    SecurityWeek reports: "Biden Signs Two Cybersecurity Bills Into Law"

  • news

    Visible to the public "Ransomware Hacker Spotted Using Zero-Day Exploit on Business Phone VoIP Device"

    A vulnerability in a Voice over Internet Protocol (VoIP) business device was used by a hacker to infect a company with ransomware. According to researchers at the security firm CrowdStrike, the hacker exploited a new vulnerability in a Linux-based VoIP appliance from the business phone provider Mitel. Because the VoIP device had few built-in security measures, the ensuing zero-day attack allowed the hacker to access the company's network through it. The goal of the attack was to effectively take control of the Linux-based VoIP equipment so that the hacker could access other areas of the network. CrowdStrike identified the hacker's presence after its security software flagged the suspicious behavior on the victim's network. The company also informed Mitel of the previously undiscovered vulnerability, and in April, Mitel distributed a patch to affected clients. The incident highlights the mounting concern that ransomware groups will employ zero-day vulnerabilities to target additional victims. This article continues to discuss the exploitation of a zero-day flaw in a business VoIP device to spread ransomware.

    PCMag reports "Ransomware Hacker Spotted Using Zero-Day Exploit on Business Phone VoIP Device"

  • news

    Visible to the public "Businesses Risk 'Catastrophic Financial Loss' From Cyberattacks, US Watchdog Warns"

    The Government Accountability Office (GAO) warns that private insurance companies are increasingly declining to cover damages caused by major cyberattacks, leaving American businesses vulnerable to catastrophic financial loss unless another insurance model is introduced. GAO's new report requests that the government assess whether a federal cyber insurance option is required. The report uses threat assessments from the National Security Agency (NSA), the Office of the Director of National Intelligence (ODNI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Justice (DOJ) to quantify the risk of cyberattacks on critical infrastructure, identifying vulnerable technologies that could be attacked as well as a variety of threat actors capable of exploiting them. According to an annual threat assessment by the ODNI, hacking groups linked to Russia, China, Iran, and North Korea, and certain non-state actors such as organized cybercriminal gangs, pose the greatest threat to US infrastructure. The number of cyber incidents is rapidly expanding due to the wide and increasingly skilled variety of individuals ready to target US organizations. Although federal agencies do not have a comprehensive inventory of cybersecurity incidents, several key federal and industry sources show a rise in most types of cyberattacks across the US, including those impacting critical infrastructure, and rising costs of cyberattacks. There were 26,074 incidents in 2021, with a total cost of roughly $2.6 billion. This article continues to discuss the GAO's report on cyber insurance, which calls for action to assess a potential federal response to catastrophic cyberattacks.

    The Verge reports "Businesses Risk 'Catastrophic Financial Loss' From Cyberattacks, US Watchdog Warns"

  • news

    Visible to the public "Unsecured APIs Could Be Costing Firms $75bn Per Year"

    Security researchers at Imperva discovered that global businesses could be exposing themselves to billions in annual losses because they aren't properly securing their APIs. Imperva teamed up with the Marsh McLennan Cyber Risk Analytics Center to analyze nearly 117,000 unique cybersecurity incidents for their report, Quantifying the Cost of API Insecurity. The researchers found that vulnerable and unsecured APIs cause an estimated 7.5% of cyber events and losses globally, rising to 18-23% in the IT and information sector. Professional services (10-15%) and retail (6-12%) rounded out the top three. The researchers stated that APIs are an increasingly common feature of digital transformation projects, connecting applications, data, and experiences. The researchers estimated that around half of businesses have 50-100 APIs deployed internally or publicly, and some have thousands. The researchers warned that deploying many APIs could unwittingly expand a company's digital attack surface.

    Infosecurity reports: "Unsecured APIs Could Be Costing Firms $75bn Per Year"